SYMANTEC INTELLIGENCE REPORT
NOVEMBER 2014
Symantec Corporation
Symantec Intelligence Report :: NOVEMBER 2014
CONTENTS
Summary
TARGETED ATTACKS + DATA BREACHES
Targeted Attacks
Attachments Used in Spear-Phishing Emails
Spear-Phishing Attacks by Size of Targeted Organization
Average Number of Spear-Phishing Attacks Per Day
Top-Ten Industries Targeted in Spear-Phishing Attacks
Data Breaches
Timeline of Data Breaches
Total Identities Exposed
Top Causes of Data Breaches
Total Data Breaches
Top-Ten Types of Information Breached
MALWARE TACTICS
Malware Tactics
Top-Ten Malware
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Ransomware Over Time
Top-Ten Botnets
Vulnerabilities
Number of Vulnerabilities
Zero-Day Vulnerabilities
Browser Vulnerabilities
Plug-in Vulnerabilities
SOCIAL MEDIA + MOBILE THREATS
Mobile
Mobile Malware Families by Month, Android
Mobile Threat Classifications
Social Media
Social Media
PHISHING, SPAM + EMAIL THREATS
Phishing and Spam
Phishing Rate
Global Spam Rate
Email Threats
Proportion of Email Traffic Containing URL Malware
Proportion of Email Traffic in Which Virus Was Detected
About Symantec
More Information
Summary
Welcome to the November edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.
There was a significant jump in emails containing malicious URLs during the month of November, where 41 percent of email-borne malware contained a link to a malicious or compromised website. The last time we saw this level of activity was back in August of 2013. Since then, URL malware had been present in 3 to 16 percent of malicious emails each month, until this recent surge.
We have reason to believe that the Cutwail botnet is responsible for some of this increase. However, this botnet only makes up 3.7 percent of total botnet activity tracked in November. Kelihos and Gamut appear to be in the number one and two positions, comprising 19.2 and 18.8 percent respectively.
The topics in the campaigns we’ve seen so far include fake telecom billing notices, as well as fax and voicemail spam, and government levied fines. The URLs in the first two campaigns appear to be downloaders that will install further malware on a compromised computer, while the third campaign leads to fake captcha sites hosting crypto-ransomware.
Ransomware as a whole continues to decline as the year progresses. However, the amount of crypto-ransomware seen continues to comprise a larger portion of this type of malware. This particularly aggressive form of ransomware made up 38 percent of all ransomware in the month of November.
We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.
Ben Nahorney, Cyber Security Threat Analyst
symantec_intelligence@symantec.com
TARGETED ATTACKS + DATA BREACHES
At a Glance
• The average number of spear-phishing attacks dropped to 43 per day in November, down from 45 in October.
• The .doc file type was the most common attachment type used in spear-phishing attacks. The .exe file type came in second.
• Organizations with 2500+ employees were the most likely to be targeted in November.
• Non-Traditional Services narrowly lead the Top-Ten Industries targeted, followed by Manufacturing. The difference between the two industries was 0.07 percentage points.
Targeted Attacks
[Chart: Average Number of Spear-Phishing Attacks Per Day, by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
Attachments Used in Spear-Phishing Emails
Source: Symantec :: NOVEMBER 2014
Executable type November October
.doc 25.9% 62.5%
.exe 16.4% 14.4%
.au3 8.6% –
.scr 5.3% 0.1%
.jpg 4.8% 0.2%
.class 2.2% –
.pdf 1.6% 4.4%
.bin 1.6% –
.txt 1.3% 11.2%
.dmp 1.0% 0.1%
Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec :: NOVEMBER 2014
Organization Size November October
1-250 34.4% 27.1%
251-500 8.4% 6.6%
501-1000 8.8% 8.9%
1001-1500 3.2% 2.9%
1501-2500 4.5% 11.2%
2500+ 40.7% 43.3%
Top-Ten Industries Targeted in Spear-Phishing Attacks
Source: Symantec :: NOVEMBER 2014
Industry Percent
Services - Non Traditional 20%
Manufacturing 20%
Finance, Insurance & Real Estate 17%
Services - Professional 11%
Wholesale 10%
Transportation, communications, electric 7%
Public Administration 5%
Retail 3%
Mining 1%
Construction 1%
Data Breaches
At a Glance
• The two largest data breaches reported to have occurred in November resulted in the exposure of 3.6 million and 2.7 million identities each.
• Hackers have been responsible for 57 percent of data breaches in the last 12 months.
• Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.
[Chart: Timeline of Data Breaches, showing number of incidents and identities exposed (millions) by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
Top Causes of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Cause Percent Number of Incidents
Hackers 57% 147
Accidentally Made Public 18% 46
Theft or Loss of Computer or Drive 18% 46
Insider Theft 7% 19
Total 258
Total Data Breaches, DECEMBER 2013 — NOVEMBER 2014: 258
Total Identities Exposed, DECEMBER 2013 — NOVEMBER 2014: 476 Million
Top-Ten Types of Information Breached
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Rank Type of Information Percent
01 Real Names 67%
02 Gov ID numbers (Soc Sec) 43%
03 Home Address 42%
04 Birth Dates 38%
05 Financial Information 35%
06 Medical Records 28%
07 Email Addresses 21%
08 Phone Numbers 19%
09 Usernames & Passwords 16%
10 Insurance 9%
Methodology
This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information.
In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.
MALWARE TACTICS
Malware Tactics
At a Glance
• W32.Ramnit variants continue to dominate the top-ten malware list.
• The most common OSX threat seen on OSX was OSX.Flashback.K, making up 15.7 percent of all OSX malware found on OSX Endpoints.
• Overall ransomware activity has remained low since March of this year. However, crypto-style ransomware continues to make up a larger percentage of ransomware, comprising 38 percent in November.
• Kelihos and Gamut are the two most commonly encountered botnets, making up 19.2 and 18.8 percent of botnet traffic respectively.
Top-Ten Malware
Source: Symantec :: NOVEMBER 2014
Rank Name November October
1 W32.Sality.AE 4.8% 4.1%
2 W32.Almanahe.B!inf 4.5% 3.7%
3 W32.Ramnit!html 4.4% 4.0%
4 W32.Ramnit.B 2.7% 2.7%
5 W32.Downadup.B 3.0% 2.5%
6 W32.Ramnit.B!inf 2.3% 2.1%
7 W32.SillyFDC.BDP!lnk 1.6% 1.4%
8 W32.Virut.CF 1.5% 1.3%
9 Trojan.Zbot 1.5% 1.3%
10 Trojan.Swifi 1.4% –
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Source: Symantec :: NOVEMBER 2014
Rank Malware Name November October
1 OSX.Flashback.K 15.7% 5.4%
2 OSX.Okaz 13.4% 28.8%
3 OSX.Keylogger 11.8% 9.3%
4 OSX.RSPlug.A 11.0% 14.0%
5 OSX.Klog.A 8.4% 5.2%
6 OSX.Stealbit.B 7.6% 4.7%
7 OSX.Crisis 3.7% 4.8%
8 OSX.Netweird 3.7% 3.7%
9 OSX.Flashback 3.3% 4.0%
10 OSX.Imuler 2.5% –
Top-Ten Botnets
Source: Symantec :: NOVEMBER 2014
Rank Botnet Percent
1 Kelihos 19.2%
2 Gamut 18.8%
3 Snowshoe 8.0%
4 Cutwail 3.7%
5 Darkmailer 1.0%
6 Asprox 0.7%
7 Grum 0.03%
8 Festi 0.0165%
9 Esxvaql 0.0162%
10 Darkmailer2 0.0151%
[Chart: Ransomware Over Time, in thousands, by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
[Chart: Number of Vulnerabilities, by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
[Chart: Zero-Day Vulnerabilities, by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
Vulnerabilities
At a Glance
• There were 457 vulnerabilities disclosed during the month of November.
• Internet Explorer has reported the most browser vulnerabilities in the last 12 months.
• Oracle’s Java reported the most plug-in vulnerabilities over the same time period.
[Chart: Browser Vulnerabilities, by month, for Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, and Apple Safari. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
[Chart: Plug-in Vulnerabilities, by month, for Java, Apple, Adobe, and ActiveX. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
SOCIAL MEDIA + MOBILE THREATS
Mobile
[Chart: Mobile Malware Families by Month, Android. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
At a Glance
• There were eight Android malware families discovered in November.
• Of the threats discovered in the last 12 months, 26 percent are traditional threats, such as back door Trojans and downloaders.
• In terms of social networking scams, 29 percent were fake offerings, while 59 percent were manually shared scams.
Mobile Threat Classifications
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Track User: Risks that spy on the individual using the device, collecting SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or gathering pictures and video taken with the device.
Steal Information: This includes the collection of both device- and user-specific data, such as device information, configuration data, or banking details.
Traditional Threats: Threats that carry out traditional malware functions, such as back doors and downloaders.
Reconfigure Device: These types of risks attempt to elevate privileges or simply modify various settings within the operating system.
Adware/Annoyance: Mobile risks that display advertising or generally perform actions to disrupt the user.
Send Content: These risks will send text messages to premium SMS numbers, ultimately appearing on the bill of the device’s owner. Other risks can be used to send spam messages.
[Chart: Mobile Threat Classifications, percentage of threats by category (Adware/Annoyance, Reconfigure Device, Send Content, Traditional Threats, Track User, Steal Information).]
Social Media
Social Media
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Fake Offers: These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
Manual Sharing Scams: These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
Likejacking: Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
Comment Jacking: Similar to likejacking, this type of scam relies on users clicking links that are added to comments by attackers. The links may lead to malware or survey scams.
Fake App: Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.
[Chart: Social Media scams, percentage by type (Comment Jacking, Fake Apps, Likejacking, Manual Sharing, Fake Offering).]
PHISHING, SPAM + EMAIL THREATS
Phishing and Spam
[Chart: Phishing Rate (1 in N emails), by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
At a Glance
• The phishing rate rose in November, at one in 647 emails, up from one in 1,610 emails in October.
• The global spam rate was 54.6 percent for the month of November.
• One out of every 246 emails contained a virus.
• Of the email traffic in the month of November, 41.3 percent contained a malicious URL.
[Chart: Global Spam Rate (percent), by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
Email Threats
[Chart: Proportion of Email Traffic Containing URL Malware (percent), by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
[Chart: Proportion of Email Traffic in Which Virus Was Detected (1 in N emails), by month. Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014]
About Symantec
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.
More Information
• Symantec Worldwide: http://www.symantec.com/
• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
• Symantec Security Response: http://www.symantec.com/security_response/
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners