Commtouch’s quarterly Internet Threats Trend Report covers Web threats, phishing, malware, and spam. The first quarter of 2013 saw significant growth in unwanted and dangerous emails with a significant spike in levels occurring in March. The spike affected spam and phishing as well as malware emails. Pump and dump spam made a massive comeback. Spammers and particularly malware senders increasingly exploited current news events in their campaigns. In Web security, the first quarter of 2013 saw extensive use made of the Blackhole exploit kit.

1. 1 | Trend Report Overview Real Security. In Real Time.
Internet Threats
Trend Report
April 2013

2. 2 | Trend Report Overview Real Security. In Real Time.
The following is a condensed version
of the April 2013 Commtouch
Internet Threats Trend Report
You can download the complete report at
http://www.commtouch.com/threat-report-april-2013
Copyright© 2013 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView
are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are
registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
April 2013 Threat Report

3. Spam Trends

4. 4 | Trend Report Overview Real Security. In Real Time.
 Average 97.4 billion spam emails sent worldwide each day
 In March average rose to 117.8 billion
• March: 78.1 percent of all email were spam, a significant increase
from January when the spam share was as low as 60 percent
Spam levels

5. 5 | Trend Report Overview Real Security. In Real Time.
 Spammers use
current news topics
of the day to lure
recipients into
opening messages or
clicking on links
• Examples: New Pope
election, Cyprus
financial crisis
Event related spam

6. 6 | Trend Report Overview Real Security. In Real Time.
 Re-emergence of pump and dump or penny stock spam
• 43% in Q1
 (part of “other” category)
Spam Topics

7. 7 | Trend Report Overview Real Security. In Real Time.
Origins of spam

8. Zombie Trends

9. 9 | Trend Report Overview Real Security. In Real Time.
 Not related to spam zombie levels
• Daily levels were basically constant during the attacks
• Reports suggested that the attack was the work of one or more
organizations who resented their inclusion in one or more of the
Spamhaus blocklists
Spamhaus DDoS attack

10. 10 | Trend Report Overview Real Security. In Real Time.
 India still hosts over 12% of the world’s spam sending
zombies
• Zombie distribution was dominated by Asia (the top three and five
out of the top ten), South America (three) and Eastern Europe (two).
Zombie Hotspots

11. Malware Trends

12. 12 | Trend Report Overview Real Security. In Real Time.
 Q1 average: 973 million malware emails sent each day
• In March, volume rose by 75.1 percent compared to February
 More localized email-malware campaigns
• Eg: Zalando, hotel.de, flugladen.de
Email-attached-malware levels

13. 13 | Trend Report Overview Real Security. In Real Time.
 Single link emails sent from the compromised Yahoo
accounts
 Links lead to compromised websites which redirect to
“distribution sites”
 Distribution sites direct the visitor based on the browser type
 PC visitors sent to diet scam pages
Android targeted attacks (1)

14. 14 | Trend Report Overview Real Security. In Real Time.
 Android visitors sent to
malware download page
 Commtouch’s Antivirus
detects malware:
AndroidOS/NotCom.A
• Acts as a proxy so it’s
able to transmit and
receive network data
through the infected
android device. This
means it can steal all
kinds of sensitive data
sent or received through
the device network
connection
Android targeted attacks (2)

15. Web Security Trends

16. 16 | Trend Report Overview Real Security. In Real Time.
 The first quarter of 2013 saw extensive use made of the
Blackhole exploit kit.
• The JavaScript on the page scans the visiting system to determine
the versions of popular and operating system software such as
Adobe Flash, Adobe Reader, Java, Windows, and browsers.
• Once the kit has determined that there is vulnerability – for
example, in an older version of Adobe Flash found on the visiting
system – the relevant exploit is loaded allowing the controller to gain
a foothold on the infected system.
• Finally the Blackhole controller, having gained control of the
visitor, can now deliver further malicious content. This could include
a wide range of badware such as fake AV, ransomware, or logging
software to steal banking and Web credentials.
Blackhole exploit kit (1)

17. 17 | Trend Report Overview Real Security. In Real Time.
 A range of emails were used to drive recipients to Blackhole
hosting sites
Blackhole exploit kit (2)

18. 18 | Trend Report Overview Real Security. In Real Time.
Rank Category Rank Category
1 Education 6 Health & Medicine
2 Business 7 Transportation
3 Travel 8 Leisure & Recreation
4 Sports 9
Pornography/Sexually
explicit
5 Entertainment 10 Free Web Pages
 Analysis of which categories of legitimate Web sites were
most likely to be hiding malware pages (usually without the
knowledge of the site owner)
 Education category on top again
Web categories: malware

19. 19 | Trend Report Overview Real Security. In Real Time.
Rank Category Rank Category
1 Free Web Pages Portals 6 Shopping
2 Education 7 Travel
3 Computers & Technology 8 Real Estate
4 Business 9 Streaming Media
5 Sports 10 Health & Medicine
 Analysis of which categories of legitimate Web sites were
most likely to be hiding phishing pages (usually without the
knowledge of the site owner)
 Portals (offering free website hosting) remained at the
highest position
Web categories: phishing

20. Further Info

21. 21 | Trend Report Overview Real Security. In Real Time.
You can download the complete report at
http://www.commtouch.com/threat-report-april-2013

22. 22 | Trend Report Overview Real Security. In Real Time.
For more information contact:
sales@commtouch.com
888 974 5805 (Americas)
+49 30 5200 560 (EMEA)
+972 9 863 6888 (APAC)
Web: www.commtouch.com
Blog: http://blog.commtouch.com