Global Security Report: 2016 Quarter 3

Security Reports

Global Security Report: 2016 Quarter 3

Each quarter, we release a Global Security Report that’s tracked the threat landscape of the preceding three months. Once again, malware traffic expanded for the fourth straight quarter with our security team noting 5.7 billion messages containing malware. Though the popular distribution file types for malware shifted this quarter, the bulk of malware traffic remained to be from ransomware. Botnet distribution of malware also remained a popular conduit.

For the first time, the Web saw disruptions caused by DDoS attacks leveraged by botnets comprised primarily of IoT devices. (Business Email Compromise) BEC attacks leading to wire transfer fraud have persisted throughout the quarter. Data breaches, having already reached a fever pitch this year, remain a major concern for organizations across the globe.


The third quarter gave way to some very noteworthy data breaches and hacking scandal, some even record-setting. The more noteworthy breaches include the one recently disclosed by Yahoo, the hack of DNC emails, stolen NSA hacking tools and even an iCloud account containing private pictures of the British royals.

One breach to rule them all: The biggest of all was the Yahoo breach disclosed in September. This came at a critical time for Yahoo as they were preparing for a major transaction with Verizon. The breach is believed to have exposed the credentials of 500 million users that could possibly have been compromised for years. Critics have come out to the public that Yahoo may have opted not to improve security in fear of taking a performance hit. Whether that is true or not, the trade of off convenience over security is a point of focus that often defines the state of data security for many organizations.

To avoid identity theft, Yahoo users should change their passwords immediately and monitor email and credit activity closely. And all netizens, whether their information was compromised in the hack or not should make sure they are utilizing a password that is complex, lengthy and most importantly “unique” (e.g. not p@$$w0rd or your mother’s maiden name followed by her birth year). Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password they were using for their Yahoo account with other accounts as well.

Hackers wielding political influence: While it may never be truly settled who was responsible for the hack of the DNC emails, there is little doubt that it will have some impact on the current US election cycle. In July of this year, WikiLeaks posted 20,000 of the DNC’s private emails. While this act could well be misconstrued as “hacktivism,” there are other accusations that it may have been state-sponsored.

With so much information being stored digitally today, there is certainly more to come when it comes to cyberattacks affecting political events. Aside from the obvious political impact, there were also some unfortunate donors that had their social security and credit card information exposed. While credit cards can be cancelled, social security numbers are often used to commit identity fraud, which is something these people will now bear the burden of monitoring themselves for the foreseeable future.

NSA tools released: In mid-August, it was reported that some extremely powerful hacking tools created by the NSA had been posted online. These tools were far more advanced than the already effective tools currently available to anyone with a few bitcoins on the black market today. Some former NSA workers have speculated that the leaked tools were the result of an accidental leak by an insider. These tools are believed to have been developed by the NSA, and while they do not represent the entire NSA arsenal by any means, they are reported to be highly advanced and contain multiple “zero-day” exploits. While these exploits will eventually be patched, the tools were available to any nation state or hacker willing to take advantage.

More iCloud Hacks: We certainly can’t go long without news of a celebrity or public figure having their private photos posted online. This time it was Pippa Middleton (sister to the Duchess of Cambridge) who had her iCloud account hacked. The hacker made off with 3,000 of her personal photos and had quickly offered them for sale to a popular news site for £50,000. The trove of stolen photos contained private photos that included members of the UK royal family. A high court judge subsequently ruled that the photos shall be barred from publication. This type of event should serve as a reminder to replace any weak or shared passwords you may be using and to enable two factor authentication whenever it is offered.

Throughout the past three months, we have seen some very disturbing and impactful breaches. This trend will not stop any time soon as there is simply too much to gain for attackers willing to commit these acts. But keep in mind, for every earth-shattering breach that you read about publicly there are thousands (if not millions) of attacks that are being successfully thwarted by security professionals around the globe. If it’s not already, keeping customer’s data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks by keeping security a top priority.


More shocking revelations were revealed this quarter. The discovery and public outing of a previously unknown threat to iPhone users everywhere was a huge eye opener. More proof of concept hacks on smart cars could be the sign of things to come and what may be one of the largest DDoS attacks ever seen caused a major interruption for security blogger Brian Krebs.

In August, Apple released a security update for vulnerabilities that had been disclosed to them as a result of the recent discovery of a very advanced exploit chain-type malware. The malware some are now referring to as “Trident” used multiple “zero-day” exploits that could essentially jailbreak an iOS9 device, thus giving the attacker access to emails, texts, voice calls and the phones camera, microphone and location. This malware was discovered only after malicious links leading to the exploit were sent to a human rights defender in the UAE. There is no telling how many times this threat had been used in the time from its creation to until the time Apple patched the exploits, but was certainly greater than zero. It was later discovered that it had been created and presumably sold by NSO Group—a company that specializes in “cyber warfare.”

Chinese hacking team KEEN claimed to have taken advantage of multiple vulnerabilities in the Tesla Model S software that allowed them to execute, what would be, the first successful remote exploit of a Tesla vehicle. They even posted a video of it on YouTube. Last year, hackers appeared to pull off a similar feat on a Jeep Cherokee. In both instances, the attackers were seemingly able to control various aspects of the vehicle's control system from a remote location. The KEEN team contacted Tesla and gave them time to patch the vulnerabilities prior to the team releasing any details about how they were able to compromise the vehicle.

According to a Computer World article, 75 percent of the world’s cars will be connected to the Internet by the year 2020. As we transition to a smarter car society, we will likely see this become a battleground for hackers on some scale going forward.

In addition to cars and phones, in late September there was a record-setting DDoS attack being committed with a botnet of insecure/compromised IoT devices, such as home video cameras, routers, and DVRs. The first attack was aimed at the website of security writer Brian Krebs. Many reports have that attack topping out at around 600Gbps and let to the website being shut down temporarily.

This came at a time when Krebs was writing a story on the DDoS for hire market. This made big headlines since it appeared that someone created a massive botnet of more than 150,000 IoT devices and were intent on using it for revenge. Just days later, hosting company OVH reported that they were being targeted with a similar attack at a magnitude of 1Tbps. As more IoT devices become connected, and unless consumers start taking the time to install these devices more securely, this trend will only get worse.

Malware in all shapes and sizes

Long gone are the days for only having to look out for “obvious” malware in email attachments. These days, you never know what form a virus might come in or what new exploit it may be using. This sort of onslaught with new techniques and file types can throw some users for a loop or fly under their personal radar of things they should or shouldn’t be clicking.

Teaching a user to avoid clicking zipped .exe files from an email should be a best-practice, but these days you have all sorts of file types being used and abused that can come in a number or archived formats. Some of the most common malware we see these days comes in formats the majority of average users are unaware of.

This quarter, the three primary file formats for malware distribution have been JavaScript (.js), Windows Script Files (.wsf) and Macro enabled documents (.doc and .xls). Word Documents and Excel sheets are something most users in a business environment will encounter every day. Microsoft Office Documents are the second most popular attachments users send, second only to PDFs. But most users may not be aware of the dangers that are present with Office documents containing macros. These macros are essentially a program written in to the document that can be executed and infect the machine.

With the familiarity people have working with these documents, it presents a real danger if users click these attachments from unknown sources. They often mistakenly believe if it comes in a Word or Excel document, it must be safe. And unfortunately, just a few misguided clicks can cause a disastrous infection. Fortunately, Microsoft disables macros by default. However, if macros haven’t been blocked by a registry edit or group policy, users can run them with a single click. And often the malware will even have a note informing the user they must enable editing to view the document further. When in reality, the enable button will run the actual malware payload.


The two other popular file formats we have been seeing this quarter account for the vast majority of the malware traffic are JavaScript (.JS) and Windows Script File (.WSF) formats. While these are technically two different file types, they are very similar in that they both use a built-in feature in Microsoft Windows called the Windows Scripting Host.

The Windows Script Host is able to interpret the language format these are written in and execute the code naturally. The main reason these file formats have been popular over about the past year is that the code they are written in can be heavily obfuscated in the attempt to bypass security products. This obfuscation can also be done dynamically and varied in the obfuscation process.

What often happens is that a single malware campaign will have the same end result when the code is executed, but the actual code and file structure has hundreds of variants in how it is written. The advantage of this is that the code can be bloated up in size or have so many hoops to jump through that it isn’t readable by humans. However, the code’s appearance or format ultimately doesn’t matter, as long as it is properly executed. And that’s what the malware authors care about.


While .JS, .WSF and macro malware are certainly the most common malware file types we see these days, there are still some we see that are far less common. A rare type we saw this quarter was the .HTA file format.

The campaign delivered the Zepto ransomware using .HTA files. and was written in a valid .HTA format using JavaScript. The eventual payload that it delivered was the Zepto ransomware. The .HTA files are essentially more script files that usually execute within the browser. The main advantage again to abusing this type of file formatting for malware is that pretty much most users in a business out there have a browser (just like most have the Windows Scripting Host and Microsoft office) and most have probably never heard of an .HTA file or the dangers associated with them.


The following is an example of a recent malware campaign that we quarantined as it was attempting to deliver a ransomware payload using the afore mentioned .WSF file type. This message attempts to dupe users into opening the attachment under the false pretense that it contains tracking information for a recent delivery issue from DHL. This is a has been a popular social engineering tactic for some time now. Malware distributors also frequently pose as UPS and FedEx as well. In all we quarantined around 40,000 of these particular messages (which still pale in comparison to the sheer volume and vast array of message themes that we block 24/7).


With all of the above file types (and many not mentioned), it becomes more and more important to train users to be wary of any unexpected files. Just because something looks benign, it doesn’t mean it is safe. While training users about extensions and file types is a great step, it’s certainly not the only one to take and shouldn’t be your only line of defense. Having protections in place that are able to keep up with malware trends both on the web and email can prevent the majority of bad things ever getting to your users. With systems in place to protect users as well as an informed and trained user base, you can have a more robust protection for an organization.


Ransomware has been talked about quite frequently over the past few years since CryptoLocker made waves back in 2013. It wasn’t the first ransomware made, but the volume of infections and huge profit the attackers were making paved the way for ransomware to be a household name. This quarter isn’t any different.

Ransomware was still extremely popular and there have been various versions with specific targets seen over the past few months. Locky and Zepto are still some of the reigning champs as far as volume goes, but a few others have also been seen lurking online these days.

Princess – The Princess ransomware stands out mostly due to its high ransom price and the pink tiara it boasts once you are infected. While some ransomware prices to unlock files may be significantly higher due to its target (tens of thousands sometimes), the usual asking price for most ransomware is around the $300 mark. Princess, however, has a starting price of around $1,800. If you’re too slow to pay, that will double itself and cost around $3,600 (or six bitcoins) to get the key.

EduCrypt – EduCrypt was a small ransomware that was very different from any other malicious ransomware infections. This one was aimed at teaching users a lesson. Once the virus ran and encrypted files, it would let the user know that a key had been hidden on their computer and they just needed to find it to get their files back and decrypt them. While it still holds your files hostage until you can find the key, it doesn’t connect to a remote command server or require any money to be paid. The note that pops up has some often recommended advice of not downloading random things on the internet.

IoT Ransomware – The Internet of Things is quite the buzzword these days and is essentially used to describe hardware devices that have internet access. You can find everyday items with Internet capabilities all the time now, including washing machines, refrigerators, cameras, watches, etc. In the world or ransomware, hackers were able to demonstrate that they could successfully infect a thermostat with ransomware. This would allow an attacker to gain full control over the device and demand a ransom for the owner to get control back.

While this is a very specific situation with a certain model of a thermostat, it brings up a point that security researchers have been trying to bring to light: the Internet of Things can be a security nightmare. Many IoT devices are built with security being a secondary concern, and convenience being a primary. The issue is that many of these systems are really just tiny computers. They are still vulnerable to attacks, even though they aren’t being treated that way.

IoT devices are here to stay and will continue to grow in popularity. But with that, we will likely be seeing a trend of security flaws coming along with them unless manufacturers start to make security a main focus in the design process. Allowing unsecured devices with internet access on to your network could spell bad news if it becomes compromised.

MarsJoke(Aka Polyglot) – The MarsJoke ransomware is the newest of the few listed above. This one is aimed at targeting government agencies and educational institutions. The attack has mainly been seen via links in email messages that lead to the malicious download. The government and education sectors, along with the medical sector have become prime targets for ransomware. This is mainly due to the sometime enormous attack area (users, computers, and networks), the budget these organizations have access to for the ransom, and the sensitivity of the data.

These industries are obviously in charge of some very important data, making a successful ransomware attack likely to pay off big time. Though researchers at Kaspersky were eventually able to release a decryption tool to defeat the current version of MarsJoke, we would not be surprised to see a MarsJoke 2.0 or something similar soon.

Phishing Attacks

The onslaught phishing messages were still prominent in Q3. In early September, we noticed a spike in PayPal-themed messages. Utilization of attached (.)HTM/HTML files to distribute malware and phishing attacks has been actively used for the better part of a decade now. This file type is still considered relatively low risk since they are still shared for legitimate purposes quite regularly – despite that fact that they are used for evil with even greater regularity.

One particular variant poses as a security alert from PayPal. It utilizes an attached .HTM file (containing an embedded script) in an attempt to trick users into disclosing a bevy of personal and financial information. In addition to phishing a potentially devastating amount of information from the target, beneath the surface the obfuscated script also serves to install malware onto the victim’s machine.

Clicking the attached (.)HTM file begins the process. The phishing pages rendered attempt to gather a great deal of information such as PayPal credentials, mother’s maiden name, social security and credit card data – in a series of three consecutive phishing pages (displayed below).


Remember, a legitimate security alert should never require direct interaction with an email attachment. Should you ever find yourself on the receiving end of a message of this nature, reach out to the company directly to voice your concern.

If you suspect that you may have fallen victim to phishing or think your credentials have been exposed through some other means (such as a data breach), you should take immediate action to help reduce the potential impact. Always contact the provider immediately for their recommended course of action. Change your password for not only the affected account, but also for any others where you may be using the same or similar password. But surely no one is doing that… right?

Malware Traffic

In Q3 of 2016, our SecureTide email solution quarantined about 5.7 billion emails containing malware. This total was a thirty-five percent increase of the already record-setting total we had recorded in Q2 of this year.

This quarter’s malicious traffic relied heavily upon the use of macro-embedded documents and malicious JavaScript attachments. They also utilized the more traditional zipped executable approach along with some less common methods, like the use of legacy Word template files. Below you can see the steady increase of malicious email activity over the past four quarters.

Throughout the quarter, malware levels sustained rates on par with or above the very high levels that we have been seeing throughout the year.

Spam Traffic

Spam traffic remained steady throughout Q3. In total we quarantined 2.34 billion spam messages in the quarter. This was a slight decrease in traffic over the previous quarter.

Top Ten

Of the 2.34 billion spam messages quarantined in Q3, around seventy-five percent of them originated in one of these ten countries.

Spam Traffic by Region

The chart below represents the global distribution of spam sources by region as seen by our filters.

Web Metrics

Daily Threat Percentage

The following are Web metrics as seen by our SecureSurf™ Web filtering solution. The chart below displays the percentage of web traffic deemed bad on a daily basis throughout Q3. This includes malware, phishing and compromised sites.

Threats Tracked

The following displays the total number of unique threat locations (domains, URIs and IPs) that we were tracking throughout Q3 of 2016. On average, we were tracking around 40 million unique threat locations on any given day with malware being by far the most prevalent.

Blocked Threats

The following chart displays the sum of both malware and phishing blocked DNS requests by our Web filtering customers. A blocked request could be generated by a user initiated request or in the background via malware activity.


To download this report in PDF format, click here.