Your SlideShare is downloading. ×
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Jan 2012 Threats Trend Report

9,172

Published on

The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats. …

The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats.

The January 2012 edition provides analysis of Internet security threats that occurred during the fourth quarter of 2011. This edition also provides an overview of Facebook attacks that occurred throughout 2011.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
9,172
On Slideshare
0
From Embeds
0
Number of Embeds
12
Actions
Shares
0
Downloads
38
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Internet ThreatsTrend ReportJanuary 2012
  • 2. January 2012 Threat Report The following is a condensed version of the January 2012 Commtouch Internet Threats Trend Report You can download the complete report at http://www.commtouch.com/threat-report-january-2012Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, andCommtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. PatentNo. 6,330,590 is owned by Commtouch.
  • 3. January 2012 Threat Report1 Key Highlights Facebook Attacks 2 Feature – The year in review Malware, Spam, Web Security, 3 Trends Compromised Websites and Zombies
  • 4. Key Highlights for Q4 2011
  • 5. Key Security HighlightsAverage daily spam/phishing emails sent 101 BillionSpam levels increased marginally in November and December 2011
  • 6. Key Security Highlights Spam Zombie daily turnover 209,000 Zombies A very large decrease compared to the 336,000 in Q3(Zombie turnover is the number of zombies turned off and on daily)
  • 7. Key Security Highlights Most popular blog topic on user generated content sites Streaming media/ downloads (22%)Streaming media & downloads remains in top spot but dropped 2% from Q3Includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment)
  • 8. Key Security HighlightsMost popular spam topic Pharmacy Ads (31%) Up 2% over Q3
  • 9. Key Security Highlights Country with the most Zombies India (23.5%)India increased its share in Q4 to nearly one quarter of the world’s zombies
  • 10. Key Security Highlights Website category most likely to be compromised with malware Parked Domains“Parked domains” and “Portals” remained inthe top 2 positions with “pornographic sites” in 3rd position
  • 11. Feature… Facebook Attacks – The year in review
  • 12. Facebook Attacks – 2011 Facebook Attacks in 2011• Continues to be an attractive target for attacks from malware distributors, scammers and plain old jokers• Most Facebook attacks ultimately lead victims to affiliate marketing/survey sites• Q4 2011 saw increases in free-merchandise scams
  • 13. Lifecycle of Facebook Attacks The 3 Stages of Facebook Attacks Stage 1 – The Catch TheCatch Enticing offer or information inspiring action by a Facebook user Spreading Stage 2 – Spreading the Attack the Ensure the attacks continues/spreads Attack Stage 3 – The Goal The Goal What the cybercriminals wants to gain or achieve
  • 14. The Catch - 4 Tactics The 4 ways Facebook users are tricked into “liking”, following a link or adding add an app1. Free goods – Items ranging from headphones to gift cards to unreleased Facebook phones2. Sensational headlines on current news issues Examples: – Death of Osama Bin videos – Death of Steve Jobs “free iPad/iPhone” scams
  • 15. The Catch - 4 Tactics3. Must see tragic/amazing events with call to action – Users follow a link, or click on Like to see a shocking video/photo, or forward a chain message The Spanish in the example above translates to “Look what happens”.4. Must-have Facebook app download Example of popular attack: – Mythical app allowing users to see who has been viewing their profile and get a breakdown of boy and girl views of their profile
  • 16. The Catch – Summary Summary of Catch Tactics• Social engineering is the key to the tactics used to “catch” Facebook victims• The tactics are spread nearly evenly between the four tactics described above – Most used tactic – “must see this” (36%) – Most common tactic in second half of 2011 – 26 “free stuff” (26%)
  • 17. Spreading Attacks How Facebook Attacks are Propagated• Cybercriminals abuse the inherent trust of Facebook friends• 4 main methods for spreading attacks: 1. Tricking users into sharing 2. Likejacking 3. Rogue applications 4. Malware and “self-XSS”
  • 18. Spreading AttacksTricking users into sharing• Users aware that they are liking/sharing a page, but do so under false pretenses• Example attacks: – Scams promising free gift cards in exchange for like/share – Users post a hoax they believe to be true warning other users about a (nonexistent) virus or telling them the sad tale of a (nonexistent) abused child
  • 19. Spreading AttacksLikejacking• A common tactic is to entice users to see a video• The video player may be functional but the page includes scripts that use any mouse click to generate a “like”• Users unaware that they have liked a page, but the “like” is used to lead more friends to the video
  • 20. Spreading AttacksRogue applications• Apps users believe provide worthwhile functionality – Example: An app promising to reveal who has been viewing your profile• Users grant these apps permission to access parts of their user profile as well as post on their wall – Wall posts are then used by the rogue app to spread out further within Facebook
  • 21. Spreading AttacksMalware and “self-XSS”• Malware unwittingly installed a users PC hijacks their Facebook session for posts and other activity• How it works – Traditional cross site scripting (XSS) attacks rely on a hidden script within a webpage to hijacks a Facebook session – Self-XSS means that malicious script was activated by a user (the “self”) giving another site access to the Facebook session
  • 22. Spreading Attacks– Users are tricked into activating a script by copying it directly into their browser– In most cases scripts will direct to an external site (the “cross-site” of “cross-site scripting”) and then post a wall post or an event invite, which others view and in turn help to further propagate the attack
  • 23. Goal of Attacks Goal of the Facebook AttackThe goal of Cybercriminals with Facebook attacks canbe divided into the following categories:• Marketing affiliate/survey sites• Chain posts and hoaxes• Other
  • 24. Goal of AttacksMarketing affiliate/survey sites• Benefit to Cybercriminals: – Affiliate payments for driving users to specific sites – Collection of personal data to be used in identity theft• Users are led to believe that completion of a form will result in a free gift (iPhone, gift card, cap, etc.)• They may also be tricked into signing up for unwanted products
  • 25. Goal of AttacksChain Posts and Hoaxes• The Benefit to Cybercriminals: – Pranksters having a laugh at the expense of unaware Internet users• Users like or share stories of abused children or devastating computer viruses• Many of the fake stories were email chain emails many years ago and have been reused
  • 26. Goal of AttacksOther types of attack• Defacement – Benefit to Cybercriminal: Embarrass Facebook• Spreading malware – Benefit to Cybercriminal: Spread malware that steal passwords or sends spam• Collecting Likes – Benefit to Cybercriminal: Generate an enormous number of likes of a page (several hundred thousand in some cases) but with no clear further malicious purpose
  • 27. Facebook Attacks Summary Summary of 2011 Facebook AttacksSome progress made during 2011 to stop attacks• Various attacks more quickly detected and removed by Facebook• Almost no recent reports of rogue applications compared to the numerous examples from the first half of the year• Some attack methods, such as the self-XSS, almost completely eliminated (due to security updates by major browser vendors)• “Free merchandise” scams are still common
  • 28. Q4 Malware Trends For a complete analysis of Facebook attacks in 2011, download the complete January 2012 Internet Threats Trend Reporthttp://www.commtouch.com/threat-report-january-2012
  • 29. Trends in Q4 2011… Malware Trends
  • 30. Q4 Malware Trends• The large amounts of email-malware in 2011 were a surprise to many analysts • Analysts had predicted the continued demise of the spam threat vector following a quiet 2010• The mass Malware-attachment outbreaks of late Q3 subsided in Q4, as can be seen in the chart below• Multiple “blended threat” email outbreaks were tracked by Commtouch in Q4 • Involved emails and malware hosted on compromised websites
  • 31. Q4 Malware TrendsMalware email levels – Jan to Dec 2011 Source: Commtouch
  • 32. Q4 Malware Trends Top 10 Malware of Q4 2011Rank Malware name Rank Malware name 1 W32/Swizzor-based!Maximus 6 W32/MyWeb.D 2 W32/Brontok.A.gen!Eldorado 7 W32/Tibs.K.gen!Eldorado 3 JS/IFrame.HC.gen 8 W32/Mabezat.A-2 4 W32/Virut.9264 9 W32/Virtumonde.T.gen!Eldorado 5 W32/Heuristic-210!Eldorado 10 W32/Mywebsearch.B.gen!Eldorado Source: Commtouch
  • 33. Q4 Malware Trends For a complete analysis of Malware in Q4 and thespecific attacks employed, download the complete January 2012 Internet Threats Trend Report http://www.commtouch.com/threat-report-january-2012
  • 34. Trends in Q4 2011… Spam Trends
  • 35. Q4 Spam Trends • Spam levels increased marginally in Nov & Dec but remained at their lowest in years following the Rustock botnet takedown in March • Q3 average spam levels approached 101 billion email messages Spam levels – Jan to Dec 2011Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Source: Commtouch
  • 36. Q4 Spam Trends• Spam averaged 77% of all emails in Q4 (excluding emails with malware attachments) Spam % of all emails - Jan to Dec 2011 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Source: Commtouch
  • 37. Q4 Spam TrendsNovember Spam Tactics– Sending spam containing URLs not yet registered• Several hundred million emails sent out with many thousands of unregistered URLsHow it Works• Spam filters with URL reputation systems check if URLs are registered and when they were registered – Bad sites usually have registrations that are only several hours old• If a site is not registered when checked, many URL reputation systems will not blacklist the site and not pursue further checks• This loophole allows spammers to send out emails linking to unregistered URLs and then register them an hour or so after the outbreak in order to prevent the URLs from being blocked
  • 38. Q4 Spam TrendsTop Faked (Spoofed) Spam Sending Domains* • Gmail.com once again the most spoofed domain • Facebook related addresses (unsubscribe.facebook.com) and facebookmail.com both feature in the top 15 (often part of phishing or malware attacks) * The domains that are used by spammers Source: Commtouch in the “from” field of the spam emails.
  • 39. Q4 Spam Trends Spam Topics• “Pharmacy spam” increases for second straight quarter (about 2% over Q3) reaching 31% of all spam• Dating related spam increased from 2.3% to nearly 12% in the last quarter of the year Source: Commtouch
  • 40. Q4 Spam TrendsFind out more about Spam Trends in Q4 by downloading the complete January Internet Threats Trend Reporthttp://www.commtouch.com/threat-report-january-2012
  • 41. Trends in Q4 2011… Web Security
  • 42. Q4 Compromised WebsitesTrend: Compromised Websites Store Malware• Most of the emails carrying malware links in Q4 used compromised websites• Example: The “speeding fine” link directs to JavaScript malware on a legitimate site called “jemgaming.net”. Source: Commtouch
  • 43. Q4 Compromised WebsitesTrend: Compromised sites used as redirect points to pharmacy and enhancer websites• Majority of the exploited sites were using the WordPress content management system• Spammers exploited a vulnerability in WordPress or in a plugin in order to hide the redirect pages• Before being redirected users are shown an initial page hidden within one of the WordPress subdirectories (see image below)
  • 44. Q4 Compromised WebsitesCompromisedsite showsmessage beforeredirectingDestinationenhancer siteHomepage of thecompromisedWordPress sitewith no changein functionality
  • 45. Q4 Compromised Websites Website categories infected with malware • Parked domains and Portals remained in the top 2 positions with pornographic sites in 3rd position (As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites) Rank Category Rank Category1 Parked Domains 6 Entertainment2 Portals 7 Shopping3 Pornography/Sexually Explicit 8 Health & Medicine4 Education 9 Travel5 Business 10 Computers & Technology Source: Commtouch Portals category includes sites offering free homepages, which are often abused to host phishing and malware content or redirects to other sites with this content
  • 46. Q4 Compromised Websites Website categories infected with phishing• This is an analysis of which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner)• Sites related to games ranked highest in Q4, similar to Q3 Rank Category Rank Category 1 Games 6 Sports 2 Portals 7 Business 3 Shopping 8 Leisure & Recreation 4 Education 9 Entertainment 5 Fashion & Beauty 10 Real Estate Source: Commtouch Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
  • 47. Q4 Compromised Websites Download the complete January 2012 Internet Threats Trend Report for more detailshttp://www.commtouch.com/threat-report-january-2012
  • 48. Trends in Q4 2011… Zombie Trends
  • 49. Q4 Zombie Trends Daily Turnover of Zombies in Q4• Q4 saw an average turnover of 209,000 zombies each day that were newly activated for sending spam• A very large decrease compared to the 336,000 of Q3 2011• Average turnover for all of 2011 – 297,500 zombies per day Daily newly activated spam zombies: Jan to Dec 2011 Source: Commtouch
  • 50. Q4 Zombie Trends Worldwide Zombie Distribution in Q4 Source: Commtouch• India again claimed the top zombie producer title, increasing its share to nearly a quarter of the world’s zombies• Brazil, once a fixture in first position, continued to drop – this quarter to 6th position (a further drop of around 3%)• Peru and Kazakhstan joined the top 15, displacing Saudi Arabia and Columbia
  • 51. Q4 Zombie Trends Download the complete January 2012 Internet Threats Trend Report for more detailshttp://www.commtouch.com/threat-report-january-2012
  • 52. Trends in Q4 2011… Web 2.0 Trends
  • 53. Q4 Web 2.0 Trends Web 2.0 Trends • “Streaming media and downloads” was again the most popular blog or page topic, but dropped 2% in Q4Rank Category Percentage Rank Category Percentage 1 Streaming Media & Downloads 22% 8 Arts 5% 2 Computers & Technology 8% 9 Sports 4% 3 Entertainment 7% 10 Education 4% 4 Pornography/Sexually Explicit 6% 11 Leisure & Recreation 3% 5 Fashion & Beauty 5% 12 Health & Medicine 3% 6 Restaurants & Dining 5% 13 Games 3% 7 Religion 5% 14 Sex Education 2% Source: Commtouch The streaming media & downloads category includes sites with MP3 files or music related sites such as fan.
  • 54. Review of Q4 2011
  • 55. Review of Q4 2011 October November December Lowest Mostspam per Speeding Spam ratio Phony airline spam per Better ticket email- reaches low Facebook itineraries lead Facebook day: 138 business day: 60 malware of 73% defacement to malware free gift billion bureau billion attack card scams malware Pizza Free iPhone Compromised ACH malware Unregistered “look what scams WordPress transaction James domains used happens” following sites host cancelled Cameron in spam Facebook death of malware malware new movie emails bikini girl Steve Jobs emails malware likejacking Source: Commtouch
  • 56. Download the complete January 2012 Internet Threats Trend Report athttp://www.commtouch.com/threat-report-january-2012
  • 57. For more information contact: info@commtouch.com 650 864 2000 (Americas) +972 9 863 6895 (International) Web: www.commtouch.comBlog: http://blog.commtouch.com

×