Internet Threats Trend Report April 2012

Upload: cyren

Post on 13-May-2015


DESCRIPTION

The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The April 2012 edition provides analysis of Internet security threats that occurred during the first quarter of 2012.

TRANSCRIPT

Page 1: April 2012 Threats Trend Report

Internet Threats Trend Report

April 2012

Page 2: April 2012 Threats Trend Report

April 2012 Threat Report

The following is a condensed version of the April 2012 Commtouch Internet Threats Trend Report

You can download the complete report at http://www.commtouch.com/threat-report-april-2012

Copyright© 2012 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.

Page 3: April 2012 Threats Trend Report

April 2012 Threat Report

1. Key Highlights

2. Trends: Malware, Spam, Web Security, Compromised Websites and Zombies

Page 4: April 2012 Threats Trend Report

Key Highlights for Q1 2012

Page 5: April 2012 Threats Trend Report

Key Security Highlights

Average daily spam/phishing emails sent

94 Billion

Spam levels dropped in Q1

Page 6: April 2012 Threats Trend Report

270,000 Zombies

Spam Zombie daily turnover

Key Security Highlights

Up from 209,000 in Q4, 2011 (Zombie turnover is the number of zombies turned off and on daily)

Page 7: April 2012 Threats Trend Report

Most popular blog topic on user generated content sites

Streaming media/ downloads (22%)

Key Security Highlights

Streaming media & downloads remains in top spot

Includes sites with MP3 files or music related sites such as fan pages (these might also be categorized as entertainment)

Page 8: April 2012 Threats Trend Report

Key Security Highlights

Most popular spam topic

Pharmacy Ads (39% of all spam)

Up 8% over Q4 2011

2nd place Replica spam also increased by over 5%

Page 9: April 2012 Threats Trend Report

Country with the most Zombies

India (19.2%)

Key Security Highlights

India still #1 but dropped from nearly 24% in Q4 2011.

Page 10: April 2012 Threats Trend Report

Website category most likely to be compromised with malware

Pornography/Explicit

Key Security Highlights

• “Parked domains” dropped to 2nd spot

• New entrant “Fashion & Beauty” captured 3rd place

Page 11: April 2012 Threats Trend Report

Trends in Q1 2012…

Spam Trends

Page 12: April 2012 Threats Trend Report

Q1 Spam Trends

• Marginal increase in spam during the December 2011 holiday season

• Otherwise, spam remained low vs. Q1 2011 – avg decrease nearly 40%

• Average daily spam levels dropped to 94 billion spam and phishing emails/day

[Chart: Spam levels – Dec 2011 to March 2012, by month (December, January, February, March). Source: Commtouch]

Page 13: April 2012 Threats Trend Report

• Spam averaged 75% of all emails in Q1

Q1 Spam Trends

[Chart: Spam % of all emails - Dec 2011 to Mar 2012, by month (December, January, February, March). Source: Commtouch]

Page 14: April 2012 Threats Trend Report

Q1 Spam Trends

Replica spam affiliate program “GlavTorg” closes

• Spam affiliate programs provide the link between fake pharmaceuticals and replica manufacturers and spammers

• Dec 2011 - GlavTorg (affiliate focused on replica handbags and clothing) announced it would stop affiliate payouts at end of Jan ’12

• Commtouch Labs evaluated the effect of the closure with the introduction of the “spam-subject cloud tool”
  – Samples thousands of spam messages at definable intervals
  – Frequency of spam terms indicated by text size

• Spam subjects used in massive quantities are instantly distinguishable.

Page 15: April 2012 Threats Trend Report

Q1 Spam Trends

• Spam topics cloud for the end of January 2012 shows no evidence of GlavTorg related products

• Spam levels for the period show no obvious increase or decrease around dates when payments were stopped

• Conclusion: Spammers have apparently easily realigned their activities.

Source: Commtouch

Spam Topics Cloud for End of January 2012

Page 16: April 2012 Threats Trend Report

Q1 Spam Trends

Subjects include:

• Pharmaceuticals (Viagra, Cialis)

• Replicas (Rolex, Breitling)

• Enhancers

• Software (CS5, Windows, Adobe)

• “Dating”
  – Present, but due to the great variance of subject words, are less prominent

Source: Commtouch

Spam Topics Cloud for Q1 2012 (spam cloud for the entire quarter)

Page 17: April 2012 Threats Trend Report

Q1 Spam Trends

• Pharmacy spam continued to increase, as it did last quarter, to nearly 39% of all spam (~8% more than the previous quarter)

• Replica-themed spam also increased in Q1 by over 5%

Spam Topics in Q1

Source: Commtouch

Page 18: April 2012 Threats Trend Report

Q1 Spam Trends

Top Faked (Spoofed) Spam Sending Domains*

Source: Commtouch

* Domains used by spammers in the “from” field of the spam emails.

• gmail.com is once again the most spoofed domain (increasing above 25% for the first time)

• The top 15 features popular social networking and mail sites (AOL, Yahoo, Facebook, LinkedIn, MySpace) as well as DHL.com – often used as part of email malware attacks

Page 19: April 2012 Threats Trend Report

Q1 Spam Trends

Find out more about Spam Trends in Q1 by downloading the complete April Internet Threats Trend Report: http://www.commtouch.com/threat-report-april-2012

Page 20: April 2012 Threats Trend Report

Trends in Q2 2012…

Malware Trends

Page 21: April 2012 Threats Trend Report

Did cybercriminals target accountants?

• The scale of a February attack was so large that it certainly must have worked on many CPAs – but also many other individuals

• Attacks included subjects such as:
  – “Fraudulent tax return assistance accusations”
  – “Your accountant license can be revoked”
  – “Your accountant cpa license termination”
  – “Income tax return fraud accusations”

Q1 Malware Trends

Page 22: April 2012 Threats Trend Report

Q1 Malware Trends

How it worked

• Clicking on the link downloaded a short HTML page that promised “Page is loading, please wait. You will see tax info on this screen.”

• In the background, a small script created a nested iFrame, which brought in more JavaScript, creating further dynamic content

• The process repeated until a large portion of malware code was activated

Phony accountant tax fraud emails lead to malware

Source: Commtouch

Page 23: April 2012 Threats Trend Report

Q1 Malware Trends

• 2 weeks later a similarly sized attack targeted accounting practitioners and the small business market

• The method this time was to describe fictitious purchases of Intuit accounting software.

• Subject lines included:
  – Your QuickBooks software order
  – Your Intuit.com order
  – Your Intuit.com invoice
  – Please confirm your Intuit.com invoice

• The malware was downloaded and deployed in the same way as in the previous attack

Source: Commtouch

Page 24: April 2012 Threats Trend Report

Q1 Malware Trends

Email attached malware levels generally low Q1 2012

• Malware distributors generally stuck to popular malware topics, such as Fedex delivery notices.

• Several other interesting social engineering techniques were also used during the quarter:

– Google have received your CV (with an attached CV submission form)

– Your friend invited you to Twitter (with an attached “invitation card”)

– Someone wanting to be your friend on Hi5 (a social network)

– Shipping updates for your Amazon.com order (with attached “shipping documents”)

Page 25: April 2012 Threats Trend Report

Q1 Malware Trends

– American Airlines ticket confirmations

– “I love you” (containing only the text “lovely :-)” and phony assurance that F-Secure Antivirus had found no virus in the attachment)

– Sex pictures, with an attached zip referring to www.freeporn4all. Once extracted, a typical Explorer view shows a file named “document.txt”. Widening the filename column reveals the true “.exe” extension of the malware (following multiple space characters) – an old trick but probably still effective
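The padded-extension trick described above can be caught at a mail gateway or during triage by inspecting archive member names before anything is extracted. The following is an added example, not code from the Commtouch report: it scans a zip held in memory for names where a harmless-looking extension is followed by a run of whitespace and then an executable extension. The extension list, function names and sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed, illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# Decoy name ending in a short extension, padding whitespace, then the real extension.
PADDED = re.compile(r"^(?P<decoy>.+\.\w{1,5})(?P<pad>\s+)\.(?P<real>\w{1,5})$")


def check_name(name):
    """Return (decoy, real_ext, pad_len) if the name hides an executable extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # ignore directory part
    m = PADDED.match(base)
    if m and m.group("real").lower() in EXECUTABLE_EXTS:
        return m.group("decoy"), m.group("real").lower(), len(m.group("pad"))
    return None


def scan_zip(data):
    """Check every member name of a zip (given as bytes) without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = check_name(info.filename)
            if hit:
                findings.append(hit)
    return findings


def build_sample_zip():
    """Constructed sample: one padded name and two benign names, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".exe", b"constructed placeholder")
        zf.writestr("readme.txt", b"constructed placeholder")
        zf.writestr("photos/holiday 2012.jpg", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, real, pad in scan_zip(build_sample_zip()):
        print(f"suspicious: shown as {decoy!r}, real extension .{real}, {pad} pad chars")
```
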

Page 26: April 2012 Threats Trend Report

Q1 Malware Trends

Top 10 Malware of Q1 2012

Source: Commtouch

Rank  Malware name
1     W32/InstallCore.A2.gen!Eldorado
2     W32/RLPacked.A.gen!Eldorado
3     W32/Sality.C.gen!Eldorado
4     W32/Heuristic-210!Eldorado
5     W32/RAHack.A.gen!Eldorado
6     W32/Sality.gen2
7     W32/HotBar.L.gen!Eldorado
8     W32/Vobfus.AD.gen!Eldorado
9     JS/Pdfka.CI.gen
10    W32/Korgo.V

Page 27: April 2012 Threats Trend Report

Q1 Malware Trends

For a complete analysis of Malware in Q1 and the specific attacks employed, download the complete April 2012 Internet Threats Trend Report: http://www.commtouch.com/threat-report-april-2012

Page 28: April 2012 Threats Trend Report

Trends in Q1 2012…

Web Security

Page 29: April 2012 Threats Trend Report

Facebook “unwatchable video” scam

• Several variants of this scam have appeared on Facebook in the last few months

• January’s version starts with a friend’s post that looks something like this:

• The link takes clickers to a Blogspot page which has been very convincingly designed to look like a Facebook page with an embedded video player.
  – None of the buttons on the page are actually clickable

Q1 Web Security

Source: Commtouch

Page 30: April 2012 Threats Trend Report

Q1 Web Security

• Visitors are informed that they need the Divx plugin/YouTube Premium plugin

• Clicking on the download link runs a malicious link that:
  – Posts a link on the user’s wall to attract more users to click on the link
  – Installs Firefox or Chrome extensions (depending on browser), used to redirect users to several further scams.
  – Redirections happen regardless of the site the user actually intended to go to. One of the redirections is to a scam offering a $50 Starbucks gift card. After coaxing the Facebook user to like and share the link they are led to an affiliate marketing site.

Page 32: April 2012 Threats Trend Report

Website categories infected with malware

Q1 Compromised Websites

• Pornographic sites climbed back up to the top spot pushing down Parked domains. As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites.

• A new entry into the top 3 is “Fashion and Beauty” sites

Source: Commtouch

Rank  Category
1     Pornography/Sexually Explicit
2     Parked Domains
3     Fashion and Beauty
4     Portals
5     Entertainment
6     Education
7     Health & Medicine
8     Computers & Technology
9     Business
10    Leisure & Recreation

Page 33: April 2012 Threats Trend Report

Q1 Compromised Websites

Compromised Websites: An Owner’s Perspective

• Commtouch, in cooperation with StopBadware, undertook a survey of webmasters whose sites had been compromised

• The report presents statistics & opinions on how site owners navigate the process of learning their sites have been hacked and repairing the damage

• Some results
  – Over 90% of respondents didn't notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware.
  – Nearly two-thirds of the webmasters surveyed didn't know how the compromise had happened
  – About half of site owners discovered the hack when they attempted to visit their own site and received a browser or search engine warning

View the complete list of findings by downloading the full report: http://www.commtouch.com/compromised-websites-report-2012

Page 34: April 2012 Threats Trend Report

Q1 Compromised Websites

Phishing Trends

• Phishing attacks target account information for many services:
  – Banks, email and social network accounts, and online games.

• Commtouch’s Security Blog has also featured phishing aimed at Google Adwords customers.

• In January, a similar phishing attack was directed at Microsoft adCenter users. The links in the email led to a very convincing replica of the adCenter login page.

Page 35: April 2012 Threats Trend Report

Q1 Compromised Websites

• During the first quarter of 2012, Commtouch analyzed which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner).

• Portals (offering free website hosting) jumped into the highest position. Sites related to games (the previous leader), dropped off the list.

Rank  Category
1     Portals
2     Shopping
3     Fashion & Beauty
4     Education
5     Business
6     Sports
7     Leisure & Recreation
8     Health and medicine
9     Real Estate
10    Personal sites

Source: Commtouch

Website categories infected with phishing

Page 37: April 2012 Threats Trend Report

Trends in Q1 2012…

Zombie Trends

Page 38: April 2012 Threats Trend Report

Q1 Zombie Trends

• Average turnover: 270,000 newly activated each day sending spam (increase from 209,000 in Q4 2011)

• Large drop at start of Nov apparently result of Esthost botnet takedown

• Although Esthost primarily used for DNS changing (redirecting Web requests to malicious sites), some apparently also used to send spam

• Since start of 2012, spammers have worked to source new zombies

Daily Turnover of Zombies in Q1

Source: Commtouch

Daily newly activated spam zombies: Oct 2011 to Mar 2012

Page 39: April 2012 Threats Trend Report

Q1 Zombie Trends Worldwide Zombie Distribution in Q1

• India again claimed top zombie producer title, but dropped below 20% from nearly 24% in Q4 2011

• Brazil and Russian Federation both climbed back up to the 2nd and 3rd positions, respectively

• Argentina, Poland and Italy joined the top 15, displacing The United States, Romania and Ukraine

Source: Commtouch

Page 41: April 2012 Threats Trend Report

Trends in Q1 2012…

Web 2.0 Trends

Page 42: April 2012 Threats Trend Report

Q1 Web 2.0 Trends

• “Streaming media and downloads” was the most popular blog or page topic again in Q2, remaining at 22%.

Web 2.0 Trends

Source: Commtouch

The streaming media & downloads category includes sites with MP3 files or music related sites such as fan pages.

Rank  Category                        %
1     Streaming Media & Downloads     22%
2     Computers & Technology          8%
3     Entertainment                   7%
4     Pornography/Sexually Explicit   5%
5     Restaurants & Dining            5%
6     Fashion & Beauty                5%
7     Arts                            5%
8     Religion                        5%
9     Sports                          4%
10    Education                       4%
11    Leisure & Recreation            3%
12    Health & Medicine               3%
13    Games                           3%
14    Sex Education                   2%

Page 44: April 2012 Threats Trend Report

For more information contact: [email protected]

650 864 2000 (Americas) +972 9 863 6895 (International)

Web: www.commtouch.com

Blog: http://blog.commtouch.com