Insights from CYREN's Q2 2014 Internet Threats Trend Report

Speaker notes

  • The Simplocker ransomware hides inside an app that presents itself as a pornography player under the name "Sex Xonix". After the app is launched, a message appears accusing the user of watching and distributing child pornography (among "other perversions") and demands payment to decrypt the files it has just encrypted on the device. The user is asked to pay 260 UAH (Ukrainian hryvnia), around $22, via MoneXy, a money-transfer service used mostly in Russia and Ukraine.
  • Users are tricked into downloading the file commbank.apk, which disguises itself as a mobile authentication application. We have also seen versions that look like Facebook or Gmail authentication apps, and even a "malware scanner". Once installed, the app looks surprisingly legitimate, in this case resembling an app that might be issued by a well-known bank, Australia and New Zealand Banking Group Limited (ANZ). A genuine app of this kind would deliver mobile transaction authentication numbers (mTANs) or mTokens that enable two-factor login to online banking; the fake one intercepts them. The stolen data is stored in a SQLite database directly on the victim's phone.
  • So can Play Store downloads be malicious? News reports later quoted the app's developer as claiming that the app had been released by mistake and was an early placeholder. The episode illustrates the difficulty of scanning and evaluating the sheer number of Android apps appearing on the market.
  • Before we get started, we thought it would be interesting to get your opinion on which of these will grow in 2014.
  • The pseudo-random (DGA-generated) domain names shown on the slide now all resolve to the IP address 142.0.36.234, a DNS reply sinkhole hosted by the FBI. Kudos to the US Department of Justice, the FBI, Europol and the UK's National Crime Agency, who managed to disrupt the GameOver Zeus botnet: they built a sinkhole that redirects infected computers to substitute servers under government control instead of to the Zbot servers.
  • Many users dismiss suggestions that PDFs can be dangerous since they are "just text and images", and it is true that most email programs do not block PDF attachments. But of course they can be malicious, as this example shows. Adobe Reader versions attacked: 9.303, 9.304, 9.4, 9.401, 9.402, 9.403, 9.404, 9.405, 9.406, 9.407, 9.5, 9.501, 9.502, 9.503, 9.504, 10.101, 10.102, 10.103, 10.104, 10.105, 10.106, 11, 11.001 (the current version at the time of the report is 11.0.07). If the exploit succeeds, the malicious PDF runs embedded shellcode that downloads a second executable, a backdoor that CYREN detects as W32/Androm.AQ. Lastly, keep your software up to date, especially Adobe Reader, to reduce exposure to attacks like this.
  • The CVE-2010-3333 vulnerability is still in use even though Microsoft patched it with MS10-087 back in November 2010. Why do attackers still use this exploit? Mainly because it is very simple to exploit and many users have still not applied the MS10-087 update (or they are using cracked versions of MS Office).
  • Since Windows XP is end-of-life from an update point of view, and is potentially exposed as soon as the next vulnerability is made public, we were curious…
  • Reasons for the decrease: pharma companies shutting down factories; big spam affiliates shut down. In short, less money in spam, more money elsewhere.
  • A "bioceutical" penny stock. Anyone who has seen The Wolf of Wall Street will be amused at this pump-and-dump schemer's choice of pseudonym, "Oakmont Stratton". (Prosecuted in the 1990s for stock and investment fraud, the real owners of the firm Stratton Oakmont eventually pleaded guilty to 10 counts of securities fraud and money laundering.)
  • Countries: Spain is number 1 for the first time. Zombies: the top 5 is generally the same as before.
  • More hacked Gmail accounts.
  • Our data is sourced from our GlobalView security lab and is based on the huge volume of traffic seen in the GlobalView cloud, 12 billion transactions per day. We have seen a big increase in web malware/exploit kits and phishing, so a cloud-based solution is needed. WebSecurity: in-the-cloud web security and web filtering, with CYREN protection, the simplest user interface and multi-tier partner management, all with white-label options so that you can make it look like your own.
  • Our partners can co- brand our yearbook or the Q1 trend report
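
The sinkhole described in the notes above gives defenders a cheap detection: any internal host whose DNS lookups resolve to 142.0.36.234 is talking to the FBI sinkhole and is therefore a GameOver Zeus infection to clean up, however random the queried name looks. The script below is an added example, not CYREN's code or anything from the report. It reads resolver log lines in a constructed "timestamp client qname A answer" format (adapt the regex to your resolver's real log format) and reports the clients and names that hit the sinkhole. The domain names in the sample log are made up and are not real GameOver Zeus DGA output.

```python
"""Flag hosts whose DNS answers point at the GameOver Zeus sinkhole.

Added example, not CYREN's code. The log format is a constructed
"<timestamp> <client_ip> <qname> A <answer_ip>" text format; adapt LINE_RE
to your resolver's real logs (BIND querylog, Zeek dns.log, Windows DNS debug).
"""
import ipaddress
import re
from collections import defaultdict

# Sinkhole address named in the webinar notes (FBI DNS reply sinkhole).
SINKHOLE_IPS = {ipaddress.ip_address("142.0.36.234")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<qname>\S+)\s+A\s+(?P<answer>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Return the fields of one A-record log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sinkholed_clients(lines):
    """Map client_ip -> sorted list of qnames whose answer was a sinkhole IP.

    The queried name is deliberately not used for the decision: DGA output is
    hard to characterise reliably, but the sinkhole address is a hard indicator.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip, never crash a detection job
        try:
            answer = ipaddress.ip_address(rec["answer"])
        except ValueError:
            continue
        if answer in SINKHOLE_IPS:
            hits[rec["client"]].add(rec["qname"].rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log; the domain names are invented, not real DGA output.
SAMPLE_LOG = """\
2014-06-02T10:01:12Z 10.0.5.17 www.example.com. A 93.184.216.34
2014-06-02T10:01:15Z 10.0.5.23 ynqvlmzpjlwhksbx.net. A 142.0.36.234
2014-06-02T10:01:16Z 10.0.5.23 cdjhqgtmrwlf.biz. A 142.0.36.234
2014-06-02T10:02:40Z 10.0.5.17 mail.example.com. A 93.184.216.35
this line is not a DNS record
2014-06-02T10:03:02Z 10.0.5.41 uqlvwtmdnsbkqx.com. A 142.0.36.234
""".splitlines()

if __name__ == "__main__":
    for client, names in sorted(find_sinkholed_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} sinkholed lookup(s): {', '.join(names)}")
```

Run against real resolver logs, each client reported here is an infected machine to isolate and reimage; the sinkhole keeps it from reaching the criminals' servers, but it does not remove the Zbot install.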

Presentation Transcript

  • 21 August 2014. © 2014 CYREN Confidential and Proprietary. INSIGHTS FROM CYREN'S NEW Q2 TREND REPORT
  • IN TODAY'S WEBINAR
    - Android ransomware and banking malware
    - The rise and fall (and rise) of Zbot
    - PDFs and Docs – real and unreal
    - Worldwide, World Cup phishing
    - Stock scams with Oakmont Stratton
  • ANDROID MALWARE TRENDS
  • PC RANSOMWARE
  • POLL – RANSOMWARE HONESTY: Do you know someone who paid the ransom? Did they get their files back?
    - They paid and got their files back
    - They paid and lost their files
    - They refused to pay and lost their files
    - They refused to pay and managed to regain access to their PC
    - Happily I don't know anyone who has been infected
  • ANDROID RANSOMWARE ARRIVES
    - May – "ransomware", but no encryption
    - June – ransomware with encryption: AndroidOS/Simplocker.A.gen!Eldorado
  • ANDROID RANSOMWARE ARRIVES
    - Before and after encryption
    - Scans the SD card and encrypts files such as .jpg, .png and .doc, among others
  • ANDROID IBANKING MALWARE
    - SMS/spyware – collects text messages, phone calls, recorded audio
    - Works in tandem with PC-based malware
    - Intercepts SMS codes sent by banks
    - AndroidOS/Agent.HJ
  • UNKNOWN SOURCES?
  • NO MALWARE DETECTED
    - "Virus Shield", priced at $3.99 in the Google Play store
    - 30,000 copies in April
    - Does nothing
  • POLL: YOUR MOBILE APPS – Where do you download apps?
    - Android: the Google Play Store
    - Android: anywhere I can find apps
    - iOS: only the iTunes Store
    - iOS: jailbroken device – anywhere I can find apps
  • MALWARE TRENDS
  • A QUICK ZBOT HISTORY
    - Zeus Trojan (PC) discovered ~2007
    - Generally steals credentials – banks, email, social media
    - Keyloggers, screenshots
    - Sold as a botnet creation kit
    - Zeus botnet, other botnets
    - Distributed command and control
    - Millions of victims
    - 2012 – Microsoft takedown of SpyEye
    - Gameover Zbot – peer-to-peer encrypted botnet
    - June 2014 – Operation Tovar disrupted the botnet
    - July – new variants emerging…
  • ONE OF THE LAST ZBOT EMAILS
    - Attachment: Eonenergy-Bill-29052014.scr displays a PDF icon
    - W32/Zbot.BXN
  • ANOTHER ZBOT SENT USING DROPBOX
  • ACTUAL PDFS CAN ALSO BE PROBLEMATIC
    - Securedoc.pdf from BoA
    - Versions of Reader attacked: 9.3x – 9.5x, 10.1x, 11, 11.001
    - (The current version is 11.0.07)
  • WORD DOCS TO AVOID
    - traking_doc_MW421330771CA.doc
    - aircanada_eticket_[random_number].doc
    - efax__[random_number].doc
    - file-_[random_number]_doc
    - President Obama's Speech.doc
  • SECURITY EDUCATION POLL: Do you think people are aware that a PDF or Doc file could be harmful?
    - Yes
    - No
  • PHISHING TRENDS
  • WORLD CUP PHISHING
    - Chance to win "World-Cup" related prizes
    - Cielo – biggest credit card provider in Brazil
  • GLOBAL BANK PHISHING
    - Global brands: American Express, Bank of America, or Barclays
    - Country-specific: Natwest (Britain), Danske Bank (Denmark), Swedbank and SEB (Sweden), Bank of India (India), Credem (Italy), Hypovereinsbank (Germany)
  • SPAM TRENDS
  • SPAM LEVELS
    - Spam levels continue to drop
    - June average is the lowest in 5 years! Q2 average 55 billion, June average 49 billion
  • Q2 SPAM TOPICS
    - Pharmacy Products 43%
    - Job Offer 22%
    - Stock 17%
    - Diet 8%
    - Other 4%
    - Online Casino 3%
    - Phishing 2%
    - Malware 1%
  • PUMP AND DUMP – RCHA
    - Buy: 417,000 @ 0.19
    - Sell: many more @ 0.36
    - Profit ~$63,000
  • Q2 SPAM COUNTRIES, SPAM ZOMBIES
    - Argentina 8%, Spain 8%, Vietnam 7%, United States 6%, Germany 5%, Italy 5%, Iran 4%, Brazil 4%, Colombia 4%, Mexico 3%, Others 46%
  • SAVING HOSTING COSTS…
    - Google Docs phishing email
    - The Google logo at the top is stored on a legitimate Internet security blog, http://www.onlinethreatalerts.com/
  • GLOBALVIEW
  • GLOBALVIEW CLOUD AND PRODUCT FAMILIES (diagram: three product families, Web, Email and Anti-malware, built on the GlobalView Cloud)
    - Web: CYREN WebSecurity, URL-Filtering
    - Email: CYREN EmailSecurity, Email Messaging Suite, AntiSpam, Outbound AntiSpam, IP Reputation, AntiVirus for Email
    - Anti-malware: MobileSecurity, AntiVirus
  • WHAT MAKES US DIFFERENT – COMMITTED TO PARTNER SUCCESS
    - We focus on our core competencies so our partners can focus on theirs
    - Technical Account Managers
    - Partner Success Program
  • ANY QUESTIONS?
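
Several of the slides above make the same point from different angles: the .scr Zbot attachment that shows a PDF icon, the booby-trapped Securedoc.pdf, and the list of Word document names to avoid. The triage script below is an added example, not CYREN's code or a detection from the report. It checks an attachment's leading bytes (file signature) against its extension, flags executable extensions regardless of icon, matches the filename patterns from the "Word docs to avoid" slide (with [random_number] rendered as \d+), flags RTF content delivered as .doc (the usual wrapper for the CVE-2010-3333 exploit mentioned in the notes), and, for real PDFs, looks for the active-content keywords (/JavaScript, /OpenAction, /Launch and so on) that a document which is "just text and images" should not need. The sample attachments are constructed byte strings, not the real samples from the webinar; treat the output as triage hints, not a verdict.

```python
"""Attachment triage: distrust the icon and the extension, look at the bytes.

Added example; not CYREN's code. Filename patterns come from the "Word docs
to avoid" slide; sample attachments are constructed, not the real samples.
"""
import re

# Extensions Windows will execute directly, whatever icon the file shows
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Patterns from the "Word docs to avoid" slide; [random_number] rendered as \d+
SUSPICIOUS_NAME_PATTERNS = [
    re.compile(r"^traking_doc_\w+\.doc$", re.I),
    re.compile(r"^aircanada_eticket_\d+\.doc$", re.I),
    re.compile(r"^efax__\d+\.doc$", re.I),
    re.compile(r"^file-_\d+_doc$", re.I),
    re.compile(r"^President Obama.s Speech\.doc$", re.I),
]

# PDF name objects that a document which is "just text and images" does not need
PDF_RISKY_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                      b"/Launch", b"/EmbeddedFile"]


def magic_type(data):
    """Classify content by its leading bytes (file signature), ignoring the name."""
    if data.startswith(b"MZ"):
        return "pe"          # Windows executable
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"        # legacy binary .doc/.xls container
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"         # .docx/.xlsx are OOXML zip containers
    return "unknown"


def triage(filename, data):
    """Return findings for one attachment; 'block' is True if any check fired."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = magic_type(data)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE executable disguised as .{ext or '(none)'}")
    if ext == "doc" and kind == "rtf":
        # RTF delivered as .doc is the usual wrapper for CVE-2010-3333 lures
        findings.append("RTF content with .doc extension")
    if any(p.match(filename) for p in SUSPICIOUS_NAME_PATTERNS):
        findings.append("filename matches a known campaign pattern")
    if kind == "pdf":
        hits = [k.decode() for k in PDF_RISKY_KEYWORDS if k in data]
        if hits:
            findings.append("PDF contains active content: " + ", ".join(hits))
    return {"filename": filename, "ext": ext, "type": kind,
            "findings": findings, "block": bool(findings)}


# Constructed samples (a few header bytes each), not the real files from the webinar
SAMPLES = {
    "Eonenergy-Bill-29052014.scr": b"MZ\x90\x00" + b"\x00" * 60,   # PE that shows a PDF icon
    "Eonenergy-Bill-29052014.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # same PE renamed to .pdf
    "securedoc.pdf": (b"%PDF-1.6\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
                      b"2 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj\n%%EOF"),
    "aircanada_eticket_4827193.doc": b"{\\rtf1\\ansi\\par Hello}",
    "quarterly_report.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF",
}


def triage_all(samples=SAMPLES):
    """Triage every sample; returns {filename: triage result}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        verdict = "BLOCK" if result["block"] else "allow"
        summary = "; ".join(result["findings"]) or "no findings"
        print(f"{verdict:5} {name} ({result['type']}): {summary}")
```

The keyword scan is a coarse heuristic: it does not decode compressed object streams, so a PDF that hides its JavaScript inside a FlateDecode stream passes it, and a legitimate form with JavaScript trips it. That is acceptable for a mail gateway that quarantines for human review; it is not a substitute for an up-to-date Reader.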