05:20 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

Solutionary Research Reveals Cybercriminals Frequently Use UPS, Better Business Bureau Names To Disguise Phishing Emails Used For Malware Attacks

New report provides insights into current malware trends

OMAHA, NE – October 4, 2012 – Solutionary, the leading pure-play managed security services provider (MSSP), announced today the release of the Q3 2012 SERT Quarterly Research Report, the first quarterly research report released by Solutionary's Security Engineering Research Team (SERT). The report provides insights into current malware trends and key tactics used by cybercriminals to execute malware distribution attacks. Research revealed that the UPS and Better Business Bureau (BBB) brands were among the most commonly used by cybercriminals to disguise malware-attack phishing emails, that 92% of all malware was mass distributed, and that anti-virus solutions were unable to detect 60% of malware in the wild.

"Cybercriminals constantly evolve malware and attack techniques to evade security and gain the most profit from their targets. Sixty percent of the mass-distributed malware we examined can easily slip past anti-virus software, and when that doesn't work, cybercriminals fool email recipients with phishing emails that inject malware into networks and computers at unprecedented rates," said Rob Kraus, director of SERT. "Most organizations simply don't have the internal resources needed to keep pace with modern malware attacks. To stay ahead of the threats, protect their brands and defend against breaches they need products, solutions and services that are focused purely on reducing security risks."

SERT research revealed that the majority of mass-distributed malware samples were banking Trojans, malware that uses man-in-the-browser keystroke logging to steal victim's bank account information so that it can later be used to make fraudulent charges. The most common method of delivery used for the banking Trojans was phishing emails claiming to be legitimate - such as UPS delivery confirmations, BBB complaints, flight ticket confirmations and scanned documents - that lured victims to compromised websites. Once infected, the victims' browsers were redirected, unbeknownst to them, to a Blackhole Exploit Kit landing page, which then installed additional malware, such as Zeus or Cridex.

"The malware types identified in our report impact enterprises, SMBs, government agencies and consumers," added Kraus. "They leave businesses exposed to data breaches, banks liable for millions in fraudulent charges, and consumers reeling from the impact of identity theft."

The last quarter also produced evidence of a new era in cyber espionage with the rise of advanced, modular toolkits. Flame, first discovered in May 2012, appears to have been written for espionage and has become the model for sophisticated attack toolkits. Gauss, the next toolkit to be identified, targets financial and social-media information for a specific area in the Middle East.

Late in the quarter two other trends were identified by SERT: new Zero-day exploits and increased attacks on the financial sector. The end of August brought the discovery of a Java Zero-day (CVE-2012-4681) in the wild. The exploit downloads a payload executable that resembles a Poison Ivy variant and acts as a remote access tool (RAT), allowing a remote "operator" to control a system. In September two more notably significant Zero-day vulnerabilities were observed, including one that affected Microsoft's Internet Explorer and another that had to do with Java's sandboxing mechanisms. There were also significant issues observed during the month of September regarding attacks against the financial sector. The first was financial transaction fraud conducted using malware, which in some cases was preempted or followed up by Distributed Denial of Service (DDoS) attacks. The other issue observed was DDoS attacks against a significant volume of banking websites, although these highly disruptive attacks appear to be driven by a hacktivist agenda rather than financial theft.

Key findings

· Ninety-two percent of malware analyzed during the quarter was mass distributed

· Nearly 60% of all malware goes undetected by common anti-virus software

· The majority of malware samples analyzed in Q3 were banking Trojans, with Cridex taking the lead at 91%

· Only 54% of the Cridex banking Trojan samples were detected by common anti-virus software at the time of analysis

· The Blackhole Exploit Kit continued to be the most popular exploit kit used by cybercriminals

To access a copy of the complete report, please visit http://www.solutionary.com/index/SERT/Quarterly-Threat-Report.php.

Visit our blog at http://blog.solutionary.com/.

Follow us on Twitter.

About Solutionary

Solutionary is the leading pure-play managed security services provider. Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations' existing security program, infrastructure and personnel. The company's services are based on experienced security professionals, global threat intelligence from the Solutionary Security Engineering Research Team (SERT) and the patented, cloud-based ActiveGuard® service platform. Solutionary works as an extension of clients' internal teams, providing industry-leading customer service, patented technology, thought leadership, years of innovation and proprietary certifications that exceed industry standards. This client focus and dedication to customer service enables Solutionary to boast a client retention rate of over 98%. Solutionary provides 24/7 services to mid-market and global, enterprise clients through multiple security operations centers (SOCs) in North America. For more information, visit www.solutionary.com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.