Trend Micro ANZ Threat Landscape Report. Australia and New Zealand Threat Landscape Report




Australia and New Zealand Threat Landscape Report

Contents

Introduction
Cybercrime in ANZ region
Ransomware
Mobile Threats
Online Banking Threats
Point-of-Sale (PoS) Malware
Trend Micro Threat Intelligence Through the Smart Protection Network
Blocked Malicious Sites and Hosted Domains in ANZ
Phishing in the ANZ region
Spam-sending IPs Hosted in ANZ
Malware Detections in ANZ
Top Malware in ANZ
Other Threats Affecting ANZ in 2014
Conclusion

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Introduction

Our 2014 security roundup showed how destructive attacks could be to individuals and companies alike. [1] The ramifications of losing confidential data to attackers were huge: substantial financial losses and irreparable reputation damage, to name a few. Because the global threat landscape and that of the Australia and New Zealand (ANZ) region differ little, ANZ faces these serious security issues as well.

We previously reported on TorrentLocker attacks in the ANZ region aimed at Australian individuals and businesses. [2] This wave of TorrentLocker outbreaks offers a glimpse into the region's threat landscape: malicious files, websites, and spammed emails, among other infection vectors. We also published a report on the threat landscape of Australia in which we analyzed general Web surfing behavior in the country. In the data set used in that report, 1.7 million of the 16.2 million IP addresses observed in the country attempted to visit at least one malicious site. [3] This number poses a considerable risk.

Moreover, a Gartner survey reported that 66% of Australian and New Zealand chief information officers (CIOs) conceded that the discipline of risk management in the digital world is not keeping up. [4] CIOs in the region would therefore need to adopt a security risk management strategy that enterprise decision makers should adhere to. Our security roundup for the global threat landscape in 2014 echoes the result of the Gartner survey: reactive measures against threats as they surface are no longer enough. Acting on risk assessment results before security incidents occur is a more beneficial and sustainable option.

NOTE: All mentions of detections within the text refer to instances when threats were found on users' computers and subsequently blocked by any Trend Micro security software. Unless otherwise stated, the figures featured in this report came from data gathered by the Trend Micro Smart Protection Network cloud security infrastructure, which uses a combination of in-the-cloud technologies and client-based techniques to support on-premise products and hosted services.

1. Trend Micro Incorporated. (February 12, 2015). Trend Micro Security Intelligence. Magnified Losses, Amplified Need for Cyberattack Preparedness. Last accessed April 08, 2015, http://www.trendmicro.com/vinfo/us/security/research-and-analysis/threatreports/roundup/.
2. Paul Pajares. (January 11, 2015). TrendLabs Security Intelligence Blog. TorrentLocker Ransomware Hits ANZ Region. Last accessed April 08, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/torrentlocker-ransomware-hits-anz-region/.
3. Christopher Ke, Yang Xiang, Jon Oliver, Romeo Dela Cruz, Paul Pajares, Adremel Redondo, Lala Manly, and Nazario Tolentino. (2014). Trend Micro Security Intelligence. Australian Web Threat Landscape (2014): Observation of TorrentLocker Attacks. Last accessed April 08, 2015, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-australianweb-threat-landcsape-2014.pdf.
4. Gartner Incorporated. (November 18, 2014). Gartner Newsroom. Gartner Survey Finds Australia and New Zealand CIOs Know They Need to Change Their Leadership Style to Grasp the Digital Opportunity. Last accessed April 08, 2015, http://www.gartner.com/newsroom/id/2913218.

Cybercrime in ANZ region

Ransomware

As already made evident by the TorrentLocker attacks in Australia and New Zealand, the ANZ region has become a target ripe for the picking by cybercriminals out to make a quick profit. Based on our analysis, TorrentLocker employs spammed email messages purporting to be penalty notices from the New South Wales government or shipping details from Australia Post. Victims were instructed to buy Bitcoins from the suggested providers to pay the required ransom of AU$598. Our findings showed that one in nine Australia-based IP addresses was exposed to TorrentLocker attacks and other Web threats. [5]

Other ransomware that figured prominently in ANZ were the REVETON and RANSOM malware families, both of which topped the ransomware detections in the region in 2014. REVETON [6] is a ransomware application that claims to be from legitimate law enforcement authorities. Both REVETON and RANSOM prevent users from accessing their systems, demanding that a fee be paid to restore normal access. Another prevalent ransomware seen in the region is the CRILOCK malware family, known to be delivered by the Cutwail botnet. CRILOCK is also one of the most commonly seen malware families in relation to C&C botnet activity. [7, 8]

5. Deakin University and Trend Micro, Inc. (January 12, 2015). Trend Micro Threat Encyclopedia. TorrentLocker and Its Effect on the Australian Web Threat Landscape. Last accessed April 30, 2015, http://www.trendmicro.com/cloudcontent/us/pdfs/security-intelligence/white-papers/wp-australian-web-threat-landcsape-2014.pdf.
6. Alvin Bacani. (December 11, 2015). TrendLabs Security Intelligence Blog. REVETON Ransom Spreads with Old Tactics, New Infection Method. Last accessed April 08, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/revetonransomware-spreads-with-old-tactics-new-infection-method/.
7. Trend Micro Incorporated. (2014). Trend Micro Threat Encyclopedia. CRILOCK. Last accessed April 08, 2015, http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/crilock.
8. Trend Micro Incorporated. (2015). TrendLabs Security Intelligence Blog. Investigating and Detecting Command and Control Servers. Last accessed April 30, 2015, http://blog.trendmicro.com/trendlabs-security-intelligence/investigating-and-detectingcommand-and-control-servers/.

Family    Percentage
REVETON   53%
RANSOM    23%
CRILOCK   13%
Others    11%
TOTAL     100%

Figure 1. The top ransomware families seen affecting Australia.

REVETON was last seen spreading in Australia in the latter part of 2014 with new infection methods. Although ransomware mostly affects home users, we also observed that in 2014 nearly 20% of enterprises were hit by the threat globally. For affected small and medium-sized businesses, we saw an increase from 9.61% to 11.66%. This shows that ransomware has the potential to affect businesses on a much larger scale and become a serious problem where critical and daily operations are concerned. If file storage servers become infected by ransomware, this poses huge security and productivity risks. Backing up files becomes all the more important in this scenario.

Figure 2. Ransomware global distribution by segment, comparison for 2013 and 2014.

Mobile Threats

The global number of Android malware and high-risk apps increased throughout 2014. [9] This increase is mirrored in the ANZ region, where aggressive adware is the dominant threat on the Android platform. The mobile threats we noted in 2014 also included fake banking apps, which rose along with the increased adoption of mobile banking.

[Figure 4 chart: mobile threat counts per quarter (Q1 to Q4 2014) for Australia and New Zealand; vertical axis from 1,000 to 9,000]

Figure 4. Less than 1% of the total mobile threats in the ANZ region were found in Australia.

9. Trend Micro Incorporated. (2015). Trend Micro Threat Encyclopedia. Masque, FakeID, and Other Notable Mobile Threats of 2H 2014. Last accessed April 30, 2015, http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/masque-fakeid-andother-notable-mobile-threats-of-2h-2014.

Below are the top Android malware detected in the ANZ region.

Rank  Detection Name          Threat Type  Description
1     ANDROIDOS_ADRD.CT       Adware       Aggressively pushes advertisements.
2     ANDROIDOS_ADLEAK.MSA    Adware       Aggressively pushes advertisements.
3     ANDROIDOS_MINIMOB.MSA   Adware       Aggressively pushes advertisements.
4     ANDROIDOS_EROP.HATB     Chargeware   Performs transactions and purchases without users' authorization and knowledge.
5     ANDROIDOS_PLANKTON.MSA  Adware       Aggressively pushes advertisements.
6     ANDROIDOS_WALLIEN.HBT   Spyware      Tracks GPS location and sends it to another party. Monitors SMS and calls.
7     ANDROIDOS_JUMPTAP.MXN   Adware       Aggressively pushes advertisements.
8     ANDROIDOS_ARPUSH.VTD    Adware       Aggressively pushes advertisements.
9     ANDROIDOS_ARPUSH.MSA    Adware       Aggressively pushes advertisements.
10    ANDROIDOS_REVMOB.MXN    Adware       Aggressively pushes advertisements.

Figure 5. Adware dominates mobile malware in Australia.

Rank  Detection Name          Threat Type  Description
1     ANDROIDOS_ADLEAK.MSA    Adware       Aggressively pushes advertisements.
2     ANDROIDOS_MINIMOB.MSA   Adware       Aggressively pushes advertisements.
3     ANDROIDOS_WALLIEN.HBT   Spyware      Tracks GPS location and sends it to another party. Monitors SMS and calls.
4     ANDROIDOS_PLANKTON.MSA  Adware       Aggressively pushes advertisements.
5     ANDROIDOS_ARPUSH.VTD    Adware       Aggressively pushes advertisements.
6     ANDROIDOS_FLEXLEAK.HBT  Adware       Aggressively pushes advertisements.
7     ANDROIDOS_SMSROOT.HBT   Backdoor     Exposes functions that bypass normal authentication, securing unauthorized remote access to a device, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed app.
8     ANDROIDOS_ARPUSH.MSA    Adware       Aggressively pushes advertisements.
9     ANDROIDOS_JUMPTAP.MXN   Adware       Aggressively pushes advertisements.
10    ANDROIDOS_FAKEAPP.HATA  Info leak    Steals specific information from the user's phone and sends it to cybercriminals.

Figure 6. Similar to Australia, adware dominates the list of mobile malware in New Zealand.

The majority of users in Australia use their mobile devices for online banking, [10] accessing social media apps, and watching videos online. In New Zealand, [11] the top smartphone activities include sending emails, browsing the Internet, accessing apps, and online banking. While consumerization and bring-your-own-device (BYOD) trends provide benefits for enterprises, such as reduced costs and increased productivity, they also pose risks to company data. Once employees bring their personal mobile devices and connect them to enterprise networks, the contents of accessed email inboxes, contacts, and calendars may leak to third parties. The use of consumer apps, like cloud storage platforms, can also introduce risks to data.

Online Banking Threats

Users across the globe still fall for cybercriminals' social engineering lures delivered through various infection vectors, some of which eventually lead to the download of online banking malware. On a global scale, the number of online banking malware detections changed only incrementally month over month. The same cannot be said for Australia, where the numbers rose and fell in 2014.

[Figure 7 chart: PCs infected by online banking threats per quarter (Q1 to Q4 2014) for Australia and New Zealand; vertical axis from 500 to 4,500]

Figure 7. The number of PCs infected by online banking threats in Australia and New Zealand did not show a specific trend in 2014.

Online banking malware infections in Australia comprise more than 2% of the global total count. The infections in New Zealand, on the other hand, were less than 1%.

10. Australian Payments Clearing Association. (2014). Australian Payments Fraud Details and Data. Last accessed April 30, 2015, http://apca.com.au/docs/fraud-statistics/australian-payments-fraud-details-and-data-2014.pdf.
11. Emily Rogers. (April 17, 2014). Haptic Generation Market Data. Smartphone and Tablet Usage Data for New Zealand. Last accessed April 30, 2015, http://www.hapticgeneration.com.au/smartphone-and-tablet-usage-data-for-new-zealand/.

The top online banking threats affecting users in the ANZ region are the following:

Rank  Detection Name  Description
1     ZBOT            Information stealer that typically arrives via spam pretending to come from legitimate sources.
2     RAMNIT          Steals sensitive information such as saved FTP credentials and browser cookies. It does this by querying the registry to find the user's default browser.
3     FAREIT          Downloads other malware such as ZeuS/ZBOT. Its variants typically steal user names and passwords stored in Web browsers.
4     VAWTRAK         Steals banking data from certain banking institutions in Japan. It also prevents users from running files related to antivirus software.
5     DORKBOT         Also known as NgrBot, an Internet Relay Chat (IRC) bot used to initiate distributed denial-of-service (DDoS) attacks. It can gather various user information and propagates via instant messaging (IM) applications and social networking sites.
6     SINOWAL         Collects information.
7     BANKER          Steals sensitive information, such as banking credentials and email account details. It employs phishing pages that mimic official banking sites to get a user's bank information.
8     DOFOIL          Connects to malicious sites to send and receive information.
9     DLOADR          Downloads malicious files onto the system.
10    URSNIF          Data-stealing malware.

Figure 8. 2014 top online banking threats seen in ANZ.

Point-of-Sale (PoS) Malware

We saw point-of-sale (PoS) RAM scrapers hit high-profile targets globally last year, resulting in millions in losses and cementing PoS malware as a mainstream threat. Retail is not the only industry targeted by this threat: attackers also go after hotels, restaurants, and parking services, among others. [12]

Figure 9. Country distribution of systems where PoS malware was found in 2014.

The U.S. registered the largest number of systems infected by PoS malware, with Australia following close behind. This finding raises the risk for payment methods, such as EFTPOS devices, in the ANZ region, and it is imperative to keep them safe, for the protection of both users and businesses. [13]

Targeted Attacks

Targeted attacks, also known as advanced persistent threats (APTs), are a category of threats that aim to stay hidden in the network for long periods of time in order to exfiltrate confidential company data. In our 2014 annual report [14] on targeted attacks, we observed that systems in various countries accessed C&C servers related to targeted attacks. The targets are no longer limited to the United States, Russia, and China, as previously observed.

12. Trend Micro Incorporated. (2015). Trend Micro Threat Encyclopedia. Magnified Losses, Amplified Need for Cyber-attack Preparedness. Last accessed April 30, 2015, http://www.trendmicro.com/vinfo/us/security/research-and-analysis/threatreports/roundup/.
13. Australian Payments Clearing Association. About Payments. Last accessed April 30, 2015, http://www.apca.com.au/aboutpayments/payments-today.
14. Trend Micro Incorporated. (April 14, 2015). Trend Micro Threat Encyclopedia. Targeted Attack Campaigns and Trends: 2014 Annual Report. Last accessed April 30, 2015, http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/targetedattack-campaigns-and-trends-2014-annual-report.

The heat map below shows the global distribution of targets accessing C&C servers.

Figure 10. Top countries that communicated with targeted attack C&C servers in 2014.

Based on the cases monitored in 2014, some of the countries that hosted targeted attack C&C servers are Australia, Brazil, China, Egypt, and Germany. Note that attackers do not necessarily have to reside in a country, as they may access these servers remotely.

Figure 11. Top countries where targeted attack C&C servers were hosted in 2014.

According to a 2014 ANZ survey, [15] 86% of executives in the utilities and infrastructure industries revealed that they encountered at least one security breach that resulted in business disruptions and loss of critical data.

15. Australian Security Magazine. (August 28, 2014). Cyber Resilience. Unisys Survey Reveals 86 Percent of Critical Infrastructure Providers in Australia and New Zealand Have Been Breached in the Past Year. Last accessed April 30, 2015, https://www.australiansecuritymagazine.com.au/2014/08/unisys-survey-reveals-86-percent-critical-infrastructure-providersaustralia-new-zealand-breached-past-year/.

Trend Micro Threat Intelligence Through the Smart Protection Network

The data listed in this report was collected via the Trend Micro Smart Protection Network, a global threat intelligence infrastructure that promptly and accurately collects and identifies new threats. This report covers the threat landscape for the entire 2014 calendar year, detailing the data on Web-based threats, email threats, and file-based threats, among others.

Blocked Malicious Sites and Hosted Domains in ANZ

The Smart Protection Network includes a wide range of data from different threat vectors, such as URLs, IPs, and domains. The Trend Micro Web Reputation Service offers protection against malicious URLs and domains for Trend Micro customers. The data listed below shows the Web Reputation Service figures that cover the ANZ region. The global data from our 2014 security roundup shows that we were able to block close to 4 billion user queries to malicious sites, or up to 7,000 clicks per minute.

Country         Count
Australia       141,500,227
New Zealand     12,353,665
Total (global)  3,674,951,628

Figure 12. Hits to malicious URLs per country in 2014.

Users in Australia accessed more than 140 million malicious URLs, while users in New Zealand accessed around 12 million. Australia makes up around 4% of the global total of about 3.7 billion user visits.

[Figure 13 chart: malicious URL hits per quarter (Q1 to Q4 2014) for Australia and New Zealand; vertical axis from 5,000,000 to 50,000,000]

Figure 13. 2014 quarter-on-quarter (QoQ) comparison of malicious URL hits for Australia and New Zealand.

One possible reason for the spike in malicious URLs accessed in 3Q and 4Q 2014 may have been the series of TorrentLocker outbreaks. We also monitored the number of hits to malicious sites/URLs hosted in Australia and New Zealand.

Country      Count
Australia    7,219,169
New Zealand  517,915

Figure 14. Number of malicious domains hosted per country in 2014.

[Figure 15 chart: malicious URLs hosted per quarter (Q1 to Q4 2014) in Australia and New Zealand; vertical axis from 200,000 to 1,400,000]

Figure 15. 2014 QoQ comparison of malicious URLs hosted in Australia and New Zealand.

The last quarter of 2014 saw the largest number of malicious domains hosted in Australia. The number of malicious domains in New Zealand, on the other hand, was constantly on the rise, which can be attributed to the growing Internet and mobile penetration rate in the country. [16] Based on our findings, the year-on-year growth of malicious URLs hosted in the ANZ region from 2013 to 2014 can be attributed to the fact that some of the C&C servers seen are hosted in Australia.

Phishing in the ANZ region

As part of our monitoring of malicious URLs, we also examined the types of sites commonly used in phishing emails to steal user credentials and personally identifiable information (PII). Based on our findings, financial service providers, such as PayPal, Commonwealth Bank, St. George Bank, ANZ Internet Banking, and National Australia Bank, are the top entities targeted for phishing. Retail-related sites and file storage URLs are also hit by phishing attacks.

16. Simon Kemp. (March 11, 2015). We Are Social Singapore. Digital, Social, and Mobile in APAC 2015. Last accessed April 08, 2015, http://www.slideshare.net/wearesocialsg/digital-social-mobile-in-apac-in-2015.
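The phishing section above names the financial brands most often impersonated in the region. The following is an added example, not code from the Trend Micro report, of how a defender can triage URLs taken from mail or proxy logs for impersonation of those brands: an allowlist of the brands' legitimate registrable domains, normalisation of digit-for-letter substitutions, a label-by-label brand match, and a one-character edit-distance check for longer brand names. The legitimate domains, the two-label suffix list, the confusable map and the sample URLs are all assumptions constructed for this example.

```python
"""Triage URLs for impersonation of the brands the report names as phishing targets.

Added example; not part of the Trend Micro report. The legitimate domains, the
suffix list, the confusable-character map and the sample URLs are constructed
assumptions for this example.
"""
from urllib.parse import urlsplit

# Assumed legitimate registrable domains for the brands named in the report.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.com.au"},
    "commbank": {"commbank.com.au"},
    "stgeorge": {"stgeorge.com.au"},
    "anz": {"anz.com", "anz.co.nz"},
    "nab": {"nab.com.au"},
}

# Two-label public suffixes relevant to ANZ, so "bank.com.au" is one registrable
# domain rather than "com.au" (a minimal stand-in for the public suffix list).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.nz", "net.nz", "org.nz"}

# Digits commonly swapped for letters in lookalike hostnames ("paypa1", "c0mmbank").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample of URLs as they might appear in mail or proxy logs.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://paypa1-secure.example.net/login",
    "https://commbamk.com.au/netbank",
    "https://ANZ.co.nz/",
    "https://www.example.org/",
]


def registrable_domain(host):
    """Return the registrable domain of a hostname, honouring the two-label suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; used to catch single-character typosquats of longer brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, brand) where verdict is 'legitimate', 'suspicious' or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return ("unknown", None)
    reg = registrable_domain(host)
    # An allowlist hit on the registrable domain wins, whatever the subdomain.
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return ("legitimate", brand)
    # Undo digit substitutions, then compare label by label so that short brand
    # names ("anz", "nab") are not matched as substrings of unrelated words.
    normalised = host.translate(CONFUSABLES)
    labels = normalised.replace("-", ".").split(".")
    second_level = registrable_domain(normalised).split(".")[0]
    for brand in BRAND_DOMAINS:
        if brand in labels:
            return ("suspicious", brand)
        # Edit distance 1 is only meaningful for longer names; "anz" vs "ana" would be noise.
        if len(brand) >= 5 and levenshtein(second_level, brand) <= 1:
            return ("suspicious", brand)
    return ("unknown", None)


def triage(urls):
    """Classify a batch of URLs; returns a list of (url, verdict, brand)."""
    return [(url,) + classify_url(url) for url in urls]


if __name__ == "__main__":
    for url, verdict, brand in triage(SAMPLE_URLS):
        print(f"{verdict:<10} {brand or '-':<9} {url}")
```

The allowlist check runs before any heuristic so that legitimate subdomains such as www.commbank.com.au are never flagged; the heuristics only ever raise a "suspicious" verdict for review, since a brand name inside an unrelated registrable domain is a strong signal but not proof, and a production deployment would replace the suffix set with the full public suffix list.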

Figure 16. Sites commonly targeted by phishing attacks in ANZ.

Spam-sending IPs Hosted in ANZ

Blocking spam-sending IPs is a crucial step in breaking the infection chain of any attack. The Trend Micro Email Reputation-based technology stops email threats by blocking the IP addresses of malicious email servers. The data below shows the query results related to malicious or spam activity in 2014, specifically for spam-sending IPs hosted in Australia and New Zealand.

Country      Count
Australia    43,736,128
New Zealand  11,456,278

Figure 17. Number of spam-sending IPs hosted per country in 2014.

We queried more than 43 million spam-sending IPs hosted in Australia and around 11 million in New Zealand. Australia hosts 0.35% of the global total of spam-sending IPs, while New Zealand hosts 0.09%.
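The section above describes stopping email threats by blocking the IP addresses of spam-sending mail servers, and the report goes on to note that newly seen spam-sending IPs are listed and blocked immediately. As an added example, not the report's own code and not Trend Micro's Email Reputation technology, here is a minimal version of that control in Python: content-filter verdicts for a constructed set of sending IPs are aggregated into a reputation listing, merged with a static CIDR blocklist, and consulted at SMTP connect time so that a listed sender is refused before it can deliver anything. The log format, the addresses (taken from documentation ranges) and the listing thresholds are assumptions.

```python
"""Build a sending-IP blocklist from gateway verdicts and apply it at SMTP connect time.

Added example; not the report's code and not Trend Micro's Email Reputation
technology. The event format, the documentation-range addresses and the
thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: one line per message, "timestamp sender-ip content-filter-verdict".
SAMPLE_EVENTS = """\
2014-07-01T08:00:01 198.51.100.7 spam
2014-07-01T08:00:05 198.51.100.7 spam
2014-07-01T08:00:09 198.51.100.7 spam
2014-07-01T08:00:12 198.51.100.7 spam
2014-07-01T08:00:20 198.51.100.7 spam
2014-07-01T08:00:31 198.51.100.7 spam
2014-07-01T08:01:00 203.0.113.9 ham
2014-07-01T08:01:03 203.0.113.9 ham
2014-07-01T08:01:07 203.0.113.9 spam
2014-07-01T08:01:10 203.0.113.9 ham
2014-07-01T08:01:15 203.0.113.9 ham
2014-07-01T08:01:22 203.0.113.9 ham
2014-07-01T08:01:30 203.0.113.9 ham
2014-07-01T08:01:41 203.0.113.9 ham
2014-07-01T08:01:50 203.0.113.9 ham
2014-07-01T08:01:58 203.0.113.9 ham
2014-07-01T08:02:00 192.0.2.44 spam
2014-07-01T08:02:07 192.0.2.44 spam
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, ip_address, verdict) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, verdict = line.split()
        events.append((ts, ipaddress.ip_address(ip), verdict))
    return events


def spam_sources(events, min_messages=5, min_ratio=0.8):
    """Return {ip: (total, spam)} for senders that cross the listing threshold.

    The minimum message count stops a source being listed on one or two bad
    messages, which is the main false-positive risk of reputation listing.
    """
    counts = defaultdict(lambda: [0, 0])
    for _, ip, verdict in events:
        counts[ip][0] += 1
        if verdict == "spam":
            counts[ip][1] += 1
    return {
        str(ip): (total, spam)
        for ip, (total, spam) in counts.items()
        if total >= min_messages and spam / total >= min_ratio
    }


class Blocklist:
    """Static CIDR ranges (for example from a feed) plus dynamically listed single IPs."""

    def __init__(self, static_networks=()):
        self.networks = [ipaddress.ip_network(n) for n in static_networks]
        self.listed = set()

    def list_ip(self, ip):
        self.listed.add(ipaddress.ip_address(ip))

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return addr in self.listed or any(addr in net for net in self.networks)


def build_blocklist(events, static_networks=()):
    """List every source that crosses the threshold on top of the static ranges."""
    blocklist = Blocklist(static_networks)
    for ip in spam_sources(events):
        blocklist.list_ip(ip)
    return blocklist


def smtp_connect_decision(ip, blocklist):
    """Reply the MTA sends at connect time: refuse listed IPs before any DATA is accepted."""
    if blocklist.is_blocked(ip):
        return "554 5.7.1 connection refused: sending IP is listed"
    return "220 mail.example.com ESMTP ready"


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    blocklist = build_blocklist(events, static_networks=["203.0.113.128/25"])
    for ip in ("198.51.100.7", "203.0.113.9", "203.0.113.200", "192.0.2.44"):
        print(ip, "->", smtp_connect_decision(ip, blocklist))
```

Refusing at connect time, rather than after content scanning, is what makes IP reputation cheap: the gateway never reads the message body. The trade-off is in the listing rule; a sender with a mostly clean history (203.0.113.9 above) stays off the list despite one spam verdict, and a source seen only twice (192.0.2.44) is not yet listed even though every message was spam, so a real deployment would also expire listings and let operators delist a compromised but cleaned-up server.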

[Figure 18 chart: spam-sending IPs hosted per quarter (Q1 to Q4 2014) in Australia and New Zealand; vertical axis from 2,000,000 to 20,000,000]

Figure 18. 2014 QoQ comparison of spam-sending IPs hosted in Australia and New Zealand.

The number of spam-sending IPs hosted in both countries showed a downward trend. Trend Micro's proactive efforts in listing newly seen spam-sending IPs and immediately blocking them have contributed to the declining numbers in the region.

Malware Detections in ANZ

The data from the Trend Micro File Reputation-based technology shows the volume of malware infections based on all scanned files. Trend Micro blocked about 11 billion requests to access or download malicious files in 2014, almost twice the number recorded in 2013. Around 21,000 file reputation queries per minute turned out to be malicious. The volumes for Australia and New Zealand are shown below.

Country      Count
Australia    46,298,334
New Zealand  5,673,386

Figure 19. Number of malware detections in Australia and New Zealand.

Malware detections in Australia comprise 2.64% of the global total. Malware detections in New Zealand comprise less than 1%.

[Figure 20 chart: malware detections per quarter (Q1 to Q4 2014) for Australia and New Zealand; vertical axis from 2,000,000 to 16,000,000]

Figure 20. 2014 QoQ comparison of malware detections in Australia and New Zealand.

Malware detections in Australia were at their highest in 3Q, possibly due to the series of TorrentLocker outbreaks in that same period. The file, email, Web, and mobile reputation technologies behind the Smart Protection Network enable Trend Micro to gather intelligence on the kinds of threats that affect users, including profiles of who is affected and where the threats come from.

Top Malware in ANZ

Data from the Smart Protection Network shows that PASSVIEW, VOBFUS, and FORUCON were the top malware that infected Australia in 2014. PASSVIEW is a hacking tool used as a password-recovery tool for a variety of Windows applications. VOBFUS is polymorphic malware that infects the system with other types of malware. This malware is also the payload of the botnet operation dubbed Beebone. Just recently, Trend Micro researchers collaborated with other security vendors and the Federal Bureau of Investigation (FBI) to take down the said botnet operation. [17] SOHAND, MOONLIGHT, and VB, on the other hand, were the top malware detections that plagued New Zealand. SOHAND is a family of worms that propagate via instant messaging applications, as well as network shares and removable drives.

17. Dianne Lagrimas. (2015). Trend Micro Threat Encyclopedia. Beebone Botnet Takedown: Trend Micro Solutions. Last accessed April 30, 2015, http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-microsolutions.

Here are quick descriptions of the top malware detections in the ANZ region:

Detection name   Description
PASSVIEW         Cracks or breaks computer and network security measures.
VOBFUS           Known to spread by dropping copies of itself onto removable drives connected to infected systems, abusing the Windows AutoRun feature to run from those drives. May be dropped or downloaded by other malware, or downloaded unknowingly when visiting malicious sites.
FORUCON          Arrives as a file dropped by other malware or as a file downloaded unknowingly by users visiting malicious sites.
ZBOT             Information-stealing malware that arrives via spam appearing to come from legitimate sources.
EXPLOIT          Used to execute exploit code. Once successful, it can download and execute other, possibly malicious, files from a certain URL.
FAKEAV           Displays fake alerts and rides on popular events and news for its social engineering lures.
VB               Malware created with Visual Basic.
KULUOZ           Malware distributed by the Asprox botnet. It can download FAKEAV and ZACCESS malware onto affected systems.
VARNEP           Family of Trojans that arrives as a file dropped by other malware or downloaded unknowingly by users visiting malicious sites.
DLOADER          Downloads malicious files.

Figure 21. Top malware affecting Australia in 2014.
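The VOBFUS entry above describes the removable-drive propagation trick: a worm writes a copy of itself to the drive together with an autorun.inf whose directives launch it, often with an "action" string that imitates the built-in AutoPlay entry so the user clicks it. As an added example, not from the report and not a detection for any specific family, the following parses an autorun.inf and flags those directives. The two sample files, the RECYCLER path and the "update.exe" name are constructed placeholders.

```python
r"""Parse an autorun.inf from a removable drive and flag directives that would
launch an executable or impersonate the Windows AutoPlay prompt.

Added example, not from the report. Both samples are constructed; the RECYCLER
path and "update.exe" are placeholders, not an identified malware sample.
"""
import configparser
from typing import Dict, List

LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk")

MALICIOUS_SAMPLE = r"""
[AutoRun]
open=RECYCLER\S-1-5-21-1234\update.exe
shellexecute=RECYCLER\S-1-5-21-1234\update.exe
shell\open\command=RECYCLER\S-1-5-21-1234\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

BENIGN_SAMPLE = r"""
[autorun]
icon=setup.ico
label=Vendor Driver Disc
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict (keys lower-cased), or {} if absent."""
    # interpolation=None: values such as %SystemRoot% must not be expanded;
    # strict=False: tolerate the duplicate keys real-world files contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":  # section name case varies in the wild
            return dict(cp.items(section))
    return {}


def _target_is_executable(value: str) -> bool:
    """Crude check: does the launch target name an executable file type?"""
    v = value.strip().strip('"').lower()
    return any(ext in v for ext in EXEC_EXT)


def assess_autorun(text: str) -> List[str]:
    """List the reasons this autorun.inf looks like a removable-drive worm's."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        # open= and shellexecute= run directly; shell\<verb>\command= adds a
        # context-menu verb that the action text below makes the default.
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and _target_is_executable(value):
            findings.append(f"{key} launches an executable: {value.strip()}")
    action = entries.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        findings.append("action text mimics the built-in 'Open folder to view files' AutoPlay entry")
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess_autorun(sample))
```

Point this at the autorun.inf in the root of a mounted removable drive; a finding is reason to examine the referenced file rather than open the drive. Independently of detection, the policy value NoDriveTypeAutoRun under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer set to 0xFF disables AutoRun for all drive types, which removes the propagation path entirely (verify the value on your Windows build).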

Detection name   Description
SOHAND           Uses instant messaging applications to spread to other computers; other variants propagate via network shares and removable drives.
MOONLIGHT        Drops files.
VB               Malware created using Visual Basic.
VBNA             Executes commands from a remote malicious user and modifies the HOSTS file.
PASSVIEW         Cracks or breaks computer and network security measures.
RONTKBR          Spreads across systems via removable drives. Earlier versions spread by harvesting email addresses from affected systems and sending out copies of itself via SMTP.
SALITY           File infector that infects .scr and .exe files.
FORUCON          Family of Trojans that drops various files.
UPATRE           Downloads and executes additional malware on the affected system, such as ZEUS, CRILOCK, DYREZA, and ROVNIX variants.
VARNEP           Family of Trojans that arrives as a file dropped by other malware or as a downloaded file.

Figure 22. Top malware affecting New Zealand in 2014.
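The VBNA entry above notes that the family "modifies the HOSTS file". The usual purpose is to sinkhole security-vendor and update domains to loopback, so signatures never update, or to redirect a bank's domain to an attacker-controlled address. The following is an added example, not from the report and not tied to VBNA's specific edits, of a check that parses a hosts file and flags both patterns. The watchlist of domains and the sample file are constructed; the 198.51.100.23 address is from a documentation range.

```python
"""Flag hosts-file entries typical of malware that edits the HOSTS file:
watched domains sinkholed to loopback or redirected to another address.

Added example, not from the report. The watchlist and the sample file are
constructed; the Windows file lives at
C:\\Windows\\System32\\drivers\\etc\\hosts, the Unix one at /etc/hosts.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watchlist: domains that should never appear in a client's hosts file.
WATCHED_DOMAINS = {"trendmicro.com", "anz.com", "windowsupdate.com", "microsoft.com"}
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# constructed sample, not a real infected host
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       www.trendmicro.com update.trendmicro.com   # vendor domains sinkholed
198.51.100.23   www.anz.com                                 # bank redirected (TEST-NET-2)
10.0.0.5        intranet.corp.example                       # ordinary admin entry
127.0.1.1       workstation07                               # Debian-style self entry
"""


def parse_hosts(text: str) -> List[Tuple[int, object, str]]:
    """Yield (line number, address object, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def _is_watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious(text: str) -> List[Dict]:
    """Return findings: watched domains at any address (high), other sinkholes (review)."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if _is_watched(name):
            kind = "sinkholed" if ip.is_loopback else "redirected"
            findings.append({"line": lineno, "name": name, "ip": str(ip),
                             "kind": kind, "severity": "high"})
        elif ip.is_loopback:
            # Non-watched names on loopback are common on Linux hosts;
            # surface them for review rather than alerting.
            findings.append({"line": lineno, "name": name, "ip": str(ip),
                             "kind": "sinkholed", "severity": "review"})
    return findings


def scan_file(path: str) -> List[Dict]:
    """Run the check against a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_HOSTS):
        print(finding)
```

A "redirected" finding for a banking domain is the stronger signal: loopback entries only break connectivity, while a public address silently hands the session to whoever controls it, so the IP in that finding is worth pivoting on across the fleet.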

Other Threats Affecting ANZ in 2014

Based on external reports, a growing number of threats originate in the ANZ region, including several cases of malware used to launch DDoS attacks in 2014. According to the Business Spectator, Australian Internet service providers received a daily average of 16,500 malware case reports in 2014. 18 One notable incident was the DDoS attack 19 against New Zealand ISP Spark, which caused high traffic loads and outages; the impact likely resulted in operational losses and service disruptions.

Apart from DDoS attacks, phishing hit ANZ users hard, with financial services customers falling victim to phishing scams carrying malicious links. 20 Phishing scams are just one of the major issues companies face, both in the region and across the globe. The Australian pointed to a study showing that companies in Australia were not confident their organizations were properly equipped to detect sophisticated attacks. 21

Figure 23. Phishing scam sample that hit users in Australia.

18 Matt Miller. (February 06, 2015). Business Spectator. "Australian Businesses Caught in the Cyber Crosshairs." Last accessed April 08, 2015, http://www.businessspectator.com.au/article/2015/2/6/technology/australian-businesses-caught-cybercrosshairs.
19 The Web Host Industry Review (WHIR). (2015). Web Hosting News. "DDoS Attack Causes Weekend Outages at New Zealand ISP Spark." Last accessed April 30, 2015, http://www.thewhir.com/web-hosting-news/ddos-attack-causes-weekend-outages-newzealand-isp-spark.
20 SPAMfighter News. (October 20, 2014). News. "ANZ Bank Customers Hit with Phishing Scam." Last accessed April 08, 2015, http://www.spamfighter.com/news-19251-anz-bank-customers-hit-with-phishing-scam.htm.
21 David Swan. (November 04, 2014). The Australian Business Review. "Most Cyber Attacks Now Come from Outside." Last accessed April 08, 2015, http://www.theaustralian.com.au/business/latest/most-cyber-attacks-now-come-from-outside/storye6frg90f-1227111843932.
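The phishing scams above work by embedding links whose visible text names the bank while the href points elsewhere. As an added example, not from the report and not a reconstruction of the sample in Figure 23, the following extracts the links from an HTML email body and flags the usual tells: display text naming one domain while the href resolves to another, a brand string buried in a lookalike host, raw IP-address links, and plain-HTTP links. The sample message, the brand domain "anz.com" and the brand token list are assumptions for illustration, and reducing a host to its last two labels is a simplification (production code should use the Public Suffix List).

```python
"""Extract links from an HTML email body and flag phishing tells.

Added example, not from the report. The sample message, BRAND_DOMAINS and
BRAND_TOKENS are constructed; registrable() is a two-label simplification.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

BRAND_DOMAINS = {"anz.com"}  # assumed legitimate domain of the impersonated brand
BRAND_TOKENS = {"anz"}       # assumed brand strings to look for in lookalike hosts

SAMPLE_EMAIL = """\
<html><body>
<p>Dear customer, unusual activity was detected. Please confirm your details at
<a href="http://anz.com.verify-login.example/ib/">https://www.anz.com/internetbanking</a></p>
<p>Questions? <a href="https://www.anz.com/support">Contact us</a></p>
<p>Or <a href="http://203.0.113.9/anz/">click here</a> to restore access.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host (simplification of the public-suffix rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_in_text(text: str) -> Optional[str]:
    """If the anchor text looks like a URL or bare domain, return its hostname."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host):
        return host
    return None


def analyse_links(html: str) -> List[Dict]:
    """Return one record per link with the list of reasons it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons: List[str] = []
        try:
            ipaddress.ip_address(host)      # a bare address instead of a name
            reasons.append("ip-literal")
        except ValueError:
            pass
        shown = _host_in_text(text)          # text says one domain, href goes to another
        if shown and registrable(shown) != registrable(host):
            reasons.append("display-mismatch")
        if registrable(host) not in BRAND_DOMAINS and any(t in host for t in BRAND_TOKENS):
            reasons.append("lookalike")      # brand name on a domain the brand does not own
        if url.scheme == "http":
            reasons.append("plain-http")
        results.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return results


if __name__ == "__main__":
    for record in analyse_links(SAMPLE_EMAIL):
        print(record["host"] or "(none)", record["reasons"])
```

The display-mismatch and lookalike checks are the ones that separate a lure from ordinary marketing mail; plain-http on its own is weak and is included only as a tie-breaker. A token match like "anz" will also hit unrelated words, so treat the lookalike rule as a lead for the analyst, not a verdict.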

Conclusion

This report shows that the security threats plaguing the ANZ region are broadly similar to those seen globally, including ransomware, mobile threats, and online banking malware. Ransomware attacks may rise further, as suggested by the growing volume of ransomware seen in the latter part of 2014. Based on our 2014 Annual Threat Roundup report, 14 Australia's share of ransomware detections increased from 5.67% (2013) to 6.42% (2014). Crypto-ransomware in particular has plagued the ANZ region, forcing victims to pay a ransom in exchange for decryption keys. Because of this, malware that relies on exploiting unwitting users may be another trend for the ANZ region in 2015.

Figure 24. Country distribution of ransomware detections, 2013 versus 2014.

Targeted attacks also figured in the ANZ threat landscape in 2014, confirming that they remain a global problem. Given the prevalence of this category of threat, enterprises and large organizations are advised to use an advanced security platform and a Custom Defense strategy that can detect malicious activity in the network and break the attack cycle before it reaches the data exfiltration stage.

We also observed an increase in the number of hits to malicious URLs hosted in ANZ. One contributing factor may be that some known C&C servers were hosted in the region. In addition, Australia is among the top countries accessing malicious URLs, which could be attributed to the increase in Web-based attacks. A study by the Australian Crime Commission (ACC) 22 identified malicious software as one of the top threats to watch for in Australia over the next five years.

Based on our data, Web-based threats that use multiple components, such as URLs, spam, and malware, are prevalent in the ANZ region. We therefore recommend comprehensive multilayer protection that can detect these threats at the exposure layer, before devices are infected. User awareness and education are also critical to avoiding infection and the information theft or loss that follows.

22 Leon Spencer. (April 22, 2015). ZDNet. "Malware Tops Australia's Online Crime Threat: ACC." Last accessed April 30, 2015, http://www.zdnet.com/article/malware-tops-australias-online-crime-threat-acc/#ftag=rssbaffb68.

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com. 2015 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. 10101 N. De Anza Blvd. Cupertino, CA 95014 U.S. toll free: 1 +800.228.5651 Phone: 1 +408.257.1500 Fax: 1 +408.257.2003