Learn which kinds of fraud attacks are on the rise so you can combat them before they hit your credit union members, and what the experts at Cyveillance see coming this year. Learn more about Cyveillance, online fraud, anti-phishing and secure social media management at http://www.nafcu.org/cyveillance.
Cyber Intelligence Report
EXECUTIVE SUMMARY
The second half of 2010 saw online fraud scams continue to grow and evolve in geographical reach and technical complexity. The user protections deployed against these blended, malware-based scams, such as traditional antivirus (AV) products, still cannot adequately detect and block new and quickly changing threats on the Internet, leaving consumers exposed to the shifting cyber dangers.
The majority of malware threats on the Internet continue to originate within the United States and China. These two countries lead in almost every significant malware statistical category, which is not surprising given both countries' large population and significant Internet presence. Other developed countries do not provide the same volume of threats as the U.S. and China, but still pose significant danger to Internet users.
Phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and the emphasis on targeted attacks continue to rise. As a result, despite the number of attacks going down, the ability of phishers to be successful has risen significantly, as evidenced by the growing number of highly targeted spear phishing attacks and Advanced Persistent Threats (APTs) reported during the period. Overall, phishing continued to grow as a global problem, with nearly half of all new financial targets based in India and the Middle East.
CYBER INTELLIGENCE USED IN THIS REPORT
Except where otherwise noted, the cyber intelligence included in this report includes data collected and analyzed between July 1, 2010 and December 31, 2010. The report illustrates aggregate cyber intelligence findings that Cyveillance has delivered to its customers and partners. The intelligence detailed in this report includes the following:
• Analysis of malware detection rates of leading AV products
• Phishing trends along with industries and unique businesses targeted by phishing attacks
• A breakdown of the malware distribution chain by geographic location
APPROACH
To produce the cyber intelligence used in this report, Cyveillance has leveraged its patented Internet-monitoring technology platform. The technology continually sweeps the Internet, collecting information from more than 200 million unique domain names and 190 million unique Web sites, 80 million blogs, 90,000 message boards, thousands of IRC/chat channels, billions of spam emails, shortened URLs and more.
Unless otherwise stated, it is also important to note that all figures and statistics included in this report are actual measurements as collected by Cyveillance Internet-monitoring technology rather than statistical projections based upon sample datasets.
DOES ANTIVIRUS SOFTWARE PROVIDE ADEQUATE PROTECTION AGAINST MALWARE?
To better understand the risks consumers face daily from the Internet, and given the continued rise of active malware on the Internet, Cyveillance tested malware uncovered on the Internet against many of the top AV products.
On a daily basis, Cyveillance detects hundreds to thousands of new malware attacks. To measure the effectiveness of some of the most widely used solutions, Cyveillance ran these active attacks through 13 of the top AV vendor offerings. All AV offerings were continuously patched and updated with the latest signatures. The data was delivered in real time and consisted of only confirmed malicious files. The average non-detection rates of the solutions used during the second half of 2010 are below:
Figure 1 – Percent of Malware Not Detected on Day One
Source: Cyveillance
These companies have U.S. copyrights for their corporate names and/or products listed in the chart above, and are listed only to indicate the research results for informational purposes and no other.
As the results show, almost all of the most popular AV solutions detect less than half of the latest malware threats on day one. So if you visit a malicious website you could have a more than one in two chance of being infected with malware.
MALWARE
Since 2006, Cyveillance has tracked an online "fraud chain" comprising malware components that store and serve malware executables, distribute malware to consumers, and receive and store the confidential information collected from infected computers. The following are definitions related to the fraud chain components analyzed in this report:
1. Malware Hosting Sites - sites hosting and serving up the actual binary malware files
2. Malware Distribution Sites - tainted Web sites that distribute malware to their visitors
3. Malware Drop Sites - sites that collect sensitive and personally identifiable information
UNITED STATES AND CHINA HOST OVER A THIRD OF ALL MALWARE EXECUTABLES
Malware hosting sites store and serve up malware executables. These sites typically deliver their binary files based upon inline references located on the malware distribution sites. Servers located in the United States and China host over a third of all malware executables, representing 38% of malware binaries found during the second half of 2010.
Figure 2 – Top Malware Hosting Locations 2H 2010
Country               % of All Sites
United States         25%
China                 13%
United Kingdom        11%
Germany                6%
Korea                  3%
Russian Federation     3%
Canada                 2%
France                 2%
Brazil                 2%
Netherlands            1%
All Others            33%
Source: Cyveillance
UNITED STATES AND CHINA DISTRIBUTE MORE THAN HALF OF ALL MALWARE
Malware distribution sites are used to attract Web surfers for the purpose of installing malicious code on their computers. Visitors to these sites are infected with malicious software that is installed from the malware hosting sites previously described. Distribution sites are typically established as a means of targeting specific types of Internet users. As illustrated below, and similar to the results of the preceding section, the United States and China are responsible for distributing well over half of all malware on the Internet.
Figure 3 – Top Malware Distribution Site Locations 2H 2010
Country               % of All Sites
China                 32%
United States         27%
United Kingdom        12%
Korea                  4%
Canada                 4%
Germany                2%
Spain                  2%
Russian Federation     2%
France                 2%
Netherlands            2%
All Others             9%
Source: Cyveillance
MALWARE USED FOR FINANCIAL FRAUD
There are many types of malware, ranging from "bot" programs used to launch spam and denial of service (DoS) attacks to keyloggers and backdoor Trojan viruses used for stealing sensitive information. While all malware presents a threat, the variations used for financial fraud typically cause the most harm to consumers. The following types of malware usually reside unnoticed on the user's computer while forwarding personal information to a master server controlled by criminals:
• Keyloggers: programs that, without user knowledge, track and record activities such as sites visited and keystrokes made; these are then uploaded to an outside Web server
• Downloaders: programs that contain location and login information for malware servers. When invoked, the programs contact the remote malware server to facilitate additional malware downloads to the host computer
• Backdoors: programs that allow unauthorized access to information or computer resources by bypassing security mechanisms
• Bot Clients: applications that allow unauthorized access to and/or control over a user's computer in order to help facilitate malicious activity such as spamming or DoS attacks
• Re-Directors: applications that redirect a browser to a fraudulent website when the user enters a legitimate URL in the browser's address bar
• Data Miners: programs that collect and analyze information without the user's knowledge
USA, GERMANY AND CHINA HOST OVER HALF OF ALL MALWARE DROP SITES
Malware drop sites are established to collect the information from infected computers that use keyloggers, screen scrapers and other approaches to passively harvest sensitive personal information. Three countries, the United States, Germany and China, host over half of all malware drop sites on the Internet.
Figure 4 – Top Malware Drop Site Locations 2H 2010
Country               % of All Sites
United States         23%
Germany               16%
China                 15%
Russian Federation     5%
India                  5%
Taiwan                 5%
Brazil                 4%
Poland                 2%
Korea                  2%
Spain                  1%
All Others            23%
Source: Cyveillance
PHISHING
During the second half of 2010, Cyveillance detected a total of 114,797 phishing attacks, for an average of over 19,000 unique attacks per month for the period. The number of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that the problem of phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks results in greater success and more lucrative opportunities for online criminals. While the number of spam attacks is down, the threat of phishing attacks continues to remain high as phishers become cleverer in their attack schemes.
Figure 5 – Phishing Attack Volume 2H 2010
Source: Cyveillance
WHAT IS PHISHING?
Phishing is a social engineering scam that relies on both technology and human interaction to carry out online fraud, identity theft or attempts to breach corporate networks. The schemes are varied but typically involve a spoofed (spam) email that mimics an email from a legitimate and respected organization. The email solicits the recipient to click on a link in order to update account information or view a marketing promotion. After clicking on the link, the individual is connected to a counterfeit website that requests sensitive personal information (e.g., username and password, credit card number, Social Security number, etc.). The information collected is then used for purposes of identity theft or accessing secure data.
UNITED STATES HOSTS NEARLY HALF OF ALL PHISHING ATTACKS
The United States hosted 41% of all phishing attacks for the 2nd half of 2010, more than the remainder of the top 10 countries combined.
Figure 6 – Phishing Hosting Location 2H 2010
Country               % of All Sites
United States         41%
Netherlands            6%
Great Britain          5%
Germany                4%
Canada                 4%
France                 3%
Italy                  2%
Australia              2%
Malaysia               2%
Russian Federation     2%
All Others            28%
Source: Cyveillance
84 ORGANIZATIONS WERE PHISHING TARGETS FOR THE FIRST TIME IN SECOND HALF OF 2010
During the second half of 2010, 84 brands were first-time targets of phishing attacks, which is a decrease from the first half of the year. As usual, the overwhelming majority of the new targets are related to the financial industry. A large portion of these new targets are based in India and the Middle East, providing further evidence that the problem of phishing continues to grow globally and criminals are constantly looking for new revenue growth opportunities. Overall, Cyveillance has documented nearly 3,000 unique brands attacked since 2005.
Figure 7 – Total Unique Brands Phished through 2H 2010
Source: Cyveillance
Figure 8 – New Brands Attacked
Period        New Brands
1H 2009       200
2H 2009       399
1H 2010       109
2H 2010        84
Source: Cyveillance
Figure 9 – New Brands Attacked for First Time in 2H 2010 by Industry
Source: Cyveillance
Figure 10 – Total Unique Brands Attacked Since 2005 by Industry
Source: Cyveillance
MANY PHISHING TACTICS RELATIVELY UNCHANGED
As illustrated in Figure 11 and based on sampled data, phishers' use of a target's brand name, or a variation of the brand name, in the domain name remains low at 8% of attacks. However, the use of a target's brand name in the overall phishing attack URL, rather than just the domain name, is significantly higher at 60%. The disparity between the two statistics is due to the extra effort required from the phisher to obtain the domain, as well as the increased likelihood of the attack being detected by anti-phishing companies monitoring new domain name registrations. Including the target's brand name in the URL involves nothing more than a few keystrokes while setting up the attack.
Additionally, phishers frequently launch attacks using compromised Web servers. While there is no practical way to secure all servers on the Internet, Web masters could make setting up attacks more difficult for the phishers simply by keeping their software up to date and monitoring file structures.
Figure 12 – Phishing Attack Trends 1H 2010
Metric                                                          1H 2009   2H 2009   1H 2010   2H 2010
Percentage of phishing attacks that only use an IP address        8%       10%        9%        8%
Percentage of phishing URLs that use brand name                  46%       49%       52%       60%
Percentage of phishing domains that use brand name                4%        4%        3%        3%
Percentage of phishing attacks that use a compromised site       59%       56%       62%       64%
Source: Cyveillance
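The three URL-derived attributes in Figure 12 (IP-only host, brand in the URL, brand in the domain name) can be measured over a feed of confirmed phishing URLs with a short classifier. The following is an added example, not Cyveillance's own tooling; the sample URLs, the fictional brand "acmebank" and the two-label approximation of the registrable domain are all assumptions made here for illustration.

```python
"""Classify phishing URLs by the Figure 12 attributes: raw-IP host, brand in the
URL, brand in the domain name. The 'compromised site' attribute needs host
reputation data and cannot be read from the URL alone, so it is left out."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: (URL, targeted brand). Hosts use reserved documentation
# names/addresses (example.*, .test, 192.0.2.0/24); "acmebank" is fictional.
SAMPLE = [
    ("http://acmebank-login.example.net/secure/update", "acmebank"),  # brand in subdomain
    ("http://192.0.2.10/acmebank/signin.php", "acmebank"),            # raw IP host
    ("http://www.example.com/~user/acmebank/verify.html", "acmebank"),  # brand in path
    ("http://example.org/images/cgi/login.htm", "acmebank"),          # no brand anywhere
    ("http://www.acmebank-verify.test/login", "acmebank"),            # brand in registered domain
]

def is_ip_only(url):
    """True when the host is a bare IP literal rather than a domain name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def brand_in_domain(url, brand):
    """True when the brand appears in the registrable domain. Assumption: the
    registrable domain is the last two labels; production code would consult
    a public-suffix list so that e.g. co.uk is handled correctly."""
    if is_ip_only(url):
        return False
    host = (urlsplit(url).hostname or "").lower()
    registrable = ".".join(host.split(".")[-2:])
    return brand.lower() in registrable

def brand_in_url(url, brand):
    """True when the brand appears anywhere in the URL (host, path or query)."""
    return brand.lower() in url.lower()

def phishing_stats(sample):
    """Percentage of URLs matching each attribute, rounded as in Figure 12."""
    n = len(sample)
    counts = {"ip_only": 0, "brand_in_url": 0, "brand_in_domain": 0}
    for url, brand in sample:
        counts["ip_only"] += is_ip_only(url)
        counts["brand_in_url"] += brand_in_url(url, brand)
        counts["brand_in_domain"] += brand_in_domain(url, brand)
    return {k: round(100 * v / n) for k, v in counts.items()}

if __name__ == "__main__":
    for attr, pct in phishing_stats(SAMPLE).items():
        print(f"{attr}: {pct}%")
```

On the constructed sample the brand appears in 80% of URLs but in only 20% of registered domains, reproducing the gap the report describes between the two measures.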
CONCLUSION
The online fraud environment continued to flourish for cyber criminals in the second half of 2010, posing serious danger to both consumers and businesses. Attacks continued to become more distributed, operating from regions around the globe and leveraging distributed resources to evade detection and law enforcement efforts. With nearly half of all new financial phishing targets based in India and the Middle East, the increasingly global nature of online fraud is evident.
Cyveillance also continued to see growth in the volume of highly targeted attacks such as spear and whale phishing, frequently associated with Advanced Persistent Threats (APTs). As evidenced in the Aurora attack earlier in 2010, the impact of these attacks can be devastating if undetected over a period of time.
Looking forward to the first half of 2011 and beyond, Cyveillance expects to see:
• Traditional phishing attacks remaining a significant issue for organizations due to the continued expansion of attack vectors such as blended attacks with malware.