jan 2012 threats trend report

Upload: cyren

Post on 18-Nov-2014

Category: Technology

DESCRIPTION

The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The January 2012 edition provides analysis of Internet security threats that occurred during the fourth quarter of 2011. This edition also provides an overview of Facebook attacks that occurred throughout 2011.

TRANSCRIPT

  • 1. Internet Threats Trend Report, January 2012
  • 2. January 2012 Threat Report. The following is a condensed version of the January 2012 Commtouch Internet Threats Trend Report. You can download the complete report at http://www.commtouch.com/threat-report-january-2012. Copyright 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
  • 3. January 2012 Threat Report, contents: 1 Key Highlights; 2 Feature: Facebook Attacks, the year in review; 3 Trends: Malware, Spam, Web Security, Compromised Websites and Zombies.
  • 4. Key Highlights for Q4 2011
  • 5. Key Security Highlights. Average daily spam/phishing emails sent: 101 billion. Spam levels increased marginally in November and December 2011.
  • 6. Key Security Highlights. Spam zombie daily turnover: 209,000 zombies, a very large decrease compared to the 336,000 in Q3 (zombie turnover is the number of zombies turned off and on daily).
  • 7. Key Security Highlights. Most popular blog topic on user-generated content sites: streaming media/downloads (22%). Streaming media & downloads remains in the top spot but dropped 2% from Q3. Includes sites with MP3 files or music-related sites such as fan pages (these might also be categorized as entertainment).
  • 8. Key Security Highlights. Most popular spam topic: pharmacy ads (31%), up 2% over Q3.
  • 9. Key Security Highlights. Country with the most zombies: India (23.5%). India increased its share in Q4 to nearly one quarter of the world's zombies.
  • 10. Key Security Highlights. Website category most likely to be compromised with malware: parked domains. Parked domains and portals remained in the top 2 positions, with pornographic sites in 3rd position.
  • 11. Feature: Facebook Attacks, the year in review
  • 12. Facebook Attacks in 2011. Facebook continues to be an attractive target for attacks from malware distributors, scammers and plain old jokers. Most Facebook attacks ultimately lead victims to affiliate marketing/survey sites. Q4 2011 saw increases in free-merchandise scams.
  • 13. Lifecycle of Facebook Attacks: the 3 stages. Stage 1, The Catch: an enticing offer or piece of information that inspires action by a Facebook user. Stage 2, Spreading the Attack: ensuring the attack continues/spreads. Stage 3, The Goal: what the cybercriminals want to gain or achieve.
  • 14. The Catch: 4 tactics. The 4 ways Facebook users are tricked into liking, following a link or adding an app. 1. Free goods: items ranging from headphones to gift cards to unreleased Facebook phones. 2. Sensational headlines on current news issues. Examples: death of Osama Bin Laden videos; death of Steve Jobs free iPad/iPhone scams.
  • 15. The Catch: 4 tactics (continued). 3. Must-see tragic/amazing events with a call to action: users follow a link, or click on Like, to see a shocking video/photo, or forward a chain message. The Spanish in the example above translates to "Look what happens." 4. Must-have Facebook app download. Example of a popular attack: a mythical app allowing users to see who has been viewing their profile and get a breakdown of boy and girl views of their profile.
  • 16. The Catch: summary of catch tactics. Social engineering is the key to the tactics used to catch Facebook victims. Usage is spread fairly evenly between the four tactics described above. Most used tactic: "must see this" (36%). Next most common tactic in the second half of 2011: free stuff (26%).
  • 17. Spreading Attacks: how Facebook attacks are propagated. Cybercriminals abuse the inherent trust between Facebook friends. 4 main methods for spreading attacks: 1. tricking users into sharing; 2. likejacking; 3. rogue applications; 4. malware and self-XSS.
  • 18. Spreading Attacks: tricking users into sharing. Users are aware that they are liking/sharing a page, but do so under false pretenses. Example attacks: scams promising free gift cards in exchange for a like/share; users post a hoax they believe to be true, warning other users about a (nonexistent) virus or telling them the sad tale of a (nonexistent) abused child.
  • 19. Spreading Attacks: likejacking (a clickjacking variant). A common tactic is to entice users to see a video. The video player may be functional, but the page includes scripts that turn any mouse click into a Like. Users are unaware that they have liked a page, but the Like is used to lead more of their friends to the video.
  • 20. Spreading Attacks: rogue applications. Apps that users believe provide worthwhile functionality. Example: an app promising to reveal who has been viewing your profile. Users grant these apps permission to access parts of their user profile as well as to post on their wall. Wall posts are then used by the rogue app to spread further within Facebook.
  • 21. Spreading Attacks: malware and self-XSS. Malware unwittingly installed on a user's PC hijacks their Facebook session for posts and other activity. How it works: traditional cross-site scripting (XSS) attacks rely on a hidden script within a web page to hijack a Facebook session. Self-XSS means that the malicious script was activated by the user (the "self"), giving another site access to the Facebook session.
  • 22. Spreading Attacks: self-XSS (continued). Users are tricked into activating a script by copying it directly into their browser (typically the address bar). In most cases the script contacts an external site (the "cross-site" of cross-site scripting) and then posts a wall post or an event invite, which others view and in turn help to further propagate the attack.
  • 23. Goal of Attacks. The goals of cybercriminals in Facebook attacks can be divided into the following categories: marketing affiliate/survey sites; chain posts and hoaxes; other.
  • 24. Goal of Attacks: marketing affiliate/survey sites. Benefit to cybercriminals: affiliate payments for driving users to specific sites, and collection of personal data to be used in identity theft. Users are led to believe that completing a form will result in a free gift (iPhone, gift card, cap, etc.). They may also be tricked into signing up for unwanted products.
  • 25. Goal of Attacks: chain posts and hoaxes. The benefit to cybercriminals: pranksters having a laugh at the expense of unaware Internet users. Users like or share stories of abused children or devastating computer viruses. Many of the fake stories were chain emails many years ago and have been reused.
  • 26. Goal of Attacks: other types of attack. Defacement (benefit to cybercriminal: embarrass Facebook). Spreading malware (benefit: spread malware that steals passwords or sends spam). Collecting Likes (benefit: generate an enormous number of Likes for a page, several hundred thousand in some cases, but with no clear further malicious purpose).
  • 27. Facebook Attacks: summary of 2011. Some progress was made during 2011 to stop attacks: various attacks are more quickly detected and removed by Facebook; there are almost no recent reports of rogue applications compared to the numerous examples from the first half of the year; some attack methods, such as self-XSS, have been almost completely eliminated (due to security updates by major browser vendors). Free-merchandise scams are still common.
  • 28. For a complete analysis of Facebook attacks in 2011, download the complete January 2012 Internet Threats Trend Report: http://www.commtouch.com/threat-report-january-2012
  • 29. Trends in Q4 2011: Malware Trends
  • 30. Q4 Malware Trends. The large amounts of email malware in 2011 were a surprise to many analysts, who had predicted the continued demise of email as a malware vector following a quiet 2010. The mass malware-attachment outbreaks of late Q3 subsided in Q4, as can be seen in the chart below. Multiple blended-threat email outbreaks were tracked by Commtouch in Q4, combining emails with malware hosted on compromised websites.
  • 31. Q4 Malware Trends: chart of malware email levels, Jan to Dec 2011 (Source: Commtouch).
  • 32. Q4 Malware Trends: Top 10 Malware of Q4 2011 (Source: Commtouch)
    Rank  Malware name
    1     W32/Swizzor-based!Maximus
    2     W32/Brontok.A.gen!Eldorado
    3     JS/IFrame.HC.gen
    4     W32/Virut.9264
    5     W32/Heuristic-210!Eldorado
    6     W32/MyWeb.D
    7     W32/Tibs.K.gen!Eldorado
    8     W32/Mabezat.A-2
    9     W32/Virtumonde.T.gen!Eldorado
    10    W32/Mywebsearch.B.gen!Eldorado
  • 33. Q4 Malware Trends. For a complete analysis of malware in Q4 and the specific attacks employed, download the complete January 2012 Internet Threats Trend Report: http://www.commtouch.com/threat-report-january-2012
  • 34. Trends in Q4 2011: Spam Trends
  • 35. Q4 Spam Trends. Spam levels increased marginally in November and December but remained at their lowest in years following the Rustock botnet takedown in March. Q4 average spam levels approached 101 billion email messages per day. Chart: spam levels, Jan to Dec 2011 (Source: Commtouch).
  • 36. Q4 Spam Trends. Spam averaged 77% of all emails in Q4 (excluding emails with malware attachments). Chart: spam as a percentage of all emails, Jan to Dec 2011 (Source: Commtouch).
  • 37. Q4 Spam Trends: November spam tactics. Sending spam containing URLs that are not yet registered: several hundred million emails were sent out with many thousands of unregistered URLs. How it works: spam filters with URL reputation systems check whether a URL's domain is registered and when it was registered, since bad sites usually have registrations that are only several hours old. If a domain is not registered when checked, many URL reputation systems will not blacklist it and will not pursue further checks. This loophole allows spammers to send out emails linking to unregistered domains and then register them an hour or so after the outbreak begins, so that the URLs are not blocked.
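The loophole described above comes down to what a URL reputation lookup returns when the domain does not exist yet. The following Python is an added example (not Commtouch code and not part of the original report) of one way to close it: an unregistered domain seen in mail is quarantined and remembered, and a domain that is later registered after the mail advertising it was first seen, or that is less than two days old, is blocked. The WHOIS lookup is replaced by a constructed in-memory dictionary so the example runs offline; every domain name in it is made up, and the 48-hour threshold is an assumption.

```python
"""Domain-age aware URL reputation check.

Added example: naive reputation systems answer "nothing to block" for a
domain that is not registered yet, which is the loophole spammers used.
Here the unregistered case is a verdict of its own (quarantine + remember),
and a later registration that post-dates the first sighting is treated as
evidence of the send-first-register-later trick.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two host labels). Production code should use the
    Public Suffix List; this keeps the example dependency-free."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str, now: datetime, whois: dict, pending: dict,
             young_hours: int = 48) -> str:
    """Return ALLOW, BLOCK or QUARANTINE for one URL.

    whois   - constructed stand-in for a WHOIS/zone lookup: domain -> creation
              time; absent if the domain is not registered at lookup time
    pending - domains seen in mail while unregistered: domain -> first seen
    """
    domain = registrable_domain(url)
    created = whois.get(domain)
    if created is None:
        # The loophole: many filters return ALLOW here because there is
        # nothing to look up. Instead, hold the mail and remember the domain.
        pending.setdefault(domain, now)
        return QUARANTINE
    first_seen = pending.get(domain)
    if first_seen is not None and created > first_seen:
        # Registered after we first saw it advertised in spam.
        return BLOCK
    if now - created < timedelta(hours=young_hours):
        # Freshly registered domains are the usual spam signal.
        return BLOCK
    return ALLOW


def recheck_pending(now: datetime, whois: dict, pending: dict,
                    young_hours: int = 48) -> dict:
    """Re-run the lookup for quarantined domains. Returns {domain: verdict}
    for those now registered; still-unregistered domains stay pending."""
    results = {}
    for domain in list(pending):
        if domain in whois:
            results[domain] = classify("http://%s/" % domain, now, whois,
                                       pending, young_hours)
    return results


def demo() -> tuple:
    """Walk through the November tactic on constructed data."""
    t0 = datetime(2011, 11, 15, 9, 0)          # outbreak starts
    whois = {
        "long-lived.test": t0 - timedelta(days=400),   # established site
        "fresh-pharma.test": t0 - timedelta(hours=3),  # registered this morning
    }
    pending = {}
    v_old = classify("http://www.long-lived.test/news", t0, whois, pending)
    v_fresh = classify("http://fresh-pharma.test/buy", t0, whois, pending)
    v_unreg = classify("http://not-yet.test/x", t0, whois, pending)
    # Spammer registers the domain an hour after the mail went out.
    whois["not-yet.test"] = t0 + timedelta(hours=1)
    later = recheck_pending(t0 + timedelta(hours=2), whois, pending)
    return v_old, v_fresh, v_unreg, later["not-yet.test"]


if __name__ == "__main__":
    print(demo())  # ('allow', 'block', 'quarantine', 'block')
```

The quarantine state is what matters operationally: a filter that only distinguishes "bad" from "not bad" has nowhere to put a domain it cannot yet judge, and that gap is exactly what the send-first-register-later tactic exploits.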
  • 38. Q4 Spam Trends: top faked (spoofed) spam-sending domains, i.e. the domains used by spammers in the From field of spam emails (Source: Commtouch). Gmail.com was once again the most spoofed domain. Facebook-related addresses (unsubscribe.facebook.com) and facebookmail.com both feature in the top 15, often as part of phishing or malware attacks.
  • 39. Q4 Spam Trends: spam topics. Pharmacy spam increased for the second straight quarter (by about 2% over Q3), reaching 31% of all spam. Dating-related spam increased from 2.3% to nearly 12% in the last quarter of the year (Source: Commtouch).
  • 40. Q4 Spam Trends. Find out more about spam trends in Q4 by downloading the complete January 2012 Internet Threats Trend Report: http://www.commtouch.com/threat-report-january-2012
  • 41. Trends in Q4 2011: Web Security
  • 42. Q4 Compromised Websites. Trend: compromised websites store malware. Most of the emails carrying malware links in Q4 used compromised websites. Example: the "speeding fine" link directs to JavaScript malware hosted on a legitimate site called jemgaming.net (Source: Commtouch).
  • 43. Q4 Compromised Websites. Trend: compromised sites used as redirect points to pharmacy and enhancer websites. The majority of the exploited sites were using the WordPress content management system. Spammers exploited a vulnerability in WordPress or in a plugin in order to hide the redirect pages. Before being redirected, users are shown an initial page hidden within one of the WordPress subdirectories (see image below); the site's own homepage is unchanged, so the owner typically does not notice.
  • 44. Q4 Compromised Websites: screenshots of (1) the compromised site showing a message before redirecting, (2) the destination enhancer site, and (3) the homepage of the compromised WordPress site, with no change in functionality.
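The slides above describe the pattern an administrator can look for: a WordPress install whose public pages are unchanged, with an extra redirect page hidden somewhere under the site's subdirectories. The Python below is an added example (not Commtouch code and not from the report) of a small filesystem scanner for that pattern. It walks a WordPress document root, skips wp-admin/ and wp-includes/ (core files should instead be compared against a pristine copy of the same version), flags any PHP file under wp-content/uploads/ (a media directory that should never contain executable code), and flags pages containing meta-refresh, JavaScript location or PHP header() redirects, or eval(base64_decode(...)) style obfuscation. The sample site it builds in a temporary directory is constructed for the demo; every path, plugin name and domain in it is made up. Matches are leads for triage, not verdicts, since themes and plugins legitimately redirect too.

```python
"""Scanner for hidden redirect pages inside a WordPress install.

Added example. Finds the artefacts of the compromise described above:
PHP dropped into the uploads tree, and pages whose only job is to bounce
the visitor to a pharmacy/enhancer site. Output is a sorted list of
(relative path, indicator) pairs for a human to triage.
"""
import os
import re
import tempfile

CORE_DIRS = ("wp-admin/", "wp-includes/")      # verify these by checksum instead
SCAN_EXT = {".php", ".html", ".htm"}
INDICATORS = {
    "meta-refresh": re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    "js-location": re.compile(
        r'(?:window|document|top|self)\.location(?:\.href|\.replace)?\s*[=(]', re.I),
    "php-header-location": re.compile(r'header\s*\(\s*["\']\s*Location:', re.I),
    "obfuscated-php": re.compile(
        r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
}


def scan_wordpress(root: str) -> list:
    """Walk `root` and return sorted (relative_path, indicator) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith(CORE_DIRS):
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext == ".php" and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php-in-uploads"))
            if ext not in SCAN_EXT:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for label, pattern in INDICATORS.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_site(root: str) -> None:
    """Constructed WordPress tree: two planted redirect pages, one clean
    theme file, and one core file that uses a redirect legitimately."""
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/twentyeleven/header.php":
            "<!DOCTYPE html><html><head><?php wp_head(); ?></head>\n",
        # core: legitimate header() redirect, must be skipped (checksum instead)
        "wp-admin/admin.php":
            "<?php header('Location: ' . $redirect_to); exit;\n",
        # planted: PHP in the media tree, bouncing to a pharmacy site
        "wp-content/uploads/2011/11/cache.php":
            "<html><head><meta http-equiv=\"refresh\" "
            "content=\"0;url=http://pharmacy.example/\"></head></html>\n",
        # planted: 'look at this first' page that then jumps to an enhancer site
        "wp-content/plugins/seo-pack/tmp/go.html":
            "<html><body>Loading...<script>window.location = "
            "\"http://enhancer.example/\";</script></body></html>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> list:
    """Build the constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_wordpress(root)


if __name__ == "__main__":
    for rel, indicator in demo():
        print(f"{indicator:20s} {rel}")
```

Run against a real document root, pair the output with file modification times and the web server's access log: a planted page that is only ever reached from search-engine referrers, never from the site's own navigation, is the redirect page the slide shows.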
  • 45. Q4 Compromised Websites: website categories infected with malware. Parked domains and portals remained in the top 2 positions, with pornographic sites in 3rd position (as noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites). The Portals category includes sites offering free homepages, which are often abused to host phishing and malware content or redirects to other sites with this content. (Source: Commtouch)
    Rank  Category
    1     Parked Domains
    2     Portals
    3     Pornography/Sexually Explicit
    4     Education
    5     Business
    6     Entertainment
    7     Shopping
    8     Health & Medicine
    9     Travel
    10    Computers & Technology
  • 46. Q4 Compromised Websites: website categories infected with phishing. This is an analysis of which categories of legitimate websites were most likely to be hiding phishing pages (usually without the knowledge of the site owner). Sites related to games ranked highest in Q4, similar to Q3. The Portals category includes sites offering free homepages, which are abused to host phishing and malware content. (Source: Commtouch)
    Rank  Category
    1     Games
    2     Portals
    3     Shopping
    4     Education
    5     Fashion & Beauty
    6     Sports
    7     Business
    8     Leisure & Recreation
    9     Entertainment
    10    Real Estate
  • 47. Q4 Compromised Websites. Download the complete January 2012 Internet Threats Trend Report for more details: http://www.commtouch.com/threat-report-january-2012
  • 48. Trends in Q4 2011: Zombie Trends
  • 49. Q4 Zombie Trends: daily turnover of zombies in Q4. Q4 saw an average turnover of 209,000 zombies each day that were newly activated for sending spam, a very large decrease compared to the 336,000 of Q3 2011. The average turnover for all of 2011 was 297,500 zombies per day. Chart: daily newly activated spam zombies, Jan to Dec 2011 (Source: Commtouch).
  • 50. Q4 Zombie Trends: worldwide zombie distribution in Q4 (Source: Commtouch). India again claimed the top zombie-producer title, increasing its share to nearly a quarter of the world's zombies. Brazil, once a fixture in first position, continued to drop this quarter, to 6th position (a further drop of around 3%). Peru and Kazakhstan joined the top 15, displacing Saudi Arabia and Colombia.
  • 51. Q4 Zombie Trends. Download the complete January 2012 Internet Threats Trend Report for more details: http://www.commtouch.com/threat-report-january-2012
  • 52. Trends in Q4 2011: Web 2.0 Trends
  • 53. Q4 Web 2.0 Trends. Streaming media and downloads was again the most popular blog or page topic, but dropped 2% in Q4. The streaming media & downloads category includes sites with MP3 files or music-related sites such as fan pages. (Source: Commtouch)
    Rank  Category                        Percentage
    1     Streaming Media & Downloads     22%
    2     Computers & Technology          8%
    3     Entertainment                   7%
    4     Pornography/Sexually Explicit   6%
    5     Fashion & Beauty                5%
    6     Restaurants & Dining            5%
    7     Religion                        5%
    8     Arts                            5%
    9     Sports                          4%
    10    Education                       4%
    11    Leisure & Recreation            3%
    12    Health & Medicine               3%
    13    Games                           3%
    14    Sex Education                   2%
  • 54. Review of Q4 2011
  • 55. Review of Q4 2011: timeline graphic of October, November and December events (Source: Commtouch). Items recoverable from the graphic (month assignments not preserved): highest and lowest spam per day of the quarter (138 billion and 60 billion); spam ratio reaches a low of 73%; speeding ticket email malware; phony airline itineraries leading to malware; Better Business Bureau malware; Facebook defacement attack; Facebook free gift card scams; free iPhone scams following the death of Steve Jobs; compromised WordPress sites hosting malware; ACH transaction cancelled malware emails; unregistered domains used in spam emails; "look what happens" Facebook likejacking; malware lures themed on pizza, a James Cameron new movie and a bikini girl.
  • 56. Download the complete January 2012 Internet Threats Trend Report at http://www.commtouch.com/threat-report-january-2012
  • 57. For more information contact: [email protected], 650 864 2000 (Americas), +972 9 863 6895 (International). Web: www.commtouch.com. Blog: http://blog.commtouch.com