Security Reports

The first quarter of 2015 is going as expected so far; malware levels are continuing to rise at a steady pace since we've said goodbye to 2014 — "The Year of the Breach". News of businesses large and small suffering from attacks, where cyber thieves made off with billions of pieces of personal information and untold amounts of subsequent money from said breaches, made the public stand up and listen, as many of them became victims themselves.

Point of Sale systems became the talk of the town as more and more of them suffered compromise and we watched the sale of malware specific to these systems take off in the underground marketplaces. We also saw major medical insurer, Anthem, take a hit that affected 80 million customers. Personal data has flooded the black market thanks to these attacks and more and more people are realizing that security is everyone's job, from the big banks to the retailers and down to the individual.

We have also seen big government getting more into the security realm with legislation to encourage data sharing between public and private businesses and themselves in an aim to not only protect citizens from individual attacks but from nation-state attacks as well. This hasn't been well-received by all, as some see it as a blow to privacy and others see it as a necessary move to better protect the nation as a whole.

In this report, we will discuss these topics, as well as look at recent tax scams, including the major blow taken by online tax filer Intuit, where cyber criminals took it upon themselves to file state taxes for its users and divert victim returns to their own accounts. In addition, we will share metrics as seen by AppRiver's SecureTide™ and SecureSurf™ filters from our nodes throughout the world. We'll point out recent trends in spam and malware, from both an email and web perspective, and share some insight about what we can expect for the rest of the year.

Anthem Breach

So far, the year 2015 is still keeping up with previous years' breaches. This is unsurprising since data breaches have historically yielded a lot of data for successful attackers. There has been a major data breach that stands out from the rest so far this year though. At the beginning of February, customers of the United States' second largest health insurance company, Anthem, were alerted of a breach involving personal data.

This data breach ended up involving records of over 80 million customers. That is a very large amount of data that was stolen when compared to most breaches that occur. Some of the data stolen included home addresses, email addresses, names, and even social security numbers. This type of data is a gold mine for attackers. It allows them to obtain very detailed information and to use that data for nefarious reasons.

Unfortunately, the individual victims can still find themselves victim of targeted phishing attacks or even identity theft. So far, 2015 is only a quarter of the way done but breaches are already setting new records. While we hope breaches will decline in frequency, we expect them to continue this year. Events like this should always make businesses give some extra thought to their own security. Whether it be an international corporation or a small town shop, criminals will go after any data they can get if given the chance.

Tax Time Malware Runs Rampant

With the US tax deadline quickly approaching, cyber criminals wasted no time in taking advantage of the situation. As W2s started to arrive, we saw an increase in the amount of tax-related spam that attempted to phish users for sensitive data or to infect their PCs outright.

2015 has proven to be quite the busy year for tax scams of all sorts. Reports of telephone-based scams have also been reported in high numbers. Early in the year, Intuit, the company that owns the very popular tax software/service Turbo Tax, announced that it was shutting down state tax filing capabilities due to a recent rash of "suspicious" filings. This news came at a time when millions of US citizens were filing federal and state tax returns.

This resulted in a partial service outage (albeit temporary) for the most used online tax prep software provider in the US. This shutdown came on the heels of the news that Minnesota stopped accepting filings from Turbo Tax in light of some potentially fraudulent activity, where TurboTax appeared to be the one common thread amongst a very significant portion of the fraudulent filings.

A full investigation is still pending, but Intuit's initial response was that the false filings were not a result of a breach of their internal network, but rather being conducted via some other means. It stands to reason that the perpetrators may have utilized username/password combos stolen in any of the multitude of recent breaches that were being shared across multiple accounts. Or, perhaps they were harvested through one of the many tax-themed phishing campaigns that we see hitting our spam filter on a daily basis.

In fact, we have seen hundreds of variants of tax-themed email campaigns attempting to dupe users in Q1 2015. The majority of these messages either contained malware directly as an attachment or contained a URL leading to a malicious payload. More and more users are now filing electronically and in the eyes of unsuspecting users, an email such as the one pictured below may look legitimate.

This particular variant is quite simple and straightforward, asking the user to follow the link to view a message from the IRS regarding their tax documents. To the average user, these messages look exactly like what a tax document email from the IRS should look like, the only problem is that the IRS "does not initiate taxpayer communications through e-mail and won't send a message about your tax account". As is customary in these types of the messages, the URL will lead to either a malware infection or a phishing landing page.

The Recent Rise of POS Malware

Point of Sale malware has recently become a very wide topic of conversation, mostly due to the string of breaches that occurred all through 2014. One of the most notable, the attack against Target, utilized a rather simplistic memory scraper by the name of BlackPOS to steal customer payment information just before and during the holiday season of 2013. However, Target wasn't the biggest of 2013/2014; that trophy would go to Home Depot, who lost nearly $33 million in dealing with their breach of over 56 million credit and debit card numbers and over 53 million employee and customer email addresses.

It certainly seemed that the success of the Target breach set the pace for what was to come. Point of Sale systems were immediately seen as the go-to target for cyber thieves. Most of them appeared to be the relatively unguarded goldmine through which all store transactions are made. Why break into bank networks or spend countless hours attacking individuals when thieves can just go to businesses that do these transactions, most of whom aren't even thinking about security or have it on the backburner. It barely took a month for the Target news to get out before copycat attacks began and many different versions of POS scraping kits began to show up on underground forums.

These carried names such as POSeiden, VSkimmer, LusyPOS, Dexter, BrutPOS, ChewBacca, Backoff, etc. The price of these POS specific viruses ranged from free to around $2000 USD with full support. Their functionality ranged greatly as well: some versions were slimmed down to simply collect the transaction information and keep it locally for the thieves to come back and retrieve, while more sophisticated versions utilized command and control server architecture to automate attacks against multiple victims at once. One version, LusyPOS, even boasted utilizing Tor as its communication network to further anonymize its illegal communications.

Even though this particular technique has quickly become very popular, it is hardly a new one. POS malware functionality is basically comprised of three standard parts. One of those is a network traffic sniffer that is looking for these transactions. The second piece is the data scraper itself that utilizes regular expression to recognize card data and copy it from memory. The third part, which isn't always present in more elementary versions, is the keylogger which looks for manually-entered data. The memory scraping component of these pieces dates back at least eight years in the evolution of malware to about 2007.

This pre-dates the use of network sniffing malware as well, although it didn't take long for all of these components to exist in malware samples in the wild. The recent popularity of POS malware can likely be attributed to a couple of factors, one being that many more small businesses are using them as they become more widely available and most importantly, affordable. Its popularity is also due to the simple fact that the majority of these small and sometimes larger businesses either don't have dedicated security teams or they have simply been neglecting this area of their networks. In all likelihood, a large majority of these systems weren't initially built with security in mind.

Even though its roots run deeper than it may seem, POS malware represents a very active, current trend in the world of cybercrime and the ball is now in our court to fix this gaping hole in security. The onus lies with both the people that create these security systems and the merchants that use them in their shops to make sure they are doing everything in their power to keep transactions safe.

Government Cyber Plans

This year we have seen President Obama acknowledge cyber threats by signing executive orders. One such order is aimed at increasing data sharing between government agencies and private companies. It's an attempt to build a framework designed to make voluntary sharing of threat data easy. In February, Facebook announced a similar system called ThreatExchange, which provides a central location for researches and companies to share security threats and intelligence, however, the President's plan is to expand the data sharing to include government security agencies.

This would allow companies and government agencies to have a centralized system for threat sharing, which could make it easier to recognize and to identify attacks being seen by both the private sector and government sector. This order does come with a lot of public skepticism, with many questioning which types of data will be shared and if the sharing of that data will step on privacy concerns. The idea is very upfront that it would have to be a voluntary sharing of data, but up to the companies to strip and privatize data before being sent. The idea is still in its infancy, but it's out there on the table now and will hopefully start forming into a system that can help all parties involved without breaching a user's privacy at the same time.

More recently, President Obama signed a new executive order giving the United States the ability to place sanctions on suspected cyber criminals. This move wasn't surprising, as we discussed such a thing happening in the 2014 End of The Year report. In that report, we mentioned how the sanctions placed against high level individuals in North Korea for the Sony cyber attack could possibly open the door for more actions to be taken by the US government for future cyber criminal activities. And that appears to be what has happened.

This order giving the power of using sanctions is a big step the government is taking to try and combat some of these high profile attacks and breaches that keep making the news. The order gives the government power to place travel and financial sanctions on entities accused of cyber attacks. The accused attackers will be determined by the Justice, State, and Treasury departments and will allegedly only be for attacks that they decide warrant a sanctioning approach. This is the part that is up to interpretation for the actions.

This essentially will be giving power to the government to place sanctions on individuals or countries who are simply accused of a cyber attack. This has led some people to be very skeptical of the process since it can have large repercussions for actions that may have inadequate evidence. With it being in the early stages of development, the government will hopefully iron the plan out more and set effective guidelines and processes in place.

Traffic by Region

This chart shows region of origin for spam as detected by AppRiver filters. Spam originating from North America overtook Europe in 2014 and continued to expand its share in Q1 of 2015. North America and Europe now account for over 78 percent of the spam traffic we see.

Spam by Country

This chart represents the top countries from which spam originated during Q1 2015. The US remained the top point of origin for spam as we saw 2.2 billion spam and malicious emails with the US as its point of origin throughout Q1. Spam emanating from the US has now increased for the third consecutive quarter.

Spam Traffic

This chart displays spam traffic throughout Q1 2015. Spam traffic increased 38 percent over Q4 2014, and accounted for 83 percent off all email traffic during Q1 2015. In total, we quarantined roughly 5.5 billion spam messages in the first quarter (about 1.5 billion more than the previous quarter).

Virus Traffic

This chart displays virus traffic from Q1 2015. Malware distribution was relatively calm for the first month of 2015, but the calm gave way to some large virus spikes in mid-February. We quarantined just under 200 million messages with virus attachments in Q1.

Top Email Virus Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before any of them).

Top Threats

• X.MrinvBasic.exe
• X.HeurFXexeBSc.exe
• X.BadMacAOa_b.doc
• X.W32Troj.patre.zip
• X.HeurFXexeBSa.exe
• X.Suspw18IMp.exe
• X.HeurNMQ.exe
• X.BDexYR.heurB.exe
• X.MSW.Mac.DLfile.100114a
• X.YTBNscr.zip
• X.HurGenMalNMF.zip
• X.W32.Bredolab.pak
• X.SuspBDimpGTP.exe
• X.SuspImMal.RAb.exe
• X.MysVM.bdis.exe
• X.HeurNMK.exe
• X.GenMalth26YSI.zip
• X.W32.Ramnit.lc
• X.HeurNMC.exe
• X.MrinvBasicB.exe

Email Viruses

• 19,474,590
• 13,827,463
• 11,738,223
• 9,484,748
• 8,918,018
• 7,470,083
• 7,394,968
• 7,377,587
• 6,756,678
• 6,307,118
• 3,709,180
• 3,522,134
• 3,154,974
• 3,034,900
• 2,914,492
• 2,601,869
• 2,651,140
• 2,218,245
• 2,213,854
• 2,157,350

To download this report in PDF format, click here.