As reported in the ISTR Volume 19, 2013 saw a 500 percent increase in ransomware in the latter part of the year. Overall ransomware levels remained high through March 2014, and then slowly started to decline, in part due to the disruption of the GameOver Zeus botnet back in late May.
In contrast, crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but now make up 31 percent at the end of August. One variant known as Trojan.Cryptodefense began to appear in large numbers in early June. By the end of July, it made up 77 percent of all crypto-style ransomware for the year to date. This follows predictions in the ISTR saying this type of malware would become more common in 2014.
Over 31.5 million identities were reported exposed in August, from 12 incidents. The jump in exposed identities is due to a large breach in South Korea, comprising 27 million identities. In the last 12 months 53 percent of data breaches were caused by hacking and 21 percent were accidentally made public.
The average number of spear-phishing emails blocked each day for August was 20, compared with 54 in July and 88 in June. This is below the year-to-date average of 86, which is slightly higher than the daily average of 84 for all of 2013.
The most frequently used malicious file types in these email-based targeted attacks were .exe and .doc file types, with .exe attachments coming out on top this month at 31.8 percent. 29 percent of spear phishing emails were sent to Manufacturing, returning it to the top of the industries targeted.
One in 1,587 emails was identified as a phishing attempt, compared with one in 1,298 for July and one in 496 in June. While at first glance this looks like a big drop, it is not indicative of a wider trend just yet, resulting in only a 0.01 percentage point decrease in the overall phishing rate.
We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.
Symantec Corporation
Symantec Intelligence Report :: AUGUST 2014
CONTENTS
Summary
TARGETED ATTACKS + DATA BREACHES
Targeted Attacks
Attachments Used in Spear-Phishing Emails
Spear-Phishing Attacks by Size of Targeted Organization
Average Number of Spear-Phishing Attacks Per Day
Top-Ten Industries Targeted in Spear-Phishing Attacks
Data Breaches
Timeline of Data Breaches
Total Identities Exposed
Top Causes of Data Breaches
Total Data Breaches
Top-Ten Types of Information Breached
MALWARE TACTICS
Malware Tactics
Top-Ten Malware
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Ransomware Over Time
Malicious Activity by Source: Bots
Vulnerabilities
Number of Vulnerabilities
Zero-Day Vulnerabilities
Browser Vulnerabilities
Plug-in Vulnerabilities
SOCIAL MEDIA + MOBILE THREATS
Mobile
Mobile Malware Families by Month, Android
Mobile Threat Classifications
Social Media
Social Media
PHISHING, SPAM + EMAIL THREATS
Phishing and Spam
Phishing Rate
Global Spam Rate
Email Threats
Proportion of Email Traffic Containing URL Malware
Proportion of Email Traffic in Which Virus Was Detected
About Symantec
More Information
Summary
Welcome to the August edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.
Ben Nahorney, Cyber Security Threat Analyst
symantec_intelligence@symantec.com
TARGETED ATTACKS + DATA BREACHES
At a Glance
• The average number of spear-phishing attacks dropped to 20 per day in August, the lowest seen in the last twelve months.
• The .exe file type was the most common attachment type used in spear-phishing attacks, followed by .doc files.
• Organizations with 2500+ employees were the most likely to be targeted in August.
• Manufacturing led the Top-Ten Industries targeted, followed by Professional Services.
Targeted Attacks
Average Number of Spear-Phishing
Attacks Per Day
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: average number of spear-phishing attacks per day, by month, September 2013 to August 2014]
Attachments Used in Spear-Phishing
Emails
Source: Symantec :: AUGUST 2014
Executable type August July
.exe 31.8% 15.10%
.doc 22.8% 19.90%
.txt 9.6% --
.rtf 7.7% --
.scr 4.4% 5.60%
.class 4.2% 2.40%
.pdf 2.8% 2.00%
.tjv 1.1% --
.com 0.8% --
.fas 0.7% --
Spear-Phishing Attacks by Size
of Targeted Organization
Source: Symantec :: AUGUST 2014
Organization Size August July
1-250 28.8% 35.7%
251-500 7.8% 8.5%
501-1000 4.6% 9.0%
1001-1500 6.3% 3.1%
1501-2500 4.6% 4.1%
2500+ 47.8% 39.6%
Top-Ten Industries Targeted in
Spear-Phishing Attacks
Source: Symantec :: AUGUST 2014
Industry Percent
Manufacturing 29%
Services - Professional 16%
Finance, Insurance & Real Estate 15%
Wholesale 12%
Services - Non Traditional 9%
Transportation, Gas, Communications, Electric 7%
Public Administration 6%
Retail 1%
Mining 1%
Logistics 1%
Data Breaches
At a Glance
• The largest data breach reported in August resulted in the exposure of 27 million identities. For the month, 31 million identities were exposed.
• Hackers have been responsible for 53 percent of data breaches in the last 12 months.
• Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.
Timeline of Data Breaches
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: number of incidents and identities exposed (millions) per month, September 2013 to August 2014]
Top Causes of Data Breaches
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
Cause Percent Number of Incidents
Hackers 53% 137
Accidentally Made Public 21% 55
Theft or Loss of Computer or Drive 20% 51
Insider Theft 6% 16
TOTAL 259
Total Data Breaches, SEPTEMBER 2013 — AUGUST 2014: 259
Total Identities Exposed, SEPTEMBER 2013 — AUGUST 2014: 598 Million
Top-Ten Types of Information Breached
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
Rank Information Type Percent
01 Real Names 68%
02 Gov ID numbers (Soc Sec) 44%
03 Home Address 40%
04 Birth Dates 40%
05 Financial Information 32%
06 Medical Records 30%
07 Phone Numbers 19%
08 Email Addresses 18%
09 Usernames & Passwords 14%
10 Insurance 8%
Methodology
This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model
that measures the levels of threats, including malicious software, fraud, identity theft, spam,
phishing, and social engineering daily. The data breach section of the Norton CCI is derived from
data breaches that have been reported by legitimate media sources and have exposed personal
information.
In some cases a data breach is not publicly reported during the same month the incident occurred,
or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in
the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months
when a new report is released.
Norton Cybercrime Index
http://us.norton.com/protect-yourself
MALWARE TACTICS
Malware Tactics
At a Glance
• W32.Sality and W32.Ramnit variants continue to dominate the top-ten malware list.
• The most common OSX threat seen on OSX was OSX.RSPlug.A, making up 51 percent of all OSX malware found on OSX Endpoints.
• Overall ransomware activity has remained low since March of this year. However, crypto-style ransomware has seen a 700 percent increase since January.
• The US and China were first and second, respectively, in August in terms of overall botnet source activity.
Top-Ten Malware
Source: Symantec :: AUGUST 2014
Rank Name August July
1 W32.Sality.AE 4.3% 4.8%
2 W32.Ramnit!html 4.3% 4.3%
3 W32.Almanahe.B!inf 3.6% 3.9%
4 W32.SillyFDC.BDP!lnk 3.0% 2.1%
5 W32.Ramnit.B 2.7% 2.9%
6 W32.Downadup.B 2.3% 2.8%
7 W32.Ramnit.B!inf 1.9% 2.0%
8 W32.Virut.CF 1.2% 1.4%
9 Trojan.Zbot 1.1% 1.4%
10 W32.SillyFDC 0.9% --
Top-Ten Mac OSX Malware Blocked
on OSX Endpoints
Source: Symantec :: AUGUST 2014
Rank Malware Name August July
1 OSX.RSPlug.A 51.2% 38.20%
2 OSX.Flashback.K 8.5% 8.80%
3 OSX.Stealbit.B 8.1% 12.50%
4 OSX.Klog.A 7.2% --
5 OSX.Sabpab 4.2% 5.80%
6 OSX.Netweird 2.7% 2.00%
7 OSX.Flashback 2.6% 2.50%
8 OSX.Crisis 2.2% 5.70%
9 OSX.FakeCodec 1.9% 1.70%
10 OSX.Keylogger 1.6% 2.60%
Malicious Activity by Source: Bots
Source: Symantec :: JULY 2014
Rank Country/Region Percent
1 United States 25.2%
2 China 11.7%
3 Taiwan 7.7%
4 Hungary 5.1%
5 Italy 4.2%
6 Brazil 3.1%
7 Canada 3.1%
8 Japan 3.0%
9 France 2.8%
10 Germany 2.5%
Ransomware Over Time
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: ransomware over time, monthly values in thousands, September 2013 to August 2014]
Number of Vulnerabilities
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: number of vulnerabilities disclosed per month, September 2013 to August 2014]
Zero-Day Vulnerabilities
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: number of zero-day vulnerabilities per month, September 2013 to August 2014]
Vulnerabilities
At a Glance
• There were 399 vulnerabilities disclosed during the month of August.
• There were no zero-day vulnerabilities discovered in August.
• Internet Explorer has reported the most browser vulnerabilities in the last 12 months.
• Oracle’s Java reported the most plug-in vulnerabilities over the same time period.
Browser Vulnerabilities
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: browser vulnerabilities per month, September 2013 to August 2014. Series: Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Apple Safari]
Plug-in Vulnerabilities
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: plug-in vulnerabilities per month, September 2013 to August 2014. Series: Java, Apple, Adobe, ActiveX]
SOCIAL MEDIA + MOBILE THREATS
Mobile
Mobile Malware Families by Month,
Android
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: number of Android mobile malware families discovered per month, September 2013 to August 2014]
At a Glance
• There were two Android malware families discovered in July.
• Of the threats discovered in the last 12 months, 24 percent steal information from the device and 23 percent track the device’s user.
• In terms of social networking scams, 52 percent were fake offerings and 37 percent were manually shared scams.
Mobile Threat Classifications
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
• Track User: Risks that spy on the individual using the device, collecting SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or gathering pictures and video taken with the device.
• Steal Information: This includes the collection of both device- and user-specific data, such as device information, configuration data, or banking details.
• Traditional Threats: Threats that carry out traditional malware functions, such as back doors and downloaders.
• Reconfigure Device: These types of risks attempt to elevate privileges or simply modify various settings within the operating system.
• Adware/Annoyance: Mobile risks that display advertising or generally perform actions to disrupt the user.
• Send Content: These risks will send text messages to premium SMS numbers, ultimately appearing on the bill of the device’s owner. Other risks can be used to send spam messages.
[Chart: percentage of mobile threats in each classification]
Social Media
Social Media
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
• Fake Offers: These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
• Manual Sharing Scams: These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
• Likejacking: Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
• Comment Jacking: Similar to likejacking, this type of scam relies on users clicking links that are added to comments by attackers. The links may lead to malware or survey scams.
• Fake App: Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.
Scam Type Percent
Fake Offering 52%
Manual Sharing 37%
Likejacking 8.5%
Fake Apps 1.7%
Comment Jacking 0.6%
PHISHING, SPAM + EMAIL THREATS
Phishing and Spam
Phishing Rate
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: phishing rate per month, expressed as one in N emails, September 2013 to August 2014]
At a Glance
• The phishing rate was down again in August, at one in 1,587 emails, down from one in 1,290 emails in July.
• The global spam rate was 62.6 percent for the month of August.
• One out of every 270 emails contained a virus.
• Of the email traffic in the month of August, 3.2 percent contained a malicious URL.
Global Spam Rate
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: global spam rate per month, in percent, September 2013 to August 2014]
Email Threats
Proportion of Email Traffic
Containing URL Malware
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: percentage of email traffic containing URL malware, by month, September 2013 to August 2014]
Proportion of Email Traffic
in Which Virus Was Detected
Source: Symantec :: SEPTEMBER 2013 — AUGUST 2014
[Chart: proportion of email traffic in which a virus was detected, expressed as one in N emails, by month, September 2013 to August 2014]
About Symantec
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.
More Information
• Symantec Worldwide: http://www.symantec.com/
• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
• Symantec Security Response: http://www.symantec.com/security_response/
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/