Cloudmark 2014 Global Threat Report

Bootleg Viagra®


Cloudmark commissioned a chemical analysis of samples of bootleg [1] Viagra® sold by spammers. They contained the same active ingredient as the real drug, but lab results suggest that samples were manufactured with inferior quality control and distributed without prescriptions, dosage advice, or health warnings. This could cause serious health issues for purchasers.


Cloudmark ordered [2] Viagra® from three different pharmacy web sites that were promoted by email spam. However, two of the web sites, though different in design, resulted in purchases from the same organization, and we received a notice asking if we wanted to cancel the duplicate order. This may be because the bootleg pharmacy operates an affiliate network, and the spam and web sites were authored by different affiliates. Affiliate networks of this type are common in spam driven enterprises as it allows cybercriminals to specialize in either sending spam or fulfilling orders for bootleg goods. The organization fulfilling the orders can then deny legal responsibility for the spam.

All three sites claimed to sell Viagra®. However, at some point in the process, all of them indicated that this was a generic version. In the US, Pfizer holds a patent covering the use of sildenafil citrate to treat erectile dysfunction. A similar patent held by Pfizer was invalidated in Canada after 2012. That means generic versions of this drug are legal in Canada, though not the US. This, along with Canada’s reputation for inexpensive prescription drugs and health services, may be the reason for the “Canadian Pharmacy” theme of all three web sites. In fact, we believe that the organizations behind these web sites are based in Russia and Eastern Europe [3], and are drop shipping drugs from India and China.

A bootleg pharmacy with Canadian branding.

The packages that we ordered were both drop shipped from India. One of them came from Combitic Global Caplet Pvt. Ltd. According to their web site [4], this is an Indian company that imports drugs in bulk from China and packages them for export to other countries such as Afghanistan and Libya. The United States is not on their list of markets. The package was shipped from Chuna Mandi, New Delhi, India, less than 25 miles from Sonipat where Combitic Global Caplet has their factory. The second package appears to have drugs manufactured by Centurion Laboratories in Gujarat, India, and shipped by Ghevarsha International of Maharashtra, India. India did not recognize drug patents between 1972 and 2005, which was three years after Pfizer registered the patent for using sildenafil citrate to treat erectile dysfunction. Thus the generic version of Viagra® was legal in India. Though the current law recognizes some older patents, this apparently does not apply to Viagra®, and Indian pharmaceutical manufacturers continue to produce sildenafil citrate. It is one of the featured products on Centurion Laboratories’ web page. [5]

Fake generic Viagra® branded as Cenforce.

The pills were shipped in envelopes containing bubble packs. There was no box or outer packaging. Along with branding, both bubble packs were imprinted with: “Dosage: As directed by the physician.” The Combitic Global Caplet pack also said: “Warning: To be sold by retail on the prescription of a Urologist/Psychiatrist/Endocrinologist/Dermatologist/Venereologist only.” There was no attempt to check for a prescription when the order was placed.

Generic Viagra® May Work But Could Have Serious Health Risks

Physically, the pills mimicked Pfizer’s trademarked blue color and rounded diamond shape for Viagra®, though the Combitic Global Caplet were rounder than the originals. Neither package contained any health warning. The official health warning [6] for Viagra® is several pages long and warns about possible drug interactions and medical conditions which might make the use of sildenafil citrate dangerous.

Fake generic Viagra® branded as Nizagara.

Samples of the pills were sent to a lab for analysis using a mass spectrograph and other tests. The resulting report showed what drugs were present in what ratios, but not exact dosages or certain types of inactive ingredients. Both pills contained sildenafil citrate, the active ingredient in Viagra®. The Centurion Labs version also contained palmitic acid, stearic acid and phthalates, while the Combitic Global Caplet contained stearic acid, diclofenac, palmitic acid, and trace amounts of acetaminophen (Tylenol). Stearic and palmitic acid are used to mask the bitter taste of sildenafil citrate [7]. Phthalates are used as the water-soluble carrier for PDE5 inhibitors such as Viagra®. [8] Diclofenac is an anti-inflammatory painkiller. The diclofenac and acetaminophen may be the result of residue from a previous run in the manufacturing process and could present a problem for anyone with allergies to these drugs. Ironically, some studies suggest that diclofenac may, in rare cases, cause erectile dysfunction. [9]

Due to the presence of unrelated drugs in one sample, we believe that it was manufactured without adequate quality control. In addition, both samples were supplied without medical supervision or health warnings. We therefore believe that ordering from a spam-advertised pharmacy could present significant medical risks, and we strongly recommend against it. However, some consumers may feel they have little choice but to purchase bootleg drugs, as they can’t afford genuine ones. According to one study, [10] 33% of the orders placed from the US to one of these bootleg sites were not for drugs to treat erectile dysfunction, but for other diseases. Prescription drugs are far more expensive in the US than in many other countries, including Canada. So long as the law prohibits US consumers from ordering from legitimate Canadian pharmacies, those without drug coverage will be tempted to order from unlicensed ‘Canadian’ pharmacies. This policy encourages spam generated by rogue pharmacies and exposes consumers to unnecessary medical risk.

Counterfeit Goods Pioneer iMessage Spam in the US

2014 saw the first major spam campaign using Apple’s free iMessage service reported to the GSMA’s Spam Reporting Service. Advertisements for counterfeit designer goods were delivered by iMessage directly to iPhones and related Apple desktop operating systems. In the latter half of this year, Cloudmark launched an investigation into the methods and techniques that spammers were using for this new form of spam.

The campaign peddled an old staple among spam campaigns — heavily discounted designer goods. This started with Oakley and Ray-Ban sunglasses as well as Michael Kors handbags. It was plausible to assume this could simply be a bait to persuade victims to enter valuable credit card and personal information that could be resold on underground markets. However, it turned out that those responsible were not credit card thieves. Merchandise was actually shipped to the customer.

Unfortunately, the merchandise wasn’t legitimate designer goods. The items received were painfully obvious fakes with cheap imitation leather, poorly plated buckles, and labeling in Chinese. The following demonstrates the level of quality, or lack thereof, for one such bag:

Cheap plated clasps including a Chinese-inscribed button. Credit: Dan Conway

While much less dangerous than the potential medical problems posed by bootleg Viagra®, counterfeit designer products have begun causing issues for some US mobile subscribers duped by their offers. Consumer complaints about this type of spam indicate that some people spent over $200 buying these fakes, with typical losses in the range of $50 to $100. Unfortunately, it was apparent that many victims were unaware of the shoddy quality of products from such shady shops. Many demanded refunds, but never received any compensation.

Fig. 1: Monthly Auction / Sale Site Mobile Spam, US, 2014

With sunglasses and handbags on display, it’s no surprise that this form of spam peaked in May and June — summer for the spammers’ US targets. During these two months, more than 40% of all reported SMS spam in the US hit iPhone users with counterfeit sunglasses and bags. Following the summer months and heavy publicity surrounding this iMessage spam, numbers plummeted in September. While it appears, percentage-wise, that this form of spam has held steady levels since the drop, this is not the case.

A steady increase over the year’s remaining months led to a four-fold increase in volume from September to December for this iMessage spam. However, several other forms of SMS spam and scams overshadowed this increase in volume resulting in iMessage and Auction site spam remaining only 5–7% of the total US SMS spam during the final months of 2014.

Legal Efforts

The lawyers of Greer, Burns & Crain, Ltd. (GBC) have been quite effective in shutting down the related websites used as virtual market places for this surge of impostor goods. Even as the spammers move into using legitimate but hacked sites to host their bazaar, the legal team at GBC has shown a remarkable prowess for finding and shutting down these compromised sites within days of the initial spam. It should be noted that while some anti-phishing groups are capable of takedowns within hours or even minutes, the severity and legal process of these two situations differ dramatically.

Further investigation into the sellers themselves showed that the merchant accounts associated with these bags and sunglasses are also linked to a diverse portfolio of spamming methods and counterfeit goods. For example, one such account is also responsible for attempting to sell counterfeit watches [11] promoted via a separate spam campaign run outside of iMessage. Cross-referencing our own sources with the public list of domains now under GBC control, they appear to be effectively defending many luxury brands including: Michael Kors, Luxottica (maker of many popular sunglasses including Ray-Ban and Oakley), Burberry, Bulgari, and several other LVMH brands.

One of many fake Michael Kors sites.

In 2012, GBC landed a monumental $200 million judgment for Deckers Outdoor [12], maker of Ugg boots. The law firm also aided Deckers in seizing over 12,800 domains used by spammers to sell the fake footwear. In November of this year, it appears that the iMessage spammers began pushing Ugg boots as their newest brand of counterfeits. While it remains unclear if this is the same group of counterfeiters, it’s interesting to see that this brand is still under attack in spite of aggressive legal protection.

Likely the single largest issue in shutting down such outfits is that these operations are run out of China, India, and similar countries with lax intellectual property enforcement. Upon our investigation into this campaign, it became clear that this specific operation was run out of Shanghai and the surrounding area.

Merchandise from these illegal sites appears to ship from ports in and around Shanghai — including neighboring Suzhou and Qingdao just to the north. Registrants for the disposable domains used originally by the spammers appear to originate almost exclusively from China. The spammers have since started using compromised domains to host their counterfeit sites.

Similarly, many of the original email addresses used to send these iMessages were from several very popular Chinese webmail sites. At its peak, 59% of email addresses used to produce the iMessage spam came from accounts associated with Chinese emails. In today’s hyper-connected world, however, this does not rule out the possibility of those responsible being unassociated with China. An individual or group responsible for this type of business could easily be a foreigner orchestrating details from somewhere across the globe, and having goods drop shipped from China.

WhatsApp India? Spammers Move to OTT

Chinese counterfeiters aren’t the only ones moving to OTT services like iMessage for virtually free spamming with similar economics to sending email spam. Mobile spammers in India have moved to OTT apps such as WhatsApp that use Internet based calls and text messages to evade the recent strengthening of messaging security within the country’s mobile operators. [13]

Prior to this move, Indian mobile subscribers were receiving in excess of 20 spam text messages a day per subscriber. In response, the regulatory body responsible for mobile operators in India, the Telecom Regulatory Authority of India (TRAI), began a series of attempts to stop this intrusive abuse.

This started with strict policies meant to control registered commercial messages sent via SMS. Violators found soliciting anyone registered on the national Do-Not-Disturb list faced fines and an eventual ban. However, this was easy to avoid. Instead of using sanctioned commercial services, spammers used extremely cheap unlimited SMS packages meant for regular users (known as person-to-person or P2P traffic). The blatant abuse of P2P SMS led to the TRAI implementing a spam reporting service to which users could report unsolicited text messages or calls. More recently, a resolution asked all MNOs to block spam messages originating from within their network using intelligent, signature-based content filters.

Hefty fines were then imposed on any operator responsible for delivering spam calls or text messages to its users. This monetary incentive led to mobile operators in India implementing anti-abuse solutions to prevent unnecessary fines. For one of the top four Indian carriers, these changes led to a 99.3% drop in spam complaints reported to the TRAI’s spam reporting service.

The resulting mobile environment has now made it extremely hard to deliver unwanted commercial messages. Many spammers have given up using SMS for spamming and instead have moved to various OTT services that implement far fewer controls or filters to prevent unwanted spam. Some have remained behind, determined to peddle their content via SMS. However, the effort, amount of obfuscation, and speed with which they’re required to change messages has led to these gems:

example spam text message about lpca registration
example spam text message about real estate

General 2014 SMS Trends

United Kingdom

The UK saw very little change from 2013 to 2014. Payday loan offers remained the country’s leading form of SMS spam with nearly half of all reports this year and last. Regulatory intervention into the predatory habits of the UK payday loan sector during the latter half of 2013 was predicted [4] to help combat or at least dent the amount of unwanted SMS payday loan offers in 2014. However, this turned out not to be the case, with levels of payday loan spam actually increasing during 2014 despite 19 of the top 50 payday lenders abandoning the market.

Fig. 2: Top SMS Spam & Scams in the UK, 2013 vs. 2014

The UK’s Information Commissioner’s Office (ICO) has also taken legal swings at spammers. Reports to 7726 from UK mobile subscribers helped the ICO lead raids on several spam operations during 2014. The most effective raid to date appears to be the closure of a claims management call center in the Welsh town of Llanelli. This was responsible for millions of unsolicited SMS messages in the UK. Officers made the arrests during the final days of August. The following month, September, saw a 40% drop in spam volumes. Sadly, not all measures are nearly as effective. A similar raid in Wolverhampton earlier in 2014 led to no lasting effect on the volume of UK spam outside of a small lull for several weeks.

United States

While it was previously mentioned that iMessage auction / sale site spam peaked in the number one spot for US mobile spam during several summer months, bank and account phishing reign supreme overall for 2014. More than one in four unsolicited SMS messages reported in 2014 attempted to steal the victim’s personal or financial information.

Fig. 3: Top SMS Spam & Scams in the US, 2013 vs. 2014

At the turn of the year, mobile phishing attempts were focused primarily on stealing victims’ prepaid debit card details. These grabs for quick cash made up 54% of all phishing attempts in January. The attempts targeted two flavors of debit cards, one sent to (usually) low-income recipients of tax refunds while the other was used for child welfare payments.

At the start of 2014 a very small number of phishing messages, roughly 3%, pretended to be major financial institutions such as Wells Fargo and Bank of America. This relatively low rate wouldn’t be unexpected since these banks have massive fraud departments and resources to stop abuse. Meanwhile smaller prepaid debit issuers likely have less fraud prevention and less motivation to prevent fraud since the stolen cards lose money the victim has already paid for, not money the bank is liable for.

However, this changed over the course of the year. Instead, attackers began impersonating larger national institutions such as Wells Fargo, Chase, and Bank of America. With this shift in targets came a shift in tactics. Previously, these phishing attempts simply asked users to reply to alert messages of a frozen account by calling the provided phone number. In later months, SMS phishing attempts began popping up with links to fake recovery pages with passable versions of the bank’s branding on them.

Following in close second during 2014 are the roughly one-fourth of reported US texts claiming the recipient had won something. This something ranges from free tickets, to iPhones, to Caribbean cruises. This year, the category was dominated by “free” cruise offers promising a getaway to the Caribbean. Free cruise spam contributed more than 70% of all fake prize ploys during the US’ second quarter alone.

Sadly, these “free” cruises are anything but. First, a gauntlet of timeshare pitches, from which Caribbean Cruise Line profits handsomely, awaits those hoping to cash in on this free trip. After hours of sales presentations, victims find that the cruise is far less free than they had hoped. Many victims report being charged a myriad of hidden fees for various reasons. The unclear terms and questionable tactics have netted the company hundreds of complaints with the Better Business Bureau.

New Zealand

Similar to the UK, mobile spam in New Zealand was led primarily by a single campaign. With roughly two-thirds of all reports, a rather inconsistent lotto scam plagued many subscribers in the country during 2014. The campaign fluctuated quite a bit with its core message alternating between prize pools ranging from 850 thousand to 2.5 million, currencies from pounds to dollars, and fake identities such as the “World Welfare Grant” to impersonating Red Bull email addresses.

On many occasions, these types of lotto scams hook victims with the temptation of having won millions so that the thieves can exact processing fees and similar charges but never pay out the supposed lottery winnings — also known as advanced fee fraud. This attempt may have actually veered from the norm and may have only aimed to steal personal information or banking details. Recipients were asked to email the provided address to collect their winnings.

example spam text message about fake redbull promotion

Among victims who responded to the email address provided, many reported never receiving a response back while one user claimed that the scammers never asked for money. However, these could be simple measures to weed out less credulous victims likely to waste the scammers’ time.

Fig. 4: Top SMS Spam & Scams in New Zealand and Argentina, 2014


Argentinean mobile spam this year was driven mostly by seemingly benign automobile ads. However, further research found this to be an elaborate form of advanced fee fraud. Rather than the cheap, low mileage vehicle promised in the ads, victims would be presented with a series of fees and import taxes for the vehicle that needed to be paid up front to become eligible. Dealers would then make it extremely difficult to complete the process so that they could collect these simple fees with very little other effort.

example spam text message about used car scam

Country Reports


“Nigerian Gold” has long been recognized as one of the standard forms of spam. Though many forms of this and other advanced fee scams are in fact operated from Nigeria, the actual spam promoting them is rarely sent directly from Nigeria.

Nigeria has a population of 178 million, more than half the population of the United States. However, while the US has 1.6 billion IPv4 addresses allocated to it, about 5 per person, Nigeria has 1.4 million, or about one IP address for every 125 people. Nigerian hosting companies are not in a position to offer large blocks of IP addresses in the way hosting companies based in the US are. Since one of the easiest forms of spam filtering is IP address blacklisting and spammers based in Nigeria cannot obtain large blocks of IP addresses, they are forced to go outside the country for the resources needed to send spam.

Within Nigeria, Internet scam artists are known as Yahoo Boys, as most of them used to use free Yahoo! Mail accounts to send spam. Though we still see Yahoo! Mail used by Nigerian con men, Yahoo! has improved their security in the past few years, and we see free accounts from other webmail providers or compromised accounts from other ISPs being used, often managed by a spam sending program called SendSafe. The message contents include advanced fee scams offering gold bullion, lottery winnings, or unclaimed inheritances, and some Nigerian scam artists specialize in the fake Internet girlfriend scam, where they pretend to be a single female looking for love and financial support from men in the US and Europe.

In the past, Yahoo Boys have often been able to bribe corrupt officials in order to avoid prosecution. [15] However, the Nigerian government finally seems to be responding to international pressure and stepping up their efforts to deal with cybercrime. Last year a number of Yahoo Boys were arrested [16] and this year penalties for Internet fraud have been increased [17]. Several additional Nigerian Yahoo Boys were arrested in South Africa this year at the instigation of US law enforcement. [18]

While we have seen good progress against the Yahoo Boys in the past two years, we will probably not see the end of this problem until the Nigerian economy has developed to the point where intelligent and tech savvy students in Nigeria can find jobs that reward them for their skills so that they do not have to turn to crime to make a decent living. [19]

North Korea

Attempting to attribute the Sony Pictures Entertainment attack to North Korea is complicated by the fact that a worm active in that country may be allowing foreign hackers access to computers within North Korea to launch attacks.

North Korea has an extremely narrow connection to the Internet. There is a single ISP, Star JV, which is a joint venture between the national telecom ministry and Thailand’s Loxley Pacific. [20] Star JV peers with two other networks to connect to the Internet, China Netcom and Intelsat, and is only allocated a single IP address block. That address block contains 1,024 IPv4 addresses. This is a very small allocation for a country of 24 million people. For comparison, that is the same number of IP addresses that is allocated to Cloudmark.

The FBI has identified North Korea as the source of the recent compromise of Sony Pictures Entertainment (SPE). [21] Other researchers remain dubious of this claim, stating that the level of access gained by the attackers indicates that it was an inside job involving disgruntled ex-employees. [22] One argument used against the involvement of North Korea in the SPE attack is that they do not have the bandwidth to receive the large volume of data that was exfiltrated from Sony. [23] However, the data may well have been exfiltrated to a location outside North Korea.

As part of the evidence that North Korea was responsible for the SPE attack, the FBI stated that, “several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.” However, examining the email sent from North Korean IP addresses shows that one of them has been sending spam, a common sign of an infected machine. The Composite Block List (CBL) maintained by the anti-spam non-profit Spamhaus confirms this. As of January 1, 2015, the CBL lists that address as being infected with the Wapomi worm, which is transmitted by USB drives and file server shares. This malware includes a software downloader that gives the criminal controlling it the ability to download and run any sort of malware on the victim’s machine.

Cloudmark detected this IP address sending spam on December 11, 2014, but it could have been under the control of criminal hackers long before that. It’s not clear if this is one of the IP addresses that the FBI regards as “Known North Korean infrastructure.” However, unless the FBI releases more specific details of their case against North Korea, some experts will continue to question if they are in fact correct.

Blocked IPv4 Addresses by Country

During 2014 China saw first a large increase in the number of blacklisted IPv4 addresses in May, followed by a similar decrease in November. This was in large part due to a block of IP addresses claimed by ZenInet Communications, a hosting company based in Hong Kong. At the peak of the problem Cloudmark was blocking over 1.1 million IP addresses at ZenInet, by far the largest amount for any ISP or hosting company in the world. This represented 89.7% of all ZenInet’s IP space. Those IP addresses were subsequently transferred to Zhejiang Telecom Company Ltd., a subsidiary of China Telecom. Since we did not see any further abuse coming from them, their reputation was restored in November 2014. ZenInet’s ASN is no longer visible in the global routing table, and their website [24] appears to have been abandoned before it was completed.

Fig. 5: Blocked IP Address Count For Several High Volume Countries, 2014
Fig. 6: Blocked IP Address Count For Several Other Countries, 2014

Apart from that outlier, we have seen a generally increasing trend in the number of blocked IP addresses in both China and the US over the course of the past year. These are the countries with the most IPv4 address space allocated to them, so IP addresses are cheaper and easier to obtain there.

Romania, for a long time one of the worst offenders as a source of spam, has shown significant improvements over the second half of 2014, with the number of blacklisted IP addresses down to half the level at the start of the year. However, we are still blocking 13.6, and Iran, which has grown to 4 at the start of the year to 1% by year-end. We would like to send our thanks to Belarus CERT for their effective action in dealing with spammers.

Fig. 7: Percentage of IP Address Space Blocked By Cloudmark, 2014
Fig. 8: Lower Percentage of IP Address Spaces Blocked By Cloudmark, 2014

Ransomware: A Growing Threat

Ransomware is a significant and growing threat to Windows users. So long as Bitcoin continues to enable anonymous ransom payments to extortionists, we expect to see this continue and to spread to other platforms.

The first encryption-based ransomware was the AIDS Trojan distributed by Joseph Popp in 1989. While this was cryptographically unsophisticated, by 1996 two researchers, Adam L. Young and Moti Yung, suggested using public key cryptography for ransomware. From 2005 onwards we started to see real world attacks using this approach, with increasing cryptographic sophistication. There was still a weakness in these attacks, however. Any form of extortion requires a payment to be made, and by following the money trail it was possible to track down the perpetrator. That changed with the advent of the Bitcoin cryptocurrency, as Bitcoin allows payments to be made that are entirely anonymous at both ends.

The first successful ransomware to exploit Bitcoin was CryptoLocker, which appeared in September 2013. CryptoLocker was normally delivered to a compromised PC as part of a package of malware, including Game Over/Zeus, which would attempt to steal online banking credentials, and the Cutwail spam sending botnet. Only after the attackers had attempted to extract all the value they could from the PC by other means would they turn on the ransomware and lock up the computer. The CryptoLocker attack was taken down in May 2014 by a joint operation involving security researchers and law enforcement. The malware bundle used two command and control mechanisms: a peer-to-peer network, with a domain generation algorithm for backup. A bug in the peer-to-peer component allowed that to be taken over, and pre-registering or black-holing all the domains from the DGA prevented the attackers from retaining control of the botnet.

While CryptoLocker has not returned, we have seen a number of other forms of ransomware attempt to take its place. Rather than being the final step in a longer process of exploitation, as CryptoLocker was, the new variants are an end in themselves. Two of the most successful are CryptoWall and Torrent Locker. They are using various forms of distribution, including email spam, malvertising, and watering hole attacks. Torrent Locker is not related to BitTorrent, but does disguise its configuration information in the Windows registry as if it was part of BitTorrent. The latest version of CryptoWall uses the Tor network for command and control, making it less vulnerable to the sort of attack that disabled CryptoLocker.

The advice usually given by security experts is to make sure you back up all your systems, and not to pay ransom if you are attacked, as that will only encourage more attacks. However, in many cases businesses with backups have still found it cost effective to pay ransom rather than go through the time consuming and potentially fallible process of restoring their systems [25]. Even law enforcement agencies have decided to pay ransom on occasion. [26] Given the obvious success of Bitcoin based ransomware in generating revenue for cybercriminals, we expect to see this spread to other platforms. There have already been some examples of mobile device ransomware [27], but we expect to see similar attacks on data stored on cloud services, Macs, and corporate networks.

The main uses of Bitcoin appear to be for illegal activities: avoiding exchange controls, unlicensed gambling, purchasing illicit drugs, and now extortion. We have already seen one large scale DDoS attack on Bitcoin: the transaction malleability attack that bankrupted the Bitcoin exchange called MtGox and caused temporary problems for several others. [28] The solution to the ransomware problem may only come when some nation state becomes sufficiently annoyed by Bitcoin that they use a combination of legal and technical attacks to bring it down permanently.

DNS Threats

DNS is a critical part of an organization’s network infrastructure, enabling essential services including:

  • domain name to IP address lookups
  • announcing an organization’s domain name or email servers
  • announcing a domain’s policy for sending and allowing authenticated email

However, unlike most other network components, an organization’s DNS servers tend to have less monitoring and be less protected against security threats. These threats are not just hypothetical — according to a survey of 300 US and UK technology decision makers by Vanson Bourne commissioned by Cloudmark, three-quarters of US and UK organizations have suffered a DNS attack, varying from Distributed Denial of Service (DDoS) (74), or hijacking (33%).

DDoS Using DNS Amplification

DNS has long been used as a vector to carry out distributed denial of service (DDoS) attacks. To perform the attack, an attacker relies on two things:

  • a collection of open DNS resolvers that perform recursive DNS lookups. Typically these are misconfigured DNS servers or customer premise equipment (CPE) that performs DNS lookups by default.
  • the ability to send DNS requests with spoofed source IP addresses

The attacker sends a large number of DNS requests to the open resolvers with a spoofed source address that is the target’s IP address. The DNS requests are designed to be ones that result in large responses. They could be ANY requests which return all available record types for a given domain name, or TXT requests where the response is a large block of text.

The intermediate resolvers perform the lookups and send the responses not to the attacker, but to the target. The volume of response traffic overwhelms the target, disrupting normal communication. The volume of these attacks can easily reach tens of gigabits/sec. A high profile attack against Spamhaus in 2013 reached volumes in excess of 75 Gbps. [29]

DNS amplification overview.

Although the attack uses DNS requests and responses, the volume is so high that the actual payload data does not matter. As a result, it is difficult to mitigate a DNS Amplification attack at a target’s DNS servers. However, there are steps to take at the source and intermediate networks:

  • Network operators should take steps to prevent traffic from leaving their network with source IPs that are not local to that network. Doing so prevents attackers from sending the requests to the open resolvers.
  • Network operators should not allow access to open recursive resolvers on their local network that they do not operate.
  • If a network operator’s own resolvers are configured to perform recursive lookups, they should:
    • Restrict access to the resolvers to requests coming only from their local network.
    • Have the ability to identify floods of requests related to DNS Amplification and rate limit the responses.
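The last two recommendations can be sketched as a resolver-side policy. This is an added example, not code from the report or from any DNS server product: the address ranges, byte budgets, and function names are assumptions, it handles IPv4 only, and the events are constructed.

```python
import ipaddress
from collections import Counter

# Assumed values for illustration: the operator's own address space and budgets.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BYTES_PER_SECOND = 2000   # response bytes refilled per second, per client /24
BURST_BYTES = 4000        # largest burst of response bytes a /24 may receive


class ResponseLimiter:
    """Token bucket of response bytes, keyed on the /24 that would receive them.

    The claimed source may be spoofed, so the budget protects whoever sits
    behind that prefix rather than trusting the sender (IPv4 only here).
    """

    def __init__(self, rate=BYTES_PER_SECOND, burst=BURST_BYTES):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # prefix -> (tokens left, time of last update)

    def allow(self, src_ip, response_size, now):
        prefix = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        tokens, last = self.buckets.get(prefix, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = response_size <= tokens
        if allowed:
            tokens -= response_size
        self.buckets[prefix] = (tokens, now)
        return allowed


def decide(limiter, src_ip, response_size, now):
    """Return 'refuse' (not a local client), 'drop' (over budget) or 'answer'."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in LOCAL_NETS):
        return "refuse"  # recursion is offered to the local network only
    return "answer" if limiter.allow(src_ip, response_size, now) else "drop"


def constructed_events():
    """(time in seconds, claimed source IP, response size in bytes)."""
    events = [(0.0, "203.0.113.9", 3000)]                        # not a local client
    events += [(i * 0.01, "10.1.1.5", 3000) for i in range(50)]  # flood of large answers
    events += [(t, "10.2.2.7", 120) for t in (0.0, 0.5, 1.0)]    # ordinary client
    return sorted(events)


def simulate(events):
    """Count the decisions taken for a list of events."""
    limiter = ResponseLimiter()
    return Counter(decide(limiter, ip, size, t) for t, ip, size in events)


if __name__ == "__main__":
    print(simulate(constructed_events()))
```

With these budgets the flooded prefix receives one 3,000-byte answer instead of fifty, while the ordinary client's small responses are unaffected.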

DNS Resource Exhaustion aka Water Torture Attacks

DNS resource exhaustion, also known as a water torture attack, attacks an organization’s DNS servers. The attack involves a flood of maliciously crafted impossible-to-resolve DNS lookup requests. These requests affect DNS infrastructure at two places:

  • The remote target’s authoritative name server is swamped with a large volume of requests.
  • Intermediate resolvers experience delays and timeouts waiting for the end target’s authoritative name server to respond to the requests. This consumes network, CPU, and storage resources at the intermediate resolver.

To perform the attack, an attacker identifies a remote target and a domain name owned by that target (e.g. The attacker then utilizes a botnet of compromised machines and open resolvers to flood the target with malicious lookup requests for random, unique, and non-existent subdomains of that domain name (for example,,, etc.)

As the subdomains are unique and random, responses cannot be obtained from the cache of the intermediate name servers, forcing the lookup requests to go to the remote target’s name server. This flood of lookups overwhelms the remote name server, causing timeouts.

However, the flood of lookup requests also ties up significant resources at any intermediate name servers along the path between the compromised machines and the remote target. For an organization’s recursive name server, each lookup request may remain active for tens of seconds before it times out.

DNS resource exhaustion overview.

To get an idea of how bad an attack like this can be, here’s a graph of the number of outstanding DNS requests at a major ISP for a 30 minute period where one of these attacks was taking place. An “outstanding request” is a request waiting for an answer from an upstream authoritative name server. While waiting for an answer, the lookup request ties up network connections, cache space, etc., until it times out.

Fig. 9: Volume of Outstanding Requests, Sampled on May 29, 2014

The independent axis shows time and the dependent axis shows the number of outstanding lookups at that time. There are lines for several popular domains, the remainder, and an overall total. You can see that the attack on domain is consuming more resources on its own than all other domains, combined. This is because the queries take a long time to time out. As a point of comparison, requests for are shown. You can see that the number of outstanding requests is nowhere near the same volume as

This ISP’s DNS infrastructure could still handle the load, but it wouldn’t take much more to reach a tipping point where the outstanding requests consume all network resources, preventing legitimate lookups.
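The effect in Fig. 9 can be reproduced on a resolver query log. This is an added example, not Cloudmark's tooling: the log format, the thresholds, the 10 second timeout, and the `.example` domain names are assumptions, and the log itself is constructed.

```python
from collections import defaultdict

TIMEOUT_MS = 10_000  # assumed time a resolver waits on an unresponsive authority


def parent(qname):
    # Simplification: treat the last two labels as the registered domain.
    # A production version would consult the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def constructed_log():
    """Records are (start_ms, duration_ms, qname); all values are constructed."""
    log = []
    # A popular domain: 200 queries/s for 30 s, each answered in 20 ms.
    for i in range(6000):
        log.append((i * 5, 20, f"www{i % 5}.popular.example"))
    # The attacked domain: only 50 queries/s from t=10 s, every name unique,
    # and every lookup waits for the full timeout.
    for i in range(1000):
        label = f"{i * 2654435761 % 2**32:08x}"  # distinct pseudo-random label
        log.append((10_000 + i * 20, TIMEOUT_MS, f"{label}.victim.example"))
    return log


def outstanding(log, t_ms):
    """Lookups still waiting for an upstream answer at time t_ms, per domain."""
    counts = defaultdict(int)
    for start, duration, qname in log:
        if start <= t_ms < start + duration:
            counts[parent(qname)] += 1
    return dict(counts)


def suspects(log, min_queries=100, min_unique=0.9, min_timeouts=0.8):
    """Domains whose queries are mostly never-repeated names that time out."""
    names, total, timeouts = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, duration, qname in log:
        d = parent(qname)
        names[d].add(qname.lower())
        total[d] += 1
        timeouts[d] += duration >= TIMEOUT_MS
    return sorted(
        d for d in total
        if total[d] >= min_queries
        and len(names[d]) / total[d] >= min_unique
        and timeouts[d] / total[d] >= min_timeouts
    )


if __name__ == "__main__":
    log = constructed_log()
    print(outstanding(log, 25_000))
    print(suspects(log))
```

Although the constructed popular domain receives four times the query rate, the attacked domain holds far more outstanding lookups because each one lasts the full timeout, which is the pattern the graph describes.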

DNS Tunneling and Exfiltration

Another threat related to DNS does not directly attack an organization’s DNS infrastructure, but exploits a lack of security and monitoring of DNS traffic to avoid channels with higher levels of security.

DNS tunneling uses DNS queries and responses to send data that cannot otherwise be sent via traditional network connections. The tunnel consists of a client inside a restricted network and a server that acts as an authoritative DNS server, using an agreed-upon domain name as the basis for queries and responses (e.g. To send data from the client to the server, the client encodes data in the hostname portion of specifically constructed DNS requests (e.g. <encoded data> To send data from the server to the client, the server encodes data in the payload of DNS responses.

An especially malicious use of DNS tunneling is for data exfiltration, where sensitive internal information is sent out of a local network by using DNS tunneling techniques.

Using DNS tunneling to pass traditional network controls.

Reasons to use DNS Tunneling

DNS tunneling is used to circumvent limits on network traffic or access that would otherwise prevent communications from a confined local network. DNS access is generally available and rarely restricted or monitored so it is an effective sideband communications channel.

For enterprises, DNS tunneling can circumvent firewalls that limit access on undesired ports and protocols or access to websites such as Facebook or YouTube that may have been restricted in the work environment. DNS tunneling exclusively uses port 53 and almost always uses UDP, so it bypasses any TCP/application-level restrictions.

DNS tunneling can also circumvent content firewalls and inspection gateways that perform egress traffic filtering to prevent data exfiltration. Content firewalls usually inspect TCP and application level data but do not inspect DNS traffic.

DNS tunneling circumvents this egress traffic filtering and allows potentially sensitive data to be sent from the restricted local networks. For ISPs and other service providers, DNS tunneling can circumvent paywalls that require registration or payment for access to WiFi networks. For example, airports and hotels often charge users for Internet access.

Usually in these networks DNS access is still open, so by using a DNS tunnel, a potential customer can skip the registration/payment process and access the Internet via a DNS tunnel. This results in lost revenue for the service provider. In addition to loss of revenue, DNS tunneling to avoid payment is also a very inefficient way to provide Internet access and can result in a much larger CPU load on the DNS system than the load from the users who are using approved access methods.

For Mobile Operators, DNS tunneling can be more problematic than some users circumventing WiFi paywalls. Mobile operators in less well-regulated parts of the world may install software on the handsets of their subscribers that causes all traffic to be tunneled over DNS when roaming on foreign networks. This loses vital revenue for the mobile operator on whose network the subscriber is roaming. The mobile operator of the subscriber may well still charge the subscriber for roaming access, however.

DNS tunneling also circumvents data consumption measurements and limits, so by using DNS tunneling a client can bypass any restrictions on the amount of data they can download per week/month/etc.

Examples of DNS Tunneling for Internet Access

Several VPN providers list DNS-based tunneling as one of their connectivity options. They specifically advertise the ability to bypass local network restrictions. Here are some quotes from their websites:

  • “Unblock sites such as Twitter and Facebook from China, Hulu or iPlayer from your office - anywhere your internet access is filtered, <vpn service> can help!” [30]
  • “In a few words, it lets you tunnel data through a DNS server. Data exfiltration, for those times when everything else is blocked.” [31]
  • “ISP blocked websites and protocols at work or at home? YouTube, Facebook and Twitter sent a goodbye note? Not a problem anymore — enjoy your freedom.” [32]
  • “Because many ISPs, such as Wifi hotspots, restrict access via standard protocols, our technology allows you to communicate with our network by using other protocols that the service provider may leave unrestricted.” [33]

It’s relatively easy for anyone with a laptop or PC to install software that sets up a VPN client that will allow DNS tunneling. On an Android device, there are apps that provide this ability. For an iOS phone or tablet, the device first needs to be jailbroken, but then it’s possible to follow the instructions on a website or YouTube video to see how to install a DNS Tunneling application.

For an ISP that charges for Internet access, clients that connect to the network and use one of these VPN providers are likely bypassing the authentication and payment mechanisms the ISP relies on for revenue.

An example Android app for smartphones that performs DNS based tunneling to a VPN provider.

Examples of DNS Tunneling for Exfiltration

Other security companies have identified malware packages and built proof of concepts that use DNS-based exfiltration methods. Here are some examples:

  • A newer variant of the FrameworkPOS malware package that was used to steal 56 million credit card numbers from Home Depot uses DNS for data exfiltration [34]
  • A modification to the SqlMap database penetration testing tool uses DNS exfiltration to return data [35]
  • MS SQL 2005 can be manipulated into performing DNS Queries, which can be used to exfiltrate data [36]

In each of these cases the software exploits a lack of security on DNS channels to send sensitive data from a local network, bypassing firewalls, access control, and content-based monitoring.
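Monitoring DNS traffic for this pattern is possible because a tunnel must carry its data in the hostname portion of many distinct queries to one parent domain. The following is an added example, not taken from the report or the cited tools: the thresholds and `.example` domains are assumptions, and the query names are constructed, with hash output standing in for encoded data.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds; tune them against your own resolver logs.
MIN_PAYLOAD_BYTES = 1000   # characters carried in subdomain labels per domain
MIN_ENTROPY = 3.5          # bits per character; hex-encoded data approaches 4.0


def entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def profile(qnames):
    """Per parent domain: distinct names and how much data their labels carry."""
    seen = defaultdict(set)
    for qname in qnames:
        labels = qname.rstrip(".").lower().split(".")
        # Simplification: the last two labels are taken as the parent domain.
        seen[".".join(labels[-2:])].add(".".join(labels[:-2]))
    stats = {}
    for domain, subs in seen.items():
        payload = "".join(s.replace(".", "") for s in sorted(subs))
        stats[domain] = {
            "unique_names": len(subs),
            "payload_bytes": len(payload),
            "entropy": entropy(payload) if payload else 0.0,
        }
    return stats


def flag(stats):
    """Domains receiving a large volume of high-entropy subdomain data."""
    return sorted(
        d for d, s in stats.items()
        if s["payload_bytes"] >= MIN_PAYLOAD_BYTES and s["entropy"] >= MIN_ENTROPY
    )


def constructed_queries():
    """Constructed sample: ordinary lookups plus tunnel-like query names."""
    normal = ["www.popular.example", "mail.popular.example",
              "cdn1.popular.example", "api.popular.example"] * 25
    tunnel = [
        f"{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.tunnel.example"
        for i in range(40)
    ]
    return normal + tunnel


if __name__ == "__main__":
    stats = profile(constructed_queries())
    for domain in flag(stats):
        print(domain, stats[domain])
```

Some legitimate services also generate long, random-looking hostnames, so a flagged domain is a lead for review rather than proof of tunneling.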

DNS is a fundamental part of Internet infrastructure that has been around for over 30 years. When it was introduced, hosts on the Arpanet/Internet consisted of academic and research institutions that generally trusted each other. For that reason, there was no need to add many layers of protection and security to DNS. Thirty years later, those assumptions of trust are no longer true.

Today’s Internet infrastructure has strong layers of security for almost every network component, and the relative lack of security and protection around DNS is a glaring weakness. In this section we’ve described specific attacks that exploit a lack of security on DNS channels. They result in several major threats against an organization’s network infrastructure:

  • Denial of service: DDoS attacks swamp a target with malicious traffic, preventing almost all network communication.
  • Loss of critical services: resource exhaustion attacks both the authoritative name servers for a given domain as well as the intermediate resolvers that perform recursive lookups for that domain. This has the potential to cripple an organization’s DNS resolvers and the upstream services that rely on DNS.
  • Revenue loss: for ISPs, DNS Tunneling can be used to bypass authentication and payment systems.
  • Data security: DNS exfiltration can be used for attackers to send sensitive data from a local network to outside sources, bypassing firewalls and content-based protections.

Given the severity of these threats, organizations need to increase the level of protection for their DNS infrastructure to match their other critical network components.

2015 Security Predictions

2014 has seen some interesting developments in computer security and the lack thereof: the growth of encryption based ransomware, the exposure of several highly sophisticated state sponsored cyber espionage malware packages, the takedown of the Silk Road drug sales website (twice), a series of massive credit card breaches from major retail chains in the US, and a massive invasion of personal privacy in the form of leaked celebrity nudes have all made headlines. Here are Cloudmark’s thoughts on how these threats are likely to mutate in 2015, along with a few new headlines we expect to see.

An earlier version of these predictions was published in the Cloudmark blog in early December. [37] As noted below, we are seeing several of them starting to happen already.

Ransomware will spread to other platforms: the enterprise, the cloud, and mobile devices

Ramping up in the fall of 2013, ransomware is now one of the most successful forms of cybercrime. Though Cryptolocker has been largely disabled, Cryptowall, Torrent Locker and other forms of PC ransomware are spreading by multiple vectors. However, PCs are not the only places where data of value is stored. We’ve already seen ransom attempts on mobile devices using compromised credentials, and we expect these to grow in sophistication. The theft of celebrities’ nude photos shows how vulnerable data stored in the cloud can be. What if that cloud data had been encrypted rather than stolen, and that encrypted version had automatically overwritten all the original copies? Finally, in the past year, we’ve seen the ease with which attackers can penetrate corporate defenses to steal credit card and customer data. Again, what if, instead of stealing that customer database, the backup system were disabled and the database were encrypted? Large companies probably have robust enough backup systems to deal with this, but there may be many small and medium sized businesses that do not.

Encryption will be the default in more consumer products, but this will come under both technical and political attack

Data encryption will become a feature, rather than a conscious choice of users. Users won’t likely be choosing to encrypt, but they will want software with more security. However, not all companies are looking out for their customers. Recently, several major carriers in the US and abroad have been caught actively subverting the use of encrypted email channels [38], downgrading them to plaintext. They’ve done this by preventing STARTTLS from functioning, thus forcing the messages back to plaintext. Given this fallback mechanism exists in other technologies, it’s very likely that in 2015 we’ll see ISPs strip DNSSEC from DNS requests. DNS, the technology behind such things as how your browser finds the website for URLs, provides DNSSEC as an additional security feature, and preventing its use will actively subvert the security of DNS traffic in an analogous manner. It’s also very likely that in the 2015 rush to engage customer demand for security it will be done wrong in spectacular ways, eventually leading to users being compromised.

Unfortunately, the move to fingerprints as a method for unlocking secured devices wasn’t without pitfalls. A Virginia court ruled recently [39] that the Fifth Amendment (which would ordinarily protect someone from divulging incriminating evidence) does not apply to your fingerprint since you own it rather than know it. Thus, law enforcement and judges can force you to unlock your otherwise secure device if it is secured by a fingerprint or similar biometric. This, on its face, is a logical step. The problem arises when we consider that more and more individuals are storing their entire day-to-day lives digitally. With FBI Director James Comey weighing in [40] on the debate about phone encryption, claiming it has “swung too far” against government’s ability to investigate, it’s likely that we’ll continue to see the legal grounds of privacy and security ironed out in the face of national, and local, security needs. It is likely that the security establishment will make common cause with the intellectual property industry in sponsoring another round of Internet legislation with features from the failed SOPA and CISPA bills.

Since the original version of these predictions was published, President Obama has called for Congress to work with the White House on a new set of strong cybersecurity laws. [41]

More nation states will start building elite cyber espionage teams

In the past year we have seen evidence of widespread cyber espionage for military, political, and commercial purposes. The big players in the game are currently the US, the UK, China, Russia and Israel. Regin, Flame, Stuxnet, Sandworm, BlackEnergy, and Hikit are all examples of highly sophisticated malware from these countries. Targets included businesses, activists, and industrial control systems as well as the more traditional military and intelligence targets of state sponsored espionage. It is clear that nation state cyber espionage teams are working to further the commercial aims of businesses in their country as well as having political goals. However, the barriers to entry in this game are minimal, as is the downside if you get caught. You don’t even have the embarrassment of seeing your spies put on trial in a foreign country like the bad old days of the Cold War. Your spies never leave their desks in Beijing or Cheltenham. All you need is a fast Internet connection and a dozen or so great software engineers. While great software engineers are not that common, they are a lot easier to come by than nuclear scientists, so a nation wishing to increase its threat profile will find it far better to put together a cyber espionage team than a nuclear weapons program.

When the original version of these predictions was published we indicated that we were particularly concerned about would-be nuclear powers North Korea and Iran. Since then the FBI has stated that North Korea was responsible for the attack on Sony Pictures Entertainment and has issued a “Flash” [42] warning about the developing cyber espionage capabilities of Iran.

Government takedowns of drug marketplaces will continue but the Internet drug trade will continue while the Tor network still exists

As the effort that went into the takedown of Silk Road and Silk Road 2 shows, this is obviously a high priority for law enforcement, and we can expect this to continue. Underground drug marketplaces are also vulnerable to hacking and bitcoin theft, or to the owner simply shutting up shop and keeping all the bitcoins that were held in escrow [43]. However, there is a lot of money to be made in this business, and as each one gets taken down, another will spring up. The eventual survivor(s) will be operated out of countries such as Russia where they are beyond the reach of US law enforcement. So long as the Tor network provides anonymous secure communications and bitcoin allows for anonymous payments these marketplaces will continue to operate.

The Tor network will suffer a major DDoS attack

The Tor network was created to allow dissidents in oppressive countries to access the Internet anonymously. While it is still used for this purpose, it is also used for a range of criminal purposes: drug dealing, sharing child abuse material, and botnet command and control. We live in interesting times and the Tor network is attracting the attention of important people. Sooner or later someone is going to decide that the world would be a better place without Tor, and give the order to take it down. There are only a limited number of Tor endpoints where the network connects to the rest of the Internet, and these are publicly listed. Launching a coordinated DDoS attack on these would be well within the capabilities of any major botmaster or nation state.

Since the original publication of these predictions, the Tor network has suffered one rather ineffectual attempted attack [44] from Lizard Squad, a group of black hat hackers known for their DDoS attacks on gaming sites.

Credit cards with embedded chips will finally roll out in the US, and will be attacked via compromised point of sale networks

EMV credit cards, which have an embedded chip, are scheduled to roll out in the US in 2015. In most countries a PIN is also required to confirm sales, but the US had standardized on the weaker chip and signature validation. Even so, these are far harder to fake than the magnetic stripe cards currently in use, and this system will provide significantly better security. The most likely attack vector for this system is through point of sale (POS) devices. Hackers have already demonstrated the ease with which they can compromise POS networks to harvest credit card information. Perhaps it is just as easy to turn off validation in those POS devices so that they approve transactions for a forged credit card even if there is an invalid chip in it. This would allow accomplices to make unlimited purchases from the store with a dummy card. In this case it is likely that the store would be legally responsible for the losses rather than the issuing banks.

Email spam originating from IPv6 addresses will become more common

Unlike IPv4 space, where most ISPs and enterprises used real time blacklists of IPs sending spam, IPv6 paths often have little or no protections. We expect to see spammers exploiting this increasingly in future. As filtering based on blacklists becomes less effective, policy-based rate limiting by IP block and content based filtering will increase in importance.

At least one startup will fail because of messaging abuse on its site or service

Many growing startups are based on social networking or messaging. As soon as they build up a sufficiently large user base, the spammers move in to try to exploit that. Making sure that they don’t succeed is fundamental to maintaining growth. There are too many ways to spend time on the Internet; people will just avoid the ones where they are likely to get spammed. However, based on past history we expect to see at least one promising startup get this wrong, and fade into obscurity because they can’t control spam on their network.

As mobile payment systems become more mainstream, they will come under attack from cybercriminals

When asked why he robbed banks, Willie Sutton is famous for saying, “Because that’s where the money is.” Though that line was actually made up by an enterprising reporter, it’s certainly true that just as spammers will go wherever people are reading messages, thieves will go wherever money is being transferred. Several systems are competing to let us use our phones to make payments, both in person and remotely. Apple, Venmo, PayPal, Square, and Snapchat all have approaches to this. PayPal is already one of the most phished brands in the world, but we can expect to see attacks on the other payment systems both through credential theft and malware.


  1. Viagra® (sildenafil citrate) is a registered trademark of Pfizer Inc.
  2. Ordering prescription drugs from offshore pharmacies for delivery to the United States is illegal. Cloudmark used an agent based outside the US to facilitate this.
  3. See Spam Nation, by Brian Krebs, Sourcebooks (2014). Also, see:

Cloudmark 2014 Annual Security Threat Report (2.7MB)
