Cyber Intelligence Report Whitepaper by Cyveillance



The second half of 2010 saw online fraud scams continue to grow and evolve in geographical reach and technical complexity. Traditional antivirus (AV) products, the main user protection against these blended malware-based scams, still cannot adequately detect and protect against new and quickly changing threats on the Internet, leaving consumers exposed to the shifting cyber dangers.

Learn which kinds of fraud attacks are on the rise so you can combat them before they hit your credit union members, and what the experts at Cyveillance see coming this year. Learn more about Cyveillance, online fraud, anti-phishing and secure social media management at


WHITE PAPER
Cyber Intelligence Report
A Cyveillance Report
March 2011
EXECUTIVE SUMMARY

The second half of 2010 saw online fraud scams continue to grow and evolve in geographical reach and technical complexity. Traditional antivirus (AV) products, the main user protection against these blended malware-based scams, still cannot adequately detect and protect against new and quickly changing threats on the Internet, leaving consumers exposed to the shifting cyber dangers.

The majority of malware threats on the Internet continue to originate within the United States and China. These two countries lead in almost every significant malware statistical category, which is not surprising given both countries’ large population and significant Internet presence. Other developed countries do not provide the same volume of threats as the U.S. and China, but still pose significant danger to Internet users.

Phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and emphasis on targeted attacks continues to rise. As a result, despite the number of attacks going down, the ability of phishers to be successful has risen significantly, as evidenced by the growing number of highly targeted spear phishing attacks and Advanced Persistent Threats (APTs) reported during the half. Overall, phishing continued to grow as a global problem, with nearly half of all new financial targets based in India and the Middle East.
CYBER INTELLIGENCE USED IN THIS REPORT

Except where otherwise noted, the cyber intelligence in this report comprises data collected and analyzed between July 1, 2010 and December 31, 2010. The report illustrates aggregate cyber intelligence findings that Cyveillance has delivered to its customers and partners. The intelligence detailed in this report includes the following:
 • Analysis of malware detection rates of leading AV products
 • Phishing trends along with industries and unique businesses targeted by phishing attacks
 • A breakdown of the malware distribution chain by geographic location

APPROACH

To produce the cyber intelligence used in this report, Cyveillance has leveraged its patented Internet-monitoring technology platform. The technology continually sweeps the Internet, collecting information from more than 200 million unique domain names and 190 million unique Web sites, 80 million blogs, 90,000 message boards, thousands of IRC/chat channels, billions of spam emails, shortened URLs and more.

Unless otherwise stated, it is also important to note that all figures and statistics included in this report are actual measurements as collected by Cyveillance Internet-monitoring technology rather than statistical projections based upon sample datasets.

DOES ANTIVIRUS SOFTWARE PROVIDE ADEQUATE PROTECTION AGAINST MALWARE?

To better understand the risks consumers face daily from the Internet, and given the continued rise of active malware on the Internet, Cyveillance tested malware uncovered on the Internet against many of the top AV products.

On a daily basis, Cyveillance detects hundreds to thousands of new malware attacks. To measure the effectiveness of some of the most widely used solutions, Cyveillance ran these active attacks through 13 of the top AV vendor offerings. All AV offerings were continuously patched and updated with the latest signatures. The data was delivered in real time and consisted of only confirmed malicious files. The average non-detection rates of the solutions used during the second half of 2010 are below:

Figure 1 – Percent of Malware Not Detected on Day One
Source: Cyveillance
These companies have U.S. copyrights for their corporate names and/or products listed in the chart above, and are listed only to indicate the research results for informational purposes and no other.
As the results show, almost all of the most popular AV solutions detect less than half of the latest malware threats on day one. So if you visit a malicious website you could have a more than one in two chance of being infected with malware.

MALWARE

Since 2006, Cyveillance has tracked an online “fraud chain” comprising malware components that store and serve malware executables, distribute malware to consumers, and receive and store the confidential information collected from infected computers. The following are definitions related to the fraud chain components analyzed in this report:
 1. Malware Hosting Sites - sites hosting and serving up the actual binary malware files
 2. Malware Distribution Sites - tainted Web sites that distribute malware to their visitors
 3. Malware Drop Sites - sites that collect sensitive and personally identifiable information

UNITED STATES AND CHINA HOST OVER A THIRD OF ALL MALWARE EXECUTABLES

Malware hosting sites store and serve up malware executables. These sites typically deliver their binary files based upon inline references located on the malware distribution sites. Servers located in the United States and China host over a third of all malware executables, representing 38% of malware binaries found during the second half of 2010.

Figure 2 – Top Malware Hosting Locations 2H 2010
 Country              % of All Sites
 United States        25%
 China                13%
 United Kingdom       11%
 Germany               6%
 Korea                 3%
 Russian Federation    3%
 Canada                2%
 France                2%
 Brazil                2%
 Netherlands           1%
 All Others           33%
Source: Cyveillance

UNITED STATES AND CHINA DISTRIBUTE MORE THAN HALF OF ALL MALWARE

Malware distribution sites are used to attract Web surfers for the purpose of installing malicious code on their computers. Visitors to these sites are infected with malicious software that is installed from the malware hosting sites previously described. Distribution sites are typically established as a means of targeting specific types of Internet users. As illustrated below, and similar to the results of the preceding section, the United States and China are responsible for distributing well over half of all malware on the Internet.
Figure 3 – Top Malware Distribution Site Locations 2H 2010
 Country              % of All Sites
 China                32%
 United States        27%
 United Kingdom       12%
 Korea                 4%
 Canada                4%
 Germany               2%
 Spain                 2%
 Russian Federation    2%
 France                2%
 Netherlands           2%
 All Others            9%
Source: Cyveillance

MALWARE USED FOR FINANCIAL FRAUD

There are many types of malware, ranging from “bot” programs used to launch spam and denial of service (DoS) attacks to keyloggers and backdoor Trojan viruses used for stealing sensitive information. While all malware presents a threat, the variations used for financial fraud typically cause the most harm to consumers. The following types of malware usually reside unnoticed on the user’s computer while forwarding personal information to a master server controlled by criminals:
 • Keyloggers: programs that, without user knowledge, track and record activities such as sites visited and keystrokes made; these are then uploaded to an outside Web server
 • Downloaders: programs that contain location and login information for malware servers. When invoked, the programs contact the remote malware server to facilitate additional malware downloads to the host computer
 • Backdoors: programs that allow unauthorized access to information or computer resources by bypassing security mechanisms
 • Bot Clients: applications that allow unauthorized access to and/or control over a user’s computer in order to help facilitate malicious activity such as spamming or DoS attacks
 • Re-Directors: applications that redirect a browser to a fraudulent website when the user enters a legitimate URL in the browser’s address bar
 • Data Miners: programs that collect and analyze information without the user’s knowledge
USA, GERMANY AND CHINA HOST OVER HALF OF ALL MALWARE DROP SITES

Malware drop sites are established to collect the information from infected computers that use keyloggers, screen scrapers and other approaches to passively harvest sensitive personal information. Three countries, the United States, Germany and China, host over half of all malware drop sites on the Internet.

Figure 4 – Top Malware Drop Site Locations 2H 2010
 Country              % of All Sites
 United States        23%
 Germany              16%
 China                15%
 Russian Federation    5%
 India                 5%
 Taiwan                5%
 Brazil                4%
 Poland                2%
 Korea                 2%
 Spain                 1%
 All Others           23%
Source: Cyveillance

PHISHING

During the second half of 2010, Cyveillance detected a total of 114,797 phishing attacks, for an average of over 19,000 unique attacks per month for the period. The number of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks results in greater success and more lucrative opportunities for online criminals. While the number of spam attacks is down, the threat of phishing attacks remains high as phishers become cleverer in their attack schemes.

Figure 5 – Phishing Attack Volume 2H 2010
Source: Cyveillance
Phishing is a social engineering scam that relies on both technology and human interaction to carry out online fraud, identity theft or attempts to breach corporate networks. The schemes are varied but typically involve a spoofed (spam) email that mimics an email from a legitimate and respected organization. The email solicits the recipient to click on a link in order to update account information or view a marketing promotion. After clicking on the link, the individual is connected to a counterfeit website that requests sensitive personal information (e.g., username and password, credit card number, Social Security number, etc.). The information collected is then used for purposes of identity theft or accessing secure data.

UNITED STATES HOSTS NEARLY HALF OF ALL PHISHING ATTACKS

The United States hosted 41% of all phishing attacks for the 2nd half of 2010, more than the remainder of the top 10 countries combined.

Figure 6 – Phishing Hosting Location 2H 2010
 Country              % of All Sites
 United States        41%
 Netherlands           6%
 Great Britain         5%
 Germany               4%
 Canada                4%
 France                3%
 Italy                 2%
 Australia             2%
 Malaysia              2%
 Russian Federation    2%
 All Others           28%
Source: Cyveillance

84 ORGANIZATIONS WERE PHISHING TARGETS FOR THE FIRST TIME IN SECOND HALF OF 2010

During the second half of 2010, 84 brands were first-time targets of phishing attacks, which is a decrease from the first half of the year. As usual, the overwhelming majority of the new targets are related to the financial industry. A large portion of these new targets are based in India and the Middle East, providing further evidence that the problem of phishing continues to grow globally and criminals are constantly looking for new revenue growth opportunities. Overall, Cyveillance has documented nearly 3,000 unique brands attacked since 2005.

Figure 7 – Total Unique Brands Phished through 2H 2010
Source: Cyveillance
Figure 8 – New Brands Attacked
 1H 2009   2H 2009   1H 2010   2H 2010
     200       399       109        84
Source: Cyveillance

Figure 9 – New Brands Attacked for First Time in 2H 2010 by Industry
Source: Cyveillance

Figure 10 – Total Unique Brands Attacked Since 2005 by Industry
Source: Cyveillance
MANY PHISHING TACTICS RELATIVELY UNCHANGED

As illustrated in Figure 11 and based on sampled data, phishers’ use of a target’s brand name, or a variation of the brand name, in the domain name remains low at 8% of attacks. However, the use of a target’s brand name in the overall phishing attack URL rather than just the domain name is significantly higher, at 60%. The disparity between the two statistics is due to the extra effort required from the phisher to obtain the domain, as well as the increased likelihood of the attack being detected by anti-phishing companies monitoring new domain name registrations. Including the target’s brand name in the URL involves nothing more than a few keystrokes while setting up the attack.

Additionally, phishers frequently launch attacks using compromised Web servers. While there is no practical way to secure all servers on the Internet, Web masters could make setting up attacks more difficult for the phishers simply by keeping their software up to date and monitoring file structures.

Figure 12 – Phishing Attack Trends 1H 2010
                                                                1H 2009  2H 2009  1H 2010  2H 2010
 Percentage of phishing attacks that only use an IP address:       8%      10%       9%       8%
 Percentage of phishing URLs that use brand name:                 46%      49%      52%      60%
 Percentage of phishing domains that use brand name:               4%       4%       3%       3%
 Percentage of phishing attacks that use a compromised site:      59%      56%      62%      64%
Source: Cyveillance

CONCLUSION

The online fraud environment continued to flourish for cyber criminals in the second half of 2010, posing serious danger to both consumers and businesses. Attacks continued to become more distributed, operating from regions around the globe and leveraging distributed resources to evade detection and law enforcement efforts. With nearly half of all new financial phishing targets based in India and the Middle East, the increasing global nature of online fraud is evident.
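The three URL-level tactics tracked in Figure 12 above (a bare IP address as the host, the brand name inside the registered domain, and the brand name anywhere in the URL) can be measured mechanically over a feed of confirmed phishing URLs. The Python script below is an added example, not Cyveillance's code or tooling. Everything in it is constructed: the brand name "examplebank", the URLs (which use only reserved documentation hosts and addresses), and the registrable-domain logic, which is a deliberately naive last-two-labels assumption that a production version would replace with the Public Suffix List. The fourth Figure 12 measure, use of a compromised site, needs hosting and ownership intelligence that the URL alone does not carry, so it is not computed here.

```python
"""Score confirmed phishing URLs against the URL-level tactics tracked in
Figure 12: IP-only hosts, brand name in the registered domain, and brand
name anywhere in the URL. Added example with constructed sample data."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of (phishing URL, targeted brand) pairs. Hosts use
# RFC 2606 reserved names and RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_ATTACKS = [
    ("http://203.0.113.10/login/examplebank/index.php", "examplebank"),
    ("http://www.examplebank-secure.example/update", "examplebank"),
    ("http://compromised-blog.example.org/wp-content/examplebank/", "examplebank"),
    ("http://[2001:db8::1]/verify", "examplebank"),
    ("http://random-host.example.com/acct/verify.html", "examplebank"),
]


def hostname_is_ip(host: str) -> bool:
    """True when the URL host is a bare IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Assumed simplification: the last two DNS labels of the host.
    This mis-handles multi-label public suffixes such as co.uk; a real
    deployment should use the Public Suffix List. IP literals are returned
    unchanged so they never match a brand."""
    if hostname_is_ip(host):
        return host
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, brand: str) -> dict:
    """Return the three boolean tactic flags for one attack URL.

    brand_in_domain means the phisher registered (or controls) a domain
    that carries the brand, which is the costly, registration-monitored
    tactic; brand_in_url also counts the cheap trick of placing the brand
    in a subdomain, path or query string of some other host."""
    host = (urlsplit(url).hostname or "").lower()
    needle = brand.lower()
    ip_only = hostname_is_ip(host)
    return {
        "ip_only": ip_only,
        "brand_in_domain": (not ip_only) and needle in registrable_domain(host),
        "brand_in_url": needle in url.lower(),
    }


def tactic_rates(attacks) -> dict:
    """Percentage of attacks showing each tactic, rounded to 0.1 point,
    in the same shape as the first three rows of Figure 12."""
    counts = {"ip_only": 0, "brand_in_domain": 0, "brand_in_url": 0}
    if not attacks:
        return {key: 0.0 for key in counts}
    for url, brand in attacks:
        flags = classify(url, brand)
        for key in counts:
            counts[key] += int(flags[key])
    total = len(attacks)
    return {key: round(100.0 * n / total, 1) for key, n in counts.items()}


if __name__ == "__main__":
    for url, brand in SAMPLE_ATTACKS:
        print(url, classify(url, brand))
    print(tactic_rates(SAMPLE_ATTACKS))
```

Run over the constructed sample, brand_in_url is far above brand_in_domain, which is the same gap the report describes: only the brand_in_domain cases involve a registration that a new-domain monitor would catch, so a defender watching registrations alone sees a small fraction of brand abuse and still needs URL- and content-level detection for the rest.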
Cyveillance also continued to see growth in the volume of highly targeted attacks such as spear and whale phishing, frequently associated with Advanced Persistent Threats (APTs). As evidenced in the Aurora attack earlier in 2010, the impact of these attacks can be devastating if undetected over a period of time.

Looking forward to the first half of 2011 and beyond, Cyveillance expects to see:
 • Traditional phishing attacks remaining a significant issue for organizations due to the continued expansion of attack vectors such as blended attacks with malware.
 • Increased use of advanced technologies such as the automation of spear phishing attacks, especially for attacks attempting to gain access to corporate networks and secure data.
 • Increased targeting of cell phones and mobile devices for malware attacks and fraud schemes.
 • Targeting of medical records and exploiting social media sites where people disclose their illnesses.
 • More targeted malware to penetrate specific industrial platforms.
 • The continued exploitation by criminals of social networking sites and Web 2.0 functionality for purposes of online fraud, malware distribution and accessing corporate networks for data exfiltration.
 • The continued use of brand abuse tactics for the distribution of malware, deceiving consumers and impacting the credibility of company brands.

ABOUT CYVEILLANCE

Cyveillance, a world leader in cyber intelligence, provides an intelligence-led approach to security. Through continuous, comprehensive Internet monitoring and sophisticated intelligence analysis, Cyveillance proactively identifies and eliminates threats to information, infrastructure, individuals and their interactions, enabling its customers to preserve their reputation, revenues, and customer trust. Cyveillance serves the Global 2000 and OEM Data Partners – protecting the majority of the Fortune 50, regional financial institutions nationwide, and more than 100 million global consumers through its partnerships with security and service providers that include AOL and Microsoft. Cyveillance is a wholly owned subsidiary of QinetiQ North America. For more information, please visit or

Copyright © 2011 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.
Cyveillance, Inc, 1555 Wilson Boulevard Suite 406 Arlington, VA 22209-2405 888.243.0097