How cybercrooks hit you where you live using country-specific attacks

Cybercrime today is a global threat, and it’s costing victims tens of millions of dollars each year – at minimum.

Just look at ransomware, which in the past few years has struck victims – from individual users and small businesses to larger organizations like hospitals – by infecting their computers, encrypting their data, and holding the data for a ransom ranging from $300 to as much as $17,000 in bitcoins.

The FBI estimated that the CryptoLocker ransomware cost victims $27 million in just the first two months after it burst on the scene in 2013, while CryptoWall cost victims $18 million in less than a year – and that just in the United States.

Now cybercriminals are attempting to maximize their profits by using tactics borrowed from legitimate businesses.

For example, McDonald’s customizes its menu and advertisements to suit the tastes and cultural sensibilities of customers depending on where they live.

Increasingly, cybercrooks are customizing their attacks to different regions, countries and languages, using different malware and phishing lures.

Chester Wisniewski, Sophos senior security advisor, has written a report published on our Sophos Blog exploring how cybercriminals target victims based on geography.

Chet’s research demonstrates that cybercrooks are using tactics including geo IP lookups and traffic direction services to target their malware at individuals based on their location.

Beyond geographically targeted malware (or “geo-malware”), Chet explains how the crooks are customizing their phishing and email-based malware attacks with carefully-crafted spams that mimic local brands and institutions, and using grammatically correct messages translated into local languages.

His research also shows that cybercrooks have “un-targeted” (excluded) certain countries from attacks, perhaps for political reasons.

I spoke to Chet recently about his research. Below is an excerpt of our chat.

Naked Security: Your research shows that cybercriminals are using a range of tactics to target victims based on their country or language. On a basic level, why would the crooks want to do this kind of targeting? Don’t the crooks want to try to get as many victims as possible?

Chester Wisniewski: Different criminals have different goals. Some criminals seem to be mostly targeting wealthy countries – for example, ransomware doesn’t seem to hit really poor countries. Maybe they think “Americans are more likely to pay a higher ransom so we hit them with ransomware, and the poor countries in Africa probably aren’t going to pay a ransom so we’ll just use them to send spam.”

It’s a way for them to increase the yield per victim. If a crook sends banking Trojans targeting German banks to every bot they infect, you’re wasting a lot of those infections. If I infected 10 million computers with malware for Germany and I only get half a million German computers, the other 9.5 million could have made money sending spam or DDoS-ing somebody or targeting a different bank. Spray and pray is what used to happen. This way they make more money and not waste as much of the victims that they’ve compromised.

NS: So, in the German banking malware example, how do they know which computers are in Germany?

CW: There are several ways they can do this. They could get a bunch of email addresses and use the country codes to target specific countries – hit the .uk emails with UK spam, and send German banking malware only to .de email addresses.

Another way they can do this is using the IP address, which is detected by the compromised web server that’s sending the malicious stuff, or the language the keyboard or Windows is set to. Your IP is always there. For the keyboard language and the Windows language stuff, it’s just an API call. Your computer is already infected with a fully functioning Windows program, and that program asks the operating system what the language is in the same way Word would legitimately. When you launch Word, and you’ve got a US keyboard, Word serves you the American dictionary. The malware does the same thing legitimate programs do.

A third method is to use traffic-directing services to target victims in a given area.

NS: You’ve also said that cybercriminals are choosing to avoid targeting certain countries. Do you have any examples of this?

CW: One of the earliest examples we saw of attackers excluding particular countries was the Conficker virus.

The first version of Conficker used an online geo IP lookup to determine whether you were in the Ukraine or not, and the virus would avoid Ukrainian computers. Later versions of Conficker dropped this behavior.

Locky ransomware has been translated into various languages including Portuguese, Danish, Chinese and Japanese, but for some reason not Arabic or Czech. Locky also checks to see if Windows is set to Russian. If it’s Russian, Locky exits and deletes itself.

NS: You talk in your research about emails targeting specific regions with messages in the local language and spoofing local institutions. Is this how malware is distributed in emails?

CW: In recent months, we’ve seen most ransomware being distributed via attachments in emails, which are carefully crafted to lure you to open the attachment and download the ransomware.

But it’s not always malware. There’s phishing attacks, too. It doesn’t matter what computer you’re on – Windows, Mac, Android or iPhone – you can still be tricked into giving something away like your bank password. Your location is a good way to make the trick more convincing. So stay on guard.


For a more detailed explanation of these tactics, and examples of regional attacks, check out Chet’s fascinating research article on the Sophos Blog. He also offers security tips to help consumers and businesses stay secure from these attacks.