McAfee Threats Report: Second Quarter 2013
By McAfee Labs

Table of Contents
Introduction
Operation Troy
Mobile Threats
  Banking malware
  Adults only
  Targeted Trojans
  Mobile spyware
General Malware Threats
  Ransomware
Database Threats
Network Threats
Web Threats
  Phishing
  Spam URLs
Messaging Threats
  Spam volume
  Drugs, DSN, and snowshoes
  Botnet breakdowns
  New botnet senders
  Messaging botnet prevalence
Cybercrime
  Malware, vulnerabilities, and hacking
  The Bitcoin saga
  Actions against cybercriminals
  Hacktivism
  Cyberarmies
About the Authors
About McAfee Labs

Introduction
McAfee Labs researchers have analyzed the threats of the second quarter of 2013. Several trends are familiar: steady growth in mobile and overall malware. A cyberespionage attack against South Korea and a further increase in worldwide spam are other attention grabbers.

The Dark Seoul attack against banks and media companies in South Korea inspired McAfee Labs to investigate beyond the basics of computers disabled by having their master boot records deleted. Behind the scenes we found an ongoing attempt to infiltrate South Korean military targets in a cyberespionage campaign that began in 2009. Our extensive report, published in July, explains the history and the coding details behind the damage and attempted surveillance.

Backdoor Trojans and banking malware were the most popular mobile threats this quarter. We counted more than 17,000 new Android samples during this period. The year is certain to establish another record.

New malware of all types exceeded 18 million samples this quarter, pushing our all-time tally to more than 147 million binaries. AutoRun threats, often spread via USB drives, remain at record levels, as do password-stealing programs. Signed malware, which poses as approved legitimate software, continues to set records, increasing by 50 percent this quarter.
Malware that attacks a system’s master boot record declined from last quarter’s record high, but remains very dangerous. Ransomware, which holds a computer hostage until the victim pays to free it, is a bad problem getting worse. The number of new samples more than doubled compared with last quarter. Not only do criminals make relatively safe money from this scheme, they often do not remove their malware after payment, leaving the victim’s system as dead as before.

Publicly reported data breaches have averaged a relatively flat line for the past three quarters. Outsiders steal data more often than insiders, but this is one threat area in which our data comes from victims, who may not feel like exposing all of their weaknesses. MySQL still leads enterprise databases in the number of reported vulnerabilities.

From the McAfee Global Threat Intelligence network we see that browser-based threats, such as hidden iframes and malicious Java code, comprise almost three-fourths of the Internet’s malicious activity. IP addresses in the United States are again both the source and the target of most network threats. Our analysis of web threats found that the number of new suspicious URLs, mostly in the United States, increased by 16 percent this quarter. Phishing attacks were aimed primarily at targets in the United States. The leading industries suffering phishing attacks are financial and online-auction organizations.

Spam levels are bouncing back: volume reached 2 trillion messages in April, the highest figure we have seen since 2010. We continue to report on the variety of spam subjects and botnet prevalence in selected countries around the world.

Our timeline of significant hacks shows the major criminal activity that took place this quarter. The online currency Bitcoin was in the news: one Bitcoin provider suffered DDoS attacks that interrupted service and led to wild swings in value.
Law enforcement officials around the world enjoyed some successes this quarter, with arrests halting gangs responsible for stealing hundreds of millions to billions of dollars. Activist hackers demonstrated, defaced, and inspired counterattacks from their opponents. The group Anonymous was involved in some efforts and likely had its name borrowed to support others. The Middle East was again a busy region for political expression.

Operation Troy
When reports of the March 20 “Dark Seoul” attack on South Korean financial services and media firms emerged, most of the focus was on the wiping of the master boot record of thousands of computers. PCs infected by the attack had all of the data on their hard drives erased. Since that time, however, McAfee Labs has discovered that the Dark Seoul attack included a broad range of technology and tactics beyond cybervandalism. The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development project that has been named Operation Troy. (The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware.) The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.

Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It is rare that a researcher can trace a product back to individual developers (unless they are unusually careless), but frequently these artifacts can be used to determine the original source and development legacy of a new “product.” Sometimes the developers insert such fingerprints on purpose to establish “ownership” of a new threat.
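The artifact the report leans on for attribution, the compile path left in a binary, can be extracted and compared across samples with a short script. The following is an added example, not code from McAfee Labs or from the Operation Troy report. It assumes the compile paths in question are the PDB paths that the Microsoft linker stores in the CodeView (RSDS) debug record of a PE file; the byte buffer it scans and the path inside it are constructed for illustration and are not artifacts quoted from the report.

```python
import re
import struct
import uuid

# Constructed sample: a fragment of a PE file containing one CodeView record.
# RSDS layout: b"RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path.
# The path is hypothetical and not one quoted from the McAfee report.
SAMPLE_BINARY = (
    b"\x00" * 32
    + b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)
    + b"D:\\Work\\Troy\\Release\\dropper.pdb\x00"
    + b"\x00" * 16
)


def find_rsds_records(data: bytes):
    """Scan a buffer for CodeView RSDS records and return (guid, age, pdb_path).

    Scanning for the magic instead of walking the PE debug directory also works
    on packed samples and memory dumps, at the cost of possible false positives,
    so each candidate path is sanity-checked before it is accepted."""
    records = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end()
        if start + 20 > len(data):
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack("<I", data[start + 16:start + 20])[0]
        end = data.find(b"\x00", start + 20)
        if end == -1:
            continue
        try:
            text = data[start + 20:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        # A genuine PDB path is printable and ends in .pdb; skip random matches.
        if not text.lower().endswith(".pdb") or not text.isprintable():
            continue
        records.append((str(guid), age, text))
    return records


def path_components(pdb_path: str):
    """Split a Windows-style path into directory and file names so the pieces
    (project directory, build configuration, module name) can be compared."""
    return [p for p in re.split(r"[\\/]+", pdb_path) if p]


def shared_components(paths):
    """Path components common to every PDB path in a set of samples: the kind of
    recurring name (here a project directory) that ties samples to one project."""
    sets = [set(path_components(p)) for p in paths]
    return set.intersection(*sets) if sets else set()
```

Age and GUID identify one specific build; a project directory that recurs across builds with different GUIDs is the stronger attribution signal, because it survives recompilation while the GUID does not.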
McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how best to mitigate an attack or predict how the threat might evolve. McAfee Labs research learned that the Dark Seoul attack was preceded by years of attempted cyberespionage:

[Figure: Operation Troy timeline, 2009–2013. Phases: Domestic Spying Period; US/South Korean Military Attacks; Dark Seoul (March 20, 2013). Components and events shown: Chang, HTTP Troy, Http Dr0pper, Concealment Troy, EagleXP, Mail Attack, Tong, MBR Wiper, 3Rat Client, NSTAR, TDrop, DDoS Attacks, 10 Days of Rain, Media/Broadcast Attacks, Financial Industry Attacks. Legend: Suspected Link, Solid Link, Highly Probable Link]

Our investigation into the cyberattacks in March revealed ongoing covert intelligence-gathering operations. McAfee Labs concludes that the attacks on March 20 were not an isolated event strictly tied to the destruction of systems, but the latest in a series of attempts to infiltrate targets since 2009. For details, read the McAfee Labs report Dissecting Operation Troy: Cyberespionage in South Korea.[1]

Mobile Threats
This quarter “backdoor” Trojans, which steal data without the victim’s knowledge, and malware that goes after banking login information made up the largest portion of all new mobile malware families. Spyware has also been active, and malware authors continue to target activists. Halfway through 2013 we have already collected almost as many mobile malware samples as in all of 2012. Will the count double by the end of the year? That much and more, we expect. This quarter we added more than 17,000 Android samples to our database.
[Figure: New Mobile Malware, 2004–2013, and Total Mobile Malware by Platform (Android, Symbian, Java ME, Others)]
[Figure: New Android Malware, Q1 2011–Q2 2013]

Banking malware
Banks in Europe and Asia require two-factor authentication via SMS messages. When customers log into their banks, they are sent a mobile transaction authentication number (mTAN) in a text message. They must then enter the mTAN code to get access to their accounts. This step prevents an attacker who steals only the username and password from reaching a victim’s money. Attackers seeking to bypass two-factor authentication need to intercept that text message from the bank. Once the attacker has stolen a username and password from a victim’s PC, the thief needs only to get the user to install SMS-forwarding malware on the phone.

A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, takes the standard SMS forwarder a step further. Normally we advise users to employ only the official app provided by their banks for any online banking. Android/FakeBankDropper.A counters that defense by replacing the bank’s official app with Android/FakeBank.A. While the victims think they have the original app installed, the attacker logs into the users’ accounts and reads the latest SMS from the bank.

A short list of similar SMS forwarders:
• Android/Nopoc.A: Forwards incoming SMS messages to the attacker’s server.
• Android/Pincer.A: Pretends to install a certificate on the user’s device. Forwards SMS messages to the attacker’s server.
• Android/Stels.A: Pretends to be an update to the Adobe Flash player. Collects sensitive user information and posts it to the attacker’s server.
• Android/Wahom.A: Pretends to be a legitimate app, but displays an error message to the user and hides its icon to fool the user into thinking it was uninstalled. Collects sensitive user information and forwards SMS messages to the attacker’s server.

Adults only
Adult-entertainment software offers helpful camouflage for attackers. They can gain large profits and they are less likely to attract attention from law enforcement. Attackers’ interest in adult-entertainment apps has risen this quarter. In Japan a large family of potentially unwanted programs (PUPs), Android/DeaiFraud, pretends to be an app for a popular adult-dating site. Although this malware does not directly harm users, it can lead them to receive spam from the attacker. It is also likely that users will be fooled into signing up for the adult-dating site because the attacker’s partners pose as real singles on the service. Apart from PUPs, we also saw Android/NMPHost.A, a malware that convinces users to download a second malware, Android/NMP.A, which steals user information. Both pretend to be adult-entertainment apps. Once installed, Android/NMP.A collects sensitive user information and sends it to the attacker’s server.

Targeted Trojans
Attackers find legitimate apps very useful as cover for their malicious code. They benefit from the popularity of the app as well as from how much users trust the app. In the case of Android/Kaospy.A, attackers are using modified versions of the Kakao talk app and targeting Tibetan activists. This malware is distributed using phishing emails. The malicious spyware collects a large amount of sensitive user information (contacts, call logs, SMS messages, installed applications, and location) and uploads the data to the attacker’s server. Trojanized apps that are not so narrowly targeted include Android/BadNews.A. This backdoor Trojan pretends to be a legitimate game app that includes ads. Instead it collects sensitive user information and sends it to the attacker.
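The SMS forwarders described in the banking-malware section above, and the SMS-stealing Trojans here, all need the same few capabilities, and most of them are declared in the app’s manifest before the app ever runs. The following is an added example, not McAfee code and not a McAfee detection: it triages a decoded AndroidManifest.xml (the form apktool produces from the binary manifest inside an APK) for the forwarder pattern, meaning permission to receive SMS together with network access, a high-priority receiver for SMS_RECEIVED, and, as a weaker signal, the absence of a launcher activity. The manifests, package names and class names below are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Constructed decoded manifest shaped like the SMS forwarders described in the
# report (package and class names are hypothetical). No XML declaration so it
# can be fed to ET.fromstring as a str.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.certinstaller">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Certificate">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access but no SMS capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000  # above the default messaging app's usual priority


def analyze_manifest(xml_text: str) -> dict:
    """Return the SMS-related capabilities declared in a decoded manifest plus
    a list of human-readable findings for the forwarder pattern."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    sms_receiver_priority = None
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = flt.get(A + "priority")
                sms_receiver_priority = int(prio) if prio is not None else 0

    has_launcher = any(
        any(c.get(A + "name") == "android.intent.category.LAUNCHER"
            for c in flt.findall("category"))
        for act in root.iter("activity") for flt in act.findall("intent-filter"))

    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms:
        findings.append("reads incoming SMS and has network access (forwarding capability)")
    if sms_receiver_priority is not None and sms_receiver_priority >= HIGH_PRIORITY:
        findings.append("high-priority SMS_RECEIVED receiver (sees the mTAN before the SMS app)")
    if not has_launcher:
        findings.append("no launcher activity (nothing for the user to see or uninstall)")

    return {"package": root.get("package"), "permissions": sorted(perms),
            "sms_receiver_priority": sms_receiver_priority,
            "has_launcher": has_launcher, "findings": findings}
```

On the Android versions current at the time of the report, a receiver registered with the maximum priority receives SMS_RECEIVED before the default messaging app and can call abortBroadcast(), so the victim never sees the mTAN arrive. Icon hiding of the kind Android/Wahom.A performs is done at runtime through the package manager and is not visible in the manifest, so the launcher check only catches apps that never declared an icon; that is why it is treated as the weakest of the three signals.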
Android/BadNews.A can also display fake news headlines.

Mobile spyware
Commercial spyware has seen a small increase from the previous quarter. Android/Fzw.A downloads a spyware app from the attacker’s website. Like other Trojans, it poses as a legitimate app, in this case a font installer. The downloaded spyware forwards SMS messages, call logs, and location information to the attacker’s server. Android/Roidsec.A is spyware that pretends to be software for syncing the user’s phone. It really does sync the user’s sensitive information and SMS messages, only to the attacker’s server. The malware collects location, call logs, and data about the phone hardware, and can record calls, too.

General Malware Threats
Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we have more than 147 million samples in our malware “zoo.”

[Figure: Total Malware Samples in the McAfee Labs Database, monthly, July 2012–June 2013]
[Figure: New Malware, quarterly, Q1 2011–Q2 2013]

Rootkits, or stealth malware, are designed to evade detection and reside on a system for prolonged periods. Growth in new rootkit samples has been on a downward trend since the middle of 2011. All three of the rootkit types we track in this report matched this trend.
[Figure: New Rootkit Samples, Q1 2011–Q2 2013]
[Figure: New Koutodoor Samples, Q1 2011–Q2 2013]
[Figure: New TDSS Samples, Q1 2011–Q2 2013]
[Figure: New ZeroAccess Samples, Q1 2011–Q2 2013]

AutoRun malware, which often hides on USB drives and can allow an attacker to take control of a system, doubled at the start of the year and increased slightly again this quarter. The number of fake AV products, which scare victims into believing their systems are infected, rose during 2012 to a record level but has declined during the last two quarters. Koobface, which plagues Facebook users, peaked in 2009–10 and has remained at low levels since early 2012. Password-stealing Trojans, which attempt to raid victims’ bank accounts, established a record high last quarter; this quarter’s figure was almost as large.
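The AutoRun family counted above rides on an autorun.inf that launches a binary from a directory the user would never open. The following triage script is an added example, not McAfee code; the autorun.inf contents, directory and file names in it are constructed. It parses the file the tolerant way such files require (duplicate keys, mixed case, stray whitespace) and flags the directives that make it dangerous.

```python
import re

# Constructed autorun.inf in the style a USB-borne worm drops. The SID-like
# directory and the file name are hypothetical, not taken from the report.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\S-1-5-21-0000\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21-0000\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0000\\update.exe
UseAutoPlay=1
"""

# Constructed benign file of the kind a driver CD carries: icon and label only.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=setup.ico
label=Printer driver
"""

EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)
HIDDEN_DIRS = re.compile(r"(^|\\)(recycler|recycled|system volume information)(\\|$)",
                         re.IGNORECASE)


def parse_autorun(text: str):
    """Tolerant INI parse returning (section, key, value) triples.

    configparser rejects what worms actually write (repeated keys, no section,
    odd casing), so the parsing is done by hand and keys are lower-cased."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def triage_autorun(text: str):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        # open=, shellexecute= and shell\<verb>\command= are the launch hooks.
        launches = (key in ("open", "shellexecute")
                    or (key.startswith("shell\\") and key.endswith("\\command")))
        if launches and EXEC_EXT.search(value):
            findings.append(f"{key} launches executable: {value}")
        # A worm labels its launch entry to look like Explorer's own prompt.
        if key == "action" and re.search(r"open folder to view files", value, re.I):
            findings.append("action text mimics the Explorer 'open folder' prompt")
        # Payloads are parked in directories users do not browse into.
        if HIDDEN_DIRS.search(value):
            findings.append(f"{key} points into a directory users do not normally open: {value}")
    return findings
```

On Windows hosts that have the 2011 update disabling AutoRun for non-optical removable media, the file is no longer executed automatically, so a hit is evidence that the drive has been through an infected machine rather than proof of an active infection vector; unpatched and older hosts remain exposed, and the shell\open\command entry still fires if a user double-clicks the drive in Explorer on such a host.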
[Figure: New AutoRun Samples, Q1 2011–Q2 2013]
[Figure: New Fake AV Samples, Q1 2011–Q2 2013]
[Figure: New Koobface Samples, Q1 2011–Q2 2013]
[Figure: New Password Stealer Samples, Q1 2011–Q2 2013]

Signed malware rebounded sharply from its decline in the first quarter and again set a new record, with more than 1.2 million new samples discovered this quarter.

[Figure: Total Malicious Signed Binaries, monthly, July 2012–June 2013]
[Figure: New Malicious Signed Binaries, Q3 2011–Q2 2013]

New malware that attacks the Mac more than tripled, after declining for three quarters. In spite of the small numbers compared with PC threats, Mac users also need protection.

[Figure: New Mac Malware, Q1 2011–Q2 2013]

One strain of malware targets a computer’s master boot record (MBR), the first sector of the disk, which holds the boot code and partition table that start the operating system. Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration: code placed there runs before the operating system and any security software has loaded.
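A quick integrity check of the sector these families overwrite, as an added example (not code from the report; the sample sector is constructed and its partition layout hypothetical): parse the 512-byte MBR, validate the boot signature, list the partition entries, and compare the boot-code hash with a known-good baseline so that both a silent bootkit modification and an outright wipe are distinguished from a clean sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow
SIGNATURE = b"\x55\xaa"       # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(zeroed: bool = False) -> bytes:
    """Constructed sample MBR (not a real disk image): dummy boot code, one
    NTFS partition entry and the 0x55AA signature. zeroed=True imitates the
    effect of an MBR wiper."""
    if zeroed:
        return b"\x00" * SECTOR_SIZE
    boot_code = b"\xfa\x31\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)  # cli; xor ax,ax; nops
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * 48  # three unused entries
    return boot_code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into its checkable parts."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    valid_sig = sector[510:512] == SIGNATURE
    # A missing signature or all-zero boot code is what a wiper leaves behind.
    wiped = not valid_sig or boot_code.count(0) == BOOT_CODE_LEN
    return {"valid_signature": valid_sig, "partitions": partitions,
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "wiped": wiped}


def compare_with_baseline(sector: bytes, baseline_boot_hash: str) -> str:
    """Classify a sector against the hash of the known-good boot code."""
    info = parse_mbr(sector)
    if info["wiped"]:
        return "wiped"
    if info["boot_code_sha256"] != baseline_boot_hash:
        return "boot code modified"
    return "unchanged"
```

To use it on a live system, read the first 512 bytes of the physical disk (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux; both need administrative rights) and keep the baseline hash from a trusted state. The caveat that matters for the families named here: a running bootkit such as TDSS or mebroot hooks the disk stack and can return the original sector to any reader on the infected OS, so a baseline comparison is only trustworthy when the sector is read from a clean boot environment.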
Families that attack the MBR, including mebroot, Tidserv, Cidox, and Shamoon, have rapidly increased their numbers. This quarter saw a drop from last period’s record level, but it is still the second-highest figure we have recorded.

[Figure: New Master Boot Record-Related Threats, Q1 2011–Q2 2013: Variants of Families with Known MBR Payloads; Identified MBR Components]

Ransomware
Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen. The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter. During the past two quarters we have catalogued more ransomware than in all previous periods combined. This trend is also reflected by warnings from law enforcement and federal agencies around the globe.

One reason for ransomware’s growth is that it is a very efficient means for criminals to earn money, because they collect through various anonymous payment services. From the criminal’s point of view this method of cash collection is superior to that used by fake AV products, which must process credit card orders for the fake software. Another reason is that an underground ecosystem is already in place to help with services such as pay-per-install on computers already infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem of ransomware will not disappear anytime soon.

[Figure: New Ransomware Samples, Q1 2011–Q2 2013]

Database Threats
When we reported on the numbers of database breaches made public in our Threats Report for the fourth quarter of 2012, we saw a slowdown in break-ins, with just 47 during the quarter.
At that time we could not be sure whether we were observing a trend or an anomaly. Six months later, we can see some stabilization in this area. This year started at the same relatively low rate at which 2012 ended, with 119 data breaches in the first six months of 2013. That is a little more than one-third of the 315 breaches during the record-setting 2012. Are we in the middle of a long-term trend, or is this just the calm before the storm?

[Figure: Data Breaches Made Public, 2007–2013. Source: privacyrights.org]

The rate of data breaches caused by outside hackers (criminal or otherwise) dropped considerably in 2012 and has held relatively steady for the last four quarters. The lower rate of theft by company insiders has also been relatively steady, though without a dramatic decline. The drop in outsider breaches might point to companies and organizations investing more heavily in perimeter protections than in database security. However, we have seen database security get much more attention from medium-sized and big businesses than just one or two years ago.

[Figure: Sources of Data Breaches (Insiders, Hackers), Q1 2012–Q2 2013. Source: privacyrights.org]

As the preceding graph shows, hackers still cause a greater number of breaches than insiders. But we have to remember that data-breach statistics are rarely objective, given how they are collected: hackers publish stolen data more readily than a company will confess that it was compromised.

Database vulnerabilities, reported by the developers or others, continue to be dominated by MySQL, with almost 60 percent of all vulnerabilities discovered during the past six quarters.
[Figure: New Vulnerabilities in Leading Databases (SQL Server, Sybase, PostgreSQL, DB2, Oracle, MySQL), Q1 2012–Q2 2013]

Network Threats
As usual, the United States is both the source and the target of much of the Internet’s malicious activity, according to the McAfee Global Threat Intelligence network. Browser-based threats have increased to 73 percent of all attacks, compared with 44 percent last quarter. The following detection signatures show which types of attacks McAfee products most frequently blocked:
• HTTP: Microsoft JPEG Processing Buffer Overrun
• HTTP: Multiple Browser Window Injection Vulnerability
• RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
• HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution

[Figure: Top Network Attacks: Browser, Remote Procedure Call, SQL Injection, Cross-Site Scripting, Others]

As the host of SQL-injection attacks, which poison legitimate websites, the United States’ piece of the pie shrank slightly this quarter, to 32 percent from 35 percent last quarter. Venezuela regained second place, hosting 11 percent. By far most victims of these attacks (60 percent, up from 55 percent last period) are in the United States.

[Figure: Top SQL-Injection Attackers: United States, Venezuela, Spain, Taiwan, China, Germany, South Korea, Others. Top SQL-Injection Victims: United States, Taiwan, China, Russia, Spain, Others]

In our botnet tracking, the United States again claims first place. The percentage of control servers hosted there dropped 3 points to 37 percent. The decrease was larger among botnet victims, falling to 34 percent from 43 percent in the first quarter.
[Figure: Top Botnet Control Servers: United States, Germany, China, Turkey, Russia, United Kingdom, South Korea, Others. Top Botnet Victims: United States, Turkey, Taiwan, Brazil, Canada, Spain, India, Others]

The United States represents the lion’s share of hosts of PDF-based attacks, climbing to 53 percent this quarter, compared with 35 percent in the last period. Taiwan, with 8 percent, took second place. China fell to just 2 percent this quarter from 11 percent last time.

[Figure: Top Malicious PDF Attackers: United States, Taiwan, Spain, United Kingdom, Germany, Canada, Others]

Web Threats
Websites can gain bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. These are just a few of the factors that contribute to our rating of a site’s reputation.

At June’s end, the total number of suspect URLs tallied by McAfee Labs passed 74.7 million, a 16 percent increase over the first quarter. These URLs refer to 29 million domain names, up 5 percent from the previous period.

[Figure: Risk Level of Suspect URLs and Risk Level of Suspect Domains: Minimal, Unverified, Medium, High]

This quarter we recorded per month an average of 3.5 million new suspect URLs related to about 430,000 domains.

[Figure: New Suspect URLs (URLs, Associated Domains), Q2 2012–Q2 2013]

Most of these suspicious URLs (96 percent) host malware, exploits, or code designed specifically to compromise computers. Phishing and spam represent 2.1 percent and 0.3 percent, respectively.
[Figure: Distribution of New Suspect URLs: New Phishing URLs, New Malware URLs, New Spam Email URLs, Others]

Distribution at the domain level gives a different picture, with 12 percent phishing domains and 2 percent spam domains.

[Figure: Distribution of New Suspect Domains: New Phishing Domains, New Malware Domains, New Spam Email Domains, Others]

The domains associated with newly suspect URLs are mainly located in North America (chiefly the United States) and Europe–Middle East (chiefly Germany). This trend is not new; North America has historically hosted a large share of malware and suspect content. However, its share has dropped to 52 percent, compared with 74 percent last quarter.

[Figure: Location of Servers Hosting Suspect Content: North America, Africa, Asia-Pacific, Australia, Europe–Middle East, Latin America]

Digging into the location of servers hosting malicious content in other countries, we see considerable global diversity. Each region has one or two clearly dominant players.

Location of Servers Hosting Malicious Content (leading countries by region):
• Africa: South Africa, Kenya, Morocco, Egypt, Tunisia, Others
• Asia-Pacific: China, South Korea, Japan, Hong Kong, Thailand, Others
• Europe and Middle East: Germany, Netherlands, Russia, United Kingdom, Poland, Others
• Australia–South Pacific: Australia, New Zealand
• North America: United States, Canada
• Latin America: Brazil, Bahamas, British Virgin Islands, Argentina, Chile, Others

Phishing
After peaking during the fourth quarter of 2012, the number of new phishing URLs dropped sharply last quarter. This period saw a modest decrease.

[Figure: New Phishing URLs (URLs, Associated Domains), Q2 2012–Q2 2013]

Most of these URLs are hosted in the United States.
[Figure: Top Countries Hosting Phishing URLs: United States, Germany, United Kingdom, Canada, Netherlands, Others]

Companies from the United States are the most frequently targeted, suffering 67 percent of all attacks. They are followed by the United Kingdom and Australia, with 6 percent and 3 percent, respectively. Phishers go after several key industries. The top five are finance (with 42 percent of attacks), online auctions (32 percent), government, shopping, and services.

[Figure: Phishing Targets by Industry: Finance, Online Auctions, Shopping, Government, Services, Others]

Companies in the United States are the most heavily targeted, followed by the United Kingdom and Australia. The most frequently impersonated brands, by country:
• United States: Amazon, American Express, Deloitte, eBay, JPMorgan Chase, PayPal, Wells Fargo
• United Kingdom: Barclays, HM Revenue & Customs, HSBC, Lloyds TSB, Natwest, Santander
• Australia: ANZ (Australia and New Zealand Banking Group), Westpac Bank
• Canada: Capital One, Royal Bank of Canada, TD Bank Group
• India: HDFC Bank, ICICI Bank

Spam URLs
Spam URLs are links that arrive in unsolicited emails. Also included in this family are sites built only for spamming purposes, such as spam blogs or comment spam.

[Figure: New Spam URLs (URLs, Associated Domains), Q2 2012–Q2 2013]

The primary country hosting these URLs is the United States (with 39 percent of the total). Germany (9 percent) and Russia (6 percent) follow.

[Figure: Countries Hosting Spam URLs: United States, Germany, Russia, China, Antarctica, Netherlands, South Korea, Others]

Messaging Threats
In April, spam volume surpassed 2 trillion messages, the highest figure since December 2010. A slight decline in May and June still left the count higher than at any time since May 2011.
[Figure: Global Email Volume, in Trillions of Messages (Monthly Spam, Legitimate Email), July 2012–June 2013]

Spam volume
Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are the most dramatic examples; each had an increase of greater than 200 percent this period. Japan grew by 142 percent. Meanwhile, Pakistan (down 59 percent) and Romania (down 56 percent) enjoyed large declines. France fell by 25 percent, and the United States decreased by 16 percent.

[Figure: Spam Volume, monthly, July 2012–June 2013, for Argentina, Australia, Belarus, Brazil, Chile, China, France, Germany, India, Italy, Japan, Kazakhstan, Peru, Romania, Russia, South Korea, Spain, Ukraine, United Kingdom, United States]
Drugs, DSN, and snowshoes
As we look at spam subjects around the world, we see that the popularity of drugs just won’t go away. Drug offers in our selected countries range from a low of 17 percent to more than 50 percent of leading spam subject lines. In Australia, France, and the United States, delivery service notification (DSN) teasers remain popular. In many countries “snowshoe” spam appeared on at least one-quarter of the leading subjects. Snowshoe spam spreads its sending load across many IP addresses, each sending a small volume, so that no single address trips volume-based blocking and ISPs cannot evict the campaign quickly. Lots of spam this quarter contained subject lines related to the Boston Marathon bombings. Most of these messages contained links to malware. We were surprised to see relatively little spam for replica products, such as watches and other junk. This has long been a popular subject. We are sure it has not gone away, but it did lose significant volume.
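Because snowshoe spam is defined by how it distributes sending, it can be spotted from the receiving side by aggregating per-address counts up to the network they sit in. The example below is added here and is not McAfee code; the mail-log format and every log line in it are constructed. It shows why a conventional per-IP threshold catches a single high-volume sender but misses the snowshoe range, and how grouping by /24 recovers it.

```python
import ipaddress
import re
from collections import defaultdict


def _constructed_log() -> str:
    """Build a simplified mail log (constructed, not real traffic):
    one /24 sending two messages from each of twelve addresses under one
    HELO domain (snowshoe), and one host sending 24 messages from a single IP."""
    lines = []
    for i in range(12):
        for _ in range(2):
            lines.append(f'2013-05-14T10:{i:02d}:00 ip=203.0.113.{10 + i} '
                         f'helo=mx{i}.deals-mail.example subject="Your reward"')
    for i in range(24):
        lines.append(f'2013-05-14T11:{i:02d}:00 ip=198.51.100.7 '
                     f'helo=mail.shop.example subject="Order {i}"')
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

LINE_RE = re.compile(
    r'ip=(?P<ip>\d+\.\d+\.\d+\.\d+) helo=(?P<helo>\S+) subject="(?P<subject>[^"]*)"')


def parse_log(text: str):
    """Extract (ip, helo, subject) dicts from the constructed log format."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.search(line))]


def ips_over_limit(events, limit: int = 10):
    """The conventional per-IP threshold: flags addresses sending more than
    `limit` messages. Catches the single blaster, sees nothing in the snowshoe range."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n > limit)


def find_snowshoe_ranges(events, min_ips: int = 8, max_per_ip: int = 5, prefix: int = 24):
    """Flag networks where many distinct addresses each send only a few messages
    and share a sending domain: the load-spreading signature per-IP limits miss."""
    by_net = defaultdict(lambda: defaultdict(int))
    domains_by_net = defaultdict(set)
    for ev in events:
        net = ipaddress.ip_network(f"{ev['ip']}/{prefix}", strict=False)
        by_net[net][ev["ip"]] += 1
        # strip the host label so mx1/mx2/... collapse to one sending domain
        domains_by_net[net].add(ev["helo"].split(".", 1)[-1])
    flagged = {}
    for net, per_ip in by_net.items():
        if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            flagged[str(net)] = {"ips": len(per_ip),
                                 "messages": sum(per_ip.values()),
                                 "domains": sorted(domains_by_net[net])}
    return flagged
```

The thresholds are the tunable part: `max_per_ip` should sit below whatever per-IP limit the mail gateway enforces (that is the ceiling a snowshoe operator stays under on purpose), and `min_ips` is best set from the number of distinct addresses a legitimate multi-server sender in your logs uses within one /24.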
[Figure: Spam Types by country (Drugs, DSN, Jobs, Marketing, News, Phishing, Scams, Snowshoe, Travel, Webinars): Argentina, Australia, Brazil, Colombia, France, Germany, India, Italy, Spain, Turkey, United Kingdom, United States]

Botnet breakdowns

Infections from messaging botnets, which supply spam worldwide, have shown an overall decline since May 2012, but this quarter’s trend was again upward.

[Figure: Global Messaging Botnet Infections, July 2012 to June 2013]

Cutwail remains in first place among botnets, causing more than 6 million new infections during the quarter. Kelihos was a distant second, at 2.3 million. New last quarter, Slenfbot infected 1.6 million systems this period.

[Figure: Spam Botnet Prevalence (Cutwail, Kelihos, Slenfbot, Festi, Maazben, Others)]

[Figure: Leading Global Botnet Infections, July 2012 to June 2013 (Cutwail, Kelihos, Slenfbot, Festi, Maazben)]

New botnet senders

Country-specific botnet statistics show big variances from quarter to quarter and from country to country. In Peru, for example, the number of botnet senders increased by almost 300 percent. Among our selected countries, India rose by 14 percent. Belarus dropped by 66 percent, Russia by 46 percent, and China by 31 percent.
[Figure: New Botnet Senders by country, July 2012 to June 2013: Australia, Argentina, Brazil, Canada, Chile, China, France, Colombia, Germany, India, Italy, Japan, South Korea, Russia, Spain, Turkey, United Kingdom, United States]

Messaging botnet prevalence

Our breakdown of botnets shows how the most widespread botnet families are represented in various countries around the globe. Cutwail and Kelihos are the global leaders. Other notably predominant botnets:
• Darkmailer in Belarus, Kazakhstan, Pakistan, and Indonesia
• Cutwail in Greece, Vietnam, and Iran (greater than 60 percent)
• Slenfbot in Belarus (81 percent)
• Slenfbot in Japan and Ukraine
• Kelihos in Germany, Italy, Argentina, and the United Kingdom (greater than 40 percent)
These variances demonstrate that specific countries can have specific attackers.
[Figure: Messaging botnet prevalence by country (Cutwail, Festi, Kelihos, Maazben, Slenfbot, Others): Australia, Brazil, Chile, China, Colombia, Germany, India, Japan, Russia, South Korea, United Kingdom, United States]

Cybercrime

Malware, vulnerabilities, and hacking

[Timeline: Malware, Vulnerabilities, and Hacking, April to June 2013: APR 5 LivingSocial hack; APR 11 WordPress hack; APR 17 CVE-2013-2423 (exploit packs updated); APR 19 BadNews (in Google Play apps); Android.FakeAlert; MAY 1 CVE-2013-1347 (Dept. of Labor hack); MAY 3 Sirefef (Louisiana Board of Regents hack); Carberp for $5,000; Carberp for free; JUN 27 Generic PWS.o (Gulf States and Caribbean phishing campaign); JUN 30 South Korea hack]

• The scareware Android.Fakedefender, announced in June by various security companies, has apparently spread through mobile environments since the end of March. Fakedefender locks up an infected device and displays fake security alerts to convince victims to purchase an app to remove nonexistent malware or security risks.
• April 5: LivingSocial, the daily deals site owned in part by Amazon, suffered a massive cyberattack on its computer systems. The breach affected 50 million customers of the Washington, D.C., company, who will now be required to reset their passwords.[2]
• April 11: The security firm CloudFlare warned of a brute-force attack against WordPress administrative portals. A botnet appeared to launch the attack; tens of thousands of unique IP addresses were recorded attempting to break into WordPress installations using the username “admin” and trying thousands of passwords.[3]
• April 17: The Java vulnerability CVE-2013-2423 was publicly disclosed.[4] Exploits for it were immediately incorporated into various exploit kits such as WhiteHole, Cool, Neutrino, Styx, Sweet Orange, and others.
• April 19: “BadNews” for millions of users: Malware was discovered spreading inside apps in Google Play.[5]
• May 1: Invincea reported that the US Department of Labor website was compromised to redirect visitors to a site that executed a drive-by download exploit against Internet Explorer to install the Poison Ivy backdoor Trojan. Attributed to the Chinese Deep Panda group, this type of “watering hole” attack exploited a previously unknown and, at that time, unpatched security bug in Microsoft’s IE 8 browser (CVE-2013-1347).[6]
• May 3: Another watering hole attack was detected on the Louisiana Board of Regents website.[7] It distributed the Sirefef malware.
• Around June 15, the Carberp banking Trojan toolkit was offered at just US$5,000 through an underground forum. The previous price had been US$40,000.[8] A few days later, the download was available for free.
• June 27: McAfee’s Foundstone Incident Response team obtained a 3 MB piece of malware (Generic PWS.o) that was sent out during a phishing campaign. The campaign targeted several companies and institutes in the United Arab Emirates, Oman, Bahrain, and a couple of Caribbean islands.[9]
• June 30: The Seoul Central District Prosecutors’ Office charged two South Koreans with cooperating with North Korean hackers in China to run illegal websites and steal the personal information of millions of individuals. Investigators discovered the personal data of 140 million South Koreans on their computers and believe they could have shared the information with North Korea.[10]

The Bitcoin saga

[Timeline: The Bitcoin Saga, February to July 2013: FEB 28 1 BTC = $33; MAR 3 DDoS at BitInstant; APR 3 DDoS at Mt. Gox; DDoS at Silk Road; APR 10 1 BTC = $266; APR 18 DDoS at Blockchain.info; APR 21 DDoS at Mt. Gox delays Litecoin support; MAY 14 Maryland District Court rules against Mt. Gox; MAY 16 WebMoney offers WMX; MAY 22 Webroot announces DIY Bitcoin miner for sale; JUN 12 BTC phishing campaign; JUN 21 1 BTC = $110; JUN 23 DEA announces seizure of Bitcoins from Silk Road user; JUL 5 1 BTC = $74]

Bitcoin (BTC) virtual money was in the news last quarter. At the end of February, it broke its June 2011 peak trading value, at more than US$33.[11] Some days later, the BitInstant exchange service was forced to shut down after attackers walked away with more than US$12,000 in BTC.[12] And that was just a warm-up for what happened this quarter. In April, Tokyo-based Mt. Gox, the largest Bitcoin exchange service, suffered various DDoS attacks that disrupted business. The first assault occurred around April 3; at that time the BTC exchange rate exceeded US$140 to 1 BTC.[13] On April 10, the value leaped to US$266 before closing at US$125 the next day.[14] This keen interest resulted in 20,000 new accounts being created each day: the number of new user accounts opened at Mt. Gox went from 60,000 in all of March to 75,000 in just the first few days of April.[15] The sudden activity in this market of course attracted the interest of cybercriminals of all kinds. They engaged in further DDoS actions against Mt. Gox, which had to delay its plan to support Litecoin,[16] and new ones against Blockchain.info.[17] Silk Road, the notorious underground marketplace using Bitcoin as e-money, was taken down several times by DDoS attacks.[18] The authorities also paid attention to Mt. Gox. On May 14 the U.S. District Court in Maryland ordered the seizure of Mt. Gox’s funds, which were in an account with Dwolla, a payments company that transferred money from U.S. citizens to Mt. Gox to buy and sell Bitcoins.[19] In May WebMoney began offering “purses,” called WMX, denominated in Bitcoins.
Bitcoins are transferred to an address provided by WebMoney to fund the purse, and Bitcoins can be withdrawn to a Bitcoin address.[20] Bitcoins stored in a WMX purse can be transferred to other purses. In this manner WebMoney can exchange Bitcoins for other currencies supported by the service. As the Bitcoin rate has increased, malicious Bitcoin miners have shown a growing interest by infecting victims with malware that uses the computer’s resources to mine Bitcoin without the owner’s knowledge. While the cybercriminals generate profits, the computers slow down. In May, for example, Webroot posted a blog about a marketplace to customize and buy such malware.[21] It has been available for sale since the first days of February. On June 13, security researcher Brian Krebs reported a phishing campaign using both the Yahoo and Bing search engines and targeting account holders at MtGox.com.[22] On June 23 the US Drug Enforcement Administration (DEA) announced it had seized 11.02 BTC from a Silk Road user in April and charged him with intent to distribute drugs. The seized money was transferred into the DEA’s BTC wallet.[23]

Actions against cybercriminals

During this quarter, we learned of a number of law enforcement efforts:
• In April, the Russian Federal Security Service (FSB) and the Security Service of Ukraine (SBU) announced they had arrested several individuals believed to be involved in the development of the Carberp banking Trojan.[24] The leader of the group was a 28-year-old Russian citizen. The rest of the group—some 20 individuals between 25 and 30 years old—were arrested in Kiev, Zaporozhye, Lvov, Odessa, and Kherson.[25] The ring was said to be responsible for stealing US$250 million (€193 million) in Ukraine and Russia alone.
• Hamza Bendelladj, a 24-year-old Algerian who was arrested in Thailand in January, was extradited to the United States in April.
Also known as “Bx1,” he was listed in a Northern District of Georgia indictment as a coconspirator who helped develop SpyEye components. Known in the underground as “Gribodemon” and “Harderman,” the real name of his partner, the presumed author of the SpyEye Trojan, was redacted in the indictment because he had not yet been arrested.[26]
• On May 9, federal prosecutors unsealed charges against eight people in New York linked with an international cybertheft ring accused of stealing US$45 million from banks around the globe. The alleged crooks used prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, located in the United Arab Emirates, and the Bank of Muscat, in Oman. The defendants withdrew US$2.8 million from New York banks in two separate attacks this past December and February.[27] While the eight were taking the money from the New York banks, additional coconspirators made more than US$42 million in withdrawals at other banks across the world.
• In May, the founder of the digital currency system Liberty Reserve was indicted in the United States along with six other people for a US$6 billion money-laundering scheme.[28] Arthur Budovsky, a Costa Rican citizen of Ukrainian origin and the founder of the currency system, was arrested in Spain, while others were arrested in Costa Rica and New York. Police in Costa Rica also raided three homes and five businesses linked to Liberty Reserve, according to the Associated Press. The digital currency’s site is now offline, with its front page replaced by a notice saying that the domain had been seized by the United States Global Illicit Financial Team.
• Liberty Reserve was incorporated in Costa Rica in 2006 and had at least 200,000 customers in the United States. Suspected of helping cybercriminals in their businesses, it failed to register in the United States as a money-transmitting service.
In the same vein, on June 4 the WM Center e-currency exchange was seized by the US government and closed.[29]
• Accompanied by US Marshals, Microsoft technicians seized servers at two data centers in New Jersey and Pennsylvania on June 5, and with the help of the FBI coordinated with computer emergency response teams and registrars in 87 countries to sinkhole domains used by the 1,452 botnets built with the Citadel malware.[30] Some security researchers criticized this operation, saying it disrupted their ongoing security research efforts by siphoning off the malicious data they had been tracking.[31] Others claimed the long-term effect of this particular takedown will likely be insignificant.[32]
• In June, the United Kingdom’s Serious Organised Crime Agency announced eleven arrests in a case involving cooperation from the Vietnamese High-Tech Crime Unit, the Criminal Investigative Division of the Ministry of Public Security of Vietnam, the Metropolitan Police Central e-Crime Unit, and the FBI. Eight criminals were arrested in Vietnam and three additional arrests were made in the United Kingdom. All suspects were associated with the “mattfeuter” family of websites, on which approximately 16,000 members allegedly bought and sold more than 1.1 million credit card records, facilitating more than US$200 million worth of fraud worldwide.[33]
• In June, US federal officials charged eight members of a Ukrainian cybercrime ring after they allegedly tried to illegally access the networks of a number of financial institutions, including Citibank, JP Morgan Chase, TD Ameritrade, and PayPal, along with the US Department of Defense’s Finance and Accounting Services.[34] From March 2012 to June 2013, the suspects hacked into these servers, embezzling money from legitimate bank accounts to feed debit cards and cashing out the accounts via ATMs and by making fake purchases as part of what the federal complaint calls the Sharapka Cash Out Organization.
• In France, investigators from OCLCTIC and DCP dismantled a gang of alleged criminals specializing in financial hacking and arrested five people in June. The crooks may have made €9 million via online shopping. In total, they were able to divert the bank data of 27,000 people. The money collected was later used to purchase high-end hardware.[35]

Hacktivism

This quarter’s activities clearly demonstrated that hacktivists exist in many camps and support many ideologies.

[Timeline: Hacktivism, April to June 2013: APR 3 #OpNorthKorea Release #2; APR 7 #OpIsrael Reloaded; MAY 7 #OpUSA; MAY 16 South African Police hacked; JUN 4 #OpTurkey; JUN 20 #OpPetrol]

On April 3, “OpNorthKorea Release #2” was announced on Pastebin.[36] It demanded the resignation of North Korean leader Kim Jong-un, the abandonment of nuclear ambitions, and universal and uncensored Internet access for citizens. Several websites serving the regime were blocked (via DDoS) or defaced throughout the month. A statement purporting to come from Anonymous said that they had compromised 15,000 user records hosted on the North Korean propaganda site uriminzokkiri.com. However, when one side makes a statement, the other is likely to reply: During the last week of June, government websites in both North and South Korea were targeted by attackers who claimed to operate under the banner of Anonymous. (A so-called official Anonymous channel has denied via tweet having any involvement in the South Korean attacks.) Some researchers suspect the attackers were the North Korean “Whois Team,” which frequently uses skull bullets as a symbol of the group. (For more on related attacks, see “Operation Troy,” page 4.) After #OpIsrael, which we covered in last quarter’s Threats Report, around 30 hacktivist collectives from around the world decided to continue the confrontation.[37] On April 7, they announced #OpIsraelReloaded.
The hackers say they’ve caused massive damage, but Israeli officials have downplayed the incident, saying the attacks caused hardly any real losses.[38] The hacker Dr FreeDom claims a leak of 30,000 Visa card consumer details.[39] These hacks also brought about reprisals. The pro-Israel hacker team Israel Elite Force revealed several names of suspected #OpIsraelReloaded attackers on a dedicated website. Those named are from Jordan, India, and Lebanon. Other Israeli supporters defaced the Anonymous #OpIsrael website.[40] Operations against the United States and other Western interests were started under the names #OpUSA (May 7–9) and #OpPetrol (June 20).[41] These operations appeared to take place under the Anonymous banner, but when we looked at the attackers’ signatures, we discovered mostly Middle Eastern and North African hacker groups acting contrary to the ideals of freedom. Many of these movements are associated with AnonGhost, a hacker team fond of using jihad themes. It is clear that Middle Eastern sympathizers of all stripes enjoy conducting their protests under the cover of Anonymous. In June, the protest movement in Turkey led Anonymous to launch #OpTurkey, a hack of the website of the Radio and Television Supreme Council (RTUK). Cyberarmies were also active. The Syrian Electronic Army supported President Bashar al-Assad’s government by shutting down and defacing various official Turkish websites.[42] Two collectives hacked into the Turkish Prime Ministry’s network and accessed email addresses, passwords, and phone numbers belonging to Prime Minister Tayyip Erdogan’s staff. (Erdogan has been a vocal critic of Assad’s actions in the Syrian civil war.)
Another group, the Crescent and Star Team, targeted Turkey’s Is Bank, which was said to be among the supporters of the Taksim Gezi Park protests.[43] These events demonstrate the growth of hacktivism and show that attacks launched under the Anonymous banner are only a part of the problem. In a high-profile doxing campaign (publicly exposing private information) in South Africa, Anonymous hacked into an anonymous whistleblower website run by the South African Police Service and revealed the identities of thousands of its users, possibly jeopardizing their safety.[44] The legal side also made news this quarter:
• In April, contradictory reports about hackers arrested in connection with #OpIsrael circulated in Tunisia, Jordan, and Morocco. Whether or not the news was true, these states were threatened for their “actions.”
• Members of the notorious LulzSec hacking gang have been sent to jail:[45]
–– Jake Davis (aka “Topiary”): 24 months for the ring leader
–– Ryan Cleary (aka “Viral”): 32 months, will serve half that time
–– Mustafa Al-Bassam (aka “T-Flow”): 20 months suspended for two years, and 300 hours of community service
–– Ryan Ackroyd (aka “Kayla”): 30 months, will serve half that time
• In April, the FBI raided the house of an Anonymous hacker suspected of having exposed the Steubenville rapists. Known as KYAnonymous, the suspect is said to be the leader of KnightSec, the Anonymous offshoot that carried out “Operation Roll Red Roll,” which targeted Steubenville over the rape by two football players of a 16-year-old girl.[46]
• In May, Italian police arrested four alleged hackers between the ages of 20 and 34.
They are accused of monitoring the Italian branch of the Anonymous network.[47] Six more people were placed formally under investigation and a total of 10 premises were raided at the conclusion of the two-year police investigation “Tango Down.”

Cyberarmies

The Syrian Electronic Army and the Izz ad-Din al-Qassam Cyber Fighters are often in the spotlight and attracted attention again this quarter. In the last two Threats Reports of 2012, we introduced the Iranian group Izz ad-Din al-Qassam Cyber Fighters after they claimed responsibility for various cyberattacks launched that year on US banks and financial-services companies. Tied to Iran, those actions are now known as Operation Ababil. They continued this quarter, as we see in the following graphic:

[Timeline: Cyberarmies (Izz ad-Din al-Qassam Cyber Fighters attacks on US banks), April to May 2013: APR 2 BB&T; APR 3 Bank of America, Regions Bank; APR 4 Wells Fargo, BB&T; APR 9 Chase, Bank of America, Capital One, American Express, BB&T, Wells Fargo; APR 10 Chase, PNC, American Express, Citizens Bank, Regions Bank; APR 11 Key Bank, HSBC; APR 16 Regions Bank, Capital One, Principal; APR 17 Regions Bank; APR 18 Ameriprise Financial, Citizens Bank, M&T Bank; APR 23–24 BB&T; MAY 1 Key Bank, BBVA, Schwab Bank; MAY 2 Union Bank]

On May 6, the Cyber Fighters announced they had stopped the attacks so as not to interfere with #OpUSA. On June 12, Google said in a blog that it had tracked a “significant jump” in the overall volume of phishing activity in and around Iran as its election neared.[48] Some researchers have suggested many attackers focused their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates.[49] The Syrian Electronic Army supports President Assad.
This quarter, they continued their actions against media and government targets:

[Timeline: Syrian Electronic Army, April to June 2013; the events are listed below]

• April 16: NPR media network hacked; website defaced
• April 20: Four Twitter accounts belonging to CBS News programs compromised
• April 22: Two FIFA World Cup Twitter accounts hacked
• April 23: The hacked AP Twitter feed announced to millions of followers that there had been two explosions in the White House, leaving President Barack Obama injured. The news disrupted the US stock exchange, briefly wiping out US$136.5 billion in gains and leaving AP’s Twitter feeds suspended.[50]
• April 29: 11 Guardian accounts breached
• May 7: Satire publication The Onion had its Twitter account hacked
• May 17: Financial Times website and Twitter feeds hacked
• May 20: The group claimed to have hacked the Saudi Arabian Ministry of Defense email system and distributed several confidential mail exchanges
• May 21: Twitter and Facebook access for The Telegraph hacked
• May 25: Israel declared the SEA tried to enter the computers of the Haifa water system
• May 25: ITV News London hacked
• May 26: Sky Android apps and Twitter account hacked
• June 5: Some Turkish government websites jointly breached by Turkish hackers and the SEA

About the Authors

This report was prepared and written by Toralv Dirro, Paula Greve, Haifei Li, François Paget, Vadim Pogulievsky, Craig Schmugar, Jimmy Shah, Ryan Sherstobitoff, Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu of McAfee Labs.

About McAfee Labs

McAfee Labs is the global research team of McAfee.
With the only research organization devoted to all threat vectors—malware, web, email, network, and vulnerabilities—McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/us/threat-center.aspx

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com
[1] http://www.mcafee.com/uk/resources/white-papers/wp-dissecting-operation-troy.pdf
[2] http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
[3] http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423
[5] http://blogs.mcafee.com/consumer/badnews-for-good-people
[6] http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
[7] http://news.softpedia.com/news/State-of-Louisiana-Website-Hacked-Spreads-Sirefef-Malware-350944.shtml
[8] http://www.theregister.co.uk/2013/06/18/carberp_trojan_source_code_sale/
[9] http://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean
[10] http://english.chosun.com/site/data/html_dir/2013/04/08/2013040800970.html
[11] http://www.bbc.co.uk/news/technology-21601608
[12] http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html
[13] https://mtgox.com/press_release_20130404.html
[14] http://dollarvigilante.com/blog/2013/4/17/bitcoin-price-march-15-april-14-2013-the-bubble-heard-round-.html
[15] https://mtgox.com/press_release_20130411.html
[16] https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
[17] http://news.softpedia.com/news/Bitcoin-Block-Explorer-Blockchain-info-Disrupted-by-DDOS-Attack-346497.shtml
[18] http://www.wired.co.uk/news/archive/2013-05/3/silk-road-ddos
[19] https://s3.amazonaws.com/s3.documentcloud.org/documents/701175/mt-gox-dwolla-warrant-idg-news-service.pdf
[20] http://blog.wmtransfer.com/en/blog/wmx-the-new-type-of-title-units
[21] http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
[22] http://krebsonsecurity.com/2013/06/mtgox-phishing-campaign-hits-bing-yahoo/
[23] http://techcrunch.com/2013/06/27/the-dea-seized-bitcoins-in-a-silk-road-drug-raid/
[24] http://sbu.gov.ua/sbu/control/uk/publish/article?art_id=116410&cat_id=39574
[25] http://www.net-security.org/malware_news.php?id=2458
[26] http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
[27] http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051
[28] http://www.wired.com/threatlevel/2013/05/liberty-reserve-indicted/
[29] http://www.coindesk.com/wm-center-e-currency-exchange-seized-by-us-government/
[30] http://www.eweek.com/security/microsoft-fbi-shutter-citadel-botnets-seeking-to-end-500m-crime-spree/
[31] http://www.infoworld.com/t/security/microsoft-accused-of-friendly-fire-in-citadel-botnet-takedown-220438
[32] http://nakedsecurity.sophos.com/2013/06/12/microsoft-citadel-takedown/
[33] http://garwarner.blogspot.fr/2013/06/vietnamese-carders-arrested-in.html
[34] https://threatpost.com/feds-bust-cybercrime-ring-targeting-payroll-financial-firms/
[35] http://www.leparisien.fr/espace-premium/actu/les-pirates-du-net-pillent-27-000-coordonnees-bancaires-12-06-2013-2888529.php
[36] http://pastebin.com/4g44jfNF
[37] http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q1-2013.pdf
[38] http://news.softpedia.com/news/Hacktivists-Target-Over-100-000-Israeli-Sites-Officials-Say-There-s-No-Real-Damage-343610.shtml
[39] http://technologynewsforday.wordpress.com/2013/04/07/30000-visa-cards-leaked-by-dr-freedom/
[40] http://www.dreuz.info/2013/04/attaque-danonymous-israel-leur-a-mis-la-honte-le-w00t-ultime/
[41] http://news.softpedia.com/news/Anonymous-Hackers-to-Launch-OpPetrol-on-June-20-Video-352816.shtml
[42] http://www.ibtimes.com/opturkey-syrian-electronic-army-joins-anonymous-turkey-protests-hacks-erdogans-network-access-staff
[43] http://www.worldbulletin.net/?ArticleID=111010&aType=haber
[44] http://www.wired.co.uk/news/archive/2013-05/22/south-africa-whistleblower-leak
[45] http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-HomeOffice-agency.html
[46] http://gawker.com/the-fbi-raided-steubenville-anonymous-guys-house-here-511634071
[47] http://www.pcworld.com/article/2039020/police-arrest-anonymous-suspects-in-italy.html
[48] http://googleonlinesecurity.blogspot.fr/2013/06/iranian-phishing-on-rise-as-elections.html
[49] http://krebsonsecurity.com/2013/06/iranian-elections-bring-lull-in-bank-attacks/#more-21113
[50] http://www2.macleans.ca/2013/04/23/associated-press-twitter-feed-gets-hacked-claiming-explosions-at-white-house-president-injured/

2821 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com
McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided only for information. They are subject to change without notice, and are provided without warranty of any kind, expressed or implied. Copyright © 2013 McAfee, Inc.