Localised "designer" malware campaigns all the rage, says Sophos

Criminal outfits are increasingly distributing "designer" spam and malware, customised to optimally target victims in specific geographic regions, according to new research from Sophos' research division, SophosLabs.

SophosLabs research has found that malware campaigns have become increasingly localised, featuring custom content designed to fool even spam-savvy recipients.
SophosLabs research has found that malware campaigns have become increasingly localised, featuring custom content designed to fool even spam-savvy recipients.

Evolving from classic “spray and pray” tactics, criminal outfits are increasingly distributing “designer” spam and malware, customised to optimally target victims in specific geographic regions, according to new research from Sophos' research division, SophosLabs.

In a press release and blog post published today, Sophos reported that cyber-criminals are becoming ever more proficient at using localised language and vernacular in phishing emails and ransomware notes. Older, more amateurish spam communications like the classic Nigerian Prince scam are easy to catch, but more recent efforts feature dramatically improved grammar. “That means you're more likely to accidentally fall for the ones that aren't stupid,” Chester Wisniewski, senior security adviser at Sophos, told SCMagazine.com.

Malicious campaigns are also more accurately spoofing legitimate brands endemic to a particular country or culture. According to the research, postal companies, tax and law enforcement agencies and utility firms are among the most commonly spoofed local entities in these phishing campaigns, which attempt to trick recipients with convincing emails that feature official-looking logos and content such as bills and account balances, shipping notices, refunds and speeding tickets.

Such tactics are likely to generate a higher rate of infection in countries with especially desirable targets—and that in turn allows cyber-criminal operators who sell malware-as-a-service to other bad actors to charge a higher rate per infection.

Certainly, a targeted attack containing localised content is not a new concept, but Wisniewski said that such instances have become so prominent in the last several years that “it's becoming the norm, rather than the unusual.” Recognising such trends are especially important, said Wisniewski, because “it changes how you need to defend yourself.”

The improved localisation of campaigns is attributable to increasing specialisation within the malware industry, said Wisniewski, with different cyber-criminals developing specific expertise in coding, content and distribution. “With that specialisation, malware is getting more tailored,” he noted.

In some cases, cyber-criminals are even outsourcing content translation services to innocent local experts. “The criminal is buying services from legitimate freelancers who don't even realise what they're doing,” said Wisniewski. “If you're pulling hundreds of thousands of dollars a month on your scam, when you've got that kind of cash, it's easy to [farm] that out” for a relatively minor fee, he added.

At the same time, some adversaries are strategically filtering certain regions out of their campaigns, using malware that fails to activate, or deletes itself, if an online geo IP lookup determines that the affected computer is in a non-targeted country. (Such was the case with early variants of the computer worm Conficker, which eschewed attacks in Ukraine.) Criminals sometimes do this to avoid the wrath of law enforcement in their own countries.

Further Sophos analysis over the first three months of 2016 found that the countries with the highest percent of endpoints exposed to a malware attacks were Algeria (30.7 percent), Bolivia (20.3 percent), Pakistan (19.9 percent), China (18.5 percent) and India (16.9 percent). Nations with the lowest" threat exposure rates" were France (5.2 percent), followed by Canada (4.6 percent), Australia (4.10 percent), the US (three percent) and the UK (2.8 percent).

Despite a lower frequency of exposure, Western countries did tend to experience greater proportions of targeted, localised cyber-threats—suggesting these attacks featured a higher level of sophistication.