A Student of Université de Sherbrooke Uncovers and Tracks Down Cybercriminals
Sherbrooke, le 20 janvier 2017 – When Philippe-Antoine Plante was browsing on the Internet on January 13, he visited the site of a PME. The pages, however, didn't display properly and a window popped up indicating that he had to have the Hoefler font installed for the page to display properly. A large green arrow encouraged him to download a document.
Tracking the Source of a Computer Attack
Philippe-Antoine Plante earned an undergraduate degree in computer science in the Faculty of Science at the Université de Sherbrooke. He will soon start his master's degree with Professor Marc Frappier, a specialist in software engineering, with whom he has already worked on research projects. He immediately realized that the window involved risks. But, for him and his colleagues, it represented not so much a trap as a challenge. "As soon as I saw that it was a malicious campaign, I reached out to a colleague to look into how it worked. The colleague—Anthony Branchaud—is a security analyst and an undergraduate student at Université Laval.
In just three days, the duo determined that this campaign to disseminate malicious software (known as malware) had infected thousands of sites worldwide, 5% of which are Canadian. This malware is disseminated via Web sites built with WordPress, Joomla, or Drupal, three highly popular tools that streamline Web-site creation.
On January 16, the researchers took the initiative of informing the Canadian Cyber Incident Response Centre (CCIRC) of the campaign's prevalence, providing all the information needed to pursue the matter, including a list of all the infected Web sites spreading the malware.
This campaign to disseminate malware referred to as EITest has been very well orchestrated. It determines which is the best malware to provide to the user. The campaign's strength lies with the fact that the malware leverages legitimate Web sites. Moreover, it adapts over time, which means it changes the type of software disseminated. For example, the authors could use the campaign to spread ransomware, which is a type of malware that prevents users from accessing their system unless they pay a ransom.
The Supposed Hoefler Font
From the outset, the researchers observed that compromised sites, when visited with Chrome running under Windows via a link (e.g., from a Google or Bing search or a referrer on an infected Web page), displayed an unintelligible page and a pop-up window. The message "The HoeflerText font wasn't found" appears and prompts the user to download the missing font—HoeflerText—to view the page correctly. If the user accepts, a malicious file is downloaded and the compromised page prompts the user to run it. Running the file pulls the computer into a network of zombies, which are computers controlled by cybercriminals without the users' knowledge. When it was discovered, the malware spread through this campaign was using the zombie to commit click fraud, which generates advertising income for the hackers. A few days later, the researchers were also able to confirm that the campaign was targeting other popular Web browsers.
So far, the analysis has revealed a variety of compromised sites spreading the malware such as public administrations (cities, universities, governments) as well as small businesses and individuals all around the globe, including in Quebec and Canada.
Computer Viruses in the World
According to estimates, 32% of the computers in the world are infected by some kind of malware. The losses caused by malware have been estimated at several billion dollars annually. In 2015 alone, users whose computers were infected with a cryptovirus paid out nearly $325 million in ransom. This figure is expected to triple in 2016. Public Safety Canada expects that the current world market for cybersecurity products and services will increase to more than $170 billion by 2020 and that the job market for cybersecurity professionals will grow by 6 million over the next four years. About 70% of Canadian companies have been victims of cyberattacks at a cost of about $15,000 per incident.
"We anticipate new threats in the future," commented Philippe-Antoine Plante, "and, as long as they are effective, they will continue to constitute risks for users. While it's a constant battle, it is reassuring to know that people are becoming more aware of this type of threat."
– 30 –
Note: A detailed report will soon be available setting out what the researchers have done, how to remove this malware, and what signs point to a system being compromised.
Interested persons can contact the researchers at the following email address for more information: email@example.com
Judith Lavallée, Media-Relations Officer
Communications Department | Université de Sherbrooke
819-821-8000, extension 65472 | medias@USherbrooke.ca