April 2012 Threats Trend Report


The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The April 2012 edition provides analysis of Internet security threats that occurred during the first quarter of 2012.

Transcript

  • 1. Internet Threats Trend Report, April 2012
  • 2. April 2012 Threat Report. The following is a condensed version of the April 2012 Commtouch Internet Threats Trend Report. You can download the complete report at http://www.commtouch.com/threat-report-april-2012 Copyright © 2012 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
  • 3. April 2012 Threat Report: (1) Key Highlights; (2) Trends: Malware, Spam, Web Security, Compromised Websites and Zombies
  • 4. Key Highlights for Q1 2012
  • 5. Key Security Highlights: Average daily spam/phishing emails sent: 94 billion. Spam levels dropped in Q1.
  • 6. Key Security Highlights: Spam zombie daily turnover: 270,000 zombies. Up from 209,000 in Q4 2011. (Zombie turnover is the number of zombies turned off and on daily.)
  • 7. Key Security Highlights: Most popular blog topic on user generated content sites: Streaming media/downloads (22%). Streaming media & downloads remains in top spot. Includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment).
  • 8. Key Security Highlights: Most popular spam topic: Pharmacy ads (39% of all spam). Up 8% over Q4 2011. 2nd place replica spam also increased by over 5%.
  • 9. Key Security Highlights: Country with the most zombies: India (19.2%). India still #1 but dropped from nearly 24% in Q4 2011.
  • 10. Key Security Highlights: Website category most likely to be compromised with malware: Pornography/Explicit
    • “Parked domains” dropped to 2nd spot
    • New entrant “Fashion & Beauty” captured 3rd place
  • 11. Trends in Q1 2012… Spam Trends
  • 12. Q1 Spam Trends
    • Marginal increase in spam during the December 2011 holiday season
    • Otherwise, spam remained low vs. Q1 2011 – average decrease nearly 40%
    • Average daily spam levels dropped to 94 billion spam and phishing emails/day
    [Chart: Spam levels, Dec 2011 to March 2012. Source: Commtouch]
  • 13. Q1 Spam Trends
    • Spam averaged 75% of all emails in Q1
    [Chart: Spam % of all emails, Dec 2011 to Mar 2012. Source: Commtouch]
  • 14. Q1 Spam Trends: Replica spam affiliate program “GlavTorg” closes
    • Spam affiliate programs provide the link between fake pharmaceuticals and replica manufacturers and spammers
    • Dec 2011: GlavTorg (affiliate focused on replica handbags and clothing) announced it would stop affiliate payouts at the end of Jan ’12
    • Commtouch Labs evaluated the effect of the closure with the introduction of the “spam-subject cloud tool”
        – Samples thousands of spam messages at definable intervals
        – Frequency of spam terms indicated by text size
    • Spam subjects used in massive quantities are instantly distinguishable.
  • 15. Q1 Spam Trends
    • Spam topics cloud for the end of January 2012 shows no evidence of GlavTorg related products
    • Spam levels for the period show no obvious increase or decrease around dates when payments were stopped
    • Conclusion: Spammers have apparently easily realigned their activities.
    [Figure: Spam Topics Cloud for End of January 2012. Source: Commtouch]
  • 16. Q1 Spam Trends: Spam cloud for entire Q1 2012. Subjects include:
    • Pharmaceuticals (Viagra, Cialis)
    • Replicas (Rolex, Breitling)
    • Enhancers
    • Software (CS5, Windows, Adobe)
    • “Dating” – present, but due to the great variance of subject words, less prominent
    [Figure: Spam Topics Cloud for Q1 2012. Source: Commtouch]
  • 17. Q1 Spam Trends: Spam Topics in Q1
    • Pharmacy spam continued to increase, as it did last quarter, to nearly 39% of all spam (~8% more than the previous quarter)
    • Replica-themed spam also increased in Q1 by over 5%
    Source: Commtouch
  • 18. Q1 Spam Trends: Top Faked (Spoofed) Spam Sending Domains*
    • gmail.com is once again the most spoofed domain (increasing above 25% for the first time)
    • The top 15 features popular social networking and mail sites (AOL, Yahoo, Facebook, LinkedIn, MySpace) as well as DHL.com – often used as part of email malware attacks
    * Domains used by spammers in the “from” field of the spam emails.
    Source: Commtouch
  • 19. Q1 Spam Trends: Find out more about Spam Trends in Q1 by downloading the complete April Internet Threats Trend Report: http://www.commtouch.com/threat-report-april-2012
  • 20. Trends in Q2 2012… Malware Trends
  • 21. Q1 Malware Trends: Did cybercriminals target accountants?
    • The scale of a February attack was so large that it certainly must have worked on many CPAs – but also many other individuals
    • Attacks included subjects such as:
        – “Fraudulent tax return assistance accusations”
        – “Your accountant license can be revoked”
        – “Your accountant cpa license termination”
        – “Income tax return fraud accusations”
  • 22. Q1 Malware Trends: How it worked
    • Clicking on the link downloaded a short HTML page that promises “Page is loading, please wait. You will see tax info on this screen.”
    • In the background, a small script creates a nested iFrame, which brought in more JavaScript, creating further dynamic content
    • The process repeated until a large portion of malware code was activated
    [Figure: Phony accountant tax fraud emails lead to malware. Source: Commtouch]
  • 23. Q1 Malware Trends
    • 2 weeks later a similarly sized attack targeted accounting practitioners and the small business market
    • The method this time was describing fictitious purchases of Intuit accounting software.
    • Subject lines included:
        – Your QuickBooks software order
        – Your Intuit.com order
        – Your Intuit.com invoice
        – Please confirm your Intuit.com invoice
    • The malware was downloaded and deployed in the same way as described above for the previous attack
    Source: Commtouch
  • 24. Q1 Malware Trends: Email-attached malware levels generally low in Q1 2012
    • Malware distributors generally stuck to popular malware topics, such as FedEx delivery notices.
    • Several other interesting social engineering techniques were also used during the quarter:
        – Google have received your CV (with an attached CV submission form)
        – Your friend invited you to Twitter (with an attached “invitation card”)
        – Someone wanting to be your friend on Hi5 (a social network)
        – Shipping updates for your Amazon.com order (with attached “shipping documents”)
  • 25. Q1 Malware Trends
        – American Airlines ticket confirmations
        – “I love you” (containing only the text “lovely :-)” and phony assurance that F-Secure Antivirus had found no virus in the attachment
        – Sex pictures (with an attached zip referring to www.freeporn4all. Once extracted, a typical Explorer view shows a file named “document.txt”. Widening the filename column reveals the true “.exe” extension of the malware (following multiple space characters) – an old trick but probably still effective
  • 26. Q1 Malware Trends: Top 10 Malware of Q1 2012 (rank, malware name)
    1. W32/InstallCore.A2.gen!Eldorado
    2. W32/RLPacked.A.gen!Eldorado
    3. W32/Sality.C.gen!Eldorado
    4. W32/Heuristic-210!Eldorado
    5. W32/RAHack.A.gen!Eldorado
    6. W32/Sality.gen2
    7. W32/HotBar.L.gen!Eldorado
    8. W32/Vobfus.AD.gen!Eldorado
    9. JS/Pdfka.CI.gen
    10. W32/Korgo.V
    Source: Commtouch
  • 27. Q1 Malware Trends: For a complete analysis of malware in Q1 and the specific attacks employed, download the complete April 2012 Internet Threats Trend Report: http://www.commtouch.com/threat-report-april-2012
  • 28. Trends in Q1 2012… Web Security
  • 29. Q1 Web Security: Facebook “unwatchable video” scam
    • Several variants of this scam have appeared on Facebook in the last few months
    • January’s version starts with a friend’s post that looks something like this: [Image: example post. Source: Commtouch]
    • The link takes clickers to a Blogspot page which has been very convincingly designed to look like a Facebook page with an embedded video player.
        – None of the buttons on the page are actually clickable
  • 30. Q1 Web Security
    • Visitors are informed that they need the Divx plugin / YouTube Premium plugin
    • Clicking on the download link runs a malicious link that:
        – Posts a link on the user’s wall to attract more users to click on the link
        – Installs Firefox or Chrome extensions (depending on browser), used to redirect users to several further scams.
        – Redirections happen regardless of the site the user actually intended to go to. One of the redirections is to a scam offering a $50 Starbucks gift card. After coaxing the Facebook user to like and share the link they are led to an affiliate marketing site.
  • 31. Q1 Compromised Websites: See more examples of compromised websites. Download the complete April 2012 Internet Threats Trend Report for more details: http://www.commtouch.com/threat-report-april-2012
  • 32. Q1 Compromised Websites: Website categories infected with malware
    • Pornographic sites climbed back up to the top spot, pushing down Parked domains. As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites.
    • A new entry into the top 3 is “Fashion and Beauty” sites
    Rank and category:
    1. Pornography/Sexually Explicit
    2. Parked Domains
    3. Fashion and Beauty
    4. Portals
    5. Entertainment
    6. Education
    7. Health & Medicine
    8. Computers & Technology
    9. Business
    10. Leisure & Recreation
    Source: Commtouch
  • 33. Q1 Compromised Websites: Compromised Websites: An Owner’s Perspective
    • Commtouch, in cooperation with StopBadware, undertook a survey of webmasters whose sites had been compromised
    • The report presents statistics & opinions on how site owners navigate the process of learning their sites have been hacked and repairing the damage
    • Some results:
        – Over 90% of respondents didn’t notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware.
        – Nearly two-thirds of the webmasters surveyed didn’t know how the compromise had happened
        – About half of site owners discovered the hack when they attempted to visit their own site and received a browser or search engine warning
    View the complete list of findings by downloading the full report: http://www.commtouch.com/compromised-websites-report-2012
  • 34. Q1 Compromised Websites: Phishing Trends
    • Phishing attacks target account information for many services:
        – Banks, email and social network accounts, and online games.
    • Commtouch’s Security Blog has also featured phishing aimed at Google Adwords customers.
    • In January, a similar phishing attack was directed at Microsoft adCenter users. The links in the email led to a very convincing replica of the adCenter login page.
  • 35. Q1 Compromised Websites: Website categories infected with phishing
    • During the first quarter of 2012, Commtouch analyzed which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner).
    • Portals (offering free website hosting) jumped into the highest position. Sites related to games (the previous leader) dropped off the list.
    Rank and category:
    1. Portals
    2. Shopping
    3. Fashion & Beauty
    4. Education
    5. Business
    6. Sports
    7. Leisure & Recreation
    8. Health and medicine
    9. Real Estate
    10. Personal sites
    Source: Commtouch
  • 36. Q1 Compromised Websites: Download the complete April 2012 Internet Threats Trend Report for more details: http://www.commtouch.com/threat-report-april-2012
  • 37. Trends in Q1 2012… Zombie Trends
  • 38. Q1 Zombie Trends: Daily Turnover of Zombies in Q1
    • Average turnover: 270,000 newly activated each day sending spam (increase from 209,000 in Q4 2011)
    • Large drop at start of Nov apparently the result of the Esthost botnet takedown
    • Although Esthost was primarily used for DNS changing (redirecting Web requests to malicious sites), some zombies were apparently also used to send spam
    • Since the start of 2012, spammers have worked to source new zombies
    [Chart: Daily newly activated spam zombies, Oct 2011 to Mar 2012. Source: Commtouch]
  • 39. Q1 Zombie Trends: Worldwide Zombie Distribution in Q1 (Source: Commtouch)
    • India again claimed top zombie producer title, but dropped below 20% from nearly 24% in Q4 2011
    • Brazil and Russian Federation both climbed back up to the 2nd and 3rd positions, respectively
    • Argentina, Poland and Italy joined the top 15, displacing the United States, Romania and Ukraine
  • 40. Q4 Zombie Trends: Download the complete April 2012 Internet Threats Trend Report for more details: http://www.commtouch.com/threat-report-april-2012
  • 41. Trends in Q1 2012… Web 2.0 Trends
  • 42. Q1 Web 2.0 Trends
    • “Streaming media and downloads” was the most popular blog or page topic again in Q2, remaining at 22%.
    Rank, category and share:
    1. Streaming Media & Downloads: 22%
    2. Computers & Technology: 8%
    3. Entertainment: 7%
    4. Pornography/Sexually Explicit: 5%
    5. Restaurants & Dining: 5%
    6. Fashion & Beauty: 5%
    7. Arts: 5%
    8. Religion: 5%
    9. Sports: 4%
    10. Education: 4%
    11. Leisure & Recreation: 3%
    12. Health & Medicine: 3%
    13. Games: 3%
    14. Sex Education: 2%
    Source: Commtouch
    The streaming media & downloads category includes sites with MP3 files or music related sites such as fan pages.
  • 43. Download the complete April 2012 Internet Threats Trend Report at http://www.commtouch.com/threat-report-april-2012
  • 44. For more information contact: info@commtouch.com; 650 864 2000 (Americas); +972 9 863 6895 (International); Web: www.commtouch.com; Blog: http://blog.commtouch.com
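
The filename trick described in slide 25 (a file shown as “document.txt” whose real “.exe” extension follows a run of spaces) can be checked for at a mail gateway or during triage by inspecting archive member names without extracting them. The following is an added example, not part of the Commtouch report; the extension lists, padding threshold and function names are assumptions, and it also flags the unpadded double-extension variant.

```python
import io
import re
import zipfile

# Assumed lists; extend both for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "png", "xls"}

# <stem>.<decoy extension><optional whitespace run>.<real extension>
_DISGUISED = re.compile(
    r"^(?P<shown>.*\.(?P<decoy>[A-Za-z0-9]{1,5}))(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]{1,5})\s*$"
)

def classify_name(name, min_pad=3):
    """Return a dict describing the disguise, or None if the name looks normal."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = _DISGUISED.match(base)
    if not m:
        return None
    real, decoy, pad = m["real"].lower(), m["decoy"].lower(), m["pad"]
    if real not in EXECUTABLE_EXTS or decoy not in DECOY_EXTS:
        return None
    kind = "padded-extension" if len(pad) >= min_pad else "double-extension"
    return {"name": name, "shown_as": m["shown"], "real_ext": real,
            "padding": len(pad), "kind": kind}

def scan_zip(data):
    """List suspicious member names in a ZIP given as bytes, without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = (classify_name(info.filename) for info in zf.infolist())
        return [h for h in hits if h]

def build_sample_zip():
    """Constructed sample: harmless placeholder bytes stored under test names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".exe", b"placeholder, not a program")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("photos/holiday.jpg.scr", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(f"{hit['kind']}: shown as {hit['shown_as']!r}, "
              f"real extension .{hit['real_ext']}, padding {hit['padding']}")
```

A plainly named `setup.exe` is deliberately not flagged here, since it hides nothing; blocking executables in archives outright is a separate policy decision.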