We analysed over 200,000 ad campaigns across multiple GEOs, devices and browsers between 1st January and 31st March. Check out our findings and insights into cyber-criminal behaviour during Q1.
Cryptojacking, the practice of exploiting a computer's processing power to mine cryptocurrencies without the owner's consent or knowledge, appears to be the new Eldorado for cybercriminals after its popularity exploded last autumn.
Fast forward to 2017 and the cryptocurrency industry has changed drastically: more than 1,000 altcoins are available, the total market capitalization has skyrocketed to more than $150 billion, and the revival of in-browser mining through services like Coinhive, JSEcoin, Cryptoloot and similar copycats has certainly provoked cybercriminal interest.
From the original idea of providing webmasters with a monetization alternative to regular display ads, to the usage we see today, this post reviews a few examples of deceitful and malicious implementations uncovered during the last few months:
Coinhive & co:
It comes as no surprise that WordPress websites would be among the platforms to fall victim to cryptojacking. According to security researcher Troy Mursch of Bad Packets Report, around 30,000 WordPress sites were infected with cryptomining scripts in November 2017, and that number has been growing steadily to reach more than 50,000 in March 2018. The figure covers WordPress websites where mining scripts run quietly in the background: for some, the integration was done by the publisher; the rest were either compromised or hijacked by plugins such as "Animated Weather Widget by weatherfor.us", which sneakily inject a mining script to make money from visitors' computer resources, needless to say without the publisher's knowledge.
Cryptojacking is not limited to websites: browser extensions have also been caught mining cryptocurrency on thousands of computers. For example, "Archive Poster", a browser extension designed to help Tumblr users perform various tasks, remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of its 100,000+ users. After multiple user reports, followed by media coverage of the issue, the extension was removed.
In another example, which took place in December at a Buenos Aires Starbucks, a customer using the public wi-fi discovered that someone had manipulated the wi-fi system, delaying the connection in order to mine Monero on shoppers' devices. CoffeeMiner uses a man-in-the-middle (MITM) attack to hijack users connecting to wi-fi hotspots and injects mining code into all HTML pages requested by those users.
In the second part of this blog post, we'll cover more cases describing how cryptojacking has quickly become a favorite revenue stream for cybercriminals.
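Both the plugin case (a mining script planted in the site's own HTML) and the hotspot case (a script injected into every HTML response on the wire) leave the same trace in the page a browser receives: a script tag loading a mining library, or an inline snippet instantiating a miner. The scanner below, an added example that is not part of the original post or of any product it mentions, extracts the script tags from a fetched HTML document and flags the ones matching a watch list. The domain and indicator lists are assumptions for the example (in practice they would come from a maintained blocklist), and the sample pages are constructed.

```python
"""Defender-side scan of an HTML document for in-browser mining scripts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists for the example, drawn from the services the post names.
MINER_DOMAINS = {"coinhive.com", "jsecoin.com", "crypto-loot.com"}
INLINE_INDICATORS = ("CoinHive.Anonymous", "CoinHive.User", "CryptoLoot.Anonymous")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _on_watchlist(host):
    # Match the domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in MINER_DOMAINS)


def scan_html(html):
    """Return a list of (kind, detail) findings; an empty list means nothing matched."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # netloc is empty for same-origin paths such as /wp-content/x.js;
        # strip credentials and port so only the hostname is compared.
        host = urlparse(src).netloc.lower().rsplit("@", 1)[-1].split(":")[0]
        if host and _on_watchlist(host):
            findings.append(("external-miner", src))
    for body in parser.inline:
        hits = [ind for ind in INLINE_INDICATORS if ind in body]
        if hits:
            findings.append(("inline-miner", hits[0]))
    return findings


# Constructed sample pages: a clean page, the same page after a rogue plugin
# added a miner library, and the same page with a miner injected inline.
CLEAN_PAGE = """<html><head>
<script src="/wp-content/themes/site/app.js"></script>
</head><body><script>window.dataLayer = [];</script></body></html>"""
PLUGIN_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script src="//coinhive.com/lib/coinhive.min.js"></script></head>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<script>var m = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER');</script></body>")

if __name__ == "__main__":
    for label, page in [("clean", CLEAN_PAGE), ("plugin", PLUGIN_PAGE), ("injected", INJECTED_PAGE)]:
        print(label, scan_html(page))
```

Run the scanner against the HTML a real browser would receive (for the hotspot case that means fetching over the suspect network, not from the origin server), and treat a finding on a page you publish but did not author as a sign that a plugin or theme needs auditing. Serving the site over HTTPS removes the on-the-wire injection path altogether.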
AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.
Ransomware targets businesses, government institutions, public services such as hospitals and council offices, and of course people at home. Home computers are perhaps the easiest way for cyber-criminals to carry out attacks, as your average Joe doesn't have a cyber-security department protecting him the way businesses and organisations do. Many individuals at home think that an antivirus programme will protect them. This is simply not the case. As we have mentioned in previous blog posts, cyber-criminals sometimes distribute malware via online ads and landing pages, so if you are an ad network or a publisher, we recommend that you protect your users with a product such as AdSecure. Not only will you help keep ransomware at bay, you will also keep the valuable trust of clients and website visitors, because they will be protected from attack.
So let's have a closer look at the history of ransomware, why ransomware creators and distributors find home users easy targets and what happens when a user is infected.
The very first ransomware emerged back in 1989. Named the AIDS Trojan, it spread via floppy disks, and each victim was asked to send a $189 ransom to a post office box in Panama. Of course, nowadays ransomware is much more sophisticated, and the growth of crypto-currencies has made ransomware a much more attractive proposition for cyber criminals.
Types of ransomware
There are two types of ransomware. Locker ransomware locks the victim out of the operating system, making it impossible for them to access their desktop, apps and files; the files are not encrypted, but the attackers demand a ransom to unlock the infected computer. Encrypting ransomware uses advanced encryption algorithms: it blocks system files and then demands payment in exchange for a key that can decrypt the blocked content.
Home users are easy targets and here's why…
- They rarely, if ever, back up their data.
- They don't always keep their software up to date.
- They think that it can't happen to them.
- They have little or no cyber security awareness/education, meaning that they can easily be persuaded to click on almost anything.
- They are much less likely to purchase cyber security solutions, with most home users still relying on antivirus software; this can be ineffective, because ransomware uses evasion techniques that let it go undetected by traditional antivirus software.
- And of course the sheer volume of home internet users allows cyber-criminals to operate at huge scale in order to exploit potential victims.
The infection – stage 1
What generally happens when a user unknowingly infects his computer from a malicious website or a link he clicks on? The infection delivers a security exploit that uses vulnerable software on the system to create a backdoor on the victim's computer. Once the victim has unwittingly clicked on the link, or downloaded and opened the attachment, a downloader (payload) is placed on the affected PC. The downloader works through a list of domains or C&C servers controlled by cyber criminals to place the ransomware program on the system; the contacted C&C server responds by sending back the requested data. The infected PC can be turned into part of a botnet, so that the cyber criminals can grow their infrastructure and carry out future attacks, and the infection can spread to other PCs connected to the local network, causing further damage.
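The downloader behaviour described above has a network signature a defender can look for: one machine working through a list of domains in quick succession, several of which fail, until one answers with a binary. The detector below is an added example (not from the original post) that runs that heuristic over web-proxy log lines; the log format, the constructed sample lines, the `.example` domains and the thresholds are all assumptions for the illustration.

```python
"""Flag a host that cycles through a list of download domains in a short burst."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src host status ctype")
# Assumed proxy log layout: timestamp, client address, destination host,
# HTTP status and the Content-Type returned.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) "
    r"status=(?P<status>\d{3}) ctype=(?P<ctype>\S+)$"
)
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_line(line):
    """Parse one log line into an Event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"],
                 m["host"].lower(), int(m["status"]), m["ctype"].lower())


def find_download_bursts(lines, window_s=60, min_distinct=4, min_failures=2):
    """Return {src: alert} for clients that, within window_s seconds, contacted
    at least min_distinct domains, failed on min_failures of them, and then
    received a binary payload from one of them."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev.src].append(ev)
    window = timedelta(seconds=window_s)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, last in enumerate(evs):
            # Slide the window so it holds only events within window_s of `last`.
            while last.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {e.host for e in win}
            failures = sum(1 for e in win if e.status >= 400)
            payload = [e for e in win if e.status == 200 and e.ctype in BINARY_TYPES]
            if len(distinct) >= min_distinct and failures >= min_failures and payload:
                alerts[src] = {"domains_tried": sorted(distinct),
                               "payload_from": payload[0].host,
                               "first_seen": win[0].ts.isoformat()}
                break  # one alert per client is enough
    return alerts


# Constructed sample: 10.0.0.7 walks a domain list and fetches a binary;
# 10.0.0.9 browses normally and later pulls a legitimate software update.
SAMPLE_LOG = """
2018-03-02T10:15:01Z src=10.0.0.7 host=cdn-a.example status=502 ctype=-
2018-03-02T10:15:03Z src=10.0.0.7 host=cdn-b.example status=404 ctype=text/html
2018-03-02T10:15:05Z src=10.0.0.7 host=cdn-c.example status=503 ctype=-
2018-03-02T10:15:08Z src=10.0.0.7 host=cdn-d.example status=200 ctype=application/octet-stream
2018-03-02T10:15:02Z src=10.0.0.9 host=news.example status=200 ctype=text/html
2018-03-02T10:15:04Z src=10.0.0.9 host=static.news.example status=200 ctype=text/css
2018-03-02T10:15:20Z src=10.0.0.9 host=mail.example status=200 ctype=text/html
2018-03-02T10:16:40Z src=10.0.0.9 host=updates.vendor.example status=200 ctype=application/octet-stream
""".strip().splitlines()

if __name__ == "__main__":
    for src, alert in find_download_bursts(SAMPLE_LOG).items():
        print(src, alert)
```

The three conditions are deliberately combined: a single binary download is routine (software updates look exactly like that, as the second client shows), and a few failed requests are routine, but a burst of distinct hosts with failures followed by a binary is the downloader's retry loop. Tune the window and counts to your own proxy volume before alerting on it.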
The infection – stage 2
It then uses unbreakable encryption, which means a victim cannot decrypt the files using the various decryption tools available from cyber security researchers. It can encrypt many different kinds of files on a victim's PC, including photos, videos, documents, audio files, etc. It encrypts data stored in cloud accounts such as Google Drive and Dropbox that are synced to the PC, and it can also encrypt data on other computers connected to the local network. It scrambles file names, so the victim has no idea which data is affected; this is done to confuse and coerce victims into paying the ransom. It can also extract data from the infected PC, such as usernames, passwords and email addresses, which it then sends to the server controlled by the cyber criminals.
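The two effects described in this stage, files reappearing under scrambled names and their contents turning into ciphertext, are what a host-side monitor can measure. The example below is added here and is not from the original post: it compares two snapshots of a folder and raises an alert when a large share of the files have been replaced by high-entropy blobs with unrecognisable names. The snapshots are constructed in memory, and the extension list, entropy threshold and alert ratio are assumptions.

```python
"""Heuristic detector for the encryption stage over two folder snapshots."""
import math
import os
import random
from collections import Counter

# Assumed list of extensions a home user's files normally carry.
KNOWN_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mp3", ".mp4"}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for random or encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_scrambled(name):
    """A name whose extension is not one we expect to see in the folder."""
    return os.path.splitext(name)[1].lower() not in KNOWN_EXT


def assess_snapshots(before, after, entropy_threshold=7.2, alert_ratio=0.5):
    """Compare {name: bytes} snapshots taken before and after some interval."""
    vanished = sorted(set(before) - set(after))
    appeared = sorted(set(after) - set(before))
    # Compressed media (jpg, mp3, ...) is high-entropy too, so entropy alone
    # would false-alarm on a new photo; require the scrambled name as well.
    suspicious = [n for n in appeared
                  if looks_scrambled(n) and shannon_entropy(after[n]) >= entropy_threshold]
    ratio = len(suspicious) / max(len(before), 1)
    return {"vanished": vanished, "suspicious_new": suspicious,
            "ratio": round(ratio, 2), "alert": ratio >= alert_ratio}


def _random_bytes(seed, n=4096):
    # Deterministic stand-in for encrypted or compressed content.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed snapshots of a home folder.
BEFORE = {
    "notes.txt": b"Shopping list: milk, eggs, bread. Call the dentist on Monday.\n" * 40,
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 2000,
    "holiday.jpg": _random_bytes(1),  # stands in for compressed image data
    "cv.docx": b"PK\x03\x04" + b"curriculum vitae " * 100,
}
AFTER_ATTACK = {
    "7f3a9c1e0b": _random_bytes(2),
    "q8z1m4x": _random_bytes(3),
    "ab12cd34.k9": _random_bytes(4),
    "README_TO_RESTORE.txt": b"Your files have been encrypted. " * 4,
}
AFTER_NORMAL_DAY = dict(BEFORE, **{
    "notes.txt": BEFORE["notes.txt"] + b"Buy stamps.\n",  # edited in place
    "beach.jpg": _random_bytes(5),                        # new photo, high entropy
})

if __name__ == "__main__":
    print("attack:", assess_snapshots(BEFORE, AFTER_ATTACK))
    print("normal:", assess_snapshots(BEFORE, AFTER_NORMAL_DAY))
```

The normal-day snapshot is the important negative case: a freshly saved photo is as high-entropy as ciphertext, so a monitor keyed on entropy alone would fire on everyday use, while the combination with a scrambled name and a high replacement ratio does not. Because the stage also reaches synced cloud folders and network shares, point the same check at those paths, and keep an offline backup, which is the control this heuristic cannot replace.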
The infection – stage 3
It then displays an image or message telling the victim that their data has been encrypted and that they have to pay to get it back. It can also include geographical targeting, so that the ransom note is translated into the victim's language, increasing the chances that the ransom will be paid. Payment is usually requested in Bitcoins, because crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies. Generally there is a set time period to pay; missing the deadline means the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
As you can see, this can be a shocking experience for your average Joe at home, and with 638 million ransomware attacks in 2016, it is inevitable that the number of ransomware attacks will only increase.
The days of needing the coding skills of an accomplished hacker to build malware are over, at least if the news from Symantec is true. The antivirus and cybersecurity company recently reported the existence of a Trojan Development Kit (TDK) that allows anyone to create Android ransomware, no coding skills required.
This latest TDK can be found on hacking forums and even in social media advertisements in China. All the cyber criminal has to do is download the APK and install it, and they're ready to build ransomware. The process itself is simple: just specify a ransom message, an unlock key, the ransomware's app icon, mathematical operations to randomize the code, and an animation to be shown on the infected Android device.