
Page 1: Internet Threats Trend Report February 2013static.altn.com/.../2012-Q4_Email-Threat-Trend-Report.pdf · 2013-04-08 · Page 3 blog.commtouch.com Internet Threats Trend Report - February

Internet Threats Trend Report February 2013


blog.commtouch.com www.commtouch.com

Internet Threats Trend Report - February 2013

Overview

The fourth quarter of 2012 showed exponentially increased levels of Android malware as well as Web threats (phishing) that truly threatened mobile users. Email-attached malware was also sent in large quantities in Q4 but completely tailed off in the new year. Spam levels remained constant and spammers generally stuck to tried and tested methods for tricking mail recipients into visiting online pharmacies.

Malware Trends

178,000 Android malware samples

The Android OS is now installed on hundreds of millions of devices. In Q3 2012 alone, 122 million Android devices were sold, compared to 60 million for the same period in 2011 (Gartner – November 2012). Cybercriminals have clearly taken notice of the huge number of devices, as evidenced by the explosive growth of Android malware over the last year.

Although January’s level was still astonishingly high (over 178,000 unique samples) it did represent a 16% drop from the over 214,000 samples collected in December 2012. Commtouch’s AV Lab analysts have explained that the December levels may have been an anomaly.

Levels of email-attached malware increased in the fourth quarter of 2012, as illustrated by several high peaks in the graph below. The attacks used emails describing an attachment as being the scan from a Xerox Workcenter. This is not a new ploy and was last seen in February last year. Last year’s version was an actual PDF file with an embedded malicious script. This quarter’s emails featured a zipped executable.


The attacks continued with “eFaxCorporate”, announcing the arrival of a (21 page) fax message. Once again the attachment was an executable file pretending to be a PDF. The file was detected as W32/Trojan2.NTLB by Commtouch’s Antivirus. The malware scanned the infected system for FTP programs – looking for FTP credentials that could be stolen to access and compromise Web servers (which can then be used to serve malware links).

Since mid-December attached-malware levels have fallen to year-low levels.

Figure: Email-attached malware levels – Oct 2012 to Feb 2013. Source: Commtouch


Spam Trends

In addition to obviously named spam (emails with Viagra blatantly written in the subject line), spammers continued to use phony LinkedIn and Facebook-like notifications to trick recipients into visiting their sites. These were supplemented with “support center” and “notification” emails. Samples are shown here:

Spam levels since October 2012 are shown below.

Figure: Spam email samples

Figure: Spam levels – Oct 2012 to Feb 2013

Source: Commtouch


Spam levels remained fairly constant, with the expected drop around the Christmas and New Year period. The average daily spam level was 90 billion messages per day, a slight increase over Q3 2012. The lowest level was 52 billion, recorded on the last day of 2012, and the highest was an unusual spike of 134 billion at the start of December. Spam averaged between 71% and 80% of all emails sent globally.

Spam Topics

Commtouch’s spam topics cloud tool samples thousands of spam messages at definable intervals and plots frequently occurring terms in proportionally larger text. Spam subjects that have been sent in massive quantities therefore become instantly distinguishable. The spam cloud for the entire fourth quarter is shown below. Traditional spam topics such as pharmaceuticals, replicas and “enhancers” are clearly visible.

Figure: Spam topics cloud for Q4 2012. Source: Commtouch

Figure: Spam % of all emails – Oct 2012 to Feb 2013. Source: Commtouch


Web security Trends

Harvard University’s Department of online pharmacy

The “Education” category regularly features in the top 10 for sites that have been compromised with malware or that are hiding phishing sites. For Q4 2012, “education” was in fact the category most likely to unknowingly host malware. During Q4, Harvard University’s Department of Government website was hacked and used to host a pharmacy page. Although this is not malware or phishing, it illustrates the point that these sites are vulnerable.

During the fourth quarter of 2012, Commtouch analyzed which categories of Web sites were most likely to be compromised with malware. The top 10 is summarized in the table below.

Website categories infected with malware

Rank  Category
1     Education
2     Travel
3     Sports
4     Business
5     Entertainment
6     Health & Medicine
7     Restaurants & Dining
8     Streaming Media & Downloads
9     Leisure & Recreation
10    Pornography/Sexually explicit

Source: Commtouch

Figure: Spam pharmacy page in hacked Harvard University server. Source: Commtouch

Source: anchous.info


Similarly, the table below summarizes the categories of legitimate Web sites that were most likely to be hiding phishing pages. The “Portals” category represents free webpage services which are easily abused to host phishing pages.

Website categories infected with phishing

Rank  Category
1     Portals
2     Computers & Technology
3     Shopping
4     Education
5     Fashion & Beauty
6     Restaurants & Dining
7     Business
8     Streaming Media
9     Health & Medicine
10    Travel

A PayPal phishing attack from November clearly illustrates the need for Web security on mobile devices. The attack starts with the traditional email warning of a “limited account”. Clicking on the links reveals a well-constructed PayPal phishing page. On a mobile device the URL looks quite genuine. In actual fact the URL is unusually long - the full URL is:

http://service.confirm.paypal.cmd.cgi-bin.2466sd4f3e654sqd4e6d23sd8ed52s3d24e8d4sd8e74ds4d3d.dsqd56d5e8d25s.fdsf456e6d5sde8d56s4d.d545d4e84d5d.d89d98jhnd9ed.5455d57s5656.friponne.fr/

Figure: PayPal phishing – email message (left) and phishing site (right) with seemingly genuine part of URL displayed by browser. Source: Commtouch
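The check below is an added example, not part of the Commtouch report: it takes the URL quoted above, extracts the registrable domain, and flags brand keywords that appear in a host whose registrable domain does not belong to that brand. The suffix set, the brand map, the function names and the 30-character display width are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# URL quoted in the report.
PAGE_URL = ("http://service.confirm.paypal.cmd.cgi-bin."
            "2466sd4f3e654sqd4e6d23sd8ed52s3d24e8d4sd8e74ds4d3d."
            "dsqd56d5e8d25s.fdsf456e6d5sde8d56s4d.d545d4e84d5d."
            "d89d98jhnd9ed.5455d57s5656.friponne.fr/")

# Assumption: tiny constructed suffix set so the example runs offline;
# real code should load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "fr", "co.uk"}

# Assumption: brand keyword -> registrable domains allowed to use it.
BRANDS = {"paypal": {"paypal.com"}}


def registrable_domain(host):
    """Longest matching public suffix plus the one label to its left."""
    labels = host.split(".")
    for i in range(len(labels)):  # i = 0 tests the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def analyze(url, display_chars=30):
    """Compare what a narrow address bar shows with who controls the host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    labels = host.split(".")
    spoofed = sorted(brand for brand, legit in BRANDS.items()
                     if reg not in legit and any(brand in l for l in labels))
    return {
        "registrable_domain": reg,
        "label_count": len(labels),
        "visible_prefix": host[:display_chars],  # assumed display width
        "spoofed_brands": spoofed,
        "suspicious": bool(spoofed),
    }


if __name__ == "__main__":
    for key, value in analyze(PAGE_URL).items():
        print(f"{key}: {value}")
```

The visible prefix contains the brand name while the registrable domain, the only part that identifies who operates the site, sits at the far right of the host and is cut off on a narrow display.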


Zombie Hot Spots

India dropped below 20% of the world’s spam-sending zombies, settling on just over 17%. Brazil dropped from second place with over 8% to 12th place. Romania and Colombia dropped out of the top 15, replaced by the US and first-time top-15 entrant Taiwan.

Figure: Worldwide Zombie distribution in Q4 2012. Source: Commtouch

SillySpam

And finally – evidence of over-excitable spammers who may not have taken the time to proof-read their message:


About Commtouch

Commtouch® (NASDAQ: CTCH) is a leading provider of Internet security technology and cloud-based services for vendors and service providers, increasing the value and profitability of customers’ solutions by protecting billions of Internet transactions on a daily basis. With six global data centers and renowned technology, Commtouch’s email, Web, and antivirus capabilities easily integrate into customers’ products and solutions, keeping more than 350 million end users safe. To learn more, visit http://www.commtouch.com/.

References and Notes

Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams, not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching end user inboxes, due to several possible layers of filtering. Spam levels do not include emails with attached malware.

http://www.anchous.info/vse-eshhe-udalyaete-spam-ne-chitaya

Visit us: www.commtouch.com and blog.commtouch.com

Email us: [email protected]

Call us: Americas: +1-650-864-2000, EMEA: +49-30-5200-560, APAC: +972-9-863-6888

Copyright© 2013 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. Android is a trademark of Google Inc.


April 2011 Internet Threats Trend Report

About Commtouch

Commtouch® (NASDAQ: CTCH) provides proven Internet security technology to more than 150 security companies and service providers for integration into their solutions. Commtouch’s GlobalView™ and patented Recurrent Pattern Detection™ (RPD™) technologies are founded on a unique cloud-based approach, and work together in a comprehensive feedback loop to protect effectively in all languages and formats. Commtouch’s Command Antivirus utilizes a multi-layered approach to provide award winning malware detection and industry-leading performance. Commtouch technology automatically analyzes billions of Internet transactions in real-time in its global data centers to identify new threats as they are initiated, enabling our partners and customers to protect end-users from spam and malware, and enabling safe, compliant browsing. The company’s expertise in building efficient, massive-scale security services has resulted in mitigating Internet threats for thousands of organizations and hundreds of millions of users in 190 countries. Commtouch was founded in 1991, is headquartered in Netanya, Israel, and has a subsidiary with offices in Sunnyvale, California and Palm Beach Gardens, Florida.

References and Notes

Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams, not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching end user inboxes, due to several possible layers of filtering.


Visit us: www.commtouch.com and blog.commtouch.com Email us: [email protected] Call us: 650 864 2000 (US) or +972 9 863 6888 (International)

Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.

About Alt-N Technologies

Alt-N Technologies develops affordable and secure messaging and collaboration solutions designed for, and trusted by, small-to-medium businesses in over 90 countries and 25 languages worldwide. The company’s flagship solutions, the MDaemon® Messaging Server and the SecurityGateway for Exchange/SMTP Servers, install in minutes, include the latest email security technologies, and require minimal support and administration to operate and maintain. The company uses a network of global distributors and resellers for the sales and support of its products.


© 2012 Commtouch Software [email protected]

Phone: 650-864-2114 (US) +972-9-863-6895 (International)

Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch is a registered trademark, of Commtouch Software Ltd. U.S. Patent No. 6,330,590 is owned by Commtouch.

www.blog.commtouch.com www.commtouch.com

www.AltN.com Phone: 866-601-ALTN (2586)

© 2013 Alt-N Technologies, Ltd. MDaemon, WorldClient, RelayFax, and Alt-N are trademarks of Alt-N Technologies, Ltd. All trademarks are property of their respective owners.

04.08.2013