Transcript of Malware Attacks: Examining the Impact on Your Business

Page 1: Malware Attacks: Examining the Impact on Your Business

November 18, 2015

Jack Johnson, SOC Manager
Stefanie Ellis, AntiFraud Product Marketing Manager
MarkMonitor

© 2015 MarkMonitor Inc. All rights reserved.

Page 2: Agenda

• Malware Attack Cycle, Malware Variations & Types
• Examples and Business Impact
• Analysis of Mitigation Strategies
• Best Practices

Page 3: Malware Reach is Growing

“2016 will be the Year of Online Extortion”

“Ransomware will remain a major and rapidly growing threat in 2016”

“China will drive mobile malware growth to 20M by the end of 2016”

Sources: http://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2016, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

Page 4: Malware Attack Lifecycle

Stages: Plan & Scan → Compromise & Configure → Create Payloads → Distribute & Deliver → Infect & Exploit → Collection & Monetization

Plan & Scan:

• Type of Attack
• Target List
• Scale
• Infrastructure

Page 5: Malware Attack Lifecycle: Compromise & Configure

• Content Management Systems
• Web Server
• Domain Name Registrations
• Exploit Tool Kit

Page 6: Malware Attack Lifecycle: Create Payloads

• Macro Enabled MS Word Documents
• PostScript Documents
• Malicious JavaScript
• URL

Page 7: Malware Attack Lifecycle: Distribute & Deliver

• Email
• Social Media
• Text Messages

Page 8: Malware Attack Lifecycle: Infect & Exploit

• Keyloggers
• Ransomware
• Screen Captures
• Print Captures

Page 9: Malware Attack Lifecycle: Collection & Monetization

• Funds Transfer
• Fake Invoicing
• Identity Theft
• Propagate Malware

Page 10: Malware Variations

Spyware
Example: Trojan:Win32/Meredrop
Characteristics: Key logging, Screen captures, Print captures, Pop-ups, Adware

Banking Trojans
Example: Shiz, Gozi, Dridex
Characteristics: Organizational target list, Configuration files, Key logging, Screen captures, Print captures, DGAs, HTML form injection

Ransomware
Example: CryptoWall, CryptoLocker
Characteristics: Encrypts files, Encrypts hard disk, Requests payment

Remote Access Trojans (RATs)
Example: Back Orifice, JSocket, AlienSpy
Characteristics: Installed w/ user application, Included backdoor, Allows remote access, Enables administrative control, Key logging

Page 11: Malware For Sale

Page 12: Ransomware Growth

Source: http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

Page 13: Financial Impact

• $100 million in known losses from GameOver Zeus, 2011 to 2014
• $30 million paid in ransom due to CryptoLocker ransomware, Sept to Dec 2013
• $18 million in losses and 992 CryptoWall-related complaints to the FBI, Apr 2014 to June 2015

Sources:
http://money.cnn.com/2014/06/02/technology/security/gameover-zeus-botnet/
https://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted/documents/gameover-zeus-and-cryptolocker-poster-pdf
http://www.ic3.gov/media/2015/150623.aspx

Page 14: Malware in Business Email Compromise

Example lure (domain suspension notice):

Dear Sir/Madam,

The following domain names have been suspended for violation of the ABCD Registrar, Inc. Abuse Policy:

Domain Name: yourprimarybusinessdomain.com
Registrar: ABCD Registrar, Inc.
Registrant Name: Domain Administrator

Multiple warnings were sent by ABCD Registrar, Inc. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
ABCD Registrar, Inc.
Spam and Abuse Department
Abuse Department Hotline: XXX-XXX-XXXX

Page 15: Exploiting Brands to Target Consumers

Example lure (shipping notification):

Dear Customer,

This is to confirm that one or more of your parcels has been shipped.

You can review complete details of your order in the find attached.

Yours truly,
John Doe
ABCD Logistics Company
Support Manager

Flow: Email → Attachment → Credential Theft

The zip file contains a trojan that pulls in a secondary infection, which could be a number of different malware types: Dridex, Cridex, CryptoLocker, Zeus.

The real malware then begins harvesting credentials and sends them to a collection point, or can be click-fraud malware sending the user to advertisement sites.

Page 16: Analysis of Mitigation Strategies: Malware Binaries

Indicator types: TTPs, Tools, Network/Host Artifacts, Domain Names, IP Addresses, Hash Values

Page 17: Analysis of Mitigation Strategies: Botnet Communication Points

Page 18: Analysis of Mitigation Strategies: Domain Generation Algorithms (DGAs)

Page 19: Analysis of Mitigation Strategies: Hosting providers/Registrars

Page 20: Analysis of Mitigation Strategies: Exploit Kits/Turnkey Malware Solutions

Page 21: Analysis of Mitigation Strategies: Who, What, Why, Where, When, How

Page 22: Analysis of Mitigation Strategies (summary)

• Who, What, Why, Where, When, How: TTPs
• Exploit Kits/Turnkey Malware Solutions: Tools
• Hosting providers/Registrars: Network/Host Artifacts
• Domain Generation Algorithms (DGAs): Domain Names
• Botnet Communication Points: IP Addresses
• Malware Binaries: Hash Values

Page 23: Employee Education on Email

• Delete or report to IT any unsolicited email; do not open it first
• Be suspicious of pressure to take action quickly or change business practices; report suspicious emails to IT
• When reporting scam email to IT in an Outlook environment, press Ctrl+Alt+F to forward the full email as an attachment
• Minimize use of email “Reply”; instead, choose “Forward” and input the email address yourself

Page 24: Best Practices for Business Protection

• Digital signatures should be used by both parties in a transaction
• Internal approval processes should be formalized
• Pre-establish out-of-band communications to verify transactions
• Pre-establish internal escalation procedures to a primary point of contact
• Build capability to analyze and mitigate malware attacks

For more info & best practices: https://www.ic3.gov/media/2015/150122.aspx

Page 25: Questions?

Page 26: Thank You!

For information on MarkMonitor solutions, services and complimentary educational events:

• Contact via email: [email protected]
• Visit our website at: www.markmonitor.com
• Contact via phone: US: 1 (800) 745 9229; Europe: +44 (0) 203 206 2220