F-Secure's Threat Report H1 2013

24 September 2013

F-Secure's Threat Report for the first half of 2013 finds that the threat vectors have stayed much the same as in 2012, but have grown worse. Watering hole attacks and mobile malware are the report's two clearest examples.

Exploits lead the pack, and Java is the most exploited target: six of the company's top ten detections were exploits, and Java accounted for half of those. Exploits, of course, are the means rather than the end. They are one phase in the attack cycle, in which targets are driven to an exploit kit (EK) by email phishing or diverted to it through a watering hole attack.

Here F-Secure is scathing about the secrecy of 'several internet giants'. "The most notable information security occurrence of early 2013 is undoubtedly the hacking and breach of several Internet giants (Twitter, Facebook, Apple, Microsoft) and of numerous other Silicon valley companies via a watering hole at iPhone Dev SDK." The problem, however, is that these victims "kept and have continued to keep important details tightly under wraps."

As a result, the general public perception is that a number of individual sites were briefly hacked. But, says the F-Secure report, the key takeaway should have been this: "a dedicated group of criminals had managed to hack numerous Internet companies via a watering hole. The attack was targeted and required human labor – it wasn't automated crimeware." The implication is that where major hacks are concerned, serious criminal gangs are willing to spend more time and resources to achieve their ends.

F-Secure notes a similar 'same but worse' scenario in mobile malware. Mobile malware continues to increase, and Android remains the most targeted platform. The company found 358 new families and variants of Android malware in the first half of the year – almost doubling the total number. But confirming the warning delivered by ENISA last week, mobile malware is growing up. It is no longer, for example, just distributed via app stores, but is now also spread by malvertising and drive-by downloads.

It is also increasing in sophistication, and Stels is given special mention. "Stels", says the report, "is an Android trojan that serves multiple purposes—it can turn an infected device into a bot that becomes a part of a larger botnet, and it can act as a banking trojan that steals mobile Transaction Authentication Numbers (mTANs)."

But F-Secure also mentions two new developments. The first is that Stels now uses social media as part of its C&C process. The problem with a centralized C&C structure is that if the server is discovered and taken down, the criminals' access to the botnet is lost. "The Stels author(s) attempt to combat this issue by setting up a few Twitter accounts for the bots to check with to obtain a new C&C server address if the old one is no longer available."

This fallback has already been exercised by one Stels version that used the Russian microblogging service Juick rather than Twitter. In May 2013 the botnet owner lost control of one of his C&C servers; Stels then queried Juick and received a new encrypted URL to use as an alternative C&C server.
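The fallback F-Secure describes leaves a footprint that a defender can look for in egress logs: a device that repeatedly fails to reach one host, then fetches from a microblogging service, then immediately starts talking to a host it has never contacted before. The following is an added example of that detection heuristic, not code from F-Secure's report or from this article. The log format, the device names and the hostnames are constructed for the demonstration, and the dead-drop domain list and the thresholds are assumptions an analyst would tune to their own environment.

```python
"""Flag the 'dead-drop resolver' fallback F-Secure describes for Stels: a bot
that loses its C&C server asks a social-media account for a new address and
then contacts a host it has never spoken to before.

Added example for this article, not F-Secure's or the malware author's code.
Everything in SAMPLE_LOG is constructed; DEAD_DROP_DOMAINS and the thresholds
are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Services the report names as dead drops (assumption: a real list would also
# cover every API hostname the client libraries actually use).
DEAD_DROP_DOMAINS = {"twitter.com", "api.twitter.com", "juick.com", "api.juick.com"}

# Constructed egress-proxy log: "<ISO timestamp> <device> <destination host> <outcome>"
# phone-17 loses its C&C, asks Twitter, and moves to a new host (should alert).
# phone-22 merely browses and checks Twitter (should not alert).
# phone-09 loses its C&C but never consults a dead drop (should not alert).
SAMPLE_LOG = """\
2013-05-14T08:00:01 phone-17 cnc-old.example 200
2013-05-14T08:10:02 phone-17 cnc-old.example FAIL
2013-05-14T08:20:03 phone-17 cnc-old.example FAIL
2013-05-14T08:30:04 phone-17 cnc-old.example FAIL
2013-05-14T08:30:09 phone-17 api.twitter.com 200
2013-05-14T08:30:15 phone-17 cnc-new.example 200
2013-05-14T08:31:00 phone-22 www.example.org 200
2013-05-14T08:31:05 phone-22 api.twitter.com 200
2013-05-14T08:31:10 phone-22 www.example.org 200
2013-05-14T09:00:00 phone-09 cnc-old.example FAIL
2013-05-14T09:05:00 phone-09 cnc-old.example FAIL
2013-05-14T09:10:00 phone-09 cnc-old.example FAIL
2013-05-14T09:10:05 phone-09 cnc-old.example FAIL
"""


def parse_log(text):
    """Return (timestamp, device, host, outcome) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, outcome = line.split()
        events.append((datetime.fromisoformat(ts), device, host, outcome))
    return events


def find_dead_drop_fallbacks(events, min_failures=3,
                             lookup_window=timedelta(minutes=10),
                             new_host_window=timedelta(minutes=10)):
    """Correlate, per device: N consecutive failures to a host, a dead-drop
    lookup shortly after, then a successful first contact with an unseen host."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev[1]].append(ev)

    alerts = []
    for device, evs in by_device.items():
        evs.sort()
        seen_hosts = set()          # hosts this device has reached successfully
        fail_streak = {}            # host -> (consecutive failures, time of last failure)
        pending = None              # (lost host, time of dead-drop lookup)
        for ts, _, host, outcome in evs:
            if host in DEAD_DROP_DOMAINS:
                # A resolver lookup only matters if some host just went dark.
                for lost_host, (count, last_fail) in fail_streak.items():
                    if count >= min_failures and ts - last_fail <= lookup_window:
                        pending = (lost_host, ts)
            elif (pending and outcome == "200" and host not in seen_hosts
                  and ts - pending[1] <= new_host_window):
                alerts.append({"device": device, "lost_cnc": pending[0],
                               "new_cnc": host, "time": ts.isoformat()})
                pending = None
            if outcome == "200":
                seen_hosts.add(host)
                fail_streak.pop(host, None)   # a success ends the streak
            else:
                count, _ = fail_streak.get(host, (0, ts))
                fail_streak[host] = (count + 1, ts)
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_fallbacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

The heuristic is deliberately narrow: a device that browses to Twitter after an unrelated outage will not trip it unless it then contacts a never-before-seen host within the window, and the "first contact" test is what separates the C&C migration from ordinary browsing. In practice the dead-drop list, the failure threshold and the windows need tuning against a baseline of the fleet's normal traffic.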

The second new development for mobile malware is that Stels has been delivered via IRS-themed spam sent by the Cutwail botnet. "A user who clicked on the link on an Android device was directed to a web page asking him to update the Flash Player application. The ‘update’ which the user ended up with is actually the Stels trojan."

If there is one single message from F-Secure's Threat Report for the first half of 2013 it is this: the threats remain broadly similar to those of 2012; but the actors are getting more sophisticated and more professional, and the threats are getting more dangerous.
