Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:45 PM
Connect Directly

Report: One-Quarter Of Malicious Sites Healthcare-Related

G DATA Security Labs report also shows a spike in banking Trojan action and a move by the Ukraine to be a top 5 player in the malicious hosting business.

The first six months of this year were characterized by a record-setting spike of banking Trojan activity, a rash of adware spewing healthcare sites, the Ukraine charging into the top 5 countries to host a malicious server, and over 3 million new strains of malware, according to a new report by G DATA Security Labs.

Healthcare sites has become a more popular medium for delivering malware than technical and gambling ones, accounting for 26.6 percent of malicious sites in the first half of 2015, according to the report.

Among the attacks capitalizing on healthcare-related content is the Money Rain malvertising campaign, which drops malware via ads for get-rich-quick schemes. "In one of the dubious money campaigns," states the report, "the initiators even try to use a YouTube video that they have created themselves to lend a serious tone to the whole undertaking. 'Breaking news' for the supposedly rapid 'rain of money' is presented in the style of a news update."

Researchers found that the overwhelming majority of malicious and fraudulent websites continue to be hosted on servers in the United States -- 43.3 percent are in the U.S., followed by 9.5 percent in China, and 8.2 percent in France.

While these figures are largely unchanged from previous reports, the big change is at fourth place. The Ukraine -- which had not even been in the Top 10 before -- is now host to 5 percent of malicious sites. "An association with the continuing political conflict in the Ukraine and the numerous media reports concerning a cyberwar between the Ukraine and Russia cannot be ruled out," according to the report.

Researchers anticipate that banking Trojans will "presumably" be rising for the first time since 2012. In March, while the Timba, Vawtrak, and Bebloh banking Trojans were down, and Gozi was slightly up, Swatbanker -- which only targets Germany, Austria, and Poland -- had a spike so high that it smashed all previous records for banking Trojans. The swell in Swatbanker activity lasted through mid-June, making one of its final targets the German Parliament's intranet. 

The bank targeted by the widest variety of Trojan variants was Wells Fargo -- which G DATA gives a 35.28 percent "attack probability" -- followed by HSBC and Lloyds Banking Group.

Angler has been the most dominant exploit kit. Researchers detected record-breaking numbers of Angler attacks in the weeks following Jan. 21, when Angler added an exploit for the Flash zero-day CVE-2015-0311.

Flash vulnerabilities were most frequently abused by exploit kits all around, the researchers say, while Java exploits were scarcely used at all. "The attractiveness of Java might have declined simply because browsers have more and more protective functions built into them now," the report states, suggesting that Flash attacks might be reduced if browsers introduced click-to-play controls, on by default, for Flash.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-25
Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors.
PUBLISHED: 2020-05-24
ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c.
PUBLISHED: 2020-05-24
ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_decode in jfif.c.
PUBLISHED: 2020-05-24
ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c.
PUBLISHED: 2020-05-24
Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php hidden parameter.