Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:45 PM
Connect Directly

Report: One-Quarter Of Malicious Sites Healthcare-Related

G DATA Security Labs report also shows a spike in banking Trojan action and a move by the Ukraine to be a top 5 player in the malicious hosting business.

The first six months of this year were characterized by a record-setting spike of banking Trojan activity, a rash of adware spewing healthcare sites, the Ukraine charging into the top 5 countries to host a malicious server, and over 3 million new strains of malware, according to a new report by G DATA Security Labs.

Healthcare sites has become a more popular medium for delivering malware than technical and gambling ones, accounting for 26.6 percent of malicious sites in the first half of 2015, according to the report.

Among the attacks capitalizing on healthcare-related content is the Money Rain malvertising campaign, which drops malware via ads for get-rich-quick schemes. "In one of the dubious money campaigns," states the report, "the initiators even try to use a YouTube video that they have created themselves to lend a serious tone to the whole undertaking. 'Breaking news' for the supposedly rapid 'rain of money' is presented in the style of a news update."

Researchers found that the overwhelming majority of malicious and fraudulent websites continue to be hosted on servers in the United States -- 43.3 percent are in the U.S., followed by 9.5 percent in China, and 8.2 percent in France.

While these figures are largely unchanged from previous reports, the big change is at fourth place. The Ukraine -- which had not even been in the Top 10 before -- is now host to 5 percent of malicious sites. "An association with the continuing political conflict in the Ukraine and the numerous media reports concerning a cyberwar between the Ukraine and Russia cannot be ruled out," according to the report.

Researchers anticipate that banking Trojans will "presumably" be rising for the first time since 2012. In March, while the Timba, Vawtrak, and Bebloh banking Trojans were down, and Gozi was slightly up, Swatbanker -- which only targets Germany, Austria, and Poland -- had a spike so high that it smashed all previous records for banking Trojans. The swell in Swatbanker activity lasted through mid-June, making one of its final targets the German Parliament's intranet. 

The bank targeted by the widest variety of Trojan variants was Wells Fargo -- which G DATA gives a 35.28 percent "attack probability" -- followed by HSBC and Lloyds Banking Group.

Angler has been the most dominant exploit kit. Researchers detected record-breaking numbers of Angler attacks in the weeks following Jan. 21, when Angler added an exploit for the Flash zero-day CVE-2015-0311.

Flash vulnerabilities were most frequently abused by exploit kits all around, the researchers say, while Java exploits were scarcely used at all. "The attractiveness of Java might have declined simply because browsers have more and more protective functions built into them now," the report states, suggesting that Flash attacks might be reduced if browsers introduced click-to-play controls, on by default, for Flash.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-17
Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module(R12CCPU-V Ethe...
PUBLISHED: 2020-02-17
Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.