There was a significant jump in emails containing malicious URLs during the month of November, where 41 percent of email-borne malware contained a link to a malicious or compromised website. The last time we saw this level of activity was back in August of 2013. Since then, URL malware had been present in 3 to 16 percent of malicious emails each month, until this recent surge.
We have reason to believe that the Cutwail botnet is responsible for some of this increase. However, this botnet only makes up 3.7 percent of total botnet activity tracked in November. Kelihos and Gamut appear to be in the number one and two positions, comprising 19.2 and 18.8 percent respectively.
The topics in the campaigns we’ve seen so far include fake telecom billing notices, as well as fax and voicemail spam, and government levied fines. The URLs in the first two campaigns appear to be downloaders that will install further malware on a compromised computer, while the third campaign leads to fake captcha sites hosting crypto-ransomware.
Ransomware as a whole continues to decline as the year progresses. However, the amount of crypto-ransomware seen continues to comprise a larger portion of this type of malware. This particularly aggressive form of ransomware made up 38 percent of all ransomware in the month of November.
Symantec Corporation
Symantec Intelligence Report :: NOVEMBER 2014
CONTENTS
Summary
TARGETED ATTACKS + DATA BREACHES
  Targeted Attacks
    Attachments Used in Spear-Phishing Emails
    Spear-Phishing Attacks by Size of Targeted Organization
    Average Number of Spear-Phishing Attacks Per Day
    Top-Ten Industries Targeted in Spear-Phishing Attacks
  Data Breaches
    Timeline of Data Breaches
    Total Identities Exposed
    Top Causes of Data Breaches
    Total Data Breaches
    Top-Ten Types of Information Breached
MALWARE TACTICS
  Malware Tactics
    Top-Ten Malware
    Top-Ten Mac OSX Malware Blocked on OSX Endpoints
    Ransomware Over Time
    Top-Ten Botnets
  Vulnerabilities
    Number of Vulnerabilities
    Zero-Day Vulnerabilities
    Browser Vulnerabilities
    Plug-in Vulnerabilities
SOCIAL MEDIA + MOBILE THREATS
  Mobile
    Mobile Malware Families by Month, Android
    Mobile Threat Classifications
  Social Media
    Social Media
PHISHING, SPAM + EMAIL THREATS
  Phishing and Spam
    Phishing Rate
    Global Spam Rate
  Email Threats
    Proportion of Email Traffic Containing URL Malware
    Proportion of Email Traffic in Which Virus Was Detected
About Symantec
More Information
Summary
Welcome to the November edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.
We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.
Ben Nahorney, Cyber Security Threat Analyst
symantec_intelligence@symantec.com
At a Glance
• The average number of spear-phishing attacks dropped to 43 per day in November, down from 45 in October.
• The .doc file type was the most common attachment type used in spear-phishing attacks. The .exe file type came in second.
• Organizations with 2500+ employees were the most likely to be targeted in November.
• Non-Traditional Services narrowly lead the Top-Ten Industries targeted, followed by Manufacturing. The difference between the two industries was 0.07 percentage points.
Targeted Attacks
Average Number of Spear-Phishing Attacks Per Day
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: average number of spear-phishing attacks per day, by month, December 2013 through November 2014]
Attachments Used in Spear-Phishing Emails
Source: Symantec :: NOVEMBER 2014
Executable type   November   October
.doc              25.9%      62.5%
.exe              16.4%      14.4%
.au3              8.6%       –
.scr              5.3%       0.1%
.jpg              4.8%       0.2%
.class            2.2%       –
.pdf              1.6%       4.4%
.bin              1.6%       –
.txt              1.3%       11.2%
.dmp              1.0%       0.1%
Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec :: NOVEMBER 2014
Organization Size   November   October
1-250               34.4%      27.1%
251-500             8.4%       6.6%
501-1000            8.8%       8.9%
1001-1500           3.2%       2.9%
1501-2500           4.5%       11.2%
2500+               40.7%      43.3%
Top-Ten Industries Targeted in Spear-Phishing Attacks
Source: Symantec :: NOVEMBER 2014
Industry                                   Percent
Services - Non Traditional                 20%
Manufacturing                              20%
Finance, insurance & Real Estate           17%
Services - Professional                    11%
Wholesale                                  10%
Transportation, communications, electric   7%
Public Administration                      5%
Retail                                     3%
Mining                                     1%
Construction                               1%
Data Breaches
At a Glance
• The two largest data breaches reported to have occurred in November resulted in the exposure of 3.6 million and 2.7 million identities each.
• Hackers have been responsible for 57 percent of data breaches in the last 12 months.
• Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.
Timeline of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: number of incidents and identities exposed (millions), by month, December 2013 through November 2014]
Top Causes of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Cause                                Percent   Number of Incidents
Hackers                              57%       147
Accidentally Made Public             18%       46
Theft or Loss of Computer or Drive   18%       46
Insider Theft                        7%        19
TOTAL                                          258
Total Data Breaches, DECEMBER 2013 — NOVEMBER 2014: 258
Total Identities Exposed, DECEMBER 2013 — NOVEMBER 2014: 476 Million
Top-Ten Types of Information Breached
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Rank   Type of Information        Percent
01     Real Names                 67%
02     Gov ID numbers (Soc Sec)   43%
03     Home Address               42%
04     Birth Dates                38%
05     Financial Information      35%
06     Medical Records            28%
07     Email Addresses            21%
08     Phone Numbers              19%
09     Usernames & Passwords      16%
10     Insurance                  9%
Methodology
This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information.
In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.
Malware Tactics
At a Glance
• W32.Ramnit variants continue to dominate the top-ten malware list.
• The most common OSX threat seen on OSX was OSX.Flashback.K, making up 15.7 percent of all OSX malware found on OSX Endpoints.
• Overall ransomware activity has remained low since March of this year. However, crypto-style ransomware continues to make up a larger percentage of ransomware, comprising 38 percent in November.
• Kelihos and Gamut are the two most commonly encountered botnets, making up 19.2 and 18.8 percent of botnet traffic respectively.
Top-Ten Malware
Source: Symantec :: NOVEMBER 2014
Rank   Name                   November   October
1      W32.Sality.AE          4.8%       4.1%
2      W32.Almanahe.B!inf     4.5%       3.7%
3      W32.Ramnit!html        4.4%       4.0%
4      W32.Ramnit.B           2.7%       2.7%
5      W32.Downadup.B         3.0%       2.5%
6      W32.Ramnit.B!inf       2.3%       2.1%
7      W32.SillyFDC.BDP!lnk   1.6%       1.4%
8      W32.Virut.CF           1.5%       1.3%
9      Trojan.Zbot            1.5%       1.3%
10     Trojan.Swifi           1.4%       –
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Source: Symantec :: NOVEMBER 2014
Rank   Malware Name      November   October
1      OSX.Flashback.K   15.7%      5.4%
2      OSX.Okaz          13.4%      28.8%
3      OSX.Keylogger     11.8%      9.3%
4      OSX.RSPlug.A      11.0%      14.0%
5      OSX.Klog.A        8.4%       5.2%
6      OSX.Stealbit.B    7.6%       4.7%
7      OSX.Crisis        3.7%       4.8%
8      OSX.Netweird      3.7%       3.7%
9      OSX.Flashback     3.3%       4.0%
10     OSX.Imuler        2.5%       –
Top-Ten Botnets
Source: Symantec :: NOVEMBER 2014
Rank   Botnet name   Percent
1      Kelihos       19.2%
2      Gamut         18.8%
3      Snowshoe      8.0%
4      Cutwail       3.7%
5      Darkmailer    1.0%
6      Asprox        0.7%
7      Grum          0.03%
8      Festi         0.0165%
9      Esxvaql       0.0162%
10     Darkmailer2   0.0151%
Ransomware Over Time
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: ransomware over time, in thousands, by month, December 2013 through November 2014]
Number of Vulnerabilities
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: number of vulnerabilities, by month, December 2013 through November 2014]
Zero-Day Vulnerabilities
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: zero-day vulnerabilities, by month, December 2013 through November 2014]
Vulnerabilities
At a Glance
• There were 457 vulnerabilities disclosed during the month of November.
• Internet Explorer has reported the most browser vulnerabilities in the last 12 months.
• Oracle’s Java reported the most plug-in vulnerabilities over the same time period.
Browser Vulnerabilities
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: browser vulnerabilities by month, December 2013 through November 2014. Series: Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Apple Safari]
Plug-in Vulnerabilities
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: plug-in vulnerabilities by month, December 2013 through November 2014. Series: Java, Apple, Adobe, ActiveX]
Mobile
Mobile Malware Families by Month, Android
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: number of Android malware families, by month, December 2013 through November 2014]
At a Glance
• There were eight Android malware families discovered in November.
• Of the threats discovered in the last 12 months, 26 percent are traditional threats, such as back door Trojans and downloaders.
• In terms of social networking scams, 29 percent were fake offerings, while 59 percent were manually shared scams.
Mobile Threat Classifications
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Track User: Risks that spy on the individual using the device, collecting SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or gathering pictures and video taken with the device.
Steal Information: This includes the collection of both device- and user-specific data, such as device information, configuration data, or banking details.
Traditional Threats: Threats that carry out traditional malware functions, such as back doors and downloaders.
Reconfigure Device: These types of risks attempt to elevate privileges or simply modify various settings within the operating system.
Adware/Annoyance: Mobile risks that display advertising or generally perform actions to disrupt the user.
Send Content: These risks will send text messages to premium SMS numbers, ultimately appearing on the bill of the device’s owner. Other risks can be used to send spam messages.
[Chart: percentage of mobile threats by classification. Categories: Adware/Annoyance, Reconfigure Device, Send Content, Traditional Threats, Track User, Steal Information]
Social Media
Social Media
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
Fake Offers: These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
Manual Sharing Scams: These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
Likejacking: Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
Comment Jacking: Similar to likejacking, this type of scam relies on users clicking links that are added to comments by attackers. The links may lead to malware or survey scams.
Fake App: Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.
[Chart: percentage of social media scams by type. Categories: Comment Jacking, Fake Apps, Likejacking, Manual Sharing, Fake Offering]
Phishing and Spam
Phishing Rate
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: phishing rate as "1 in N" emails, by month, December 2013 through November 2014]
At a Glance
• The phishing rate rose in November, at one in 647 emails, up from one in 1,610 emails in October.
• The global spam rate was 54.6 percent for the month of November.
• One out of every 246 emails contained a virus.
• Of the email traffic in the month of November, 41.3 percent contained a malicious URL.
Global Spam Rate
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: global spam rate as a percentage of email, by month, December 2013 through November 2014]
Email Threats
Proportion of Email Traffic Containing URL Malware
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: percentage of email traffic containing URL malware, by month, December 2013 through November 2014]
Proportion of Email Traffic in Which Virus Was Detected
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: proportion of email traffic in which a virus was detected, as "1 in N" emails, by month, December 2013 through November 2014]
About Symantec
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.
More Information
• Symantec Worldwide: http://www.symantec.com/
• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
• Symantec Security Response: http://www.symantec.com/security_response/
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/