July 2011 Internet Threats Trend Report

The Commtouch Quarterly Trends Threat Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The July 2011 edition provides analysis of Internet security threats that occurred during the second quarter of 2011.

You can download the complete report at http://www.commtouch.com/threat-report-July2011.


  1. Internet Threats Trend Report, July 2011
  2. July 2011 Threat Report. The following is a condensed version of the July 2011 Commtouch Internet Threats Trend Report. Download the complete report at www.commtouch.com/threat-report-July2011. Copyright © 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
  3. July 2011 Threat Report, contents: 1 Key Highlights; 2 Feature: Where did all the spam go?; 3 Trends: Spam, Malware, Web Security, Compromised Websites, Phishing, Zombies and Web 2.0
  4. Key Highlights for Q2 2011
  5. Key Security Highlights. Average daily spam/phishing emails sent: 113 billion. Average daily spam down from Q1; lowest level in 3 years.
  6. Key Security Highlights. Zombie daily turnover: 377,000 zombies. Number of zombies turned off and on daily, up significantly from 258,000 in Q1.
  7. Key Security Highlights. Most popular blog topic on user generated content sites (no change): Streaming media/downloads. The streaming media & downloads category includes sites with live or archived media for download or streaming content, such as Internet radio, Internet TV or MP3 files.
  8. Key Security Highlights. Most popular spam topic: Pharmacy ads. While it was the most popular spam topic, it was down to only 24% of all spam, compared to 28% in Q1.
  9. Key Security Highlights. Country with the most zombies (no change): India. India continues to lead with 17% of all zombies.
  10. Key Security Highlights. Website category most likely to be compromised with malware: Pornography and sexually explicit material.
  11. Feature: Where did all the spam go?
  12. Q2 2011 Spam Trends (average daily spam emails sent; source: Commtouch)
      • Q2 spam was at its lowest level in 3 years
      • June's spam level: 106 billion
      • At its lowest point in June, spam accounted for 75% of all emails
  13. Q2 2011 Spam Trends: chart of spam levels and spam percentage, March to June 2011 (spam, ham and % spam), marking the Rustock takedown on 16th March. Source: Commtouch.
  14. Q2 2011 Spam Trends
      • Indications are that spammer tactics are changing
      • The mid-March 2011 Microsoft-led takedown of the Rustock botnet immediately dropped spam levels by 30%, to an average of 119 billion messages per day
      • In the past, such takedowns have resulted in only temporary spam level drops, followed by increased activity to build new botnets and resume mass mailings
  15. Q2 2011 Spam Trends: other changes in Q2 spam activity
      • The Rustock takedown was followed by large increases in email-borne malware
      • The number of zombies activated daily more than doubled in the weeks following the malware outbreaks
      • The increased zombie horde was not used for vast spam mailings (hence the declining spam numbers) but instead for smaller malware distribution attacks
      • Spam coming from compromised or spammer accounts, as well as from compromised mail servers, has increased
  16. Q2 2011 Spam Trends: analysis of compromised accounts. A percentage of emails from Gmail and Hotmail actually come from genuine accounts, either compromised accounts or accounts specifically created by spammers.
      • Almost 30% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts
      • Gmail spam comes mostly from zombies that simply forge Gmail addresses
      Source: Commtouch
  17. Q2 2011 Spam Trends. Analysis: things are different this time, as spammers are changing their tactics. Download the complete July 2011 Internet Threats Trend Report for a complete review of the changing tactics of cybercriminals: www.commtouch.com/threat-report-July2011
  18. Trends in Q2 2011: Spam Trends
  19. Spam Trends: spam sending domains. Commtouch monitors the domains used by spammers in the "from" field of spam emails, typically faked in order to give the impression of a reputable, genuine source.
  20. Spam Trends: top faked spam sending domains (the domains that spammers use in the "from" field of spam emails; source: Commtouch)
      • Note "ups.com" in 14th place, due to the very large numbers of fake UPS notification emails sent in Q2
      • See more details on the UPS outbreak in this quarter's complete Internet Threats Trend Report
  21. Spam Trends: spam topics (source: Commtouch)
      • Pharmacy spam remained in the top spot but dropped to only 24% (down from 28% in Q1 2011)
      • 419 fraud, phishing, and pornography all increased
  22. Spam Trends
      • Q2 2011 also saw the emergence of e-cigarette spam. The French email shown promotes the health benefits of e-cigarettes due to the absence of 4,000 unwanted substances found in a normal cigarette
  23. Trends in Q2 2011: Malware
  24. Q2 2011 Malware Trends
      • End of Q1 2011
        • Enormous outbreaks of email-borne malware (up to 30% of global email traffic)
        • Initial attachments were "UPS package notifications"
        • Then the subjects changed to "DHL package notifications"
      • Start of Q2 2011
        • Attacks continued on a smaller scale
        • Switched to "FedEx notifications"
  25. Examples of Malware. Attack: IRS Payment Rejected. Purpose: most likely password theft. How it works:
      • Email appears to be from the IRS (US government income tax authority)
      • Message informs recipients that their tax payments via the electronic payment system were rejected
      • A link is provided to receive a "tax transaction report" (actually a .exe file described as a self-extracting PDF file)
  26. Examples of Malware
      • Links lead to one of 2,500 domains registered in the 48 hours before the attack
      • Upon clicking the link, the user gets to a page with a "404 not found" message, which hides the script that starts the virus download
  27. Examples of Malware Attacks. Attack: PDF Malware. Purpose: capture keystrokes and browser activity. How it works:
      • Targets financially knowledgeable victims using the term "stat arb" (foreign exchange trading term) in the subject
      • The extracted file appears to be a PDF, but is actually an executable file
      • When the file runs, it actually shows a non-malicious PDF file in a fake PDF reader window
  28. Examples of Malware Attacks: email with attachment; fake PDF file and reader (screenshots)
  29. Malware Trends: Top 10 Malware of Q2 2011 (source: Commtouch)
      Rank  Malware name
      1     IFrame.gen
      2     W32/Ramnit.E
      3     W32/Worm.BAOX
      4     W32/RAHack.A.gen!Eldorado
      5     W32/Sality.gen2
      6     W32/Worm.MWD
      7     W32/VBTrojan.17E!Maximus
      8     W32/Ramnit.D
      9     W32/Mydoom.O@mm
      10    W32/Vobfus.L.gen!Eldorado
  30. Malware Trends: read about more malware attacks in the complete July 2011 Threat Report at http://www.commtouch.com/threat-report-July2011
  31. Trends in Q2 2011: Web Security
  32. Q2 Threats: Facebook's vast and ever-increasing user base continues to attract cybercriminals.
      The pros (for the attacker):
      • Trusted friend environment means users don't suspect a message is coming from a compromised account
      The cons:
      • Need compromised accounts to access other accounts
      • Friend networks rarely exceed a few hundred people
      • Facebook has implemented mechanisms to detect multiple simultaneous message postings
  33. Q2 Facebook Threats: exploits in Q2 2011. Several techniques combined with social engineering elements were used to compromise Facebook user accounts in Q2 and increase the scale of attacks.
  34. Q2 Facebook Threats. Example: Osama Bin Laden death exploited by affiliate marketing groups
      • Goal of exploit: affiliates earn money by driving victims to sites that pay bonuses based on clicks or successful sign-ups
      • How the exploit worked: initial Osama-themed messages were sent from several compromised accounts and then quickly spread to draw users to the affiliated sites (see flow on next slide)
  35. Q2 Facebook Threats: Osama Bin Laden affiliate marketing exploit (flow diagram)
      1. User receives a message or event invitation from a friend promising a video of Bin Laden's death. The message tricks the user into running a malicious JavaScript while Facebook is open.
      2. The infected user is led to a site with a YouTube clip of President Obama announcing the operation.
      3. The site then quickly redirects to an affiliate marketing page.
      4. With access to the user's friends, the malware sends out more invitations to continue the cycle.
  36. Q2 Facebook Threats: Osama Bin Laden – users run this script (screenshot)
  37. Q2 Facebook Threats: additional Facebook exploits in Q2
      • See who's been viewing your profile
      • Free Facebook credits
      • How many girls and boys have viewed your wall
      Download the complete July 2011 Internet Threats Trend Report for more details on these exploits: www.commtouch.com/threat-report-July2011
  38. Other trends in Q2 2011: Compromised Websites
  39. Compromised Websites: trends in compromised websites
      • Compromised websites are being used to hide phishing pages and malware
      • Benefits to the cybercriminal:
        • Legitimate domains most likely have a good reputation in URL filter engines, so they are not likely to be blocked
        • Provides free hosting
  40. Compromised Websites. Example: iPhone 5 virus (May 2011)
      • Malicious email distributed with the promise of details regarding the soon-to-be-released "iPhone 5G S"
      • Images and links in the email point to a file "iphone5.gif", but it is actually a malware file "iphone5.gif.exe"
  41. Compromised Websites. Example: iPhone 5 virus (May 2011)
      • Examination of the link reveals the malware is hidden inside a compromised, legitimate website (see image)
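The malware examples in this report share one trick: an executable posing as a document or image, either by name ("iphone5.gif.exe", a .exe sold as a "self-extracting PDF") or by content (the "stat arb" file that looks like a PDF). The following is an added example, not code from the report or from Commtouch, of the kind of attachment check a mail gateway or download scanner can apply; the sample files, their names and their leading bytes are constructed for illustration.

```python
import os

# Extensions attackers use as disguises, and genuine executable extensions.
DOCUMENT_EXTS = {".pdf", ".gif", ".jpg", ".png", ".doc", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Leading bytes genuine files of these types start with (standard values, not from the report).
MAGIC = {".pdf": b"%PDF", ".gif": b"GIF8", ".png": b"\x89PNG"}
PE_MAGIC = b"MZ"  # header of a Windows executable


def extensions(filename):
    """All extensions of a name, lowercased: 'iphone5.gif.exe' -> ['.gif', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_file(filename, data):
    """Return the reasons this file looks like a disguised executable (empty list if none)."""
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    findings = []
    if final in EXECUTABLE_EXTS:
        findings.append("executable extension " + final)
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            findings.append("double extension posing as " + exts[-2])
    elif final in DOCUMENT_EXTS:
        if data.startswith(PE_MAGIC):
            findings.append("PE header inside a " + final + " file")
        elif final in MAGIC and not data.startswith(MAGIC[final]):
            findings.append("missing " + final + " header")
    return findings


# Constructed sample files modelled on the report's cases (not real malware bytes).
SAMPLES = {
    "iphone5.gif.exe": b"MZ\x90\x00" + b"\x00" * 60,  # iPhone 5 virus: .gif that is really .exe
    "tax_transaction_report.exe": b"MZ\x90\x00",      # IRS lure: .exe described as a PDF
    "stat_arb_report.pdf": b"MZ\x90\x00",             # PDF name, executable content
    "invoice.pdf": b"%PDF-1.4\n",                     # genuine PDF
    "photo.gif": b"GIF89a" + b"\x00" * 10,            # genuine GIF
}


def scan_samples():
    """Classify every constructed sample; name -> list of findings."""
    return {name: classify_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'clean' if not findings else '; '.join(findings)}")
```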
  42. Compromised Websites: website categories infected with malware
      Rank  Category
      1     Pornography/Sexually Explicit
      2     Parked domains
      3     Portals
      4     Education
      5     Entertainment
      6     Business
      7     Health & Medicine
      8     Travel
      9     Computers & Technology
      10    Fashion & Beauty
      The Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
  43. Compromised Websites: download the complete July 2011 Internet Threats Trend Report for more details on compromised websites: www.commtouch.com/threat-report-July2011
  44. Other trends in Q2 2011: Phishing Trends
  45. Phishing Trends
      • Phishing attacks continued to target:
        • Local and global banks
        • Web email users
        • Facebook accounts
        • Online gaming sites
  46. Phishing Trends. Example: Facebook phishing page
      • Users are asked to enter their credentials to overcome a security warning on the page
      • By entering credentials, they provide the phisher with valid Facebook access details that can be used or sold to other cybercriminals
  47. Phishing Trends: improved phishing sites
      • In an attempt to provide protection from keyloggers, some financial institutions provide a virtual keyboard which users must use to enter their login information and passwords
      • Phishers have now added these keyboards, which mimic the original, to their phishing pages (see example on next page)
  48. Phishing Trends: improved phishing sites. Fake Abu Dhabi Commercial Bank (ADCB) site complete with a reproduced virtual keyboard (screenshot)
  49. Compromised Websites: website categories infected with phishing
      Rank  Category
      1     Games
      2     Portals
      3     Shopping
      4     Forums/Newsgroups
      5     Non-profits & NGO
      6     Fashion & Beauty
      7     Leisure & Recreation
      8     Sports
      9     Education
      10    Business
      The Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
  50. Phishing Trends: download the complete July 2011 Internet Threats Trend Report for more details on phishing: www.commtouch.com/threat-report-July2011
  51. Trends in Q2 2011: Zombie Trends
  52. Zombie Trends: daily turnover of zombies in Q2 (source: Commtouch)
      • Average of 377,000 zombies newly activated each day for malicious activity
      • Substantial increase compared to the 258,000 in Q1
  53. Zombie Trends: worldwide zombie distribution in Q2 (source: Commtouch)
      • India remains atop the list with 17%
      • Brazil, Vietnam, and the Russian Federation all remained in the same places
      • Peru and Argentina dropped out of the top 15, replaced by Romania and Morocco
  54. Zombie Trends: zombies and IPv6
      • As IPv4 addresses reach exhaustion, IPv6 addresses will become more prevalent
      • The vast number of IPs available to a zombie makes blocking a specific IP associated with a zombie impossible
      • Blocking a range of IPs has issues:
        • May block other users/devices that are not malicious (i.e. generates false positives)
        • No standard IP range allocation is currently defined, so it is difficult to know how wide a range of IPs should be blocked
  55. Zombie Trends: zombies and IPv6
      • Commtouch has begun to monitor spam received from IPv6 sources, and future Internet Threats Trend Reports may include relevant data as IPv6 traffic grows
      • Two on-demand webcasts are available from Commtouch providing information on IPv6 and potential threats:
        • An introduction to IPv6
        • Overview of IPv6 threats
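The IPv6 blocking problem on slide 54 can be made concrete with a small prefix-reputation model. This is an added example, not Commtouch's method: spam-source addresses are aggregated per prefix, a prefix is listed only once a threshold of distinct senders has been seen in it, and the same lookup shows both why listing single addresses is futile and how a listed prefix catches legitimate neighbours. The observation list and the thresholds are constructed for illustration; the prefix lengths are assumptions, since the report notes no standard allocation is defined.

```python
import ipaddress
from collections import defaultdict

# Constructed spam-source observations (not report data): one zombie rotating
# through interface identifiers inside a single /64, plus two senders in another /64.
OBSERVED_SPAM_SOURCES = [
    "2001:db8:1:2::a1", "2001:db8:1:2::a2", "2001:db8:1:2::a3",
    "2001:db8:1:2:1234:5678:9abc:def0",
    "2001:db8:9:9::1", "2001:db8:9:9::2",
]


def prefix_counts(addresses, prefixlen=64):
    """Number of distinct spam-source addresses seen per prefix of the given length."""
    hosts = defaultdict(set)
    for a in addresses:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        hosts[net].add(ipaddress.ip_address(a))
    return {net: len(seen) for net, seen in hosts.items()}


def prefixes_to_block(addresses, prefixlen=64, min_hosts=3):
    """Prefixes whose distinct-sender count reaches min_hosts (assumed threshold)."""
    counts = prefix_counts(addresses, prefixlen)
    return sorted(net for net, n in counts.items() if n >= min_hosts)


def is_blocked(address, blocked):
    """True if the address falls inside any listed prefix (a per-address list would
    never match the zombie's next, never-before-seen address)."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in blocked)


def blocked_as_strings(addresses, prefixlen=64, min_hosts=3):
    return [str(net) for net in prefixes_to_block(addresses, prefixlen, min_hosts)]


if __name__ == "__main__":
    for plen in (64, 48, 32):  # the wider the prefix, the more collateral blocking
        print(plen, blocked_as_strings(OBSERVED_SPAM_SOURCES, plen))
```

With the /64 list, the zombie's next address is caught, but so is a legitimate host such as 2001:db8:1:2::50 in the same /64, which is the false-positive problem the slide describes.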
  56. Trends in Q2 2011: Web 2.0 Trends
  57. Web 2.0 Trends: most popular user generated content sites (source: Commtouch)
      Rank  Category                        %
      1     Streaming Media & Downloads     21%
      2     Entertainment                   9%
      3     Computers & Technology          8%
      4     Pornography/Sexually Explicit   5%
      5     Shopping                        5%
      6     Arts                            4%
      7     Fashion & Beauty                4%
      8     Religion                        4%
      9     Sports                          4%
      10    Restaurants & Dining            4%
      11    Education                       3%
      12    Leisure & Recreation            3%
      13    Health & Medicine               3%
      14    Games                           2%
  58. Review of Q2 2011
  59. Review of Q2 2011 (summary chart; source: Commtouch)
  60. Download the complete July 2011 Internet Threats Trend Report at www.commtouch.com/threat-report-July2011
  61. For more information contact: info@commtouch.com, 650 864 2000 (Americas), +972 9 863 6895 (International). Web: www.commtouch.com. Blog: http://blog.commtouch.com