Cybercrime is a big business and it is costing law-abiding citizens tens of millions of dollars a year. CryptoLocker, one of the more high-profile strains known as ransomware, is believed to have netted its shadowy operators $3 million alone.
Now, cybercriminals have upped the game by using a range of methods to find out where you and your business are located and tailoring their malware for maximum effect.
It’s All About ROI
Tracking a device or network to its geographical location is termed geo-targeting and is used by legitimate marketing companies and service providers every day. We will be looking at the various ways in which criminals use geo-targeting in their operations, but first, why geo-target at all? Focusing on ransomware specifically, isn’t it easier to use the so-called “spray and pray” method and sit back and gather the takings?
It all comes down to ROI. Just like honest businesses, cybercrime networks have to spend money on IT resources and everyone participating in the scam is going to want their share of the takings, too. The more efficient a hacking operation is, the more money flows into criminal hands. For a start, extortionists will want to spend their time targeting relatively wealthy countries.
Taking ransomware as an example, one way to get enough people to bite is to ensure that local currency payment options are available. Another is to take into account the financial norms for a specific country. A scammer may prefer a nice big transfer of a million dollars worth of Bitcoins but how much more productive would it be to infect 10,000 US-based businesses and charge $100 via wire payment to decrypt the files?
Phishing: Trust is Everything
In order for ransomware to work, a Trojan or similarly malicious file needs to be downloaded onto the target PC. One common vector for this kind of attack is phishing, but, until now, many phishing attacks failed because people picked up on subtle differences in branding or language that put them on alert.
For example, an email from Apple that begins “Hello Dears,” is a crude phishing attempt as Apple would hopefully never use a salutation like that. Sophisticated hackers realize this and are putting ever more resources into making their scam emails and web pages look authentic – even employing freelance translators who may or may not know they are supporting a criminal enterprise.
‘Tis the Season to be Scammed
Getting a grip on local grammar is not the only way in which the scammers can take advantage of geo-location. They are also able to target their campaigns to lock onto specific customs and events. Taking the USA, for example, phishing campaigns involving mail organizations and couriers are more likely to succeed at a time when people are expecting packages, say around Christmas.
On the other hand, a message from a secret admirer may attract more clicks on St. Valentine’s Day, while a link to a major discount for an online store might be more easily swallowed on Cyber Monday. Hackers are really homing in on this sort of fine detail to up their game in the face of a more web-savvy public.
TDS Gone Bad
We now have a good idea of why cybercriminals are keen to get a global fix on your business, but how do they turn that goal into action? One way is to tailor malicious content to you, and they do this by mimicking a legitimate service such as an ad server and by using a traffic redirection system (TDS) to read cookies on your browser.
Amongst the information on a cookie is your device’s IP address. If you happen to stumble upon a compromised renegade TDS, it can be used to direct you to content (e.g. online ads) specifically tailored for your country or region.
Tracing Your IP
A device’s IP address can be used to track down its geographical location using an online lookup service, of which there are many (e.g. whatismyipaddress.com, ip-lookup.net, iplocation.net, etc.). If you check out these services, you will usually find that they give you accurate country data, but after that, things get a bit more hit and miss. However, country-level information is a good place to start for most online scam campaigns.
Since hackers hold huge databases of IP addresses, they will generally make use of an API to pull up location data automatically so that they can divide up their targets more efficiently. More about APIs later.
The Easy Email Option
Email is still one of the most common sources of malware infections with malicious code lurking behind website links and in attachments. The email structure also provides a popular, albeit crude, method of geo-location via a domain’s country extension.
Although the widespread usage of the .com domain name extension makes it difficult to target US companies, cyber criminals can achieve greater success in other countries. For example, few companies outside of Germany will use the .de extension and the same goes for .co.uk, .nl and .no to name just a few.
With a little bit of research, even the most clueless scammer would be able to copy the logo of the local postal or tax service and send out a virus disguised as a tax demand or delivery note.
The API Call: System-to-System Communication
API calls are one of the most vital functions that make the modern web go ’round. An Application Programming Interface is a set of instructions that allow apps and services to communicate with one another without user input.
For example, a company website might want to display its stores on a Google Map so when the user types in their zip code, the website makes an “API call” to the Google Maps service for the data it needs to produce the finished map.
API calls are also being made constantly between computer programs and the operating system. Once a malicious payload has been downloaded to a PC, it can begin making calls of its own, extracting information such as language and keyboard settings, which can be used to get a fix on your PC’s probable location.
Ruling out Location: Two Examples
We have so far looked at how cybercriminals use sophisticated (and blunt) techniques to focus their attacks geographically. These same tools can be used to protect certain countries from an attack.
Why would criminals want to do this? As mentioned above, ignoring less wealthy nations might make a ransomware campaign more efficient, but there are other potential reasons. One famous example of geo-avoidance was Conficker, a particularly widespread worm which infected tens of millions of machines worldwide – except in Ukraine (at least in its early versions). This has led many to presume that this was where the malware originated.
More recently, the notorious Locky trojan, which infected many computers in 2016 disguised as a garbled MS Word doc, will not only leave a Russian OS intact – it will promptly uninstall itself from the machine!
10 Steps to Protect Your Business from Cyber Attacks
In essence, the methods of attack may have been updated, but the same security advice holds true. To protect your business from an increasingly localized global menace, you should:
1. Ensure you have enterprise-grade anti-malware protection installed and keep it updated, opting for automatic updates. You can even take it one step further with the newest NGFWs (https://www.smartfile.com/blog/tech-imitates-life-one-human-vulnerability-affects-security/).
2. Perform regular back-ups including at least one offline backup.
3. When accessing emails, do not click any links or download any attachments from an unrecognized source. For internal email attachment alternatives, try SmartFile.
4. Do not automatically enable macros. Locky breached security by prompting readers to enable macros to make sense of the garbled MS Word document.
5. Always use strong passwords. Using a mixture of upper and lowercase letters, numbers and symbols is wise.
6. Prioritize cybersecurity in your business. Don’t leave it as an afterthought.
7. Pay attention to protecting your entire IT setup, not just files and folders (e.g. databases, mobile devices, email servers, etc.).
8. Have a plan in place for dealing with particularly risky scenarios (e.g. BYOD policies and database migration and database security procedures).
9. Train every member of staff on basic online security – staff negligence is the number one cause of cybersecurity breaches.
10. Train every member of the staff on basic online security – yes, it’s that important!
Follow these tips to help ensure that your business doesn’t become vulnerable to a cybersecurity attack. Keeping an eye out for new strains of ransomware or other malicious code can help you stay on top of your security.
Get our guide and infographic with solutions you can use to protect business data and users from malware, hackers and internal threats.
Brent Whitfield is CEO of DCG Technical Solutions Inc., a group of IT professionals dedicated to providing quality IT services that Los Angeles companies can afford, including IT support, web/email hosting and cloud solutions. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. DCG was recognized among the Top 10 Fastest Growing MSPs in North America by MSPmentor. Twitter @DCGCloud