2014 and Beyond Online Threat Report

As the end of 2014 is approaching, it is time to look back at some of the big security threats and incidents that took place this year.

Unsurprisingly, attackers have gotten more sophisticated and have gone after bigger targets. Indeed, many small and medium-sized businesses as well as large organisations fell victim to spear phishing attacks and security breaches.

Also, our faith in security standards was severely tested with decades-old vulnerabilities uncovered in major pieces of software that we all rely upon. In many cases, they led to a frenzy of attacks that took advantage of vulnerable systems.

Again, privacy (or the lack of it) was a major source of protests and forced industry giants to beef up their services and provide end-to-end encryption to respond to consumers’ demands, to the great distress of many three-letter agencies.

This is also a good time to stop and give some thought to what we think might happen in the new year. The so-called ‘security predictions’ are an iffy topic in this industry.

These words make some people cringe, while for others they are a source of entertainment.

But security, much like defending against malware, isn’t just about responding to attacks as they come. Anticipating future threats and how to deal with them is an essential part of being prepared and responding well to what might, may or will happen.

2014 in review

There are so many topics to choose from when reflecting on this past year and we can clearly say that the bad guys have kept us very busy on several fronts.

The quantity of new malware samples keeps on growing at a fast pace and the cat and mouse game between security vendors and malware authors is still a daily challenge for both sides.

Unfortunately, this isn’t the only worry when it comes to keeping your computers, phones and tablets secure. Severe vulnerabilities and zero-days show the limits of traditional reactive solutions which, while effective, just don’t cut it.

Scams and fraud through social engineering have reached whole new levels. While malware is most feared, potentially unwanted programs and social scams can be just as nasty and leave your wallet a little lighter.

Now let us dig into some of the hottest topics of these past months.

Data breaches: When it rains, it pours

 Just like in 2013, large security breaches have made the news all throughout the year, so much so that people have started to complain about ‘breach fatigue’ syndrome.

The massive Target breach was followed by countless others: Home Depot, Michaels, Dairy Queen, Goodwill, Neiman Marcus, JP Morgan Chase, etc., where customer information, including credit/debit card data, was stolen by Point of Sale (PoS) malware.

Security journalist Brian Krebs was busy keeping tabs on all these breaches. The use of outdated and insecure terminals, the lack of chip and PIN technology, as well as social engineering are some of the factors contributing to data breaches.

Cyber-criminals have been keen on targeting PoS systems with purpose-written malware designed to remain stealthy yet exfiltrate sensitive information.

It’s worth noting that nation states are also allegedly involved in data breaches, albeit for other motives such as gathering competitive intelligence or details about critical infrastructure.

Zero days and other vulnerabilities

 Major vulnerabilities discovered in 2014 were quickly exploited and the bad guys wreaked havoc on thousands of web servers. More generally, these finds have shaken the trust we place in our devices and technologies.

These flaws were also given interesting names that make them hard to forget: Heartbleed, ShellShock, POODLE.

The OpenSSL zero day known as Heartbleed was particularly scary because it allowed an attacker to view and steal passwords or encryption keys from a server without being noticed.

It also sparked some conversations about whether open source was truly more secure than closed source. After all, these bugs had been lying in plain sight for a number of years without anyone noticing.

On the exploit front, several zero days such as CVE-2014-0515 were used in watering hole attacks before being integrated into mainstream exploit kits.

Overall, bad guys have become quicker at adapting zero days or new vulnerabilities, sometimes in a matter of days, as with the Flash vulnerability CVE-2014-0569 in the Fiesta EK.

Malvertising: Trouble in the ad industry

Malicious ads are a major source of traffic for exploit kit operators: they affect popular sites and go undetected for several hours.

The complex and layered structure of the ad business, coupled with the ease of use and anonymity given to advertisers to bid on impressions, makes for a dangerous mix.

Moreover, the line between legitimate and fraudulent can get very blurry. We caught several ad agencies spreading malware under the table while the big bucks rolled in.

Even legitimate ad networks such as Google’s DoubleClick.net can get caught up in malvertising. Last September, a massive malvertising campaign leveraged DoubleClick to infect users who were browsing mainstream sites.

Tech support scams: How much is enough?

Tech support scams have reached a new high (or low, depending on your point of view).

The classic cold calls from India still happen but are being pushed aside by a flurry of new tricks involving phishing, scareware pages and bogus registry cleaners.

We discovered a Netflix phishing scam that not only stole the victim’s credentials but also tricked them into calling a 1-800 number to unlock their account. Once on the phone, users were social engineered into paying hundreds of dollars to fix non-existent problems.

Finally, we uncovered and went after US-based companies that operated large call centres and were duping seniors and non-computer-savvy users into purchasing premium support packages.

The battle to stop these crooks is hard but progress was made to send a clear message to these scam artists.

Mobile malware

Mobile malware is often underestimated because many people don’t realize that a phone can become infected like a ‘computer’, which is ironic since phones are technically computers albeit with their own operating system.

Yet more and more people spend more time browsing on a smartphone or tablet than they do on a desktop. That includes doing online banking, storing sensitive information, etc.

This year we saw the ‘port’ to mobile of some of the worst Windows malware such as scareware and ransomware, for instance with Koler, the Police Locker. As usual, Android remains the main target for malware authors who manage to shove malicious apps on the Play Store.

Gaming the gamers

Gamers are not exempt from malware threats despite efforts from gaming companies to protect their customers.

The bad guys are creating malicious applications to bypass security defences and disguising them as patches or validation tools. This was the case with fake Steam Guard files that circulated and stole users’ passwords and other details.

Steam was at the forefront many times this year, and more recently with fake screensaver files that circulated through Steam Chat. Unsuspecting gamers who were fooled into opening the ‘picture’ ended up with a nasty Trojan on their PC.

Looking ahead: 2015

Ah, the security predictions! Everybody loves them, don’t they? Well, we’re not going to use our crystal ball for this one, but instead we, bloggers at Malwarebytes Unpacked, shared some of our thoughts on the trends we think will be most noticeable.

On the mobile side, we expect ransomware to be a major issue. We have already seen mobile malware variants that encrypt phone data and demand payment to retrieve it. Pre-existing phone backup options will make this threat less severe; however, many users still might be willing to pay to get their data back.

With more people using mobile devices to bank, mobile banking is becoming a more popular target for malware authors to exploit. Creating a fake site that looks like a mobile banking site may be a bit easier for cyber criminals, since many mobile sites are kept limited to keep their data processing low.

In the exploit kit world, there will be more fileless payloads. In an effort to circumvent detection, a special breed of malware doesn’t leave a physical file on the system but rather only runs in memory. This will likely be a trend adopted by new and existing exploit families in 2015, and the antivirus and anti-malware communities will have to quickly adapt to contain the wave.

We expect a major Internet of Things (IoT) attack in the new year against an Internet connected device that was previously not connected. Take for example a thermostat that can be controlled over the internet.

Cloud security is now more important than desktop security because users are uploading tons of personal data like images or documents to ‘cloud’ storage. This makes it easy for an attacker to gain access if they are able to compromise the account. In addition, with the trend of users making purchases, downloading games, songs, movies, etc. through cloud services, the attractiveness of these accounts has increased and we will see more of an effort against gamers and video/music streamers.

Potentially Unwanted Programs (PUPs) are a nuisance to the modern user because of their high requirements for system resources and constant bombardment of advertising. However, we have seen numerous instances this year of PUPs actually going a step further and installing near-malicious and full-malicious software on the host system. This trend may very well become more prevalent in the coming year as the war against junk software leads some developers to dabble in illegal activities to make a profit.

Phishers will continue to use sophisticated and effective tactics to get users to hand over their information. It’s also highly likely that, due to the bombardment of personal-information-stealing breaches at large companies, the pool of spear phishing targets will be larger and not just limited to a select few (like executives).

Accomplishments

 It can be quite depressing to read about security news, but the fight against malware continues more than ever.

While cyber crime pays, it can also land you in jail. Some notable achievements were made in 2014.

We saw the arrest of an entire network responsible for the Blackshades malware, as well as the Shylock banking Trojan. Operation Tovar went after the Gameover ZeuS botnet and caused disruption while also helping people to recover their encrypted files (CryptoLocker).

The FTC investigated several tech support scammers and shut down a Facebook/Microsoft scam, and more recently announced a temporary restraining order against two Florida-based companies accused of robbing $120 million from their victims.

Perhaps the single most important element in the fight against cyber-crime is the end user. By practicing safe computer habits and protecting themselves with the right tools, people can greatly affect the outcome.

What about you? What do you feel will be the big thing in 2015? Feel free to share your thoughts in the comments section below.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher