Evolving from classic “spray and pray” tactics, criminal outfits are increasingly distributing “designer” spam and malware, customized to optimally target victims in specific geographic regions, according to new research from Sophos' research division, SophosLabs.
In a press release and blog post published today, Sophos reported that cybercriminals are becoming ever more proficient at using localized language and vernacular in phishing emails and ransomware notes. Older, more amateurish spam communications like the classic Nigerian prince scheme are easy to catch, but more recent efforts feature dramatically improved grammar. “That means you're more likely to accidentally fall for the ones that aren't stupid,” Chester Wisniewski, senior security adviser at Sophos, told SCMagazine.com.
Malicious campaigns are also more accurately spoofing legitimate brands endemic to a particular country or culture. According to the research, postal companies, tax and law enforcement agencies and utility firms are among the most commonly spoofed local entities in these phishing campaigns, which attempt to trick recipients with convincing emails that feature official-looking logos and content such as bills and account balances, shipping notices, refunds and speeding tickets.
Such tactics are likely to generate a higher rate of infection in countries with especially desirable targets—and that in turn allows cybercriminal operators who sell malware-as-a-service to other bad actors to charge a higher rate per infection.
Certainly, a targeted attack containing localized content is not a new concept, but Wisniewski said that such instances have become so prominent in the last several years that “it's becoming the norm, rather than the unusual.” Recognizing such trends are especially important, said Wisniewski, because “it changes how you need to defend yourself.”
The improved localization of campaigns is attributable to increasing specialization within the malware industry, said Wisniewski, with different cybercriminals developing specific expertise in coding, content and distribution. “With that specialization, malware is getting more tailored,” he noted.
In some cases, cybercriminals are even outsourcing content translation services to innocent local experts. “The criminal is buying services from legitimate freelancers who don't even realize what they're doing,” said Wisniewski. “If you're pulling hundreds of thousands of dollars a month on your scam, when you've got that kind of cash, it's easy to [farm] that out” for a relatively minor fee, he added.
At the same time, some adversaries are strategically filtering certain regions out of their campaigns, using malware that fails to activate, or deletes itself, if an online geo IP lookup determines that the affected computer is in a non-targeted country. (Such was the case with early variants of the computer worm Conficker, which eschewed attacks in Ukraine.) Criminals sometimes do this to avoid the wrath of law enforcement in their own countries.
Further Sophos analysis over the first three months of 2016 found that the countries with the highest percent of endpoints exposed to a malware attacks were Algeria (30.7 percent), Bolivia (20.3 percent), Pakistan (19.9 percent), China (18.5 percent) and India (16.9 percent). Nations with the lowest" threat exposure rates" were France (5.2 percent), followed by Canada (4.6 percent), Australia (4.10 percent), the U.S. ( three percent) and the U.K. (2.8 percent).
Despite a lower frequency of exposure, Western countries did tend to experience greater proportions of targeted, localized cyberthreats—suggesting these attacks featured a higher level of sophistication.