July 2011 Internet Threats Trend Report

DESCRIPTION

The Commtouch Quarterly Trends Threat Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The July 2011 edition provides analysis of Internet security threats that occurred during the second quarter of 2011. You can download the complete report at http://www.commtouch.com/threat-report-July2011.

Page 1: July 2011 Internet Threats Trend Report

Internet Threats

Trend Report

July 2011

Page 2: July 2011 Internet Threats Trend Report

July 2011 Threat Report

The following is a condensed version of the July 2011 Commtouch Internet Threats Trend Report

Download the complete report at www.commtouch.com/threat-report-July2011

Copyright © 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.

Page 3: July 2011 Internet Threats Trend Report

July 2011 Threat Report

• Key Highlights

• Trends: Spam, Malware, Web Security, Compromised Websites, Phishing, Zombies and Web 2.0

• Feature: Where did all the spam go?

Page 4: July 2011 Internet Threats Trend Report

Key Highlights for Q2 2011

Page 5: July 2011 Internet Threats Trend Report

Key Security Highlights

Average daily spam/phishing emails sent

113 billion

Average daily spam down from Q1

Lowest level in 3 years

Page 6: July 2011 Internet Threats Trend Report

377,000 Zombies

Zombie daily turnover

Key Security Highlights

Number of zombies turned off and on daily - up significantly from 258,000 in Q1

Page 7: July 2011 Internet Threats Trend Report

Most popular blog topic on user generated content sites

Streaming media/ downloads

Key Security Highlights

The streaming media & downloads category includes sites with live or archived media for download or streaming content, such as Internet radio, Internet TV or MP3 files.

(No Change)

Page 8: July 2011 Internet Threats Trend Report

Key Security Highlights

Most popular spam topic

Pharmacy Ads

While it was the most popular spam topic, it was down to only 24% of all spam, compared to 28% in Q1

Page 9: July 2011 Internet Threats Trend Report

Country with the most Zombies

India

Key Security Highlights

India continues to lead with 17% of all Zombies

(No Change)

Page 10: July 2011 Internet Threats Trend Report

Website category most likely to be compromised with malware

Pornography and sexually explicit material

Key Security Highlights

Page 11: July 2011 Internet Threats Trend Report

Feature…

Where did all the spam go?

Page 12: July 2011 Internet Threats Trend Report

• Q2 spam was at its lowest level in 3 years

• June’s spam level (106 billion)

• At its lowest point in June, spam accounted for 75% of all emails

Q2 2011 Spam Trends

Source: Commtouch

[Chart: Average daily spam emails sent]

Page 13: July 2011 Internet Threats Trend Report

Q2 2011 Spam Trends

Source: Commtouch

[Chart: Spam Levels & Spam Percentage, March - June 2011. Series: Spam, Ham, % spam. Annotation: 16th Mar, Rustock takedown]

Page 14: July 2011 Internet Threats Trend Report

• Indications are that spammer tactics are changing

• The mid-March 2011 Microsoft-led takedown of the Rustock botnet immediately dropped spam levels by 30%, to an average of 119 billion messages per day

• In the past, such takedowns have resulted in only temporary spam level drops, followed by increased activity to build new botnets and resume mass mailings

Q2 2011 Spam Trends

Page 15: July 2011 Internet Threats Trend Report

• Other changes in Q2 spam activity

  • Rustock takedown followed by large increases in email-borne malware

  • Number of zombies activated daily more than doubled in weeks following the malware outbreaks

  • Increased zombie horde not used for vast spam mailings (hence the declining spam numbers) but instead for smaller malware distribution attacks

• Spam coming from compromised or spammer accounts as well as compromised mail servers has increased

Q2 2011 Spam Trends

Page 16: July 2011 Internet Threats Trend Report

Q2 2011 Spam Trends

A percentage of emails from Gmail and Hotmail actually come from genuine accounts – compromised accounts or accounts specifically created by spammers

Analysis of Compromised Accounts

• Almost 30% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts

• Gmail spam mostly from zombies that simply forge Gmail addresses

Source: Commtouch

Page 17: July 2011 Internet Threats Trend Report

Q2 2011 Spam Trends

Analysis: Things are different this time as spammers are changing their tactics

Download the complete July 2011 Internet Threats Trend Report for a complete review of the changing tactics of cybercriminals: www.commtouch.com/threat-report-July2011

Page 18: July 2011 Internet Threats Trend Report

Trends in Q2 2011…

Spam Trends

Page 19: July 2011 Internet Threats Trend Report

Spam Trends

Spam Sending Domains

Commtouch monitors domains used by spammers in the “from” field of the spam emails, typically faked in order to give the impression of a reputable, genuine source.

Page 20: July 2011 Internet Threats Trend Report

Spam Trends

Top Faked Spam Sending Domains*

Source: Commtouch

* The domains that are used by spammers in the “from” field of the spam emails.

• NOTE “ups.com” in 14th place due to very large numbers of fake UPS notification emails sent in Q2

• See more details on the UPS outbreak in this quarter’s complete Internet Threats Trend Report

Page 21: July 2011 Internet Threats Trend Report

Spam Trends

• Pharmacy spam remained in the top spot but dropped to only 24% (down from 28% in Q1 2011)

• 419 fraud, phishing, and pornography all increased

Source: Commtouch

Spam Topics

Page 22: July 2011 Internet Threats Trend Report

Spam Trends

• Q2 2011 also saw the emergence of e-cigarette spam

French email above promotes health benefits of e-cigarettes due to the absence of 4,000 unwanted substances found in a normal cigarette

Page 23: July 2011 Internet Threats Trend Report

Trends in Q2 2011…

Malware

Page 24: July 2011 Internet Threats Trend Report

• End of Q1 2011

  • Enormous outbreaks of email-borne malware (up to 30% of global email traffic)

  • Initial attachments were “UPS package notifications”

  • Then the subjects changed to “DHL package notifications”

• Start of Q2 2011

  • Attacks continued on smaller scale

  • Switched to “FedEx notifications”

Q2 2011 Malware Trends

Page 25: July 2011 Internet Threats Trend Report

Examples of Malware

Attack: IRS Payment Rejected

Purpose: Most likely password theft

How it works:

• Email appears to be from IRS (US government income tax authority)

• Message informs recipients that their tax payments via the electronic payment system were rejected

• Link provided to receive a “tax transaction report” (actually a .exe file described as a self-extracting PDF file)

Page 26: July 2011 Internet Threats Trend Report

Examples of Malware

• Links lead to one of 2,500 domains registered in the 48 hours before the attack

• Upon clicking the link, users get to a page with a “404 not found” message, which hides the script that starts the virus download

Page 27: July 2011 Internet Threats Trend Report

Examples of Malware Attacks

Attack: PDF Malware

Purpose: Capture keystrokes and browser activity

How it works:

• Targets financially knowledgeable victims using the term “stat arb” (foreign exchange trading term) in the subject

• Extracted file appears to be a PDF, but is actually an executable file

• When the file runs, it actually shows a non-malicious PDF file in a fake PDF reader window

Page 28: July 2011 Internet Threats Trend Report

Examples of Malware Attacks

Fake PDF file and reader

Email with attachment

Page 29: July 2011 Internet Threats Trend Report

Malware Trends

Source: Commtouch

Top 10 Malware of Q2 2011

Rank Malware name

1 IFrame.gen

2 W32/Ramnit.E

3 W32/Worm.BAOX

4 W32/RAHack.A.gen!Eldorado

5 W32/Sality.gen2

6 W32/Worm.MWD

7 W32/VBTrojan.17E!Maximus

8 W32/Ramnit.D

9 W32/Mydoom.O@mm

10 W32/Vobfus.L.gen!Eldorado

Page 31: July 2011 Internet Threats Trend Report

Trends in Q2 2011…

Web Security

Page 32: July 2011 Internet Threats Trend Report

Q2 Threats

Facebook’s vast and ever-increasing user base continues to attract cybercriminals

The Pros:

• Trusted friend environment means users don’t suspect a message is coming from a compromised account

The Cons:

• Need compromised accounts to access other accounts

• Friend networks rarely exceed a few hundred people

• Facebook has implemented mechanisms to detect multiple simultaneous message postings

Page 33: July 2011 Internet Threats Trend Report

Q2 Facebook Threats

Several techniques combined with social engineering elements were used to compromise Facebook user accounts in Q2 and increase the scale of attacks.

Exploits in Q2 2011

Page 34: July 2011 Internet Threats Trend Report

Q2 Facebook Threats

Example: Osama Bin Laden death exploited by Affiliate Marketing Groups

• Goal of exploit: Affiliates earn money by driving victims to sites that pay bonuses based on clicks or successful sign-ups

• How exploit worked: Initial Osama-themed messages sent from several compromised accounts and then quickly spread to draw users to the affiliated sites (see flow on next slide)

Page 35: July 2011 Internet Threats Trend Report

Q2 Facebook Threats

Osama Bin Laden Affiliate Marketing Exploit

• User receives message or event invitation from friend promising video of Bin Laden death. Message tricks user into running a malicious JavaScript while Facebook is open.

• With access to user’s friends, malware sends out more invitations to continue the cycle.

• Infected user is led to a site with YouTube clip of President Obama announcing operation.

• Site then quickly redirects to an affiliate marketing page.

Page 36: July 2011 Internet Threats Trend Report

Q2 Facebook Threats

Osama Bin Laden – users run this script

Page 37: July 2011 Internet Threats Trend Report

Q2 Facebook Threats

Additional Facebook exploits in Q2:

• See who’s been viewing your profile

• Free Facebook credits

• How many girls and boys have viewed your wall

Download the complete July 2011 Internet Threats Trend Report for more details on these exploits: www.commtouch.com/threat-report-July2011

Page 38: July 2011 Internet Threats Trend Report

Other trends in Q2 2011…

Compromised Websites

Page 39: July 2011 Internet Threats Trend Report

Compromised Websites

• Compromised websites being used to hide phishing pages and malware

• Benefits to the cybercriminal

  • Legitimate domains most likely have a good reputation in URL filter engines, so not likely to be blocked

  • Provides FREE hosting

Trends in Compromised Websites

Page 40: July 2011 Internet Threats Trend Report

Compromised Websites

Example: iPhone 5 Virus (May 2011)

• Malicious email distributed with promise of details regarding soon to be released “iPhone 5G S”

• Images and links in email point to a file “iphone5.gif”, but it is actually a malware file “iphone5.gif.exe”
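The two disguises described in this deck (the "PDF" that is really an executable, and `iphone5.gif.exe`) can be checked for at a mail or web gateway. The sketch below is an added example, not Commtouch code; the extension lists and the function name `classify` are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import os

# Assumed lists for illustration; a real gateway policy would be broader.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".gif", ".jpg", ".png", ".pdf", ".doc", ".txt"}
# Leading bytes expected for some document/image types.
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".pdf": (b"%PDF-",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",)}
MZ = b"MZ"  # DOS/PE executable header


def classify(filename, head):
    """Return reasons a file looks like a disguised executable (empty if none).

    filename: name as shown in the mail or URL; head: first bytes of content.
    """
    reasons = []
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    _, inner = os.path.splitext(stem)
    # Case 1: harmless-looking extension followed by an executable one.
    if last in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        reasons.append(f"double extension {inner}{last}")
    # Case 2: executable content behind a non-executable name.
    if head.startswith(MZ) and last not in EXECUTABLE_EXTS:
        reasons.append(f"PE header behind {last or 'no'} extension")
    # Case 3: content does not match the type the name claims.
    expected = MAGIC.get(last)
    if expected and not head.startswith(expected):
        reasons.append(f"content does not match {last} signature")
    return reasons


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("iphone5.gif.exe", b"MZ\x90\x00"),
    ("iphone5.gif", b"GIF89a\x01\x00"),
    ("report.pdf", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(fname, "->", classify(fname, head) or "ok")
```
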

Page 41: July 2011 Internet Threats Trend Report

Compromised Websites

Example: iPhone 5 Virus (May 2011)

• Examination of the link reveals malware is hidden inside a compromised, legitimate website (see image)

Page 42: July 2011 Internet Threats Trend Report

Website categories infected with malware

Compromised Websites

Rank Category

1 Pornography/Sexually Explicit

2 Parked domains

3 Portals

4 Education

5 Entertainment

6 Business

7 Health & Medicine

8 Travel

9 Computers & Technology

10 Fashion & Beauty

Portals category includes sites offering free homepages, which are abused to host phishing and malware content.

Page 44: July 2011 Internet Threats Trend Report

Other trends in Q2 2011…

Phishing Trends

Page 45: July 2011 Internet Threats Trend Report

Phishing Trends

• Phishing attacks continued to target

• Local and global banks

• Web email users

• Facebook accounts

• Online gaming sites

Page 46: July 2011 Internet Threats Trend Report

Phishing Trends

• Users asked to enter their credentials to overcome a security warning on the page

• By entering credentials, they provide the phisher with valid Facebook access details that can be used or sold to other cybercriminals

Example – Facebook Phishing Page

Page 47: July 2011 Internet Threats Trend Report

Phishing Trends

Improved Phishing Sites

• In an attempt to provide protection from keyloggers, some financial institutions provide a virtual keyboard which users must use to enter their login information and passwords

• Phishers have now added these keyboards, which mimic the original, to their phishing pages (see example on next page)

Page 48: July 2011 Internet Threats Trend Report

Phishing Trends

Improved Phishing Sites

Fake Abu Dhabi Commercial Bank (ADCB) site complete with reproduced virtual keyboard

Page 49: July 2011 Internet Threats Trend Report

Website categories infected with phishing

Compromised Websites

Rank Category

1 Games

2 Portals

3 Shopping

4 Forums/Newsgroups

5 Non-profits & NGO

6 Fashion & Beauty

7 Leisure & Recreation

8 Sports

9 Education

10 Business

Portals category includes sites offering free homepages, which are abused to host phishing and malware content.

Page 51: July 2011 Internet Threats Trend Report

Trends in Q2 2011…

Zombie Trends

Page 52: July 2011 Internet Threats Trend Report

Zombie Trends

• Average of 377,000 zombies newly activated each day for malicious activity

• Substantial increase compared to the 258,000 in Q1

Daily Turnover of Zombies in Q2

Source: Commtouch

Page 53: July 2011 Internet Threats Trend Report

Zombie Trends

Worldwide Zombie Distribution in Q2

• India remains atop the list with 17%

• Brazil, Vietnam, and the Russian Federation all remained in the same places

• Peru and Argentina dropped out of the top 15, replaced by Romania and Morocco

Source: Commtouch

Page 54: July 2011 Internet Threats Trend Report

Zombie Trends

• As IPv4 addresses reach exhaustion, IPv6 addresses will begin to become more prevalent

• Vast number of IPs available to a zombie makes blocking of a specific IP, associated with a Zombie, impossible

• Blocking a range of IPs has issues

  • May block other users/devices that are not malicious (i.e.: generates false positives)

  • No standard IP range allocation currently defined – it is therefore difficult to know how wide a range of IPs should be blocked

Zombies and IPv6
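The trade-off between per-address and per-range blocking can be measured on observed traffic. The following is an added example, not part of the Commtouch report: the addresses are constructed from the IPv6 documentation prefix 2001:db8::/32, and the candidate prefix lengths (/128, /64, /56, /48) are assumptions, since the slide notes that no standard range allocation is defined.

```python
import ipaddress

# Constructed sample data in the IPv6 documentation prefix 2001:db8::/32.
# Two zombies, each rotating addresses inside its own /64, plus three
# legitimate senders at increasing distance from them.
SPAM_SOURCES = [
    "2001:db8:a:1::10", "2001:db8:a:1::beef", "2001:db8:a:1:9c2:ff:fe00:1",
    "2001:db8:a:2::5", "2001:db8:a:2::6",
]
LEGIT_SOURCES = ["2001:db8:a:3::25", "2001:db8:a:100::25", "2001:db8:b:1::25"]
# Address the first zombie moves to after the blocklist was built.
NEXT_ZOMBIE_ADDR = "2001:db8:a:1::cafe"


def blocklist_for(sources, prefix_len):
    """Collapse observed spam sources into covering networks of prefix_len."""
    return sorted({ipaddress.ip_network(f"{s}/{prefix_len}", strict=False)
                   for s in sources})


def is_blocked(addr, nets):
    """True if addr falls inside any network on the blocklist."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def evaluate(prefix_len, spam=SPAM_SOURCES, legit=LEGIT_SOURCES,
             next_addr=NEXT_ZOMBIE_ADDR):
    """Return (blocklist entries, rotated zombie still blocked?, false positives)."""
    nets = blocklist_for(spam, prefix_len)
    false_positives = [a for a in legit if is_blocked(a, nets)]
    return len(nets), is_blocked(next_addr, nets), false_positives


if __name__ == "__main__":
    for plen in (128, 64, 56, 48):
        entries, still_blocked, fps = evaluate(plen)
        print(f"/{plen}: entries={entries} rotated_blocked={still_blocked} "
              f"false_positives={fps}")
```

On this data, single-address entries miss the zombie as soon as it rotates, while each wider prefix shortens the list at the cost of catching more of the legitimate senders.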

Page 55: July 2011 Internet Threats Trend Report

Zombie Trends

• Commtouch has begun to monitor spam received from IPv6 sources and future Internet Threat Trend Reports may include relevant data as IPv6 traffic grows

• Two on-demand webcasts are available from Commtouch providing information on IPv6 and potential threats:

• An introduction to IPv6

• Overview of IPv6 threats

Zombies and IPv6

Page 56: July 2011 Internet Threats Trend Report

Trends in Q2 2011…

Web 2.0 Trends

Page 57: July 2011 Internet Threats Trend Report

Web 2.0 Trends

Most Popular User Generated Content Sites

Rank Category %

1 Streaming Media & Downloads 21%

2 Entertainment 9%

3 Computers & Technology 8%

4 Pornography/Sexually Explicit 5%

5 Shopping 5%

6 Arts 4%

7 Fashion & Beauty 4%

8 Religion 4%

9 Sports 4%

10 Restaurants & Dining 4%

11 Education 3%

12 Leisure & Recreation 3%

13 Health & Medicine 3%

14 Games 2%

Source: Commtouch

Page 58: July 2011 Internet Threats Trend Report

Review of Q2 2011

Page 59: July 2011 Internet Threats Trend Report

Review of Q2 2011

Source: Commtouch

Page 61: July 2011 Internet Threats Trend Report

For more information contact: [email protected]

650 864 2000 (Americas) +972 9 863 6895 (International)

Web: www.commtouch.com

Blog: http://blog.commtouch.com