An emerging trend among cybercriminals is to target victims based on their geolocation. Cybercrime is now a global problem affecting individuals, organisations and governments, and cybercriminals have turned it into an industry. Most perpetrators treat their criminal activities as an enterprise and, like genuine businesses, keep them dynamic: their operations are diverse, broad and extensive, covering all spheres of the web.
Location-based cyber threats are known as “geo-malware”, and cybercriminals are shifting towards regionalised email attacks. Attackers increase their revenue per victim and the efficiency of an attack by targeting individuals according to their native country, using a range of methods that includes email targeting, traffic direction services and geo-IP lookups.
Natural geo-targeting: email country codes
Targeting an individual by country does not necessarily require advanced malware. An email address alone reveals the country the victim is likely to reside in: the attacker simply selects recipients by the country-code extension of the address.
Email targeting is also seasonal. During the tax return period, for example, spam emails are sent to coincide with genuine tax correspondence, so they are accurately timed as well as location specific. Similarly, during the Christmas season, when individuals are expected to order many items online, the spam emails take the form of fraudulent missed postal delivery notifications.
Furthermore, in a more advanced attack a cybercriminal impersonates local companies, taking care to use the correct language and grammar so that the scam is effective. Users are usually taught to spot grammar or spelling errors, so scammers now craft well-written emails to keep the scam from being recognised.
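As an added example (not from the original article), a small Python triage function that scores incoming mail for the two signals described above: a display name claiming a local brand whose sending domain does not belong to that brand, and a lure theme arriving inside the season it imitates. The brand list, legitimate domains, seasonal windows and sample messages are all constructed placeholders.

```python
import re
from datetime import date
from email import message_from_string

# Constructed allow-list of commonly impersonated local brands: the name as it
# appears in a display name -> that brand's legitimate sending domains (hypothetical).
LOCAL_BRANDS = {
    "example revenue office": {"revenue.example.gov"},
    "example parcel service": {"parcel.example.com"},
}
# Constructed seasonal windows, (month, day) inclusive, when each lure theme is timely.
SEASONAL_THEMES = {"tax": ((1, 1), (4, 30)), "delivery": ((11, 15), (12, 31))}
THRESHOLD = 3  # score at or above which a message is flagged

def in_window(day, window):
    (m1, d1), (m2, d2) = window
    return (m1, d1) <= (day.month, day.day) <= (m2, d2)

def score_message(raw, today):
    """Return (score, reasons) for one RFC 822 message; higher means more suspicious."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    m = re.match(r'\s*"?([^"<]*?)"?\s*<[^@<>]+@([^>]+)>', sender)
    display = m.group(1).strip().lower() if m else ""
    domain = m.group(2).strip().lower() if m else sender.rsplit("@", 1)[-1].lower()
    score, reasons = 0, []
    # Strong signal: display name claims a local brand the sending domain does not belong to.
    for brand, domains in LOCAL_BRANDS.items():
        if brand in display and domain not in domains:
            score += 3
            reasons.append(f"display name claims '{brand}' but sender domain is {domain}")
    # Weak signal: the subject matches a lure theme during the season it imitates.
    subject = msg.get("Subject", "").lower()
    for theme, window in SEASONAL_THEMES.items():
        if theme in subject and in_window(today, window):
            score += 1
            reasons.append(f"'{theme}' lure arriving inside its seasonal window")
    return score, reasons

def is_suspicious(raw, today):
    return score_message(raw, today)[0] >= THRESHOLD

# Constructed sample messages and a constructed receipt date inside the tax window.
SAMPLE_DATE = date(2024, 3, 10)
SAMPLE_PHISH = ('From: "Example Revenue Office" <noreply@mail-refund.example.net>\n'
                "Subject: Your tax refund is ready\n\nClick to claim.\n")
SAMPLE_LEGIT = ('From: "Example Revenue Office" <alerts@revenue.example.gov>\n'
                "Subject: Your tax statement is available\n\nLog in to view.\n")
```

The seasonal match alone is deliberately worth only one point, so a genuine tax notice from the brand's own domain stays below the threshold.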
IP lookups and traffic direction services
Malware geo-targeted on the basis of a computer's IP address or language setting is used in sophisticated attacks. Sophisticated cybercriminals, for example, avoid infecting computer systems directly and instead use services provided by other cybercriminals who may have infected thousands of computers. Those infected computers are turned into bots and sold on to cybercriminals who want to infect computers indirectly; bot machines are usually sold to the highest bidder.
Criminals buy access on the black market to compromised traffic direction services (TDS) that provide traffic direction and real-time bidding. The service is used to find the most relevant victims, and its operation can be compared to a legitimate advertising network that shows the most relevant ad when a website is visited. The malicious server determines the location of a computer from its IP address and serves the victim the malware designed for that region. For instance, if a cybercriminal wishes to infect computers in Germany with banking malware, the IP lookup technique suits them because there is a high chance that most victims bank with Deutsche Bank; consequently, malware targeting Deutsche Bank will be served.
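Because a TDS decides the payload from the requester's IP address, an analyst who fetches a suspect URL from a single vantage point may only ever see the benign page. As an added example, not part of the original article, the Python below compares constructed multi-vantage fetch results for one URL and flags it only when one country receives executable-style content while another does not; ordinary localisation (same content type, different text) is not flagged. All observations are constructed and no real URL or server is involved.

```python
import hashlib
from collections import defaultdict

# Constructed records as a multi-vantage crawler would store them for one suspect URL:
# (vantage country, HTTP status, Content-Type, body bytes). Hypothetical data only.
OBSERVATIONS = [
    ("DE", 200, "application/octet-stream", b"MZ\x90\x00 constructed payload bytes"),
    ("DE", 200, "application/octet-stream", b"MZ\x90\x00 constructed payload bytes"),
    ("US", 200, "text/html", b"<html><body>Nothing to see here</body></html>"),
    ("GB", 302, "text/html", b"<html>Moved to a news site</html>"),
]
# Same URL, different languages but the same content type: localisation, not cloaking.
LOCALISED_ONLY = [
    ("DE", 200, "text/html", b"<html>Hallo</html>"),
    ("FR", 200, "text/html", b"<html>Bonjour</html>"),
]
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}

def summarise(observations):
    """Group by vantage country -> set of (status, content-type, short sha256 of body)."""
    by_country = defaultdict(set)
    for country, status, ctype, body in observations:
        digest = hashlib.sha256(body).hexdigest()[:12]
        by_country[country].add((status, ctype.lower(), digest))
    return by_country

def geo_cloaking_verdict(observations):
    """Return (is_cloaked, countries_served_executable, note).

    Flags the TDS pattern: at least one vantage gets an executable-style
    response while another vantage gets only non-executable content."""
    by_country = summarise(observations)
    if len(by_country) < 2:
        return False, [], "need observations from at least two countries"
    served_exe = sorted(c for c, obs in by_country.items()
                        if any(t in EXECUTABLE_TYPES for _, t, _ in obs))
    benign_only = sorted(c for c in by_country if c not in served_exe)
    if served_exe and benign_only:
        return True, served_exe, f"executable content only for {served_exe}; others got {benign_only}"
    return False, [], "no geo-dependent payload type observed"
```

A verdict of `True` is a reason to re-fetch and detonate from a vantage point in the listed countries, since a sandbox elsewhere will keep seeing the decoy page.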
TechDecoded recommends the following tips to avoid location-based cyber threats.
Individual users should:
- Use unique passwords with strong combinations of letters, numbers and special characters.
- Update computer systems regularly with the latest software updates and ensure the most advanced security software is installed and running, to avoid cyber security breaches.
- Take extra caution when opening emails, because most location-based threats are spread via email. Avoid clicking URL links within emails or downloading attachments unless the authenticity of the sender has been verified.
- Back up files regularly to ensure that no files are lost in a malware or ransomware attack. Moreover, ensure at least one backup is kept offline.
Business users should:
- Treat business cybersecurity as the utmost priority. Give business data extra layers of protection, such as encryption, to guard against sophisticated attacks.
- Take active measures to segment company networks: separate different areas, for example the client and server networks, with firewalls so that access is limited to when it is necessary.
- Provide employees with adequate training about malicious documents, spam emails and compromised URL links.
- Have stringent cybersecurity policies which are enforced.
- Disable macros. Many ransomware attacks are distributed in Office documents that prompt users to enable macros.
- Limit how much connectivity or work is undertaken while logged in as Administrator. Avoid opening documents, browsing the Internet or other regular work activities while using the Administrator account.
- Apply all the necessary software patches to all computer systems and other devices connecting to the work network.
- Back up all business data regularly.