Internet Threats Trend Report April 2012 - Alt

In This Report
• Is 100 billion the new spam peak? (Page 2)
• Replica spam affiliate program “GlavTorg” closes – No visible effect on spam levels (Page 3)
• Malware attacks focus on US tax season – Accountants and customers targeted (Page 5)
• Compromised websites – an owner’s perspective (Page 10)
• Zombie hotspots – Global weight shifts away from India again (Page 13)
Q1 2012 Highlights
• 94 billion: Average daily spam/phishing emails sent (Page 2)
• Pharmacy ads: Most popular spam topic (38.5% of spam) (Page 3)
• 270,000 Zombies: Daily turnover (Page 12)
• India: Country with the most zombies (19.2%) (Page 13)
• Streaming media/Downloads: Most popular blog topic on user-generated content sites (Page 13)
• Pornography/Explicit: Website category most likely to contain malware (Page 9)
blog.commtouch.com
www.altn.com
www.commtouch.com
April 2012 Internet Threats Trend Report
Overview
Industry and government efforts have dealt a significant blow to spam in the past year. In the
first quarter of 2012, an average of 94 billion spam emails were sent per day compared to
over 150 billion per day prior to the Rustock botnet takedown in March 2011.
Specific social engineering campaigns of note this quarter focused on the U.S. tax season,
targeting both consumers and members of the accounting profession. Facebook remains a
popular outlet, with a social engineering campaign featuring “an unwatchable video.”
Spam trends
Spam levels remained low relative to the same period last year. The average decrease
compared to Q1 2011 was nearly 40%, with the average daily level dropping to 94 billion
spam and phishing emails per day. This decrease followed a marginal increase during the
December 2011 holiday season. Spam averaged 75% of all emails sent during the first
quarter.
A year has now passed since the Rustock botnet takedown that resulted in a significant drop in
global spam. There is no sign of a return to pre-Rustock spam levels. The sustained decrease
has been attributed to many additional factors including: other botnet takedowns, increased
prosecution of spammers and the source industries such as fake pharmaceuticals and replicas,
and increased revenues for cybercriminals from other avenues such as banking fraud. At this
point it is tempting to conclude that the decade-long growth of spam has been permanently
reversed. Time will tell.
Figure: Spam levels – Dec 2011 to March 2012 (Source: Commtouch)
Figure: Spam % of all emails, Dec 2011 to March 2012 (Source: Commtouch)
Replica spam affiliate program “GlavTorg” closes
Spam affiliate programs provide the link between fake pharmaceuticals and replica manufacturers
and spammers. GlavTorg was one such program that focused on replica handbags and clothing. In
December 2011 GlavTorg announced that it would stop payouts to affiliates at the end of January
2012. To evaluate the effect of the closure Commtouch Labs introduced the “spam-subject cloud
tool”. The tool samples thousands of spam messages at definable intervals and plots frequently
occurring terms in larger text. Spam subjects that have been sent in massive quantities become
instantly distinguishable. The spam-subject cloud (right) for the end of January shows no
evidence of GlavTorg related products. In addition the spam levels for the period show no
obvious influence (increase or decrease) around the dates of the announcement or the date when
payments were stopped. Spammers have apparently easily realigned their activities.
Figure: Spam topics cloud for end-January 2012 (Source: Commtouch)
The spam cloud for the entire first quarter is shown below. Pharmaceuticals (Viagra, Cialis)
and replicas (Rolex, Breitling) clearly lead with enhancers and software (CS5, Windows,
Adobe) also featuring. “Dating” subjects also feature but due to the great variance of subject
words, are less prominent.
Figure: Spam topics cloud for Q1 2012 (Source: Commtouch)
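As an added illustration of the spam-subject cloud idea described above (example code written for this page, not Commtouch’s tool): timestamped subjects are sampled over a definable interval, the frequently occurring terms are counted, and each term is given a display size proportional to its frequency so that a mass-mailed subject stands out. The subject lines, timestamps and stopword list are constructed for the example.

```python
# Added example (not Commtouch's tool): a minimal version of the "spam-subject
# cloud" idea. Timestamped spam subjects are sampled over a definable interval,
# frequently occurring subject terms are counted, and each term gets a display
# size proportional to its frequency, so a mass-mailed subject stands out.
# The subject lines and timestamps below are constructed for the example.
from collections import Counter
from datetime import datetime, timedelta
import re

STOPWORDS = {"the", "and", "for", "off", "your", "you", "with", "from", "now", "fwd"}

def subject_terms(subject):
    """Lower-case word tokens of a subject, minus stopwords and tokens under 3 characters."""
    return [t for t in re.findall(r"[a-z0-9]+", subject.lower())
            if len(t) > 2 and t not in STOPWORDS]

def sample_interval(messages, start, interval):
    """Subjects whose timestamp falls in [start, start + interval)."""
    end = start + interval
    return [subject for ts, subject in messages if start <= ts < end]

def subject_cloud(subjects, top_n=10, min_size=10, max_size=48):
    """Top terms as (term, count, size); size is scaled linearly between min and max by count."""
    counts = Counter(t for s in subjects for t in subject_terms(s))
    top = counts.most_common(top_n)
    if not top:
        return []
    hi, lo = top[0][1], top[-1][1]

    def size(n):
        return max_size if hi == lo else round(min_size + (max_size - min_size) * (n - lo) / (hi - lo))

    return [(term, n, size(n)) for term, n in top]

def render_cloud(cloud):
    """Plain-text stand-in for the graphical cloud: a larger size means larger text."""
    return "\n".join("%-12s x%-4d size=%d" % entry for entry in cloud)

# Constructed sample: one mass-mailed pharmacy campaign, two smaller ones, and a
# message outside the one-hour window that sample_interval() should leave out.
BASE = datetime(2012, 1, 30, 0, 0)
SAMPLE_MESSAGES = (
    [(BASE + timedelta(minutes=i), "Viagra Cialis 80% off") for i in range(12)]
    + [(BASE + timedelta(minutes=i), "Rolex Breitling replica watches") for i in range(6)]
    + [(BASE + timedelta(minutes=i), "Your Adobe CS5 software order") for i in range(3)]
    + [(BASE + timedelta(hours=2), "Dating singles near you")]
)
```

Calling `render_cloud(subject_cloud(sample_interval(SAMPLE_MESSAGES, BASE, timedelta(hours=1))))` prints the terms with their counts and sizes, the pharmacy terms largest.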
Pharmacy spam increased once again, as it did last quarter, to reach nearly 39% of all spam
(around 8% more than the previous quarter). Replica-themed spam also increased in the first
quarter of the year by over 5%.
Figure: Spam topics in Q1 2012 (Source: Commtouch)
Spam domains
As part of Commtouch’s analysis of spam trends, Commtouch Labs monitors the domains that
are used by spammers in the “from” field of the spam emails. The addresses are typically
faked in order to give the impression of a reputable, genuine source.
Figure: Top spoofed “from” domains in Q1 2012 (Source: Commtouch)
This quarter, gmail.com is once again the most spoofed domain (increasing above 25% for the
first time). The top 15 features popular social networking and mail sites (AOL, Yahoo,
Facebook, LinkedIn, MySpace) as well as DHL.com – often used as part of email malware
attacks.
Malware trends
Blended attacks target accountants?
Did cybercriminals target accountants? The scale of a February attack was so large that it
certainly must have reached many CPAs – but also many other individuals. Many of the
recipients (Accountant or not) may have clicked on the links out of sheer curiosity. The attacks
included subjects such as:
• fraudulent tax return assistance accusations.
• your accountant license can be revoked.
• your accountant cpa license termination.
• income tax return fraud accusations.
Figure: Phony accountant tax fraud emails lead to malware (Source: Commtouch)
Clicking on the link downloaded a short HTML page that promises “Page is loading, please
wait. You will see tax info on this screen.” In the background, the small script creates a nested
iFrame which brings in more JavaScript, creating further dynamic content. The process repeats
until a large portion of malware code is activated.
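The decoy page described above, as an added detection example (code written for this page, not from the report or Commtouch’s products): a small static scanner that flags the combination of a “page is loading, please wait” message with hidden or script-built iframes and markup injection. The sample page is constructed, and the host name example.invalid is a placeholder.

```python
# Added example (not code from the Commtouch report): a static scanner for the
# decoy page pattern above. It parses an HTML document and reports indicators a
# defender would flag: hidden or tiny iframes, inline scripts that build iframes
# or inject markup, externally sourced scripts, and the decoy text itself.
from html.parser import HTMLParser
import re

DECOY_TEXT = re.compile(r"page is loading,?\s*please wait", re.I)
IFRAME_BUILDER = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I)
MARKUP_INJECTOR = re.compile(r"document\.write\s*\(|\.innerHTML\s*=", re.I)

class DecoyPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.indicators = []      # list of (indicator, detail) pairs
        self._in_script = False
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            self.indicators.append(("hidden_iframe" if hidden else "iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.indicators.append(("external_script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self._text.append(data)
            return
        # Script bodies arrive here as raw text; look for iframe construction and injection.
        if IFRAME_BUILDER.search(data):
            self.indicators.append(("script_builds_iframe", data.strip()[:60]))
        if MARKUP_INJECTOR.search(data):
            self.indicators.append(("script_injects_markup", data.strip()[:60]))

    def finish(self):
        if DECOY_TEXT.search(" ".join(self._text)):
            self.indicators.append(("decoy_text", "page is loading, please wait"))
        return self.indicators

def scan_html(html):
    """Return the list of (indicator, detail) pairs found in an HTML document."""
    scanner = DecoyPageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.finish()

def is_suspicious(indicators):
    """The pattern above: decoy text combined with a hidden or script-built iframe."""
    kinds = {kind for kind, _ in indicators}
    return "decoy_text" in kinds and bool(
        kinds & {"hidden_iframe", "script_builds_iframe", "script_injects_markup"})

# Constructed sample page (not a real capture); example.invalid is a placeholder host.
SAMPLE_PAGE = """<html><body>
Page is loading, please wait. You will see tax info on this screen.
<script>
var f = document.createElement('iframe');
f.style.display = 'none';
f.src = 'http://example.invalid/stage2.html';
document.body.appendChild(f);
</script>
</body></html>"""
```

A static scan only sees the first stage; a page that passes it can still fetch further script at run time, so the indicators are a triage signal rather than a verdict.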
Within 2 weeks a similarly sized attack seemed to again target accounting practitioners and
the small business market, this time by describing fictitious purchases of Intuit accounting
software. The subjects included:
• Your QuickBooks software order
• Your Intuit.com order
• Your Intuit.com invoice
• Please confirm your Intuit.com invoice
The malware downloaded and deployed in the same way as described above.
Figure: Phony accounting software email – links lead to malware (Source: Commtouch)
Email malware
Levels of email attached malware were generally low in the first quarter of 2012. Malware
distributors generally stuck to their favorite themes such as Fedex delivery notices. Several
other interesting social engineering techniques were also used during the quarter:
• Google have received your CV – with an attached CV submission form
• Your friend invited you to Twitter – with an attached “invitation card”
• Someone wanting to be your friend on Hi5 (a social network)
• Shipping updates for your Amazon.com order – with attached “shipping documents”
• American Airlines ticket confirmations
• “I love you” – contains only the text “lovely :-)” and phony assurance that F-Secure
  Antivirus has found no virus in the attachment
• Sex pictures – the attached zip refers to www.freeporn4all. Once extracted a typical
  Explorer view shows a file named “document.txt”. Widening the filename column
  reveals the true .exe extension of the malware (following multiple space characters) – an
  old trick but probably still effective.
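The padded-filename trick in the last item, as an added example of how a mail gateway or analyst script can catch it (code written for this page, not from the report): the member names of a zip attachment are checked for an executable extension hidden behind a decoy extension and a run of spaces, a plain double extension, or a right-to-left override character. The archive is built in memory and contains only placeholder text; the extension lists are assumptions.

```python
# Added example (not code from the Commtouch report): inspects the member names of
# a zip attachment for the filename trick described above, where "document.txt"
# plus a run of spaces hides the true .exe extension beyond the visible column.
# The archive is built in memory for the example and contains no real executable.
import io
import re
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".png", ".htm", ".html"}
# Three or more spaces (or similar blanks) between a decoy extension and the end of the stem.
PADDING = re.compile(r"(\.[a-z0-9]{2,4})[ \t\u00a0\u2000-\u200b]{3,}$")

def classify_member_name(name):
    """Return the reasons a filename looks deceptive (empty list if nothing stands out)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()           # ignore any directory part in the zip
    true_ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if true_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + true_ext)
        stem = base[: -len(true_ext)]
        m = PADDING.search(stem)
        if m and m.group(1) in DECOY_EXTENSIONS:
            reasons.append("whitespace padding hides %s after decoy %s" % (true_ext, m.group(1)))
        elif any(stem.rstrip().endswith(d) for d in DECOY_EXTENSIONS):
            reasons.append("double extension (decoy before %s)" % true_ext)
    if "\u202e" in base:                              # right-to-left override flips the visible tail
        reasons.append("right-to-left override character in name")
    return reasons

def scan_zip_attachment(data):
    """Map each suspicious member name of a zip payload to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample: one harmless text file and one padded-name member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("document.txt" + " " * 40 + ".exe", "placeholder, not an executable")
    return buf.getvalue()
```

Name checks catch the presentation trick only; the member content itself still needs scanning, since a renamed executable is the more common case.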
Figure: Malware email levels – Jan to Dec 2011 (Source: Commtouch)
Figure: Email with attached malware in Q1 2012 (Source: Commtouch)
Top 10 Malware
The table below presents the top 10 most detected malware during the first quarter of 2012
as compiled by Commtouch’s Antivirus Lab.
Top 10 Detected Malware (Source: Commtouch)
Rank  Malware name
1     W32/InstallCore.A2.gen!Eldorado
2     W32/RLPacked.A.gen!Eldorado
3     W32/Sality.C.gen!Eldorado
4     W32/Heuristic-210!Eldorado
5     W32/RAHack.A.gen!Eldorado
6     W32/Sality.gen2
7     W32/HotBar.L.gen!Eldorado
8     W32/Vobfus.AD.gen!Eldorado
9     JS/Pdfka.CI.gen
10    W32/Korgo.V
Web security
Facebook “unwatchable video” scam
Several variants of this scam have appeared on Facebook in the last few months. January’s
version starts with a friend’s post that looks something like this:
Figure: Facebook post describes “unwatchable” video, with link to Blogspot page (Source: Commtouch)
The link takes clickers to a Blogspot page which has been very convincingly designed to
look like a Facebook page with an embedded video player (none of the Facebook
elements on the top of the page are actually clickable). Visitors are informed that they
need the Divx plugin/Youtube Premium plugin.
Figure: Blogspot page hosts fake video player and malware download (Source: Commtouch)
Clicking on the download link runs a malicious script that performs several actions:
1) A link is posted on the user wall – Facebook extracts the content for the post from the
page itself which includes data specifically formatted for this purpose:
    <title>95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds</title>
    <meta property="og:title" content="95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds" />
    <meta property="og:image" content="http://i.imgur.com/0F–s.jpg" />
    <meta property="og:description" content="i dare you to get past the 25 seconds.Just click play" />
2) The script then installs Firefox or Chrome extensions depending on the browser used.
These extensions are used to redirect users to several further scams. The redirections
happen no matter what sites the user actually intended to go to. One of the redirections
is to a scam offering a $50 Starbucks gift card. After coaxing the Facebook user to like and
share the link they are led to an affiliate marketing site.
Figure: Phony Starbucks voucher coaxes users to like and share (Source: Commtouch)
Compromised websites store malware
Many of the emails carrying malware links this quarter either hosted the malware on
compromised websites or used these as a platform for redirection. An example of one of the
attacks is shown below. This is the screen that would be shown to anyone clicking on the
links of the “CPA malware” attacks (see page 5).
Figure: Compromised website used to host malware – message shown on screen while malware loads (Source: Commtouch)
The malware loads in the background while this screen is shown. Meanwhile the host site
continues to function normally.
Figure: Homepage of compromised website used to host malware (Source: Commtouch)
During the first quarter of 2012, Commtouch analyzed which categories of Web sites were
most likely to be compromised with malware. Pornographic sites climbed back up to the top
spot pushing down Parked domains. As noted in previous reports, the hosting of malware
may well be the intention of the owners of the parked domains and pornography sites. A new
entry into the top 3 is “Fashion and Beauty” sites.
Website categories infected with malware (Source: Commtouch)
Rank  Category
1     Pornography/Sexually Explicit
2     Parked Domains
3     Fashion and Beauty
4     Portals
5     Entertainment
6     Education
7     Health & Medicine
8     Computers & Technology
9     Business
10    Leisure & Recreation
Compromised Websites: An Owner’s Perspective
Having observed the phenomenon of hacked websites for some time, Commtouch, in
cooperation with StopBadware, undertook a survey of webmasters whose sites had been
compromised. The report presents statistics and opinions on how site owners navigate the
process of learning their sites have been hacked and repairing the damage.
Data from the poll reveals that malicious actors are often able to compromise legitimate
websites without the site owners' knowledge: over 90% of respondents didn't notice any
strange activity, despite the fact that their sites were being abused to send spam, host
phishing pages, or distribute malware. Nearly two-thirds of the webmasters surveyed didn't
know how the compromise had happened.
Other highlights from analysis of the survey's responses include:
• About half of site owners discovered the hack when they attempted to visit their own site
  and received a browser or search engine warning.
• 26% of site owners had not yet figured out how to resolve the problem at the time they
  completed the survey.
• 40% of survey respondents changed their opinion of their web hosting provider following
  a compromise.
In addition to analysis and quotes from site owners, the report provides tips to help
webmasters prevent their sites from being compromised. More details, including an
infographic and a brief presentation summarizing the report are available at:
http://www.commtouch.com/compromised-websites-report-2012.
Phishing Trends
Phishing attacks target account information for many services: banks, email and social network
accounts, and online games. Commtouch’s Security Blog has also featured phishing aimed at
Google Adwords customers. In January, a similar phishing attack was directed at Microsoft
adCenter users. The links in the email below led to a very convincing replica of the adCenter
login page.
Figure: Microsoft adCenter phishing attack (Source: Commtouch)
During the first quarter of 2012, Commtouch analyzed which categories of legitimate
Web sites were most likely to be hiding phishing pages (usually without the knowledge
of the site owner). Portals (offering free website hosting) jumped into the highest
position. Sites related to games (the previous leader) dropped off the list.
Website categories infected with phishing (Source: Commtouch)
Rank  Category
1     Portals
2     Shopping
3     Fashion & Beauty
4     Education
5     Business
6     Sports
7     Leisure & Recreation
8     Health and medicine
9     Real Estate
10    Personal sites
Zombie trends
The first quarter saw an average turnover of 270,000 zombies each day that were newly
activated for sending spam. This number is an increase over the 209,000 of the fourth
quarter of 2011. The large drop at the start of November appears to be a result of the
Esthost botnet takedown. Although this botnet was primarily used for DNS changing
(redirecting Web requests to malicious sites), it appears that some portion was also used
to send spam. Spammers have worked to source new zombies since the start of 2012.
Figure: Daily newly activated spam zombies, Oct 2011 to Mar 2012 (Source: Commtouch)
Zombie Hot Spots
India again claimed the top zombie producer title, but dropped below 20% from nearly
24% in Q4 2011. Brazil and the Russian Federation both climbed back up to the 2nd and
3rd positions. Argentina, Poland and Italy joined the top 15, displacing The United States,
Romania and Ukraine.
Figure: Worldwide zombie distribution in Q1 2012 (Source: Commtouch)
Web 2.0 trends
Commtouch’s GlobalView Cloud tracks billions of Web browsing sessions and URL
requests, and its Web Filtering service includes highly granular categorization of Web 2.0
content. In addition to filtering accuracy, this provides insight into the most popular user
generated content sites. Once again, “streaming media and downloads” was the most
popular blog or page topic staying at 22%. The streaming media & downloads category
includes sites with MP3 files or music related sites such as fan pages.
Most popular categories of user-generated content (Source: Commtouch)
Rank  Category                        Percentage
1     Streaming Media & Downloads     22%
2     Computers & Technology          8%
3     Entertainment                   7%
4     Pornography/Sexually Explicit   5%
5     Restaurants & Dining            5%
6     Fashion & Beauty                5%
7     Arts                            5%
8     Religion                        5%
9     Sports                          4%
10    Education                       4%
11    Leisure & Recreation            3%
12    Health & Medicine               3%
13    Games                           3%
14    Sex Education                   2%
About Commtouch
Commtouch® (NASDAQ: CTCH) safeguards the world’s leading security companies and service providers
with cloud-based Internet security services. Real-time threat intelligence from Commtouch’s
GlobalView™ Cloud powers Web security, email security and antivirus solutions, protecting thousands
of organizations and hundreds of millions of users worldwide.
Commtouch® (NASDAQ: CTCH) provides proven Internet security technology to more than 150 security
companies and service providers for integration into their solutions. Commtouch’s GlobalView™ and
patented Recurrent Pattern Detection™ (RPD™) technologies are founded on a unique cloud-based
approach, and work together in a comprehensive feedback loop to protect effectively in all languages
and formats. Commtouch’s Command Antivirus utilizes a multi-layered approach to provide award
winning malware detection and industry-leading performance. Commtouch technology automatically
analyzes billions of Internet transactions in real-time in its global data centers to identify new
threats as they are initiated, enabling our partners and customers to protect the end-users from
spam and malware, and enabling safe, compliant browsing. The company’s expertise in building
efficient, massive-scale security services has resulted in mitigating Internet threats for thousands
of organizations and hundreds of millions of users in 190 countries. Commtouch was founded in 1991,
is headquartered in Netanya, Israel, and has a subsidiary with offices in Sunnyvale, California and
Palm Beach Gardens, Florida.
About Alt-N Technologies
Alt-N Technologies develops affordable and secure messaging and collaboration solutions designed
for, and trusted by, small-to-medium businesses in over 90 countries and 25 languages worldwide.
The company’s flagship solutions, the MDaemon® Messaging Server and SecurityGateway for
Exchange/SMTP Servers, install in minutes, include the latest email security technologies, and
require minimal support and administration to operate and maintain. The company uses a network of
global distributors and resellers for the sales and support of its products.

Notes
Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams,
not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching
end user inboxes, due to several possible layers of filtering. Spam levels do not include emails with
attached malware.

Visit us: www.commtouch.com and blog.commtouch.com
Email us: [email protected]
Call us: 650 864 2000 (US) or +972 9 863 6888 (International)
Copyright© 2012 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are
trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered
trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.
Phone: 866-601-ALTN (2586)
www.AltN.com
© 1996 - 2012 Alt-N Technologies, Ltd.
MDaemon, WorldClient, RelayFax, and Alt-N are trademarks of Alt-N Technologies, Ltd.
All trademarks are property of their respective owners.
04.17.2012
© 2012 Commtouch Software Ltd.
[email protected]
Phone: 650-864-2114 (US) +972-9-863-6895 (International)
Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch is a registered
trademark, of Commtouch Software Ltd. U.S. Patent No. 6,330,590 is owned by Commtouch.
www.blog.commtouch.com
www.commtouch.com