The Commtouch Quarterly Trends Threat Report provides insight on the latest spam, malware, phishing schemes and other web security threats. The July 2011 edition provides analysis of Internet security threats that occurred during the second quarter of 2011.
3. October 2011 Threat Report: Contents
1 Key Highlights
2 Feature: What is behind the huge return of email malware?
3 Trends: Malware, Spam, Web Security, Compromised Websites and Zombies
5. Key Security Highlights
Average daily spam/phishing emails sent: 93 billion
Average daily spam continues to decline
Lowest levels in years
6. Key Security Highlights
Spam Zombie daily turnover: 336,000 Zombies
Q3 saw a slight decline from the 377,000 in Q2
(Zombie turnover is the number of zombies turned off and on daily)
7. Key Security Highlights
Most popular blog topic on user generated content sites: Streaming media/downloads (24%)
Streaming media & downloads increased its
share to nearly one quarter of all UGC
Includes sites with MP3 files or music related sites such as fan
pages (these might also be categorized as entertainment)
8. Key Security Highlights
Most popular spam topic: Pharmacy Ads (29%)
After decreasing for 6 consecutive quarters,
Pharmacy Ads increased 5% in Q3
10. Key Security Highlights
Website category most likely to be compromised with malware: Parked Domains
“Pornographic and sexually explicit sites”
(1st in Q2) was pushed into 3rd spot by “Parked
Domains” and “Portals”
11. Feature: What is behind the huge return of email malware?
12. Q3 Malware Trends
• In August, Commtouch Labs registered major
malware email outbreaks
• The following chart shows the scale of these attacks
[Chart: Malware email levels – June to Sept 2011]
13. Q3 Malware Trends
Analysis of August 2011 Outbreaks
• Campaigns have been successful
• Infection rate generally linear
• More malware emailed = more infections
• Range of malware families detected in outbreaks
• Variants of Sasfis, SpyEye, Zeus, fake antivirus,
and others
• In most cases the malware contacts external servers
and downloads additional malware files to run on
the infected machine
14. Q3 Malware Trends
Analysis cont…
At present, no clear reason for the build-up in bots
1. No increase in spam
• A common result of large malware outbreaks
2. Most of the malware seen generally associated
with specific attacks (e.g., Zeus – banking fraud)
• So far, no increase in these attacks
Possible reasons for new bot network
• Large scale banking fraud
• Facebook/Gmail/Yahoo account theft
• Distributed denial of service (DDOS)
• Other criminal activity
15. Q3 Malware Trends
Top 10 Malware of Q3 2011
Rank  Malware name
1     W32/Oficla.FO
2     W32/RAHack.A.gen!Eldorado
3     W32/Adware.PAP
4     W32/Sality.gen2
5     JS/Pdfka.BG
6     W32/Patched.G
7     W32/Damaged_File.B.gen!Eldorado
8     W32/Bredolab.AP.gen!Eldorado
9     W32/MalwareF.AFPRH
10    W32/Heuristic-210!Eldorado
Source: Commtouch
16. Q3 Malware Trends
For a complete analysis of Malware in Q3 and the
specific attacks employed, download the complete
October 2011 Internet Threats Trend Report
www.commtouch.com/threat-report-Oct2011
18. Q3 Spam Trends
• Spam levels remain at their lowest in years
following the Rustock botnet takedown in March
• Aug and Sept attacks had no effect on spam levels
• Q3 average spam levels near 93 billion email
messages/day
[Chart: Spam messages per day, Mar to Sep 2011]
19. Q3 Spam Trends
• Spam averaged 76% of all emails sent during Q3
(excluding emails with malware attachments)
[Chart: Spam as a percentage of all email, Mar to Sep 2011]
20. Q3 Spam Trends
Top Faked (Spoofed) Spam Sending Domains*
• Gmail.com once again the most spoofed domain
• 14th place again held by ups.com due to the very large numbers of fake UPS
notification emails sent as part of the Q3 outbreaks
* The domains that are used by spammers in the “from” field of the spam emails.
Source: Commtouch
21. Compromised Accounts
• In addition to spoofed emails (shown above), a
percentage of emails from Gmail, Hotmail and
Yahoo come from genuine accounts – compromised
accounts (though some are accounts specifically
created by spammers for spamming)
• In the Q2 2011 Trend Report, Commtouch revealed
an increased use of compromised accounts to
spread spam
(Compromised accounts offer several advantages, including
the fact that they are difficult to block using IP reputation
implemented by many anti-spam solutions)
22. Compromised Accounts
Analysis of spam “from” Gmail & Hotmail – Q2/Q3 2011
• Hotmail: 28-35% of the spam from Hotmail actually comes
from compromised or spammer Hotmail accounts
• Gmail: Most Gmail Spam (96-97%) comes from zombies
that simply forge Gmail addresses
• Q3 saw growth in use of Hotmail & Gmail compromised
accounts in comparison to Q2
Source: Commtouch
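To show why compromised accounts slip past the IP-reputation filtering mentioned above, here is an added Python example (not Commtouch's code or data): it scores a constructed batch of messages against an assumed zombie blocklist and assumed provider outbound ranges. Forged gmail.com messages arriving from zombie IPs are blocked, while spam sent through a genuine (compromised) Hotmail account, arriving from the provider's own range, is not.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data, not Commtouch's: a tiny IP-reputation blocklist of
# known spam-zombie ranges, and each webmail provider's own outbound range.
ZOMBIE_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
PROVIDER_OUTBOUND = {
    "gmail.com": ipaddress.ip_network("198.51.100.0/24"),
    "hotmail.com": ipaddress.ip_network("192.0.2.0/24"),
}

@dataclass
class Message:
    sender_ip: str    # IP that connected to our mail server
    from_domain: str  # domain claimed in the "from" field
    is_spam: bool     # ground truth, used only to score the filter

# Constructed sample traffic: two zombies forging gmail.com, one spam message
# sent through a genuine (compromised) Hotmail account, one legitimate Gmail.
SAMPLE = [
    Message("203.0.113.7", "gmail.com", True),
    Message("203.0.113.9", "gmail.com", True),
    Message("192.0.2.25", "hotmail.com", True),
    Message("198.51.100.4", "gmail.com", False),
]

def origin(msg: Message) -> str:
    """'spoofed' when the connecting IP lies outside the claimed domain's
    outbound range; otherwise 'account' (a real, possibly compromised, mailbox)."""
    ip = ipaddress.ip_address(msg.sender_ip)
    net = PROVIDER_OUTBOUND.get(msg.from_domain)
    return "account" if net is not None and ip in net else "spoofed"

def ip_reputation_blocks(msg: Message) -> bool:
    """The sender-IP reputation check many anti-spam products apply first."""
    ip = ipaddress.ip_address(msg.sender_ip)
    return any(ip in net for net in ZOMBIE_BLOCKLIST)

def score(messages):
    """Count how spam of each origin fares against IP reputation alone."""
    out = {"spoofed_blocked": 0, "spoofed_missed": 0,
           "account_blocked": 0, "account_missed": 0}
    for m in messages:
        if m.is_spam:
            verdict = "_blocked" if ip_reputation_blocks(m) else "_missed"
            out[origin(m) + verdict] += 1
    return out
```

Running `score(SAMPLE)` gives both spoofed messages as blocked and the compromised-account message as missed, which is the gap that content- or behaviour-based checks have to close.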
23. Compromised Accounts
Compromised Accounts Analysis
• Having observed greater use of compromised
accounts, Commtouch undertook primary
research into the use of these accounts for
sending spam
• The research included the surveying of people
whose accounts had been compromised
• Results confirm Commtouch observations with
regard to the increased use of compromised
accounts for sending spam
24. Compromised Accounts
What Compromised Accounts Used For
• More than half of the accounts were used to send spam or scams
• 23% of respondents not
sure what their accounts
were used for
• Compromised Facebook
accounts generally used to
further the spread of
malware or post links to
marketing scam websites
25. Compromised Accounts
Compromised Accounts Survey
Review the full survey report and find out…
1. Which accounts were affected
2. How accounts were compromised
3. Activity account was used for – e.g., spam, scam, etc.
4. How account owners found out
5. Action owners took to regain control of their account
Full results of the survey can be found at
http://www.commtouch.com/hacked-accounts-report-Oct2011
26. Q3 Spam Trends
Spam Topics
• Top topic “pharmacy spam” stopped its downward slide of
the past six quarters, adding 5% to reach 29% of all spam
• “Enhancers” added 5 points, accounting for > 17% of spam
Source: Commtouch
27. Q3 Spam Trends
Find out more about Spam Trends in Q3 by downloading the complete
October 2011 Internet Threats Trend Report
www.commtouch.com/threat-report-Oct2011
29. Q3 Facebook Threats
Exploits in Q3 2011
Facebook continues to draw the attention
of malware authors
30. Q3 Facebook Threats
August 2011 “Friend” malware
• A range of “friend request” emails were sent to draw
recipients to download a banking Trojan
31. Q3 Facebook Threats
September 2011 “Like” Scams
How scams worked
The Trap: Offers to get “free” merchandise
“The First 50.000 participants Get an iPhone 4 for free”
“The first 25,000 that signup get a free pair of Beats by Dre headphones”
“The first 1,000 participants Will Get An Facebook Phone for Free”
“The First 25,000 Participants Will Get A Free Facebook Hoodie”
What Facebook users had to do:
Like several pages, provide their shipping addresses and forward the invite
on to 100 or so friends (thus ensuring the spread of the scam)
Result:
Pages liked by hundreds of thousands of users
33. Q3 Facebook Threats
How the Scammers Benefitted
Improved visibility/promotion of the scammer page:
• Like appears on the Liker’s Wall and may appear in News Feeds
• Liker displayed on the Page that was liked and ads about Page
• Liked Facebook Pages can post updates to the Liker’s News Feed
or send them messages
• Liker’s connection to the page may also be shared with apps on
the Facebook Platform
Also…
• Scammers got people’s shipping addresses (helpful in ID theft)
• “Facebook Hoodie” offer linked to an external site with further
links to marketing scams, bringing the scammer per-click revenues
34. Q3 Web Security Threats
Learn more about other Web Security Threats
in Q3:
• PHP Thumbs exploit
• Others
Download the complete October 2011 Internet
Threats Trend Report for more details
www.commtouch.com/threat-report-Oct2011
35. Q3 Compromised Websites
Website categories infected with malware
• Pornographic and sexually explicit sites were pushed down to
the 3rd spot by parked domains and portals
(As noted in previous reports, the hosting of malware may well be the
intention of the owners of the parked domains and pornography sites)
Rank  Category
1     Parked Domains
2     Portals
3     Pornography/Sexually Explicit
4     Education
5     Entertainment
6     Business
7     Computers & Technology
8     Health & Medicine
9     Shopping
10    Travel
Source: Commtouch
Portals category includes sites offering free homepages, which are
abused to host phishing and malware content or redirects to other
sites with this content
36. Q3 Compromised Websites
Website categories infected with phishing
• This is an analysis of which categories of legitimate Web sites
were most likely to be hiding phishing pages (usually without
the knowledge of the site owner)
• Games retained the top ranking, as in Q2 2011
Rank  Category
1     Games
2     Portals
3     Shopping
4     Fashion & Beauty
5     Education
6     Sports
7     Leisure & Recreation
8     Business
9     Health & Medicine
10    Entertainment
Source: Commtouch
Portals category includes sites offering free homepages, which are
abused to host phishing and malware content.
38. Q3 Zombie Trends
Daily Turnover of Zombies in Q3
• Q3 saw an average turnover of 336,000 zombies each day
that were newly activated for sending spam
• Slight decrease compared to the 377,000 from Q2
Source: Commtouch
39. Q3 Zombie Trends
Worldwide Zombie Distribution in Q2
Source: Commtouch
• India once again claimed the top zombie producer title, increasing
its share to over 18%
• Brazil dropped to 3rd position by decreasing its share of global
zombie population by nearly 3%
• The US and Iran joined top 15, displacing Poland and Italy
41. Q3 Web 2.0 Trends
Web 2.0 Trends
• “Streaming media and downloads” was again the most
popular blog or page topic in Q3 (up to 24% of all UGC)
Rank  Category                       Percentage
1     Streaming Media & Downloads    24%
2     Entertainment                  9%
3     Computers & Technology         8%
4     Pornography/Sexually Explicit  6%
5     Fashion & Beauty               5%
6     Religion                       5%
7     Restaurants & Dining           5%
8     Arts                           5%
9     Sports                         4%
10    Education                      4%
11    Leisure & Recreation           3%
12    Health & Medicine              3%
13    Games                          3%
14    Sex Education                  2%
Source: Commtouch
The streaming media & downloads category includes sites with MP3 files or
music related sites such as fan pages (these might also be categorized as
entertainment).
43. Review of Q3 2011
Timeline of notable events, July to September 2011 (the month columns of the original graphic are not recoverable; events are listed in the order they appeared):
• Spam ratio reaches low of 74%
• Android malware added to extended Wildlist
• Email-malware outbreaks start
• 25 billion malware emails in one day
• Facebook “like” scams
• Gap/Athleta fake order malware
• Most spam per day: 120 billion
• Twitter notifications lead to Web spam
• PHP Thumbs exploit
• Right-to-Left override used in malware
• Facebook friend notifications led to malware
• “map of love” email malware
• Lowest spam per day: 64 billion
Source: Commtouch
44. Download the complete October 2011
Internet Threats Trend Report
at
www.commtouch.com/threat-report-Oct2011
45. For more information contact:
info@commtouch.com
650 864 2000 (Americas)
+972 9 863 6895 (International)
Web: www.commtouch.com
Blog: http://blog.commtouch.com