Malware in July: Cybercriminals Switch to Payments in Frequent Flyer Miles and Release New ‘Spy’ for Android

09 Aug 2011
Virus News

The experts at Kaspersky Lab present their monthly report about malicious activity on users’ computers and on the Internet.

July in figures. The following statistics were compiled in July using data from computers running Kaspersky Lab products:

  • 182,045,667 network attacks blocked;
  • 75,604,730 attempted web-borne infections prevented;
  • 221,278,929 malicious programs detected and neutralized on users’ computers;
  • 94,004,507 heuristic verdicts registered.

This is how the situation looks when compared to June:

Number of threats detected in various categories. Source: KSN data

Trojan’s Mobile versions. As protection of online banking security continues to develop, cybercriminals are increasingly supplementing spy Trojans operating on users’ computers with mobile modules so they have a better chance of stealing money from the victims’ bank accounts.

A new version of the mobile spy Trojan ZitMo was detected in July capable of stealing mTAN codes, one-time passwords used when performing a remote transaction and sent to the bank customer via SMS. The mobile version of the notorious ZeuS Trojan has already been detected running on Symbian, Windows Mobile and BlackBerry platforms and now it has added Android devices to its list.

If a user’s computer is infected with ZeuS, and the mobile phone is infected with ZitMo, the cybercriminals gain access to the victim’s bank account and can intercept the one-time transaction password sent by the bank to the user. In this case, even authentication using mTAN codes cannot prevent the victim’s money from being stolen from their bank account.

Forbidden domain. It’s not only antivirus vendors who give cybercriminals a hard time. Last month Google excluded more than 11 million URLs with * addresses from its search results. The ‘blocked’ domain zone is among the largest globally, ranking fourth after .com, .de and .net in terms of registered domain names. In most cases the domain’s URLs are used by cybercriminals to spread rogue antivirus programs or conduct drive-by attacks. However, it is difficult to say how successful Google’s campaign has been: there are indeed fewer cybercriminals using the domains, but they have merely started using the services of other domain zone registrars.

Flying phish. Once again our prediction that 2011 would be the year that cybercriminals target absolutely any kind of data has proved only too true. In July, the experts at Kaspersky Lab uncovered an interesting development: Brazilian phishers have started stealing the ‘miles’ accrued by frequent flyers. Not only are they using them to buy tickets but also as a form of currency. In one IRC message, a cybercriminal was selling access to a Brazilian botnet that sends spam in exchange for 60,000 miles, while in another message air miles were offered for stolen credit cards.

Malware rating. Drive-by-download attacks remain one of the most popular methods of infecting users’ computers with malicious programs. Every month new entries that facilitate such attacks – redirectors, script downloaders and exploits – appear in the Top 20 malicious programs on the Internet. There were a total of 11 in July.

More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in July 2011 is available at: