Report: One-Quarter Of Malicious Sites Healthcare-Related

The first six months of this year were characterized by a record-setting spike of banking Trojan activity, a rash of adware spewing healthcare sites, the Ukraine charging into the top 5 countries to host a malicious server, and over 3 million new strains of malware, according to a new report by G DATA Security Labs.

Healthcare sites has become a more popular medium for delivering malware than technical and gambling ones, accounting for 26.6 percent of malicious sites in the first half of 2015, according to the report.

Among the attacks capitalizing on healthcare-related content is the Money Rain malvertising campaign, which drops malware via ads for get-rich-quick schemes. "In one of the dubious money campaigns," states the report, "the initiators even try to use a YouTube video that they have created themselves to lend a serious tone to the whole undertaking. 'Breaking news' for the supposedly rapid 'rain of money' is presented in the style of a news update."

Researchers found that the overwhelming majority of malicious and fraudulent websites continue to be hosted on servers in the United States -- 43.3 percent are in the U.S., followed by 9.5 percent in China, and 8.2 percent in France.

While these figures are largely unchanged from previous reports, the big change is at fourth place. The Ukraine -- which had not even been in the Top 10 before -- is now host to 5 percent of malicious sites. "An association with the continuing political conflict in the Ukraine and the numerous media reports concerning a cyberwar between the Ukraine and Russia cannot be ruled out," according to the report.

Researchers anticipate that banking Trojans will "presumably" be rising for the first time since 2012. In March, while the Timba, Vawtrak, and Bebloh banking Trojans were down, and Gozi was slightly up, Swatbanker -- which only targets Germany, Austria, and Poland -- had a spike so high that it smashed all previous records for banking Trojans. The swell in Swatbanker activity lasted through mid-June, making one of its final targets the German Parliament's intranet. 

The bank targeted by the widest variety of Trojan variants was Wells Fargo -- which G DATA gives a 35.28 percent "attack probability" -- followed by HSBC and Lloyds Banking Group.

Angler has been the most dominant exploit kit. Researchers detected record-breaking numbers of Angler attacks in the weeks following Jan. 21, when Angler added an exploit for the Flash zero-day CVE-2015-0311.

Flash vulnerabilities were most frequently abused by exploit kits all around, the researchers say, while Java exploits were scarcely used at all. "The attractiveness of Java might have declined simply because browsers have more and more protective functions built into them now," the report states, suggesting that Flash attacks might be reduced if browsers introduced click-to-play controls, on by default, for Flash.