1: Wanted: Data-stealing rogue mobile app
Wanted For: Falsely impersonating brand, data theft, and brand damage
Modus Operandi: Threat actors leverage rogue versions of brand name mobile apps to gain access to their intended victims' tablets and mobile phones. They can accomplish this in two ways:
1. Threat actors can download a brand's legitimate mobile app, modify it with permissionware (i.e. packages of permissions used to access sensitive data), malware, spyware, or adware, and then repackage and upload it.
2. Developers can build their own apps that copy branding information such as trademarked content and logos, imitate functionality, or claim to provide services on top of the brand’s mobile app (e.g. a login aggregator app claiming to be a partner of banks).
Last Seen: One of the most publicised examples was an incident known as 'the Snappening'. It turns out, there were almost 700 rogue Snapchat mobile apps, 75 per cent of which were available for download outside of Google Play and The App Store. Threat actors breached one of them to access photos from thousands of Snapchat users.
2: Wanted: Malvertisement
Wanted For: Distributing malware via exploit kits, fake software updates, and scareware software packages
Modus Operandi: Threat actors use digital ads to drop exploit kits or serve fake software updates and scareware on victim devices. The most common entry point is via programmatic platforms, which are SaaS-based advertising portals. These portals allow the threat actor to program ad distribution campaigns autonomously.
Malvertising appeals to threat actors because advanced ad targeting technology enables them to choose highly targeted audiences. It also offers the ability to scale those audiences across multiple digital properties.
Last Seen: One of the most well-known examples is the Kyle and Stan malvertising campaign. It spread malvertisements across web properties and used different malware variations to target both Mac and PC users.
3: Wanted: Domain infringement
Wanted For: Hosting malware, phishing, redirecting to traffic distribution networks, personally identifiable information (PII) theft.
Modus Operandi: Threat actors use brand-infringing domains as platforms for launching cyber-attacks on customers, employees, and end-users. They target a specific brand using either the name of the company in the domain (log-in-page-brandname.com), a variation of the spelling of a brand (favebook.com), or the brand name and an uncommon TLD (brandname.net, brandname.de, brandname.party). The domain can resolve to or create redirections to hosts serving up malware, dropping exploit kits, hosting fake login pages, and offering customer surveys phishing for PII.
Last Seen: In both the Premera Blue Cross and Anthem breaches, emails sent to employees contained typosquatted domains that redirected to malware.
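The three domain patterns described above (brand name inside a longer domain, a spelling variation, and the brand on an uncommon TLD) can be checked mechanically when triaging newly observed domains. The following Python is an added example, not part of the original article; the function names, the `official_tlds` parameter and the sample domains are assumptions constructed for illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, official_tlds=("com",)):
    """Return the infringement pattern `domain` matches for `brand`, or None.

    Simplification: the last label is treated as the TLD, so multi-label
    suffixes such as co.uk need a Public Suffix List lookup in real use.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    brand = brand.lower()
    tld, name = labels[-1], labels[-2]
    if name == brand:
        # Exact brand label: suspicious only on a TLD the brand does not use.
        return None if tld in official_tlds else "brand-with-uncommon-tld"
    if any(brand in label for label in labels[:-1]):
        # Brand embedded in a longer name or a subdomain label.
        return "brand-in-domain"
    # Single-character edits only, and only for brands long enough that
    # one edit is unlikely to produce an unrelated real word.
    if len(brand) >= 5 and any(edit_distance(t, brand) == 1 for t in name.split("-")):
        return "spelling-variation"
    return None

def triage(domains, brand, official_tlds=("com",)):
    """Map each suspicious domain to the pattern it matched."""
    hits = {}
    for d in domains:
        pattern = classify(d, brand, official_tlds)
        if pattern:
            hits[d] = pattern
    return hits

# Constructed sample input, e.g. domains seen in mail or proxy logs.
SAMPLE = ["brandname.com", "log-in-page-brandname.com", "brandname.party",
          "brandnane.com", "example.org"]

if __name__ == "__main__":
    for domain, pattern in triage(SAMPLE, "brandname").items():
        print(f"{domain}: {pattern}")
```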
4: Wanted: Rogue social profile
Wanted For: Falsely impersonating brands, executives, and VIPs; data theft; brand damage; posting links to sites hosting malware and redirecting links to hosts serving malware
Modus Operandi: Threat actors can capture traffic headed for the social profiles of brands and their executives by setting up fake look-alike profiles on various social media platforms, which mislead their victims. An example would be a Twitter profile claiming to be customer service for a bank. These profiles can also be used to post links that redirect to phishing, hosts serving up malware, traffic distribution networks, and click fraud networks.
Last Seen: There has been an increase in LinkedIn-based attacks. Cyber criminals create fake recruiter profiles and connect with employees at target organisations to collect information they can use in spear-phishing email attacks.
5: Wanted: Phishing
Wanted For: False brand impersonation, login credential theft, spamming, and granting privileged access to sensitive environments
Modus Operandi: Threat actors use phishing to capture login credentials with alarming proficiency. Trillions of email abuse messages circulate the Internet every day targeting organisations, their employees, and their customers. Phishers can also carry out their attacks via social media and mobile, as a multichannel approach helps them scale their attacks to overwhelm the controls most organisations have had in place for over a decade.
Last Seen: Tax season is a particularly busy time for threat actors active in phishing — the IRS reported a 400 per cent surge in phishing emails in 2016. But phishing isn’t only a problem for government organisations and financial institutions (financial institutions have traditionally been the main target); it was recently reported that individuals are four times more likely to receive a phishing email from their healthcare provider than a social media company.
6: Wanted: Malware
Wanted For: Illegally downloading unwanted and dangerous programs onto victim machines that steal data and credit card information, log keystrokes, encrypt files and ransom keys, and spy on users
Modus Operandi: Malware does a lot of the dirty work that powers the criminal underground and nation-state threat actor groups. There are several variations of malware threat actors can deploy for a myriad of nefarious purposes. The most common types of malware used in external threats are commodity exploit kits and Remote Access Trojans (RATs) spread via drive-by downloading software, fake software updates, and fake antivirus software known as ‘scareware’.
Instead of monetising solely from stolen information, threat actors earn a living distributing malware. The system works on a pay-per-installation model, which means they get paid when the malicious code is installed on a victim’s machine successfully. The malware distribution group may be responsible for developing the exploit kit or RAT, but not necessarily—exploit kits and RATs are available for purchase on the dark web.
Ben Harknett, VP EMEA, RiskIQ