symantec intelligence report december 2014
SYMANTEC INTELLIGENCE REPORT
DECEMBER 2014
Symantec Corporation
Symantec Intelligence Report :: DECEMBER 2014
CONTENTS
Summary
TARGETED ATTACKS + DATA BREACHES
Targeted Attacks
Attachments Used in Spear-Phishing Emails
Spear-Phishing Attacks by Size of Targeted Organization
Average Number of Spear-Phishing Attacks Per Day
Top-Ten Industries Targeted in Spear-Phishing Attacks
Data Breaches
Timeline of Data Breaches
Top-Ten Types of Information Breached
MALWARE TACTICS
Malware Tactics
Top-Ten Malware
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Ransomware Over Time
Vulnerabilities
Number of Vulnerabilities
Zero-Day Vulnerabilities
Browser Vulnerabilities
Plug-in Vulnerabilities
MOBILE THREATS
Mobile
Mobile Malware Families by Month, Android
PHISHING, SPAM + EMAIL THREATS
Phishing and Spam
Phishing Rate
Global Spam Rate
Email Threats
Proportion of Email Traffic Containing URL Malware
Proportion of Email Traffic in Which Virus Was Detected
About Symantec
More Information
Summary
Welcome to the December edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.
This month’s report takes us through December with a number of rolling 12-month metrics that we’ve tracked over the last year. However, it’s important to point out that this is a snapshot of monthly data for December, as opposed to a year-end summary of activity in 2014. We will be exploring 2014 as a whole in the upcoming Internet Security Threat Report XX, scheduled for publication in the coming months.
Eight data breaches that took place in December were reported during the month. This number is likely to rise as more data breaches that occurred during the month are reported in the future. For instance, there were 14 new data breaches reported during December that took place between January and November.
The most commonly encountered malware in December was Trojan.Swifi. This threat is a Trojan horse that may be downloaded from a Web site and exploits a vulnerability in Adobe Flash Player.
A new zero-day vulnerability was also disclosed during the month of December. The Adobe Flash Player CVE-2014-9163 Stack Based Buffer Overflow Vulnerability may allow attackers to execute arbitrary code within the context of the affected application or result in denial-of-service conditions if the exploit fails.
We hope that you enjoy this month’s report. Feel free to contact us with any comments or feedback.
Ben Nahorney, Cyber Security Threat Analyst
TARGETED ATTACKS + DATA BREACHES
At a Glance
• The average number of spear-phishing attacks dropped to 33 per day in December, down from 43 in November.
• The .doc file type was the most common attachment type used in spear-phishing attacks. The .exe file type came in second.
• Organizations with 2500+ employees were the most likely to be targeted in December.
• Manufacturing led the Top-Ten Industries targeted, followed by Finance, Insurance, & Real Estate.
Targeted Attacks
Average Number of Spear-Phishing Attacks Per Day
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: average number of spear-phishing attacks per day, by month, January through December 2014]
Attachments Used in Spear-Phishing Emails
Source: Symantec :: DECEMBER 2014
Executable type December November
.doc 26.7% 25.9%
.exe 15.7% 16.4%
.au3 8.2% 8.6%
.scr 5.0% 5.3%
.jpg 4.6% 4.8%
.class 3.4% 2.2%
.pdf 1.6% 1.6%
.bin 1.5% 1.6%
.txt 1.4% 1.3%
.dmp 1.0% 1.0%
Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec :: DECEMBER 2014
Organization Size December November
1-250 31.5% 34.4%
251-500 11.5% 8.4%
501-1000 6.6% 8.8%
1001-1500 3.5% 3.2%
1501-2500 9.3% 4.5%
2500+ 37.6% 40.7%
Top-Ten Industries Targeted in Spear-Phishing Attacks
Source: Symantec :: DECEMBER 2014
Industry December
Manufacturing 27%
Finance, Insurance, & Real Estate 24%
Wholesale 13%
Services - Professional 12%
Services - Non Traditional 11%
Transportation, Communications, & Electric 4%
Retail 2%
Public Administration 1%
Construction 1%
Consulting 1%
Data Breaches
At a Glance
• There were eight data breaches reported this month that took place during the month of December. This number is likely to rise as more data breaches that occurred during the month are reported.
• In comparison, there were 14 new data breaches reported during December that took place between January and November.
• Real names, government ID numbers, such as Social Security numbers, and home addresses are currently the top three types of data exposed in data breaches.
Timeline of Data Breaches
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: number of incidents and identities exposed (millions), by month, January through December 2014]
Top-Ten Types of Information Breached
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
Rank Type of Information Percentage
01 Real Names 66%
02 Gov ID numbers (Soc Sec) 45%
03 Home Address 43%
04 Birth Dates 36%
05 Financial Information 36%
06 Medical Records 24%
07 Email Addresses 21%
08 Phone Numbers 20%
09 Usernames & Passwords 16%
10 Insurance 10%
Methodology
This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information.
In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.
MALWARE TACTICS
Malware Tactics
At a Glance
• Trojan.Swifi was the most common malware blocked in December, up from tenth place in November.
• W32.Ramnit variants continue to dominate the top-ten malware list.
• The most common threat seen on OSX was OSX.Keylogger, making up 16.3 percent of all OSX malware found on OSX Endpoints.
• The amount of ransomware seen during December increased when compared to previous months. Overall ransomware activity has remained low since March of this year.
Top-Ten Malware
Source: Symantec :: DECEMBER 2014
Rank Name December November
1 Trojan.Swifi 7.0% 1.4%
2 W32.Almanahe.B!inf 5.2% 4.5%
3 W32.Ramnit!html 5.1% 4.4%
4 W32.Sality.AE 5.0% 4.8%
5 W32.Ramnit.B 3.7% 2.7%
6 W32.Downadup.B 2.4% 3.0%
7 W32.Ramnit.B!inf 2.3% 2.3%
8 W32.Virut.CF 1.7% 1.5%
9 W32.SillyFDC.BDP!lnk 1.6% 1.6%
10 W32.SillyFDC 1.1% 1.4%
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Source: Symantec :: DECEMBER 2014
Rank Malware Name December November
1 OSX.Keylogger 16.3% 11.8%
2 OSX.Wirelurker 13.6% –
3 OSX.Okaz 11.2% 13.4%
4 OSX.RSPlug.A 10.1% 11.0%
5 OSX.Luaddit 9.3% –
6 OSX.Klog.A 7.6% 8.4%
7 OSX.Flashback.K 6.3% 15.7%
8 OSX.Stealbit.B 4.1% 7.6%
9 OSX.Freezer 2.7% –
10 OSX.Netweird 2.2% 3.7%
Ransomware Over Time
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: ransomware over time, in thousands, by month, January through December 2014]
Number of Vulnerabilities
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: number of vulnerabilities disclosed, by month, January through December 2014]
Zero-Day Vulnerabilities
Source: Symantec :: JANUARY 2014 — NOVEMBER 2014
[Chart: number of zero-day vulnerabilities disclosed, by month]
Vulnerabilities
At a Glance
• There were 428 vulnerabilities disclosed during the month of December.
• There was one zero-day vulnerability disclosed during December (CVE-2014-9163).
• Internet Explorer has reported the most browser vulnerabilities during the month of December.
• Adobe, reporting on Acrobat and Flash programs, disclosed the most plug-in vulnerabilities over the same time period.
Browser Vulnerabilities
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: browser vulnerabilities by month, January through December 2014, for Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, and Apple Safari]
Plug-in Vulnerabilities
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: plug-in vulnerabilities by month, January through December 2014, for Java, Apple, Adobe, and ActiveX]
MOBILE THREATS
Mobile
Mobile Malware Families by Month, Android
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: number of Android malware families discovered, by month, January through December 2014]
At a Glance
• There were six Android malware families discovered in December.
PHISHING, SPAM + EMAIL THREATS
Phishing and Spam
Phishing Rate
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: phishing rate, expressed as 1 in N emails, by month, January through December 2014]
At a Glance
• The phishing rate dropped in December, at one in 1,517 emails, down from one in 647 emails in December.
• The global spam rate was 55.3 percent for the month of December.
• One out of every 195 emails contained a virus.
• Of the email traffic in the month of December, 14 percent contained a malicious URL.
Global Spam Rate
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: global spam rate as a percentage of email, by month, January through December 2014]
Email Threats
Proportion of Email Traffic Containing URL Malware
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: percentage of email traffic containing URL malware, by month, January through December 2014]
Proportion of Email Traffic in Which Virus Was Detected
Source: Symantec :: JANUARY 2014 — DECEMBER 2014
[Chart: proportion of email traffic in which a virus was detected, expressed as 1 in N emails, by month, January through December 2014]
About Symantec
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.
More Information
• Symantec Worldwide: http://www.symantec.com/
• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
• Symantec Security Response: http://www.symantec.com/security_response/
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/
For specific country offices and contact numbers, please visit our website.
For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners