Traditionally, we think of online threats in terms of highly targeted attacks on the one hand and opportunistic cash grabs on the other hand. Nation-state sponsored or advanced persistent threat (APT) attackers target specific individuals or organizations, and the more common, financially motivated digital thieves take an “infect them all” approach.
Our SophosLabs research shows that way of thinking is becoming outdated, as APT attackers and common cybercrooks learn and borrow techniques from one another.
Common online crooks have learned how to become more efficient and increase their yield per victim by targeting individuals based on their specific country, using a variety of methods. Here I will go into a few of them: geo IP lookups; traffic direction services; and email targeting. I will also explain how and why cybercrooks avoid certain countries.
Why geo-targeting is becoming more popular
We can compare an online criminal enterprise to a legitimate business like McDonald’s, a very successful company with restaurants all over the world. Even though you may recognize McDonald’s as the same restaurant wherever you go, there are important differences in every country.
You will have to pay different prices and use different currencies. And you’ll find different offerings on the menu and a different approach to advertising based on the local diet, culture and language.
Cybercrime is now a highly competitive, multi-billion-dollar business. They want to target wealthy countries with particular kinds of malware, like ransomware and banking malware, while utilizing other victims for more mundane tasks like spamming or participating in denial-of-service attacks.
To customize their attacks and make their email scams and phishing attacks more believable, the cybercriminals are imitating local brands and using grammatically correct local languages as lures.
Users have been conditioned to believe they can spot scams by the incorrect grammar and shoddy spelling, which leads to them falling even harder for well-crafted scam messages.
Location, location, location: IP lookups and traffic direction services
A popular tactic favored by today’s criminals is using malware that is geo-targeted based on information gleaned from the computer’s IP address or the language setting in Windows.
Common crooks don’t often infect computers themselves – they typically use services provided by other cybercriminals who have collected thousands of infected (zombified) computers and sell them to the highest bidder.
A criminal may want to drop banking malware on computers in Germany, for example, simply because Germany is a wealthy country, or because the crook has money mules in Germany – people they have recruited to take money out of local ATMs using cards produced from card numbers and PINs stolen by the malware or skimmers.
We have seen examples where criminals go on the black market to use compromised traffic direction services (TDS), which provide real-time bidding and traffic direction, to find the most appropriate victims, much like legitimate ad networks serve you the most relevant ads whenever you visit a website.
Your IP address, which often shows your computer’s location, is detected by the compromised web server that’s sending the malicious stuff, and serves you the malware “designed” for your region.
We see this IP lookup technique favored by crooks using banking malware because most banks tend to serve a particular country or region – in our example, users based in Germany have a high likelihood of being customers of Deutsche Bank, so malware targeting that bank will have a high rate of success.
Thus, we see different families of malware used to infiltrate banks and financial institutions converging on specific regions:
- Various banking Trojans designed to pinpoint Brazil
- Dridex is predominant in the U.S. and Germany
- Trustezeb is most prevalent in German speaking counties
- Yebot is popular in Hong Kong and Japan
- Zbot is mostly found in the U.S., UK, Canada, Germany, Australia, Italy, Spain and Japan
Geo-malware example: ransomware
One of the more prevalent examples of geo-targeted malware is ransomware.
You’re familiar with ransomware by now – ransomware gets right in your face, with warning messages that pop up on your screen and demand a ransom in your local language. These nasty threats infect your computer and use public-key cryptography to scramble your files, then hold all your data hostage until you pay for the key to decrypt them.
In recent months, we’ve seen most ransomware being distributed via attachments in emails, which are carefully crafted in your local language and spoof local institutions like your region’s postal service or law enforcement agency, luring you to open the attachment and download the ransomware.
Criminals have taken one step further to make ransomware more effective and provide payment pages to instruct you how to pay in your native language or currency.
Ransomware crooks tend to want to infect as many computers as possible and then serve up the correct language based on what keyboard you have installed on your computer or the language setting in Windows.
With crypto-ransomware, the crooks demand payments in bitcoins or other anonymous e-payment systems such as Ukash. The payment pages offer detailed instructions in the local language, with payment amounts listed in the local currency, and links to local Bitcoin exchanges.
The most popular ransomware in recent months, Locky, has ransom pages carefully translated into various languages including Portuguese, Danish and Chinese, although for some reason the Locky crooks are not interested in Czech or Arabic-speaking countries. Locky also can check to see if Windows is set to Russian, which causes the malware to exit and delete itself.
SophosLabs telemetry data shows that ransomware tends to target wealthier countries, likely because victims in those countries are more able or willing to pay. There is some regionalization of different ransomware families:
- CryptoWall predominantly targeted victims in the U.S., UK, Canada, Australia, Germany and France
- TorrentLocker attacked primarily the UK, Italy, Australia and Spain
- TeslaCrypt honed in on the U.S., UK, Canada, Singapore and Thailand
Natural geo-targeting: email country codes
Cybercriminals don’t always need sophisticated malware to target your location – they may be able to figure out where you live just based on your email address, using the country code extension.
This is a clean and simple way to filter victims: the crooks can hit all the .uk country code emails with spam targeted for the UK; the .nl email addresses get Dutch spam; the .no ones get Norwegian spam, and so on.
The grammar and spelling of these emails is greatly improved compared to past email spam campaigns, leading to more victims believing the messages are real. The crooks aren’t relying on some sloppy machine translator. They hire human translators who create the messages in their native language – we have heard of freelance translators being contracted to do this type of work for the criminals unwittingly.
Cybercrooks aren’t just customizing email attacks based on language and regional institutions – they shift tactics based on seasons as well. So, during tax season the emails might pretend to be from the IRS in the US or the Office of State Revenue in Australia. Around Christmas time, you can expect to see fake package delivery notices.
It’s also important to remember that if you get a phishing email, it doesn’t matter what type of computer or mobile device you’re using. When you get an email trying to phish your banking credentials, you can still give away your bank account password whether you have a Windows or Mac, iPhone or Android computer.
Crooks will use your location to make the trick more convincing. But all bits of information about you are important, and the criminals will always look to take advantage of information they have and use it against you.
No-go zones: country filtering
We also see examples of geo-customization where cybercriminals are programming attacks to avoid certain countries or keyboards with a particular language.
This could be happening for a few reasons. Maybe the crooks don’t want attacks in their home country out of a sense of national pride. Another theory is that the crooks don’t target their own countries because their local law enforcement is willing to look the other way, so long as the victims aren’t locals.
One of the earliest examples we’ve seen of attackers excluding particular countries was the Conficker virus, which at its peak infected more than 11 million PCs globally. Yet there was one country where Conficker would not initially spread – Ukraine.
The first version of Conficker used an online geo IP lookup to determine whether you were in the Ukraine or not, and the virus would avoid Ukrainian computers. (Later versions of Conficker dropped this behavior.)
As mentioned above, Locky ransomware has also been found to delete itself if a computer’s language is set to Russian.
Although circumstantial, other evidence points to Locky being made by an Eastern European criminal. Recently I grabbed some Word docs with malicious macros that were spreading Locky, and noticed that when the document was created the language was set to Cyrillic, an indication that whoever was last editing it had their keyboard set to Cyrillic.
We don’t know for sure that Locky is made by Eastern Europeans, but if not, someone went through a lot of trouble to make it look that way.
What to do
With cybercriminals creating geo-targeted and authentic-looking threats, it is more difficult to recognize malicious spam. Here are some security tips for home and business users to stay protected against email-borne malware attacks.
For home users:
- Make sure you protect your computers with an anti-malware and web protection solution. Sophos Home is free, enterprise-grade security software that protects both Macs and PCs.
- Keep your files safe from ransomware by backing them up regularly. Keep at least one recent backup offline.
- Be very careful about opening email attachments. Malware including ransomware is very often spread in email. You should also be wary of clicking links in emails, as they may take you to a phishing or malware website.
- Always keep your computers, devices and applications up to date with the latest security updates.
- Use strong, unique passwords for all your accounts. Consider using a password manager to create and store strong passwords for you. Just make sure you use a strong password for the password manager itself.
For business users:
- Patch, patch, patch. Malware that doesn’t come in via document macros often relies on bugs in software and applications. When you apply security patches, you give the cybercriminals fewer options for infecting you.
- Don’t give yourself more login power than necessary. Avoid browsing, opening documents or other regular work activities while logged in as administrator.
- Don’t enable macros. A lot of ransomware is distributed in Office documents that trick users into enabling macros. Microsoft has released a new tool in Office 2016 that can prevent you from enabling them on documents downloaded from the internet.
- Train and retrain employees in your business. Your users can be your weakest link if you don’t train them how to avoid booby-trapped documents and malicious emails.
- Segment the company network. Separate functional areas with a firewall, e.g., the client and server networks, so systems and services can only be accessed if really necessary.