2015 has been a crazy year for hacking, with everything from the OPM breach to vehicles being hacked and the VTech breach. With that being said, phishing has played a huge part too, so here’s a quick recap of the top 10 phishing threats faced during 2015.
One: Dyre and Upatre
We’ve taken the decision to group Dyre and Upatre together, as they are often used in conjunction in attacks. Dyre continues to make an impact, even though it was noted as the #1 threat of 2014. Dyre attackers continue to steal millions of pounds, and the attackers behind it have shown the ability to quickly change their tactics when research is pushed out about their malware.
Upatre is an interesting piece of malware, so it deserves a separate mention too, as it typically serves one function: to download more malware. It has been used to download Dyre, Pony, CryptoWall, and many other families of malware. For delivery to the end user, the malware is typically shipped inside a ZIP archive; the user runs the file it contains, infecting their system.
Three: Office Macro
Let’s party like it’s 1997, because macros are back! The Dridex family of malware has been pretty prolific in spreading Word documents that contain macros in order to infect users, but it is not the only one using macros. This technique has been used by attackers to deliver Dyre, Pony, Dridex, ZeuS, Vawtrak, and many other families of malware. Even though PhishMe broke the code for them to use passwords, attackers of all shapes and sizes have continued to use macros.
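A mail gateway or analyst script can flag both delivery styles described above, an executable hidden in a ZIP archive and an Office document carrying a VBA macro, by looking at file content rather than the file name. The following is an added example, not part of the original article; the function names, finding labels and size limit are illustrative assumptions, and the samples are constructed, harmless bytes.

```python
import io
import zipfile

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
MAX_MEMBER = 20_000_000  # refuse to inflate huge members (zip-bomb guard)

def triage(name, data, depth=0):
    """Return a set of findings for one attachment (name + raw bytes)."""
    found, lower = set(), name.lower()
    if data[:2] == b"MZ":
        found.add("pe-header")
    if lower.endswith(EXEC_EXTS):
        found.add("exec-extension")
        if "." in lower.rsplit(".", 1)[0]:  # e.g. invoice.pdf.exe
            found.add("double-extension")
    if data[:8] == OLE_MAGIC:
        found.add("legacy-ole")  # may hold macros; needs an OLE parser to confirm
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:  # OOXML Office document
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                found.add("vba-macro")
            return found
        for info in zf.infolist():  # plain archive: inspect each member
            if info.flag_bits & 0x1:
                found.add("encrypted-member")
            elif info.file_size > MAX_MEMBER or depth >= 2:
                found.add("uninspected-member")
            elif not info.is_dir():
                inner = triage(info.filename, zf.read(info), depth + 1)
                found |= {"zip:" + f for f in inner}
    return found

def make_zip(files):
    """Build a ZIP in memory from {member name: bytes} (constructed samples only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed samples: harmless bytes that only mimic the file layouts.
DROPPER_ZIP = make_zip({"invoice.pdf.exe": b"MZ" + b"\x00" * 62})
MACRO_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"})
PLAIN_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})

if __name__ == "__main__":
    for label, blob in [("scan.zip", DROPPER_ZIP), ("order.doc", MACRO_DOC), ("cv.docx", PLAIN_DOC)]:
        print(label, sorted(triage(label, blob)))
```

The macro check keys on the `vbaProject.bin` part inside the document, so a macro-bearing file is still flagged when it has been renamed; a `legacy-ole` finding only says the older binary format is in use and needs a dedicated parser to confirm whether macros are present.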
It’s easy to use and it’s available to virtually anyone who knows how to compile it. The Pony malware has been utilised by threat actors of every level of sophistication for years and continues to be a direct avenue to stealing FTP, email, and online login credentials for threat actors.
Its most prominent usage this year has been as an intermediary step after victims engage with an Office document containing a hostile macro. This allows the threat actor to collect stored credentials as they push a more sophisticated financial crimes Trojan such as the Vawtrak or Neverquest malware.
Dridex has been one of the most prolific malware varieties since its debut in 2014. This financial crimes Trojan represents a continuation in development started with the Cridex Trojan that was very prominent in 2012 and 2013. Predominantly delivered by Office documents with downloader macro scripts, Dridex has hammered the United Kingdom and France, targeting online banking customers with extensive and sophisticated Web inject and login-stealing functionality.
Generic keyloggers are also a thorn in the side of many enterprises, as they can lead to accounts being used or stolen, and then used to spread even more malware. While not always the most advanced of malware, logging keystrokes is still a fairly large threat.
In 2015, many of these were delivered using phishing narratives related to requests for quotes and orders for large amounts of industrial materials. The likelihood that these messages might appeal to victims within an industrial firm makes keylogger malware an attractive tool for threat actors seeking to steal intellectual property and information related to large corporate accounts.
Tinba, or Tiny Banker, has been a staple of the threat landscape for years. Almost daily iterations of phishing campaigns attempt to deliver this malware using Polish-language messages. This malware, while not especially complex, allows for threat actors to collect online banking credentials from citizens of a growing Eastern European economy.
CryptoWall is a piece of ransomware that will encrypt a user’s files, and the files won’t be unlocked unless they pay the bounty. The attackers behind the CryptoWall campaigns used resume/CV-themed phishing emails, trying to fool a user into opening the fake resumes/CVs. CryptoWall would also be delivered via drive-by downloads, forcing even more users to pay the ransom.
CryptoWall likely represents the most successful encryption ransomware due to its continued success in the threat landscape. It has also succeeded in creating a recognisable branding that in later versions suggests being infected is akin to being welcomed into its “community”. Another encryption ransomware, TeslaCrypt, has even imitated the CryptoWall experience by borrowing much of its user interface from this popular ransomware.
Nine: Remote Access Trojan (RATs)
Both APT and amateur hackers have used RATs in order to infect systems. Once a system is compromised, this gives an attacker the ability to remotely log keystrokes, watch a person via their webcam, or remotely control their computer from a distance. Poison Ivy is one popular RAT used by attackers, and was one of the RATs used in the RSA attacks of 2011. Like many keylogger phishing campaigns, RATs are often distributed using industrial order phishing narratives that might succeed in landing the malware in an environment where the threat actor can gain access to industrial information or controls.
ZeuS – Even though Gameover ZeuS was taken down, the source code of some of its predecessors is still widely available. Threat actors with the cursory knowledge required to compile this malware and set up the necessary command and control infrastructure can use a ZeuS botnet to make quick money by compromising online banking accounts.
Neverquest / Gozi – One of the comeback stories of 2015, the Neverquest Trojan, also known as Vawtrak, represents one of the more successful financial crime malware families in today’s threat landscape. Derived from the Gozi malware of the late 2000s, this malware is currently being delivered using sophisticated Microsoft Office macro scripts and the Pony malware downloader.
Mydoom – A true testament to the fact that small, fast spreading viruses can be nearly impossible to squash, the Mydoom worm is still in circulation over ten years after its initial introduction.
Can we Make 2016 Safer?
The one thing all of these threats have in common is that the creator is reliant upon tricking someone into falling for a scam, or following a fake link, that inadvertently invites the malware into the network and allows it to deploy. There is no silver bullet for the phishing threat but that doesn’t mean we throw in the towel. A robust defence requires a blend of the right technology, combined with educating employees about threats and simple processes to report them.
Through education and application of threat intelligence, it is possible both to train people how to avoid falling for these phishing lures and to bolster an organisation's ability to effectively respond to relevant threats.
Rather than repeat the mistakes of 2015, let’s work together to be vigilant and make 2016 a safer year.