Cyren Security Blog

Q2 Threat Report Highlights the First Android Ransomware, Increasing Malware Attacks, Dangerous PDFs, and June Spam at 5-Year Low

Android smart phone users experienced the first ever ransomware attack in the second quarter of 2014 and PC-focused malware continues to cause problems, with cybercriminals attacking known vulnerabilities in both PDFs and MS Office documents. Phishing attacks emphasize financial gain, focusing on global banks and the World Cup. And, spam levels remain essentially unchanged at an average of 55 billion emails per day for the quarter, although June experienced a noticeable drop to the lowest level in five years.

Attacks on Android

Android Ransomware

The big news during the 2nd quarter was the appearance of the first ever Android ransomware. The initial version appeared in May and took over phones by displaying a message accusing the user of watching child pornography; however, this version lacked true encryption. The second version appeared in June and contained strong encryption capabilities, locking the device’s secure digital (SD) card and blocking use of the phone while displaying a message similar to the May version. The ransomware demanded 260 Ukrainian Hryvnia (UAH), around $22, to be paid through a Russian/Ukrainian money transfer service.

For more on the first ever Android ransomware, other types of Android malware, as well as analysis and trends, download a copy of the CYREN Q2 Internet Threats Trend Report.

Android iBanking Malware and an Antivirus App that Does Nothing

A number of fake banking applications targeting Android users appeared in Q2. Once installed, this malware collects sensitive data such as text messages, banking information, and audio. And, while technically not malware (since it did not ultimately affect Android operation), approximately 30,000 Android users purchased “Virus Shield” for $3.99 through the Google Play store. The app provided no antivirus security (nor anything else for that matter), displaying only two different icons when launched. Fortunately, it did no harm to the users’ data. Google fully refunded money to all the buyers and provided them with a Play Store credit. News reports revealed that the app’s creators had mistakenly released an early placeholder version of the software.

Malware Trends

Malware via PDFs, Dropbox, and MS Office

During the 2nd quarter, cybercriminals used both real and phony PDF files, Dropbox, and Microsoft Word to distribute malware. In one version, malware arrives in the victim’s email inbox presented as a utility bill that looks like a PDF but is actually a zip file, represented by a false PDF icon. In a variation, cybercriminals spread similar malware using a Dropbox link and payroll-related emails. (Dropbox disabled the links within a few hours.) Cybercriminals also used actual PDF files (in an email disguised as coming from a major bank) embedded with executable malware. If the actual PDF was opened, the malware affected PC users who had not updated their system with a fix for this known PDF vulnerability. And, Microsoft Word users who had failed to update their software found themselves in a similar predicament when cybercriminals sent malware-embedded “.doc” attachments.
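The "looks like a PDF but is actually a zip" trick above is caught by checking an attachment's content against the type its name and icon claim. The following is an added example (not code from the Cyren report or blog) of that mail-gateway check: it sniffs well-known magic bytes, compares them with the file extension, and looks inside any zip for executable members. The sample attachment is constructed inline; `build_sample_zip` and the filenames are my own.

```python
"""Attachment check: does the content match the type the name claims?"""
import io
import zipfile

# Well-known file signatures for the formats mentioned in the post
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",  # OLE2 compound file (.doc)
    "exe": b"MZ",
}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".js", ".vbs", ".pif")
DOC_EXT = {".pdf": "pdf", ".zip": "zip", ".doc": "doc"}


def sniff(data: bytes) -> str:
    """Return the real type from leading bytes, or 'unknown'."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def declared_type(filename: str) -> str:
    """Return the type the file extension claims, or 'unknown'."""
    for ext, kind in DOC_EXT.items():
        if filename.lower().endswith(ext):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare claimed vs. actual type; inspect zip members for executables."""
    actual, declared, findings = sniff(data), declared_type(filename), []
    if declared != "unknown" and actual != declared:
        findings.append(f"extension says {declared}, content is {actual}")
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXT):
                        findings.append(f"executable inside archive: {member}")
        except zipfile.BadZipFile:
            findings.append("zip signature present but archive unreadable")
    return {"declared": declared, "actual": actual, "findings": findings}


def build_sample_zip() -> bytes:
    """Constructed sample: a zip carrying an .exe with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("utility_bill.pdf.exe", b"MZ" + b"\x00" * 16)
    return buf.getvalue()
```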

Phishers Target Global Banks and World Cup

Phishing trends remained consistent this quarter, with the financial industry and the World Cup as the focus of several schemes. Customers of global and country-specific banks and other types of financial institutions were targeted in Europe, the United States, and India. And, a slick-looking email scam featuring the smiling face of a Brazilian football star and the chance to win a new car convinced many to divulge their personal information.

For more information and analysis on Q2 global malware and phishing activity, download a copy of the CYREN Q2 Internet Threats Trend Report.

Spam Trends: Spammer Relationships, Quarterly Spam Levels, and Pump-and-Dump Stock Spam

Trust Among Thieves: An Overview of New Research on Relationships Between the Harvester, the Botmaster and the Spammer

In a paper published in June in the ASIA CCS ’14 Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, researchers examine the relationships between three key spammer roles: the harvester, who collects valid email addresses; the botmaster, who controls the Internet-connected programs that distribute the spam; and the spammer, who develops the emails. Key findings from the research include the identification of well-developed processes and black market relationships, the use of search engines as proxies to hide identities or optimize the harvesting process, the enhancement of purchased email lists, and the speculation that some spammers focus on target markets, such as pharmaceuticals. The researchers cite spamming pipeline bottlenecks and fingerprinting a particular botnet’s email engine as opportunities for identification and the development of future threat mitigation.

Quarterly Spam Levels

Five-year record low spam levels in June were the big news during the 2nd quarter. Unfortunately, high spam levels in April and May offset the June gain to keep the quarter’s average at 55 billion per day, roughly the same as the first quarter. CYREN researchers found that spam accounted for 66% of all emails during this quarter. While pharmaceutical spam continued to dominate spam topics, there was a noticeable jump in pump-and-dump stock spam, accounting for 17% of all spam sent.

Countries of Origin and Zombies

Spain, Argentina, the United States and Germany continued to be among the leading spam-producing countries this quarter, with Vietnam also entering the top five. The Russian Federation pushed India out of the top zombie country spot this quarter, the first time India has relinquished the crown in four years.

For more information and analysis on Q2 global spam and zombie activity, download a copy of the CYREN Q2 Internet Threats Trend Report.
