The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats.
The January 2012 edition provides analysis of Internet security threats that occurred during the fourth quarter of 2011. This edition also provides an overview of Facebook attacks that occurred throughout 2011.
3. January 2012 Threat Report
1 Key Highlights
2 Feature – Facebook Attacks: The year in review
3 Trends – Malware, Spam, Web Security, Compromised Websites and Zombies
5. Key Security Highlights
Average daily spam/phishing emails sent
101 Billion
Spam levels increased marginally in November and December 2011
6. Key Security Highlights
Spam Zombie daily turnover
209,000 Zombies
A very large decrease compared to the 336,000 in Q3
(Zombie turnover is the number of zombies turned off and on daily)
7. Key Security Highlights
Most popular blog topic on user generated content sites
Streaming media/downloads (22%)
Streaming media & downloads remains in top spot but dropped 2% from Q3
Includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment)
9. Key Security Highlights
Country with the most Zombies
India (23.5%)
India increased its share in Q4 to nearly one quarter of the world’s zombies
10. Key Security Highlights
Website category most likely to be compromised with malware
Parked Domains
“Parked domains” and “Portals” remained in the top 2 positions with “pornographic sites” in 3rd position
11. Feature… Facebook Attacks – The year in review
12. Facebook Attacks – 2011
Facebook Attacks in 2011
• Continues to be an attractive target for attacks from malware distributors, scammers and plain old jokers
• Most Facebook attacks ultimately lead victims to affiliate marketing/survey sites
• Q4 2011 saw increases in free-merchandise scams
13. Lifecycle of Facebook Attacks
The 3 Stages of Facebook Attacks
Stage 1 – The Catch: Enticing offer or information inspiring action by a Facebook user
Stage 2 – Spreading the Attack: Ensure the attack continues/spreads
Stage 3 – The Goal: What the cybercriminals want to gain or achieve
14. The Catch - 4 Tactics
The 4 ways Facebook users are tricked into “liking”, following a link or adding an app
1. Free goods
– Items ranging from headphones to gift cards to unreleased Facebook phones
2. Sensational headlines on current news issues
Examples:
– Death of Osama Bin videos
– Death of Steve Jobs “free iPad/iPhone” scams
15. The Catch - 4 Tactics
3. Must see tragic/amazing events with call to action
– Users follow a link, or click on Like to see a shocking video/photo, or forward a chain message
The Spanish in the example above translates to “Look what happens”.
4. Must-have Facebook app download
Example of popular attack:
– Mythical app allowing users to see who has been viewing their profile and get a breakdown of boy and girl views of their profile
16. The Catch – Summary
Summary of Catch Tactics
• Social engineering is the key to the tactics used to “catch” Facebook victims
• Usage is spread nearly evenly across the four tactics described above
– Most used tactic – “must see this” (36%)
– Most common tactic in second half of 2011 – “free stuff” (26%)
17. Spreading Attacks
How Facebook Attacks are Propagated
• Cybercriminals abuse the inherent trust of Facebook friends
• 4 main methods for spreading attacks:
1. Tricking users into sharing
2. Likejacking
3. Rogue applications
4. Malware and “self-XSS”
18. Spreading Attacks
Tricking users into sharing
• Users are aware that they are liking/sharing a page, but do so under false pretenses
• Example attacks:
– Scams promising free gift cards in exchange for a like/share
– Users post a hoax they believe to be true, warning other users about a (nonexistent) virus or telling them the sad tale of a (nonexistent) abused child
19. Spreading Attacks
Likejacking
• A common tactic is to entice users to see a video
• The video player may be functional, but the page includes scripts that use any mouse click to generate a “like”
• Users are unaware that they have liked a page, but the “like” is used to lead more friends to the video
20. Spreading Attacks
Rogue applications
• Apps users believe provide worthwhile functionality
– Example: An app promising to reveal who has been viewing your profile
• Users grant these apps permission to access parts of their user profile as well as post on their wall
– Wall posts are then used by the rogue app to spread further within Facebook
21. Spreading Attacks
Malware and “self-XSS”
• Malware unwittingly installed on a user's PC hijacks their Facebook session for posts and other activity
• How it works
– Traditional cross site scripting (XSS) attacks rely on a hidden script within a webpage to hijack a Facebook session
– Self-XSS means that the malicious script was activated by the user (the “self”), giving another site access to the Facebook session
22. Spreading Attacks
– Users are tricked into activating a script by copying it directly into their browser
– In most cases scripts will direct to an external site (the “cross-site” of “cross-site scripting”) and then post a wall post or an event invite, which others view and in turn help to further propagate the attack
23. Goal of Attacks
Goal of the Facebook Attack
The goals of cybercriminals with Facebook attacks can be divided into the following categories:
• Marketing affiliate/survey sites
• Chain posts and hoaxes
• Other
24. Goal of Attacks
Marketing affiliate/survey sites
• Benefit to Cybercriminals:
– Affiliate payments for driving users to specific sites
– Collection of personal data to be used in identity theft
• Users are led to believe that completion of a form will result in a free gift (iPhone, gift card, cap, etc.)
• They may also be tricked into signing up for unwanted products
25. Goal of Attacks
Chain Posts and Hoaxes
• The Benefit to Cybercriminals:
– Pranksters having a laugh at the expense of unaware Internet users
• Users like or share stories of abused children or devastating computer viruses
• Many of the fake stories circulated as chain emails many years ago and have been reused
26. Goal of Attacks
Other types of attack
• Defacement
– Benefit to Cybercriminal: Embarrass Facebook
• Spreading malware
– Benefit to Cybercriminal: Spread malware that steals passwords or sends spam
• Collecting Likes
– Benefit to Cybercriminal: Generate an enormous number of likes of a page (several hundred thousand in some cases) but with no clear further malicious purpose
27. Facebook Attacks Summary
Summary of 2011 Facebook Attacks
Some progress made during 2011 to stop attacks
• Various attacks more quickly detected and removed by Facebook
• Almost no recent reports of rogue applications compared to the numerous examples from the first half of the year
• Some attack methods, such as self-XSS, almost completely eliminated (due to security updates by major browser vendors)
• “Free merchandise” scams are still common
28. Q4 Malware Trends
For a complete analysis of Facebook attacks in 2011, download the complete January 2012 Internet Threats Trend Report
http://www.commtouch.com/threat-report-january-2012
30. Q4 Malware Trends
• The large amounts of email-malware in 2011 were a surprise to many analysts
• Analysts had predicted the continued demise of the spam threat vector following a quiet 2010
• The mass malware-attachment outbreaks of late Q3 subsided in Q4, as can be seen in the chart below
• Multiple “blended threat” email outbreaks were tracked by Commtouch in Q4
– Involved emails and malware hosted on compromised websites
32. Q4 Malware Trends
Top 10 Malware of Q4 2011
Rank  Malware name
1     W32/Swizzor-based!Maximus
2     W32/Brontok.A.gen!Eldorado
3     JS/IFrame.HC.gen
4     W32/Virut.9264
5     W32/Heuristic-210!Eldorado
6     W32/MyWeb.D
7     W32/Tibs.K.gen!Eldorado
8     W32/Mabezat.A-2
9     W32/Virtumonde.T.gen!Eldorado
10    W32/Mywebsearch.B.gen!Eldorado
Source: Commtouch
33. Q4 Malware Trends
For a complete analysis of malware in Q4 and the specific attacks employed, download the complete January 2012 Internet Threats Trend Report
http://www.commtouch.com/threat-report-january-2012
35. Q4 Spam Trends
• Spam levels increased marginally in Nov & Dec but remained at their lowest in years following the Rustock botnet takedown in March
• Q3 average spam levels approached 101 billion email messages
Spam levels – Jan to Dec 2011
Source: Commtouch
36. Q4 Spam Trends
• Spam averaged 77% of all emails in Q4 (excluding emails with malware attachments)
Spam % of all emails - Jan to Dec 2011
Source: Commtouch
37. Q4 Spam Trends
November Spam Tactics
– Sending spam containing URLs not yet registered
• Several hundred million emails sent out with many thousands of unregistered URLs
How it Works
• Spam filters with URL reputation systems check if URLs are registered and when they were registered
– Bad sites usually have registrations that are only several hours old
• If a site is not registered when checked, many URL reputation systems will not blacklist the site and will not pursue further checks
• This loophole allows spammers to send out emails linking to unregistered URLs and then register them an hour or so after the outbreak in order to prevent the URLs from being blocked
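One way a URL reputation filter can close this loophole, shown here as an added example that is not from the Commtouch report: an unregistered domain is held for a later re-check instead of being passed as harmless, and a registration only hours old is blocked. The registration lookup is a constructed in-memory table standing in for WHOIS, and the domain names are placeholders.

```python
# Added example (not from the Commtouch report): a URL-reputation check that
# closes the "unregistered URL" loophole. Unregistered domains are deferred
# for a later re-check instead of being treated as harmless. The WHOIS lookup
# is replaced by a constructed in-memory table so the example runs offline.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NOW = datetime(2011, 10, 15, 12, 0, tzinfo=timezone.utc)  # constructed check time

# Constructed stand-in for a registration lookup: domain -> creation time.
# A missing domain means "not registered at check time".
REGISTRATION_DB = {
    "example.com": NOW - timedelta(days=4000),         # long-established
    "fresh-pharma.example": NOW - timedelta(hours=3),  # registered hours ago
    # "not-yet.example" is deliberately absent
}

# Registrations younger than this are suspicious: the report notes that bad
# sites usually have registrations that are only several hours old.
YOUNG_THRESHOLD = timedelta(hours=24)

def domain_of(url):
    """Lower-case host of a URL; bare 'host/path' strings are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def classify(url, now=NOW, db=REGISTRATION_DB):
    """Return (verdict, recheck_time): 'block' for a young registration,
    'defer' (hold the message, re-check later) for an unregistered domain,
    'allow' for an established one."""
    created = db.get(domain_of(url))
    if created is None:
        return "defer", now + YOUNG_THRESHOLD
    if now - created < YOUNG_THRESHOLD:
        return "block", None
    return "allow", None

def score_message(urls, now=NOW, db=REGISTRATION_DB):
    """Worst verdict over all URLs in a message, so one bad link dominates."""
    rank = {"allow": 0, "defer": 1, "block": 2}
    return max((classify(u, now, db)[0] for u in urls), key=rank.get, default="allow")

def recheck_scenario():
    """Spammer registers the domain an hour after the outbreak; at the
    deferred re-check it is a young registration and gets blocked."""
    db = dict(REGISTRATION_DB)
    db["not-yet.example"] = NOW + timedelta(hours=1)
    return classify("http://not-yet.example/offer", now=NOW + YOUNG_THRESHOLD, db=db)[0]
```

The deferred verdict is the point: a message whose only link has no registration yet is held until the spammer's delayed registration can be seen and scored as young.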
38. Q4 Spam Trends
Top Faked (Spoofed) Spam Sending Domains*
• Gmail.com once again the most spoofed domain
• Facebook related addresses (unsubscribe.facebook.com) and facebookmail.com both feature in the top 15 (often part of phishing or malware attacks)
* The domains that are used by spammers in the “from” field of the spam emails.
Source: Commtouch
39. Q4 Spam Trends
Spam Topics
• “Pharmacy spam” increases for second straight quarter (about 2% over Q3), reaching 31% of all spam
• Dating related spam increased from 2.3% to nearly 12% in the last quarter of the year
Source: Commtouch
40. Q4 Spam Trends
Find out more about Spam Trends in Q4 by downloading the complete January Internet Threats Trend Report
http://www.commtouch.com/threat-report-january-2012
42. Q4 Compromised Websites
Trend: Compromised Websites Store Malware
• Most of the emails carrying malware links in Q4 used compromised websites
• Example: The “speeding fine” link directs to JavaScript malware on a legitimate site called “jemgaming.net”.
Source: Commtouch
43. Q4 Compromised Websites
Trend: Compromised sites used as redirect points to pharmacy and enhancer websites
• Majority of the exploited sites were using the WordPress content management system
• Spammers exploited a vulnerability in WordPress or in a plugin in order to hide the redirect pages
• Before being redirected users are shown an initial page hidden within one of the WordPress subdirectories (see image below)
44. Q4 Compromised Websites
Images (captions only): compromised site shows message before redirecting; destination enhancer site; homepage of the compromised WordPress site with no change in functionality
45. Q4 Compromised Websites
Website categories infected with malware
• Parked domains and Portals remained in the top 2 positions with pornographic sites in 3rd position
(As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites)
Rank  Category
1     Parked Domains
2     Portals
3     Pornography/Sexually Explicit
4     Education
5     Business
6     Entertainment
7     Shopping
8     Health & Medicine
9     Travel
10    Computers & Technology
Source: Commtouch
Portals category includes sites offering free homepages, which are often abused to host phishing and malware content or redirects to other sites with this content
46. Q4 Compromised Websites
Website categories infected with phishing
• This is an analysis of which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner)
• Sites related to games ranked highest in Q4, similar to Q3
Rank  Category
1     Games
2     Portals
3     Shopping
4     Education
5     Fashion & Beauty
6     Sports
7     Business
8     Leisure & Recreation
9     Entertainment
10    Real Estate
Source: Commtouch
Portals category includes sites offering free homepages, which are abused to host phishing and malware content.
47. Q4 Compromised Websites
Download the complete January 2012 Internet Threats Trend Report for more details
http://www.commtouch.com/threat-report-january-2012
49. Q4 Zombie Trends
Daily Turnover of Zombies in Q4
• Q4 saw an average turnover of 209,000 zombies each day that were newly activated for sending spam
• A very large decrease compared to the 336,000 of Q3 2011
• Average turnover for all of 2011 – 297,500 zombies per day
Daily newly activated spam zombies: Jan to Dec 2011
Source: Commtouch
50. Q4 Zombie Trends
Worldwide Zombie Distribution in Q4
Source: Commtouch
• India again claimed the top zombie producer title, increasing its share to nearly a quarter of the world’s zombies
• Brazil, once a fixture in first position, continued to drop – this quarter to 6th position (a further drop of around 3%)
• Peru and Kazakhstan joined the top 15, displacing Saudi Arabia and Colombia
51. Q4 Zombie Trends
Download the complete January 2012 Internet Threats Trend Report for more details
http://www.commtouch.com/threat-report-january-2012
53. Q4 Web 2.0 Trends
Web 2.0 Trends
• “Streaming media and downloads” was again the most popular blog or page topic, but dropped 2% in Q4
Rank  Category                        Percentage
1     Streaming Media & Downloads     22%
2     Computers & Technology          8%
3     Entertainment                   7%
4     Pornography/Sexually Explicit   6%
5     Fashion & Beauty                5%
6     Restaurants & Dining            5%
7     Religion                        5%
8     Arts                            5%
9     Sports                          4%
10    Education                       4%
11    Leisure & Recreation            3%
12    Health & Medicine               3%
13    Games                           3%
14    Sex Education                   2%
Source: Commtouch
The streaming media & downloads category includes sites with MP3 files or music related sites such as fan pages.
55. Review of Q4 2011
October
• Lowest spam per day: 60 billion
• Speeding ticket email-malware
• Spam ratio reaches low of 73%
• Free iPhone scams following death of Steve Jobs
• Unregistered domains used in spam emails
November
• Phony airline itineraries lead to malware
• Facebook defacement attack
• Facebook free gift card scams
• Compromised WordPress sites host malware
• “Look what happens” Facebook bikini girl likejacking
December
• Most spam per day: 138 billion
• Better business bureau malware
• Pizza malware
• ACH transaction cancelled malware emails
• James Cameron new movie malware
Source: Commtouch
56. Download the complete January 2012 Internet Threats Trend Report at
http://www.commtouch.com/threat-report-january-2012
57. For more information contact:
info@commtouch.com
650 864 2000 (Americas)
+972 9 863 6895 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com