Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:45 PM
Connect Directly

Report: One-Quarter Of Malicious Sites Healthcare-Related

G DATA Security Labs report also shows a spike in banking Trojan action and a move by the Ukraine to be a top 5 player in the malicious hosting business.

The first six months of this year were characterized by a record-setting spike of banking Trojan activity, a rash of adware spewing healthcare sites, the Ukraine charging into the top 5 countries to host a malicious server, and over 3 million new strains of malware, according to a new report by G DATA Security Labs.

Healthcare sites has become a more popular medium for delivering malware than technical and gambling ones, accounting for 26.6 percent of malicious sites in the first half of 2015, according to the report.

Among the attacks capitalizing on healthcare-related content is the Money Rain malvertising campaign, which drops malware via ads for get-rich-quick schemes. "In one of the dubious money campaigns," states the report, "the initiators even try to use a YouTube video that they have created themselves to lend a serious tone to the whole undertaking. 'Breaking news' for the supposedly rapid 'rain of money' is presented in the style of a news update."

Researchers found that the overwhelming majority of malicious and fraudulent websites continue to be hosted on servers in the United States -- 43.3 percent are in the U.S., followed by 9.5 percent in China, and 8.2 percent in France.

While these figures are largely unchanged from previous reports, the big change is at fourth place. The Ukraine -- which had not even been in the Top 10 before -- is now host to 5 percent of malicious sites. "An association with the continuing political conflict in the Ukraine and the numerous media reports concerning a cyberwar between the Ukraine and Russia cannot be ruled out," according to the report.

Researchers anticipate that banking Trojans will "presumably" be rising for the first time since 2012. In March, while the Timba, Vawtrak, and Bebloh banking Trojans were down, and Gozi was slightly up, Swatbanker -- which only targets Germany, Austria, and Poland -- had a spike so high that it smashed all previous records for banking Trojans. The swell in Swatbanker activity lasted through mid-June, making one of its final targets the German Parliament's intranet. 

The bank targeted by the widest variety of Trojan variants was Wells Fargo -- which G DATA gives a 35.28 percent "attack probability" -- followed by HSBC and Lloyds Banking Group.

Angler has been the most dominant exploit kit. Researchers detected record-breaking numbers of Angler attacks in the weeks following Jan. 21, when Angler added an exploit for the Flash zero-day CVE-2015-0311.

Flash vulnerabilities were most frequently abused by exploit kits all around, the researchers say, while Java exploits were scarcely used at all. "The attractiveness of Java might have declined simply because browsers have more and more protective functions built into them now," the report states, suggesting that Flash attacks might be reduced if browsers introduced click-to-play controls, on by default, for Flash.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.