Network and endpoint security company Sophos Ltd. said that its research has revealed a growing trend among cyber criminals to target and even filter out specific countries when designing ransomware and other malicious cyberattacks.
Research from SophosLabs, which includes information from millions of endpoints worldwide, found that cyber criminals are now crafting “customized spam to carry threats using regional vernacular, brands and payment methods for better cultural compatibility” in an attempt to lure more victims with cyberattacks.
“Ransomware cleverly disguised as authentic email notifications, complete with counterfeit local logos, is more believable, highly clickable and therefore more financially rewarding to the criminal,” Sophos said in a press release on Tuesday. “To be as effective as possible, these scam emails now impersonate local postal companies, tax and law enforcement agencies and utility firms, including phony shipping notices, refunds, speeding tickets and electricity bills.”
SophosLabs added that it has seen a rise in spam written in correct grammar with proper punctuation, removing one of the easiest tells for a fake.
“You have to look harder to spot fake emails from real ones,” said Chester Wisniewski, senior security advisor at Sophos. “Being aware of the tactics used in your region is becoming an important aspect of security.”
Researchers also saw historical patterns of ransomware strains targeting specific locations. For example, versions of CryptoWall predominantly hit victims in the United States, United Kingdom, Canada, Australia, Germany and France. TorrentLocker attacked primarily the U.K., Italy, Australia and Spain, while TeslaCrypt homed in on the U.K., U.S., Canada, Singapore and Thailand.
Threat exposure rates (TER) by country for early 2016 showed that although Western economies are more heavily targeted, they typically have a lower TER. The release described TER as malware infections and attacks per 1,000 Sophos endpoints in each country from Jan. 1 to April 8, although it reports the figures below as percentages of endpoints exposed.
Nations with the lowest TER include France at 5.2%, Canada at 4.6%, Australia at 4.1%, the U.S. at 3% and the U.K. at 2.8%. The countries with the highest percentage of endpoints exposed to a malware attack include Algeria at 30.7%, Bolivia at 20.3%, Pakistan at 19.9%, China at 18.5% and India at 16.9%.
“Even money laundering is localized to be more lucrative,” said Wisniewski in the release. “Credit card processing can be risky for criminals, so they started using anonymous Internet payment methods to extort money from ransomware victims. We have seen cyber crooks using local online cash-equivalent cards and purchasing locations, such as prepaid Green Dot MoneyPak cards from Walgreens in the U.S. and Ukash, which is now paysafecard, from various retail outlets in the U.K.”
The concept of filtering out specific countries has also emerged as a trend, Sophos reported. “Cyber criminals are programming attacks to avoid certain countries or keyboards with a particular language,” Wisniewski said. “This could be happening for many reasons. Maybe the crooks don’t want attacks anywhere near their launch point to better avoid detection. It could be national pride or perhaps there’s a conspiratorial undertone to create suspicion about a country by omitting it from an attack,” he suggested.
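As an added illustration (not code from Sophos or from the article), the following Python sketch shows the mechanics of the keyboard-language check the quote refers to, as it is commonly implemented on Windows: a sample enumerates every installed keyboard layout with user32!GetKeyboardLayoutList, extracts the Windows language identifier from each layout handle, and exits if any primary language is on its avoid list. The avoid list used here (Russian, Ukrainian, Belarusian, Kazakh) is an assumption for illustration; the article does not say which languages are filtered. The sample layout handles are constructed, and the live Windows query runs only when the script is executed on Windows.

```python
"""Keyboard-layout geofencing check as malware commonly implements it on Windows.

Added example, not code from Sophos or the article. The avoid list below is an
assumption for illustration; the article does not name the filtered languages.
"""
import ctypes
import sys

# Primary-language IDs (low 10 bits of a Windows LANGID), as defined in winnt.h.
LANG_GERMAN = 0x07
LANG_ENGLISH = 0x09
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_KAZAKH = 0x3F  # LANG_KAZAK in winnt.h

# ASSUMED illustrative avoid list; the article does not say which languages are skipped.
AVOID_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAKH}


def langid_from_hkl(hkl: int) -> int:
    """A keyboard layout handle (HKL) carries the input language ID in its low 16 bits."""
    return hkl & 0xFFFF


def primary_lang(langid: int) -> int:
    """Equivalent of the PRIMARYLANGID() macro: strip the sub-language (region) bits."""
    return langid & 0x3FF


def layouts_on_avoid_list(hkls, avoid_primary_langs=AVOID_PRIMARY_LANGS):
    """Return the LANGIDs among hkls whose primary language is on the avoid list.

    Matching on the primary language (not the full LANGID) is what makes
    en-GB (0x0809) and en-US (0x0409) both count as English, and would make
    any regional variant of an avoided language count as a hit.
    """
    return {
        langid_from_hkl(h)
        for h in hkls
        if primary_lang(langid_from_hkl(h)) in avoid_primary_langs
    }


def would_bail_out(hkls, avoid_primary_langs=AVOID_PRIMARY_LANGS) -> bool:
    """The geofence decision: True means a sample with this avoid list would exit."""
    return bool(layouts_on_avoid_list(hkls, avoid_primary_langs))


def installed_layouts() -> list:
    """Enumerate every installed (not just active) layout via user32!GetKeyboardLayoutList.

    Returns [] on non-Windows hosts so the rest of the module stays importable there.
    """
    if sys.platform != "win32":
        return []
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)  # nBuff=0 asks for the required count
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [h or 0 for h in buf]


# Constructed sample data: HKL values as Windows reports them (high word = layout
# id, low word = language id). 0x04090409 is the standard US layout.
US_WORKSTATION = [0x04090409, 0x04070407]   # en-US plus de-DE
UK_WORKSTATION = [0x08090809]               # en-GB only
ANALYST_SANDBOX = [0x04090409, 0x04190419]  # en-US plus a deliberately added ru-RU layout


if __name__ == "__main__":
    for name, hkls in [("US workstation", US_WORKSTATION),
                       ("UK workstation", UK_WORKSTATION),
                       ("analyst sandbox", ANALYST_SANDBOX),
                       ("this host", installed_layouts())]:
        hits = sorted(hex(l) for l in layouts_on_avoid_list(hkls))
        print(f"{name:16s} bail out: {would_bail_out(hkls)!s:5s} matching LANGIDs: {hits}")
```

Because the check runs against every installed layout rather than the active one, an analyst can trigger the bail-out path on a sandbox, or deliberately "vaccinate" a test host, simply by adding a layout from the avoid list; conversely, a detonation sandbox that carries only an en-US layout will let such a sample run to completion, which is what you want when studying it.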
Banking is an example of how cyber criminals use location-based malware to increase their profits, the release said. Sophos research shows how the Trojans and malware used to attack banks and financial institutions have historically concentrated in specific regions:
Zbot is widely spread, but mostly in the U.S., U.K., Canada, Germany, Australia, Italy, Spain and Japan;
Specific banker Trojans and variants pinpoint Brazil;
Dridex is predominant in the U.S. and Germany;
Trustezeb is most prevalent in German-speaking countries; and
Yebot is popular in Hong Kong and Japan.
“There is an entire cottage industry of uniquely-crafted Trojans just targeting banks in Brazil,” Wisniewski added.