April 2012 Threats Trend Report


Published on

The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The April 2012 edition provides analysis of Internet security threats that occurred during the first quarter of 2012.

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

April 2012 Threats Trend Report

  1. 1. Internet ThreatsTrend ReportApril 2012
  2. 2. April 2012 Threat Report The following is a condensed version of the April 2012 Commtouch Internet Threats Trend Report You can download the complete report at http://www.commtouch.com/threat-report-april-2012Copyright© 2012 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, andCommtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. PatentNo. 6,330,590 is owned by Commtouch.
  3. 3. April 2012 Threat Report1 Key Highlights Malware, Spam, Web 2 Trends Security, Compromised Websites and Zombies
  4. 4. Key Highlights for Q1 2012
  5. 5. Key Security HighlightsAverage daily spam/phishing emails sent 94 Billion Spam levels dropped in Q1
  6. 6. Key Security Highlights Spam Zombie daily turnover 270,000 Zombies Up from 209,000 in Q4, 2011(Zombie turnover is the number of zombies turned off and on daily)
  7. 7. Key Security Highlights Most popular blog topic on user generated content sites Streaming media/ downloads (22%) Streaming media & downloads remains in top spotIncludes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment)
  8. 8. Key Security Highlights Most popular spam topic Pharmacy Ads (39% of all spam) Up 8% over Q4 20112nd place Replica spam also increased by over 5%
  9. 9. Key Security HighlightsCountry with the most Zombies India (19.2%)India still #1 but dropped from nearly 24% in Q4 2011.
  10. 10. Key Security Highlights Website category most likely to be compromised with malware Pornography/Explicit• “Parked domains” dropped to 2nd spot• New entrant “Fashion & Beauty” captured 3rd place
  11. 11. Trends in Q1 2012… Spam Trends
  12. 12. Q1 Spam Trends• Marginal increase in spam during the December 2011 holiday season• Otherwise, spam remained low vs. Q1 2011 – avg decrease nearly 40%• Average daily spam levels dropped to 94 billion spam and phishing emails/day Spam levels – Dec 2011 to March 2012December January February March Source: Commtouch
  13. 13. Q1 Spam Trends• Spam averaged 75% of all emails in Q1 Spam % of all emails - Dec 2011 to Mar 2012 December January February March Source: Commtouch
  14. 14. Q1 Spam TrendsReplica spam affiliate program “GlavTorg” closes• Spam affiliate programs provide the link between fake pharmaceuticals and replica manufacturers and spammers• Dec 2011 - GlavTorg (affiliate focused on replica handbags and clothing) announced it would stop affiliates payouts at end of Jan’12• Commtouch Labs evaluated the effect of the closure with introduction of the “spam-subject cloud tool” – Samples thousands of spam messages at definable intervals – Frequency of spam terms indicated by text size• Spam subjects used in massive quantities are instantly distinguishable.
  15. 15. Q1 Spam Trends• Spam topics cloud for the end of January 2012 shows no evidence of GlavTorg related products• Spam levels for the period show Spam Topics Cloud for End of no obvious increase or decrease January 2012 around dates when payments were stopped• Conclusion: Spammers have apparently easily realigned their activities. Source: Commtouch
  16. 16. Q1 Spam Trends Spam cloud for Entire Q1 2012Subjects include: Spam Topics Cloud for Q1 2012• Pharmaceuticals (Viagra, Cialis)• Replicas (Rolex, Breitling)• Enhancers• Software (CS5, Windows, Adobe)• “Dating” – Present, but due to the great variance of subject words, are less prominent Source: Commtouch
  17. 17. Q1 Spam Trends Spam Topics in Q1• Pharmacy spam continued to increase, as it did last quarter, to nearly 39% of all spam (~8% more than the previous quarter)• Replica-themed spam also increased in Q1 by over 5% Source: Commtouch
  18. 18. Q1 Spam TrendsTop Faked (Spoofed) Spam Sending Domains* • gmail.com is once again the most spoofed domain (increasing above 25% for the first time) • The top 15 features popular social networking and mail sites (AOL, Yahoo, Facebook, LinkedIn, MySpace) as well as DHL.com – often used as part of email malware attacks * Domains used by spammers in the “from” Source: Commtouch field of the spam emails.
  19. 19. Q1 Spam TrendsFind out more about Spam Trends in Q1 by downloading the complete April Internet Threats Trend Reporthttp://www.commtouch.com/threat-report-april-2012
  20. 20. Trends in Q2 2012… Malware Trends
  21. 21. Q1 Malware TrendsDid cybercriminals target accountants?• The scale of a February attack was so large that it certainly must have worked on many CPAs – but also many other individuals• Attacks included subjects such as: • “Fraudulent tax return assistance accusations” • “Your accountant license can be revoked” • “Your accountant cpa license termination” • “Income tax return fraud accusations”
  22. 22. Q1 Malware TrendsHow it worked• Clicking on the link downloaded a short HTML page that promises “Page is loading, please wait. You will see tax info on this screen.”• In the background, a small Phony accountant tax fraud emails script creates a nested lead to malware iFrame, which brought in more JavaScript, creating further dynamic content• The process repeated until a large portion of malware code was activated Source: Commtouch
  23. 23. Q1 Malware Trends• 2 weeks later a similarly sized attack targeted accounting practitioners and the small business market• Method this time was by describing fictitious purchases of Intuit accounting software.• Subjects lines included: – Your QuickBooks software order – Your Intuit.com order – Your Intuit.com invoice – Please confirm your Intuit.com invoice• The malware downloaded and deployed in the same way as described above in previous attack Source: Commtouch
  24. 24. Q1 Malware TrendsEmail attached malware levels generally low Q1 2012• Malware distributors generally stuck to popular malware topics, such as Fedex delivery notices.• Several other interesting social engineering techniques were also used during the quarter: – Google have received your CV (with an attached CV submission form) – Your friend invited you to Twitter (with an attached “invitation card”) – Someone wanting to be your friend on Hi5 (a social network) – Shipping updates for your Amazon.com order (with attached “shipping documents”)
  25. 25. Q1 Malware Trends– American Airlines ticket confirmations– “I love you” (containing only the text “lovely :-)” and phony assurance that F-Secure Antivirus had found no virus in the attachment– Sex pictures (with an attached zip refering to www.freeporn4all. Once extracted, a typical Explorer view shows a file named “document.txt”. Widening the filename column reveals the true “.exe” extension of the malware (following multiple space characters) – an old trick but probably still effective
  26. 26. Q1 Malware Trends Top 10 Malware of Q1 2012Rank Malware name Rank Malware name 1 W32/InstallCore.A2.gen!Eldorado 6 W32/Sality.gen2 2 W32/RLPacked.A.gen!Eldorado 7 W32/HotBar.L.gen!Eldorado 3 W32/Sality.C.gen!Eldorado 8 W32/Vobfus.AD.gen!Eldorado 4 W32/Heuristic-210!Eldorado 9 JS/Pdfka.CI.gen 5 W32/RAHack.A.gen!Eldorado 10 W32/Korgo.V Source: Commtouch
  27. 27. Q1 Malware Trends For a complete analysis of Malware in Q1 and thespecific attacks employed, download the complete April 2012 Internet Threats Trend Report http://www.commtouch.com/threat-report-april-2012
  28. 28. Trends in Q1 2012… Web Security
  29. 29. Q1 Web SecurityFacebook “unwatchable video” scam• Several variants of this scam have appeared on Facebook in the last few months• January’s version starts with a friend’s post that looks something like this: Source: Commtouch• The link takes clickers to a Blogspot page which has been very convincingly designed to look like a Facebook page with an embedded video player. – None of the buttons on the page are actually clickable
  30. 30. Q1 Web Security• Visitors are informed that they need the Divx plugin/ YouTube Premium plugin• Clicking on the download link runs a malicious link that: – Posts a link on the user’s wall to attract more users to click on the link – Installs Firefox or Chrome extensions (depending on browser), used to redirect users to several further scams. – Redirections happen regardless of the site user actually intended to go to. One of the redirections is to a scam offering a $50 Starbucks gift card. After coaxing the Facebook user to like and share the link they are led to an affiliate marketing site.
  31. 31. Q1 Compromised WebsitesSee more examples of compromised websites Download the complete April 2012 Internet Threats Trend Report for more details http://www.commtouch.com/threat-report-april-2012
  32. 32. Q1 Compromised Websites Website categories infected with malware• Pornographic sites climbed back up to the top spot pushing down Parked domains. As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites.• A new entry into the top 3 is “Fashion and Beauty” sites Rank Category Rank Category 1 Pornography/Sexually Explicit 6 Education 2 Parked Domains 7 Health & Medicine 3 Fashion and Beauty 8 Computers & Technology 4 Portals 9 Business 5 Entertainment 10 Leisure & Recreation Source: Commtouch
  33. 33. Q1 Compromised WebsitesCompromised Websites: An Owner’s Perspective• Commtouch, in cooperation with StopBadware, undertook a survey of webmasters whose sites had been compromised• The report presents statistics & opinions on how site owners navigate the process of learning their sites have been hacked and repairing the damage• Some results – Over 90% of respondents didnt notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware. – Nearly two-thirds of the webmasters surveyed didnt know how the compromise had happened – About half of site owners discovered the hack when they attempted to visit their own site and received a browser or search engine warningView the complete list of findings by downloading the full report http://www.commtouch.com/compromised-websites-report-2012
  34. 34. Q1 Compromised WebsitesPhishing Trends• Phishing attacks target account information for many services: – Banks, email and social network accounts, and online games.• Commtouch’s Security Blog has also featured phishing aimed at Google Adwords customers.• In January, a similar phishing attack was directed at Microsoft adCenter users. The links in the email led to a very convincing replica of the adCenter login page.
  35. 35. Q1 Compromised Websites Website categories infected with phishing• During the first quarter of 2012, Commtouch analyzed which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner).• Portals (offering free website hosting) jumped into the highest position. Sites related to games (the previous leader), dropped off the list. Rank Category Rank Category 1 Portals 6 Sports 2 Shopping 7 Leisure & Recreation 3 Fashion & Beauty 8 Health and medicine 4 Education 9 Real Estate 5 Business 10 Personal sites Source: Commtouch
  36. 36. Q1 Compromised Websites Download the complete April 2012 Internet Threats Trend Report for more detailshttp://www.commtouch.com/threat-report-april-2012
  37. 37. Trends in Q1 2012… Zombie Trends
  38. 38. Q1 Zombie Trends Daily Turnover of Zombies in Q1• Average turnover: 270,000 newly activated each day sending spam (increase from 209,000 in Q4 2011)• Large drop at start of Nov apparently result of Esthost botnet takedown• Although Esthost primarily used for DNS changing (redirecting Web requests to malicious sites), some apparently also used to send spam• Since start of 2012, spammers have worked to source new zombies Daily newly activated spam zombies: Oct 2011 to mar 2012 Source: Commtouch
  39. 39. Q1 Zombie Trends Worldwide Zombie Distribution in Q1 Source: Commtouch• India again claimed top zombie producer title, but dropped below 20% from nearly 24% in Q4 2011• Brazil and Russian Federation both climbed back up to the 2nd and 3rd positions, respectively• Argentina, Poland and Italy joined the top 15, displacing The United States, Romania and Ukraine
  40. 40. Q4 Zombie Trends Download the complete April 2012 Internet Threats Trend Report for more detailshttp://www.commtouch.com/threat-report-april-2012
  41. 41. Trends in Q1 2012… Web 2.0 Trends
  42. 42. Q1 Web 2.0 Trends Web 2.0 Trends• “Streaming media and downloads” was the most popular blog or page topic again in Q2, remaining at 22%.Rank Category % Rank Category % 1 Streaming Media & Downloads 22% 8 Religion 5% 2 Computers & Technology 8% 9 Sports 4% 3 Entertainment 7% 10 Education 4% 4 Pornography/Sexually Explicit 5% 11 Leisure & Recreation 3% 5 Restaurants & Dining 5% 12 Health & Medicine 3% 6 Fashion & Beauty 5% 13 Games 3% 7 Arts 5% 14 Sex Education 2% Source: CommtouchThe streaming media & downloads category includes sites with MP3 files ormusic related sites such as fan pages.
  43. 43. Download the complete April 2012 Internet Threats Trend Report athttp://www.commtouch.com/threat-report-april-2012
  44. 44. For more information contact: info@commtouch.com 650 864 2000 (Americas) +972 9 863 6895 (International) Web: www.commtouch.comBlog: http://blog.commtouch.com