Illustration of a laptop with a gun
Image by Kaptnali from Thinkstock.com

There’s a large-scale ransomware attack going on this week with attackers using a phony Bank of Montreal template to lure victims into clicking on a malicious attachment, says Chester Wisnewski, a Vancouver-based senior security advisor at Sophos Inc.

He knows because he got one of the messages in his email as he was heading to Las Vegas on Monday for the security vendor’s annual partners conference.

“Literally as I got on the plane I got what looked like a BMO phish, and in fact it was  ransomware,” he said in an interview. “It was amazing how well crafted it was because the Web site booby-trapped with the exploit is literally a carbon copy of the BMO online login landing page.”

He also recently received a phony message purporting to be from Quebec Internet and cable provider Videotron.

These are timely example that illustrates a SophosLabs blog released today pointing to a growing trend of cybercriminals to target and even filter out specific countries when designing ransomware and other malicious cyberattacks.

Based on data collected from Sophos endpoints, firewalls and gateways, it shows attackers are now crafting customized spam to carry threats using regional vernacular, counterfeit logos, and impersonating tax and law enforcement agencies. Tricks include phony shipping notices, refunds, speeding tickets and electricity bills.

Looking for spelling mistakes to tip you off? You may not find them.

In the U.K. an phony home repair invoicing campaign is going on now that inserts recipients’ street addresses to convince people the messages are real, he added. Like the tailored BMO message he got, Wisnewski says criminals likely assembled information from one or more data breaches to tailor attacks at certain countries. That’s why BMO spam is going to Canada, not Germany, he said.

“You have to look harder to spot fake emails from real ones,” Wisnewski said. “There’s not a lot of good answers to that problem,” he admits. “It’s not like we can tell people, ‘Stop opening email and clicking links. I’ve been telling people that for 15 years but nobody’s listening. So we have to find better technological solutions from getting us in trouble from these more socialized lures.”

Patching and updates are crucial, he said. For example, the latest versions of Microsoft Office are better at stopping document malware — for example, giving admins the ability to disable macros in documents that came from the Internet. Similarly Windows 10 is more secure that Win 7, he said. Using a sandbox and Web filtering are also useful, he added.

The report also said researchers have found different ransomware strains target specific locations. For example, versions of CryptoWall predominantly hit victims in the U.S., U.K., Canada, Australia, Germany and France. TorrentLocker has attacked primarily the U.K., Italy, Australia and Spain, while TeslaCrypt honed in on the U.K., U.S., Canada, Singapore and Thailand.

Sophos also said its customer data shows that while Western countries are highly targeted for malware, less developed countries show higher attacks or infections. For example, nations with what Sophos calls a high threat exposure rate (infections/attackers per 1,000 Sophos endpoints) include Algeria (30.7 per cent), Boliva (20.3 per cent), Pakistan (19.9 per cent) and China (18.5 per cent) and India. Nations ranked with the lowest TER include France at 5.2 percent, Canada at 4.6 percent, Australia, and the U.K.

Wisnewski suspects computer users in countries with the higher TER don’t update or patch their systems as often as those in other countries.

Separately Sophos released a report on Microsoft Office exploits found in Q4 2015, which said that — again — CVE-2012‐0158, a critical Windows bug that allows remote control execution was responsible for 48 per cent of Office infections. However, use of the newer CVE‐2015-1641 exploit (15 per cent) is increasing.

The report adds that in many cases the malicious documents contained multiple exploits. The largest used the DL-1 generator (36 per cent), followed by the CVE‐2014‐6352 PowerPoint vulnerability.

“The cybercrime groups find Office documents a convenient way to deliver malicious program to their targets,” says the report. “They have been using this method steadily over the past two years and there is no sign that they intend to give up on this method.

“But their approach is evolving over the time: they use several black market tools to generate the exploited documents, and thanks to the development of these tools they get to use newer Office exploits.

“However, they don’t get to use zero days. Even the freshest exploit in their arsenal was fixed six  months before the widespread usage started. It shouldn’t be difficult to protect against the activities of this group: Just applying the patches for Microsoft Office could disarm the attack.”