According to SophosLabs, the latest trend among hackers is to choose their victims by location when creating ransomware.
In order to draw more victims with their attacks, hackers are currently creating customized spam to carry threats using regional vernacular, brands and payment methods for better cultural compatibility.
The customized ransomware is disguised as authentic email notifications, complete with counterfeit local logos to look even more believable. Because these emails are highly clickable, the infection is now more financially rewarding for the attacker.
To be more effective, the scam emails now impersonate local postal companies, tax and law enforcement agencies and utility firms, and include phony shipping notices, refunds, speeding tickets and electricity bills. In addition, the emails are more often grammatically correct and perfectly punctuated, which is a significant improvement for cyber criminals.
“You have to look harder to spot fake emails from real ones,” said the senior security advisor at Sophos, Chester Wisniewski. “Being aware of the tactics used in your region is becoming an important aspect of security.”
According to security experts, there are also historic trends of different ransomware strains targeting specific locations. For instance, various versions of CryptoWall predominantly attack users in the U.S., U.K., Canada, Australia, Germany and France.
TorrentLocker generally attacked the U.K., Italy, Australia and Spain, while TeslaCrypt hit victims in the U.K., U.S., Canada, Singapore and Thailand.
“Even money laundering is localized to be more lucrative. Credit card processing can be risky for criminals, so they started using anonymous Internet payment methods to extort money from ransomware victims,” said Wisniewski. “We have seen cybercrooks using local online cash-equivalent cards and purchasing locations, such as prepaid Green Dot MoneyPak cards from Walgreens in the U.S. and Ukash, which is now paysafecard, from various retail outlets in the U.K.”
Lately, the concept of filtering out specific countries has also emerged as a trend.
“Cybercriminals are programming attacks to avoid certain countries or keyboards with a particular language,” stated Wisniewski. “This could be happening for many reasons. Maybe the crooks don’t want attacks anywhere near their launch point to better avoid detection. It could be national pride or perhaps there’s a conspiratorial undertone to create suspicion about a country by omitting it from an attack.”
Banking malware, for example, shows how hackers use location-based targeting to be more profitable. Sophos research shows that, historically, the Trojans and malware used to infiltrate banks and financial institutions converge on specific regions:
- Brazilian banker Trojans and variants pinpoint Brazil
- Dridex is predominant in the U.S. and Germany
- Trustezeb is most prevalent in German-speaking countries
- Yebot is popular in Hong Kong and Japan
- Zbot is more widespread, but mostly in the U.S., U.K., Canada, Germany, Australia, Italy, Spain and Japan.
“There is an entire cottage industry of uniquely-crafted Trojans just targeting banks in Brazil,” Chester Wisniewski concluded.