Symantec's August 2011 Intelligence Report reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit.
2. The Symantec Intelligence Report
The new Symantec Intelligence Report combines the best research and analysis from Symantec:
• Symantec.cloud MessageLabs Intelligence Report
• Symantec State of Spam & Phishing Report
The integrated Symantec Intelligence Report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team.
Symantec Intelligence 2
3. August 2011 Highlights
• Spam – 75.9 percent in August
• Phishing – One in 207.7 emails identified as phishing
• Malware – One in 203.3 emails in August contained malware
• Malicious Web sites – 3,441 Web sites blocked per day
• 34.1 percent of all malicious domains blocked were new in August
• 17.3 percent of all Web-based malware blocked was new in August
• Global Debt Crises News Drives Pump-and-Dump Stock Scams
• Are MBR Infections Back in Fashion?
• Phishing Apple’s iDisk
• Phishing Brazilian Brands
• The Truth Behind the Shady RAT
• Spammers take advantage of Unicode normalisation to hide URLs
• Best Practices for Enterprises and Users
7. Phishing Apple’s iDisk
http://******.com/test?authenticate_username=******
[Domain name and User name removed]
8. Phishing Brazilian Brands
• 12 hosting sites were used to host 4% of the phishing sites on Brazilian brands
• Banking made up about 39% of the brands targeted
• Social networking attacks targeted one brand and comprised 61% of the total
• 0.5% spoofed a major airline
• Approximately 64% of the phishing sites were created using automated phishing toolkits; the remaining 36% were unique URLs
http://***.***.***.***/~namo/login011/?accounts/ServiceLogin?
http://***.***.***.***/~namo/login008/?accounts/ServiceLogin?
[IP addresses removed]
9. The Truth Behind the Shady RAT
Example attachment names included:
• Participant_Contacts.xls
• 2011 project budget.xls
• Contact List -Update.xls
• The budget justification.xls
10. The Truth Behind the Shady RAT
• www.comto[REMOVED].com/wak/mansher0.gif
• www.kay[REMOVED].net/images/btn_topsec.jpg
• www.swim[REMOVED].net/images/sleepyboo.jpg
• www.comto[REMOVED].com/Tech/Lesson15.htm
11. Spammers take advantage of Unicode normalisation to hide URLs
For example, a spam message contains the following URL:

http://example․ⅼy/xyz

The dot is not U+002E FULL STOP but Unicode character U+2024 ("ONE DOT LEADER"), and the "l" in "ly" is Unicode character U+217C ("SMALL ROMAN NUMERAL FIFTY"). A filter that looks for the literal string "example.ly" does not match the message, but Unicode compatibility normalisation (NFKC), which IDNA nameprep processing applies to host names, maps U+2024 to "." and U+217C to "l", so the link still resolves to http://example.ly/xyz.
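To show the mechanism concretely, here is an added example (not code from the report) that takes a URL shaped like the one above, lists the non-ASCII characters that vanish into ASCII under NFKC, and compares a literal blocklist match against the same match performed on the normalised host. The sample URL and the blocklist entry example.ly are constructed for the illustration.

```python
import re
import unicodedata

# Constructed sample, shaped like the URL on the slide: U+2024 ONE DOT LEADER
# stands in for "." and U+217C SMALL ROMAN NUMERAL FIFTY stands in for "l".
SPAM_URL = "http://example\u2024\u217cy/xyz"

# Hypothetical blocklist entry, written the way a filter author would type it.
BLOCKLIST = {"example.ly"}

# scheme://[userinfo@]host[:port]...  Parsed by hand rather than urllib so the
# raw, un-normalised host string is exactly what gets inspected first.
HOST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://(?:[^/?#@]*@)?([^/?#:]+)")


def nfkc(text):
    """Unicode compatibility normalisation (NFKC). This is the mapping that
    turns U+2024 into '.' and U+217C into 'l'; IDNA2003 nameprep applies it
    to host names too, which is why a client can still resolve the link."""
    return unicodedata.normalize("NFKC", text)


def host_of(url):
    """Host component of an http(s)-style URL, lower-cased, or '' if absent."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def confusable_chars(text):
    """(offset, code point, name) for every non-ASCII character whose NFKC
    form is pure ASCII, i.e. characters that disappear into ASCII on
    normalisation. Ordinary IDN letters such as U+00FC are left alone."""
    found = []
    for i, ch in enumerate(text):
        if ord(ch) > 0x7F and nfkc(ch).isascii():
            found.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>")))
    return found


def check_url(url, blocklist=BLOCKLIST):
    """Compare what a literal string match sees with what the same blocklist
    catches once the host has been normalised first."""
    raw_host = host_of(url)
    norm_host = host_of(nfkc(url))
    return {
        "raw_host": raw_host,
        "normalised_host": norm_host,
        "confusables": confusable_chars(raw_host),
        "blocked_raw": raw_host in blocklist,
        "blocked_nfkc": norm_host in blocklist,
        "suspicious": raw_host != norm_host,
    }


if __name__ == "__main__":
    report = check_url(SPAM_URL)
    for key, value in report.items():
        print(f"{key:17} {value}")
```

Matching on the normalised host is the right direction for a filter, but normalising before logging would destroy the evidence; keep the raw host in the record next to the normalised one, as check_url does, so the U+2024/U+217C substitution is still visible during investigation.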
15. Spam Subject Line Analysis
August 2011, total spam: top subject lines (No. of days seen)

 1  (blank subject line)                                                                        31
 2  ED-Meds-Antidepressants-And-Pain Relief-Meds-8O%-OFF                                        31
 3  Buy Advanced Penis Enlargement Pill now, it is selling fast.                                31
 4  Made of the most potent clinically proven natural herbs.                                    31
 5  Permanently increases length and width of your erection. Advanced Penis Enlargement Pill.   31
 6  Advanced Penis Enlargement Pill. Permanently increases length and width of your erection.   31
 7  my hot pics :)                                                                              23
 8  found you :)                                                                                23
 9  new pics for you..                                                                          24
10  im online now                                                                               23

July 2011, total spam: top subject lines (No. of days seen)

 1  drop me a line        30
 2  r u online now?       30
 3  hi darling..          30
 4  new email             30
 5  found you :)          30
 6  im online now         30
 7  my new pics :)        30
 8  my new email          30
 9  my hot pics :)        30
10  I'm online now…       30
16. Additional Spam Metrics
Spam URL TLD Distribution

TLD      August   July    Change (% points)
.com     57.6%    54.9%   +2.7
.ru       7.1%    10.6%   -3.5
.info    18.4%    18.3%   +0.1
.net      5.8%     6.2%   -0.4

Average Spam Message Size

Message Size     August   July    Change (% points)
0 KB – 5 KB      49.7%    65.1%   -15.4
5 KB – 10 KB     35.2%    21.2%   +14.0
>10 KB           15.0%    13.7%   +1.3
19. Phishing Rate & Sources
Phishing Web Sites Locations, August 2011

Country          August   July
United States    49.8%    49.5%
Germany           6.5%     6.5%
United Kingdom    3.8%     3.7%
Canada            3.7%     3.3%
Russia            3.0%     2.7%
France            2.7%     3.1%
Brazil            2.6%     2.2%
Netherlands       2.3%     2.1%
Poland            1.6%     1.7%
China             2.5%     2.8%
• The number of phishing Web sites decreased by 6.75% in August
• The number of phishing Web sites created by automated toolkits decreased by 18.3%
• The number of unique phishing URLs decreased by 1.67%
• Phishing Web sites using IP addresses in place of domain names (e.g. http://255.255.255.255) increased by 18.34%
• Legitimate hosting services accounted for approximately 9% of all phishing sites, a decrease of 16.81% since July
• The number of non-English phishing sites increased by 9.07%
• The most common non-English languages identified in phishing Web sites during August were Portuguese, French, Italian and Spanish.
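Two of the indicators above, bare IP addresses in place of domain names and URLs churned out by automated toolkits, can be turned into a simple triage pass over a URL feed. The following is an added example, not code or data from the report: the feed is constructed (RFC 5737/3849 documentation addresses and example.* names), and the ServiceLogin-style paths only copy the shape of the redacted ~namo/login008 and login011 URLs on the Brazilian-brands slide, where the same path recurs with a changing counter. Masking digit runs makes such instances collapse onto one template so the cluster can be counted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed (not data from the report).
SAMPLE_URLS = [
    "http://192.0.2.10/~namo/login011/?accounts/ServiceLogin?",
    "http://192.0.2.10/~namo/login008/?accounts/ServiceLogin?",
    "http://198.51.100.7/~namo/login023/?accounts/ServiceLogin?",
    "http://[2001:db8::1]/~namo/login002/?accounts/ServiceLogin?",
    "http://www.example.net/images/promo.jpg",
    "http://shop.example.org/cart/item/4451",
]

URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:[^/?#@]*@)?"                   # optional userinfo
    r"(?P<host>\[[^\]]*\]|[^/?#:]+)"    # bracketed IPv6 literal or anything else
    r"(?::\d+)?"                        # optional port
    r"(?P<path>[^?#]*)"
    r"(?P<query>\?[^#]*)?"
)


def parse(url):
    """Return (host, path, query); raises ValueError if the URL does not parse."""
    m = URL_RE.match(url)
    if m is None:
        raise ValueError("unparseable URL: %r" % url)
    host = m.group("host").strip("[]").lower()
    return host, m.group("path") or "/", m.group("query") or ""


def is_ip_literal(host):
    """True for a bare IPv4 or IPv6 address used in place of a domain name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def template(path, query):
    """Mask digit runs so toolkit instances that differ only by a counter
    (login008, login011, ...) collapse onto the same key."""
    return re.sub(r"\d+", "{N}", path + query)


def triage(urls, min_cluster=2):
    """Flag each URL with 'ip-host' and/or 'toolkit-template'. A template is
    treated as toolkit-generated when at least min_cluster URLs in the feed
    share it; min_cluster is a tuning knob, not a value from the report."""
    parsed = {u: parse(u) for u in urls}
    by_template = defaultdict(set)
    for u, (_, path, query) in parsed.items():
        by_template[template(path, query)].add(u)
    results = []
    for u in urls:
        host, path, query = parsed[u]
        key = template(path, query)
        flags = []
        if is_ip_literal(host):
            flags.append("ip-host")
        if len(by_template[key]) >= min_cluster:
            flags.append("toolkit-template")
        results.append({"url": u, "host": host, "template": key,
                        "cluster_size": len(by_template[key]), "flags": flags})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print("%-16s %-42s %d %s" % (r["host"], r["template"],
                                     r["cluster_size"], ",".join(r["flags"])))
```

The digit mask is deliberately crude: it will also merge unrelated URLs such as /cart/item/4451 and /cart/item/4452 on a busy legitimate site, so in practice the cluster count should be weighed together with the host (an IP literal or a throwaway hosting account) rather than used on its own.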
26. Most Frequently Blocked Malware at the Endpoint
Malware Name % Malware
W32.Ramnit!html 8.68%
W32.Sality.AE 8.44%
Trojan.Bamital 8.10%
W32.Ramnit.B!inf 6.84%
W32.Downadup.B 3.63%
W32.SillyFDC.BDP!lnk 2.59%
W32.Virut.CF 2.58%
W32.Almanahe.B!inf 2.38%
W32.SillyFDC 1.75%
Trojan.ADH.2 1.74%
[1] For further information on these threats, please visit: http://www.symantec.com/business/security_response/landing/threats.jsp
27. Where to next?
• Web:
– www.symanteccloud.com/intelligence
– www.symantec.com/spam
• Twitter:
– @symanteccloud