Internet Threats Trend Report April 2012
Internet Threats Trend Report April 2012 In This Report Is 100 billion the new spam peak? Page 2 Replica spam affiliate program GlavTorg closes No visible effect on spam levels Page 3 Malware attacks focus on US tax season Accountants and customers targeted Page 5 Compromised websites an owner s perspective Page 10 Zombie hotspots Global weight shifts away from India again Page 13 Q1 2012 Highlights 94 billion Average daily spam/phishing emails sent Page 2 270,000 Zombies Daily turnover Page 12 Streaming media/ Downloads Most popular blog topic on user-generated content sites Page 13 Pharmacy ads Most popular spam topic (38.5% of spam) Page 3 India Country with the most zombies (19.2%) Page 13 Pornography/ Explicit Website category most likely to be contain malware Page 9
Overview Industry and government efforts have dealt a significant blow to spam in the past year. In the first quarter of 2012, an average of 94 billion spam emails were sent per day compared to over 150 billion per day prior to the Rustock botnet takedown in March 2011. Specific social engineering campaigns of note this quarter focused on the U.S. tax season, targeting both consumers and members of the accounting profession. Facebook remains a popular outlet, with a social engineering campaign featuring an unwatchable video. Spam trends Spam levels remained low relative to the same period last year. The average decrease compared to Q1 2011 was nearly 40%, with the average daily level dropping to 94 billion spam and phishing emails per day. This decrease followed a marginal increase during the December 2011 holiday season. Spam averaged 75% of all emails sent during the first quarter. A year has now passed since the Rustock botnet takedown that resulted in a significant drop in global spam. There is no sign of a return to pre-rustock spam levels. The sustained decrease has been attributed to many additional factors including: other botnet takedowns, increased prosecution of spammers and the source industries such as fake pharmaceuticals and replicas, and increased revenues for cybercriminals from other avenues such as banking fraud. At this point it is tempting to conclude that the decade-long growth of spam has been permanently reversed. Time will tell. Spam levels Dec 2011 to March 2012 Spam % of all emails - Dec 2011 to March 2012 Page 2
Replica spam affiliate program GlavTorg closes Spam affiliate programs provide the link between fake pharmaceuticals and replica manufacturers and spammers. GlavTorg was one such program that focused on replica handbags and clothing. In December 2011 GlavTorg announced that it would stop payouts to affiliates at the end of January 2012. To evaluate the effect of the closure Commtouch Labs introduced the spam-subject cloud tool. The tool samples thousands of spam messages at definable intervals and plots frequently occurring terms in larger text. Spam subjects that have been sent in massive quantities become instantly Spam topics cloud for end- Jan 2012 distinguishable. The spam-subject cloud (right) for the end of January show no evidence of GlavTorg related products. In addition the spam levels for the period show no obvious influence (increase or decrease) around the dates of the announcement or the date when payments were stopped. Spammers have apparently easily realigned their activities. The spam cloud for the entire first quarter is shown below. Pharmaceuticals (Viagra, Cialis) and replicas (Rolex, Breitling) clearly lead with enhancers and software (CS5, Windows, Adobe) also featuring. Dating subjects also feature but due to the great variance of subject words, are less prominent. Spam topics cloud for Q1 2012 Page 3
Pharmacy spam increased once again, as it did last quarter, to reach nearly 39% of all spam (around 8% more than the previous quarter). Replica-themed spam also increased in the first quarter of the year by over 5%. Spam topics in Q1 2012 Spam domains As part of Commtouch s analysis of spam trends, Commtouch Labs monitors the domains that are used by spammers in the from field of the spam emails. The addresses are typically faked in order to give the impression of a reputable, genuine source. Top spoofed from domains in Q1 2012 This quarter, gmail.com is once again the most spoofed domain (increasing above 25% for the first time). The top 15 features popular social networking and mail sites (AOL, Yahoo, Page 4
Facebook, LinkedIn, MySpace) as well as DHL.com often used as part of email malware attacks. Malware trends Blended attacks target accountants? Did cybercriminals target accountants? The scale of a February attack was so large that it certainly must have reached many CPAs but also many other individuals. Many of the recipients (Accountant or not) may have clicked on the links out of sheer curiosity. The attacks included subjects such as: fraudulent tax return assistance accusations. your accountant license can be revoked. your accountant cpa license termination. income tax return fraud accusations. Phony accountant tax fraud emails lead to malware Clicking on the link downloaded a short HTML page that promises Page is loading, please wait. You will see tax info on this screen. In the background, the small script creates a nested iframe which brings in more JavaScript, creating further dynamic content. The process repeats until a large portion of malware code is activated. Within 2 weeks a similarly sized attack seemed to again target accounting practitioners and the small business market, this time by describing fictitious purchases of Intuit accounting software. The subjects included: Page 5
Your QuickBooks software order Your Intuit.com order Your Intuit.com invoice Please confirm your Intuit.com invoice The malware downloaded and deployed in the same way as described above. Phony Accounting software email links lead to malware Email malware Levels of email attached malware were generally low in the first quarter of 2012. Malware distributors generally stuck to their favorite themes such as Fedex delivery notices. Several other interesting social engineering techniques were also used during the quarter: Google have received your CV with an attached CV submission form Your friend invited you to Twitter with an attached invitation card Someone wanting to be your friend on Hi5 (a social network) Shipping updates for your Amazon.com order with attached shipping documents American Airlines ticket confirmations I love you contains only the text lovely :-) and phony assurance that F-Secure Antivirus has found no virus in the attachment Sex pictures the attached zip refers to www.freeporn4all. Once extracted a typical Explorer view shows a file named document.txt. Widening the filename column Page 6
reveals the true.exe extension of the malware (following multiple space characters) an old trick but probably still effective. Malware email levels Jan to Dec 2011 Email with attached malware in Q1 2012. Page 7
Top 10 Malware The table below presents the top 10 most detected malware during the first quarter of 2012 as compiled by Commtouch s Antivirus Lab. Web security Top 10 Detected Malware Rank Malware name Rank Malware name 1 W32/InstallCore.A2.gen!Eldorado 6 W32/Sality.gen2 2 W32/RLPacked.A.gen!Eldorado 7 W32/HotBar.L.gen!Eldorado 3 W32/Sality.C.gen!Eldorado 8 W32/Vobfus.AD.gen!Eldorado 4 W32/Heuristic-210!Eldorado 9 JS/Pdfka.CI.gen 5 W32/RAHack.A.gen!Eldorado 10 W32/Korgo.V Facebook unwatchable video scam Several variants of this scam have appeared on Facebook in the last few months. January s version starts with a friend s post that looks something like this: Facebook post describes unwatchable video (with link to Blogspot page) The link takes clickers to a Blogspot page which has been very convincingly designed to look like a Facebook page with an embedded video player. (none of the Facebook elements on the top of the page are actually clickable). Visitors are informed that they need the Divx plugin/youtube Premium plugin. Blogspot page hosts fake vide player and malware download Page 8
Clicking on the download link runs a malicious script that performs several actions: 1) A link is posted on the user wall Facebook extracts the content for the post from the page itself which includes data specifically formatted for this purpose: <title>95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds</title> <meta property= og:title content= 95% 0f All People Cant even Watch This Video F0r More Than 20 Seconds /> <meta property= og:image content= http://i.imgur.com/0f s.jpg /> <meta property= og:description content= i dare you to get past the 25 seconds.just click play /> 2) The script then installs Firefox or Chrome extensions depending on the browser used. These extensions are used to redirect users to several further scams. The redirections happen no matter what sites the user actually intended to go to. One of the redirections is to a scam offering a $50 Starbucks gift card. After coaxing the Facebook user to like and share the link they are led to an affiliate marketing site. Phony Starbuck voucher coaxes users to like and share Compromised websites store malware Many of the emails carrying malware links this quarter either hosted the malware on compromised websites or used these as a platform for redirection. An example of one of the attacks is shown below. This is the screen that would be shown to anyone clicking on the links of the CPA malware attacks (see page 5). Compromised website used to host malware - message shown on screen while malware loads The malware loads in the background while this screen is shown. Meanwhile the host site continues to function normally. Page 9
Homepage of compromised website used to host malware During the first quarter of 2012, Commtouch analyzed which categories of Web sites were most likely to be compromised with malware. Pornographic sites climbed back up to the top spot pushing down Parked domains. As noted in previous reports, the hosting of malware may well be the intention of the owners of the parked domains and pornography sites. A new entry into the top 3 is Fashion and Beauty sites -. Website categories infected with malware Rank Category Rank Category 1 Pornography/Sexually Explicit 6 Education 2 Parked Domains 7 Health & Medicine 3 Fashion and Beauty 8 Computers & Technology 4 Portals 9 Business 5 Entertainment 10 Leisure & Recreation Compromised Websites: An Owner s Perspective Having observed the phenomenon of hacked websites for some time, Commtouch, in cooperation with StopBadware, undertook a survey of webmasters whose sites had been compromised. The report presents statistics and opinions on how site owners navigate the process of learning their sites have been hacked and repairing the damage. Data from the poll reveals that malicious actors are often able to compromise legitimate websites without the site owners' knowledge: over 90% of respondents didn't notice any strange activity, despite the fact that their sites were being abused to send spam, host Page 10
phishing pages, or distribute malware. Nearly two-thirds of the webmasters surveyed didn't know how the compromise had happened. Other highlights from analysis of the survey's responses include: About half of site owners discovered the hack when they attempted to visit their own site and received a browser or search engine warning. 26% of site owners had not yet figured out how to resolve the problem at the time they completed the survey. 40% of survey respondents changed their opinion of their web hosting provider following a compromise. In addition to analysis and quotes from site owners, the report provides tips to help webmasters prevent their sites from being compromised. More details, including an infographic and a brief presentation summarizing the report are available at: http:///compromised-websites-report-2012. Phishing Trends Phishing attacks target account information for many services: banks, email and social network accounts, and online games. Commtouch s Security Blog has also featured phishing aimed at Google Adwords customers. In January, a similar phishing attack was directed at Microsoft adcenter users. The links in the email below led to a very convincing replica of the adcenter login page. Microsoft adcenter phishing attack Page 11
During the first quarter of 2012, Commtouch analyzed which categories of legitimate Web sites were most likely to be hiding phishing pages (usually without the knowledge of the site owner). Portals (offering free website hosting) jumped into the highest position. Sites related to games (the previous leader), dropped off the list. Zombie trends Website categories infected with phishing Rank Category Rank Category 1 Portals 6 Sports 2 Shopping 7 Leisure & Recreation 3 Fashion & Beauty 8 Health and medicine 4 Education 9 Real Estate 5 Business 10 Personal sites The first quarter saw an average turnover of 270,000 zombies each day that were newly activated for sending spam. This number is an increase over the 209,000 of the fourth quarter of 2011. The large drop at the start of November appears to be a result of the Esthost botnet takedown. Although this botnet was primarily used for DNS changing (redirecting Web requests to malicious sites), it appears that some portion was also used to send spam. Spammers have worked to source new zombies since the start of 2012. Daily newly activated spam zombies: Oct 2011 to Mar 2012 Page 12
Zombie Hot Spots India again claimed the top zombie producer title, but dropped below 20% from nearly 24% in Q4 2011. Brazil and the Russian Federation both climbed back up to the 2 nd and 3 rd positions. Argentina, Poland and Italy joined the top 15, displacing The United States, Romania and Ukraine. Worldwide Zombie distribution in Q1 2012 Web 2.0 trends Commtouch s GlobalView Cloud tracks billions of Web browsing sessions and URL requests, and its Web Filtering service includes highly granular categorization of Web 2.0 content. In addition to filtering accuracy, this provides insight into the most popular user generated content sites. Once again, streaming media and downloads was the most popular blog or page topic staying at 22%. The streaming media & downloads category includes sites with MP3 files or music related sites such as fan pages. Most popular categories of user-generated content. Rank Category Percentage Rank Category Percentage 1 Streaming Media & Downloads 22% 8 Religion 5% 2 Computers & Technology 8% 9 Sports 4% 3 Entertainment 7% 10 Education 4% 4 Pornography/Sexually Explicit 5% 11 Leisure & Recreation 3% 5 Restaurants & Dining 5% 12 Health & Medicine 3% 6 Fashion & Beauty 5% 13 Games 3% 7 Arts 5% 14 Sex Education 2% Page 13
About Commtouch Commtouch (NASDAQ: CTCH) safeguards the world s leading security companies and service providers with cloud-based Internet security services. Real-time threat intelligence from Commtouch s GlobalView Cloud powers Web security, email security and antivirus solutions, protecting thousands of organizations and hundreds of millions of users worldwide. References and Notes Reported global spam levels are based on Internet email traffic as measured from unfiltered data streams, not including internal corporate traffic. Therefore global spam levels will differ from the quantities reaching end user inboxes, due to several possible layers of filtering. Spam levels do not include emails with attached malware. http://krebsonsecurity.com/2012/01/glavmed-sister-program-glavtorg-to-close/ http:///cafe/web-security/facebook-95-0f-all-people-cant-even-watch-this-videof0r-more-than-20-seconds/ http:///cafe/anti-spam/the-spam-cloud-ep01-2/ http:///cafe/email-security-news/bs-microsoft-adcenter-phishing/ http:///cafe/data-and-research/infographic-compromised-websites-an-ownersperspective/ Visit us: and Email us: info@commtouch.com Call us: 650 864 2000 (US) or +972 9 863 6888 (International) Copyright 2012 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch..