McAfee Threats Report: Second Quarter 2013
By McAfee® Labs
Table of Contents
Introduction 3
Operation Troy 4
Mobile Threats 5
Banking malware 6
Adults only 7
Targeted Trojans 7
Mobile spyware 7
General Malware Threats 7
Ransomware 13
Database Threats 14
Network Threats 15
Web Threats 17
Phishing 20
Spam URLs 21
Messaging Threats 22
Spam volume 22
Drugs, DSN, and snowshoes 25
Botnet breakdowns 26
New botnet senders 27
Messaging botnet prevalence 29
Cybercrime 30
Malware, vulnerabilities, and hacking 30
The Bitcoin saga 31
Actions against cybercriminals 32
Hacktivism 33
Cyberarmies 36
About the Authors 37
About McAfee Labs 37
Introduction
McAfee Labs researchers have analyzed the threats of the second quarter of 2013. Several trends are familiar: steady
growth in mobile and overall malware. A cyberespionage attack against South Korea and a further increase in worldwide
spam are further attention grabbers.
The Dark Seoul attack against banks and media companies in South Korea inspired McAfee Labs to investigate beyond
the basics of computers disabled by having their master boot records deleted. Behind the scenes we found an ongoing
attempt to infiltrate South Korean military targets in a cyberespionage campaign that began in 2009. Our extensive report,
published in July, explains the history and the coding details behind the damage and attempted surveillance.
Backdoor Trojans and banking malware were the most popular mobile threats this quarter. We counted more than
17,000 new Android samples during this period. The year is certain to establish another record. New malware of all
types exceeded 18 million this quarter, pushing our all-time tally to more than 147 million binaries. AutoRun threats,
often spread via USB drives, remain at record levels, as do password-stealing programs. Signed malware, which poses
as approved legitimate software, continues to set records, increasing by 50 percent this quarter. Malware that attacks
a system’s master boot record declined from last quarter’s record high, but remains very dangerous.
Ransomware, which holds a computer hostage until the victim pays to free it, is a bad problem getting worse. The number
of new samples more than doubled compared with last quarter. Not only do criminals make relatively safe money from this
scheme, they often do not remove their malware—leaving the poor victim’s system as dead as before.
Publicly reported data breaches have averaged a relatively flat line for the past three quarters. Outsiders steal data more
often than insiders, but this is one threat area in which our data comes from victims, who may not feel like exposing all of
their weaknesses. MySQL still leads enterprise databases in the number of reported vulnerabilities.
From the McAfee Global Threat Intelligence network we see that browser-based threats, such as hidden iframes and
malicious Java code, comprise almost three-fourths of the Internet’s malicious activity. IP addresses in the United States are
again both the source and the target of most network threats.
Our analysis of web threats found that the number of new suspicious URLs, mostly in the United States, increased by
16 percent this quarter. Phishing attacks aimed primarily at targets in the United States. The leading industries suffering
phishing attacks are financial and online-auction organizations. Spam levels are bouncing back: This quarter volume
reached 2 trillion messages in April, the highest figure we’ve seen since 2010. We continue to report on the variety of
spam subjects and botnet prevalence in selected countries around the world.
Our timeline of significant hacks shows the major criminal activity that took place this quarter. Online currency Bitcoin
was in the news. One Bitcoin provider suffered DDoS attacks that interrupted service and led to wild swings in value. Law
enforcement officials around the world enjoyed some successes this quarter, with arrests halting gangs responsible for
stealing hundreds of millions to billions of dollars.
Activist hackers demonstrated, defaced, and inspired counterattacks from their opponents. The group Anonymous was
involved in some efforts and likely had its name borrowed to support some others. The Middle East was again a busy
region for political expression.
Operation Troy
When reports of the March 20 “Dark Seoul” attack on South Korean financial services and media firms emerged, most
of the focus was on the wiping of the master boot record of thousands of computers. PCs infected by the attack had all
of the data on their hard drives erased. Since that time, however, McAfee Labs has discovered that the Dark Seoul attack
included a broad range of technology and tactics beyond cybervandalism.
The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development
project that has been named Operation Troy. (The name Troy comes from repeated citations of the ancient city found in
the compile path strings of the malware.) The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term
attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.
Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code.
Forensic researchers can use these prints to identify where and when the code was developed. It’s rare that a researcher
can trace a product back to individual developers (unless they’re unusually careless). But frequently these artifacts can
be used to determine the original source and development legacy of a new “product.” Sometimes the developers insert
such fingerprints on purpose to establish “ownership” of a new threat. McAfee Labs uses sophisticated code analysis and
forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best
mitigate an attack or predict how the threat might evolve in the future. McAfee Labs research learned that the Dark Seoul
attack was preceded by years of attempted cyberespionage:
Figure: Operation Troy—Domestic Spying Period, timeline 2009–2013. Malware components: Chang, HTTP Troy, Http Dr0pper,
Concealment Troy, EagleXP, Mail Attack, Tong, MBR Wiper, 3Rat Client, NSTAR, TDrop. Events: US/South Korean military
attacks (2009), 10 Days of Rain DDoS attacks, Dark Seoul media/broadcast and financial industry attacks (March 20, 2013).
Legend: suspected link, solid link, highly probable link.
Our investigation into the cyberattacks in March revealed ongoing covert intelligence-gathering operations. McAfee Labs
concludes that the attacks on March 20 were not an isolated event strictly tied to the destruction of systems, but the latest
in a series of attempts to infiltrate targets since 2009. For details, read the McAfee Labs report Dissecting Operation Troy:
Cyberespionage in South Korea.[1]
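The attribution technique described above (clustering samples by the compile-path strings they carry) can be reproduced in a few lines. This is an added example, not McAfee Labs tooling: the byte blobs, the project names inside their PDB paths and the sample names are all constructed.

```python
"""Cluster binaries by the compile-path (PDB) strings left in them.

Added example, not the McAfee Labs tooling: the byte blobs and the
paths inside them are constructed for illustration.
"""
import re
from collections import defaultdict

# A CodeView "RSDS" debug record in a PE file ends with the NUL-terminated
# path of the .pdb the compiler wrote, e.g. D:\Projects\Troy\Release\x.pdb.
# Match a drive letter, a backslash, then printable ASCII up to ".pdb".
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,250}?\.pdb", re.IGNORECASE)

# Directory names that nearly every Visual Studio build shares; they carry
# no lineage signal and would otherwise link unrelated samples.
GENERIC_COMPONENTS = {"release", "debug", "bin", "obj", "x64", "x86", "win32"}


def extract_pdb_paths(blob: bytes) -> list[str]:
    """Return every PDB path string found in a raw binary blob."""
    return [m.group(0).decode("ascii", "replace") for m in PDB_PATH_RE.finditer(blob)]


def path_components(path: str) -> list[str]:
    """Lower-cased directory names of a Windows path, drive and file name dropped."""
    parts = path.split("\\")
    return [p.lower() for p in parts[1:-1] if p]


def cluster_by_component(samples: dict[str, bytes], min_shared: int = 2) -> dict[str, list[str]]:
    """Map each non-generic directory name to the samples whose compile path contains it.

    Names seen in fewer than `min_shared` samples are dropped: one occurrence
    says nothing about shared development history.
    """
    index: dict[str, set[str]] = defaultdict(set)
    for name, blob in samples.items():
        for path in extract_pdb_paths(blob):
            for comp in path_components(path):
                if comp not in GENERIC_COMPONENTS:
                    index[comp].add(name)
    return {comp: sorted(names) for comp, names in index.items() if len(names) >= min_shared}


def _pe_like(pdb_path: str) -> bytes:
    """Constructed stand-in for a PE file: junk around an RSDS-style record
    (signature, 16-byte GUID, 4-byte age, NUL-terminated path)."""
    return (b"MZ\x90\x00" + b"\x00" * 16 + b"RSDS" + b"\x11" * 20
            + pdb_path.encode("ascii") + b"\x00" + b"\xcc" * 8)


# Constructed sample set: two builds from the same project tree, one unrelated.
SAMPLES = {
    "sample_a.exe": _pe_like("D:\\Projects\\Troy\\Http\\Release\\dropper.pdb"),
    "sample_b.exe": _pe_like("D:\\Projects\\Troy\\Concealment\\Release\\svc.pdb"),
    "sample_c.exe": _pe_like("C:\\Users\\dev\\unrelated\\Release\\tool.pdb"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, extract_pdb_paths(blob))
    for comp, names in sorted(cluster_by_component(SAMPLES).items()):
        print(f"shared path component {comp!r}: {names}")
```

The generic-name filter matters: without it every Visual Studio build is linked through "Release", which is noise rather than lineage.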
Mobile Threats
This quarter “backdoor” Trojans, which steal data without the victim’s knowledge, and malware that goes after banking
login information have made up the largest portion of all new mobile malware families. Spyware has also been active, and
malware authors continue to target activists. Halfway through 2013 we have already collected almost as many mobile
malware samples as in all of 2012. Will the count double by the end of the year? That much and more, we expect. This
quarter we added more than 17,000 Android samples to our database.
Figure: New Mobile Malware, annual totals 2004–2013 (0 to 40,000).
Figure: Total Mobile Malware by Platform (Android, Symbian, Java ME, Others).
Figure: New Android Malware by quarter, Q1 2011–Q2 2013 (0 to 20,000).
Banking malware
Banks in Europe and Asia require two-factor authentication via SMS messages. When customers log into their banks, they
are sent a mobile transaction authentication number (mTAN) in a text message. They must then enter the mTAN code
to get access to their accounts. This step prevents an attacker who steals only a username and password from reaching a
victim’s money.
Attackers seeking to bypass two-factor authentication need to get that text message sent by the banks. Once the
attacker has stolen a username and password from a victim’s PC, the thief needs only to get the user to install
SMS‑forwarding malware.
A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, take the standard SMS forwarder malware
a step further. Normally we advise users to employ only the official app provided by their banks for any online banking.
Android/FakeBankDropper.A counters that defense by replacing the bank’s official app with Android/FakeBank.A. While
the victims think they have the original app installed, the attacker logs into the users’ accounts to get the latest SMS from
the bank.
A short list of similar SMS forwarders:
• Android/Nopoc.A: Forwards incoming SMS messages to the attacker’s server.
• Android/Pincer.A: Pretends to install a certificate on the user’s device. Forwards SMS messages to the attacker’s server.
• Android/Stels.A: Pretends to be an update to the Adobe Flash player. Collects sensitive user information and posts it to
the attacker’s server.
• Android/Wahom.A: Pretends to be a legitimate app, but displays an error message to the user. The malware hides
its icon to fool the user into thinking it was uninstalled. Collects sensitive user information and forwards SMS to the
attacker’s server.
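Two checks follow from the banking-malware section: an SMS forwarder must intercept incoming SMS and have a way off the device, and a FakeBankDropper-style replacement keeps the bank’s package name but cannot reproduce the bank’s signing key. This added example (not from the report) applies both to an AndroidManifest.xml; the manifests, package names and certificate fingerprints are constructed, and the signer hash is assumed to be supplied by the analyst.

```python
"""Spot Android packages that behave like mTAN/SMS forwarders, and catch an
"official" banking app whose signing certificate no longer matches the bank's.

Added example, not from the McAfee report. The manifests, package names and
certificate fingerprints below are constructed; real fingerprints come from
the bank's published app or a known-good install (apksigner can print them).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Constructed allow list: package name -> SHA-256 of the official signing certificate.
OFFICIAL_SIGNERS = {"com.example.bank": "aa" * 32}


def parse_manifest(xml_text: str) -> dict:
    """Pull the facts the checks need out of an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receiver = any(
        action.get(ANDROID_NS + "name") == SMS_RECEIVED
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    return {"package": root.get("package"), "permissions": perms, "sms_receiver": sms_receiver}


def assess(xml_text: str, signer_sha256: str) -> list[str]:
    """Return findings for one package; an empty list means nothing suspicious."""
    info = parse_manifest(xml_text)
    findings = []
    perms = info["permissions"]
    # Intercepting incoming SMS plus any path off the device is the minimum an
    # mTAN forwarder needs; a bank app legitimately needs neither.
    if info["sms_receiver"] and RECEIVE_SMS in perms and perms & EXFIL_PERMS:
        findings.append("SMS_RECEIVED receiver with RECEIVE_SMS and a network or "
                        "SMS-send permission: possible SMS forwarder")
    # A replacement installed under the bank's package name cannot be signed with
    # the bank's key, so the certificate hash is the tell.
    expected = OFFICIAL_SIGNERS.get(info["package"])
    if expected is not None and expected != signer_sha256.lower():
        findings.append("package name is the official bank app but the signing "
                        "certificate differs: possible replaced app")
    return findings


def _manifest(package: str, perms: list[str], sms_receiver: bool) -> str:
    """Build a minimal constructed manifest for the scenarios below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    receiver = (
        '<receiver android:name=".SmsReceiver"><intent-filter android:priority="999">'
        f'<action android:name="{SMS_RECEIVED}"/></intent-filter></receiver>'
        if sms_receiver else ""
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}">{uses}<application>{receiver}</application></manifest>'
    )


# Constructed scenarios: the genuine bank app, a look-alike installed under the
# same package name by a dropper, and a stand-alone "certificate installer" forwarder.
OFFICIAL_APP = _manifest("com.example.bank", ["android.permission.INTERNET"], False)
FAKE_BANK_APP = _manifest("com.example.bank", [RECEIVE_SMS, "android.permission.INTERNET"], True)
FORWARDER_APP = _manifest("com.example.certinstall", [RECEIVE_SMS, "android.permission.SEND_SMS"], True)

if __name__ == "__main__":
    for label, xml_text, signer in [
        ("official", OFFICIAL_APP, "aa" * 32),
        ("fake bank", FAKE_BANK_APP, "bb" * 32),
        ("forwarder", FORWARDER_APP, "cc" * 32),
    ]:
        print(label, assess(xml_text, signer) or ["clean"])
```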
Adults only
Adult-entertainment software offers helpful camouflage for attackers. They can gain large profits and they’re less likely to
attract attention from law enforcement. Attackers’ interest in adult-entertainment apps has risen this quarter.
In Japan a large family of potentially unwanted programs (PUPs), Android/DeaiFraud, pretends to be an app for a popular
adult-dating site. Although this malware doesn’t directly harm users, it can lead them to receive spam from the attacker.
It’s also likely that users will be fooled into signing up for the adult-dating site due to the attacker’s partners posing as real
singles on the service.
Apart from PUPs, we also saw Android/NMPHost.A, a malware that convinces users to download a second malware,
Android/NMP.A, which steals user information. Both malware pretend to be adult-entertainment apps. Once installed,
Android/NMP.A collects sensitive user information and sends it to the attacker’s server.
Targeted Trojans
Attackers find legitimate apps very useful as cover for their malicious code. They benefit from the popularity of the app as
well as from how much users trust the app. In the case of Android/Kaospy.A, attackers are using modified versions of the
Kakao talk app and targeting Tibetan activists. This malware is distributed using phishing emails. The malicious spyware
collects a large amount of sensitive user information (contacts, call logs, SMS messages, installed applications, and
location) and uploads the data to the attacker’s server.
Trojanized apps that aren’t so narrowly targeted include Android/BadNews.A. This backdoor Trojan pretends to be a
legitimate game app that includes ads. Instead it collects sensitive user information and sends it to the attacker. It’s also
capable of displaying fake news headlines.
Mobile spyware
Commercial spyware has seen a small increase from the previous quarter. Android/Fzw.A downloads a spyware app from
the attacker’s website. Like other hidden Trojans, it pretends to be a legitimate font installer app. The downloaded spyware
forwards SMS messages, call logs, and location information to the attacker’s server.
Android/Roidsec.A is spyware that pretends to be software for syncing the user’s phone. It really does sync the user’s
sensitive information and SMS messages—only to the attacker’s server. The malware collects location, call logs, and data
about the phone hardware and can record calls, too.
General Malware Threats
Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of
this quarter we now have more than 147 million samples in our malware “zoo.”
Figure: Total Malware Samples in the McAfee Labs Database, monthly July 2012–June 2013 (0 to 160,000,000).
Figure: New Malware by quarter, Q1 2011–Q2 2013 (0 to 20,000,000).
Rootkits, or stealth malware, are designed to evade detection and reside on a system for prolonged periods. Growth in
new rootkit samples has been on a downward trend since the middle of 2011. All three of the rootkit types we track in
this report matched this trend.
Figure: New Rootkit Samples by quarter, Q1 2011–Q2 2013 (0 to 180,000).
Figure: New Koutodoor Samples by quarter, Q1 2011–Q2 2013 (0 to 200,000).
Figure: New TDSS Samples by quarter, Q1 2011–Q2 2013 (0 to 200,000).
Figure: New ZeroAccess Samples by quarter, Q1 2011–Q2 2013 (0 to 160,000).
AutoRun malware, which often hides on USB drives and can allow an attacker to take control of a system, doubled at
the start of the year and increased slightly again this quarter. The number of fake AV products—which scare victims into
believing their systems are infected—rose during 2012 to a record level but has declined during the last two quarters.
Koobface, which plagues Facebook users, peaked in 2009-10 and has remained at low levels since early 2012. Password-stealing
Trojans, which attempt to raid victims’ bank accounts, established a record high last quarter; this quarter’s figure
was almost as large.
Figure: New AutoRun Samples by quarter, Q1 2011–Q2 2013 (0 to 900,000).
Figure: New Fake AV Samples by quarter, Q1 2011–Q2 2013 (0 to 1,000,000).
Figure: New Koobface Samples by quarter, Q1 2011–Q2 2013 (0 to 2,500).
Figure: New Password Stealers Samples by quarter, Q1 2011–Q2 2013 (0 to 1,600,000).
Signed malware rebounded sharply from its decline in the first quarter and again set a new record, with more than
1.2 million new samples discovered this quarter.
Figure: Total Malicious Signed Binaries, monthly July 1, 2012–June 1, 2013 (0 to 4,500,000).
Figure: New Malicious Signed Binaries by quarter, Q3 2011–Q2 2013 (0 to 1,400,000).
New malware that attacks the Mac more than tripled, after declining for three quarters. In spite of the small numbers
compared with PC threats, Mac users also need protection.
Figure: New Mac Malware by quarter, Q1 2011–Q2 2013 (0 to 700).
One strain of malware targets a computer’s master boot record (MBR)—an area that performs key startup operations.
Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration. These attacks,
including mebroot, Tidserv, Cidox, and Shamoon, have rapidly increased their numbers. This quarter saw a drop from last
period’s record level, but it’s still the second-highest figure we have recorded.
Figure: New Master Boot Record-Related Threats by quarter, Q1 2011–Q2 2013 (0 to 800,000). Series: Variants of
Families with Known MBR Payloads; Identified MBR Components.
Ransomware
Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen.
The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter. During
the past two quarters we have catalogued more ransomware than in all previous periods combined. This trend is also
reflected by warnings from law enforcement and federal agencies around the globe.
One reason for ransomware’s growth is that it is a very efficient means for criminals to earn money because they use
various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for
example, which must process credit card orders for the fake software. Another reason is that an underground ecosystem
is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as
Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem
of ransomware will not disappear anytime soon.
Figure: New Ransomware Samples by quarter, Q1 2011–Q2 2013 (0 to 350,000).
Database Threats
When we reported on the numbers of database breaches made public in our Threats Report for the fourth quarter of
2012, we saw a slowdown in break-ins, with just 47 during the quarter. At that time we couldn’t be sure whether we
were observing a trend or an anomaly. Six months later, we can now see some stabilization in this area. This year started
at the same relatively low rate as 2012 ended, with 119 data breaches in the first six months of 2013. That’s a little more
than one-third of the 315 breaches during the record-setting 2012. Are we in the middle of a long-term trend or is this just
the calm before the storm?
Figure: Data Breaches Made Public, annual 2007–2013 (0 to 350). Source: privacyrights.org
The rate of data breaches caused by outside hackers (criminal or otherwise) dropped considerably in 2012, and has held
relatively steady for the last four quarters. The lower rate of theft by company insiders has also been relatively steady,
though without a dramatic decline. The drop in outsider breaches might point to companies and organizations investing
more heavily in perimeter protections than in database security. However, we have seen database security get much more
attention from medium-sized and big businesses than just one or two years ago.
Figure: Sources of Data Breaches by quarter, Q1 2012–Q2 2013 (0 to 90). Series: Insiders; Hackers. Source: privacyrights.org
As we can see from the preceding graph, hackers still cause a greater number of breaches than insiders. But we have to
remember that data-breach statistics are rarely objective due to their nature. Hackers publish stolen data more frequently
than a company will confess that it was compromised.
Database vulnerabilities, reported by the developers or others, continue to be dominated by MySQL, with almost
60 percent of all vulnerabilities discovered during the past six quarters.
Figure: New Vulnerabilities in Leading Databases by quarter, Q1 2012–Q2 2013 (0 to 45). Series: SQL Server, Sybase,
PostgreSQL, DB2, Oracle, MySQL.
Network Threats
As usual, the United States is both the source and the target of much of the Internet’s malicious activity, according to the
McAfee Global Threat Intelligence network. Browser-based threats have increased to 73 percent of all attacks, compared
with 44 percent last quarter. The following detection signatures show which types of attacks McAfee products most
frequently blocked:
• HTTP: Microsoft JPEG Processing Buffer Overrun
• HTTP: Multiple Browser Window Injection Vulnerability
• RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
• HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution
Figure: Top Network Attacks (Browser, Remote Procedure Call, SQL Injection, Cross-Site Scripting, Others).
As the host of SQL-injection attacks, which poison legitimate websites, the United States’ piece of the pie shrank slightly
this quarter, to 32 percent from 35 percent last quarter. Venezuela regained second place, hosting 11 percent. By far most
victims of these attacks (60 percent, up from 55 percent last period) are in the United States.
Figure: Top SQL-Injection Attackers and Top SQL-Injection Victims, by country. Countries shown: United States, Venezuela,
Taiwan, Spain, China, Russia, Germany, South Korea, Others.
In our botnets tracking, the United States again claims first place. The percentage of control servers hosted dropped
3 points to 37 percent. The decrease was larger among botnet victims, falling to 34 percent from 43 percent in the
first quarter.
Figure: Top Botnet Control Servers and Top Botnet Victims, by country. Countries shown: United States, Germany, Turkey,
China, Taiwan, Brazil, Russia, Canada, United Kingdom, Spain, South Korea, India, Others.
The United States represents the lion’s share of hosts of PDF-based attacks, climbing to 53 percent this quarter, compared
with 35 percent in the last period. Taiwan, with 8 percent, took second place. China fell to just 2 percent this quarter from
11 percent last time.
Figure: Top Malicious PDF Attackers (United States, Taiwan, Spain, United Kingdom, Germany, Canada, Others).
Web Threats
Websites can gain bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any
number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by
the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable
code and functionality. These are just a few of the factors that contribute to our rating of a site’s reputation.
At June’s end, the total number of suspect URLs tallied by McAfee Labs overtook 74.7 million, which represents a 16 percent
increase over the first quarter. These URLs refer to 29 million domain names, up 5 percent from the previous period.
Figure: Risk Level of Suspect URLs and Risk Level of Suspect Domains (Minimal, Unverified, Medium, High).
This quarter, we recorded per month an average of 3.5 million new suspect URLs related to about 430,000 domains.
Figure: New Suspect URLs by quarter, Q2 2012–Q2 2013 (0 to 16,000,000). Series: URLs; Associated Domains.
Most of these suspicious URLs (96 percent) host malware, exploits, or code designed specifically to compromise
computers. Phishing and spam represent 2.1 percent and 0.3 percent, respectively.
Figure: Distribution of New Suspect URLs (New Phishing URLs, New Malware URLs, New Spam Email URLs, Others).
Distribution at the domain level gives a different picture, with 12 percent phishing domains and 2 percent spam domains.
Figure: Distribution of New Suspect Domains (New Phishing Domains, New Malware Domains, New Spam Email Domains, Others).
The domains associated with newly suspect URLs are mainly located in North America (chiefly the United States) and
Europe–Middle East (chiefly Germany). This trend is not new; North America historically hosts quite a bit of malware and
suspect content. However, its influence has dropped to 52 percent, compared with 74 percent last quarter.
Figure: Location of Servers Hosting Suspect Content (North America, Africa, Asia-Pacific, Australia, Europe–Middle East,
Latin America).
Digging into the location of servers hosting malicious content in other countries we see quite a global diversity. Each
region has one or two clearly dominant players.
Figure: Location of Servers Hosting Malicious Content, by region.
Africa: South Africa, Kenya, Morocco, Egypt, Tunisia, Others.
Asia-Pacific: China, South Korea, Japan, Hong Kong, Thailand, Others.
Europe and Middle East: Germany, Netherlands, Russia, United Kingdom, Poland, Others.
Australia–South Pacific: Australia, New Zealand.
North America: United States, Canada.
Latin America: Brazil, Bahamas, British Virgin Islands, Argentina, Chile, Others.
Phishing
After peaking during the fourth quarter of 2012, the number of new phishing URLs dropped sharply last quarter.
This period saw a modest decrease.
Figure: New Phishing URLs by quarter, Q2 2012–Q2 2013 (0 to 450,000). Series: URLs; Associated Domains.
Most of these URLs are hosted in the United States.
Figure: Top Countries Hosting Phishing URLs (United States, Germany, United Kingdom, Canada, Netherlands, Others).
Companies from the United States are the most frequently targeted, suffering 67 percent of all attacks. They are followed
by the United Kingdom and Australia, with 6 percent and 3 percent, respectively. Phishers go after several key industries.
The top five are finance (with 42 percent of attacks), online auctions (32 percent), government, shopping, and services.
Figure: Phishing Targets by Industry (Finance, Online Auctions, Shopping, Government, Services, Others).
Companies in the United States are the most heavily targeted, followed by the United Kingdom and Australia.
Figure: Most-targeted phishing brands by country (United States, United Kingdom, Australia, Canada, India). Brands shown:
Amazon, Barclays, Capital One, HDFC Bank, American Express, HM Revenue & Customs, ANZ (Australia and New Zealand
Banking Group), Royal Bank of Canada, ICICI Bank, Deloitte, HSBC, eBay, Lloyds TSB, JPMorgan Chase, Natwest, PayPal,
Santander, Westpac Bank, TD Bank Group, Wells Fargo.
Spam URLs
Spam URLs are links that arrive in unsolicited emails. Also included in this family are sites built only for spamming purposes,
such as spam blogs or comment spam.
Figure: New Spam URLs by quarter, Q2 2012–Q2 2013 (0 to 160,000). Series: URLs; Associated Domains.
The primary country hosting these URLs is the United States, with 39 percent of the total. Germany (9 percent) and
Russia (6 percent) follow.
Figure: Countries Hosting Spam URLs (United States, Germany, Russia, China, Antarctica, Netherlands, South Korea, Others).
Messaging Threats
In April, spam volume surpassed 2 trillion messages, the highest figure since December 2010. A slight decline in May and
June still left the count higher than any time since May 2011.
Figure: Global Email Volume, in Trillions of Messages, monthly July 2012–June 2013 (0 to 2.5). Series: Monthly Spam;
Legitimate Email.
Spam volume
Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are
the most dramatic examples; each had an increase of greater than 200 percent this period. Japan grew by 142 percent.
Meanwhile, Pakistan (down 59 percent) and Romania (down 56 percent) enjoyed large declines. France fell by 25 percent,
and the United States decreased by 16 percent.
Figure: Spam Volume by country, monthly July 2012–June 2013. Panels: Argentina, Australia, Belarus, Brazil, Chile, China,
France, Germany, India, Italy, Japan, Kazakhstan, Peru, Romania, Russia, South Korea, Spain, Ukraine, United Kingdom,
United States.
Drugs, DSN, and snowshoes
As we look at spam subjects around the world, we see that the popularity of drugs just won’t go away. Drug offers in
our selected countries range from a low of 17 percent to more than 50 percent of leading spam subject lines. In Australia,
France, and the United States, delivery service notification (DSN) teasers remain popular. In many countries “snowshoe”
spam appeared on at least one-quarter of the leading subjects. Snowshoe spam spreads the load across many IP addresses
to avoid rapid eviction by ISPs. Lots of spam this quarter contained subject lines related to the Boston Marathon bombings.
Most of these messages contained links to malware. We were surprised to see relatively little spam for replica products,
such as watches and other junk. This has long been a popular subject. We’re sure it hasn’t gone away but it did lose
significant volume.
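As an added illustration (not McAfee's code or data), the following Python sketch applies the definition of snowshoe spam given above to a constructed mail-gateway log: it groups messages by the URL host they advertise and flags campaigns whose volume is spread across many source addresses and networks rather than concentrated on one sender. The log format, the field names and the thresholds are assumptions made for this example.

```python
"""Heuristic detection of "snowshoe" spam in mail-gateway logs.

Snowshoe spam spreads one campaign thinly across many sending IP addresses
and networks so that no single address accumulates enough volume to be
blocked quickly. Added example, not McAfee code; log format is assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample log, one message per line:
# "<timestamp> <sender-ip> <envelope-from-domain> <advertised-url-host>".
# rx-deals.example: 8 messages from 8 IPs in 4 networks (snowshoe pattern);
# bigsale.example: bulk spam from one IP; newsletter.example: small list.
SAMPLE_LOG = """\
2013-06-03T08:00:01 198.51.100.7 mail-a.example rx-deals.example
2013-06-03T08:00:09 203.0.113.41 mail-b.example rx-deals.example
2013-06-03T08:01:14 192.0.2.9 mail-c.example rx-deals.example
2013-06-03T08:01:40 10.20.5.12 mail-d.example rx-deals.example
2013-06-03T08:02:51 198.51.100.23 mail-e.example rx-deals.example
2013-06-03T08:03:12 203.0.113.88 mail-f.example rx-deals.example
2013-06-03T08:03:45 192.0.2.130 mail-g.example rx-deals.example
2013-06-03T08:04:20 10.20.5.200 mail-h.example rx-deals.example
2013-06-03T08:05:30 203.0.113.200 bulk.example bigsale.example
2013-06-03T08:05:31 203.0.113.200 bulk.example bigsale.example
2013-06-03T08:05:32 203.0.113.200 bulk.example bigsale.example
2013-06-03T08:05:33 203.0.113.200 bulk.example bigsale.example
2013-06-03T08:05:34 203.0.113.200 bulk.example bigsale.example
2013-06-03T08:06:00 192.0.2.10 list.example newsletter.example
2013-06-03T08:06:01 192.0.2.10 list.example newsletter.example
2013-06-03T08:06:02 192.0.2.10 list.example newsletter.example
"""


@dataclass
class CampaignStats:
    campaign: str
    messages: int
    distinct_ips: int
    distinct_networks: int  # distinct /24 (IPv4) or /64 (IPv6) sender blocks
    max_share: float        # fraction of the campaign sent by its busiest IP

    @property
    def spread(self) -> float:
        """1.0 means every message came from a different IP address."""
        return self.distinct_ips / self.messages


def parse_log(text: str):
    """Yield (sender_ip, url_host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            yield ipaddress.ip_address(fields[1]), fields[3]
        except ValueError:  # unparsable IP field: treat as log noise
            continue


def sender_network(ip):
    """Map a sender IP to the block a network-level blocklist would act on."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def campaign_stats(text: str) -> dict:
    """Aggregate per-campaign sender statistics, keyed by advertised host."""
    per_campaign = defaultdict(Counter)
    for ip, host in parse_log(text):
        per_campaign[host][ip] += 1
    stats = {}
    for host, ip_counts in per_campaign.items():
        total = sum(ip_counts.values())
        stats[host] = CampaignStats(
            campaign=host,
            messages=total,
            distinct_ips=len(ip_counts),
            distinct_networks=len({sender_network(ip) for ip in ip_counts}),
            max_share=max(ip_counts.values()) / total,
        )
    return stats


def snowshoe_campaigns(text: str, min_messages: int = 5,
                       min_spread: float = 0.8, min_networks: int = 3) -> list:
    """Return campaigns whose sending pattern matches snowshoe spam.

    Thresholds are illustrative assumptions, not tuned values: the campaign
    must be big enough to matter, come from almost as many IPs as it has
    messages, and span several networks so blocking one block won't stop it.
    """
    return sorted(
        host for host, st in campaign_stats(text).items()
        if st.messages >= min_messages
        and st.spread >= min_spread
        and st.distinct_networks >= min_networks
    )


if __name__ == "__main__":
    for host, st in sorted(campaign_stats(SAMPLE_LOG).items()):
        print(f"{host:20} msgs={st.messages:2} ips={st.distinct_ips:2} "
              f"nets={st.distinct_networks} max_share={st.max_share:.2f}")
    print("snowshoe candidates:", snowshoe_campaigns(SAMPLE_LOG))
```

On the constructed log only rx-deals.example is flagged: the bulk sender has the same volume profile but a single IP, which is exactly the concentration a reputation blocklist catches and snowshoe senders avoid.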
[Figure: Spam Types by country (Argentina, Australia, Brazil, Colombia, France, Germany, India, Italy, Spain, Turkey, United Kingdom, United States); categories: Drugs, DSN, Jobs, Marketing, News, Phishing, Scams, Snowshoe, Travel, Webinars]
Botnet breakdowns
Infections from messaging botnets, which supply spam worldwide, have shown an overall decline since May 2012, but this quarter's trend was again upward.
[Figure: Global Messaging Botnet Infections, monthly July 2012 to June 2013]
Cutwail remains in first place among botnets, causing more than 6 million new infections during the quarter. Kelihos was
a distant second, at 2.3 million. New last quarter, Slenfbot infected 1.6 million systems this period.
[Figure: Spam Botnet Prevalence, share by family: Cutwail, Kelihos, Slenfbot, Festi, Maazben, Others]
[Figure: Leading Global Botnet Infections, monthly July 2012 to June 2013, by family: Cutwail, Kelihos, Slenfbot, Festi, Maazben]
New botnet senders
Country-specific botnet statistics show big variances from quarter to quarter and from country to country. In Peru, for
example, the number of botnet senders increased by almost 300 percent. Among our selected countries, India rose by
14 percent. Belarus dropped by 66 percent, Russia by 46 percent, and China by 31 percent.
[Figure: New Botnet Senders, monthly July 2012 to June 2013, per-country panels: Australia, Argentina, Brazil, Canada, Chile, China, France, Colombia, India, Germany, Italy, Japan, South Korea, Russia, Spain, Turkey, United Kingdom, United States]
Messaging botnet prevalence
Our breakdown of botnets shows how the most widespread botnet families are represented in various countries around the globe. Cutwail and Kelihos are the global leaders. Other notably predominant botnets:
• Darkmailer in Belarus, Kazakhstan, Pakistan, and Indonesia
• Cutwail in Greece, Vietnam, and Iran (greater than 60 percent)
• Slenfbot in Belarus (81 percent)
• Slenfbot in Japan and Ukraine
• Kelihos in Germany, Italy, Argentina, and the United Kingdom (greater than 40 percent)
These variances demonstrate that specific countries can have specific attackers.
[Figure: New Botnet Senders, per-country breakdown by botnet family (Cutwail, Festi, Kelihos, Maazben, Slenfbot, Others): Australia, Brazil, Chile, China, Colombia, Germany, India, Japan, Russia, South Korea, United Kingdom, United States]
Cybercrime
Malware, vulnerabilities, and hacking
[Timeline figure: Malware, Vulnerabilities, and Hacking, April to June 2013: APR 5 LivingSocial Hack; APR 11 WordPress Hack; APR 17 CVE-2013-2423 (Exploit Packs Updated); APR 19 BadNews (in Google Play Apps); MAY 1 CVE-2013-1347 (Dept. of Labor Hack); MAY 3 Sirefef (Louisiana Board of Regents Hack); JUN 27 Generic PSW.o (Gulf States and Caribbean Phishing Campaign); JUN 30 South Korea Hack; undated entries: Android.FakeAlert, Carberp for $5,000, Carberp for Free]
• The scareware Android.Fakedefender, announced in June by various security companies, has apparently spread through mobile environments since the end of March. Fakedefender locks up an infected device and displays fake security alerts to convince victims to purchase an app in order to remove nonexistent malware or security risks.
• April 5: LivingSocial, the daily deals site owned in part by Amazon, suffered a massive cyberattack on its computer systems. The breach affected 50 million customers of the Washington, D.C., company, who will now be required to reset their passwords.2
• April 11: The security firm CloudFlare warned of a brute-force attack against WordPress administrative portals. A botnet appeared to launch the attack, and tens of thousands of unique IP addresses were recorded attempting to break into WordPress installations using the username "admin" and trying thousands of passwords.3
• April 17: The Java exploit CVE-2013-2423 was publicly disclosed.4 Its use was immediately incorporated into various exploit kits such as WhiteHole, Cool, Neutrino, Styx, Sweet Orange, and others.
• April 19: "BadNews" for millions of users: Malware discovered spreading inside apps in Google Play.5
• May 1: Invincea reported that the US Department of Labor website was compromised to redirect visitors to a site that executed a drive-by download exploit against Internet Explorer to install the Poison Ivy backdoor Trojan. Attributed to the Chinese Deep Panda group, this "watering hole" attack exploited a previously unknown and, at that time, unpatched security bug in Microsoft's IE 8 browser (CVE-2013-1347).6
• May 3: Another watering hole attack was detected on the Louisiana Board of Regents website.7 It distributed the Sirefef malware.
• Around June 15, the Carberp banking Trojan toolkit was offered for just US$5,000 through an underground forum. The previous price had been US$40,000.8 A few days later, the download was available for free.
• June 27: McAfee's Foundstone Incident Response team obtained a 3MB piece of malware (Generic PWS.o) that was sent out during a phishing campaign. The campaign targeted several companies and institutes in the United Arab Emirates, Oman, Bahrain, and a couple of Caribbean islands.9
• June 30: The Seoul Central District Prosecutors' Office charged two South Koreans with cooperating with North Korean hackers in China to run illegal websites and steal the personal information of millions of individuals. Investigators discovered the personal data of 140 million South Koreans on their computers and believe they could have shared the information with North Korea.10
The Bitcoin saga
[Timeline figure: The Bitcoin Saga, February to July 2013: FEB 28 1BTC = $33; MAR 3 DDoS at BitInstant; APR 3 DDoS at Mt. Gox, DDoS at Silk Road; APR 10 1BTC = $266; APR 18 DDoS at Blockchain.info; APR 21 DDoS at Mt. Gox Delays Litecoin Support; MAY 14 Maryland District Court Rules Against Mt. Gox; MAY 16 WebMoney Offers WMX; MAY 22 Webroot Announces DIY Bitcoin Miner for Sale; JUN 12 BTC Phishing Campaign; JUN 21 1BTC = $110; JUN 23 DEA Announces Seizure of Bitcoins from Silk Road User; JUL 5 1BTC = $74]
Bitcoin (BTC) virtual money was in the news last quarter. At the end of February, it broke its June 2011 peak trading value, at more than US$33.11 Some days later, the BitInstant exchange service was forced to shut down after attackers walked away with more than US$12,000 in BTC.12 And that was just a warm-up for what happened this quarter.
In April, Tokyo-based Mt. Gox, the largest Bitcoin exchange service, suffered various DDoS attacks that disrupted business. The first assault occurred around April 3; at that time the BTC exchange rate exceeded US$140 to 1 BTC.13 On April 10, the value leaped to US$266 before closing at US$125 the next day.14 This keen interest resulted in 20,000 new accounts created each day. The number of new user accounts opened at Mt. Gox went from 60,000 in all of March to 75,000 in just the first few days of April.15
The sudden activity in this market of course attracted the interest of cybercriminals of all kinds. They engaged in further DDoS actions against Mt. Gox, which had to delay its plan to support Litecoin,16 and new ones against Blockchain.info.17 Silk Road, the notorious underground marketplace using Bitcoin as e-money, was taken down several times by DDoS attacks.18
The legal system also paid attention to Mt. Gox. On May 14 the U.S. District Court in Maryland ordered the seizure of Mt. Gox's funds, which were in an account with Dwolla, a payments company that transferred money from U.S. citizens to Mt. Gox to buy and sell Bitcoins.19
In May WebMoney began offering "purses," called WMX, denominated in Bitcoins. Bitcoins are transferred to an address provided by WebMoney to fund the purse, and Bitcoins can be withdrawn to a Bitcoin address.20 Bitcoins stored in a WMX purse can be transferred to other purses. In this manner WebMoney can exchange Bitcoins for other currencies supported by the service.
As the Bitcoin rate has increased, cybercriminals have shown a growing interest in malicious mining: infecting victims with malware that uses their computers' resources to mine Bitcoin without their knowledge. While the cybercriminals generate profits, the victims' computers slow down. In May, for example, Webroot posted a blog about a marketplace to customize and buy such malware.21 It has been available for sale since the first days of February.
On June 13, security researcher Brian Krebs reported a phishing campaign using both Yahoo and Bing search engines and targeting account holders at MtGox.com.22
On June 23 the US Drug Enforcement Administration (DEA) announced it had seized 11.02 BTC from a Silk Road user in April and charged him with intent to distribute drugs. The seized money was transferred into the DEA's BTC wallet.23
Actions against cybercriminals
During this quarter, we learned of a number of law enforcement efforts:
• In April, the Russian Federal Security Service (FSB) and the Security Service of Ukraine (SBU) announced they had arrested several individuals believed to be involved in the development of the Carberp banking Trojan.24 The leader of the group was a 28-year-old Russian citizen. The rest of the group—some 20 individuals between 25 and 30 years old—were arrested in Kiev, Zaporozhye, Lvov, Odessa, and Kherson.25 The ring was said to be responsible for stealing US$250 million (€193 million) in Ukraine and Russia alone.
• Hamza Bendelladj, a 24-year-old Algerian who was arrested in Thailand in January, was extradited to the United States in April. Also known as "Bx1," he was listed in a North District of Georgia indictment as a coconspirator who helped develop SpyEye components. The real name of his partner, the presumed author of the SpyEye Trojan, known in the underground as "Gribodemon" and "Harderman," was redacted in the indictment because he had not yet been arrested.26
• On May 9, federal prosecutors unsealed charges against eight people in New York linked with an international cybertheft ring accused of stealing US$45 million from banks around the globe. The alleged crooks used prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, located in the United Arab Emirates, and the Bank of Muscat, in Oman. The defendants withdrew US$2.8 million from New York banks in two separate attacks this past December and February.27 While the eight were taking the money from the New York banks, additional coconspirators made more than US$42 million in withdrawals at other banks across the world.
• In May, the founder of the digital currency system Liberty Reserve was indicted in the United States along with six other people for a US$6 billion money-laundering scheme.28 Arthur Budovsky, a Costa Rican citizen of Ukrainian origin and the founder of the currency system, was arrested in Spain, while others were arrested in Costa Rica and New York. Police in Costa Rica also raided three homes and five businesses linked to Liberty Reserve, according to the Associated Press. The digital currency's site is now offline, with its front page replaced by a notice saying that the domain had been seized by the United States Global Illicit Financial Team.
• Liberty Reserve was incorporated in Costa Rica in 2006 and had at least 200,000 customers in the United States. Suspected of helping cybercriminals in their businesses, it had failed to register in the United States as a money-transmitting service. In the same vein, on June 4 the WM Center e-currency exchange was seized by the US government and closed.29
• Accompanied by US Marshals, Microsoft technicians seized servers at two data centers in New Jersey and Pennsylvania on June 5, and with the help of the FBI coordinated with computer emergency response teams and registrars in 87 countries to sinkhole domains used by the 1,452 botnets built with the Citadel malware.30 Some security researchers criticized this operation, saying it disrupted their ongoing security research efforts by siphoning off the malicious data they had been tracking.31 Others claimed the long-term effect of this particular takedown will likely be insignificant.32
• In June, the United Kingdom's Serious Organised Crime Agency announced eleven arrests in a case involving cooperation from the Vietnamese High-Tech Crime Unit, the Criminal Investigative Division of the Ministry of Public Security of Vietnam, the Metropolitan Police Central e-Crime Unit, and the FBI. Eight criminals were arrested in Vietnam and three additional arrests were made in the United Kingdom. All suspects were associated with the "mattfeuter" family of websites, on which approximately 16,000 members allegedly bought and sold more than 1.1 million credit card records, facilitating more than US$200 million worth of fraud worldwide.33
• In June, US federal officials charged eight members of a Ukrainian cybercrime ring after they allegedly tried to illegally access the networks of a number of financial institutions, including Citibank, JP Morgan Chase, TD Ameritrade, and PayPal, along with the US Department of Defense's Finance and Accounting Services.34 From March 2012 to June 2013, the suspects hacked into these servers, embezzling money from legitimate bank accounts to feed debit cards and cashing out the accounts via ATMs and by making fake purchases as part of what the federal complaint calls the Sharapka Cash Out Organization.
• In France, investigators from OCLCTIC and DCP dismantled a gang of alleged criminals specializing in financial hacking and arrested five people in June. The crooks may have made €9 million via online shopping. In total, they were able to divert the bank data of 27,000 people. The money collected was later used to purchase high-end hardware.35
Hacktivism
This quarter's activities clearly demonstrated that hacktivists exist in many camps and support many ideologies.
[Timeline figure: Hacktivism, April to June 2013: APR 3 #OpNorthKorea Release #2; APR 7 #OpIsrael Reloaded; MAY 7 #OpUSA; MAY 16 South African Police Hacked; JUN 4 #OpTurkey; JUN 20 #OpPetrol]
On April 3, "OpNorthKorea Release #2" was announced on Pastebin.36 It demanded the resignation of North Korean leader Kim Jong-un, the abandonment of nuclear ambitions, and universal and uncensored Internet access for citizens. Several websites serving the regime were blocked (via DDoS) or defaced throughout the month. A statement purporting to come from Anonymous said that the group had compromised 15,000 user records hosted on the North Korean propaganda site uriminzokkiri.com. However, when one side makes a statement, the other is likely to reply: During the last week of June, government websites in both North and South Korea were targeted by attackers who claimed to operate under the banner of Anonymous. (A so-called official Anonymous channel has denied via tweet having any involvement in the South Korean attacks.) Some researchers suspect the attackers were the North Korean "Whois Team," which frequently uses skull bullets as a symbol of their group. (For more on related attacks, see "Operation Troy," page 4.)
After #OpIsrael, which we covered in last quarter’s Threats Report, around 30 hacktivist collectives from around the world
decided to continue the confrontation.37 On April 7, they announced #OpIsraelReloaded. The hackers say they’ve caused
massive damage, but Israeli officials have downplayed the incident, saying the attacks have caused hardly any real losses.38
The hacker Dr FreeDom claims a leak of 30,000 Visa card consumer details.39
These hacks also brought about reprisals. The pro-Israel hacker team Israel Elite Force revealed several names of suspected
#OpIsraelReloaded attackers on a dedicated website. Those named are from Jordan, India, and Lebanon. Other Israeli
supporters defaced the Anonymous #OpIsrael website.40
Operations against the United States and other Western interests were started under the names #OpUSA (May 7–9) and
#OpPetrol (June 20).41 These operations appeared to take place under the Anonymous banner, but when we looked at the
attackers’ signatures, we discovered mostly Middle Eastern and North African-based hacker groups acting contrary to the
ideals of freedom.
Many of these movements are associated with AnonGhost, a hacker team fond of using jihad themes. It is clear that
Middle Eastern sympathizers of all stripes enjoy conducting their protests under the cover of Anonymous.
In June, the protest movement in Turkey led Anonymous to launch #OpTurkey, a hack of the website of the Radio and
Television Supreme Council (RTUK). Cyberarmies were also active. The Syrian Electronic Army supported President Bashar
al‑Assad’s government by shutting down and defacing various official Turkish websites.42 Two collectives hacked into the
Turkish Prime Ministry’s network and accessed email addresses, passwords, and phone numbers belonging to Prime Minister
Tayyip Erdogan’s staff. (Erdogan has been a vocal critic of Assad’s actions in the Syrian civil war.) Another group, the Crescent
and Star Team, targeted Turkey’s Is Bank, which was said to be among the supporters of the Taksim Gezi Park protests.43
These events demonstrate the growth of hacktivism and show that attacks launched under the Anonymous banner are
only a part of the problem.
In a high-profile doxing campaign (publicly exposing private information) in South Africa, Anonymous hacked into an anonymous whistleblower website run by the South African Police Service and revealed the identities of thousands of its users, possibly jeopardizing their safety.44
The legal side also made news this quarter:
• In April, contradictory reports about hackers arrested in connection with #OpIsrael circulated in Tunisia, Jordan, and Morocco. Whether or not the news was true, these states were threatened for their "actions."
• Members of the notorious LulzSec hacking gang have been sent to jail:45
– Jake Davis (aka "Topiary"): 24 months for the ring leader
– Ryan Cleary (aka "Viral"): 32 months, will serve half that time
– Mustafa Al-Bassam (aka "T-Flow"): 20 months suspended for two years, and 300 hours of community service
– Ryan Ackroyd (aka "Kayla"): 30 months, will serve half that time
• In April, the FBI raided the house of an Anonymous hacker suspected of having exposed the Steubenville rapists. Known as KYAnonymous, the suspect is said to be the leader of KnightSec, the Anonymous offshoot that carried out "Operation Roll Red Roll," which targeted Steubenville over the rape by two football players of a 16-year-old girl.46
• In May, Italian police arrested four alleged hackers between the ages of 20 and 34. They are accused of monitoring the Italian branch of the Anonymous network.47 Six more people were placed formally under investigation and a total of 10 premises were raided at the conclusion of the two-year police investigation "Tango Down."
Cyberarmies
The Syrian Electronic Army and the Izz ad-Din al-Qassam Cyber Fighters are often in the spotlight and attracted attention again this quarter.
In the last two Threats Reports of 2012, we introduced the Iranian group Izz ad-Din al-Qassam Cyber Fighters after they claimed responsibility for various cyberattacks launched that year on US banks and financial-services companies. Tied to Iran, those actions are now known as Operation Ababil.
They continued this quarter, as we see in the following graphic:
[Timeline figure: Cyberarmies, Izz ad-Din al-Qassam Cyber Fighters targets, April to May 2013: APR 2 BB&T; APR 3 Bank of America, Regions Bank; APR 4 Wells Fargo, BB&T; APR 9 Chase, Bank of America, Capital One, American Express, BB&T, Wells Fargo; APR 10 Chase, PNC, American Express, Citizens Bank, Regions Bank; APR 11 Key Bank, HSBC; APR 16 Regions Bank, Capital One, Principal; APR 17 Regions Bank; APR 18 Ameriprise Financial, Citizens Bank, M&T Bank; APR 23–24 BB&T; MAY 1 Key Bank, BBVA, Schwab Bank; MAY 2 Union Bank]
On May 6, the Cyber Fighters announced they had stopped the attacks so as to not interfere with #OpUSA. On June 12,
Google said in a blog that it had tracked a “significant jump” in the overall volume of phishing activity in and around
Iran as its election neared.48 Some researchers have suggested many attackers focused their skills and firepower internally,
perhaps to gather intelligence about groups and individuals supporting specific candidates.49
The Syrian Electronic Army supports President Assad. This quarter, they continued their actions against media and government targets:
[Timeline figure: Syrian Electronic Army, April to June 2013: APR 16 NPR Media; APR 20 CBS News; APR 22 FIFA World Cup; APR 23 Associated Press; APR 29 The Guardian; MAY 7 The Onion; MAY 17 Financial Times; MAY 20 Saudi Arabian Ministry of Defense; MAY 21 The Telegraph; MAY 25 ITV News London, Haifa Water System; MAY 26 British Sky Broadcasting; JUN 5 Turkish Government Websites]
• April 16: NPR media network hacked; website defaced
• April 20: Four Twitter accounts belonging to CBS News programs compromised
• April 22: Two FIFA World Cup Twitter accounts hacked
• April 23: Hacked AP Twitter feed announced to millions of followers that there had been two explosions in the White House, leaving President Barack Obama injured. The news disrupted the US stock exchange, briefly wiping out US$136.5 billion in gains and leaving AP's Twitter feeds suspended.50
• April 29: 11 Guardian accounts breached
• May 7: Satire publication The Onion has Twitter account hacked
• May 17: Financial Times website and Twitter feeds hacked
• May 20: The group claimed to have hacked the Saudi Arabian Ministry of Defense email system and distributed several confidential mail exchanges
• May 21: Twitter and Facebook accounts of The Telegraph hacked
• May 25: Israel declared the SEA tried to enter the computers of the Haifa water system
• May 25: ITV News London hacked
• May 26: Sky Android apps and Twitter account hacked
• June 5: Some Turkish government websites jointly breached by Turkish hackers and the SEA
About the Authors
This report was prepared and written by Toralv Dirro, Paula Greve, Haifei Li, François Paget, Vadim Pogulievsky, Craig
Schmugar, Jimmy Shah, Ryan Sherstobitoff, Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu of McAfee Labs.
About McAfee Labs
McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors—malware, web, email, network, and vulnerabilities—McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/us/threat-center.aspx
About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and
home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions
and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy,
innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly
focused on keeping its customers safe. http://www.mcafee.com.
1 http://www.mcafee.com/uk/resources/white-papers/wp-dissecting-operation-troy.pdf
2 http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
3 http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
4 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423
5 http://blogs.mcafee.com/consumer/badnews-for-good-people
6 http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
7 http://news.softpedia.com/news/State-of-Louisiana-Website-Hacked-Spreads-Sirefef-Malware-350944.shtml
8 http://www.theregister.co.uk/2013/06/18/carberp_trojan_source_code_sale/
9 http://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean
10 http://english.chosun.com/site/data/html_dir/2013/04/08/2013040800970.html
11 http://www.bbc.co.uk/news/technology-21601608
12 http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html
13 https://mtgox.com/press_release_20130404.html
14 http://dollarvigilante.com/blog/2013/4/17/bitcoin-price-march-15-april-14-2013-the-bubble-heard-round-.html
15 https://mtgox.com/press_release_20130411.html
16 https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
17 http://news.softpedia.com/news/Bitcoin-Block-Explorer-Blockchain-info-Disrupted-by-DDOS-Attack-346497.shtml
18 http://www.wired.co.uk/news/archive/2013-05/3/silk-road-ddos
19 https://s3.amazonaws.com/s3.documentcloud.org/documents/701175/mt-gox-dwolla-warrant-idg-news-service.pdf
20 http://blog.wmtransfer.com/en/blog/wmx-the-new-type-of-title-units
21 http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
22 http://krebsonsecurity.com/2013/06/mtgox-phishing-campaign-hits-bing-yahoo/
23 http://techcrunch.com/2013/06/27/the-dea-seized-bitcoins-in-a-silk-road-drug-raid/
24 http://sbu.gov.ua/sbu/control/uk/publish/article?art_id=116410&cat_id=39574
25 http://www.net-security.org/malware_news.php?id=2458
26 http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
27 http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051
28 http://www.wired.com/threatlevel/2013/05/liberty-reserve-indicted/
29 http://www.coindesk.com/wm-center-e-currency-exchange-seized-by-us-government/
30 http://www.eweek.com/security/microsoft-fbi-shutter-citadel-botnets-seeking-to-end-500m-crime-spree/
31 http://www.infoworld.com/t/security/microsoft-accused-of-friendly-fire-in-citadel-botnet-takedown-220438
32 http://nakedsecurity.sophos.com/2013/06/12/microsoft-citadel-takedown/
33 http://garwarner.blogspot.fr/2013/06/vietnamese-carders-arrested-in.html
34 https://threatpost.com/feds-bust-cybercrime-ring-targeting-payroll-financial-firms/
35 http://www.leparisien.fr/espace-premium/actu/les-pirates-du-net-pillent-27-000-coordonnees-bancaires-12-06-2013-2888529.php
36 http://pastebin.com/4g44jfNF
37 http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q1-2013.pdf
38 http://news.softpedia.com/news/Hacktivists-Target-Over-100-000-Israeli-Sites-Officials-Say-There-s-No-Real-Damage-343610.shtml
39 http://technologynewsforday.wordpress.com/2013/04/07/30000-visa-cards-leaked-by-dr-freedom/
40 http://www.dreuz.info/2013/04/attaque-danonymous-israel-leur-a-mis-la-honte-le-w00t-ultime/
41 http://news.softpedia.com/news/Anonymous-Hackers-to-Launch-OpPetrol-on-June-20-Video-352816.shtml
42 http://www.ibtimes.com/opturkey-syrian-electronic-army-joins-anonymous-turkey-protests-hacks-erdogans-network-access-staff
43 http://www.worldbulletin.net/?ArticleID=111010&aType=haber
44 http://www.wired.co.uk/news/archive/2013-05/22/south-africa-whistleblower-leak
45 http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-HomeOffice-agency.html
46 http://gawker.com/the-fbi-raided-steubenville-anonymous-guys-house-here-511634071
47 http://www.pcworld.com/article/2039020/police-arrest-anonymous-suspects-in-italy.html
48 http://googleonlinesecurity.blogspot.fr/2013/06/iranian-phishing-on-rise-as-elections.html
49 http://krebsonsecurity.com/2013/06/iranian-elections-bring-lull-in-bank-attacks/#more-21113
50 http://www2.macleans.ca/2013/04/23/associated-press-twitter-feed-gets-hacked-claiming-explosions-at-white-house-president-injured/
McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other
countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are
provided only for information. They are subject to change without notice, and are provided without warranty of any kind, expressed or
implied. Copyright © 2013 McAfee, Inc.