In the study, McAfee notably discovered the first increase in global spam volume in more than three years – it nearly doubled in Q1 2013, though perpetrators appear to be targeting regions with specific scams in hopes of duping new victims.
For instance, the pump-and-dump scam is back for penny stock trading. Spreading the word that a certain stock is about to explode lures victims to buy it, thus inflating the stock price. When it reaches a certain high, the perpetrator sells, causing the stock to collapse. This is particularly prevalent in North America. “We haven’t seen this in a widespread way since 2007,” said Adam Wosotowsky, messaging operations architect for McAfee, in an interview with Infosecurity. “It had disappeared for a long time because of FBI investigations. Perhaps now they have a different way of hiding themselves.”
Spam levels are also being especially driven by so-called “snowshoe spam,” a semi-legal grey area. Like a snowshoe spreads the load of a traveler across a wide area of snow, avoiding sinking, snowshoe spamming spreads its activities across many IPs and domains, in order to dilute reputation metrics and evade filters. Shady marketing companies claim to have millions of opt-in email addresses, luring popular, legitimate businesses to sign up. According to Wosotowsky, those include a satellite TV company, a cigar company, furniture-sellers and some popular restaurants. Snowshoeing has also become the method of choice for drug spam, especially human growth hormone, diet remedies and generic pharma.
“These spammers have various hosting companies, register thousands of domain names and send out millions of mails per hour,” said Wosotowsky. “Then they’ll go quiet for a while so they don’t get kicked out of their servers. But if you’re in the cross-hairs you could be receiving 50 emails a day, easy. We expect to see this continue to rise because it’s cheaper than spamming via botnet.”
McAfee also noted a surge in Master Boot Record (MBR) attacks, where the goal is to infect a machine’s storage system, and from there take control of the entire device. The appearance of MBR samples increased more than 30% in Q1. MBR corruption was popular in the '80s and '90s, but there has been a gap in MBR infections until now, Wosotowsky said.
Meanwhile, Koobface, a worm first discovered in 2008, has been relatively quiet for the last year. But discoveries of the worrm tripled in the first quarter of 2013 to levels never previously seen. And the other retro-threat that spiked in Q1 was the discovery of Autorun samples. Traditionally, Autorun worms were distributed via thumbdrives or CDs, McAfee noted. They are particularly useful to cybercriminals because Autorun worms can be used to install backdoors or password stealers on infected machines. The new spike in Autorun discoveries is likely being driven by the popularity of cloud-based file sharing services, the firm postulated.
Conversely, many previously “hot” trends have slowed, McAfee found. However, they’re being retooled for new use, the company warned. “These particular trends, however, do not mean that cyberspace is becoming safer,” McAfee said in the report. “On the contrary, when combined with other trends observed in the first quarter, it would appear that the cybercriminal community is becoming smarter and more disciplined as it develops a preference for more targeted attacks aimed at specific communities or geographies. Like all businesses, cybercrime syndicates desire to optimize their efficiency and profits. The observed trend towards more targeted attacks would seem to indicate that the global threat landscape is moving in a new and more dangerous direction.”
A primary example of this would be the Citadel trojan. Originally designed to steal currency from very specific banks, Citadel has been “updated” so that it can be used to extract personal information from targeted victims.
Also, while the absolute count of new Android samples increased 40%, this represented a 10% decrease in growth rate compared to Q4 2012. That may be reassuring for mobile users, but Wosotowsky pointed out a rise in multiscreen threats – one vector, say the PC, is used to infect another, such as a tablet. “We will continue to see different aspects of malware working together,” Wosotowsky said. “If both PC and phone infected, then hackers can get around two-factor authentication. This is the type of thing we’ll see more of.”
That’s not to say that there aren’t new threats to worry about. Wosotowsky noted there is notable growth in targeted, high-value espionage campaigns as profitability increases for advanced persistent threats.
“People traditionally sell pure botnet logs,” noted Wosotowsky. “Over the course of the day, the data about what a group of users were doing – he used this user name and password on this website, he sent this IM – is collected into logs that are parceled into 100MB chunks. They would be sold and the hacker that bought it would write a script to extract user names and passwords from the raw data. Prices hover around $10 per 100MB, and they have gigs and gigs to sell.”
However, if that’s the value of random data, consider the margins involved in more targeted assaults, he noted. “When it comes to corporate espionage, attackers in this case can be very very patient. They’re expecting a $1 million or even $10 million payoff, so if they spend years to get the information, they’re still making massive profits.”
Thanks to the rise in such persistent threats, McAfee also expects continued development of rootkit exploits. “When it comes to persistent threats, the rootkit is where it’s at,” Wosotowsky said. “Even if you clean off the trojan responsible for the infection, rootkits hide subtly under the layers of the computer and have just enough functionality to get the infection going again. That’s a big place for a lot of skillful development to start appearing out of the malware community.”
Also, the market can continue to see the evolution of the “malware for dummies” approach. “A lot of the viruses written in the '90s hinged on a piece of monolithic code – it just went out to replicate itself, and experts wrote it,” explained Wosotowsky. “Experts are writing the equivalent of SDKs now, and that means that hackers with no real [coding] knowledge can build whatever threat they want.”
The SDK approach allows would-be criminals to use point-and-click interfaces to build a trojan or compromise a web page to serve drive-by downloads, for example, with just a freshman level knowledge of HTML. “This is leading to threats being combined in new ways, and for there to be more of them,” Wosotowsky noted.
It wasn’t all bad news. In the plus column, the number detected malicious web URLs increased 12% in Q1, but the growth rate, which was above 80% in Q4 2012, fell nearly 40 percentage points. Even though McAfee added more than 14 million new malware samples to its index, the growth in known PC-targeted malware fell in the quarter to hit 28%, compared to 38% in Q4 2012. The growth rate in the sheer volume of password stealers, ransomware and fake anti-virus gambits were in particular relatively flat in the first quarter.
In all, to combat this evolving threatscape, the company advocates a layered endpoint protection approach, as well as equipping security administrators with more functional report and response tools. “This evolving security cockpit…will be increasingly important to allow practitioners to respond rapidly and effectively to the newly emerging targeted attacks,” the company said.