DESCRIPTION
The Commtouch Quarterly Trends Threat Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The July 2011 edition provides analysis of Internet security threats that occurred during the second quarter of 2011. You can download the complete report at http://www.commtouch.com/threat-report-July2011.
Internet Threats
Trend Report
July 2011
July 2011 Threat Report
The following is a condensed version of the July 2011 Commtouch Internet Threats Trend Report
Download the complete report at www.commtouch.com/threat-report-July2011
Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks,
and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch.
U.S. Patent No. 6,330,590 is owned by Commtouch.
Contents
1. Key Highlights
2. Trends: Spam, Malware, Web Security, Compromised Websites, Phishing, Zombies and Web 2.0
3. Feature: Where did all the spam go?
Key Highlights for Q2 2011
Average daily spam/phishing emails sent: 113 billion
• Average daily spam down from Q1
• Lowest level in 3 years
Zombie daily turnover: 377,000 zombies
• Number of zombies turned off and on daily, up significantly from 258,000 in Q1
Most popular blog topic on user generated content sites: Streaming media/downloads (No Change)
• The streaming media & downloads category includes sites with live or archived media for download or streaming content, such as Internet radio, Internet TV or MP3 files.
Most popular spam topic: Pharmacy ads
• While it was the most popular spam topic, it was down to only 24% of all spam, compared to 28% in Q1
Country with the most zombies: India (No Change)
• India continues to lead with 17% of all zombies
Website category most likely to be compromised with malware: Pornography and sexually explicit material
Feature: Where did all the spam go?
• Q2 spam was at its lowest level in 3 years
• June’s spam level: 106 billion
• At its lowest point in June, spam accounted for 75% of all emails
Q2 2011 Spam Trends
Chart: Average daily spam emails sent, Q2 2011. Source: Commtouch
Chart: Spam Levels & Spam Percentage, March - June 2011 (spam, ham and % spam by month), marking the 16th March Rustock takedown. Source: Commtouch
• Indications are that spammer tactics are changing
• The Microsoft-led takedown of the Rustock botnet in mid-March 2011 immediately dropped spam levels by 30%, to an average of 119 billion messages per day
• In the past, such takedowns have resulted in only temporary drops in spam levels, followed by increased activity to build new botnets and resume mass mailings
Q2 2011 Spam Trends
• Other changes in Q2 spam activity
  • Rustock takedown followed by large increases in email-borne malware
  • Number of zombies activated daily more than doubled in the weeks following the malware outbreaks
  • Increased zombie horde not used for vast spam mailings (hence the declining spam numbers) but instead for smaller malware distribution attacks
• Spam coming from compromised or spammer accounts as well as compromised mail servers has increased
Q2 2011 Spam Trends
Analysis of Compromised Accounts
A percentage of emails from Gmail and Hotmail actually come from genuine accounts – compromised accounts or accounts specifically created by spammers
• Almost 30% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts
• Gmail spam mostly from zombies that simply forge Gmail addresses
Source: Commtouch
Q2 2011 Spam Trends
Analysis: Things are different this time as spammers are changing their tactics
Download the complete July 2011 Internet Threats Trend Report for a complete review
of the changing tactics of cybercriminals www.commtouch.com/threat-report-July2011
Trends in Q2 2011…
Spam Trends
Spam Sending Domains
Commtouch monitors domains used by spammers in the “from” field of the spam emails, typically faked in order to give the impression of a reputable, genuine source.
Top Faked Spam Sending Domains*
Source: Commtouch
* The domains that are used by spammers in the “from” field of the spam emails.
• NOTE: “ups.com” in 14th place due to very large numbers of fake UPS notification emails sent in Q2
• See more details on the UPS outbreak in this quarter’s complete Internet Threats Trend Report
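As an added illustration of the compromised-account analysis and of the faked “from” domains described above (example code, not Commtouch’s and not part of the report), the Python below separates webmail-addressed spam into mail that really passed through the provider’s outbound relays (a compromised or spammer-created account) and mail whose From: was simply forged by a zombie delivering directly. The relay hostname suffixes, the receiving server name mx.example.net and the sample messages are all constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed for this example: hostname suffixes of each webmail provider's
# legitimate outbound relays (in practice taken from the provider's SPF record).
PROVIDER_RELAYS = {
    "gmail.com": ("google.com",),
    "hotmail.com": ("hotmail.com", "live.com"),
}

# Our own MX (placeholder name mx.example.net) writes the topmost Received:
# line as "from <helo> (<reverse-dns> [<ip>]) by mx.example.net".
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)\s+by\s+mx\.example\.net")

def classify(raw):
    """Return 'genuine_account', 'forged_from', 'not_webmail' or 'unknown'."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    relays = PROVIDER_RELAYS.get(from_domain)
    if relays is None:
        return "not_webmail"
    # Received: lines are prepended hop by hop, so index 0 was written by our
    # own MX and is the only hop the sender could not forge.
    m = RECEIVED_RE.search(msg.get_all("Received", [""])[0])
    if not m:
        return "unknown"
    rdns = m.group(1).lower()
    if any(rdns == r or rdns.endswith("." + r) for r in relays):
        return "genuine_account"  # relayed by the provider: compromised/spammer account
    return "forged_from"          # delivered straight from a zombie forging From:

def genuine_share(raws):
    """Fraction of webmail-From spam that really came through the provider."""
    labels = [classify(r) for r in raws]
    webmail = [l for l in labels if l in ("genuine_account", "forged_from")]
    return labels.count("genuine_account") / len(webmail) if webmail else 0.0

# Constructed sample messages (documentation IPs, placeholder hostnames).
FORGED = ("Received: from [203.0.113.9] (dsl-9.isp.example [203.0.113.9])\n"
          " by mx.example.net\nReceived: from mail.gmail.com by 203.0.113.9\n"
          "From: Pharmacy <offer@gmail.com>\nSubject: meds\n\nbody\n")
GENUINE = ("Received: from mail-a1.hotmail.com (mail-a1.hotmail.com "
           "[198.51.100.5])\n by mx.example.net\n"
           "From: Friend <user@hotmail.com>\nSubject: video\n\nbody\n")
OTHER = ("Received: from h (h.example [192.0.2.1]) by mx.example.net\n"
         "From: a@example.org\n\nbody\n")
```

Only the Received: line written by your own server is trusted; the inner hop in FORGED claiming to come from Gmail is ignored, which is exactly what makes forged-From zombie spam distinguishable from a genuine Hotmail account.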
Spam Trends
Spam Topics
• Pharmacy spam remained in the top spot but dropped to only 24% (down from 28% in Q1 2011)
• 419 fraud, phishing, and pornography all increased
Source: Commtouch
• Q2 2011 also saw the emergence of e-cigarette spam
Example (French email shown in the report): promotes the health benefits of e-cigarettes due to the absence of 4,000 unwanted substances found in a normal cigarette
Trends in Q2 2011…
Malware
• End of Q1 2011
  • Enormous outbreaks of email-borne malware (up to 30% of global email traffic)
  • Initial attachments were “UPS package notifications”
  • Then the subjects changed to “DHL package notifications”
• Start of Q2 2011
  • Attacks continued on a smaller scale
  • Switched to “FedEx notifications”
Q2 2011 Malware Trends
Examples of Malware
Attack: IRS Payment Rejected
Purpose: Most likely password theft
How it works:
• Email appears to be from the IRS (US government income tax authority)
• Message informs recipients that their tax payments via the electronic payment system were rejected
• Link provided to receive a “tax transaction report” (actually a .exe file described as a self-extracting PDF file)
• Links lead to one of 2,500 domains registered in the 48 hours before the attack
• Upon clicking the link, the user gets to a page with a “404 not found” message, which hides the script that starts the virus download
Examples of Malware Attacks
Attack: PDF Malware
Purpose: Capture keystrokes and browser activity
How it works:
• Targets financially knowledgeable victims using the term “stat arb” (foreign exchange trading term) in the subject
• Extracted file appears to be a PDF, but is actually an executable file
• When the file runs, it actually shows a non-malicious PDF file in a fake PDF reader window
Images: email with attachment; fake PDF file and reader
Malware Trends
Top 10 Malware of Q2 2011
Rank Malware name
1 IFrame.gen
2 W32/Ramnit.E
3 W32/Worm.BAOX
4 W32/RAHack.A.gen!Eldorado
5 W32/Sality.gen2
6 W32/Worm.MWD
7 W32/VBTrojan.17E!Maximus
8 W32/Ramnit.D
9 W32/Mydoom.O@mm
10 W32/Vobfus.L.gen!Eldorado
Source: Commtouch
Malware Trends
Read about more Malware attacks in the complete July 2011 Threat Report at
http://www.commtouch.com/threat-report-July2011
Trends in Q2 2011…
Web Security
Q2 Facebook Threats
Facebook’s vast and ever-increasing user base continues to attract cybercriminals
Several techniques combined with social engineering elements were used to compromise Facebook user accounts in Q2 and increase the scale of attacks.
The Pros (from the cybercriminal’s perspective):
• Trusted friend environment means users don’t suspect a message is coming from a compromised account
The Cons:
• Need compromised accounts to access other accounts
• Friend networks rarely exceed a few hundred people
• Facebook has implemented mechanisms to detect multiple simultaneous message postings
Exploits in Q2 2011
Q2 Facebook Threats
Example: Osama Bin Laden death exploited by Affiliate Marketing Groups
• Goal of exploit: Affiliates earn money by driving victims to sites that pay bonuses based on clicks or successful sign-ups
• How exploit worked: Initial Osama-themed messages sent from several compromised accounts and then quickly spread to draw users to the affiliated sites (see flow below)
Osama Bin Laden Affiliate Marketing Exploit
1. User receives message or event invitation from a friend promising video of Bin Laden’s death. Message tricks the user into running a malicious JavaScript while Facebook is open.
2. Infected user is led to a site with a YouTube clip of President Obama announcing the operation.
3. Site then quickly redirects to an affiliate marketing page.
4. With access to the user’s friends, the malware sends out more invitations to continue the cycle.
Image: the script users were tricked into running
Q2 Facebook Threats
Additional Facebook exploits in Q2:
• See who’s been viewing your profile
• Free Facebook credits
• How many girls and boys have viewed your wall
Download the complete July 2011 Internet Threats Trend Report for more details on these exploits www.commtouch.com/threat-report-July2011
Other trends in Q2 2011…
Compromised Websites
Trends in Compromised Websites
• Compromised websites being used to hide phishing pages and malware
• Benefits to the cybercriminal
  • Legitimate domains most likely have a good reputation in URL filter engines, so not likely to be blocked
  • Provides FREE hosting
Compromised Websites
Example: iPhone 5 Virus (May 2011)
• Malicious email distributed with promise of details regarding the soon-to-be-released “iPhone 5G S”
• Images and links in the email point to a file “iphone5.gif”, but it is actually a malware file “iphone5.gif.exe”
• Examination of the link reveals the malware is hidden inside a compromised, legitimate website (see image)
Compromised Websites
Website categories infected with malware
Rank Category
1 Pornography/Sexually Explicit
2 Parked domains
3 Portals
4 Education
5 Entertainment
6 Business
7 Health & Medicine
8 Travel
9 Computers & Technology
10 Fashion & Beauty
Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
Compromised Websites
Download the complete July 2011 Internet Threats Trend Report for more details
on Compromised Websites www.commtouch.com/threat-report-July2011
Other trends in Q2 2011…
Phishing Trends
• Phishing attacks continued to target
  • Local and global banks
  • Web email users
  • Facebook accounts
  • Online gaming sites
Phishing Trends
Example – Facebook Phishing Page
• Users asked to enter their credentials to overcome a security warning on the page
• By entering their credentials, they provide the phisher with valid Facebook access details that can be used or sold to other cybercriminals
Phishing Trends
Improved Phishing Sites
• In an attempt to provide protection from keyloggers, some financial institutions provide a virtual keyboard which users must use to enter their login information and passwords
• Phishers have now added these keyboards, which mimic the original, to their phishing pages (see example below)
Example: fake Abu Dhabi Commercial Bank (ADCB) site complete with reproduced virtual keyboard
Website categories infected with phishing
Compromised Websites
Rank Category
1 Games
2 Portals
3 Shopping
4 Forums/Newsgroups
5 Non-profits & NGO
6 Fashion & Beauty
7 Leisure & Recreation
8 Sports
9 Education
10 Business
Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
Phishing Trends
Download the complete July 2011 Internet Threats Trend Report for more details on Phishing
www.commtouch.com/threat-report-July2011
Trends in Q2 2011…
Zombie Trends
Daily Turnover of Zombies in Q2
• Average of 377,000 zombies newly activated each day for malicious activity
• Substantial increase compared to the 258,000 in Q1
Source: Commtouch
Worldwide Zombie Distribution in Q2
• India remains atop the list with 17%
• Brazil, Vietnam, and the Russian Federation all remained in the same places
• Peru and Argentina dropped out of the top 15, replaced by Romania and Morocco
Source: Commtouch
Zombie Trends
Zombies and IPv6
• As IPv4 addresses reach exhaustion, IPv6 addresses will begin to become more prevalent
• The vast number of IPs available to a zombie makes blocking of a specific IP associated with a zombie impossible
• Blocking a range of IPs has issues
  • May block other users/devices that are not malicious (i.e. generates false positives)
  • No standard IP range allocation currently defined – it is therefore difficult to know how wide a range of IPs should be blocked
• Commtouch has begun to monitor spam received from IPv6 sources and future Internet Threat Trend Reports may include relevant data as IPv6 traffic grows
• Two on-demand webcasts are available from Commtouch providing information on IPv6 and potential threats:
  • An introduction to IPv6
  • Overview of IPv6 threats
Trends in Q2 2011…
Web 2.0 Trends
Most Popular User Generated Content Sites
Rank Category %
1 Streaming Media & Downloads 21%
2 Entertainment 9%
3 Computers & Technology 8%
4 Pornography/Sexually Explicit 5%
5 Shopping 5%
6 Arts 4%
7 Fashion & Beauty 4%
8 Religion 4%
9 Sports 4%
10 Restaurants & Dining 4%
11 Education 3%
12 Leisure & Recreation 3%
13 Health & Medicine 3%
14 Games 2%
Source: Commtouch
Chart: Review of Q2 2011. Source: Commtouch
Download the complete July 2011 Internet Threats Trend Report
at www.commtouch.com/threat-report-July2011
For more information contact: info@commtouch.com
650 864 2000 (Americas) +972 9 863 6895 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com