This report presents an overview of threat activity during 2012. Using data from the Global Intelligence Network (GIN), Symantec's experts analyze trends in attacks, vulnerabilities, targets, and more.
Internet Security Threat Report 2013 (white paper, in English)
Internet Security Threat Report 2013
2012 Trends, Volume 18, Published April 2013

Symantec Corporation, Internet Security Threat Report 2013 :: Volume 18

CONTENTS
03  Introduction
04  Executive Summary
06  2012 Security Timeline
09  2012 in Numbers
13  Targeted Attacks, Hacktivism, and Data Breaches
    14  Introduction
    14  Data
    17  DDoS Used as a Diversion
    17  Data Breaches
    19  Analysis
    19  Cyberwarfare, Cybersabotage, and Industrial Espionage
    20  Advanced Persistent Threats and Targeted Attacks
    20  Social Engineering and Indirect Attacks
    21  Watering Hole Attacks
23  Vulnerabilities, Exploits, and Toolkits
    24  Introduction
    24  Data
    26  Analysis
    26  Web-based Attacks on the Rise
    27  The Arms Race to Exploit New Vulnerabilities
    27  Malvertising and Website Hacking
    28  Web Attack Toolkits
    29  Website Malware Scanning and Website Vulnerability Assessment
    29  The Growth of Secured Connections
    29  Norton Secured Seal and Trust Marks
    29  Stolen Key-signing Certificates
31  Social Networking, Mobile, and the Cloud
    32  Introduction
    32  Data
    35  Analysis
    35  Spam and Phishing Move to Social Media
    37  Mobile Threats
    38  Cloud Computing Risks
40  Malware, Spam, and Phishing
    41  Introduction
    42  Data
    42  Spam
    45  Phishing
    46  Malware
    48  Website Exploits by Type of Website
    49  Analysis
    49  Macs Under Attack
    50  Rise of Ransomware
    51  Long-term Stealthy Malware
    51  Email Spam Volume Down
    51  Advanced Phishing
53  Looking Ahead
56  Endnotes
57  About Symantec
57  More Information
Introduction

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of approximately 69 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, and other third-party data sources.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 51,644 recorded vulnerabilities (spanning more than two decades) from over 16,687 vendors representing over 43,391 products.

Spam, phishing, and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before reaching customers’ networks. Over 3 billion email messages and more than 1.4 billion Web requests are processed each day across 14 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.

Symantec Trust Services provides 100 percent availability and processes over 4.5 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world.

These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers the essential information to secure their systems effectively now and into the future.
Executive Summary

Threats to online security have grown and evolved considerably in 2012. From the threats of cyberespionage and industrial espionage to the widespread, chronic problems of malware and phishing, we have seen constant innovation from malware authors.

We have also seen an expansion of traditional threats into new forums. In particular, social media and mobile devices have come under increasing attack in 2012, even as spam and phishing attacks via traditional routes have fallen. Online criminals are following users onto these new platforms.

The most important trends in 2012 were:

Small Businesses Are the Path of Least Resistance for Attackers

Last year’s data made it clear that any business, no matter its size, was a potential target for attackers. This was not a fluke. In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.

This is especially bad news because, based on surveys conducted by Symantec, small businesses believe they are immune to attacks targeted at them. However, money stolen from a small business is as easy to spend as money stolen from a large business. And while small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank. While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyberdefenses. Criminal activity is often driven by crimes of opportunity. With cybercrimes, that opportunity appears to be with small businesses.

Even worse, the lack of adequate security practices by small businesses threatens all of us. Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small business that has a business relationship with the attacker’s ultimate target, using the smaller company to leapfrog into the larger one.

Additionally, small businesses and organizations can become pawns in more sophisticated attacks. Driven by attack toolkits, in 2012 the number of Web-based attacks increased by one third and many of these attacks originated from the compromised websites of small businesses. These massive attacks increase the risk of infection for all of us. But even more nefariously, as reported in our Elderwood white paper last year, the websites of small businesses and organizations are even being used in targeted attacks. Supplementing their phishing attacks, cyberespionage gangs now hijack these websites, lying in wait for their targets to visit so that they can infect them. This type of attack, called a watering hole, is another way attackers leverage the weak security of one entity to defeat the strong security of another.

Malware Authors Act as Big Brother

If you think someone is violating your privacy online, you are probably right. Fifty percent of mobile malware created in 2012 attempted to steal our information or track our movements. Whether they are attacking our computers, mobile phones or social networks, cybercriminals are looking to profit by spying on us. Their ultimate goal is to make money. Their method is to learn our banking information, the phone numbers and email addresses of our friends and business associates, our personal information, and even how to become us by stealing our identity.

But the most ominous example of malware authors knowing all about us is in targeted attacks. Creating successful targeted attacks requires attackers to learn about us. They will research our email addresses, our job, our professional interests, and even the conferences we attend and the websites we frequent. All of this information is compiled to launch a successful targeted attack. Once on our devices, the attacker’s tools are designed to pull as much data as possible. Undiscovered targeted attacks can collect years of our email, files, and contact information. These tools also contain the ability to log our keystrokes, view our computer screens, and turn on our computers’ microphones and cameras. Targeted attackers truly act as an Orwellian incarnation of Big Brother.
Those jobs most targeted for attack in 2012 were knowledge workers who create the intellectual property that attackers want (27 percent of all targets in 2012) and those in sales (24 percent in 2012). Interest in targeting the CEO of an organization waned in 2012; those attacks decreased by 8 percent.

With Mobile, It’s Not the Vulnerability that Will Get You

As expected, the amount of mobile malware in 2012 continues to rise. 2012 saw a 58 percent increase in mobile malware families compared to 2011. The year’s total now accounts for 59 percent of all malware to date. With a 32 percent increase in the number of vulnerabilities reported in mobile operating systems, it might be tempting to blame them for the increase. However, this would be wrong. In the PC space, a vulnerability drives attacks as new vulnerabilities are incorporated into commonly available toolkits. The more they’re used, the faster they spread. This is not occurring in the mobile space. Today, mobile vulnerabilities have little or no correlation to mobile malware. In fact, while Apple’s iOS had the most documented vulnerabilities in 2012, there was only one threat created for the platform. Compare this to the Android OS; although only thirteen vulnerabilities were reported, it led all mobile operating systems in the amount of malware written for the platform.

Vulnerabilities likely will become a factor in mobile malware, but today Android’s market share, the openness of the platform, and the multiple distribution methods available to applications embedded with malware make it the go-to platform of malware authors.

Zero-day Vulnerabilities Available When Attackers Need Them

Zero-day vulnerabilities continue to trend upward; 14 were reported in 2012. In the last three years much of the growth in zero-day vulnerabilities used in attacks can be attributed to two groups: the authors of Stuxnet and the Elderwood Gang. In 2010, Stuxnet was responsible for 4 of the 14 discovered zero-day vulnerabilities. The Elderwood Gang was responsible for 4 of the 14 discovered in 2012. The Elderwood Gang also used zero-day threats in 2010 and 2011, and they’ve used at least one so far in 2013.

Attackers use as many zero-day vulnerabilities as they need, not as many as they have. And Stuxnet and Elderwood make for an interesting contrast in the strategy of their use. Stuxnet remains the aberration, using multiple zero-day exploits in one attack. From what we know today, it was a single attack that was directed at a single target. Multiple zero-day exploits were used to ensure success so they would not need to attack a second time.

By contrast the Elderwood Gang has used one zero-day exploit in each attack, using it continually until that exploit becomes public. Once that occurs they move on to a new exploit. This makes it seem that the Elderwood Gang has a limitless supply of zero-day vulnerabilities and is able to move to a new exploit as soon as one is needed. It is our hope that this is not the case.

Attribution Is Never Easy

Some targeted attacks make no attempt to stay undetected. A piece of malware named Shamoon was discovered in August. Its purpose was to wipe computer hard drives of energy companies in the Middle East. A group calling itself the “Cutting Sword of Justice” claimed responsibility. Throughout 2012, DDoS attacks were launched against financial institutions. A group called Izz ad-Din al-Qassam Cyber Fighters claimed responsibility.

These attacks and others appear to be classic cases of hacktivism. However, proving attribution and motive is not easy, even when someone claims responsibility. There has been much speculation, some reportedly from the intelligence community, that the Cutting Sword of Justice and the Qassam Cyber Fighters are fronts for a nation state. Complicating what appeared to be simple hacktivism even further is the FBI’s warning to financial institutions that some DDoS attacks are actually being used as a “distraction.” These attacks are launched before or after cybercriminals engage in an unauthorized transaction, and are an attempt to avoid discovery of the fraud and prevent attempts to stop it.
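The “distraction” pattern just described gives a defender something concrete to watch for: a payment that lands unusually close to a DDoS window deserves more scrutiny, not less, at exactly the moment the network team is busiest. The following Python is an added example and is not Symantec’s code nor anything from the FBI warning. It constructs a handful of log lines in a made-up format (a network-operations DDoS alert with start and end markers, and wire-transfer records carrying an amount and a new-beneficiary flag), pairs the alert markers into attack windows, and flags wires that are both risky on their own terms and close in time to a window, before or after. The field names, the six-hour margin and the 50,000 threshold are all assumptions to be replaced with a bank’s own telemetry and risk policy.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Field names such as phase, target,
# id, account, amount and dest_new are assumptions for this example.
SAMPLE_LOG = """
2012-09-14T07:30:00Z PAYMENTS wire id=T1000 account=A-2210 amount=95000 dest_new=yes
2012-09-14T09:02:11Z NETOPS ddos_alert phase=start target=www.bank.example pps=1800000
2012-09-14T09:40:05Z PAYMENTS wire id=T1001 account=A-4471 amount=250000 dest_new=yes
2012-09-14T11:15:30Z PAYMENTS wire id=T1002 account=A-0093 amount=1200 dest_new=no
2012-09-14T12:30:00Z NETOPS ddos_alert phase=end target=www.bank.example
2012-09-16T10:00:00Z PAYMENTS wire id=T1003 account=A-7780 amount=300000 dest_new=yes
""".strip().splitlines()

WINDOW = timedelta(hours=6)   # how far before/after the DDoS to look (assumed margin)
HIGH_VALUE = 50_000           # amount threshold for a "large" wire (assumed policy)


def parse_line(line):
    """Split 'timestamp source event k=v k=v ...' into a dict with a datetime ts."""
    ts, source, event, *kv = line.split()
    fields = dict(token.split("=", 1) for token in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "event": event, **fields}


def ddos_windows(events):
    """Pair ddos_alert start/end records (events sorted by ts) into (start, end) windows.
    An alert with no end yet is treated as running until the last event seen."""
    windows, open_start = [], None
    for e in events:
        if e["event"] != "ddos_alert":
            continue
        if e["phase"] == "start":
            open_start = e["ts"]
        elif e["phase"] == "end" and open_start is not None:
            windows.append((open_start, e["ts"]))
            open_start = None
    if open_start is not None:
        windows.append((open_start, events[-1]["ts"]))
    return windows


def near_window(ts, windows, margin):
    """True if ts falls inside any window widened by `margin` on both sides,
    which covers fraud attempted shortly before or shortly after the flood."""
    return any(start - margin <= ts <= end + margin for start, end in windows)


def suspicious_wires(lines, margin=WINDOW, high_value=HIGH_VALUE):
    """Return ids of wires that are risky on their own (large or to a new beneficiary)
    AND time-correlated with a DDoS window. Low-risk wires inside the window and
    risky wires far from any window are left alone, so the list stays short."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    windows = ddos_windows(events)
    flagged = []
    for e in events:
        if e["event"] != "wire":
            continue
        risky = int(e["amount"]) >= high_value or e["dest_new"] == "yes"
        if risky and near_window(e["ts"], windows, margin):
            flagged.append(e["id"])
    return flagged


if __name__ == "__main__":
    print("DDoS windows:", ddos_windows(sorted(map(parse_line, SAMPLE_LOG), key=lambda e: e["ts"])))
    print("Wires to review:", suspicious_wires(SAMPLE_LOG))
```

On the sample, T1000 (ninety minutes before the flood, new beneficiary) and T1001 (during the flood, large and new) are returned for review; T1002 is inside the window but ordinary, and T1003 is large but two days later, so neither is flagged. The point of the joint condition is operational: the DDoS alone is not evidence of fraud, and a large wire alone is business as usual, but the two together are the exact situation the warning describes.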
2012 Security Timeline

January to June
• Data breach: 24 million identities stolen in data breach at Zappos apparel company.
• Malcode: A scam involving malicious browser plug-ins for Firefox and Chrome is discovered.
• Mac: Over 600,000 Mac computers are infected by the OSX.Flashback Trojan through an unpatched Java exploit.
• Mac: A second Mac Trojan is discovered, OSX.Sabpab, which also uses Java exploits to compromise a computer.
• Botnet: Kelihos botnet returns, four months after being taken down.
• Mobile: Google announces Google Bouncer, an app scanner for the Google Play market.
• Social networking: Scammers are discovered leveraging social networks Tumblr and Pinterest.
• Malware: The cyberespionage threat W32.Flamer is discovered.
• Certificate Authorities: Comodo, a large Certificate Authority, authenticated and issued a legitimate code-signing certificate to a fictitious organization run by cybercriminals. This was not discovered until August.
• Botnet: Researchers take down a new variant of the Kelihos botnet, which reappears in a new form later in the month.
• Hacks: Six individuals are arrested as alleged members of the hacking collective LulzSec.
• Botnet: Security researchers take down key servers for the Zeus botnet.
• Data breach: A payment processor for a number of well-known credit card companies, including Visa and MasterCard, was compromised, exposing details of 1.5 million accounts.[1]
• Mobile: A non-malware-based scam involving the Opfake gang is found that targets iPhone users.
• Data breach: LinkedIn suffers a data breach, exposing millions of accounts.
• Malware: A Trojan by the name of Trojan.Milicenso is discovered, which causes networked printers to print large print jobs containing illegible characters.

July to December
• Botnet: Security researchers disable the Grum botnet.
• Malware: Windows malware is discovered in Apple’s App Store, embedded in an application.
• Mac: A new Mac threat called OSX.Crisis opens a back door on compromised computers.
• Botnet: DNS servers, maintained by the FBI in order to keep computers previously infected with the DNSChanger Trojan safe, are shut off.
• Malware: A Trojan used to steal information from the Japanese government is discovered after being in operation for two years.
• Malware: A second printer-related threat called W32.Printlove, which causes large print jobs to print garbage, is discovered.
• Malware: A new version of the Blackhole attack toolkit, dubbed Blackhole 2.0, is discovered.
• Botnet: Security researchers disable an up-and-coming botnet known as “Nitol.”
• Mobile: A vulnerability is discovered in Samsung’s version of Android™ that allows a phone to be remotely wiped.
• DDoS: FBI issues warning about possible DDoS attacks against financial institutions as part of a “distraction” technique.[2]
• Hacks: Burglars found using a known exploit in a brand of hotel locks to break into hotel rooms.
• Malware: A ransomware threat distributed through Skype IM is discovered.
• Data breach: Customer data is stolen from Barnes & Noble payment keypads.
• Attackers are discovered using a DDoS attack as a distraction in order to gather information that allowed them to later steal money from a targeted bank.
• Malware: Infostealer.Dexter Trojan horse discovered targeting point-of-sale systems.
• Hacks: Attackers exploit a vulnerability in Tumblr, spreading spam throughout the social network.
• Hacks: Reuters news service suffers a series of hacks resulting in fake news stories posted on its website and Twitter account.
• Malware: Crisis malware is discovered targeting VMware® virtual machine images.
• Malware: W32.Gauss is discovered. The scope of the threat is concentrated in the Middle East, in a similar way to W32.Flamer.
• Certificate Authorities: Comodo incident from May discovered and details published.
2012 in Numbers

New Vulnerabilities: 2010: 6,253; 2011: 4,989; 2012: 5,291
Mobile Vulnerabilities: 2010: 163; 2011: 315; 2012: 415
Average Number of Identities Exposed Per Breach in 2012: 604,826
Targeted Attacks in 2012: 42% increase

Estimated Global Email Spam Per Day (in billions): 2010: 62; 2011: 42; 2012: 30
Overall Spam Rate: 2010: 89%; 2011: 75%; 2012: 69%
Overall Email Virus Rate, 1 in: 2010: 282; 2011: 239; 2012: 291
Overall Email Phishing Rate, 1 in: 2010: 442; 2011: 299; 2012: 414
% of All Email Malware as URL: 2010: 24%; 2011: 39%; 2012: 23%
% of All Spam with Dating & Sexual content: 2010: 3%; 2011: 15%; 2012: 55%

Bot Zombies (in millions), 2010 to 2012: 4.5, 3.4 and 3.1
New Zero-Day Vulnerabilities: 2010: 14; 2011: 8; 2012: 14
Web Attacks Blocked Per Day: 2011: 190,370; 2012: 247,350
New Unique Malicious Web Domains: 2010: 43,000; 2011: 55,000; 2012: 74,000
Mobile Malware Families Increase 2011–2012: 58%
Targeted Attacks, Hacktivism, and Data Breaches

Introduction

“Just as nuclear was the strategic warfare of the industrial era, cyberwarfare has become the strategic war of the information era,” says U.S. Secretary of Defense Leon Panetta.[3]

Cyberespionage and cybersabotage are already a reality. Outside the realm of states and their proxies, corporate spies are using increasingly advanced techniques to steal company secrets or customer data for profit. Hacktivists with political and antibusiness agendas are also busy.

The string of media revelations about security breaches this year suggests that the business world is just as vulnerable to attack as ever.

At a Glance
• Targeted attack global average per day: 116.
• Increasing levels of industrial espionage and data theft.
• More insidious targeted attacks, with new “watering hole” attacks and sophisticated social engineering.
• Fewer big data breaches, but the median number of identities stolen per breach has increased by 3.5 times.

Data

[Chart: Targeted Attacks Per Day in 2012, by month from January to December, vertical scale 25 to 250. Source: Symantec]

We witnessed one large attack in April against a single client that more than doubled the number of attacks per day for that month; and while events like this are extremely rare, we have not included it in this calculation in order to portray a more realistic outlook. This incident would have skewed the global annual average number of attacks per day from 116 to 143.

This client was a large banking organization, who had not previously been a Symantec customer, and approached Symantec for help to remove an existing infection. The infection was removed; however, a large wave of targeted attacks followed as the attackers sought to regain access, ultimately failing.
Manufacturing was the most-targeted sector in 2012, with 24 percent of targeted attacks destined for this sector, compared with 15 percent in 2011. Attacks against government and public sector organizations fell from 25 percent in 2011, when it was the most targeted sector, to 12 percent in 2012. It’s likely the frontline attacks are moving down the supply chain, particularly for small to medium-sized businesses. (Categories based on Standard Industrial Classification codes.)

Top 10 Industries Attacked in 2012 (Source: Symantec)
• Manufacturing: 24%
• Finance, Insurance & Real Estate: 19%
• Services – Non-Traditional: 17%
• Government: 12%
• Energy/Utilities: 10%
• Services – Professional: 8%
• Aerospace: 2%
• Retail: 2%
• Wholesale: 2%
• Transportation, Communications, Electric, Gas: 1%

Attacks by Size of Targeted Organization (Source: Symantec)
Share of targeted attacks in 2012 by number of employees:
• 2,501+: 50% (50% in 2011)
• 1 to 250: 31% (18% in 2011)
• 251 to 500: 9%
• 501 to 1,000, 1,001 to 1,500 and 1,501 to 2,500: 5%, 3% and 2% between the three bands
• 1 to 2,500 combined: 50%

Targeted attacks destined for Small Business (1 to 250 employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percentage points.

The volume of attacks against SMBs increased threefold, compared with 2011, resulting in its percentage almost doubling from 18 percent to 31 percent.

Organizations with 2,501+ employees were the most targeted with 50 percent of targeted attacks destined for this size of organization, almost exactly the same percentage as in 2011.

The volume of targeted attacks against organizations with 2,501+ employees doubled compared with 2011, although its overall percentage remains the same at 50 percent.
In 2012, the most frequently targeted job role was in R&D, which accounted for 27 percent of attacks (9 percent in 2011). The second most notable increase was against sales representatives, probably because their contact details are more widely available in the public domain, with 24 percent of attacks in 2012 versus 12 percent in 2011. In 2011, C-level executives were the most targeted, with 25 percent, but this number fell to 17 percent in 2012.

[Chart: Targeted Attack Recipients by Role in 2012, showing 2011 and 2012 shares and the percentage change (scale -15% to 30%) for: Shared Mailbox (info@, sales@, etc.), Senior Management, Sales, Human Resources, Research & Development, Personal Assistant, PR and Marketing, Chief Exec. or Board Level. Source: Symantec]

DDoS Used as a Diversion

In September, the FBI issued a warning to financial institutions that some DDoS attacks are actually being used as a “distraction.” These attacks are launched before or after cybercriminals engage in an unauthorized transaction and are an attempt to avoid discovery of the fraud and prevent attempts to stop it.

In these scenarios, attackers target a company’s website with a DDoS attack. They may or may not bring the website down, but that’s not the main focus of such an attack; the real goal is to divert the attention of the company’s IT staff towards the DDoS attack. Meanwhile, the hackers attempt to break into the company’s network using any number of other methods that may go unnoticed as the DDoS attack continues in the background.[4]

Data Breaches

The overall number of data breaches is down by 26 percent, according to the Norton Cybercrime Index,[5] though over 93 million identities were exposed during the year, a decrease of 60 percent over last year. The average number of identities stolen is also down this year: at 604,826 per breach, this is significantly smaller than the 1.1 million per breach in 2011.

So why are the number of breaches and identities stolen down in 2012? For starters, there were five attacks in which more than 10 million identities were stolen in 2011. In 2012 there was only one, which results in a much smaller spread from the smallest to the largest data breach. However, the median number—the midpoint of the data set—increased by 3.5 times in 2012, from 2,400 to 8,350 per breach. Using the median is a useful measure because it ignores the extremes, the rare events that resulted in large numbers of identities being exposed, and is more representative of the underlying trend.

Part of the wide difference between data breaches in 2011 and 2012 is likely due to a concerted effort by the notorious hacker groups Anonymous and LulzSec to publicize hacks during 2011—something that was not seen to the same extent in 2012. It’s possible that companies are paying more attention to protecting customer databases or that hackers have found other, more valuable targets, or that they are still stealing the data but not being detected.
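The report’s preference for the median over the average is worth seeing on actual numbers, because the two statistics can move in opposite directions in the same year. The following Python is an added example, not Symantec’s code, and the ten per-breach identity counts it uses are constructed for illustration rather than taken from the report: many small incidents and one very large one, the shape the text describes for both 2011 and 2012. It computes both statistics, recomputes them with the single largest incident removed, and reports the mean-to-median ratio as a quick indicator that a handful of outliers is dominating the average.

```python
from statistics import mean, median

# Constructed illustrative data (not Symantec's figures): identities exposed in
# each of ten reported breaches in one year, with one huge incident among small ones.
SAMPLE_BREACHES = [1_200, 2_400, 3_100, 5_000, 8_350,
                   9_800, 15_000, 42_000, 120_000, 24_000_000]


def summarize(sizes):
    """Return (mean, median) identities per breach, rounded to whole identities."""
    return round(mean(sizes)), round(median(sizes))


def summarize_without_largest(sizes):
    """The same summary after dropping the single largest incident. Comparing the
    two shows which statistic the rare outlier actually drives: the mean collapses
    by two orders of magnitude, the median barely moves."""
    return summarize(sorted(sizes)[:-1])


def skew_ratio(sizes):
    """Mean divided by median. A value near 1 means breaches are fairly uniform in
    size; a value far above 1 means a few very large incidents are inflating the
    average, so the median is the better guide to a typical breach."""
    avg, mid = summarize(sizes)
    return avg / mid


def median_growth(prev_median, cur_median):
    """Year-over-year factor for the median, the comparison the report uses
    (2,400 to 8,350 per breach is the report's 3.5 times)."""
    return cur_median / prev_median


if __name__ == "__main__":
    print("all incidents      (mean, median):", summarize(SAMPLE_BREACHES))
    print("without the largest (mean, median):", summarize_without_largest(SAMPLE_BREACHES))
    print("mean/median ratio:", round(skew_ratio(SAMPLE_BREACHES), 1))
    print("median growth 2011->2012 per the report:", round(median_growth(2_400, 8_350), 1))
```

On the sample the mean is about 2.4 million identities per breach while the median is 9,075; drop the one large incident and the mean falls to roughly 23,000 while the median only moves to 8,350. That is the behaviour the paragraph relies on: a year with one fewer mega-breach can show a falling average even while the typical breach, as measured by the median, is getting bigger.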
Healthcare, education, and government accounted for nearly two-thirds of all identities breached in 2012. This suggests that the public sector should further increase efforts to protect personal information, particularly considering how these organizations are often looked upon as the custodians of information for the most vulnerable in society. Alternatively, this could indicate that the private sector may not be reporting all data breaches, given how many public sector organizations are required by law to report breaches.

The vast majority (88 percent) of reported data breaches were due to attacks by outsiders. But it is safe to assume that unreported data breaches outnumber reported ones. Whether it is lost laptops, misplaced memory sticks, deliberate data theft by employees or accidents, the insider threat also remains high. To illustrate this point, the UK Information Commissioner’s Office fined and prosecuted more businesses because of insider slipups than because of outsider attacks. Most SMBs should worry about someone in accounts just as much as they should worry about an anonymous hacker.

At 36 percent, the healthcare industry continues to be the sector responsible for the largest percentage of disclosed data breaches by industry.

Data Breaches by Sector in 2012 (Source: Symantec)
• Healthcare: 36%
• Education: 16%
• Government: 13%
• Accounting: 9%
• Computer Software: 6%
• Financial: 6%
• Information Technology: 5%
• Telecom: 4%
• Computer Hardware: 3%
• Community and Nonprofit: 3%

January saw the largest number of identities stolen in 2012, due to one breach of over 24 million identities, while the numbers for the rest of the year mostly fluctuated between one and 12 million identities stolen per month.

The average number of breaches for the first half of the year was 11, and rose to 15 in the second half of the year, a 44 percent increase.

[Chart: Timeline of Data Breaches, January to December 2012, plotting the number of incidents (scale 0 to 35) against the sum of identities breached (millions); callout: 31 million breached in January. Source: Symantec]
Hackers continue to be responsible for the largest number of data breaches, making up 40 percent of all breaches.

At US$194, the United States is the country with the highest cost per capita, with Denmark a close second at $191 per capita.

Top Causes of Data Breaches in 2012 (Source: Symantec)
• Hackers: 40%
• Accidentally made public: 23%
• Theft or loss of computer or drive: 23%
• Insider theft: 8%
• Unknown: 6%
• Fraud: 1%

Average Cost Per Capita of a Data Breach [6] (Source: Symantec)
Country: Average Cost Per Capita
• U.S.: $194
• Denmark: $191
• France: $159
• Australia: $145
• Japan: $132
• UK: $124
• Italy: $102
• Indonesia: $42

Analysis

Cyberwarfare, Cybersabotage, and Industrial Espionage

Targeted attacks have become an established part of the threat landscape and safeguarding against them has become one of the main concerns of CISOs and IT managers. Targeted attacks are commonly used for the purposes of industrial espionage to gain access to the confidential information on a compromised computer system or network. They are rare but potentially the most difficult attacks to defend against.

It is difficult to attribute an attack to a specific group or a government without sufficient evidence. The motivation and the resources of the attacker sometimes hint at the possibility that the attacker could be state sponsored, but finding clear evidence is difficult. Attacks that could be state sponsored, but appear to be rare in comparison with regular cybercrime, have often gained more notoriety. They can be among the most sophisticated and damaging of these types of threats. Governments are undoubtedly devoting more resources to defensive and offensive cyberwarfare capabilities. In 2012, it was still unlikely that most businesses would encounter such an attack, and the greatest risk comes from the more prevalent targeted attacks that are created for the purposes of industrial espionage. Increasingly, small to medium-sized businesses (SMB) are finding themselves on the frontline of these targeted attacks as they have fewer resources to combat the threat and a successful attack here may subsequently be used as the springboard to further attacks against a larger organization to which they may be a supplier.

Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer and Disttrack in 2012 show increasing levels of sophistication and danger. For example, the malware used in the Shamoon attacks on a Saudi oil firm had the ability to wipe hard drives.[7]

The same techniques used by cybercriminals for industrial espionage may also be used by states and state proxies for cyber attacks and political espionage. Sophisticated attacks may be reverse-engineered and copied so that the same or similar techniques can be used in less discriminate attacks. A further risk is that malware developed for cybersabotage may spread beyond its intended target and infect other computers in a kind of collateral damage.

Advanced Persistent Threats and Targeted Attacks

Targeted attacks combine social engineering and malware to target individuals in specific companies with the objective of stealing confidential information such as trade secrets or customer data. They often use custom-written malware and sometimes exploit zero-day vulnerabilities, which makes them harder to detect and potentially more infective.

Targeted attacks use a variety of vectors as their main delivery mechanism, such as malware delivered in an email, or drive-by downloads from an infected website the intended recipient is known to frequent, a technique known as a “watering hole” attack.

APTs are often highly sophisticated and more insidious than traditional attacks, relying on highly customized intrusion techniques. While targeted attacks are growing increasingly more common, the resources required to launch an advanced persistent threat campaign mean they are limited to well-funded groups attacking high-value targets.

Symantec saw a 42 percent increase in the targeted attack rate in 2012 compared with the preceding 12 months. While the manufacturing industry has become the main target, accounting for 24 percent of attacks, we also saw a wide range of companies coming under attack, not only large businesses, but increasingly SMBs as well. In 2011, 18 percent of targeted attacks were aimed at companies with fewer than 250 employees, but by the end of 2012, they accounted for 31 percent.

Social Engineering and Indirect Attacks

Attackers may be targeting smaller businesses in the supply chain because they are more vulnerable, have access to important intellectual property, and offer a stepping stone into larger organizations. In addition, they are also targeted in their own right. They are more numerous than enterprises, have valuable data, and are often less well-protected than larger companies. For example, an attacker may infiltrate a small supplier in order to use it as a spring board into a larger company. They might use personal information, emails, and files from an individual in such a smaller company to create a well-

Timeline of Targeted Attacks [8] (Source: Symantec)
• Ghostnet: March 2009. Large-scale cyberspying operation.
• Hydraq: January 2010. Operation “Aurora”.
• Stuxnet: June 2010.
• Nitro Attacks: July–October 2011. Against chemical industry.
• RSA Attacks: August 2011.
• Sykipot / Taidoor Attacks: Targeting defense industry and governments.
• Flamer & Gauss: May 2012 – Aug 2012. Highly sophisticated threat. Targets Middle East.
• Elderwood Project: September 2012. Main target: defense. Same group identified using Hydraq (Aurora) in 2009.
Recommendations

Assume You're a Target.
Small size and relative anonymity are not defenses against the most sophisticated attacks. Targeted attacks threaten small companies as well as large ones. Attackers could also use your website as a way to attack other people. If you assume you are a potential target and improve your defenses against the most serious threats, you will automatically improve your protection against other threats.

Defense in Depth.
Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network. Endpoints must be secured by more than signature-based antivirus technology.

Educate Employees.
Raise employees' awareness about the risks of social engineering and counter it with staff training. Similarly, good training and procedures can reduce the risk of accidental data loss and other insider risks. Train staff about the value of data and how to protect it.

Data Loss Prevention.
Prevent data loss and exfiltration with data loss protection software on your network. Use encryption to protect data in transit, whether online or via removable storage.
Vulnerabilities, exploits, and toolkits

Introduction

Recent research by the Ponemon Institute suggests that the cost of cybercrime rose by six percent in 2012, with a 42 percent increase in the number of cyberattacks. The cost is significant, with businesses incurring an average cost of $591,780.[12] Given the increased availability of vulnerabilities and exploits, it comes as no surprise that cybercriminals have increased their ability to make a profit.

Quite a few diverse skills are needed to find vulnerabilities, create ways to exploit them, and then run attacks using them. Fortunately for the cybercriminal, a black market exists where these skills can be purchased in the form of toolkits. Hackers find and exploit, and/or sell, vulnerabilities. Toolkit authors find or buy exploit code and incorporate it into their "products." Cybercriminals in turn buy or steal the latest versions of toolkits, which allow them to run massive attacks without the trouble of learning the skills needed to run the whole operation.

At a Glance
• Usage of zero-day vulnerabilities is up, from 8 to 14 in 2012.
• There is an increasingly sophisticated black market serving a multi-billion dollar online crime industry.
• These vulnerabilities are later commercialized and added to Web-attack toolkits, usually after they become published publicly.
• In 2012, drive-by Web attacks increased by one third, possibly driven by malvertising.
• Around 600,000 Macs were infected with Flashback malware this year.
• The Sakura toolkit, which had little impact in 2011, now accounts for approximately 22 percent of Web-based toolkit attacks, overtaking Blackhole during some points of the year.

Data

Browser Vulnerabilities 2010 – 2012 (Source: Symantec): chart of the percentage share of browser vulnerabilities per year for Apple Safari, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Opera.

Plug-in Vulnerabilities 2010 – 2012 (Source: Symantec): chart of the percentage share of plug-in vulnerabilities per year for Adobe Flash Player, Oracle Sun Java, Adobe Acrobat Reader, and Apple QuickTime.
Zero-day Vulnerabilities (Source: Symantec): chart of zero-day vulnerabilities reported per month, January to December 2012.
• A zero-day vulnerability is one that is reported to have been exploited in the wild before the vulnerability is public knowledge and prior to a patch being publicly available.
• There were 14 zero-day vulnerabilities reported in 2012.
• There were up to 3 zero-day vulnerabilities reported each month.

Total Vulnerabilities (Source: Symantec): chart of vulnerabilities reported per month, January to December 2012.
• There were 5,291 vulnerabilities reported in 2012, compared with 4,989 in 2011.
• Reported vulnerabilities per month in 2012 fluctuated roughly between 300 and 500 per month.
• In 2012, there were 85 public SCADA (Supervisory Control and Data Acquisition) vulnerabilities, a massive decrease from the 129 vulnerabilities in 2011.
• There were 415 mobile vulnerabilities identified in 2012, compared with 315 in 2011.
Malvertising and Website Hacking

How does a hacker add his code to a legitimate website? Toolkits are available that make it easy. For example, in May 2012, the LizaMoon toolkit used a SQL injection technique to affect at least a million websites.[13] Other approaches include:
• Exploiting a known vulnerability in the website hosting or content management software
• Using phishing, spyware, or social engineering to get the webmaster's password
• Hacking through the Web server backend infrastructure, such as control panels or databases
• Paying to host an advertisement that contains the infection

This last technique, known as malvertising, means that legitimate websites can be impacted without even being compromised. This form of attack appears to be very common. Using experimental scanning software (see "Website Malware Scanning and Website Vulnerability Assessment" later in this section), Symantec found that half of the tested sites were infected by malvertising.

Malvertising opens an avenue of attack that hackers can use to compromise a website without having to directly hack the website itself. Using these malicious ads allows them to silently infect users, often installing dynamically created malware that antivirus alone is unable to detect.

A sign of the seriousness of the problem is that Google and other search engines scan for malware and blacklist sites that contain malware. There have been occasions when prominent advertising networks have fallen prey to malvertising, impacting some of the biggest names in online media.[14] Situations like this can have a serious impact on websites whose bottom line often depends on advertising revenue, even diminishing their credibility in the eyes of their readers. With dozens of advertising networks and constantly rotating adverts, tracking malvertising and preventing it is a huge challenge.

Figure: Online advertisement for a malware toolkit.
Web Attack Toolkits

It's one thing to discover new vulnerabilities, but another matter to implement a way to exploit them. Criminal entrepreneurs turn them into toolkits that less sophisticated users can buy and use. Like commercial software, they even include support and warranties. Authors accept payments using online payment services with anonymous numbered accounts.

Attack toolkits exist for creating a variety of malware and for attacking websites. The popular Blackhole toolkit is a notorious example. This updating strategy suggests that it has a kind of brand loyalty and that the authors are building on that in the same way that legitimate software vendors do with their updates and new editions.

Blackhole continued to make its presence felt in 2012, making up 41 percent of all Web-based attacks. We also saw the release of an updated version of the toolkit, dubbed Blackhole 2.0, back in September. However, Blackhole's overall dominance may have begun to decline, as another Web attack toolkit surpassed Blackhole during a few months in the latter half of 2012. Sakura, a new entrant to the market, at its peak made up as much as 60 percent of all toolkit activity, and 22 percent of overall toolkit usage in 2012.

Top Web Attack Toolkits by Percent (Source: Symantec)
Blackhole 41%
Sakura 22%
Others 20%
Phoenix 10%
Redkit 7%

Approximately 41 percent of Web-based toolkit attacks in 2012 related to the Blackhole toolkit, compared with 44 percent in 2011. The Sakura toolkit was not in the top 10 for 2011, and now accounts for approximately 22 percent of Web-based toolkit attacks, overtaking Blackhole at some points in the year.

Web Attack Toolkits Over Time (Source: Symantec): chart of the monthly percentage share of toolkit attacks, January to December 2012, for Blackhole, Sakura, Nuclear, Redkit, Phoenix, and Others.
Website Malware Scanning and Website Vulnerability Assessment

In 2012, Symantec's Trust Services (formerly VeriSign) technology scanned over 1.5 million websites as part of its Website Malware Scanning and Vulnerability Assessment services. Over 130,000 URLs were scanned for malware each day, with 1 in 532 websites found to be infected with malware. The most common form of compromise was for the use of drive-by downloads.

Furthermore, in assessing potentially exploitable vulnerabilities on websites, over 1,400 vulnerability scans were performed each day. Approximately 53 percent of websites scanned were found to have unpatched, potentially exploitable vulnerabilities (36 percent in 2011), of which 24 percent were deemed to be critical (25 percent in 2011). The most common vulnerability found was cross-site scripting.

The Growth of Secured Connections

One of the ways to judge the growth of SSL usage is to monitor the change in statistics for OCSP (Online Certificate Status Protocol, which is used for obtaining the revocation status of a digital certificate) and CRL (Certificate Revocation List) lookups. When an SSL secured connection is initiated, a revocation check is performed using OCSP or CRL, and we track the number of lookups that go through our systems. This is a growth indicator for the number of SSL secured sessions that are performed online. It implies that more people are going online and using secured connections (for example, representing a growth of eCommerce transactions on the Web). It also may show the impact of the adoption of SSL more widely, in more places and for more uses, such as the growing use of Extended Validation SSL Certificates, which trigger browsers to indicate whether a user is on a secured site by turning the address bar green, and for "Always On SSL" (adopted heavily through 2012 by social networks, search services, and online email providers). Further, it may be a result of devices other than traditional desktops and laptops that enable online access; for example, smartphones and tablets.

In 2012, Symantec identified that the average number of OCSP lookups grew by 31 percent year on year between 2011 and 2012, with more than 4.8 billion lookups performed each day in 2012. The high-water mark of OCSP lookups was 5.8 billion in a single day in 2012. It is worth noting that OCSP is the modern revocation checking methodology.

Additionally, Symantec's CRL lookups increased by 45 percent year on year between 2011 and 2012, with approximately 1.4 billion per day, and a high-water mark of 2.1 billion. CRL is the older lookup technology that OCSP supersedes.

Norton Secured Seal and Trust Marks

In 2012, more consumers were visiting websites with trust marks (such as the Norton Secured Seal). Based on analysis of the statistics from Symantec's own trust marks, we saw an 8 percent increase in 2012. The Symantec trust mark was viewed up to 750 million times a day in 2012 as more online users are demanding stronger security to safeguard their online activities.

Stolen Key-signing Certificates

2012 continued to show that organizations large and small were susceptible to becoming unwitting players in the global malware distribution network. We've seen increased activity of malware being signed with legitimate code-signing certificates. Since the malware code is signed, it appears to be legitimate, which makes it easier to spread.

Malware developers often use stolen code-signing private keys. They attack Certificate Authorities and, once inside their networks, they seek out and steal private keys. In other cases, poor security practices allow them to buy legitimate certificates with fake identities. For example, in May 2012, Comodo, a large Certificate Authority, authenticated and issued a legitimate code-signing certificate to a fictitious organization run by cybercriminals.[15]
Recommendations

Use a Full Range of Protection Technology.
If the threat landscape were less advanced, then file scanning technology (commonly called antivirus) would be sufficient to prevent malware infections. However, with toolkits for building malware on demand, polymorphic malware, and zero-day exploits, antivirus is not enough. Network-based protection and reputation technology must be deployed on endpoints to help prevent attacks. And behavior blocking and scheduled file scanning must be used to help find malware that avoids preventative defenses.

Protect Your Public-facing Websites.
Consider Always On SSL to encrypt visitors' interactions with your site across the whole site, not just on the checkout or sign-up pages. Make sure you update your content management system and Web server software just as you would a client PC. Run vulnerability and malware scanning tools on your websites to detect problems promptly. Use strong passwords for admin accounts and other services, and protect these credentials against social engineering and phishing. Limit login access to important Web servers to users that need it. Adopting an Always On SSL approach helps to safeguard account information from unencrypted connections and thus renders end users less vulnerable to a man-in-the-middle attack.

Protect Code-signing Certificates.
Certificate owners should apply rigorous protection and security policies to safeguard keys. This means effective physical security, the use of cryptographic hardware security modules, and effective network and endpoint security, including data loss prevention on servers involved in signing code, and thorough security for applications used to sign code. In addition, Certificate Authorities need to ensure that they are using best practices in every step of the authentication process.

Be Aggressive on Your Software Updating and Review Your Patching Processes.
The majority of Web-based attacks exploit the top 20 most common vulnerabilities. Consequently, installing patches for known vulnerabilities will prevent the most common attacks. It's essential to update and patch all your software promptly. In particular, with risks like the Flashback attacks that used Java, it's important to run the latest version of that software or do without it altogether. This is equally true for CIOs managing thousands of users, small business owners with dozens of users, or individual users at home.

Update, patch, and migrate from outdated and insecure browsers, applications, and browser plug-ins to the latest available versions using the vendors' automatic update mechanisms, especially for the top software vulnerabilities being exploited. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Consider removing vulnerable plug-ins from images for employees that have no need for that software. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.
Social networking, mobile, and the cloud

Mobile Vulnerabilities (Source: Symantec): chart of mobile vulnerabilities reported per month, January to December 2012, peaking at 121 in March.
• March was the most active month of 2012, with 121 vulnerabilities reported.
• There were 415 mobile vulnerabilities identified in 2012, compared with 315 in 2011.

Mobile Threats in 2012 (Source: Symantec): breakdown of mobile malware by activity, across the categories Traditional Threats, Track User, Steal Information, Reconfigure Device, Send Content, and Adware/Annoyance.
Information stealing tops the list of activities carried out by mobile malware, with 32 percent of all threats recording some sort of information in 2012.
Mobile Threats by Device Type in 2012 (Source: Symantec)
Device Type             Number of Threats
Android malware         103
Symbian malware         3
Windows Mobile malware  1
iOS malware             1

In contrast to vulnerabilities, Android was by far the most commonly targeted mobile platform in 2012, comprising 103 out of 108 unique threats.

Cumulative Mobile Android Malware, Families and Variants 2010 to 2012 (Source: Symantec): chart of cumulative Android malware families (up to about 200) and cumulative variants (up to about 5,000), January 2010 to January 2012.
• 2012 saw a 58 percent increase in mobile malware families compared to 2011. The year's total now accounts for 59 percent of all malware to date.
• At the same time the number of variants within each family has increased dramatically, from an average ratio of variants per family of 5:1 in 2011 to 38:1 in 2012. This indicates that threat authors are spending more time repackaging or making minor changes to their threats, in order to spread them further and avoid detection.
Analysis

Spam and Phishing Move to Social Media

In the last few years, we've seen a significant increase in spam and phishing on social media sites. Criminals follow users to popular sites. As Facebook and Twitter have grown in popularity for users, they have also attracted more criminal activity. However, in the last year, online criminals have also started targeting newer, fast-growing sites such as Instagram, Pinterest, and Tumblr.

Typical threats include fake gift cards and survey scams. These kinds of fake offer scams account for more than half (56 percent) of all social media attacks. For example, in one scam the victim sees a post on somebody's Facebook wall or on their Pinterest feeds (where content appears from the people they follow or in specific categories) that says "Click here for a $100 gift card." When the user clicks on the link, they go to a website where they are asked to sign up for any number of offers, turning over personal details in the process. The spammers get a fee for each registration and, of course, there's no gift card at the end of the process.

Figure: Typical social media scam.
Figure: Fake website with bogus survey.

Mobile Vulnerabilities by OS (Source: Symantec)
Platform         Documented Vulnerabilities
Apple iOS        387
Android          13
BlackBerry       13
Nokia            0
LG Electronics   0
Windows Mobile   2

The vast majority of vulnerabilities on mobile systems were on the iOS platform. However, the higher number of vulnerabilities is not indicative of a higher level of threat, because most mobile threats have not used software vulnerabilities.
We also documented a similar spam campaign on the popular photo-sharing app Instagram.[17]

Another trick is to use a fake website to persuade a victim to reveal their personal details and passwords; for example, their Facebook or Twitter account information. These phishing scams are insidious and often exploit people's fascination with celebrities such as professional athletes, film stars, or singers. We have seen an increase in phishing scams that target specific countries and their celebrities.

In 2012, we have seen ever more threats targeted on social media websites as well as more and more new channels and platforms opening up, especially those that are available only as mobile applications. It is likely that these mobile social channels will become more targeted in 2013, especially those that are aimed specifically at teenagers and young adults, who may not know how to recognize such attacks and may be a little freer with their personal details.

Figure: Phishing site spoofing a social networking site promoting soccer star Lionel Messi.
Mobile Threats

In the last year, we have seen a further increase in mobile malware. This correlates with increasing numbers of Internet-connected mobile devices. Android has a 72 percent market share, with Apple® iOS a distant second with 14 percent, according to Gartner.[18] As a result of its market share and more open development environment, Android is the main target for mobile threats.

Typically, people use phones to store personal information and contact information, and increasingly they have high-speed Internet connections. The smartphone has become a powerful computer in its own right, and this makes them attractive devices to criminals. They also have the added advantage of being tied to a payment system—the owner's phone contract—which means that they offer additional ways for criminals to siphon off money from the victim.

We've seen a big rise in all kinds of mobile phone attacks:
• Android threats were more commonly found in Eastern Europe and Asia; however, during the last year, the number of Android threats in the rest of Europe and the United States has increased.
• Privacy leaks that disclose personal information, including the release of surveillance software designed to covertly transmit the owner's location.[19]
• Premium number fraud, where malicious apps send expensive text messages. This is the quickest way to make money from mobile malware. One mobile botnet Symantec observed used fake mobile apps to infect users, and by our calculation the botmaster is generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year.[20]
• Mobile botnets. Just as spammers have linked networks of PCs into botnets to send out unwanted email, now criminals have begun using Android botnets the same way.[21] This suggests that attackers are adapting techniques used on PCs to work on smartphones.

Historically, malware infected smartphones through rogue app markets and users sideloading apps directly onto their devices. However, legitimate app stores are not immune. In 2012, we saw rogue software masquerading as popular games on the Google® Play market, having bypassed Google's automated screening process.[22]

Businesses are increasingly allowing staff to "bring your own device" (BYOD) to work, either by allowing them to use personal computers, tablets, or smartphones for work, or even subsidizing their purchase. Even when companies provide their own equipment, the trend towards consumerization means that companies often turn to consumer technology, such as file-sharing websites, and devices, such as consumer laptops or tablets, to reduce costs. These two trends open the door to a greater risk to businesses from mobile devices because they often lack security features such as encryption, access control, and manageability.

We have seen far more vulnerabilities for the iOS platform, which makes up 93 percent of those published, than for Android in 2012, and yet Android dominates the malware landscape, with 97 percent of new threats.

While seemingly contradictory at first, there is a good reason for this: jailbreaking iOS devices. In order to install applications that are not available on the Apple App Store, a user must run an exploit against a vulnerability in the software. While not the safest approach from a security standpoint, this is the only way to install applications that are not available through the Apple App Store.

In contrast, the Android platform provides the option to install apps from unofficial markets by simply changing settings in the operating system. Since no exploit is needed, the same incentives aren't present as there are on iOS. Android users are vulnerable to a whole host of threats; however, very few have utilized vulnerabilities to spread threats.

While Android clocks in with 103 threats in 2012, this number may appear small compared to other estimates on the scope of the mobile threat landscape. Many estimates are larger because they provide a count of overall variants, as opposed to new, unique threats. While many of these variants have simply undergone minor changes in an attempt to avoid detection by antivirus scanners, Symantec counted at least 3,906 different mobile variants for the year.

There's an important distinction between old and new Android versions regarding security features. Google added a feature in Android version 4.x to allow users to block any particular app from pushing notifications into the status bar. This came in response to feedback from users of older versions, annoyed by ad platforms that push notifications to the status bar.

Also, due to the rise of threats that silently send premium text messages—Android.Opfake, Android.Premiumtext, Android.Positmob, and Android.Rufraud, for instance—Google added a feature in Android 4.2 to prompt the user to confirm sending such premium text messages. This can be very helpful in protecting most users.

However, at around 10 percent market penetration at the end of 2012,[23] Android 4.2 devices account only for a small percentage of the total devices out there. The Android ecosystem makes it harder to keep everyone up to date. Google releases the official platform, which works out of the box only on Nexus devices—Google's own branded device. From there each manufacturer modifies and releases its own platform, which is in turn picked up by mobile network operators who also customize those platforms.

This makes it impossible for any change coming from Google to be quickly available to all in-field devices. Any change to the platform requires thorough testing by each manufacturer and then each operator, all adding to the time needed to reach users. Having so many device models also multiplies the amount of resources all these companies have to allocate for each update, leading to infrequently released updates or in some cases no updates for older devices.

For most exploits in the OS, Google released quick fixes; however, users still had long waits before they received the fix from their network operators. Some exploits are not in the original OS itself but in the custom modifications made by manufacturers, such as the exploit for Samsung models that appeared in 2012. Samsung was quick to fix it, but the fix still had to propagate through network operators to reach users.

Tighter control from Google over the platform can solve some of the "fragmentation" issues, but this could affect the relationship it has with manufacturers. A cut-off point for older Android users could help to mitigate the risk, but it is usually the manufacturers that do this.

Cloud Computing Risks

The cloud services market was expected to grow by 20 percent in 2012, according to Gartner.[24] Cloud computing promises businesses a way to enhance their IT without heavy upfront capital costs and, for smaller businesses, it offers access to enterprise-class business software at an affordable price.
On a fundamental level, it offers huge and growing economies of scale as Internet bandwidth and processing power continue to increase rapidly.

Cloud computing offers some potential security benefits, especially for smaller companies without dedicated IT security staff. Well-run cloud applications are more likely to be patched and updated efficiently. They are also more likely to be resilient, secure, and backed up than on-premises systems.

However, cloud computing presents some security concerns, too:
• Privacy. Well-run cloud companies will have strong policies about who can access customer data (for example, for troubleshooting) and under what circumstances. Information should only be entrusted to a third party over the Internet where there is sufficient assurance as to how that data will be managed and accessed.
• Data Liberation. Cloud computing businesses make it easy to get started, and reputable companies make it easy to extract your data (for example, archived emails or customer records) if you want to change providers. Before entrusting their data to a cloud provider, potential users should fully evaluate the terms and conditions of extracting and recovering that data at a later date.
• Eggs in One Basket. As we have seen from large-scale data breaches in the last few years, attackers tend to go where they can score the most data for the least effort. If a cloud services provider stores confidential information for a large number of customers, it becomes a bigger target for attackers. A single breach at a cloud provider could be a gold mine of personal data for an attacker.
• Consumerization. Companies face a significant risk of accidental or deliberate data loss when their employees use unapproved cloud systems on an ad-hoc basis. For example, if company policies make it difficult to email large files to third parties, employees may decide to use free online file sharing applications instead. The risk is that these systems may fall short of company standards for security. For example, one popular file-sharing site left all its user accounts unlocked for four hours.[25] In addition, where employees use unauthorized cloud applications for their work, such as social networking sites for marketing purposes, they open up the company to attack from Web-based malware.
• Infrastructure. Although not in the wild, there is a theoretical risk that in a virtualized, multi-tenant architecture, a malicious user could rent a virtual machine and use it to launch an attack against the system by exploiting a vulnerability in the underlying hypervisor, and use this to gain access to other virtual machines running in the same environment. Consideration should also be given to data encryption within the virtual machine to minimize the risk from unauthorized access to the physical hard disks.
Recommendations

Social Media Threats Are a Business Issue.
Companies are often unwilling to block access to social media sites altogether, but they need to find ways to protect themselves against Web-based malware on these and other sites. This means multi-layer security software at the gateway and on client PCs. It also requires aggressive patching and updating to reduce the risk of drive-by infections. Lastly, user education and clear policies are essential, especially regarding the amount of personal information users disclose online.

Cloud Security Advice.[26]
Carry out a full risk assessment before signing up. Secure your own information and identities. Implement a strong governance framework.

Protect Your Mobile Devices.
Consider installing security software on mobile devices. Also, users need to be educated about the risks of downloading rogue applications and how to use their privacy and permission settings. For company-provided devices, consider locking them down and preventing the installation of unapproved applications altogether.
Malware, spam, and phishing

Introduction

Malware, spam, and social engineering continue to be massive, chronic problems. Although they have been around for a long time, attacks continue to evolve and they still have the potential to do serious damage to consumers and businesses.

In addition, they hurt everyone by undermining confidence in the Internet. These chronic threats do not get much news coverage because they are "background noise," but that doesn't mean that they are unimportant. A useful comparison is the difference between plane crashes and car crashes. A single plane crash makes the national news, but the daily death toll on the roads goes unreported despite killing significantly more people each year.[27]

The popularity of ransomware is an example of all these themes. It permanently locks people out of their computer unless they pay a swingeing "fine" to the perpetrators. It's corrosive to trust, expensive to remedy, and reveals a new level of ruthlessness and sophistication.

The numbers are telling. In one example, malware called Reveton (aka Trojan.Ransomlock.G) was detected attempting to infect 500,000 computers over a period of 18 days. According to a recent Symantec survey of 13,000 adults in 24 countries, average losses per cybercrime incident are $197.[28] In the last 12 months an estimated 556 million adults worldwide experienced some form of cybercrime.

At a Glance
• With ransomware, malware has become more vicious and more profitable.
• Email spam volumes fall again, down 29 percent in 2012, as spammers move to social media.
• Phishing becomes more sophisticated and targets social networking sites.

Figure: Irreversible ransomware locks people out of their computer unless they pay a "fine," which in most cases does not unlock the computer.
Data

Spam

Spam rates declined for a second year in a row, dropping from 75 percent of all email in 2011 to 69 percent in 2012. In 2011 we were reluctant to call this decrease in spam a permanent trend: botnets can be rebuilt, and new ones created. But several factors appear to be keeping spam rates lower than in previous years.

The takedowns of spam botnets continued in 2012. In March 2012 a resurrected Kelihos botnet was taken down for a second time. In July the Grum botnet was taken down. While both were significant spam botnets and contributed to the reduction in spam, email spammers are undoubtedly still feeling the pain of the botnet takedowns of 2011.

Additionally, pharmaceutical spam continues to decline, apparently unable to recover from the loss of the major players in the online pharmaceutical business.[29] Given advancements in anti-spam technology, plus the migration of many users to social networks as a means of communication, spammers may be diversifying in order to stay in business.

This is not to say that the problem of spam has been solved. At 69 percent of all email, it still represents a significant amount of unwanted messages.

As email spam rates continue to decline, we see the same social engineering techniques that were used in email spam campaigns increasingly being adopted in spam promoted through social networking channels.

Top 5 Activity for Spam Destination by Geography
Country          Spam rate
Saudi Arabia     79%
Bulgaria         76%
Chile            74%
Hungary          74%
China            73%

Top 5 Activity for Spam Destination by Industry
Industry                   Spam rate
Marketing/Media            69%
Manufacturing              69%
Recreation                 69%
Agriculture                69%
Chemical/Pharmaceutical    69%

Spam Destination by Company Size
Organization size   Spam rate
1-250               68%
251-500             68%
501-1,000           68%
1,001-1,500         69%
1,501-2,500         69%
2,501+              68%
The overall average global spam rate for 2012 was 69 percent, compared with 75 percent in 2011.

[Figure: Global Spam Rate – 2012 vs 2011, monthly, January to December (percent of all email). Source: Symantec]

[Figure: Global Spam Volume Per Day in 2012, monthly, January to December (billions of messages). Source: Symantec]
• Spam volumes were highest in August.
• The estimated projection of global spam volumes decreased by 29 percent, from 42 billion spam emails per day in 2011 to 30 billion in 2012.
[Figure: Pharmaceutical Spam – 2012 vs 2011, monthly, January to December (percent of all spam). Source: Symantec]
• Pharmaceutical spam makes up 21 percent of all spam, but was overtaken by the Adult/Sex/Dating category, which now makes up 55 percent of spam.
• Pharmaceutical spam in 2012 declined by approximately 19 percentage points compared with 2011.

[Figure: Adult/Sex/Dating Spam – 2012 vs 2011, monthly, January to December (percent of all spam). Source: Symantec]
• Adult/Sex/Dating spam in 2012 increased by approximately 40 percentage points compared with 2011.
• This suggests an almost direct correlation between the decline in pharmaceutical spam and the increase in dating spam.
• The proportion of adult/sex/dating spam was greater in 2012 than that of pharmaceutical spam in 2011, but the actual volume of adult/sex/dating spam in 2012 was lower than that of pharmaceutical spam in 2011, since overall spam volumes were lower in 2012 than in the previous year.
Phishing

Email phishing rates are also down this year, from one in 299 emails in 2011 to one in 414 in 2012.

The decline in the use of email as a method to spread spam and carry out phishing attacks does not likely indicate a drop in activity by attackers. Rather, it appears that we are seeing a shift in activity from email to other forms of online communication, such as social networks.

[Figure: Phishing Rate – 2012 vs 2011, monthly, January to December (1 in N emails). Source: Symantec]
• Phishing rates dropped drastically in 2012; in many months the rate was less than half that of the same month in the previous year.
• The overall average phishing rate for 2012 was 1 in 414 emails, compared with 1 in 299 in 2011.

Top 5 Activity for Phishing Destination by Geography
Country          Phishing rate
Netherlands      1 in 123
South Africa     1 in 177
United Kingdom   1 in 191
Denmark          1 in 374
China            1 in 382

Phishing Destination by Company Size
Company size    Phishing rate
1-250           1 in 294
251-500         1 in 501
501-1,000       1 in 671
1,001-1,500     1 in 607
1,501-2,500     1 in 739
2,501+          1 in 346

Top 5 Activity for Phishing Destination by Industry
Industry                  Phishing rate
Public Sector             1 in 95
Finance                   1 in 211
Education                 1 in 223
Accommodation/Catering    1 in 297
Marketing/Media           1 in 355
Malware

One in 291 emails contained a virus in 2012, down from one in 239 in 2011. Of that email-borne malware, 23 percent contained URLs that pointed to malicious websites. This is also down from 2011, when 39 percent of email-borne malware contained a link to a malicious website.

Much like the drop in spam and phishing rates, a drop in emails that contain viruses does not necessarily mean that attackers have stopped targeting users. Rather, it more likely points to a shift in tactics, targeting other online activities, such as social networking.

Top 5 Activity for Malware Destination by Industry
Industry                 Malware rate
Public Sector            1 in 72
Education                1 in 163
Finance                  1 in 218
Marketing/Media          1 in 235
Accommodation/Catering   1 in 236

Malware Destination by Company Size
Company size    Malware rate
1-250           1 in 299
251-500         1 in 325
501-1,000       1 in 314
1,001-1,500     1 in 295
1,501-2,500     1 in 42
2,501+          1 in 252

Top 5 Activity for Malware Destination by Geography
Country          Malware rate
Netherlands      1 in 108
Luxembourg       1 in 144
United Kingdom   1 in 163
South Africa     1 in 178
Germany          1 in 196

[Figure: Proportion of Email Traffic in Which Virus Was Detected – 2012 vs 2011, monthly, January to December (1 in N emails). Source: Symantec]
• Overall numbers declined, with one in 291 emails containing a virus.
• In 2011, the average rate for email-borne malware was 1 in 239.
[Figure: Proportion of Email Traffic Containing URL Malware – 2012 vs 2011, monthly, January to December (percent of email malware). Source: Symantec]
• Emails that contained a malicious URL dropped significantly in 2012. In some months the rate was less than half that of the same month in 2011.
• In 2012, approximately 23 percent of email malware contained a URL rather than an attachment, compared with 39 percent in 2011.

[Figure: Website Malware Blocked Per Day, monthly, July 2011 to December 2012 (thousands of attacks blocked per day). Source: Symantec]
• In 2012, approximately 247,350 Web-based attacks were blocked each day.
• In 2011, this figure was approximately 190,370 per day. This represents an increase of 30 percent.
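The split the report draws above, between email malware delivered as an attachment and email malware delivered as a link to a malicious site, is something a mail-gateway analyst reproduces from raw messages. The following is an added example written for this edition, not Symantec's own tooling: it parses RFC 5322 messages with the Python standard library, classifies each as attachment-borne, URL-borne or clean, and tallies the "1 in N" rate and the URL share the figures use. The three sample messages, the blocklisted hostnames and the risky-extension list are constructed for the example.

```python
"""Triage email-borne malware into the two delivery classes the report tracks.

Added example for this edition of the report; the sample messages, the
blocklist and the extension list are constructed by the editor, not Symantec data.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed: attachment types a gateway would quarantine on sight.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs", ".jar", ".zip"}
# Assumed: hosts already known to serve malware (a real deployment feeds this from threat intel).
BLOCKLISTED_HOSTS = {"update-flash.example", "track-parcel.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def classify(raw):
    """Return 'attachment', 'url' or 'clean' for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    # Attachment check first: walk every MIME part and look at the declared filename.
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXT):
            return "attachment"
    # Otherwise gather the human-readable bodies and look for links to blocklisted hosts.
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()
    for url in URL_RE.findall(text):
        if (urlparse(url).hostname or "").lower() in BLOCKLISTED_HOSTS:
            return "url"
    return "clean"


def tally(messages):
    """Counts per class, the '1 in N' malware rate, and the share delivered by URL."""
    counts = {"attachment": 0, "url": 0, "clean": 0}
    for raw in messages:
        counts[classify(raw)] += 1
    malicious = counts["attachment"] + counts["url"]
    rate = round(len(messages) / malicious) if malicious else None
    url_share = counts["url"] / malicious if malicious else 0.0
    return counts, rate, url_share


# Constructed sample messages (not real traffic).
MSG_ATTACHMENT = """\
From: courier@track-parcel.example
To: bob@corp.example
Subject: Your parcel
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your delivery label is attached.
--b1
Content-Type: application/zip; name="label.zip"
Content-Disposition: attachment; filename="label.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

MSG_URL = """\
From: it@corp.example
To: bob@corp.example
Subject: Flash update required
Content-Type: text/plain

Please install the update at http://update-flash.example/player.exe before Friday.
"""

MSG_CLEAN = """\
From: alice@corp.example
To: bob@corp.example
Subject: Lunch
Content-Type: text/plain

See the menu at https://www.cafe.example/menu and reply by noon.
"""

SAMPLE_MAILBOX = [MSG_ATTACHMENT, MSG_URL, MSG_CLEAN, MSG_CLEAN]

if __name__ == "__main__":
    print(tally(SAMPLE_MAILBOX))
```

On the four constructed messages this yields one attachment-borne and one URL-borne sample, a rate of 1 in 2, and a URL share of 50 percent; on a real mailbox the same two functions give the figures the report charts. Note that the attachment test runs before the URL test, so a message carrying both counts as attachment-borne, which matches how the report phrases the split ("a URL rather than an attachment").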
Website Exploits by Type of Website

Based on Norton Safe Web data, from the Symantec technology that scans the Web looking for websites hosting malware, we've determined that 61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.

We see Business, which covers consumer and industrial goods and service sectors, at the forefront this year. This could be due to the contribution of compromised sites from many SMBs that do not invest in appropriate resources to protect them. Hacking, which includes sites that promote or provide the means to carry out hacking activities, jumped to second, though it didn't appear in the top 15 in 2011.

Although the Technology and Telecommunication category, which provides information pertaining to computers, the Internet and telecommunication, ranks third this year, it accounts for 5.7 percent of the total compromised sites, only a 1.2 percentage point drop from 2011. Shopping sites, which provide the means to purchase products or services online, remain in the top five, but Shopping sees a drop of 4.1 percentage points.

It is interesting to note that Hosting, which ranked second in 2011, has moved down to seventh this year. This covers services that provide individuals or organizations access to online systems for websites or storage. Given the increase in reliable and free cloud-based hosting solutions, provided by the likes of Google, Dropbox and others, we see usage moving away from unreliable hosting solutions, which could have contributed towards the drop. Blogging has also experienced a significant drop in 2012, moving down to fourth position. This could support the theory that people are moving towards social networking and exchanging information through such networks. Malware developers find it easy to insert malicious code in such sites and spread it using various means.

Website Exploits by Type of Website (Source: Symantec)
Rank   Top domain categories exploited, by number of sites   Infected sites / total infected sites
1      Business                              7.7%
2      Hacking                               7.6%
3      Technology and Telecommunication      5.7%
4      Blogging                              4.5%
5      Shopping                              3.6%
6      Known Malware Domain                  2.6%
7      Hosting                               2.3%
8      Automotive                            1.9%
9      Health                                1.7%
10     Educational                           1.7%

Top 10 Malware in 2012 (Source: Symantec)
Rank   Malware name      %
1      W32.Sality.AE     6.9%
2      W32.Ramnit.B      5.1%
3      W32.Downadup.B    4.4%
4      W32.Virut.CF      2.2%
5      W32.SillyFDC      1.1%
6      W32.Mabezat.B     1.1%
7      W32.Xpaj.B        0.6%
8      W32.Changeup      0.6%
9      W32.Downadup      0.5%
10     W32.Imaut         0.4%
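Because 61 percent of malicious sites are legitimate sites with code inserted by an attacker, a site owner's first line of defence is to notice the insertion. The following is an added example for this edition, not Norton Safe Web or any Symantec scanner: a small heuristic pass over fetched HTML that flags the two signatures an injection most often leaves, a hidden or one-pixel iframe pointing at an attack kit, and an inline script that runs `eval`/`unescape`/`document.write` over a long run of escaped bytes or otherwise high-entropy text. The thresholds, the regular expressions and the two sample pages are the editor's constructed assumptions.

```python
"""Heuristic scan of a fetched page for injected drive-by content.

Added example for this edition of the report; the heuristics and the sample
pages are constructed by the editor and are not Symantec's scanner.
"""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _shannon_entropy(text):
    """Bits per character. Base64-like encoded blobs sit well above ordinary JavaScript."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# The classic injected loader: a decode-and-execute call over an escaped payload.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
# Eight or more consecutive %xx, \xNN or \uNNNN escapes (assumed threshold).
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)
ENTROPY_THRESHOLD = 5.0  # assumed; plain JS is usually below this


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # (kind, evidence) pairs
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            w = a.get("width", "").strip().rstrip("px")
            h = a.get("height", "").strip().rstrip("px")
            tiny = w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src", "")
            host = urlparse(src).hostname or ""
            # A script pulled from a host that is neither the page's nor one of its subdomains.
            if host and host != self.page_host and not host.endswith("." + self.page_host):
                self.findings.append(("third_party_script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body) and (
                ESCAPED_RUN.search(body) or _shannon_entropy(body) > ENTROPY_THRESHOLD
            ):
                self.findings.append(("obfuscated_script", body[:40]))
            self._in_script = False


def scan_page(page_url, html):
    """Return the list of (kind, evidence) findings for one fetched page."""
    scanner = InjectionScanner(urlparse(page_url).hostname or "")
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a small-business page with an injected iframe and loader.
SAMPLE_PAGE = """
<html><head><title>Acme Plumbing</title>
<script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1><p>Call us today.</p>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%3e%27%29"));</script>
</body></html>
"""
# Constructed sample: the same kind of page with nothing injected.
CLEAN_PAGE = "<html><body><p>Hello</p><script>var x = 1 + 2;</script></body></html>"

if __name__ == "__main__":
    for finding in scan_page("http://acme-plumbing.example/", SAMPLE_PAGE):
        print(finding)
```

Run against a copy of your own site's pages, the scanner reports the hidden iframe and the obfuscated loader on the infected sample and nothing on the clean one. The third-party script check is the noisiest of the three (analytics and ad tags trigger it by design), which is why it is recorded as its own finding kind rather than folded into the others; a real deployment would diff the list of external script hosts against the ones the site is expected to load.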
Analysis

Macs Under Attack

Historically, Mac users have felt less vulnerable to malware than PC users. As Apple has gained market share, Macs have become a more attractive target. In fact, 2012 saw the first significant Mac malware outbreak. The Flashback attack exploited a vulnerability in Java to create a cross-platform threat.[30] It was incorporated into the Blackhole attack toolkit and used by criminals to infect 600,000 Macs,[31] which is approximately one Mac in 100. Like more and more attacks in 2012, as discussed in the "Web Attack Toolkits" section, it spread when users visited infected websites. Although the Flashback malware was mainly used for advertising click fraud, it had other capabilities, such as giving hackers remote access to infected computers.[32] Because most Mac users do not have antivirus software, the chances of detection, once infected, were small.

Does this indicate that hackers are going to start paying further attention to Macintosh computers as a platform to target? Not necessarily. While Mac users may encounter an occasional threat here or there, the vast majority of what they encounter is malware aimed at Windows computers. In fact, of all the threats encountered by Symantec customers who used Mac computers in the last quarter of 2012, only 2.5 percent were actually written specifically for Macs.

This isn't to say that Macs are a safer alternative to PCs; as we've seen, they're just as susceptible to attacks. There were more threats created specifically for the Mac in 2012 than in years past, and the trend appears to be rising.

[Figure: Mac-specific Threats by Year, 2007 to 2012 (number of Mac threat families per year; 10 Mac threat families in 2012). Source: Symantec]
There were more unique threats for OS X in 2012 than in any previous year.
Rise of Ransomware

Ransomware became a bigger challenge in 2012 as its popularity among malware authors increased. Unlike scareware, which encouraged you to buy fake antivirus protection, ransomware simply locks your computer and demands a release fee. The malware is often quite sophisticated and difficult to remove, and in some cases it persists in safe mode, blocking attempts at remote support.

Victims usually end up with ransomware through drive-by downloads: they are silently infected while visiting websites that host Web attack toolkits. These are often legitimate sites that have been compromised by hackers who insert the malicious download code. Another source of infection is malvertisements, where criminals buy advertising space on legitimate websites and use it to hide their attack code, as discussed in the malvertisement section.

The perpetrators use social engineering to increase the chances of payment. The locking screen often contains a fake warning from local law enforcement, and the ransom is presented as a fine for criminal activity online. In some cases, ransomware also takes a photo of the victim using a webcam and displays this image in the locking screen, which can be unnerving for victims.

Criminals use anonymous money transfer systems or prepaid credit cards to receive the payments. The ransom typically ranges between $50 and $400. In many cases, payment doesn't unlock the computer. Symantec monitored a ransomware command and control server and saw 5,300 computers infected. About three percent of victims paid the ransom, which netted the criminals about $30,000.

[Figure: Typical ransomware locking screen showing a fake police warning.]
Long-term Stealthy Malware

Internet criminals are also making money from malware that stays hidden on victims' computers. Operating in botnets of many thousands of computers acting collectively, these stealthy programs send out spam or generate bogus clicks on website advertisements (which generate referral income for the site owners). These techniques don't generate rapid returns like ransomware; however, they are much less likely to be discovered and, thanks to clever coding, are more difficult to remove. Consequently, they can generate a constant stream of revenue over time.

Email Spam Volume Down

After decreases in 2011, this year saw a further reduction in the volume of email spam, from 75 percent of all email messages to 69 percent. There are several reasons for this. First, law enforcement action has closed down several botnets, reducing the number of messages being sent.[33] Second, spammers are increasingly redirecting their efforts to social media sites instead of email. Lastly, spammers are improving the quality and targeting of their spam messages in an effort to bypass filters, and this has led to a reduction in the overall numbers being sent.

Advanced Phishing

While spam declined in 2012, phishing has grown more sophisticated and has spread beyond email. Phishers are using very sophisticated fake websites, in some cases perfect replicas of real sites, to trick victims into revealing personal information, passwords, credit card details, and bank credentials. In the past they relied more on fake emails, but now those emails, coupled with similar links posted on social media sites, are used to lure the victim to these more advanced phishing websites.

Typical fake sites include banks and credit card companies, as you'd expect, but also popular social media sites.
The number of phishing sites that spoofed social network sites increased 123 percent in 2012.

If criminals can capture your social media login details, they can use your account to send phishing messages to all your friends. A message that seems to come from a friend appears much more trustworthy. Another way to use a compromised social media account is to send a fake message to someone's friends about some kind of emergency. For example: "Help! I'm stuck overseas and my wallet has been stolen. Please send $200 as soon as possible."

In an attempt to bypass security and filtering software, criminals use complex website addresses and nested URL shortening services. They also use social engineering to motivate victims to click on links. In the last year, they have focused their messages around celebrities, movies, sports personalities, and attractive gadgets such as smartphones and tablets. The number of phishing websites that used SSL certificates in an attempt to lull victims into a false sense of security increased by 46 percent in 2012 compared with the previous year.

We saw a significant (threefold) rise in non-English phishing in 2012. In particular, we saw a significant increase in South Korea. The non-English languages with the highest number of phishing sites were French, Italian, Portuguese, Chinese, and Spanish.
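The three evasions named above, complex addresses, nested shortener hops, and an SSL certificate on the landing page, can all be checked before a link is clicked. The following is an added example for this edition, not Symantec's code: it follows a redirect chain, counts shortener hops, tests whether a brand name appears in a hostname whose registrable domain is not the brand's, and records that HTTPS on such a host is a warning rather than a reassurance. It runs offline against a constructed redirect map that stands in for the HTTP 30x responses a live check would collect one hop at a time (with automatic redirect-following disabled); the shortener list, the brand table and the sample chain are the editor's assumptions.

```python
"""Pre-click triage of a link from a social-media post or email.

Added example for this edition of the report; the shortener list, brand table and
redirect map are constructed by the editor and are not Symantec data.
"""
from urllib.parse import urlparse

# Assumed: hostnames of public URL shorteners (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Assumed: brand keyword -> the registrable domain its real sites live under.
BRANDS = {"facebook": "facebook.com", "twitter": "twitter.com", "paypal": "paypal.com"}

# Constructed stand-in for live 30x responses: key redirects once to value;
# a URL absent from the map is a landing page.
REDIRECTS = {
    "http://bit.ly/2xYz": "http://t.co/AbC",
    "http://t.co/AbC": "https://facebook.com.secure-login.example/verify?acct=1",
}


def registrable(host):
    """Last two labels of the host. Crude (no public-suffix list) but enough to
    separate 'facebook.com' from 'facebook.com.secure-login.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def follow(url, redirects, max_hops=10):
    """Ordered hop list from the first URL to the landing page.
    Stops on a loop or after max_hops so a malicious chain cannot spin us forever."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def analyze(url, redirects=REDIRECTS):
    """Flags for one link: nested shorteners, brand lookalike host, HTTPS on a suspicious host."""
    chain = follow(url, redirects)
    hosts = [urlparse(u).hostname or "" for u in chain]
    shortener_hops = sum(1 for h in hosts if h in SHORTENERS)
    landing = urlparse(chain[-1])
    landing_host = landing.hostname or ""
    flags = []
    if shortener_hops >= 2:
        flags.append("nested_shorteners")
    for brand, real_domain in BRANDS.items():
        # Brand name present in the host, but the host does not belong to the brand.
        if brand in landing_host and registrable(landing_host) != real_domain:
            flags.append("brand_lookalike:" + brand)
    if landing.scheme == "https" and flags:
        # A certificate proves the connection is encrypted, not that the site is genuine.
        flags.append("https_on_suspicious_host")
    return {
        "chain": chain,
        "shortener_hops": shortener_hops,
        "landing_host": landing_host,
        "flags": flags,
    }


if __name__ == "__main__":
    print(analyze("http://bit.ly/2xYz"))
    print(analyze("https://www.facebook.com/login"))
```

On the constructed chain the link passes through two shorteners and lands on an HTTPS host that contains "facebook" but is registered under a different domain, so all three flags fire; the genuine login URL produces none. The `registrable` helper deliberately ignores country-code second-level domains, so a production version should use a public-suffix list, and the brand table should come from the organisation's own list of impersonated properties.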
Recommendations

Protect Yourself Against Social Engineering.
For individuals as well as for businesses, it's essential that people learn to spot the telltale signs of social engineering, which can include: undue pressure, titillation or a false sense of urgency; an offer that is literally too good to be true; bogus "officialese" in an attempt to make something look authentic (for example, lengthy reference numbers); implausible pretexts (for example, a Microsoft "representative" calls to tell you that your computer has a virus); and false quid-pro-quo offers (for example, receive a free gift when you provide personal or confidential information).

Avoid Ransomware.
Avoid marginal websites and, in particular, pirated software and adult sites. Do not install unsolicited plug-ins or executables if prompted to do so, even on legitimate websites. Consider using advertising blocker software in your browser. Ensure that your computer is up to date with the latest patches and updates to increase your resistance to drive-by Web infections. Keep backups and recovery disks so you can unlock your computer in an emergency. And, of course, have effective, up-to-date security software.

Think Before You Click.
That unsolicited email from a known acquaintance, such as your mother or coworker, may not be legitimate. Their account may have been compromised if they've fallen for a social engineering trick.

Antivirus on Endpoints Is Not Enough.
On endpoints (desktops/laptops), signature-based antivirus alone is not enough to protect against today's threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection, including:
• Endpoint intrusion prevention that prevents unpatched vulnerabilities from being exploited, protects against social engineering attacks, and stops malware from ever making it onto endpoints;
• Browser protection against obfuscated Web-based attacks;
• Heuristic file-based malware prevention to provide more intelligent protection against unknown threats;
• File- and Web-based reputation solutions that provide a risk-and-reputation rating of any application and website, to prevent rapidly mutating and polymorphic malware;
• Behavioral prevention capabilities that look at the behavior of applications and malware and block malicious behavior;
• Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
• Device control settings that prevent or limit the types of USB devices that can be used.