GriftHorse money-stealing trojan takes 10M Android users for a ride - Roen Branham
Watch the full episode on Youtube: https://youtu.be/M5Gsjwsnxtg
More than 10 million Android users have been saddled with a malware called GriftHorse that’s trojanizing various applications and secretly subscribing victims to premium mobile services – a type of billing fraud that researchers categorize as “fleeceware.”
Zimperium uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing, researchers said. In either case, once installed, they lead to victims being billed for premium services – but phone-owners are usually none the wiser until they take a look at their mobile bills.
This report belongs solely to Symantec. Credit is due to all original authors and no financial gain was made from the report; it is simply shared for educational purposes. Company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
This brief presentation gives you a quick overview on how the Cyber Threat Landscape is shaping up in 2017 for individuals and business owners alike. It puts forth some important trends and predictions.
Security Weekly, September 28 - October 4, 2021 - Roen Branham
Watch the full episode on Youtube: https://youtu.be/Tl3pVMaCN60
We review the Cyber Security news events that happened from September 28 - October 4, 2021.
Symantec's Internet Security Threat Report for the Government Sector - Symantec
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 60,000 recorded vulnerabilities (spanning more than two decades) from over 19,000 vendors representing over 54,000 products.
Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8.4 billion email messages are processed each month and more than 1.7 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers.
Symantec Trust Services provides 100 percent availability and processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their systems effectively now and into the future.
Symantec's Internet Security Threat Report, Volume 18 revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
Symantec Internet Security Threat Report: 2011 Trends, Volume 17, April 2012 - Symantec
Symantec's 2011 Internet Security Threat Report, Volume 17 shows that while the number of vulnerabilities decreased by 20 percent, the number of malicious attacks continued to skyrocket by 81 percent. In addition, the report highlights that advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Symantec Intelligence Report - Oct 2015 - CheapSSLUSA
Explore this PDF for the Symantec Intelligence Report for October 2015 from the Symantec Global Intelligence Network.
Enjoy this report and feel free to contact us with any comments or feedback.
Key points to note from this report:
- The number of new malware
- Spam has been increasing over the last few months
- The Finance, Insurance, & Real Estate sector was the most targeted sector in October
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979 - DICOMOL SL
Please find enclosed our first catalogue, printed in 1979, a few months after our establishment.
___________
Enclosed you will find our first catalogue, printed in 1979, a few months after our opening.
___________
Enclosed you will find our first catalogue, printed in 1979, a few months after our opening.
Ransomware-as-a-Service: The business of distributing cyber attacks - Δρ. Γιώργος K. Κασάπης
Ransomware is proving to be a profitable endeavor for cyber criminals. It is also what is fueling a newer trend: the business of offering management of ransomware attacks, or Ransomware-as-a-Service (RaaS).
Fueled in part by the ability to use cryptocurrency to avoid detection, cyber criminals are setting up shop as managed service providers, helping other cyber criminals conduct business on their platforms for a fee. For that fee, cyber criminal groups get personalized access to platforms, complete with dashboard capabilities, that allow them to easily distribute their ransomware. Technical support is also included. Such full-service offerings mean that nearly anyone with internet access can launch a ransomware attack without any technical knowledge.
And why not? The estimated return on investment from ransomware campaigns can easily reach 1400%. The lure of a lucrative return could well attract beginners or anyone with a grudge. For organizations, the threat coming from a well-backed beginner is as damaging as one coming from a career criminal.
Legal deficiency of cybercrime in Nigeria: need for urgent legal reform (cha... - Gamaliel Olayiwola Fasuyi
This study focuses on the legal framework prohibiting cybercrimes in Nigeria. Cybercrime involves individuals using computers and the internet to commit crime. People across the globe have been technologically transformed to the extent that life depends on technology. The application of ICT covers every facet of human life, and that has led to the birth of unanticipated rates of crime in a borderless form. The paper examines the types of cybercrimes prevalent in Nigeria, the approach of international conventions, and other jurisdictional practices, with a view to keeping the application of the legal framework on cybercrimes abreast of both the Nigerian context and the international community.

The findings of the paper are that Nigerian legislation on the subject acknowledges the existing challenges and is on the right track, but needs to be strengthened to achieve the desired purpose. It further observes that there is no unanimous definition of the concept across jurisdictions, which adds to the challenges of the subject. The study recommends that the recently signed Nigerian Cybercrimes (Prohibition & Prevention) Act 2015 should be actively enforced, with a view to bringing the legal framework on par with other jurisdictions as well as proffering other reforms to enhance cybersecurity in Nigeria.
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted... - eraser Juan José Calderón
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth
Sergio Pastrana (Universidad Carlos III de Madrid), Guillermo Suarez-Tangil (King’s College London)
Abstract: Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e., web-browser cryptojacking, only white papers and commercial reports have partially covered binary-based crypto-mining malware. In this paper, we conduct the largest measurement of crypto-mining malware to date, analyzing approximately 4.4 million malware samples (1 million malicious miners), over a period of twelve years from 2007 to 2018. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns. We then analyze publicly-available payments sent to the wallets from mining-pools as a reward for mining, and estimate profits for the different campaigns.
Our profit analysis reveals campaigns with multi-million earnings, associating over 4.3% of Monero with illicit mining. We analyze the infrastructure related to the different campaigns, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services. We also uncover novel techniques that allow criminals to run successful campaigns.
One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware and its numerous variants, which encrypts the files on a user’s computer and demands that the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.
The Dark Web - Why is the hidden part of the web even more dangerous? - Pierluigi Paganini
Bad Actors (cyber criminals, terrorists, foreign spies) and their Tactics, Techniques, and Procedures (TTPS).
How is the criminal underground in the Dark Web evolving?
The response of law enforcement.
2014 Cybercrime Roundup: The Year of the POS Breach - EMC
This RSA fraud report summarizes cybercrime in 2014 and includes the number of phishing attacks globally, top hosting countries for phishing attacks, the financial impact of global fraud losses, and a monthly highlight.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024) - Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
2. Table of Contents
Overview (page 3)
Digital Laundry (page 4)
Cybercrime (page 5)
Browsing underground: Delving into the Deep Web (page 5)
Malware, vulnerabilities, and hacking (page 9)
The Bitcoin saga (continued) (page 10)
Actions against cybercriminals (page 11)
Hacktivism (page 11)
Mobile Threats (page 12)
General Malware Threats (page 14)
Ransomware (page 19)
Network Threats (page 20)
Web Threats (page 22)
Phishing (page 25)
Spam URLs (page 26)
Messaging Threats (page 27)
Spam volume (page 27)
Spam travels the world via snowshoes (page 30)
Botnet breakdowns (page 31)
Messaging botnet prevalence (page 32)
About the Authors (page 33)
About McAfee Labs (page 33)
McAfee Labs Threats Report: Third Quarter 2013
3. Overview
McAfee Labs researchers have analyzed the threats of the third quarter of 2013. We’ve seen several familiar trends; others are new:
• Steady growth in mobile and overall malware
• A sharp upturn in worldwide spam
• An increase in the use of digital currencies by cybercriminals to maintain anonymity for their illegal activities
• The shutdown of the online market Silk Road, which sold drugs and other illegal products
• The emergence of the “Deep Web,” an online supply for cybercriminals
The McAfee report Digital Laundry: An analysis of online currencies, and their use in cybercrime [1] looks into online currencies and the advantages they offer criminals to buy and sell drugs, malware exploits, and other services without using traceable credit cards or other common forms of payment. Law enforcement and the courts are striking back; but as one currency dies, another takes its place.
Our timeline of significant hacks shows the major criminal activity that took place this quarter. Online currency Bitcoin remained in the news. In addition to our profile in Digital Laundry, we highlight recent Bitcoin events, including hidden attempts to hijack systems to “mine” further Bitcoins and judgments regarding the currency’s legal status.
The shutdown of the online black market Silk Road was a victory for law enforcement. However, at least one similar site sprang up within hours of Silk Road’s disappearance. We examine some of the features of the Deep Web, where online criminals operate mostly unimpeded. It’s disturbing to find weapons, child pornography, and even murder-for-hire available for a price.
Activist hackers defaced sites and inspired counterattacks from their opponents. The Middle East was a busy region for political expression, with the Syrian Electronic Army again making headlines by hacking The New York Times and other targets.
Our count of mobile malware rose by 33 percent this quarter. New malware of all types exceeded 20 million this period, pushing our all-time tally to more than 172 million binaries. New rootkits, which tunnel into systems and remain hidden, doubled in number this quarter. AutoRun threats, often spread via USB drives, remain numerous. Signed malware, which poses as approved legitimate software, continues to set records, increasing by almost 50 percent.
Ransomware, which holds a computer hostage until the victim pays to free it, is a bad problem getting worse. The number of new samples declined a bit from last quarter, but the overall numbers remain very high. Not only do criminals make relatively safe money from this scheme, they often do not remove their malware—leaving the poor victims’ systems as dead as before.
From the McAfee Global Threat Intelligence network we see that browser-based threats, such as hidden iframes and malicious Java code, comprise almost half of the Internet’s malicious activity.
Our analysis of web threats found that the number of new suspicious URLs, many in the United States, increased by 14 percent this quarter. The leading industries suffering phishing attacks are online-auction and financial organizations. Spam levels are rising rapidly: This quarter volume reached 4 trillion messages in September, the highest figure we’ve seen since 2010. We continue to report on the variety of spam subjects and botnet prevalence in selected countries around the world.
4. Digital Laundry
A fresh report from McAfee examines the role that “Internet money” plays in supporting crime. In Digital Laundry: An analysis of online currencies, and their use in cybercrime [2], we learn that recent actions by law enforcement, and the charges brought by prosecutors, add weight to the theory that digital currencies are a key service for criminals to launder money. Before its operations were closed, the Liberty Reserve digital currency service was used to launder US$6 billion, a sum that constituted the largest international money-laundering prosecution in history. However, Liberty Reserve is not the only virtual currency that has been used by criminals, and the proliferation of these services helps fuel the growth in cybercrime and other forms of digital disruption. Further, the challenges facing such currencies go beyond their propensity for use within money laundering—with targeted attacks on financial exchanges, and malware developed to target digital wallets.
Some currencies, such as Bitcoin, allow the creation of new currency through a process known as mining. While initially people used their own computing resources for mining, in June 2011 a JavaScript Bitcoin generator (miner) allowed high-traffic sites to employ visitors’ computers to produce Bitcoins. Although in some cases the site would explain this to visitors, the procedure could be done without their knowledge as well—in effect creating malicious bots. One rogue employee of the E-Sports Entertainment Association installed such a miner on some 14,000 computers to secretly mine Bitcoins.
The European Central Bank (ECB) points out notable differences between virtual currency and electronic money schemes. Electronic money uses a traditional unit of currency and is regulated; virtual currencies are unregulated and use an invented currency.
In the report Redefining Virtual Currency [3], the Yankee Group estimated that the virtual currencies market had grown to US$47.5 billion in 2012, and projected a further increase of 14 percent during the next five years to as much as US$55.4 billion in 2017. The report went on to suggest that this remarkable growth can largely be attributed to the proliferation of mobile devices, which hints at an expanding noncriminal market.
Virtual currencies offer a number of benefits to customers: They are reliable, relatively instant, and anonymous. Even when privacy issues have been raised with particular currencies (notably Bitcoin), the market has responded with extensions to provide greater anonymity. Market response is an important point because regardless of law enforcement actions against virtual currency companies, users quickly identify new platforms to launder their funds; shutting down the leading platform will not solve the problem.
Attempts to close down virtual currency services have historically resulted in criminals simply moving their businesses elsewhere, with the migration to and from Liberty Reserve serving as an example. Despite such an attractive proposition for criminals, global law enforcement is collaborating in its efforts, both internationally and with the private sector, to identify, seize, and arrest those individuals operating such platforms for money laundering.
Virtual currencies will not go away. Despite the apparent challenges posed by denial of service attacks, the use of these exchanges for money laundering, and the facilitation of cybercrime, opportunities also abound for legitimate uses. Ignoring this market opportunity is likely to cost potential legitimate investors significant revenue, but failure to address the potential risks may cost a lot more.
McAfee Labs Threats Report: Third Quarter 2013
Cybercrime
Browsing underground: Delving into the Deep Web
Sefnit botnet
Since mid-August the anonymity network Tor has grown from 500,000 users per day to around 4 million per day. This
increase is attributed to a botnet whose components are known as Mevade or Sefnit. According to some reports, this
botnet seems to be run by a Ukrainian gang specializing in click fraud.
Deep Web Marketplaces
When researchers speak about Tor, the Deep Web, and Bitcoin, they often highlight the underground marketplace Silk
Road. Created in February 2011 but closed by the US Federal Bureau of Investigation on October 1,4 this online cybercrime
supermarket operated solely on Bitcoin. It was a bazaar, like eBay or Craigslist, in which those who wished to sell or buy
could connect. This location was primarily known as a drug market, but goods were available in more than 200 categories,
including other illegal services such as hacking ATMs.
Today, Silk Road is gone, but it was only the tip of the iceberg. Thousands of other locations welcome Bitcoin as payment.
Let’s look at a few others.
Silk Road had competitors that are still active. Some of them present their products according to the same model as Silk Road:
Elsewhere, online shoppers can buy European premium credit cards. The example below is from France. The price is US$40
(0.3 BTC) each:
US credit cards are less expensive (about US$4). The following screenshot is from another well-stocked service, in which a
buyer can search by state and city:
European citizens can buy weapons. Some examples:
• A Walther PPK, 7.65mm, for €600 (5.8 BTC)
• A Desert Eagle IMI, .44 caliber, for €1,250 (12 BTC)
• A SIG Sauer P226 AL SO DAO, 9mm, for €790 (7.7 BTC)
It is also possible to find false papers, such as this fake doctor template:
It seems a buyer can even pay for murder. There is no indication that such an offer would actually fulfill its promise (the
site is now unreachable), and verifying this would likely come at some personal risk. Still, such sites demonstrate that
confidence in the privacy of virtual currencies has enabled the sale of some frightening services.
Despite the closure of the Freedom Hosting site, the child pornography community is still active:
As are opportunities to donate to Al Qaeda:
Malware, vulnerabilities, and hacking
[Timeline figure, July–September 2013: Android/AntiObscan (Jul 2), Operation Troy (Jul 8), Rex Mundi blackmailing (Jul 8–17), British royal baby scams (Jul 22), Istanbul airport cyberattack (Jul 26), W64/Expiro (Jul 28), SEA hijacks the Thomson Reuters Twitter feed (Jul 30), JV/BackDoor-FAZY (Aug 2), SEA hacks the Channel 4 blog (Aug 7), Linux “Hand of Thief” (Aug 7), Andromeda botnet, Vertexnet botnet, Hesperbot, CVE-2013-3893 (Sep 17), OSX/Leverage (Sep 26).]
• July 2: McAfee Mobile Security announced it had identified a new Android Trojan, Android/AntiObscan, embedded in a
pirated copy of an exclusive app from rapper Jay-Z.5
• July 8: McAfee exposed Operation Troy, a long-running case of cyberespionage in South Korea.6
• July 17: The Rex Mundi group published stolen customer data from 6,000 customers and prospects of Numericable after
the cable TV company refused to pay a ransom of €22,000.7 On July 8, the same group had targeted Websolutions.it.8
• July 22: As expected, news of the birth in the British royal family became a powerful lure for malware delivery. McAfee
recorded a high number of spam messages regarding the event.9
• July 26: The passport control system at the departure terminal of Istanbul Atatürk Airport was hit by a cyberattack.
Meanwhile, local media said the passport control system at Istanbul’s Sabiha Gökçen International Airport also
broke down.10
• July 28: McAfee announced detection for W64/Expiro, a new version of an old file infector. This version can infect both
32- and 64-bit executables.11
• July 30: The Syrian Electronic Army hijacked Thomson Reuters’ Twitter feed and posted seven violent and graphic
cartoons.12 The same day, the group announced it had compromised three personal email accounts belonging to staff
members at the US White House.13
• August 2: McAfee received the malware binary JV/BackDoor-FAZY, a JAR package that opens a back door through which
an attacker can execute commands, and that acts as a bot after infection.14
• August 7: The British Channel 4 blog was hacked by the Syrian Electronic Army.15
• August 7: RSA announced the “Hand of Thief,” a Linux financial Trojan with form-grabbing and backdoor capabilities.16
In August, McAfee spotted an increase in the use of AutoIt scripts by malware authors. These malicious scripts primarily
concerned Bitcoin miners.17 In September, further alerts concerned the Andromeda botnet18 and the Vertexnet botnet.19
• September 6: McAfee announced that the Hesperus, or Hesperbot, banking malware was very active in Turkey and the
Czech Republic.20
• September 17: Microsoft issued Security Advisory 2887505 for an actively exploited remote code execution
vulnerability in Internet Explorer (CVE-2013-3893).21 Exploit code was widely available.
• September 26: The new Trojan OSX/Leverage targeted Apple OS X computers and attempted to install a permanent
backdoor. After infection, it connects to its control server on port 7777. The malware exploits the Java vulnerabilities
CVE-2013-2465 and CVE-2013-2471.22
The Bitcoin saga (continued)
[Timeline figure, June–October 2013: CVE-2013-1690 published (Jun 25), ESEA class-action lawsuit, 1 BTC = US$74 (Jul 5), Ponzi scheme dismantled (Jul 23), Freedom Hosting administrator arrested (Jul 31), Bitcoin “a currency or form of money” (Texas, Aug 7), NYSDFS subpoenas 22 digital currency companies, Android flaw exploited (Aug 10), Bitcoin a “private money” (Germany, Aug 16), Bitcoin ATM announcement (Canada, Sep 8), 1 BTC = US$136 (Sep 26), Silk Road seized by FBI (Oct 1).]
In the last edition of the McAfee Labs Threats Report, we published a timeline of news related to online currencies. You’ll
find further details in our report Digital Laundry, summarized on Page 4. Other highlights:
• April: An employee at the ESEA gaming network used the company’s servers to generate Bitcoins for personal use.23 At
the start of July, the company was served with a class action lawsuit following these revelations.24
• July 23: The US Securities and Exchange Commission sued a Texas man over claims he operated a Ponzi scheme involving
Bitcoin. According to the SEC, starting in September 2011 the suspect raised at least 700,000 Bitcoin through his firm
Bitcoin Savings and Trust and improperly used the currency from new investors to cover withdrawals. He falsely promised
investors as much as 7 percent interest weekly on purported trades, including selling the online currency to individuals
who wished to buy it “off the radar” quickly or in large quantities, the SEC said.25
• July 31: An alleged child porn peddler was arrested in Ireland. He was accused of owning and operating Freedom
Hosting, the biggest service provider on the anonymous Tor network.26 The United States has formally sought his
extradition. The authorities described him as the “largest facilitator of child porn on the planet.” According to the
DailyDot website,27 two years earlier the suspect had created Onion Bank, operated by Freedom Hosting and offering
anonymity for escrow, mixing, and merchant payments. According to some advertising available on a hidden wiki, this
bank worked “like PayPal for Bitcoins.” During the Black Hat 2013 conference in Las Vegas, an announcement revealed that
a Mozilla Firefox zero-day attack specifically targeting the Tor Browser Bundle28 (CVE-2013-1690/MFSA 2013-53, published
June 25) was possibly used by the FBI and National Security Agency to identify the suspect.
• August 7: A federal judge in Texas recognized Bitcoin as “a currency or form of money” and declared that its investment
funds and transactions fell under the jurisdiction of US securities law.29 The New York State Department of Financial
Services subpoenaed the major Bitcoin players to learn more about Bitcoin.30 It asked them to hand over information
regarding their money-laundering controls, consumer protection practices, sources of funding, pitch books (for Bitcoin
startups), and investment strategies (for Bitcoin investors).
• August 10: Users on the bitcointalk.org forums noticed that more than 55 BTC had been stolen thanks to a severe
vulnerability in the Android implementation of the Java SecureRandom random number generator.31 Because the
generator could return the same value more than once, affected wallets signed different transactions with the same
ECDSA nonce, and two such signatures are enough for anyone to compute the private key from the public blockchain.
Four Android Bitcoin clients—Bitcoin Wallet, Blockchain, Mycelium Bitcoin Wallet, and BitcoinSpinner—were fixed,
according to a notice on Bitcoin.org the next day.
• August 16: The German Finance Ministry recognized the digital currency as a “private money” that can be used like cash
in multilateral clearing circles.32
• September: The press announced the first Bitcoin ATMs would operate in October in Vancouver, Canada. (This is not the
first time such an announcement has been made; others have failed to appear.)33
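The August 10 entry above gives the consequence (stolen coins) but not the mechanism: the broken SecureRandom handed wallets the same nonce k for more than one ECDSA signature, and a repeated r value on the blockchain is all an attacker needs. The following is an added example, not code from the McAfee report or from any of the affected wallets. It implements a minimal secp256k1 ECDSA signer whose nonce is supplied by the caller, signs two constructed transactions with the same k, and recovers the private key from the two signatures alone. The key, nonce, messages and all function names are this example’s own assumptions.

```python
# Added example (not from the McAfee report): how a repeated ECDSA nonce k,
# the effect of Android's broken SecureRandom, gives away a Bitcoin private key.
# Minimal secp256k1 ECDSA in pure Python; the nonce is a parameter so the flaw
# can be reproduced on purpose. A toy for illustration, never for real signing.
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA signature (r, s) of msg under private key d, nonce k chosen by the caller."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_h(msg) + r * d) % N
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(_h(msg) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def recover_private_key(pub, msg1, sig1, msg2, sig2):
    """Two signatures sharing r were made with the same k, so
    s1 - s2 = k^-1 (h1 - h2); k and then d follow by modular arithmetic.
    Returns d, or None when r differs (no reuse) or the hashes coincide."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    h1, h2 = _h(msg1), _h(msg2)
    # Bitcoin clients may canonicalise s to N - s, so try both signs of s2.
    for s2c in (s2, N - s2):
        if (s1 - s2c) % N == 0:
            continue
        k = (h1 - h2) * pow(s1 - s2c, -1, N) % N
        d = (s1 * k - h1) * pow(r1, -1, N) % N
        if _mul(d, G) == pub:
            return d
    return None


# Constructed sample: a wallet key and the "random" nonce the broken RNG returned twice.
PRIVATE_KEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
PUBLIC_KEY = _mul(PRIVATE_KEY, G)
REUSED_K = 0x6F3D2C1B0A9F8E7D6C5B4A3928170605F4E3D2C1B0A9F8E7D6C5B4A39281706
TX1 = b"constructed tx 1: pay 0.5 BTC to 1Alice..."
TX2 = b"constructed tx 2: pay 0.2 BTC to 1Bob..."


def demo():
    """Sign two spends with the same k, then recover the key from the signatures alone."""
    sig1 = sign(PRIVATE_KEY, TX1, REUSED_K)
    sig2 = sign(PRIVATE_KEY, TX2, REUSED_K)
    assert sig1[0] == sig2[0]  # identical r on the blockchain is the tell-tale sign
    return recover_private_key(PUBLIC_KEY, TX1, sig1, TX2, sig2)


if __name__ == "__main__":
    print("recovered key matches:", demo() == PRIVATE_KEY)
```

The recovery uses nothing but the two signatures and their message hashes; the public key only selects between s and N - s. The standard hardening is to derive the nonce deterministically from the key and the message (RFC 6979), so a signature never depends on the platform RNG.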
Actions against cybercriminals
During the quarter, we noted the following law enforcement efforts:
• July: US federal authorities charged four Russians and a Ukrainian with stealing more than 160 million credit card
numbers, which the prosecution says has resulted in hundreds of millions of dollars in losses for major corporations
worldwide. The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment
Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved
nearly a million accounts and cost the company almost US$100 million.34
• A major player in “high roller” poker tournaments around the world was arrested with eight other people for his
company’s involvement in an alleged malware ring that netted nearly US$4 million.35 They allegedly used the malware
program Android/Enesoluty to collect information from victims’ mobile phones and send invitations to a bogus dating
website that charged users but provided no actual services. In total, the malware was claimed to have collected more
than 37 million email addresses from 810,000 Android phones and tablets.
• September 19–20: London police arrested eight men in connection with a £1.3 million (US$2.1 million) computer-aided
robbery from a Barclays Plc branch in the UK’s capital. Investigators discovered a KVM switch36 attached to a 3G router
that was connected to one of the branch computers. This was the second time in a week that London police had announced
arrests over suspected bank hacking. On September 13, the Metropolitan Police detained 12 men over an attempt to
hack into Banco Santander SA computers using similar equipment.37
Hacktivism
[Timeline figure, July–September 2013: Egyptian Ministry defaced (Jul 5), announcement for #OpAbabil Phase 4 (Jul 23), Afghan hackers vs. Pakistan (Aug), Indian hackers vs. Pakistani hackers (Aug), SEA attacks on the Washington Post (Aug 15), ShareThis.com (Aug 21), New York Times and Huffington Post (Aug 27), Marine Corps (Sep 2) and Fox TV (Sep 10), Manchurian Incident anniversary (Sep 18).]
In August, an FBI official told The Huffington Post that various arrests in 2012 had stopped the expansion of the
Anonymous movement.38 (McAfee Labs foresaw the decline of Anonymous in our 2013 Threats Predictions.)39 Indeed,
the hacker collective did not conduct any high-profile cyberattacks this quarter, leaving the field open to various “pseudo”
cyberarmies and their more obscure objectives.
On July 5, a hacker claiming to be part of Anonymous Jordan defaced eight Egyptian Ministry websites to protest the
removal of the Muslim Brotherhood government.40
On August 14, Pakistan celebrated its independence day. The day after, the same celebration occurred in India. For
hackers, these days were an occasion to express some ill-suited patriotism. In India, several websites, including Mumbai’s
Mahanagar Telephone Nigam Limited and Pune Traffic Police, were hacked—apparently by Pakistani hackers from the
Napsters Crew.41 Returning the favor, Indian hackers targeted sites in Pakistan. A hacker known as Godzilla breached and
defaced the official website of the Pakistan Army and also gained unauthorized access to three Pakistani Army
Facebook pages.42 During the same period, a hacker group calling itself the Afghan Cyber Army
defaced roughly 300 Pakistani government and business websites with nationalistic messages decrying rocket attacks
against Afghan villagers along the Pakistani border.43
In previous McAfee Labs Threats Reports, we have highlighted activities from two groups: the Iranian Izz ad-Din al-Qassam
Cyber Fighters and the Syrian Electronic Army. The first are known for launching a series of attacks against US banks and
financial-services companies. They justified the attacks as a response to the “Innocence of Muslims” video, which they want
removed from the Internet. The latter support the Syrian regime of President Bashar al-Assad and attack interests and media
from countries they consider enemies.
On July 23, the Cyber Fighters announced the upcoming launch of Phase 4 of Operation Ababil. On August 15, the US
banks JPMorgan Chase and Citigroup were victims of distributed denial of service attacks.44
Also on August 15, the SEA hacked the Washington Post website and redirected some readers to its own site.
Furthermore, one Post staff writer’s personal account was used to send out an SEA message.45
Other attacks followed:
• August 21: The SEA redirected the online content-sharing site ShareThis.com to its official website.46
• August 27: Several domains, including those of The New York Times and The Huffington Post, were redirected after the
SEA compromised the companies’ domain name registrar, Melbourne IT.47
• September 2: The SEA defaced the US Marine Corps recruitment website. The SEA, which supports Syria’s embattled
regime, left a statement denouncing President Obama and urging Marines to disobey any orders to fight in Syria.
• September 10: The official Hootsuite account of Fox TV was hacked and used to post content to international
Fox television networks around the world.48 The SEA claimed to have accessed more than 200 linked Facebook and
Twitter accounts.
These attacks on government and media giants led the FBI, on August 30, to place the SEA on an official advisory
list. The FBI calls the SEA a “proregime hacker group” that emerged during Syrian antigovernment protests in 2011.49
Despite these hacking successes, some people wonder about the SEA’s skills. On August 31, the French site reflets.info
reported that a group claiming association with Anonymous had compromised the SEA’s databases and servers.50 The leaked
data, said to be available on the Deep Web, includes hundreds of working usernames and passwords to various Hotmail,
Outlook, and Gmail accounts, as well as more than six gigabytes of email messages downloaded from those accounts.51
Elsewhere in the world, the Chinese hacktivists of the Honker Union marked the anniversary of the Japanese invasion of
Manchuria (September 18, 1931) by launching online attacks against Japanese targets.52 The day before, a reverse attack
took place: Unknown hackers posted pictures critical of the Chinese government on the Shaoxing government website.53
Mobile Threats
To speak of malware that infects mobile devices is to speak of Android malware. Threats against other mobile operating
systems, including Apple’s iOS, are insignificant compared with malicious Android apps. This quarter our count of Android
malware grew by one-third, to more than 680,000 samples. That’s a steeper increase than between the two previous
quarters. Will we soon see numbers that exceed the high-water mark of late 2012?
[Chart: New Android Malware, new samples per quarter, Q2 2011–Q3 2013.]
This quarter we saw one major mobile threat, Exploit/MasterKey.A, that affected many versions of Android. We also
observed two-part malware, consisting of a Trojan app that downloads a second-stage malware to a device. Attackers
have not forgotten about where the money is and have released a new banking Trojan.
The key to all Androids?
A vulnerability that affects nearly all Android devices has been discovered by computer security researchers. This vulnerability
allows an attacker to bypass the signature checking of installed apps. Known as MasterKey, this bug was publicly announced
at the Black Hat computer security conference. The researchers had earlier informed Google and provided full details on the
vulnerability. Google has produced a patch and has provided it to manufacturers of Android devices.
Digital certificates are used to sign Android apps (APKs) and verify that they come from the same developer. When you
upgrade an app, Android checks if the upgrade was signed by the original developer. This prevents criminals from creating
a bad or malicious upgrade that can take over your phone. Currently an attacker needs to craft a special Android app and
have a victim install it. APKs modified this way are detected as Exploit/MasterKey.A.
Google claims that no specially crafted APKs exploiting the MasterKey vulnerability are in the official Play store. Those who
acquire apps from third-party stores or websites should make sure to install mobile security software.
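The report does not spell out the bug, so for context: the original MasterKey flaw (Android bug 8219321, reported by Bluebox) was that an APK could carry two ZIP entries with the same file name, and the signature verifier checked one copy while the installer extracted the other. The following added example, which is not from the McAfee report or from Google’s code, builds such an APK-shaped archive from constructed entries and then flags it by walking the central directory entry by entry rather than looking entries up by name. build_apk, find_duplicate_entries, is_masterkey_candidate and the stand-in DEX payloads are this example’s own.

```python
# Added example (not from the McAfee report): detect MasterKey-style APKs, which
# hold two ZIP entries with the same name so that one copy passes the signature
# check and the other is what gets installed. build_apk() only fabricates the
# test input; the payloads below are constructed stand-ins, not real DEX files.
import io
import warnings
import zipfile
from collections import defaultdict

BENIGN_DEX = b"dex\n035\x00 constructed stand-in for the signed classes.dex"
HIJACKED_DEX = b"dex\n035\x00 constructed stand-in for the attacker's classes.dex"


def build_apk(entries):
    """Write an in-memory ZIP from (name, data) pairs, keeping duplicate names.
    zipfile only warns about a repeated name, which is exactly what we want here."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def find_duplicate_entries(apk_bytes):
    """Map each file name that occurs more than once to its payloads, in
    central-directory order. Iterate infolist() and open by ZipInfo: a lookup
    keyed by name (zf.read(name)) silently returns only the last copy, which is
    the same one-copy-wins assumption the bug exploited."""
    payloads = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            payloads[info.filename].append(zf.open(info).read())
    return {name: data for name, data in payloads.items() if len(data) > 1}


def is_masterkey_candidate(apk_bytes):
    """True when any entry name repeats; such an APK should be rejected outright."""
    return bool(find_duplicate_entries(apk_bytes))


def demo():
    """Returns (clean flagged?, trojanised flagged?) for two constructed archives."""
    clean = build_apk([("AndroidManifest.xml", b"<manifest/>"),
                       ("classes.dex", BENIGN_DEX)])
    trojanised = build_apk([("AndroidManifest.xml", b"<manifest/>"),
                            ("classes.dex", BENIGN_DEX),
                            ("classes.dex", HIJACKED_DEX)])
    return is_masterkey_candidate(clean), is_masterkey_candidate(trojanised)


if __name__ == "__main__":
    print("clean flagged, trojanised flagged:", demo())
```

The defensive rule is to reject rather than choose: an archive in which any name repeats should fail installation, whichever copy the verifier happened to hash. Google’s patch took that approach, and the later APK Signature Scheme v2 signs the whole file rather than individual entries, which removes the ambiguity entirely.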
Two-part malware
Attackers often attempt to avoid detection by breaking up the functionality of their malware among a number of
components. One part will do nothing but access the Internet to download a second or third malicious part. Because the
user doesn’t download the malicious portion, the malware as a whole can get on a device without raising suspicions.
The Android/Repane family consists of a downloader, Android/RepaneDropper.A, and a malicious portion that sends user
information to the attacker. The dropper tries hard to not be noticed by the user, pretending to be an app that lets users
x-ray things with their Android devices. Because neither phone nor tablet cameras emit x-rays, there is no technical way
for the app to work. That doesn’t stop attackers from trying to get the gullible to run it, nor does it stop users from trying
to scan their friends or dogs. Unfortunately the only thing that happens is that the phone ends up with a download of
Android/Repane.A.
Android/Repane.A is delivered as a novelty x-ray app.
Once Android/Repane.A is downloaded, the victim still needs to install it. That’s solved by Android/RepaneDropper.A telling
users that they should install a new mandatory system library so they can go back to scanning their friends.
Banking Trojans look for the money
Attackers know that bank accounts tend to hold more money than wallets, so they continue to go after the bigger prize.
This quarter Android/Hesperbot attacked users in Turkey and the United Kingdom.
Android/Hesperbot.A also tries to hide from its victims. It deletes its icon so that it won’t be noticed. It’s still visible in
the process list, but under the misleading name Certificate. That’s not something a user would typically try to delete; a
certificate sounds like something essential.
The malware pretends to be an app that produces authentication codes for online banking, but instead steals the victim’s
login information. An unsuspecting user types in the code to obtain the final authentication code to log into the bank.
The malware instead sends the user-entered code to the attacker, who can use it to generate a valid authentication code
and access the account.
General Malware Threats
Malware growth declined slightly this quarter, but that’s no comfort because this period’s 20 million new threats represent
the second highest quarter we’ve recorded. We now have almost 172 million samples in our malware “zoo.”
[Chart: Total Malware Samples in the McAfee Labs Database, monthly, October 2012–September 2013.]
[Chart: New Malware, new samples per quarter, Q1 2011–Q3 2013.]
Rootkits, or stealth malware, are designed to evade detection and reside on a system for prolonged periods. Growth in
new rootkit samples had been on a downward trend since the middle of 2011, but this quarter rebounded, as we counted
more than twice as many new samples as last quarter. (You’ll notice the total number of ZeroAccess files exceeds that of
all new rootkits. That’s because ZeroAccess is a malware family that uses a rootkit, but not all ZeroAccess files are rootkits.)
[Chart: New Rootkit Samples, per quarter, Q1 2011–Q3 2013.]
[Chart: New Koutodoor Samples, per quarter, Q1 2011–Q3 2013.]
[Chart: New TDSS Samples, per quarter, Q1 2011–Q3 2013.]
[Chart: New ZeroAccess Samples, per quarter, Q1 2011–Q3 2013.]
AutoRun malware, which often hides on USB drives and can allow an attacker to take control of a system, doubled at
the start of the year and remains high this quarter. The number of fake AV (malware) products—which scare victims into
believing their systems are infected—has fallen from a record high of almost a million new samples in 2012 to 356,000
this quarter. Password-stealing Trojans, which attempt to raid victims’ bank accounts, fell by more than 20 percent, to
fewer than 1.2 million new samples—still a very large number.
Signed malware continued its rapid rise, increasing by almost 50 percent this quarter and recording another new high
mark, with more than 1.5 million new samples discovered.
[Chart: Total Malicious Signed Binaries, monthly, October 2012–September 2013.]
[Chart: New Malicious Signed Binaries, per quarter, Q3 2011–Q3 2013.]
In the second quarter, new malware that attacks the Mac more than tripled, after declining for three quarters. This quarter
that figure declined by about 10 percent, to 300 new samples.
[Chart: New Mac Malware Samples, per quarter, Q1 2011–Q3 2013.]
One strain of malware targets a computer’s master boot record (MBR), an area that performs key startup operations.
Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration. Two quarters ago
we saw this threat reach a record level; this quarter’s figure shows a slight increase from the last period.
[Chart: New Master Boot Record-Related Threats, per quarter, Q1 2011–Q3 2013; series: Variants of Families with Known MBR Payloads, Identified MBR Components.]
Ransomware
Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen.
The number of new, unique samples this quarter is greater than 312,000, slightly less than last quarter but still the second-highest figure we’ve recorded.
One reason for ransomware’s growth is that it is a very efficient means for criminals to earn money because they use
various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for
example, which must process credit card orders for the fake software. Another reason is that an underground ecosystem
is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as
Citadel, and easy-to-use crime packs are available in the underground market.
[Chart: New Ransomware Samples, per quarter, Q1 2011–Q3 2013.]
Network Threats
Browser-based threats dropped to 45 percent of all attacks we measured, compared with 73 percent last quarter,
according to the McAfee Global Threat Intelligence network. Remote procedure calls doubled, to 22 percent of attacks this
quarter. The first two of the following four very common detection signatures this quarter underline that browser attacks
were the most frequently blocked. The latter two are remote procedure call attacks:
• HTTP: Mozilla Firefox Click Event Classification Vulnerability
• RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
• DCERPC: Suspicious DCERPC Call
• NETBIOS-SS: Microsoft Server Service Remote Code Execution Vulnerability
[Chart: Top Network Attacks, share by category: Browser, Remote Procedure Call, SQL Injection, Cross-Site Scripting, Others.]
The United States’ share of hosting for SQL-injection attacks, which poison legitimate websites, grew again this
quarter, to almost half of all incidents. China moved into second place, hosting 9 percent. Most victims of these attacks
(56 percent, down from 60 percent last period) are in the United States.
Top SQL-Injection Attackers      Top SQL-Injection Victims
United States                    United States
China                            China
Spain                            Taiwan
United Kingdom                   Spain
South Korea                      South Korea
Morocco                          United Kingdom
Others                           Germany
                                 Others
In our botnet tracking, the United States and the rest of the top countries recorded almost identical results to last
quarter’s, both in location of control servers and of victims.
Top Botnet Control Servers       Top Botnet Victims
United States                    United States
Germany                          Turkey
Turkey                           Taiwan
China                            Brazil
Russia                           Canada
United Kingdom                   India
Netherlands                      Spain
Others                           Others
The United States doesn’t lead the world in everything: With cross-site scripting threats, Brazil takes first place as the origin
of attacks, while India suffers more assaults than any other country.
Top Cross-Site Scripting Attackers   Top Cross-Site Scripting Victims
Brazil                               India
United States                        United States
Turkey                               Taiwan
Canada                               Turkey
Algeria                              China
Others                               Others
Web Threats
Websites can gain bad or malicious reputations for a variety of reasons. Reputations are determined at specific domains,
subdomains, IP addresses, and specific URLs, as well as by many other network and file attributes, to help users understand
the risk level of particular web objects. Malicious reputations are influenced by the hosting of malware, potentially unwanted
programs, registrations, hosting patterns, and other aspects. Often we observe combinations of questionable code and
functionality. These are just a few of the factors that contribute to our rating of a site’s reputation.
By September’s end, the total number of suspect URLs tallied by McAfee Labs surpassed 85 million, which represents
a 14 percent increase over the previous quarter. These URLs refer to 30 million domain names, up 3 percent from the
previous period.
[Charts: Risk Level of Suspect URLs and Risk Level of Suspect Domains, shares by category: Minimal, Unverified, Medium, High.]
This quarter, we recorded an average of 3.5 million new suspect URLs per month related to about 330,000 domains.
[Chart: New Suspect URLs and Associated Domains, per quarter, Q2 2012–Q3 2013.]
Most of these suspicious URLs (94 percent) host malware, code, or exploits that have been designed specifically to
compromise computers. Phishing and spam email represent 3.5 percent and 0.4 percent, respectively.
[Chart: Distribution of New Suspect URLs, shares: New Malware URLs, New Phishing URLs, New Spam Email URLs, Others.]
Distribution at the domain level gives us a different outlook, with 20 percent phishing domains and 4 percent spam
email domains.
[Chart: Distribution of New Suspect Domains, shares: New Malware Domains, New Phishing Domains, New Spam Email Domains, Others.]
The domains associated with newly suspect URLs are mainly located in North America (chiefly the United States) and
Europe and the Middle East (chiefly Germany). This trend is not new; North America historically hosts quite a bit of
malware and suspect content. However, its scope has decreased to 51 percent this quarter compared with 74 percent in
the first quarter of 2013.
[Chart: Location of Servers Hosting Suspect Content, percent of servers by region: Africa, Asia-Pacific, Australia, Europe–Middle East, Latin America, North America.]
Digging into the location of servers hosting malicious content in other countries, we see quite a global diversity. Apart
from Europe, each region has one or two clearly dominant players:
Location of Servers Hosting Malicious Content
Africa                   Asia-Pacific
South Africa             China
Morocco                  Japan
Egypt                    Hong Kong
Kenya                    South Korea
Seychelles               Malaysia
Tunisia                  Singapore
Zimbabwe                 Vietnam
Others                   Thailand
                         Others
Europe and Middle East   Australia–South Pacific
Germany                  Australia
Czech Republic           New Zealand
Russia
Netherlands
United Kingdom
France
Others
North America            Latin America
United States            Brazil
Canada                   British Virgin Islands
Bahamas                  Argentina
Others                   Chile
Phishing
After peaking during the last quarter 2012, the number of new phishing URLs dropped considerably in the first half of
2013. We observed another increase this quarter.
[Chart: New Phishing URLs and Associated Domains, per quarter, Q2 2012–Q3 2013.]
Most of these URLs are hosted in the United States.
Top Countries Hosting Phishing URLs
United States
Germany
United Kingdom
Brazil
France
British Virgin Islands
Canada
Others
Phishers go after several key industries. The top three are online auctions, finance, and government.
Phishing Targets by Industry
Online Auctions
Finance
Government
Healthcare
Shopping
Others
Spam URLs
Spam URLs are those that arrive in unsolicited spam emails. Also included in this family are sites built only for spamming
purposes, such as spam blogs or comment spam.
[Chart: New Spam URLs and Associated Domains, per quarter, Q2 2012–Q3 2013.]
The main countries hosting these URLs are the United States, China, Germany, and Russia.
Countries Hosting Spam URLs
United States
China
Germany
Russia
France
Czech Republic
Japan
Others
Messaging Threats
After a slight decline in May and June, the volume of worldwide spam more than doubled this quarter. Spam volume
hasn’t been this high since August 2010.
[Figure: Global Email Volume, in Trillions of Messages, monthly from Oct 2012 to Sep 2013; series: Monthly Spam, Legitimate Email]
Spam volume
Looking closely at new spam senders in various countries, our statistics show marked differences from quarter to quarter.
China and Italy had an increase of greater than 50 percent this period. Meanwhile, Kazakhstan (down 61 percent), Belarus
(down 55 percent), and Ukraine (down 51 percent) enjoyed large declines.
[Figure: Spam Volume From New Senders, monthly from Oct 2012 to Sep 2013, one panel per country: Australia, Argentina, Belarus, Brazil, China, Chile, France, Germany, India, Italy, Japan, Kazakhstan, Romania, Peru, South Korea, Russia, Spain, Ukraine, United Kingdom, United States]
Spam travels the world via snowshoes
The most popular type of spam this quarter was “snowshoe” spam, so named because it spreads the load across many IP
addresses to avoid rapid eviction by ISPs. Most of the countries we track saw a predominance of snowshoe spam—often
representing 85 percent to 95 percent of the high-volume subject types. We see this as a sign of a country’s excess hosting
capacity being put to use: This type of spam generally involves renting servers in hosting facilities and sending spam until
the hosting facility evicts the spammer or gets blacklisted.
In Belarus “419” scams are most popular. These are appeals to send money to some unfortunate, usually a “wealthy”
African, who will later richly reward anyone who helps. You can guess what happens after you send money. In Australia
and the United States, delivery service notifications (DSNs) are common. Drugs and online bride spam are big in Russia. In
the United States spammers employ a balanced attack, with bogus news and jobs as well as drugs as leading lures. Our
“worldwide” pie represents only the countries shown on this page, not the entire globe.
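The defining trait of snowshoe spam described above, one campaign spread thinly across many sending IPs and networks so that no single source stands out, is also what a mail gateway can key on. The following is an added example, not code or data from the McAfee report: it groups constructed gateway log lines by a normalized subject and flags campaigns whose messages are spread across many sources in several /24 networks with no source dominating, while a single-IP bulk sender with the same volume is left alone. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Heuristic detector for snowshoe-style spam campaigns in mail-gateway logs.

Added example with constructed data: the log format, the thresholds and the
sample lines below are assumptions, not McAfee Labs data or tooling.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed log lines in an assumed format: "<timestamp> ip=<sender> subj=<subject>".
# Campaign 1 ("Lowest rates ...") comes from 8 sources in 5 different /24 networks,
# campaign 2 ("Invoice attached") is the same order of volume from a single IP.
SAMPLE_LOG = """\
2013-08-01T10:00:01 ip=198.51.100.10 subj=Lowest rates on auto insurance #4410
2013-08-01T10:00:03 ip=198.51.100.77 subj=Lowest rates on auto insurance #4411
2013-08-01T10:00:05 ip=203.0.113.4 subj=Lowest rates on auto insurance #4412
2013-08-01T10:00:08 ip=203.0.113.200 subj=Lowest rates on auto insurance #4413
2013-08-01T10:00:09 ip=192.0.2.15 subj=Lowest rates on auto insurance #4414
2013-08-01T10:00:11 ip=192.0.2.99 subj=Lowest rates on auto insurance #4415
2013-08-01T10:00:14 ip=198.18.0.7 subj=Lowest rates on auto insurance #4416
2013-08-01T10:00:15 ip=198.18.5.9 subj=Lowest rates on auto insurance #4417
2013-08-01T10:00:19 ip=198.51.100.10 subj=Lowest rates on auto insurance #4418
2013-08-01T10:01:00 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:01:01 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:01:02 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:01:03 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:01:04 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:01:05 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:01:06 ip=203.0.113.5 subj=Invoice attached
2013-08-01T10:02:00 ip=192.0.2.50 subj=Meeting tomorrow
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) subj=(?P<subj>.*)$")


def parse_line(line):
    """Return (IPv4Address, subject) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group("ip")), m.group("subj")
    except ipaddress.AddressValueError:
        return None


def normalize_subject(subject):
    """Fold case and drop digits/punctuation so per-message variations
    ("#4410" vs "#4411") collapse into one campaign key."""
    return re.sub(r"[^a-z ]+", "", subject.lower()).strip()


def campaign_stats(log_text):
    """Per campaign key: message count, distinct sources, distinct /24
    networks, and the share of messages sent by the busiest single source."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: ignore rather than crash the detector
        ip, subj = parsed
        per_ip[normalize_subject(subj)][ip] += 1
    stats = {}
    for key, counter in per_ip.items():
        total = sum(counter.values())
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in counter}
        stats[key] = {
            "messages": total,
            "sources": len(counter),
            "networks": len(nets),
            "max_share": max(counter.values()) / total,
        }
    return stats


def find_snowshoe(log_text, min_messages=6, min_sources=5, min_networks=3, max_share=0.35):
    """Campaign keys whose load is spread across many sources and networks with
    no single source dominating. Thresholds are assumed, tune to your volume."""
    flagged = []
    for key, s in campaign_stats(log_text).items():
        if (s["messages"] >= min_messages and s["sources"] >= min_sources
                and s["networks"] >= min_networks and s["max_share"] <= max_share):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for key, s in campaign_stats(SAMPLE_LOG).items():
        print(f"{key!r}: {s}")
    print("snowshoe candidates:", find_snowshoe(SAMPLE_LOG))
```

Only the auto-insurance campaign is flagged: nine messages from eight IPs in five /24 networks, busiest source 22 percent. The invoice run has comparable volume but one source, so it is a plain bulk sender and is left for per-IP rate limiting or reputation. The same statistics, computed per /24 instead of per IP, are a useful second pass, since a hosting facility that has been rented wholesale will show up as one or two dense networks rather than many sparse ones.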
[Figure: Spam Types, one pie per panel: Worldwide, Argentina, Australia, Belarus, Brazil, France, India, Spain, United Kingdom, Russia, United States, Venezuela; categories: 419 Scams, Dating, Drugs, DSN, Jobs, Marketing, News, Phishing, Snowshoe, Travel]
Botnet breakdowns
Infections from messaging botnets have shown an overall decline since May 2012. Quarter after quarter, however, we saw some ups and downs with a small general upward trend.
[Figure: Global Messaging Botnet Infections, monthly from Oct 2012 to Sep 2013]
Cutwail remains in first place among botnets, while Kelihos, which was first seen at the end of 2012, is again number two.
Slenfbot, which started in the first quarter of 2013, continues in third place.
[Figure: Spam Botnet Prevalence: Cutwail, Kelihos, Slenfbot, Maazben, Festi, Others]
[Figure: Leading Global Botnet Infections, monthly from Oct 2012 to Sep 2013; series: Cutwail, Kelihos, Slenfbot, Maazben, Festi]
Messaging botnet prevalence
Our breakdown of botnets shows how the five most widespread botnet families are represented in various countries
around the globe. Cutwail is the global leader; Kelihos came close to the top spot in September.
[Figure: Botnet families by country, one pie per panel: Australia, Belarus, Brazil, Chile, Colombia, Germany, India, Japan, Kazakhstan, Russia, South Korea, Ukraine, China, United Kingdom, United States; legend (labelled "Spam Types" in the original): Cutwail, Darkmailer, Festi, Kelihos, Maazben, Others, Slenfbot]
About the Authors
This report was prepared and written by Benjamin Cruz, Paula Greve, François Paget, Craig Schmugar, Jimmy Shah,
Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu of McAfee Labs.
About McAfee Labs
McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors—malware, web, email, network, and vulnerabilities—McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/us/threat-center.aspx
About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and
home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions
and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy,
innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly
focused on keeping its customers safe. http://www.mcafee.com.