Phishing, Ransomware on the Rise
Symantec's Narang: Low Awareness May Make Asia More Susceptible
That attackers are growing more sophisticated and adapting social engineering and other targeting techniques to snare users is common knowledge. One example of such a customized yet mass-targeted attack was recently uncovered by Symantec: a phishing campaign in the wild that impersonated the Income Tax department of India and attempted to infect users with malware.
Close to the end of the financial year, emails purporting to come from the tax authority are bound to catch taxpayers' attention, and the attackers used this to their advantage to infect machines with information-stealing malware.
"If you tell somebody that Rs. 80,000 have been deducted from their bank account, that would naturally be a very alarming email to receive, and the inclination would be to open the attachment immediately," says California-based Satnam Narang, a Senior Security Response Manager with Symantec.
This is a clear example of how cybercrime is beginning to affect consumers both within and outside enterprises, and increased awareness is the only way to fight it. Narang confirms that these kinds of attacks are hard for a lay user to pinpoint, and that the situation is exacerbated in regions such as Asia, where awareness and security maturity are low. This, he believes, is why trends such as ransomware, social media scams and fraud are on the rise.
In this interview with ISMG, Narang talks about some of the trends in the Asian security landscape at the beginning of this year, makes some comparisons with the global landscape, and shares insights on emergent trends. He speaks about:
- His research into some phishing campaigns in the region;
- The rising incidence of ransomware;
- Some recommendations to enterprise practitioners for combating these trends.
Narang has worked in the security industry for over nine years, spending the past five at Symantec in the security operations and response group. He is extremely passionate about internet/information security and user education. His role is multi-pronged, and his research focuses on social media scams, mobile threats, social engineering, spear-phishing attacks, and consumer security best practices. He also works on enterprise-related issues, helping customers triage incident response matters. Narang has been Symantec's spokesperson and is featured often on U.S. television and in trade media.
Edited excerpts follow:
VARUN HARAN: Let me start by asking you about some of the research that you have been doing around the targeted phishing attacks in India, where emails purporting to be from the Income Tax department are being used to deliver malware. It is interesting that this is happening during the tax filing season here in India.
SATNAM NARANG: Essentially, what we found over the last three months is a phishing campaign where 43 percent of the targets are Indians. These mails are impersonating government agencies like the IT department of India. A common pattern is that these emails inform you that money has been deducted from your account and they provide you with a receipt as an attachment, which is a malicious file/keylogger.
The email actually looks very much like the emails sent by the income tax department and follows the same template, so for the lay user, there is really no way of suspecting that this is a malicious mail. The only difference we find is that the authentic mails from the IT Department have attachments that are password protected using an individual's specific details such as their PAN card number. In the case of the malicious mails, the attackers are unable to individualize the mails as they are mass targeted.
The malware in these attacks is specifically the Infostealer.Donx Trojan, and another information-stealing Trojan that Symantec detects as Trojan.Gen.
HARAN: Is there any kind of attribution on where these attacks are originating from? While the individual may not have much recourse when it comes to protecting against such emails besides being vigilant, when it comes to the enterprise, what are some recommendations to protect against such targeted phishing and malware?
NARANG: The malware in these attacks is quite crudely designed. It contains source code that looks to be taken from multiple sources. We've seen code in Hindi as well as Spanish. The point is not the sophistication here, but rather the mass targeting tailored to a specific time or event. Take the example of these phishing attempts during income tax filing season in India.
If you tell somebody that Rs. 80,000 have been deducted from their bank account, that would naturally be a very alarming email to receive, and the inclination would be to open the attachment immediately. This innocuous-looking email, which does not actually request any information, can have a malicious PDF or screensaver file as an attachment that infects the system and can log keystrokes and send sensitive system information back to the attacker, enabling them to further compromise these systems.
The most important thing that enterprises can do is deploy some sort of email security platform. If you can block such emails at the gateway, you can prevent them from reaching your users. Other than that, endpoint protection is an important component of enterprise security strategy as well.
HARAN: What kinds of threats do you see in the Asian landscape? What is unique about this region?
NARANG: India is the third highest for ransomware in Asia. We are seeing close to 60,000 attacks per year - or 170 attacks per day. Crypto-ransomware is the biggest threat on the internet today for businesses as well as consumers, and this is especially a trend we are noticing in Asia. Traditional ransomware would just lock your computer, and there are ways of getting around that. But crypto-ransomware encrypts your critical data, making it a much harder problem to solve - about 86 percent of ransomware attacks in India were crypto-ransomware, per our telemetry from Symantec's network.
Backing up your files is becoming critically important for businesses as well as consumers. The only recourse from a technical point of view, once you are infected with crypto-ransomware and your files have been encrypted, is to pay the ransom. We highly discourage users from doing this, because you are effectively supporting that business model. But that said, the only way to decrypt the files once they are encrypted is to get the encryption key from the criminals. So backups are critical as the first course of action.
HARAN: In my conversations with practitioners in India, I find that there is a three-pronged challenge: 1) There are no agencies or legislation they can turn to for support in the event of such attacks; 2) The LEA interfaces and know-how around these attacks to assist them; 3) The attackers are keeping the cost low enough that, in the absence of the first two, victims find it much easier and cheaper to pay the ransom and get their data back. What are your thoughts?
NARANG: It is a challenge for LEA, and it is a challenge for enterprises - it is a challenge across the board. But at the end of the day, the reason a line needs to be drawn at paying out the ransom is that we don't want to, as a community, embolden these criminals and support these business models, because it's going to get difficult to stop them if they know they'll succeed and that people will pay the ransom, especially if they put it at a low enough figure, simply because it's a lot cheaper and a lot easier.
Taking a multi-layered approach to the security of your network and backing up from the get-go should ideally be how this problem is dealt with. It is a cat-and-mouse game between criminals and security professionals. Obviously, cybercrime is a big enterprise; there are millions of dollars being traded back and forth in this world. Security now needs to institute not just signature-based but also behavior-based detection, and techniques that are more proactive to combat these innovations, such as reputation and intrusion prevention with reliable signatures.
HARAN: When you compare what's happening in the threat landscape in Asia - and you are sitting out of California; you see the global and the North American landscape as well - what are some points that stand out to you? Also, what are some of the major challenges for security going to be this year?
NARANG: One of the things we've noticed about India is that it ranks second highest globally when it comes to social media-based scams, and first within APJ. Social media-based scams and fraud seem particularly effective in this region. And given that the function of social media is to share information, we find that a lot of malicious links are being manually shared via social media platforms, and users have no awareness of this.
I have personal experience of this where a family member got phished out of his account by clicking on a link on social media and entering his credentials into a phishing site - he had no idea he had done so. So in that respect, user awareness is still low in this region compared to other geographies.
From a trend point of view, we are seeing a resurgence of email-based threats, so making sure that email protection is up to date and being revisited is important. Some of the challenges are not really specific to this region, but I think on the whole, educating users and employees about the threat landscape is going to be important, and therefore a critical challenge.