December 2010 Report #48

Transcription

1 December 2010 Report #48 With the holidays in full gear, Symantec observed an increase of 30 percent in the product spam category as spammers try to push Christmas gifts and other products. While the increase is an expected behavior for spammers, what s surprising is another steep drop in overall spam volume in November, which is unusual for this time of the year. The drop in overall spam volume also brought down the overall spam percentage. Spam made up percent of all messages in November, compared with percent in October. This is the lowest spam percentage since January 2009, when spam levels were recovering from the McColo shutdown. While spam declined, the overall phishing attacks increased by 37 percent this month. This change was primarily due to an increase in both automated toolkit attacks and unique phishing websites. Phishing websites created by automated toolkits increased significantly by about 90 percent. The rise in toolkit phishing was attributed to a phishing attack that spoofed a popular American bank. In addition, unique URLs increased by 18 percent, while phishing websites with IP domains (i.e. domains like increased by about 41 percent. Webhosting services comprised 12 percent of all phishing in November, an increase of 15 percent from the previous month. The number of non-english phishing sites increased by 10 percent. Among non-english phishing sites, French and Portuguese were the highest in November. In comparison to the previous months, phishing sites in Portuguese have surpassed Italian sites because of an increased attack on social networking sites that were in Brazilian Portuguese. The following trends are highlighted in the December 2010 report: What s Happening to Spam Volume? 2011 Spam Predictions Buyers Beware! Holiday Do s and Don ts Fake Security for Indonesian Facebook Users Phishers Roving Eyes Target Indian Educational Institutions Dylan Morss Executive Editor Antispam Engineering David Cowings Executive Editor Security Response Eric Park Editor Antispam Engineering Mathew Maniyara Editor Security Response Sagar Desai PR contact sagar_desai@symantec.com

2 Metrics Digest Global Spam Categories Spam URL TLD Distribution Average Spam Message Size Spam Attack Vectors

3 Metrics Digest Spam Regions of Origin Geo-Location of Phishing Lures Geo-Location of Phishing Hosts

4 Metrics Digest Phishing Tactic Distribution Phishing Target Sectors

5 What s Happening to Spam Volume? Spam volume continued to decline in November, with the average daily spam volume dropping down 17.4 percent month-over-month. Compared to August, spam volume was down over 56 percent. What s the reason for this downtrend? In addition to the Zeus ring arrests and spamit.com shutdown mentioned in the previous report, the Bredolab botnet takedown in late October has also contributed to the overall decline in spam volume. Furthermore, in early December, the Mega-D botnet author was arrested by the FBI. With this background, Symantec expects the low volume of spam to continue through the end of the year. Typically, there is an increase in global spam volume as well as overall spam percentage towards the end of the year. Spammers have been known to take advantage of the holiday season to promote product spam. They also send other types of spam messages often using a holiday related subject line as a hook to trick users. However, this year is turning out to be different due to some of the legal actions mentioned above. In the first chart, the overall spam percentages from September to December 2009, shows an increase in November and December.

6 What s Happening to Spam Volume? (continued) Even though we do not have the data for the month of December yet, this year s data clearly shows an ongoing downtrend. Will the spam volume return to its highs? Or will the overall spam percentage continue to decline? These questions are answered in the next section, along with few other predictions for what to expect in Spam Predictions As 2010 comes to close, it is time to make some predictions for 2011 with respect to the spam and phishing threat landscape. Symantec expects three major trends of 2010 to continue into Use of current events and news as subject lines 2010 was all about disastrous earthquakes, World Cup Football, auto recalls, and Gulf of Mexico oil spill. In addition to using these real news and events, spammers will continue to use fake news and events to generate interest. Exploiting social networks As social networks continue to grow, Symantec expects that spammers and phishers will continue to leverage popular social networking brands to launch unique attacks that threaten identity and information thefts.

7 Spam Predictions (continued) Lower volume, more targeted attacks In 2010, we observed that spammers are getting more sophisticated with their scam and phishing tactics. These targeted attacks will continue in Additional trends for 2011: Spammers will struggle to match their former glory Overall spam volume dropped significantly over the past few months due to several legal actions. Symantec expects the volume to return more slowly than when spam dropped post- McColo shutdown. Users are more aware of online threats than they were two years ago, and authorities are certainly taking more action to stop spammers. These will prevent spammers from returning to their former glory faster than they would like. Year of Malware Spam Symantec expects more malware spam in Spammers have lost a great part of their infected machines due to recent shutdowns. In order to make up for the loss and rebuild their army of compromised machines, spammers will launch more malware message attacks. Buyers Beware! Holiday Do s and Don ts With the holidays fast approaching, users must be careful in their online activities. Some items to watch out for are: Spammers love to use holiday themes. Symantec has observed the holiday angle used in spam messages from fake online pharmacy spam, gift cards, electronic greeting cards, to year end auto clearance events. We typically see holiday themed spam messages, especially those that look like greeting cards, containing either attached malware or links to malware. Phishing attacks have been observed using holiday themes, with links directing users to a fake bank or online retailer websites. Users should ensure that they are running up to date operating systems and browsers with the latest comprehensive security suite. Do not: Open unknown attachments. Reply to spam. Buy products or services from spam messages. Fill out forms in messages that ask for personal/financial information or passwords. A reputable company is unlikely to ask for personal details via . When in doubt, contact the company directly through an independent, trusted mechanism, such as a verified telephone number, or a known internet address that you type into a new browser window (do not click or cut and paste from a link in the message).

8 Fake Security for Indonesian Facebook Users Recently, Symantec observed a phishing website spoofing the brand Facebook which claimed to be an alert from the Facebook security system. The phishing page was in Indonesian, and subsequently targeted Facebook users in Indonesia. The phishing site was titled cancellation of blocking accounts and the page stated the user s account had been reported by other users for violation of security rules. The phishing page warned that the user must confirm his or her identity within 24 hours by providing login credentials, and if the user didn t comply, the security system would permanently close the account. The sensitive information requested in the phishing site was address, password, and the user s date of birth. The message was allegedly from Facebook s security system but ironically, the phishing site was created with the motive to steal user credentials. Upon entering the credentials, the phishing page returned an error stating that the information entered was invalid. If the credentials are entered a second time, the phishing page redirects to the legitimate Facebook Web site. The phishing site was hosted on a free Web hosting site.

9 Phishers Roving Eyes Target Indian Educational Institutions Recently, Symantec observed a phishing website that spoofed a popular service brand. While service phishing attacks are common, the domain name that was used in hosting the phishing site is what made this particular phishing attempt interesting. The phishing site s domain name belonged to a popular government educational institution in India. Phishers are known for compromising legitimate websites and hosting their phishing sites on them. However, websites belonging to government, military, or educational institutions are usually more secure and are seldom compromised. In the past six months, several colleges and schools in India have been attacked by phishers. These include colleges that offer education in engineering, health sciences, management studies, gemological studies, and commerce. Let s have a look at the statistics involving the domain names of Indian educational institutes that were compromised and used as hosts for phishing sites during the past six months: Some noteworthy figures: There were 13 educational institutes whose websites were compromised. These domain names were used to spoof 16 brands. Domain names belonging to the colleges of Uttar Pradesh were found to be the highest in phishing in comparison to other states in India. This attack was about 43% of the phishing attacks, followed by Tamil Nadu and Delhi, comprising 27% and 15% respectively. Around 79% of these phishing sites targeted banking sector brands; 12.9% were e- commerce brands, and the remainder were information services, insurance, and mobile/ cellular brands. Brands based in the USA, UK, France, and Australia were all affected by these phishing sites. The average lifespan of these phishing sites was evaluated and found to be about four to five days. This short life span is probably due to the fact that educational institutions will remove phishing pages from their domain as soon as such a threat is reported, in order to maintain online security. Though the life spans of these phishing sites are short, given the statistics, it appears that this type of phishing attack is consistently observed every month.

10 Checklist: Protecting your business, your employees and your customers Do Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. Deselect items you do not want to receive. Be selective about the Web sites where you register your address. Avoid publishing your address on the Internet. Consider alternate options for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services. Using directions provided by your mail administrators report missed spam if you have an option to do so. Delete all spam. Avoid clicking on suspicious links in or IM messages as these may be links to spoofed websites. We suggest typing web addresses directly in to the browser rather than relying upon links within your messages. Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite. For details on Symantec s offerings of protection visit Consider a reputable antispam solution to handle filtering across your entire organization such as Symantec Brightmail messaging security family of solutions. Keep up to date on recent spam trends by visiting the Symantec State of Spam site which is located here. Do Not Open unknown attachments. These attachments could infect your computer. Reply to spam. Typically the sender s address is forged, and replying may only result in more spam. Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via . When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message). Buy products or services from spam messages. Open spam messages. Forward any virus warnings that you receive through . These are often hoaxes. * Spam data is based on messages passing through Symantec Probe Network. * Phishing data is aggregated from a combination of sources including strategic partners, customers and security solutions.