In the first part of our little blog series on the basics of malware, we’ve been dealing with the terminology of viruses, worms, etc. We discovered that the types of cyberattacks have changed considerably over the years. Until a few years ago, relatively simple spam messages and viruses were widely distributed according to the minimax principle (minimum effort at maximum range). Today, attacks are more sophisticated and unique. This is because defense mechanisms have adapted and the detection of waves of mass spam and viruses has been significantly improved. But before this multi-part series explores how malware can be analyzed and fended off, let’s shed light on who’s behind all these attacks.
The stereotype of a hacker looks something like this: A pale, hoodie-wearing, single man sits in a dark basement while eating pizza and drinking cola. From here, he is hacking code into a computer and attacks his targets. The reality of it is much more complex. Nowadays, cyber-attackers are acting like small businesses – they consist of teams whose members specialize in subtasks and who professionally distribute their “goods”. After all, this industry has become a highly lucrative field of activity and cybercrime revenues are said to be even higher than in worldwide drug trafficking.
More than just nerds sitting in basements
To security professionals’ dismay, there are a large number of varying cybercrime groups. To complete the list thematically, we therefore also have to include the field of cyberwar. The goals of this group of people are often not monetary, but ideological.
The following list shows some groups that most cybercriminals can be divided into:
This group includes all those who pursue purely economic goals with their cyber-attacks. Their aim is to generate the highest possible amount of money – in whatever form. In addition to banking trojans and spyware, they also use ransomware attacks or crypto mining malware. The sale of stolen data and information should also be mentioned: Selling lists of emails or other personal information, botnets and other content can be highly profitable. Even the sale of malware itself falls into this category: attacks are offered as a service, so that even technically less experienced or less-equipped people can launch attacks. This could be in form of a new ransomware, but also in form of a simple DDoS attack on companies, organizations and government agencies.
Stay in touch
Sign up to get the latest News about Cloud Security.
These are actors that can be attributed to national governments. One of their main goals is to improve the situation for their own country, be it through hacker attacks or through sabotage, classic espionage or the infiltration of opponents.
Although these activities are not openly communicated by individual countries, they are still an open secret. As a result, individual countries repeatedly blame each other for these attacks – currently the American FBI and the British National Cyber Security Center (NCSC) accuse Russia of being responsible for a large-scale cyberattack in which hackers have infiltrated network infrastructures on a large scale. By the way, the two authorities are using the cyber kill chain as an explanation.
To combat crime and terrorism, authorities are actively using certain programs to spy on target persons and obtain information relevant to investigations. The Federal Trojan, which is allegedly already in use, is such an example. Officially, the state organs are subject to the legislative and judiciary, but in reality, this control has gaps.
Some state institutions even gather their own knowledge about security holes without allowing them to be closed so that they may be able to exploit them for themselves. The problem is that if these so-called zero-day exploits fall into the wrong hands they can then be misused – as it happened in the ransomware attack WannaCry, in which an exploit that was probably lost by the NSA, was used by North Korean hacker groups.
Activists, political groups
This group of cyber criminals, also known as “hacktivists”, conducts cyberattacks based on their ideological views. Victims can include private companies, politicians or state organs. They try to enforce their political, social or other ideas through their attacks. In addition to classic hacking, DDoS attacks are used as well.
Hacktivists include the groups Anonymous, WikiLeaks and LulzSec.
The private sector is not immune to the activities of cybercrime. Generalized as industrial espionage, the goal of this group of attackers is to spy on their competitors, gain information, and use it for their own benefit.
Vandal / “jesters”
These attackers do not set strategic goals for their cyber-attacks – they are more concerned with satisfying their curiosity, trying out new ideas, and gaining recognition for their achievements. It might also be the pure pleasure of destruction that drives this group of people.
There are also people who are actively looking for vulnerabilities in IT infrastructures to increase the security of IT systems. These experts can be found in public institutions such as universities and public authorities, but also in private companies in so-called “security labs”. The difficulty sometimes lies in cybercriminals being able to misuse and exploit these published findings for their own purposes.
Money is the main driver
The main motivation behind the attacks is highly interesting: According to a recent survey by telecommunications provider Verizon, 76% of all security breaches last year were financial in nature, followed by espionage activities, “fun motives” and personal aversions. Another very interesting statistic from the Verizon study: 28% of all data breaches were carried out by internal staff.
The next part of our series will explore how malware analysis works and how to develop defense strategies based on these findings.
Cybercriminals are currently trying to obtain sensitive data from ING-DiBa customers with dubious fake emails. The fake email claims that a problem has occurred during a routine security check of the online banking system. It advises that customers should immediately log on to an external website to avoid troubles with their bank.
However, in reality, this is a phishing attack that tries to collect personal information. In the following blog article, you will learn in detail how to protect yourself from fake emails or phishing attacks.
The fake email from our example
A German ING-DIBA fake email (click for zoom)
The adjacent picture shows the detailed structure of the fake email – allegedly sent by ING-DiBa – in an iPhone mailbox. In fact, the email is part of a mass phishing attack and the message was sent fraudulently to a variety of email recipients.
For example, the subject line states “For Your Safety (Reference Number: xyz)”, and the presumable arbitrary order of the combination was set to “kx5qrvnzx3h” in this case. Before we blackened the personal information for reasons of data protection, we noticed that both the recipient’s address and the sender’s address had the same information. This was already a first indication of a fake email.
This scam is not uncommon amongst perpetrators when it comes to gathering information about their randomly selected victims via phishing. Those affected are especially inclined to follow the attached link if the phishing or fake email is opened on a mobile device, as it is in this case. This is particularly true if they are actual customers of the bank mentioned in the email.
In everyday life, too, recipients of phishing emails are also quick to follow the link when receiving such an email. The attacker offers the targeted person appropriate options in case a recipient does not have an account with ING-DiBa. In our example, the recipient has the opportunity to follow a flashy red button and allegedly communicate that he is not a customer of ING-DiBa. The destination of the link, however, is a phishing website, which is intended to tap user data in a big way from the mostly unsuspecting victims. The fake security notification of ING-DiBa is not an isolated case.
6 tips to detect phishing or fake emails
With the following tips, you will be able to detect phishing or fake emails to protect yourself from being affected by such attacks.
Feature No. 1: The salutation
It is striking that either a standard phrase is used to address the target person, or the salutation is completely missing. Very rarely recipients of phishing emails are addressed with their whole name. This is due to the fact that fake emails are not isolated cases, but often automated emails which are sent out millions of times. Individual addresses are rather the exception. In our example there was no address at all.
Once the victim has entered his details into the according form fields and pressed the confirmation button, the cybercriminal is in possession of the login details. Now he can make orders in online shops under false names or get access to sensitive account or company data. The phishing attack has been successful.
Stay in touch
Sign up to get the latest News about Cloud Security.
Feature No. 2: Content of the email
A phishing mail is contextually designed to hide the true intentions towards the recipient at least until he first clicks on one of the attached links. These following baits are very popular with cyber crooks:
- Fake emails in the form of alleged PayPal security notifications
- Phishing emails which seem to come from banks or other institutions
- Fake email notifications that seem to come from Amazon or Ebay
- Fake security issues in social media accounts that need to be resolved promptly
This shows that cybercriminals are very creative when it comes to fooling their victims.
Feature No. 3: The call to action
Once the attacker has created and sent out his fake email, he urges the recipient to act. In this specific case, the targeted person is initially led to an external page by clicking on a link. This page usually resembles closely the login area of a bank, an online retailer or any other company that offers certain Internet services.
Feature No. 4: The time shortage
An effective means often used by attackers is the limitation of time. This is an attempt to put the victim under stress and distract it. In our example, this is stated as follows: “Please log into your account as soon as possible to avoid any delay in your banking activities.”
Fear-spreading phrases in the subject line, such as “Your account has been suspended” or “An amount has been debited from your account” are also quite popular and common. These sentences cause some recipients to panic, so they follow the attached link without much thought.
Feature No. 5: Questionable buttons and links
In order to successfully carry out the process of phishing, a related link in text or button form is part of the standard repertoire of any phishing or fake email. This is also the case in our example.
Therefore, when it comes to questionable security queries that have a link, we recommend that you do not access these links from your email program. Instead, you should always directly log in to your user accounts via a browser or via the official website of the provider. This applies to online services of any kind.
Feature No. 6: This is how reputable companies and institutes work
As far as the detection of phishing emails or fake emails is concerned, it should always be remembered that reputable companies or institutes would never ask you to disclose personal information via email.
For this reason, various banks regularly point to the problem of fake emails or the so-called phishing mails. One bank states for example:
“Volksbank Raiffeisenbank or BVR will never ask bank customers for personal information such as PIN or account number via email. Neither will we insert a link to online banking in emails or ask bank customers to make test or remittance transfers. These practices are always indicators of attempted fraud.” (Source: Volksbank Raiffeisenbank)
Therefore, you can delete such an email immediately. This is ultimately the simplest way to counter a phishing attack.
Additional service information