IT Threat Report, 2nd quarter 2013


Bitcoin is becoming a favorite target for criminals; another favorite tactic is blocking access to mobile phones and demanding money to unlock them.

The Kaspersky Lab experts published the IT Threat Report for the second quarter of 2013, analyzing the significant trends and events of the quarter and predicting future developments. According to the report, malicious apps for mobile phones were the most significant category of the quarter, both in quantity and in level of sophistication. Online criminals are improving the malicious code developed specifically for mobile platforms, the capabilities of those applications and the sophistication of their user-targeting methods. In addition to malicious code for mobiles, online criminals also focus on bitcoin theft schemes, in light of the digital currency’s recent rise in value.

The risk of local infection around the world — Q2 2013

Statistics for Malicious Code for the Second Quarter of 2013

The following data was collected from the Kaspersky Security Network (KSN), with consent given by all KSN users.

Kaspersky Lab solutions identified and neutralized 983,051,408 threats during the second quarter of 2013.

Web-based attacks: 577,159,385 infections were blocked while users browsed the web.

Computer infections: 400,604,327 malicious applications were blocked before infecting computers.

Malicious mobile code: 29,695 attacks by new malicious mobile code samples were detected by Kaspersky Lab’s detection system over the quarter.

The development of malicious mobile code

As of June 30th, 2013, Kaspersky Lab had recorded 100,386 samples of embedded malicious code, a significant amount compared to the 46,445 samples recorded by the end of 2012.

Embedded malicious code does not refer to individual infection cases or to a single piece of malware. It is malicious code that online criminals integrate into legitimate mobile applications. The most common way to do this is to download a legitimate application and embed the malicious code in it; the criminals then spread the trojanized version of the application through channels such as independent application stores. Kaspersky Lab’s system identifies the signature of the malicious code inserted into the repackaged applications, using cloud-based technologies, heuristic detection and anti-virus signatures. By identifying those signatures, Kaspersky Lab can detect malicious applications before they are installed on the user’s device.

Categories of malicious mobile code

The most common malicious code category has traditionally been SMS-sending trojans. According to the Kaspersky Lab report, this category is becoming less common as trojans aimed at mobile platforms grow more flexible and sophisticated.

In the second quarter, backdoor trojans were the most common type of malicious code embedded in applications, at 32.3% of all trojans, followed by SMS-sending trojans (27%) and trojans (23.2%).

In terms of capabilities, online criminals are adopting stealth techniques to avoid detection and analysis, and at the same time are creating malicious apps that carry several activation mechanisms, allowing entry by multiple methods. Certain versions can also access large amounts of data on users’ devices while downloading and installing additional malicious code. The largest growth was in malicious code for Android devices, which is now almost comparable in popularity to Windows-based threats for personal computers.

The risk of online infection around the world in Q2 2013

Ransom for Android devices

The first version of malicious code for ransoming Android devices was detected in June: Free Calls Update, a free application available for download from independent application stores. Malicious ransom code is software used to extort victims by blocking the device or computer until they pay a ransom. Usually this is a fraud within a fraud, because even after the victims pay the ransom they do not get control of the device back. After installation, the application activates itself, tries to change the device settings and disable browsing and calls over Wi-Fi or cellular. The application pretends to scan for malicious code, and a fake virus detection warning pops up. The application recommends purchasing a fake anti-virus license to remove the block. The warning keeps popping up while the device remains blocked, so in effect it cannot be used at all.

Malicious ransom code and fake anti-virus warnings were common methods of fraud on personal computers. Online criminals now use the same methods, on both the technical and the psychological level, to commit fraud in the less mature mobile market.

The bitcoin drives underground economics

The most noticeable trend in the second quarter is the growing focus of online criminals on creating malicious code to acquire bitcoin. Bitcoin is a digital currency based on peer-to-peer (P2P) infrastructure, used for anonymous transactions.

The activity takes place on systems called bitcoin miners, which support bitcoin exchange and transaction processing. The infrastructure is based on networks of personal computers that allow the bitcoin miners to operate. The virtual currency can later be exchanged to pay for products and services in online shops (the currency is written with a lower-case b, while the Bitcoin infrastructure is written with an upper-case B).

Bitcoin’s value soared over the last year: while one unit was worth less than one American cent a year ago, its current value is about 130 dollars. The value of the currency still fluctuates, but is gradually becoming more stable.

Its popularity, anonymity and growing value have marked bitcoin as a prime target for online criminals. In addition, bitcoin is itself their favorite currency, as it allows them to transfer money anonymously and uses a secure payment system with no financial or regulatory oversight, making the criminals harder to track.

In April the Kaspersky Lab research team discovered a scheme used by online criminals to mine bitcoin by spreading malicious code through Skype. The first stage of the scheme used social engineering to infect the victims; malicious software was then installed on the victims’ devices and used their processing power to mine bitcoin. As mining continued, the bitcoin was sent to the accounts of the criminals responsible for the fraud.

A month later the Kaspersky Lab experts discovered another bitcoin scheme, based on a phishing attack originating from Brazil. The purpose of that attack was similar to the Skype social engineering in the earlier scheme, but this time the criminals used email messages to direct users to a fake website imitating the most popular bitcoin trading website, MtGox. The site handles large volumes of confirmed transactions, and the purpose of the scheme was to obtain account details from victims and then steal bitcoin directly from them.