Internet Security Threat Report 2013: Government
2012 Trends, Volume 18, Published April 2013

Symantec Corporation Internet Security Threat Report 2013 :: Volume 18

CONTENTS

03 Introduction
04 Executive Summary
06 2012 Security Timeline
09 2012 in Numbers
13 Targeted Attacks, Hacktivism, and Data Breaches
  14 Introduction
  14 Data
  17 DDoS Used as a Diversion
  17 Data Breaches
  19 Analysis
  19 Cyberwarfare, Cybersabotage, and Industrial Espionage
  20 Advanced Persistent Threats and Targeted Attacks
  20 Social Engineering and Indirect Attacks
  21 Watering Hole Attacks
23 Vulnerabilities, Exploits, and Toolkits
  24 Introduction
  24 Data
  26 Analysis
  26 Web-based Attacks on the Rise
  27 The Arms Race to Exploit New Vulnerabilities
  27 Malvertising and Website Hacking
  28 Web Attack Toolkits
  29 Website Malware Scanning and Website Vulnerability Assessment
  29 The Growth of Secured Connections
  29 Norton Secured Seal and Trust Marks
  29 Stolen Key-signing Certificates
31 Social Networking, Mobile, and the Cloud
  32 Introduction
  32 Data
  35 Analysis
  35 Spam and Phishing Move to Social Media
  37 Mobile Threats
  38 Cloud Computing Risks
40 Malware, Spam, and Phishing
  41 Introduction
  42 Data
  42 Spam
  45 Phishing
  46 Malware
  48 Website Exploits by Type of Website
  49 Analysis
  49 Macs Under Attack
  50 Rise of Ransomware
  51 Long-term Stealthy Malware
  51 Email Spam Volume Down
  51 Advanced Phishing
53 Looking Ahead
56 Endnotes
57 Appendix


Introduction

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of approximately 69 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, and other third-party data sources.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 51,644 recorded vulnerabilities (spanning more than two decades) from over 16,687 vendors representing over 43,391 products. Spam, phishing, and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 3 billion email messages and more than 1.4 billion Web requests are processed each day across 14 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. Symantec Trust Services provides 100 percent availability and processes over 4.5 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers the essential information to secure their systems effectively now and into the future.


Executive Summary

Internet security threats are a growing and unique challenge to governments and public sector organizations. First, they must protect themselves against the same threats as the business sector: malware, data theft, vandalism, and hacktivism. Then they are targets in their own right for persistent attacks, espionage, and potentially even cyber attacks. Finally, government bodies, often in collaboration with the private sector, have a responsibility to protect citizens, the economy, and national infrastructure against attack by hostile governments and non-state actors such as terrorist groups.

In a recent speech to business executives, the U.S. Secretary of Defense summarized the threat in powerful terms:[1]

“I know that when people think of cybersecurity today, they worry about hackers and criminals who prowl the Internet, steal people’s identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today. But the even greater danger – the greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyber attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.”

[1] See http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136.

The most important trends in 2012 were:

Cyberespionage and Targeted Attacks on the Rise
We saw a 42 percent increase in targeted attacks, with more attacks aimed at smaller businesses, perhaps using them as a stepping stone into their customers. This suggests that organizations need to pay attention to the security of their entire supplier ecosystem as well as their own systems. Attackers focus their attacks on junior employees just as much (if not more) as they do on executives and VIPs, often because their accounts are less well protected. Attackers continued to develop increasingly sophisticated ways to infiltrate protected systems. For example, they started using watering hole attacks, a technique where malware on infected third-party websites is used to target employees who might visit those websites. In this type of attack, attackers might infect lobby groups or policy think tanks to infect government workers who might browse their sites.

Specialist Information Brokers
It looks increasingly likely that specialist information brokerage businesses are the hired guns of cyberespionage. The scope and scale of attacks suggest that well-resourced organizations are able to attack dozens of targets simultaneously and continuously research new zero-day attacks and attack software.

Attackers Moving Away from Email
Spam rates are down 29 percent, phishing attempts are down to one in 608 emails, and one in 291 emails contains a virus. While these attacks are in relative decline, social media is a new and growing battlefield. On the face of it, social networking doesn’t appear to be a threat for the public sector, but in reality it gives attackers a treasure trove of personal information for identity theft and targeted attacks. It’s also a new way to install malware on people’s computers.


Ill-protected Websites Put Us at Risk
We saw a threefold increase in the number of Web-based attacks. Online criminals are using different techniques to infect legitimate websites, including attack toolkits and malvertising. A line or two of code on a Web page can be very difficult to detect and it can infect thousands of visitors a day. Websites that are not well protected put other Web users at risk. As with watering hole attacks, the vulnerability of websites provides attackers with new and rapidly evolving ways to target individuals and organizations.

Zero-day Vulnerabilities
There were more zero-day vulnerabilities found actively being exploited in the wild than in years past. These are cases where an attack exploits a previously unknown vulnerability, as opposed to after a patch is made available by the vendor. While there were 8 zero-day vulnerabilities discovered in 2011, 14 were found in 2012. The rise of zero-day attacks and polymorphic malware renders moot any defense based purely on virus signature recognition; organizations need multi-layered defenses.

Mac Attacks
2012 was the end of the era in which Mac® computer users could plausibly claim immunity from malware. At least 600,000 Mac users were infected with the Flashback threat via a Java vulnerability. Having said that, beyond this one prevalent threat, Mac threats do not appear to have increased to any great extent. While the number of unique threats targeted at the Mac is up, only about 2.5 percent of the threats targeted Mac OS; the rest targeted Windows.

Data Breaches Gain Focus
At first glance, the numbers for data breaches paint a picture of an attack method in decline: there were fewer high-profile attacks, and the average number of identities exposed is down significantly. Where there were 1.1 million identities exposed per breach in 2011, this number decreased by nearly half, to 604,826 in 2012. These numbers are likely down due to a concerted effort by hacker groups Anonymous and LULZSec to publicize hacks during 2011—something that was not seen to the same extent in 2012. However, the global median is up, from 2,400 to 8,350 identities stolen per breach. Government agencies are particularly attractive targets for data thieves because they often hold valuable intellectual property (for example, patent offices) or personal information (for example, tax offices).

The U.S. government has been warning public sector organizations for several years about the whole spectrum of Internet security threats. More recently, other governments have started addressing the issue. Governments around the world are waking up to the need to educate their constituents about security and devote resources to improving defenses. Failure threatens more than a “cyber Pearl Harbor”; it could mean a loss of economic competitiveness and long-term economic decline.



2012 Security Timeline

01 January
Data breach: 24 million identities stolen in data breach at Zappos apparel company.
Malcode: A scam involving malicious browser plug-ins for Firefox and Chrome is discovered.

02 February
… returns, four months after being taken down.
Social networking: Scammers are discovered leveraging social networks Tumblr and Pinterest.

03 March
Botnet: Researchers take down new variant of the Kelihos botnet, which reappears in a new form later in the month.
Hacks: Six individuals are arrested as alleged members of the hacking collective LulzSec.
Botnet: Security researchers take down key servers for the botnet.
Data breach: A payment processor for a number of well-known credit card companies, including Visa and MasterCard, was compromised, exposing details of 1.5 million accounts.[2]
Mobile: A non-malware-based scam involving the Opfake gang is found that targets iPhone users.

04 April
Mac: Over 600,000 Mac computers are infected by the OSX.Flashback Trojan through an unpatched Java exploit.
Mac: A second Mac Trojan is discovered, OSX.Sabpab, which also uses Java exploits to compromise a computer.

05 May
Mobile: Google announces Google Bouncer, an app scanner for the Google Play market.
Malware: The cyberespionage threat W32.Flamer is discovered.
Certificate Authorities: Comodo, a large Certificate Authority, authenticated and issued a legitimate code-signing certificate to a fictitious organization run by cybercriminals. This was not discovered until August.

06 June
Data breach: LinkedIn suffers data breach, exposing millions of accounts.
Malware: A Trojan by the name of Trojan.Milicenso is discovered, which causes networked printers to print large print jobs containing illegible characters.

[2] See http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/.


07 July
Botnet: Security researchers disable the … botnet.
Malware: Windows malware is discovered in Apple’s App Store, embedded in an application.
Mac: A new Mac threat called OSX.Crisis opens a back door on compromised computers.
Botnet: DNS servers, maintained by the FBI in order to keep computers previously infected with the DNSChanger Trojan safe, are shut off.
Malware: A Trojan used to steal information from the Japanese government is discovered after being in operation for two years.
Malware: A second printer-related threat called W32.Printlove, which causes large print jobs to print garbage, is discovered.

08 August
Hacks: Reuters news service suffers a series of hacks resulting in fake news stories posted on its website and Twitter account.
Malware: Crisis malware is discovered targeting VMware® virtual machine images.
Malware: W32.Gauss is discovered. The scope of the threat is concentrated in the Middle East, in a similar way to W32.Flamer.

09 September
Malware: A new version of the Blackhole attack toolkit, dubbed Blackhole 2.0, is discovered.
Botnet: Security researchers disable an up-and-coming botnet known as “Nitol.”
Mobile: A vulnerability is discovered in Samsung’s version of Android™ that allows a phone to be remotely wiped.
DDoS: FBI issues warning about possible DDoS attacks against financial institutions as part of a “distraction” technique.[3]

10 October
Malware: A ransomware threat distributed through Skype IM is discovered.
Data breach: Customer data is stolen from Barnes & Noble payment keypads.
Hacks: Attackers are discovered using a DDoS attack as a distraction in order to gather information that allowed them to later steal money from a targeted bank.

11 November
Hacks: Burglars found using a known exploit in a brand of hotel locks to break into hotel rooms.

12 December
Malware: Infostealer.Dexter Trojan horse discovered targeting point-of-sale systems.
Certificate Authorities: Comodo incident from May discovered and details published.
Hacks: Attackers exploit a vulnerability in Tumblr, spreading spam throughout the social network.

[3] See http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf.


2012 in Numbers

Targeted Attacks in 2012: 42% increase

New Vulnerabilities
2010: 6,253
2011: 4,989
2012: 5,291

Average Number of Identities Exposed Per Breach in 2012: 604,826

Mobile Vulnerabilities
2010: 163
2011: 315
2012: 415


Estimated Global Email Spam Per Day (in billions)
2010: 62
2011: 42
2012: 30

% of All Spam with Dating & Sexual Content
2010: 3%
2011: 15%
2012: 55%

% of All Email Malware as URL
2010: 24%
2011: 39%
2012: 23%

Overall Spam Rate
2010: 89%
2011: 75%
2012: 69%

Overall Email Virus Rate, 1 in:
2010: 282
2011: 239
2012: 291

Overall Email Phishing Rate, 1 in:
2010: 442
2011: 299
2012: 414


Bot Zombies (in millions)
2010: 4.5
2011: 3.1
2012: 3.4

New Zero-Day Vulnerabilities
2010: 14
2011: 8
2012: 14

Web Attacks Blocked Per Day
2011: 190,370
2012: 247,350

Mobile Malware Families Increase 2011–2012: 58%

New Unique Malicious Web Domains
2010: 43,000
2011: 55,000
2012: 74,000


Targeted attacks, hacktivism, and data breaches

Introduction

“Just as nuclear was the strategic warfare of the industrial era, cyberwarfare has become the strategic war of the information era,” says U.S. Secretary of Defense Leon Panetta.[4] Cyberespionage and cybersabotage are already a reality. Outside the realm of states and their proxies, corporate spies are using increasingly advanced techniques to steal company secrets or customer data for profit. Hacktivists with political and antibusiness agendas are also busy. The string of media revelations about security breaches this year suggests that the business world is just as vulnerable to attack as ever.

At a Glance
• Targeted attack global average per day: 116.
• Increasing levels of industrial espionage and data theft.
• More insidious targeted attacks, with new “watering hole” attacks and sophisticated social engineering.
• Fewer big data breaches, but the median number of identities stolen per breach has increased by 3.5 times.

[4] Aviation Week & Space Technology, October 22, 2012, 82.

Data

[Chart: Targeted Attacks Per Day in 2012, January to December. Source: Symantec]

The global average number of attacks per day in 2012 was 116, compared with 82 in 2011 and 77 in 2010. We witnessed one large attack in April, and while events like this are extremely rare, it resulted in a large jump for that month. The figure of 116 excludes this event; with this company included, the global average would be nearer to 143 per day. This client was a large banking organization, which had not previously been a Symantec customer, and approached Symantec for help to remove an existing infection. The infection was removed; however, a large wave of targeted attacks followed as the attackers sought to regain access, ultimately failing.


Top 10 Industries Attacked in 2012 (Source: Symantec)
Manufacturing: 24%
Finance, Insurance & Real Estate: 19%
Services – Non-Traditional: 17%
Government: 12%
Energy/Utilities: 10%
Services – Professional: 8%
Aerospace: 2%
Retail: 2%
Wholesale: 2%
Transportation, Communications, Electric, Gas: 1%

Manufacturing was the most-targeted sector in 2012, with 24 percent of targeted attacks destined for this sector, compared with 15 percent in 2011. Attacks against government and public sector organizations fell from 25 percent in 2011, when it was the most targeted sector, to 12 percent in 2012. It’s likely the frontline attacks are moving down the supply chain, particularly for small to medium-sized businesses. (Categories based on Standard Industrial Classification codes.)


Attacks by Size of Targeted Organization (Source: Symantec)
2,501+ employees: 50%
1,501 to 2,500 employees: 9%
1,001 to 1,500 employees: 2%
501 to 1,000 employees: 3%
251 to 500 employees: 5%
1 to 250 employees: 31% (18% in 2011; 13% increase)

Organizations with 2,501+ employees were the most targeted, with 50 percent of targeted attacks destined for this size of organization, almost exactly the same percentage as in 2011. Targeted attacks destined for Small Business (1 to 250 employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percent.


[Chart: Targeted Attack Recipients by Role in 2012, percentage change 2011 to 2012. Source: Symantec. Roles: Chief Exec. or Board Level; PR and Marketing; Personal Assistant; Research & Development; Human Resources; Sales; Senior Management; Shared Mailbox (info@, sales@, etc.)]

In 2012, the most frequently targeted job role was in R&D, which accounted for 27 percent of attacks (9 percent in 2011). The second most notable increase was against sales representatives, probably because their contact details are more widely available in the public domain, with 24 percent of attacks in 2012 versus 12 percent in 2011. In 2011, C-level executives were the most targeted, with 25 percent, but this number fell to 17 percent in 2012.

DDoS Used as a Diversion

In September, the FBI issued a warning to financial institutions that some DDoS attacks are actually being used as a “distraction.” These attacks are launched before or after cybercriminals engage in an unauthorized transaction and are an attempt to avoid discovery of the fraud and prevent attempts to stop it.

In these scenarios, attackers target a company’s website with a DDoS attack. They may or may not bring the website down, but that’s not the main focus of such an attack; the real goal is to divert the attention of the company’s IT staff towards the DDoS attack. Meanwhile, the hackers attempt to break into the company’s network using any number of other methods that may go unnoticed as the DDoS attack continues in the background.[5]

Data Breaches

The overall number of data breaches is down by 26 percent, according to the Norton Cybercrime Index,[6] though over 93 million identities were exposed during the year, a decrease of 60 percent over last year. The average number of identities stolen is also down this year: at 604,826 per breach, this is significantly smaller than the 1.1 million per breach in 2011.

So why are the number of breaches and identities stolen down in 2012? For starters, there were five attacks in which more than 10 million identities were stolen in 2011. In 2012 there was only one, which results in a much smaller spread from the smallest to the largest data breach. However, the median number—the midpoint of the data set—increased by 3.5 times in 2012, from 2,400 to 8,350 per breach. Using the median is a useful measure because it ignores the extremes, the rare events that resulted in large numbers of identities being exposed, and is more representative of the underlying trend.

Part of the wide difference between data breaches in 2011 and 2012 is likely down to a concerted effort by the notorious hacker groups Anonymous and LulzSec to publicize hacks during 2011—something that was not seen to the same extent in 2012. It’s possible that companies are paying more attention to protecting customer databases, or that hackers have found other, more valuable targets, or that they are still stealing the data but not being detected.

[5] See http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf.
[6] The data for the data breaches that could lead to identity theft is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. Data for the CCI is primarily derived from the Symantec Global Intelligence Network and, for certain data, from ID Analytics. The majority of the Norton CCI’s data comes from Symantec’s Global Intelligence Network, one of the industry’s most comprehensive sources of intelligence about online threats. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information, including name, address, Social Security numbers, credit card numbers, or medical history. Using publicly available data, the Norton CCI determines the sectors that were most often affected by data breaches, as well as the most common causes of data loss.
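The correlation the FBI alert points to, as an added example that is not part of the report: sensitive banking events are triaged against DDoS alert windows so that a transaction or privileged login hidden behind a diversionary DDoS is escalated rather than deferred. Log fields, hosts, timestamps and the review threshold are constructed for illustration.

```python
"""Triage logic for the "DDoS as a diversion" pattern: a sensitive
transaction or privileged login that lands inside (or just before/after) a
DDoS alert window is escalated rather than left waiting behind the DDoS.
Added example; the log format, field names, hosts and thresholds are
constructed and not taken from any real system."""
from datetime import datetime, timedelta

# Constructed sample data: one DDoS alert from the network monitor and a few
# sensitive events from the banking application's audit log.
DDOS_ALERTS = [
    {"start": "2012-10-03T14:05:00", "end": "2012-10-03T15:40:00",
     "target": "www.example-bank.test"},
]
SENSITIVE_EVENTS = [
    {"ts": "2012-10-03T09:10:00", "type": "wire_transfer", "user": "treasury",
     "amount": 12000, "src_ip": "10.0.4.12"},
    {"ts": "2012-10-03T13:58:00", "type": "wire_transfer", "user": "ops.clerk",
     "amount": 480000, "src_ip": "203.0.113.9"},
    {"ts": "2012-10-03T14:20:00", "type": "admin_login", "user": "svc_backup",
     "amount": 0, "src_ip": "198.51.100.7"},
    {"ts": "2012-10-04T16:00:00", "type": "wire_transfer", "user": "treasury",
     "amount": 900000, "src_ip": "10.0.4.12"},
]

# The FBI alert describes the DDoS being launched before or after the
# fraudulent transaction, so the alert window is padded on both sides.
DEFAULT_MARGIN = timedelta(hours=2)
HIGH_VALUE = 250000  # constructed review threshold


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def overlapping_alert(event_ts, alerts, margin=DEFAULT_MARGIN):
    """Return the first DDoS alert whose padded window contains event_ts."""
    for alert in alerts:
        start = parse_ts(alert["start"]) - margin
        end = parse_ts(alert["end"]) + margin
        if start <= event_ts <= end:
            return alert
    return None


def triage(events, alerts, margin=DEFAULT_MARGIN, high_value=HIGH_VALUE):
    """Assign a priority to each sensitive event.

    escalate  : inside a padded DDoS window; review now, do not defer
    high_value: large transfer outside any DDoS window; normal fraud review
    routine   : everything else
    """
    results = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        alert = overlapping_alert(ts, alerts, margin)
        if alert is not None:
            start, end = parse_ts(alert["start"]), parse_ts(alert["end"])
            when = "before" if ts < start else "after" if ts > end else "during"
            results.append({"event": ev, "priority": "escalate",
                            "reason": f"{ev['type']} {when} DDoS on {alert['target']}"})
        elif ev["amount"] >= high_value:
            results.append({"event": ev, "priority": "high_value",
                            "reason": "amount above review threshold"})
        else:
            results.append({"event": ev, "priority": "routine", "reason": ""})
    return results


def escalated_users(results):
    """Users whose activity should be re-verified out of band before settlement."""
    return sorted({r["event"]["user"] for r in results if r["priority"] == "escalate"})


if __name__ == "__main__":
    for r in triage(SENSITIVE_EVENTS, DDOS_ALERTS):
        print(r["priority"].ljust(10), r["event"]["ts"], r["event"]["user"], r["reason"])
```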


Healthcare, education, and government accounted for nearly two-thirds of all identities breached in 2012. This suggests that the public sector should further increase efforts to protect personal information, particularly considering how these organizations are often looked upon as the custodians of information for the most vulnerable in society. Alternatively, this could indicate that the private sector may not be reporting all data breaches, given how many public sector organizations are required by law to report breaches.

The vast majority (88 percent) of reported data breaches were due to attacks by outsiders. But it is safe to assume that unreported data breaches outnumber reported ones. Whether it is lost laptops, misplaced memory sticks, deliberate data theft by employees or accidents, the insider threat also remains high. To illustrate this point, the UK Information Commissioner’s Office fined and prosecuted more businesses because of insider slipups than because of outsider attacks. Most SMBs should worry about someone in accounts just as much as they should worry about an anonymous hacker. At 36 percent, the healthcare industry continues to be the sector responsible for the largest percentage of disclosed data breaches by industry.

Data Breaches by Sector in 2012 (Source: Symantec)
Healthcare: 36%
Education: 16%
Government: 13%
Accounting: 9%
Computer Software: 6%
Financial: 6%
Information Technology: 5%
Telecom: 4%
Computer Hardware: 3%
Community and Nonprofit: 3%

[Chart: Timeline of Data Breaches, 2012. Source: Symantec. Bars: number of incidents per month; line: sum of identities breached (millions) per month, January to December; 31 million breached in January.]

January saw the largest number of identities stolen in 2012, due to one breach of over 24 million identities, while the numbers for the rest of the year mostly fluctuated between one and 12 million identities stolen per month.

The average number of breaches for the first half of the year was 11, and rose to 15 in the second half of the year, a 44 percent increase.


Average Cost Per Capita of a Data Breach[7] (Source: Symantec)
U.S.: $194
Denmark: $191
France: $159
Australia: $145
Japan: $132
UK: $124
Italy: $102
Indonesia: $42

Top Causes of Data Breaches in 2012 (Source: Symantec)
Hackers: 40%
Accidentally made public: 23%
Theft or loss of computer or drive: 23%
Insider theft: 8%
Unknown: 6%
Fraud: 1%

At US$194, the United States is the country with the highest cost per capita, with Denmark a close second at $191 per capita. Hackers continue to be responsible for the largest number of data breaches, making up 40 percent of all breaches.

[7] See http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf.

Analysis

Cyberwarfare, Cybersabotage, to defensive and offensive cyberwarfare capabilities. In 2012, and Industrial Espionage it was still unlikely that most businesses would encounter such an attack, and the greatest risk comes from the more prevalent Targeted attacks have become an established part of the threat targeted attacks that are created for the purposes of industrial landscape and safeguarding against them has become one of espionage. Increasingly, small to medium-sized businesses the main concerns of CISOs and IT managers. Targeted attacks (SMB) are finding themselves on the frontline of these targeted are commonly used for the purposes of industrial espionage to attacks as they have fewer resources to combat the threat gain access to the confidential information on a compromised and a successful attack here may subsequently be used as the computer system or network. They are rare but potentially the springboard to further attacks against a larger organization to most difficult attacks to defend against. which they may be a supplier. It is difficult to attribute an attack to a specific group or a Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer and government without sufficient evidence. The motivation and Disttrack in 2012 show increasing levels of sophistication and the resources of the attacker sometimes hint to the possibility danger. For example, the malware used in the Shamoon attacks that the attacker could be state sponsored, but finding clear on a Saudi oil firm had the ability to wipe hard drives.8 08 See http://www.symantec. evidence is difficult. Attacks that could be state sponsored, com/connect/blogs/ The same techniques used by cybercriminals for industrial but appear to be rare in comparison with regular cybercrime, shamoon-attacks. though they have often gained more notoriety. 
They can be espionage, may also be used by states and state proxies for among the most sophisticated and damaging of these types of cyber attacks and political espionage. Sophisticated attacks may threats. Governments are undoubtedly devoting more resources be reverse-engineered and copied so that the same or similar p. 20

Symantec Corporation Internet Security Threat Report 2013 :: Volume 18

Targeted attacks, hacktivism, and data breaches

09 Internet Security Threat Report, April Timeline of Targeted Attacks 9 2012, “Targeted Source: Symantec Attacks,” 16.

Ghostnet Stuxnet Nitro Attacks Flamer & Gauss • March 2009 • June 2010 • July–October 2011 • May 2012 – Aug 2012 • Large-scale • Against Chemical • Highly Sophisticated Cyberspying Industry Threat Operation • Targets Middle East

2009 2010 2011 2012

Hydraq RSA Attacks Sykipot / Taidoor Elderwood Project • January 2010 • August 2011 Attacks • September 2012 • Operation “Aurora” • Targeting Defense • Main Target: Defense. Industry and Same group identified Governments using Hydraq (Aurora) in 2009

techniques can be used in less discriminate attacks. A further risk is that malware developed for cybersabotage may spread beyond its intended target and infect other computers in a kind of collateral damage.

Advanced Persistent Threats and Targeted Attacks

Targeted attacks combine social engineering and malware to target individuals in specific companies with the objective of stealing confidential information such as trade secrets or customer data. They often use custom-written malware and sometimes exploit zero-day vulnerabilities, which makes them harder to detect and potentially more infective.

Targeted attacks use a variety of vectors as their main delivery mechanism, such as malware delivered in an email, or drive-by downloads from an infected website that the intended recipient is known to frequent, a technique known as a "watering hole" attack.

APTs are often highly sophisticated and more insidious than traditional attacks, relying on highly customized intrusion techniques. While targeted attacks are becoming more common, the resources required to launch an advanced persistent threat campaign mean they are limited to well-funded groups attacking high-value targets.

Symantec saw a 42 percent increase in the targeted attack rate in 2012 compared with the preceding 12 months. While the manufacturing industry has become the main target, accounting for 24 percent of attacks, we also saw a wide range of companies coming under attack: not only large businesses, but increasingly SMBs as well. In 2011, 18 percent of targeted attacks were aimed at companies with fewer than 250 employees, but by the end of 2012, they accounted for 31 percent.

Social Engineering and Indirect Attacks

Attackers may be targeting smaller businesses in the supply chain because they are more vulnerable, have access to important intellectual property, and offer a stepping stone into larger organizations. In addition, they are also targeted in their own right. They are more numerous than enterprises, have valuable data, and are often less well-protected than larger companies. For example, an attacker may infiltrate a small supplier in order to use it as a springboard into a larger company. They might use personal information, emails, and files from an individual in such a smaller company to create a well-crafted email aimed at someone in a target company.

In 2012, we saw a big increase in attacks on people in R&D and sales roles compared to the previous year. This suggests that attackers are casting a wider net and targeting less senior positions below the executive level in order to gain access to companies. The increase in attacks has been particularly high in these two areas. Still, attacks on other areas, such as back-office roles, remain a significant threat.

Attackers continue to use social engineering techniques in targeted attacks. Examples include messages impersonating EU officials, messages that appear to come from security agencies in the United States and target other government officials, or messages that piggyback announcements about new procurement plans from potential government clients such as the U.S. Air Force. This shows extensive research and a sophisticated understanding of the motivation of recipients, and makes it much more likely that victims will open attachments that contain malware.

Watering Hole Attacks[10]

The biggest innovation in targeted attacks was the emergence of watering hole attacks. This involves compromising a legitimate website that a targeted victim might visit and using it to install malware on their computer. For example, this year we saw a line of code in a tracking script[11] on a human rights organization's website with the potential to compromise a computer. It exploited a new, zero-day vulnerability in Internet Explorer® to infect visitors. Our data showed that within 24 hours, people in 500 different large companies and government organizations visited the site and ran the risk of infection. The attackers in this case, known as the Elderwood Gang, used sophisticated tools and exploited zero-day vulnerabilities in their attacks, pointing to a well-resourced team backed by a large criminal organization or a nation state.[12]

Web Injection Process Used in Watering Hole Attacks (Source: Symantec)
1. Attacker profiles victims and the kind of websites they go to.
2. Attacker then tests these websites for vulnerabilities.
3. When the attacker finds a website that he can compromise, he injects JavaScript or HTML, redirecting the victim to a separate site that hosts the exploit code for the chosen vulnerability.
4. The compromised website is now "waiting" to infect the profiled victim with a zero-day exploit, just like a lion waiting at a watering hole.

10 See http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf.
11 See http://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid.
12 See http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf.
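Step 3 of the process above, the injected script or hidden frame that sends visitors to an exploit host, is also what a site owner can look for in their own pages. The Python example below is added here and is not Symantec's code; it parses a page's HTML and reports every script or iframe that loads from a host outside an allowlist of expected origins, or that is sized or styled so that the visitor never sees it. The sample page, the site host www.example.org and the allowlisted analytics host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collects every <script src> and <iframe src> in a page, noting whether
    the element is styled or sized so that a visitor would never see it."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (
            a.get("width") == "0"
            or a.get("height") == "0"
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.resources.append((tag, src, hidden))


def host_of(src, page_host):
    """Host that an src attribute loads from; relative URLs belong to the page."""
    if src.startswith("//"):  # protocol-relative URL
        src = "http:" + src
    return (urlparse(src).hostname or page_host).lower()


def find_injected_resources(html, page_host, allowed_hosts=()):
    """Return (tag, src, reason) for each script or iframe that loads from a host
    that is neither the page's own nor on the allowlist, or that is hidden.
    Both conditions are typical of the injected redirect in a watering hole."""
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    parser = _ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, src, hidden in parser.resources:
        host = host_of(src, page_host)
        reasons = []
        if host not in allowed:
            reasons.append("loads from unlisted host " + host)
        if hidden:
            reasons.append("element is hidden")
        if reasons:
            findings.append((tag, src, "; ".join(reasons)))
    return findings


# Constructed sample page: two legitimate resources, plus a script and a hidden
# iframe injected from hosts the site does not use (all names are made up).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://analytics.example.net/track.js"></script>
<script src="http://stats.attacker.invalid/count.js"></script>
</head><body>
<iframe src="https://www.example.org/embed/video"></iframe>
<iframe src="http://exploit-host.invalid/index.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_resources(
        SAMPLE_PAGE, "www.example.org", allowed_hosts={"analytics.example.net"}
    ):
        print(finding)
```

Run against a site's real pages, the allowlist is the set of third-party hosts the site is known to use (analytics, CDNs, ad networks); anything else, and any zero-sized frame, is worth a look, since the modified tracking script described above is exactly a change to a resource the site already trusted.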


Recommendations

Assume You're a Target.
Small size and relative anonymity are not defenses against the most sophisticated attacks. Targeted attacks threaten small companies as well as large ones. Attackers could also use your website as a way to attack other people. If you assume you are a potential target and improve your defenses against the most serious threats, you will automatically improve your protection against other threats.

Defense in Depth.
Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network. Endpoints must be secured by more than signature-based antivirus technology.

Educate Employees.
Raise employees' awareness about the risks of social engineering and counter it with staff training. Similarly, good training and procedures can reduce the risk of accidental data loss and other insider risks. Train staff about the value of data and how to protect it.

Data Loss Prevention.
Prevent data loss and exfiltration with data loss protection software on your network. Use encryption to protect data in transit, whether online or via removable storage.

Vulnerabilities, Exploits, and Toolkits

Introduction

Recent research by the Ponemon Institute suggests that the cost of cybercrime rose by six percent in 2012 with a 42 percent increase in the number of cyberattacks. The cost is significant, with businesses incurring an average cost of $591,780.[13] Given the increased availability of vulnerabilities and exploits, it comes as no surprise that cybercriminals have increased their ability to make a profit.

Quite a few diverse skills are needed to find vulnerabilities, create ways to exploit them, and then run attacks using them. Fortunately for the cybercriminal, a black market exists where these skills can be purchased in the form of toolkits. Hackers find and exploit, or sell, vulnerabilities. Toolkit authors find or buy exploit code and incorporate it into their "products." Cybercriminals in turn buy or steal the latest versions of toolkits, which allow them to run massive attacks without the trouble of learning the skills needed to run the whole operation.

At a Glance
• Usage of zero-day vulnerabilities is up, from 8 to 14 in 2012.
• There is an increasingly sophisticated black market serving a multi-billion dollar online crime industry.
• These vulnerabilities are later commercialized and added to Web-attack toolkits, usually after they become published publicly.
• In 2012, drive-by Web attacks increased by one third, possibly driven by malvertising.
• Around 600,000 Macs were infected with Flashback malware this year.
• The Sakura toolkit, which had little impact in 2011, now accounts for approximately 22 percent of Web-based toolkit attacks, overtaking Blackhole during some points of the year.

13 See http://www.symantec.com/connect/blogs/cost-cybercrime-2012.

Data

Browser Vulnerabilities 2010 – 2012 (Source: Symantec)
Chart of the share of browser vulnerabilities by product (Apple Safari, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Opera), 2010 to 2012, y-axis 0 to 50 percent.

Plug-in Vulnerabilities 2010 – 2012 (Source: Symantec)
Chart of the share of plug-in vulnerabilities by product (Adobe Flash Player, Oracle Sun Java, Adobe Acrobat Reader, Apple QuickTime), 2010 to 2012, y-axis 0 to 50 percent.


Total Vulnerabilities (Source: Symantec)
Chart of vulnerabilities reported per month, January to December 2012, y-axis 0 to 600.
• There were 5,291 vulnerabilities reported in 2012, compared with 4,989 in 2011.
• Reported vulnerabilities per month in 2012 fluctuated roughly between 300 and 500 per month.
• In 2012, there were 85 public SCADA (Supervisory Control and Data Acquisition) vulnerabilities, a massive decrease from the 129 vulnerabilities in 2011.
• There were 415 mobile vulnerabilities identified in 2012, compared with 315 in 2011.

Zero-day Vulnerabilities (Source: Symantec)
Chart of zero-day vulnerabilities reported per month, January to December 2012, y-axis 0 to 3.
• A zero-day vulnerability is one that is reported to have been exploited in the wild before the vulnerability is public knowledge and prior to a patch being publicly available.
• There were 14 zero-day vulnerabilities reported in 2012.
• There were up to 3 zero-day vulnerabilities reported each month.


Analysis

Web-based Attacks on the Rise

We have seen the number of Web-based attacks increase by almost a third. These attacks silently infect enterprise and consumer users when they visit a compromised website. In other words, you can be infected simply by visiting a legitimate website. Typically, attackers infiltrate the website to install their attack toolkits and malware payloads, unbeknown to the site owner or the potential victims.

The malware payload that is dropped by Web-attack toolkits is often server-side polymorphic or dynamically generated, rendering enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks. A hidden piece of JavaScript™ or a few lines of code linking to another website can install malware that is very difficult to detect. It then checks the system of each visitor for browser or operating system vulnerabilities until it finds one that is likely to succeed, and it uses that to install malware on the visitor's computer.

These attacks are successful because enterprise and consumer systems are not up to date with the latest patches for browser plug-ins, such as Adobe's Flash Player® and Acrobat Reader®, as well as Oracle's Java™ platform. While a lack of attentiveness can be blamed for consumers remaining out of date, often in larger companies older versions of these plug-ins are required to run critical business systems, making it harder to upgrade to the latest versions. Such patch management predicaments, with slow patch deployment rates, make companies especially vulnerable to Web-based attacks.

The Arms Race to Exploit New Vulnerabilities

We have witnessed an increase in zero-day vulnerabilities this year. There were 14 unreported vulnerabilities first seen being used in the wild in 2012. This is up from 8 in 2011. Overall, reported vulnerabilities are up slightly in 2012, from 4,989 in 2011 to 5,291 in 2012. Mobile vulnerabilities are also up, from 315 in 2011 to 415 reported in 2012.

Organized groups, such as the team behind the Elderwood attacks, have worked to discover new weaknesses in everyday software such as Web browsers and browser plug-ins. When one vulnerability becomes public, they are able to quickly deploy a new one, which speaks to the sophistication of the groups discovering and exploiting these vulnerabilities.

There is an arms race between Internet criminals and legitimate software developers. Criminals' ability to quickly find and exploit new vulnerabilities is not matched by software vendors' ability to fix and release patches. Some software companies only patch once a quarter; others are slow to acknowledge vulnerabilities. Even if they do a good job with updates, companies are often slow to deploy them.

While zero-day vulnerabilities present a serious security threat, known (and even patched) vulnerabilities are dangerous if ignored. Many companies and consumers fail to apply published updates in a timely way. Toolkits that target well-known vulnerabilities make it easy for criminals to target millions of PCs and find the ones that remain open to infection. In fact, the vulnerabilities that are exploited the most often are not the newest.

It's important to note that the volume of vulnerabilities doesn't correlate to increased levels of risk. One single vulnerability in an application may present a critical risk to an organization, if exploited successfully. Analysis of risk from vulnerabilities exploited in Web-based attack toolkits is an area that Symantec will explore further in 2013.

The key is that it's not the latest zero-day vulnerability that is responsible for the widespread success of Web-based attacks. The rate of attacks from compromised websites has increased by 30 percent, while the rate of discovery of vulnerabilities has only increased by 6 percent. In a nutshell, it's older, non-patched vulnerabilities that cause most systems to get compromised.


Malvertising and Website Hacking

How does a hacker add his code to a legitimate website? Toolkits are available that make it easy. For example, in May 2012, the LizaMoon toolkit used a SQL injection technique to affect at least a million websites.[14] Other approaches include:
• Exploiting a known vulnerability in the website hosting or content management software
• Using phishing, spyware, or social engineering to get the webmaster's password
• Hacking through the Web server backend infrastructure, such as control panels or databases
• Paying to host an advertisement that contains the infection

This last technique, known as malvertising, means that legitimate websites can be impacted without even being compromised. This form of attack appears to be very common. Using experimental scanning software (see "Website Malware Scanning and Website Vulnerability Assessment" later in this section), Symantec found that half of the tested sites were infected by malvertising.

Malvertising opens an avenue of attack that hackers can use to compromise a website without having to directly hack the website itself. Using these malicious ads allows them to silently infect users, often installing dynamically created malware that antivirus alone is unable to detect. A sign of the seriousness of the problem is that Google and other search engines scan for malware and blacklist sites that contain malware.

There have been occasions when prominent advertising networks have fallen prey to malvertising, impacting some of the biggest names in online media.[15] Situations like this can have a serious impact on websites whose bottom line often depends on advertising revenue, even diminishing their credibility in the eyes of their readers. With dozens of advertising networks and constantly rotating adverts, tracking malvertising and preventing it is a huge challenge.

Online advertisement for a malware toolkit.

14 See http://www.symantec.com/connect/blogs/lizamoon-mass-sql-injection-tried-and-tested-formula.
15 See http://www.symantec.com/connect/blogs/danger-malware-ahead-please-not-my-site.
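The SQL injection route named above (the LizaMoon case) works because page content lives in a database that the site queries with visitor-supplied values, and a crafted value can change what the query does. The following Python example is added here and is not Symantec's code or any toolkit's: it uses an in-memory SQLite database with constructed articles to show the vulnerable query pattern beside the parameterized form, and a sweep that a site owner can run over stored content to find injected script references after a suspected mass-injection compromise. The table, column and host names are assumptions for the example.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed content store: three articles, one of which has been tampered
    with so that a script tag sits inside its body (the artifact a mass SQL
    injection leaves behind). The injected host name is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?, ?)",
        [
            (1, "Welcome", "<p>Hello</p>", 1),
            (2, "Draft", "<p>Not yet public</p>", 0),
            (3, "News", '<p>Update</p><script src="http://injected.invalid/ur.php"></script>', 1),
        ],
    )
    return conn


def get_published_article_unsafe(conn, article_id):
    """VULNERABLE: the identifier is spliced into the SQL text, so a crafted value
    such as '0 OR 1=1' rewrites the WHERE clause and returns every row, drafts
    included. Kept only as the 'before' half of this comparison."""
    sql = f"SELECT id, title FROM articles WHERE published = 1 AND id = {article_id}"
    return conn.execute(sql).fetchall()


def get_published_article_safe(conn, article_id):
    """HARDENED: validate the type, then bind the value with a placeholder; the
    database engine never interprets the input as SQL."""
    if not isinstance(article_id, int):
        raise ValueError("article id must be an integer")
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


# Matches a script or iframe element that references an external source.
SCRIPT_REF = re.compile(r"<\s*(script|iframe)\b[^>]*\bsrc\s*=", re.IGNORECASE)


def find_injected_markup(conn):
    """Integrity sweep: ids of rows whose stored content carries a script or
    iframe reference. In a column that should never hold such markup this is a
    strong indicator of a mass-injection compromise."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM articles"):
        if SCRIPT_REF.search(body or ""):
            hits.append(row_id)
    return hits


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe, crafted input :", get_published_article_unsafe(db, "0 OR 1=1"))
    print("safe, valid input     :", get_published_article_safe(db, 1))
    print("rows with injected markup:", find_injected_markup(db))
```

The safe variant rejects the crafted value before it reaches the database, and a bound parameter cannot widen the query even when the input is a string. The sweep is what to run over content tables after the fact; it does not stop the injection, so it complements the parameterized queries rather than replacing them.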


Web Attack Toolkits

It's one thing to discover new vulnerabilities, but another matter to implement a way to exploit them. Criminal entrepreneurs turn them into toolkits that less sophisticated users can buy and use. Like commercial software, they even include support and warranties. Authors accept payments using online payment services with anonymous numbered accounts.

Attack toolkits exist for creating a variety of malware and for attacking websites. The popular Blackhole toolkit, which received updates through the year, is a notorious example. This updating strategy suggests that it has a kind of brand loyalty and that the authors are building on that in the same way that legitimate software vendors do with their updates and new editions.

Blackhole continued to make its presence felt in 2012, making up 41 percent of all Web-based attacks. We also saw the release of an updated version of the toolkit, dubbed Blackhole 2.0, back in September. However, Blackhole's overall dominance may have begun to decline, as another Web attack toolkit surpassed Blackhole during a few months in the latter half of 2012. Sakura, a new entrant to the market, at its peak in 2012 made up as much as 60 percent of all toolkit activity, and 22 percent of overall toolkit usage in 2012.

Top Web Attack Toolkits by Percent (Source: Symantec)
• Blackhole: 41 percent
• Sakura: 22 percent
• Others: 20 percent
• Phoenix: 10 percent
• Redkit: 7 percent
Approximately 41 percent of Web-based toolkit attacks in 2012 related to the Blackhole toolkit, compared with 44 percent in 2011. The Sakura toolkit was not in the top 10 for 2011, and now accounts for approximately 22 percent of Web-based toolkit attacks, overtaking Blackhole at some points in the year.

Web Attack Toolkits Over Time (Source: Symantec)
Chart of the monthly share of Web attack toolkit activity, January to December 2012, y-axis 0 to 90 percent, by toolkit: Blackhole, Sakura, Nuclear, Redkit, Phoenix, and Others.


Website Malware Scanning and Website Vulnerability Assessment

In 2012, Symantec's Trust Services (formerly VeriSign) technology scanned over 1.5 million websites as part of its Website Malware Scanning and Vulnerability Assessment services. Over 130,000 URLs were scanned for malware each day, with 1 in 532 websites found to be infected with malware. The most common form of compromise was the use of drive-by downloads.

Furthermore, in assessing potentially exploitable vulnerabilities on websites, over 1,400 vulnerability scans were performed each day. Approximately 53 percent of websites scanned were found to have unpatched, potentially exploitable vulnerabilities (36 percent in 2011), of which 24 percent were deemed to be critical (25 percent in 2011). The most common vulnerability found was cross-site scripting.

The Growth of Secured Connections

One of the ways to judge the growth of usage for SSL is to monitor the change in statistics for OCSP (Online Certificate Status Protocol, which is used for obtaining the revocation status of a digital certificate) and CRL (Certificate Revocation List) lookups. When an SSL secured connection is initiated, a revocation check is performed using OCSP or CRL, and we track the number of lookups that go through our systems. This is a growth indicator for the number of SSL secured sessions that are performed online. This implies that more people are going online and using secured connections (for example, representing a growth of eCommerce transactions on the Web). It also may show the impact of the adoption of SSL more widely, in more places and for more uses, such as the growing use of Extended Validation SSL Certificates, which trigger browsers to indicate whether a user is on a secured site by turning the address bar green, and for "Always On SSL" (adopted heavily through 2012 by social networks, search services, and online email providers). Further, it may be a result of devices other than traditional desktops and laptops that enable online access; for example, smartphones and tablets.

In 2012, Symantec identified that the average number of OCSP lookups grew by 31 percent year on year between 2011 and 2012, with more than 4.8 billion lookups performed each day in 2012. The high-water-mark of OCSP lookups was 5.8 billion in a single day in 2012. It is worth noting that OCSP is the modern revocation checking methodology.

Additionally, Symantec's CRL lookups increased by 45 percent year on year between 2011 and 2012, with approximately 1.4 billion per day, and a high-water-mark of 2.1 billion. CRL is the older lookup technology that OCSP supersedes.

Norton Secured Seal and Trust Marks

In 2012, more consumers were visiting websites with trust marks (such as the Norton Secured Seal). Based on analysis of the statistics from Symantec's own trust marks, we saw an 8 percent increase in 2012. The Symantec trust mark was viewed up to 750 million times a day in 2012, as more online users require stronger security to safeguard their online activities.

Stolen Key-signing Certificates

2012 continued to show that organizations large and small were susceptible to becoming unwitting players in the global malware distribution network. We've seen increased activity of malware being signed with legitimate code-signing certificates. Since the malware code is signed, it appears to be legitimate, which makes it easier to spread.

Malware developers often use stolen code-signing private keys. They attack Certificate Authorities and, once inside their networks, they seek out and steal private keys. In other cases, poor security practices allow them to buy legitimate certificates with fake identities. For example, in May 2012, Comodo, a large Certificate Authority, authenticated and issued a legitimate code-signing certificate to a fictitious organization run by cybercriminals.[16]

16 See http://www.securityweek.com/comodo-certificates-used-sign-banking-trojans-brazil.


Recommendations

Use a Full Range of Protection Technology.
If the threat landscape was less advanced, then file scanning technology (commonly called antivirus) would be sufficient to prevent malware infections. However, with toolkits for building malware-on-demand, polymorphic malware and zero-day exploits, antivirus is not enough. Network-based protection and reputation technology must be deployed on endpoints to help prevent attacks. And behavior blocking and scheduled file scanning must be used to help find malware that avoids preventative defense.

Protect Your Public-facing Websites.
Consider Always On SSL to encrypt visitors' interactions with your site across the whole site, not just on the checkout or sign-up pages. Make sure you update your content management system and Web server software just as you would a client PC. Run vulnerability and malware scanning tools on your websites to detect problems promptly. Use strong passwords for admin accounts and other services, and protect these credentials against social engineering and phishing. Limit login access to important Web servers to users that need it. Adopting an Always On SSL approach helps to safeguard account information from unencrypted connections and thus renders end users less vulnerable to a man-in-the-middle attack.

Be Aggressive on Your Software Updating and Review Your Patching Processes.
The majority of Web-based attacks exploit the top 20 most common vulnerabilities. Consequently, installing patches for known vulnerabilities will prevent the most common attacks. It's essential to update and patch all your software promptly. In particular, with risks like the Flashback attacks that used Java, it's important to run the latest version of that software or do without it altogether. This is equally true for CIOs managing thousands of users, small business owners with dozens of users, or individual users at home.

Update, patch, and migrate from outdated and insecure browsers, applications, and browser plug-ins to the latest available versions using the vendors' automatic update mechanisms, especially for the top software vulnerabilities being exploited. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Consider removing vulnerable plug-ins from images for employees that have no need for that software. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.

Protect Code-signing Certificates.
Certificate owners should apply rigorous protection and security policies to safeguard keys. This means effective physical security, the use of cryptographic hardware security modules, and effective network and endpoint security, including data loss prevention on servers involved in signing code, and thorough security for applications used to sign code. In addition, Certificate Authorities need to ensure that they are using best practices in every step of the authentication process.
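The patching advice above is the kind of check that can be automated across an estate. The Python example below is added here and is not Symantec's code: it reads a constructed endpoint inventory, compares installed versions numerically against a table of minimum versions (placeholders for this example, not vendor advisories), and flags software for update, or for removal where a host has no business need for it, as the recommendation suggests. Host names, product names and version numbers are all constructed.

```python
import re

# Constructed minimum acceptable versions (placeholders for this example, not
# vendor advisories): anything older is treated as exposing a known, patched flaw.
MIN_VERSIONS = {
    "Adobe Flash Player": "11.5.502.149",
    "Adobe Reader": "10.1.5",
    "Oracle Java": "1.7.0_11",
    "Mozilla Firefox": "18.0",
}

# Constructed role policy: hosts listed here have no business need for the
# product, so the recommendation is removal rather than an update.
NOT_NEEDED = {
    "ws-sales-02": {"Oracle Java"},
}

# Constructed endpoint inventory, as a patch management agent might report it.
INVENTORY = [
    {"host": "ws-eng-01", "product": "Adobe Flash Player", "version": "11.5.502.146"},
    {"host": "ws-eng-01", "product": "Oracle Java", "version": "1.7.0_11"},
    {"host": "ws-sales-02", "product": "Oracle Java", "version": "1.6.0_37"},
    {"host": "ws-sales-02", "product": "Adobe Reader", "version": "10.1.5"},
    {"host": "ws-fin-03", "product": "Mozilla Firefox", "version": "3.6.28"},
    {"host": "ws-fin-03", "product": "Adobe Reader", "version": "11.0.1"},
]


def parse_version(text):
    """Turn '11.5.502.146' or '1.7.0_11' into a tuple of ints so that comparison
    is numeric, not lexical ('3.6.28' must sort below '18.0')."""
    parts = re.split(r"[._-]", text.strip())
    return tuple(int(p) for p in parts if p.isdigit())


def compare_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to, or newer than b.
    Missing trailing components count as zero ('18' equals '18.0')."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def review_patch_state(inventory, minimums, not_needed):
    """One finding per host/product that needs action: 'remove' when the host has
    no need for the software, otherwise 'update to X' when it is below the minimum."""
    findings = []
    for item in inventory:
        host, product, version = item["host"], item["product"], item["version"]
        if product in not_needed.get(host, set()):
            findings.append((host, product, version, "remove"))
        elif product in minimums and compare_versions(version, minimums[product]) < 0:
            findings.append((host, product, version, "update to " + minimums[product]))
    return findings


if __name__ == "__main__":
    for finding in review_patch_state(INVENTORY, MIN_VERSIONS, NOT_NEEDED):
        print(finding)
```

The numeric comparison matters more than it looks: a string comparison would rank Firefox "3.6.28" above "18.0" and silently pass an ancient browser, which is exactly the outdated-image situation the recommendation warns about.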

Social Networking, Mobile, and the Cloud

Introduction

Online criminals and spammers are less interested in email as an infection vector than they were. Why? Because social media is becoming so popular and it gives them many new ways to steal people's identities or personal information and infect their computers with malware.

Social media combines two behaviors that are useful for criminals: social proof and sharing. Social proofing is the psychological mechanism that convinces people to do things because their friends are doing it. For example, if you get a message on your Facebook wall from a trusted friend, you're more likely to click on it.

Sharing is what people do with social networks: they share personal information such as their birthday, home address, and other contact details. This type of information is very useful for identity thieves. For example, your social media profile might contain clues to security questions a hacker would need to reset your password and take control of your account.

People are spending more time online, and the most popular activity is social networking. Furthermore, younger users are more commonly using mobile devices to access the Internet and social media applications.[17]

Moreover, many mobile applications frequently rely on cloud-based storage, and without an Internet connection are often limited in their functionality. Many more people and businesses are routinely using cloud-based systems, sometimes without even realizing it.

The bank robber Willie Sutton famously explained why he robbed banks: "Because that's where the money is." Online criminals target social media because that's where the victims are.

Facebook users can report potential Facebook phishing scams to the company through the following email address: [email protected].

At a Glance
• Scammers continue to use social media as spam and phishing tools, including newer sites such as Pinterest and Instagram.
• Mobile malware has increased significantly in 2012 with new threats such as mobile .
• Thirty-two percent of all mobile malware steals information from the compromised device.
• Fast-growing trends towards cloud computing, bring your own device, and consumerization create additional risks for businesses.

17 See http://blog.nielsen.com/nielsenwire/social/2012/

Data

Top 5 Social Media Attacks in 2012 (Source: Symantec)

1. Fake Offering (56 percent). These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
2. Manual Sharing Scams (18 percent). These rely on victims to actually do the hard work of sharing the scam by presenting them with intriguing videos, fake offers, or messages that they share with their friends.
3. Likejacking (10 percent). Using fake "Like" buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user's newsfeed, spreading the attack.
4. Fake Plug-in Scams (5 percent). Users are tricked into downloading fake browser extensions on their machines. Rogue browser extensions can pose as legitimate extensions but, when installed, can steal sensitive information from the infected machine.
5. Copy and Paste Scams (3 percent). Users are invited to paste malicious JavaScript code directly into their browser's address bar in the hope of receiving a gift coupon in return.


Mobile Vulnerabilities (Source: Symantec)
Chart of mobile vulnerabilities reported per month, January to December 2012, y-axis 0 to 120; the March bar is labelled "121 mobile vulnerabilities in March".
• March was the most active month of 2012, with 121 vulnerabilities reported.
• There were 415 mobile vulnerabilities identified in 2012, compared with 315 in 2011.

Mobile Threats in 2012 (Source: Symantec)
Information stealing tops the list of activities carried out by mobile malware, with 32 percent of all threats recording some sort of information in 2012.
• Steal Information: 32 percent
• Traditional Threats: 25 percent
• Track User: 15 percent
• Send Content: 13 percent
• Reconfigure Device: 8 percent
• Adware/Annoyance: 8 percent


Cumulative Mobile Android Malware, Families and Variants, 2010 to 2012 (Source: Symantec)
Chart of cumulative Android malware families (left axis, 0 to 200) and variants (right axis, 0 to 5,000), by month from January 2010 to January 2012.
• 2012 saw a 58 percent increase in mobile malware families compared to 2011. The year's total now accounts for 59 percent of all malware to date.
• At the same time, the number of variants within each family has increased dramatically, from an average ratio of variants per family of 5:1 in 2011 to 38:1 in 2012. This indicates that threat authors are spending more time repackaging or making minor changes to their threats, in order to spread them further and avoid detection.

Mobile Threats by Device Type in 2012 (Source: Symantec)
In contrast to vulnerabilities, Android was by far the most commonly targeted mobile platform in 2012, comprising 103 out of 108 unique threats.

Device Type               Number of Threats
Android malware           103
Symbian malware           3
Windows Mobile malware    1
iOS malware               1


Mobile Vulnerabilities by OS (Source: Symantec)
The vast majority of vulnerabilities on mobile systems were on the iOS platform. However, the higher number of vulnerabilities is not indicative of a higher level of threat, because most mobile threats have not used software vulnerabilities.

Platform          Documented Vulnerabilities
Apple iOS         387
Android           13
BlackBerry        13
Nokia             0
LG Electronics    0
Windows Mobile    2

Analysis

Spam and Phishing Move to Social Media

In the last few years, we've seen a significant increase in spam and phishing on social media sites. Criminals follow users to popular sites. As Facebook and Twitter have grown in popularity for users, they have also attracted more criminal activity. However, in the last year, online criminals have also started targeting newer, fast-growing sites such as Instagram, Pinterest, and Tumblr.

Typical threats include fake gift cards and survey scams. These kinds of fake offer scams account for more than half (56 percent) of all social media attacks. For example, in one scam the victim sees a post on somebody's Facebook wall or on their Pinterest feeds (where content appears from the people they follow or in specific categories) that says "Click here for a $100 gift card." When the user clicks on the link, they go to a website where they are asked to sign up for any number of offers, turning over personal details in the process. The spammers get a fee for each registration and, of course, there's no gift card at the end of the process.

Typical social media scam.

Fake website with bogus survey.


Phishing site spoofing a social networking site promoting soccer star Lionel Messi.

Another trick is to use a fake website to persuade a victim to reveal their personal details and passwords; for example, their Facebook or Twitter account information. These phishing scams are insidious and often exploit people's fascination with celebrities such as professional athletes, film stars, or singers. We have seen an increase in phishing scams that target specific countries and their celebrities. In 2012, we have seen ever more threats targeting social media websites, as well as more and more new channels and platforms opening up, especially those that are available only as mobile applications. It is likely that these mobile social channels will become more targeted in 2013, especially those that are aimed specifically at teenagers and young adults, who may not know how to recognize such attacks and may be a little freer with their personal details.

We also documented a similar spam campaign on the popular photo-sharing app Instagram.[18]

18 See http://www.symantec.com/connect/blogs/instaspam-instagram-users-receive-gift-card-spam.


Mobile Threats

In the last year, we have seen a further increase in mobile malware. This correlates with the increasing number of Internet-connected mobile devices. Android has a 72 percent market share, with Apple® iOS a distant second at 14 percent, according to Gartner.19 As a result of its market share and open development environment, Android is the main target for mobile threats.

Typically, people use phones to store personal information and contact information, and increasingly they have high-speed Internet connections. The smartphone has become a powerful computer in its own right, and this makes these devices attractive to criminals. They also have the added advantage of being tied to a payment system, the owner's phone contract, which means that they offer additional ways for criminals to siphon off money from the victim.

We've seen a big rise in all kinds of mobile phone attacks:

• Android threats were more commonly found in Eastern Europe and Asia; however, during the last year, the number of Android threats in the rest of Europe and the United States has increased.
• Privacy leaks that disclose personal information, including the release of surveillance software designed to covertly transmit the owner's location.20
• Premium number fraud, where malicious apps send expensive text messages. This is the quickest way to make money from mobile malware. One mobile botnet Symantec observed used fake mobile apps to infect users, and by our calculation the botmaster is generating anywhere between $1,600 and $9,000 per day, or $547,500 to $3,285,000 per year.21
• Mobile botnets. Just as spammers have linked networks of PCs into botnets to send out unwanted email, criminals have now begun using Android botnets the same way.22 This suggests that attackers are adapting techniques used on PCs to work on smartphones.

Historically, malware infected smartphones through rogue app markets and through users sideloading apps directly onto their devices. However, legitimate app stores are not immune. In 2012, we saw rogue software masquerading as popular games on the Google® Play market, having bypassed Google's automated screening process.23

Businesses are increasingly allowing staff to "bring your own device" (BYOD) to work, either by allowing them to use personal computers, tablets, or smartphones for work, or even by subsidizing their purchase. Even when companies provide their own equipment, the trend towards consumerization means that companies often turn to consumer technology, such as file-sharing websites, and consumer devices, such as laptops or tablets, to reduce costs. These two trends open the door to a greater risk to businesses from mobile devices, because consumer devices more often lack security features such as encryption, access control, and manageability.

We have seen far more vulnerabilities published for the iOS platform, which accounts for 93 percent of the mobile vulnerabilities published in 2012, than for Android, yet Android dominates the malware landscape with 97 percent of new threats. While seemingly contradictory at first, there is a good reason for this: jailbreaking iOS devices. In order to install applications that are not available on the Apple App Store, a user must run an exploit against a vulnerability in the software. While not the safest approach from a security standpoint, this is the only way to install applications that are not available through the App Store, so there is a strong incentive to find iOS vulnerabilities that has little to do with malware.

In contrast, the Android platform provides the option to install apps from unofficial markets by simply changing a setting in the operating system. Since no exploit is needed, the same incentives to find vulnerabilities aren't present as there are on iOS. Android users are vulnerable to a whole host of threats; however, very few of those threats have used vulnerabilities to spread.

While Android clocks in with 103 new threats in 2012, this number may appear small compared with other estimates of the scope of the mobile threat landscape. Many estimates are larger because they count overall variants, as opposed to new, unique threats. While many of these variants have simply undergone minor changes in an attempt to avoid detection by antivirus scanners, Symantec counted at least 3,906 different mobile variants for the year.

There's an important distinction between old and new Android versions regarding security features. Google added a feature in Android 4.x to allow users to block any particular app from pushing notifications into the status bar. This came in response to feedback from users of older versions, annoyed by ad platforms that push notifications to the status bar.

Also, due to the rise of threats that silently send premium text messages (Android.Opfake, Android.Premiumtext, Android.Positmob, and Android.Rufraud, for instance), Google added a feature in Android 4.2 to prompt the user to confirm sending such premium text messages. This can be very helpful in protecting most users. However, at around 10 percent market penetration at the end of 2012,24 Android 4.2 devices account for only a small percentage of the total devices out there.

The Android ecosystem makes it harder to keep everyone up to date. Google releases the official platform, which works out of the box only on Nexus devices, Google's own branded devices. From there each manufacturer modifies and releases its own platform, which is in turn picked up by mobile network operators who also customize those platforms. This makes it impossible for any change coming from Google to be quickly available to all in-field devices. Any change to the platform requires thorough testing by each manufacturer and then by each operator, all adding to the time needed to reach users. Having so many device models also multiplies the resources all these companies have to allocate for each update, leading to infrequent updates or, in some cases, no updates at all for older devices.

For most exploits in the OS, Google released quick fixes; however, users still had long waits before they received the fix from their network operators. Some exploits are not in the original OS itself but in the custom modifications made by manufacturers, such as the exploit for Samsung models that appeared in 2012. Samsung was quick to fix it, but the fix still had to propagate through network operators to reach users. In practice, the version and patch level a device actually runs, not the version Google has shipped, determines its exposure.

Tighter control from Google over the platform could solve some of the "fragmentation" issues, but this could affect the relationship it has with manufacturers. A cut-off point for older Android versions could help to mitigate the risk, but it is usually the manufacturers that decide this.

19 See http://www.gartner.com/it/page.jsp?id=2237315.
20 See http://en.wikipedia.org/wiki/FinFisher and http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=1.
21 See http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet.
22 See http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet.
23 See http://news.cnet.com/8301-1009_3-57470729-83/malware-went-undiscovered-for-weeks-on-google-play.
24 See http://developer.android.com/about/dashboards/index.html.

Cloud Computing Risks

The cloud services market was expected to grow by 20 percent in 2012, according to Gartner.25 Cloud computing promises businesses a way to enhance their IT without heavy upfront capital costs and, for smaller businesses, it offers access to enterprise-class business software at an affordable price. On a fundamental level, it offers huge and growing economies of scale as Internet bandwidth and processing power continue to increase rapidly.

Cloud computing offers some potential security benefits, especially for smaller companies without dedicated IT security staff. Well-run cloud applications are more likely to be patched and updated efficiently. They are also more likely to be resilient, secure, and backed up than on-premises systems. However, cloud computing presents some security concerns, too:

• Privacy. Well-run cloud companies will have strong policies about who can access customer data (for example, for troubleshooting) and under what circumstances. Information should only be entrusted to a third party over the Internet where there is sufficient assurance as to how that data will be managed and accessed.
• Data Liberation. Cloud computing businesses make it easy to get started, and reputable companies make it easy to extract your data (for example, archived emails or customer records) if you want to change providers. Before entrusting their data to a cloud provider, potential users should fully evaluate the terms and conditions for extracting and recovering that data at a later date.
• Eggs in One Basket. As we have seen from large-scale data breaches in the last few years, attackers tend to go where they can score the most data for the least effort. If a cloud services provider stores confidential information for a large number of customers, it becomes a bigger target for attackers. A single breach at a cloud provider could be a gold mine of personal data for an attacker.
• Consumerization. Companies face a significant risk of accidental or deliberate data loss when their employees use unapproved cloud systems on an ad-hoc basis. For example, if company policies make it difficult to email large files to third parties, employees may decide to use free online file sharing applications instead. The risk is that these systems may fall short of company standards for security. For example, one popular file-sharing site left all its user accounts unlocked for four hours.26 In addition, where employees use unauthorized cloud applications for their work, such as social networking sites for marketing purposes, they open up the company to attack from Web-based malware.
• Infrastructure. Although not seen in the wild, there is a theoretical risk that in a virtualized, multi-tenant architecture, a malicious user could rent a virtual machine and use it to attack the system by exploiting a vulnerability in the underlying hypervisor, gaining access to other virtual machines running in the same environment. Consideration should also be given to encrypting data within the virtual machine to minimize the risk from unauthorized access to the physical hard disks.

25 See http://www.gartner.com/it/page.jsp?id=2163616.
26 See http://www.wired.com/threatlevel/2011/06/dropbox/.
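The premium-SMS trojans, location-leaking surveillance apps and boot-persistent bots discussed under Mobile Threats above are recognisable from the permission and receiver combinations an app declares in its manifest. The following Python script is an added example for this report, not Symantec code or tooling: it parses an Android manifest and flags those combinations. The sample manifest, the rule table and the "suspiciously high priority" threshold are constructed for the demonstration; the permission and action names are the standard Android ones.

```python
"""Static triage of an Android manifest for the permission combinations behind
the mobile threats described above (premium-SMS fraud, covert location
tracking, botnet persistence). Added example; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS

# Constructed manifest resembling a premium-SMS trojan dressed up as a game.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-sdk android:minSdkVersion="8" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <application android:label="Free Game">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def parse_manifest(xml_text):
    """Collect declared permissions, receiver actions and the highest
    priority of any SMS_RECEIVED receiver (short names, without the package)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME, "").rsplit(".", 1)[-1] for e in root.iter("uses-permission")}
    actions, sms_priority = set(), 0
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            prio = int(flt.get(PRIORITY, "0"))
            for action in flt.iter("action"):
                short = action.get(NAME, "").rsplit(".", 1)[-1]
                actions.add(short)
                if short == "SMS_RECEIVED":
                    sms_priority = max(sms_priority, prio)
    return {"permissions": perms, "actions": actions, "sms_priority": sms_priority}

# Each rule: (required permissions, required receiver actions, finding).
RULES = [
    ({"SEND_SMS"}, set(),
     "can send SMS without user interaction (premium-rate fraud)"),
    ({"SEND_SMS", "RECEIVE_SMS"}, {"SMS_RECEIVED"},
     "sends SMS and intercepts incoming SMS (can hide premium-rate replies)"),
    ({"RECEIVE_BOOT_COMPLETED"}, {"BOOT_COMPLETED"},
     "restarts itself at boot (persistence typical of mobile botnets)"),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, set(),
     "can read precise location and send it out (covert tracking)"),
]
HIGH_PRIORITY = 1000  # assumption: anything above this is trying to beat the SMS app

def triage_manifest(manifest):
    """Return the list of findings for a parsed manifest."""
    findings = [text for perms, acts, text in RULES
                if perms <= manifest["permissions"] and acts <= manifest["actions"]]
    if manifest["sms_priority"] >= HIGH_PRIORITY:
        findings.append("SMS receiver priority %d: sees messages before the default SMS app"
                        % manifest["sms_priority"])
    return findings

if __name__ == "__main__":
    for finding in triage_manifest(parse_manifest(SAMPLE_MANIFEST)):
        print("-", finding)
```

The rules deliberately look at combinations rather than single permissions: SEND_SMS on its own is common in legitimate messaging apps, but SEND_SMS plus a top-priority SMS_RECEIVED receiver is the pattern that lets a trojan both bill the victim and swallow the carrier's confirmation reply. The 4.2 confirmation prompt described above only helps on devices that run 4.2, so this kind of static check remains useful for the older fleet.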



Recommendations

Social Media Threats Are a Business Issue.
Companies are often unwilling to block access to social media sites altogether, but they need to find ways to protect themselves against Web-based malware on these and other sites. This means multi-layer security software at the gateway and on client PCs. It also requires aggressive patching and updating to reduce the risk of drive-by infections. Lastly, user education and clear policies are essential, especially regarding the amount of personal information users disclose online.

Protect Your Mobile Devices.
Consider installing security software on mobile devices. Also, users need to be educated about the risks of downloading rogue applications and how to use their privacy and permission settings. For company-provided devices, consider locking them down and preventing the installation of unapproved applications altogether.

Cloud Security Advice.27
Carry out a full risk assessment before signing up. Secure your own information and identities. Implement a strong governance framework.

27 For more advice about cloud adoption, see https://www4.symantec.com/mktginfo/.



Malware, spam, and phishing

Introduction

Malware, spam, and social engineering continue to be massive, chronic problems. Although they have been around for a long time, attacks continue to evolve and they still have the potential to do serious damage to consumers and businesses.

In addition, they hurt everyone by undermining confidence in the Internet. These chronic threats do not get much news coverage because they are "background noise," but that doesn't mean that they are unimportant. A useful comparison is the difference between plane crashes and car crashes. A single plane crash makes the national news, but the daily death toll on the roads goes unreported despite killing significantly more people each year.28

The popularity of ransomware is an example of all these themes. It locks people out of their computer unless they pay a swingeing "fine" to the perpetrators, and in most cases paying does not unlock the computer. It's corrosive to trust, expensive to remedy, and reveals a new level of ruthlessness and sophistication.

The numbers are telling. In one example, malware called Reveton (aka Trojan.Ransomlock.G) was detected attempting to infect 500,000 computers over a period of 18 days. According to a recent Symantec survey of 13,000 adults in 24 countries, average losses per cybercrime incident are $197.29 In the last 12 months an estimated 556 million adults worldwide experienced some form of cybercrime.

At a Glance
• With ransomware, malware has become more vicious and more profitable.
• Email spam volumes fall again, down 29 percent in 2012, as spammers move to social media.
• Phishing becomes more sophisticated and targets social networking sites.

28 In the United States, for example, the NTSB reports that 472 people died in aircraft accidents in 2010 compared with 32,885 in highway accidents. See http://www.ntsb.gov/data/index.html.
29 See http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02.

Figure: Irreversible ransomware locks people out of their computer unless they pay a "fine," which in most cases does not unlock the computer.



Data

Spam

Spam rates declined for a second year in a row, dropping from 75 percent of all email in 2011 to 69 percent in 2012. In 2011 we were reluctant to call this decrease in spam a permanent trend: botnets can be rebuilt, and new ones created. But several factors appear to be keeping spam rates lower than in previous years.

The takedowns of spam botnets continued in 2012. In March 2012 a resurrected Kelihos botnet was taken down for a second time. In July the Grum botnet was taken down. While both were significant spam botnets and contributed to the reduction in spam, email spammers are undoubtedly still feeling the pain of the botnet takedowns of 2011.

Additionally, pharmaceutical spam continues to decline, apparently unable to recover from the loss of the major players in the online pharmaceutical business.30 Given advancements in anti-spam technology, plus the migration of many users to social networks as a means of communication, spammers may be diversifying in order to stay in business.

This is not to say that the problem of spam has been solved. At 69 percent of all email, it still represents a significant amount of unwanted messages.

As email spam rates continue to decline, we see the same social engineering techniques that have been used in email spam campaigns increasingly being adopted in spam campaigns promoted through social networking channels.

30 See http://www.npr.org/blogs/money/2013/01/15/169424047/episode-430-black-market-pharmacies-and-the-spam-empire-behind-them.

Top 5 Activity for Spam Destination by Geography
Country         Spam rate
Saudi Arabia    79%
Bulgaria        76%
Chile           74%
Hungary         74%
China           73%

Top 5 Activity for Spam Destination by Industry
Industry                   Spam rate
Marketing/Media            69%
Manufacturing              69%
Recreation                 69%
Agriculture                69%
Chemical/Pharmaceutical    69%

Top 5 Activity for Spam Destination by Company Size
Organization Size    Spam rate
1-250                68%
251-500              68%
501-1,000            68%
1,001-1,500          69%
1,501-2,500          69%
2,501+               68%



Figure: Global Spam Volume Per Day in 2012, in billions, January to December (Source: Symantec)
• Spam volumes were highest in August.
• The estimated projection of global spam volumes decreased by 29 percent, from 42 billion spam emails per day in 2011 to 30 billion in 2012.

Figure: Global Spam Rate, 2012 vs 2011, percent of all email by month (Source: Symantec)
• The overall average global spam rate for 2012 was 69 percent, compared with 75 percent in 2011.



Figure: Pharmaceutical Spam, 2012 vs 2011, percent of all spam by month (Source: Symantec)
• Pharmaceutical spam makes up 21 percent of all spam, but was overtaken by the Adult/Sex/Dating category, which now makes up 55 percent of spam.
• Pharmaceutical spam in 2012 declined by approximately 19 percentage points compared with 2011.

Figure: Adult/Sex/Dating Spam, 2012 vs 2011, percent of all spam by month (Source: Symantec)
• Adult/Sex/Dating spam in 2012 increased by approximately 40 percentage points compared with 2011.
• This suggests an almost direct correlation between the decline in pharmaceutical spam and the increase in dating spam.
• The proportion of adult/sex/dating spam in 2012 was greater than the proportion of pharmaceutical spam in 2011, but the actual volume of adult/sex/dating spam in 2012 was lower than the volume of pharmaceutical spam in 2011, since overall spam volumes were lower in 2012 than in the previous year.



Phishing

Email phishing rates are also down this year, from one in 299 emails in 2011 to one in 414 in 2012.

The decline in the use of email as a method to spread spam and carry out phishing attacks does not necessarily indicate a drop in activity by attackers. Rather, it appears that we are seeing a shift in activity from email to other forms of online communication, such as social networks.

Top 5 Activity for Phishing Destination by Geography
Country           Phishing rate
Netherlands       1 in 123
South Africa      1 in 177
United Kingdom    1 in 191
Denmark           1 in 374
China             1 in 382

Top 5 Activity for Phishing Destination by Company Size
Company Size    Phishing rate
1-250           1 in 294
251-500         1 in 501
501-1,000       1 in 671
1,001-1,500     1 in 607
1,501-2,500     1 in 739
2,501+          1 in 346

Top 5 Activity for Phishing Destination by Industry
Industry                  Phishing rate
Public Sector             1 in 95
Finance                   1 in 211
Education                 1 in 223
Accommodation/Catering    1 in 297
Marketing/Media           1 in 355

Figure: Phishing Rate, 2012 vs 2011, one in N emails by month (Source: Symantec)
• Phishing rates dropped drastically in 2012; in many months the rate was less than half the rate of the same month in the previous year.
• The overall average phishing rate for 2012 was 1 in 414 emails, compared with 1 in 299 in 2011.



Malware

One in 291 emails contained a virus in 2012, down from one in 239 in 2011. Of that email-borne malware, 23 percent contained URLs that pointed to malicious websites rather than carrying the malware as an attachment. This is also down from 2011, when 39 percent of email-borne malware contained a link to a malicious website.

Much like the drop in spam and phishing rates, a drop in emails that contain viruses does not necessarily mean that attackers have stopped targeting users. Rather, it more likely points to a shift in tactics, targeting other online activities, such as social networking.

Top 5 Activity for Malware Destination by Industry
Industry                  Malware rate
Public Sector             1 in 72
Education                 1 in 163
Finance                   1 in 218
Marketing/Media           1 in 235
Accommodation/Catering    1 in 236

Top 5 Activity for Malware Destination by Geography
Country           Malware rate
Netherlands       1 in 108
Luxembourg        1 in 144
United Kingdom    1 in 163
South Africa      1 in 178
Germany           1 in 196

Top 5 Activity for Malware Destination by Company Size
Company Size    Malware rate
1-250           1 in 299
251-500         1 in 325
501-1,000       1 in 314
1,001-1,500     1 in 295
1,501-2,500     1 in 42
2,501+          1 in 252

Figure: Proportion of Email Traffic in Which Virus Was Detected, 2012 vs 2011, one in N emails by month (Source: Symantec)
• Overall numbers declined, with one in 291 emails containing a virus.
• In 2011, the average rate for email-borne malware was 1 in 239.



Figure: Proportion of Email Traffic Containing URL Malware, 2012 vs 2011, percent of email malware by month (Source: Symantec)
• Emails that contained a malicious URL dropped significantly in 2012. In some months the rate fell to less than half the rate of the same month in 2011.
• In 2012, approximately 23 percent of email malware contained a URL rather than an attachment, compared with 39 percent in 2011.

Figure: Website Malware Blocked Per Day, in thousands, July 2011 to December 2012 (Source: Symantec)
• In 2012, approximately 247,350 Web-based attacks were blocked each day.
• In 2011, this figure was approximately 190,370 per day. This represents an increase of 30 percent.



Website Exploits by Type of Website

Based on Norton Safe Web data, the Symantec technology that scans the Web looking for websites hosting malware, we've determined that 61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.

We see Business, which covers the consumer and industrial goods and service sectors, at the forefront this year. This could be due to the contribution of compromised sites from many SMBs that do not invest appropriate resources in protecting them. Hacking, which includes sites that promote or provide the means to carry out hacking activities, jumped to second, though it didn't appear in the top 15 in 2011.

Although the Technology and Telecommunication category, which provides information pertaining to computers, the Internet and telecommunication, ranks third this year, it accounts for 5.7 percent of the total compromised sites, only a 1.2 percentage point drop from 2011. Shopping sites, which provide the means to purchase products or services online, remain in the top five, but Shopping sees a drop of 4.1 percentage points.

It is interesting to note that Hosting, which ranked second in 2011, has moved down to seventh this year. This category covers services that provide individuals or organizations access to online systems for websites or storage. Due to the increase in reliable and free cloud-based hosting solutions, provided by the likes of Google, Dropbox and others, we see usage moving away from unreliable hosting solutions, which could have contributed to the drop. Blogging has also experienced a significant drop in 2012, moving down to fourth position. This could support the theory that people are moving towards social networking and exchanging information through such networks. Malware developers find it easy to insert malicious code in such sites and spread it using various means.

Website Exploits by Type of Website (Source: Symantec)
Rank    Top Domain Categories that Got Exploited    # of Infected Sites / Total # of Infected Sites
1       Business                                    7.7%
2       Hacking                                     7.6%
3       Technology and Telecommunication            5.7%
4       Blogging                                    4.5%
5       Shopping                                    3.6%
6       Known Malware Domain                        2.6%
7       Hosting                                     2.3%
8       Automotive                                  1.9%
9       Health                                      1.7%
10      Educational                                 1.7%

Top 10 Malware in 2012 (Source: Symantec)
Rank    Malware Name       %
1       W32..AE            6.9%
2       W32.Ramnit.B       5.1%
3       W32.Downadup.B     4.4%
4       W32..CF            2.2%
5       W32.SillyFDC       1.1%
6       W32.Mabezat.B      1.1%
7       W32.Xpaj.B         0.6%
8       W32.Changeup       0.6%
9       W32.Downadup       0.5%
10      W32.Imaut          0.4%



Analysis

Macs Under Attack

Historically, Mac users have felt less vulnerable to malware than PC users. As Apple has gained market share, Macs have become a more attractive target. In fact, 2012 saw the first significant Mac malware outbreak. The Flashback attack exploited a vulnerability in Java to create a cross-platform threat.31 It was incorporated into the Blackhole attack toolkit and used by criminals to infect 600,000 Macs,32 which is approximately one Mac in 100. Like more and more attacks in 2012, as discussed in the "Web Attack Toolkits" section, it spread when users visited infected websites. Although the Flashback malware was mainly used for advertising click fraud, it had other capabilities, such as giving hackers remote access to infected computers.33 Because most Mac users do not have antivirus software, the chances of detection, once infected, were small.

Does this indicate that hackers are going to start paying further attention to Macintosh computers as a platform to target? Not necessarily. While Mac users may encounter an occasional threat here or there, the vast majority of what they encounter is malware aimed at Windows computers. In fact, of all the threats encountered by Symantec customers who used Mac computers in the last quarter of 2012, only 2.5 percent were actually written specifically for Macs.

This isn't to say that Macs are a safer alternative to PCs; as we've seen, they're just as susceptible to attacks. There were more threats created specifically for the Mac in 2012 than in years past, and the trend appears to be rising.

31 See http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99.
32 See http://www.symantec.com/connect/blogs/flashback-cleanup-still-underway-approximately-140000-infections.
33 See http://www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once.

Figure: Mac Threat Families, 2007 to 2012 (Source: Symantec). There were more unique threats for OS X in 2012 than in any year previously.



Rise of Ransomware

Ransomware became a bigger challenge in 2012 as its popularity among malware authors increased. Unlike scareware, which encouraged you to buy fake antivirus protection, ransomware simply locks your computer and demands a release fee. The malware is often quite sophisticated and difficult to remove, and in some cases it persists in safe mode, blocking attempts at remote support.

Victims usually end up with ransomware from drive-by downloads, when they are silently infected while visiting websites that host Web attack toolkits. The ransomware is often served from legitimate sites that have been compromised by hackers who insert the malicious download code. Another source of infection is malvertisements, where criminals buy advertising space on legitimate websites and use it to hide their attack code, as discussed in the malvertisement section.

The perpetrators use social engineering to increase the chances of payment. The locking screen often contains a fake warning from local law enforcement, and the ransom is presented as a fine for criminal activity online. In some cases, ransomware also takes a photo of the victim using the webcam and displays this image in the locking screen, which can be unnerving for victims.

Criminals use anonymous money transfer systems or prepaid credit cards to receive the payments. The ransom typically ranges between $50 and $400. In many cases, payment doesn't unlock the computer. Symantec monitored a ransomware command and control server and saw 5,300 computers infected. About three percent of victims paid the ransom, which netted the criminals about $30,000.

Figure: Typical ransomware locking screen showing a fake police warning.



Long-term Stealthy Malware

Internet criminals are also making money from malware that stays hidden on victims' computers. Operating in botnets with many thousands of computers acting collectively, these stealthy programs send out spam or generate bogus clicks on website advertisements (which generate referral income for the site owners). These techniques don't generate rapid returns like ransomware; however, they are much less likely to be discovered and, thanks to clever coding, are more difficult to remove. Consequently, they can generate a constant stream of revenue over time.

Email Spam Volume Down

After decreases in 2011, this year saw a further reduction in the volume of email spam, from 75 percent of all email messages to 69 percent. There are several reasons for this. First, law enforcement action has closed down several botnets, reducing the number of messages being sent.34 Second, spammers are increasingly redirecting their efforts to social media sites instead of email. Lastly, spammers are improving the quality and targeting of their spam messages in an effort to bypass filters, and this has led to a reduction in the overall numbers being sent.

34 See http://krebsonsecurity.com/tag/planet-money/.

Advanced Phishing

While email spam and email phishing rates declined in 2012, phishing attacks overall have increased. Phishers are using very sophisticated fake websites, in some cases perfect replicas of real sites, to trick victims into revealing personal information, passwords, credit card details, and bank credentials. In the past they relied more on fake emails, but now those emails, coupled with similar links posted on social media sites, are used to lure the victim to these more advanced phishing websites. Typical fake sites include banks and credit card companies, as you'd expect, but also popular social media sites. The number of phishing sites that spoofed social network sites increased 123 percent in 2012.

If criminals can capture your social media login details, they can use your account to send phishing messages to all your friends. A message that seems to come from a friend appears much more trustworthy. Another way to use a cracked social media account is to send out a fake message to someone's friends about some kind of emergency. For example, "Help! I'm stuck overseas and my wallet has been stolen. Please send $200 as soon as possible."

In an attempt to bypass security and filtering software, criminals use complex website addresses and nested URL shortening services, so that the destination is only revealed after several redirects. They also use social engineering to motivate victims to click on links. In the last year, they have focused their messages around celebrities, movies, sports personalities, and attractive gadgets such as smartphones and tablets. The number of phishing websites that used SSL certificates, in an attempt to lull victims into a false sense of security, increased by 46 percent in 2012 compared with the previous year. A padlock icon proves only that the connection is encrypted, not that the site belongs to the organization it imitates.

We saw a significant (threefold) rise in non-English phishing in 2012. In particular, we saw a significant increase in South Korea. The non-English languages with the highest number of phishing sites were French, Italian, Portuguese, Chinese, and Spanish.



Recommendations

Protect Yourself Against Social Engineering.
For individuals as well as for businesses, it's essential that people learn to spot the telltale signs of social engineering, which can include undue pressure, titillation or a false sense of urgency; an offer that is literally too good to be true; bogus "officialese" in an attempt to make something look authentic (for example, lengthy reference numbers); implausible pretexts (for example, a Microsoft "representative" calls to tell you that your computer has a virus); and false quid-pro-quo offers (for example, receive a free gift when you provide personal or confidential information).

Avoid Ransomware.
Avoid marginal websites and, in particular, pirate software and adult sites. Do not install unsolicited plug-ins or executables if prompted to do so, even on legitimate websites. Consider using advertising blocker software in your browser. Ensure that your computer is up to date with the latest patches and updates to increase your resistance to drive-by infections. Keep backups and recovery disks so you can restore your computer rather than pay in an emergency. And, of course, have effective, up-to-date security software.

Think Before You Click.
That unsolicited email from a known acquaintance, such as your mother or coworker, may not be legitimate. Their account may have been compromised if they've fallen for a social engineering trick.

Antivirus on Endpoints Is Not Enough.
On endpoints (desktops and laptops), signature-based antivirus alone is not enough to protect against today's threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection, including:

• Endpoint intrusion prevention that protects unpatched vulnerabilities from being exploited, protects against social engineering attacks, and stops malware from ever making it onto endpoints;
• Browser protection against obfuscated Web-based attacks;
• Heuristic file-based malware prevention to provide more intelligent protection against unknown threats;
• File- and Web-based reputation solutions that provide a risk-and-reputation rating of any application and website to block rapidly mutating and polymorphic malware;
• Behavioral prevention capabilities that look at the behavior of applications and malware and block malicious behavior;
• Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
• Device control settings that prevent or limit the types of USB devices that can be used.
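The nested URL shorteners, brand-lookalike hosts and SSL-as-reassurance tricks described under Advanced Phishing, and the telltale signs of social engineering listed in the recommendation above, can all be checked mechanically before a user clicks. The following Python script is an added example, not code from this report or from Symantec: it unwraps a shortener chain, inspects the final host, and scores the message text against the listed cues. The shortener list, protected brand list, redirect table and sample message are constructed for the demonstration; the redirect table stands in for the HEAD requests a real resolver would make, and the two-label domain split is a simplification of a proper public-suffix lookup.

```python
"""Triage of a suspicious message: unwrap nested URL shorteners, check the
final host for brand impersonation and for HTTPS used as reassurance, and
score the social-engineering cues from the recommendations. Added example;
the lists, redirect table and sample message are constructed, not observed."""
import re
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}        # assumption: a few well-known hosts
BRANDS = {"paypal", "facebook", "bankofexample"}                 # assumption: brands being protected
LEGIT_DOMAINS = {"paypal.com", "facebook.com", "bankofexample.com"}

# Constructed redirect table standing in for live HEAD requests to each shortener.
REDIRECTS = {
    "http://bit.ly/abc1": "http://t.co/xyz2",
    "http://t.co/xyz2": "https://paypal.com.login-verify.example.net/secure",
}

# Telltale signs of social engineering from the recommendation, as (regex, label).
CUES = [
    (r"\b(urgent|immediately|within 24 hours|act now)\b", "false sense of urgency"),
    (r"\b(free|won|winner|prize|gift)\b", "too-good-to-be-true offer"),
    (r"\b(stuck|stranded|wallet (was )?stolen|send \$?\d+)\b", "emergency money request from a 'friend'"),
    (r"\b(ref(erence)?|case|ticket)\.?\s*(no\.?|number|#)?\s*(?=[A-Z-]*\d)[A-Z0-9-]{10,}\b",
     "bogus officialese (long reference number)"),
    (r"\b(verify|confirm) your (account|identity|details)\b", "request for credentials or personal data"),
]

def registrable_domain(host):
    # Assumption: last two labels; real code should consult a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def unshorten(url, redirects=REDIRECTS, max_hops=5):
    """Follow a chain of shortener redirects; returns (final_url, hops_taken)."""
    hops = []
    while (urlparse(url).hostname in SHORTENERS and url in redirects
           and len(hops) < max_hops):
        hops.append(url)
        url = redirects[url]
    return url, hops

def analyse_url(url):
    final, hops = unshorten(url)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if len(hops) > 1:
        findings.append("nested URL shorteners (%d hops) hide the destination" % len(hops))
    elif hops:
        findings.append("URL shortener hides the destination")
    if reg not in LEGIT_DOMAINS and any(label in BRANDS for label in host.split(".")):
        findings.append("brand name used as a subdomain of unrelated domain %s" % reg)
    if parsed.scheme == "https" and reg not in LEGIT_DOMAINS:
        findings.append("HTTPS on an unrelated domain: the padlock proves encryption, not identity")
    return {"final_url": final, "hops": len(hops), "findings": findings}

def analyse_text(text):
    return [label for pattern, label in CUES if re.search(pattern, text, re.IGNORECASE)]

def triage_message(text):
    """Score a message: one point per text cue and per URL finding."""
    urls = re.findall(r"https?://\S+", text)
    report = {"cues": analyse_text(text), "urls": [analyse_url(u) for u in urls]}
    report["score"] = len(report["cues"]) + sum(len(u["findings"]) for u in report["urls"])
    return report

# Constructed sample in the style of the "stuck overseas" lure described above.
SAMPLE = ("Help! I'm stuck overseas and my wallet was stolen. Please send $200 immediately. "
          "Verify your account here: http://bit.ly/abc1 Ref No. AX7Q29P0L5M")

if __name__ == "__main__":
    result = triage_message(SAMPLE)
    print("score:", result["score"])
    for cue in result["cues"]:
        print("cue:", cue)
    for u in result["urls"]:
        print("url ->", u["final_url"], u["findings"])
```

The score is deliberately additive rather than a verdict: a single cue ("free") is common in legitimate mail, but an urgency phrase plus a money request plus a brand name sitting as a subdomain of an unrelated registrable domain is the combination the recommendation asks readers to recognise. Note that the HTTPS check only fires when the registrable domain is not the brand's own; the 46 percent rise in SSL-equipped phishing sites means the padlock cannot be used as a shortcut for trust.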


Looking Ahead

“Never make predictions,” said a wise man, “especially about the future.” But we can extrapolate from this year’s data to speculate on future trends in the hope that this will help organizations and individuals protect themselves more effectively. Looking ahead, here are our priorities and concerns for the coming year:

More State-sponsored Cyber Attacks
The last few years have seen increasingly sophisticated and widespread use of cyber attacks. In peacetime, they provide plausible deniability; in wartime, they could be an essential tool. Cyber attacks will continue to be an outlet where tensions between countries are played out. Moreover, in addition to state-sponsored attacks, non-state sponsored attacks, including attacks by nationalist activists against those whom they perceive to be acting against their country’s interest, will continue. Security companies and businesses need to be prepared for blowback and collateral damage from these attacks and, as ever, they need to make strenuous efforts to protect themselves against targeted attacks of all kinds.

Sophisticated Attack Techniques Trickle Down
Know-how used for industrial espionage or cyberwarfare will be reverse-engineered by criminal hackers for commercial gain. For example, the zero-day exploits used by the Elderwood Gang will be exploited by other malware authors. Similarly, the “open-sourcing” of malware toolkits such as Zeus (also known as Zbot), perhaps in an effort to throw law enforcement off the trail of the original authors, will make it easier for authors to create new malware.

Websites Will Become More Dangerous
Drive-by infections from websites will become even more common and even harder to block without advanced security software. Criminals will increasingly attack websites, using malvertising and website attack kits, as a means of infecting users. Software vendors will come under pressure to increase their efforts in fixing vulnerabilities promptly. Users and companies that employ them will need to be more proactive about maintaining their privacy and security in this new social media world.

Social Media Will Be a Major Security Battleground
Social media websites already combine elements of an operating system, a communications platform, and an advertising network. As they go mobile and add payment mechanisms, they will attract even more attention from online criminals with malware, phishing, spam, and scams. Traditional spam, phishing, and malware will hold steady or decline somewhat; however, social media attacks will grow enormously. As new social media tools emerge and become popular, criminals will target them. Further, we think that the intersection of smartphones and social media will become an important security battleground as criminals target teenagers, young adults, and other people who may be less guarded about their personal data and insufficiently security-minded to protect their devices and avoid scams.

Attacks Against Cloud Providers Will Increase
So far, the very big data breaches have occurred in businesses that collect a lot of personal data, such as healthcare providers, online retailers or games companies. In 2013 we expect to see a variety of attacks against cloud software providers.

Increasingly Vicious Malware
Malware has advanced from being predominantly about data theft and botnets (although both are still very common) through fake antivirus scams to increased ransomware attacks in 2012. We expect to see these attacks become harder to undo, more aggressive, and more professional over time. Once criminals see that they can get a high conversion rate from this kind of extortion, we may see other manifestations, such as malware that threatens to and then actually deletes the contents of your hard disk. This was the case of the Shamoon attacks that occurred in August and erased data from the infected computer. Essentially, if it is possible, someone will try it; if it is profitable, many people will do it.


Mobile Malware Comes of Age
Just as social media is becoming the new “operating system” for computers, mobile phones and tablets are becoming the new hardware platform. Tablet adoption and smartphone market penetration will continue and this will attract criminals. What has evolved over a decade on PCs is emerging more rapidly on smartphones and tablets. We’ll see ransomware and drive-by website infections on these new platforms in the coming year. For businesses that use these new devices or allow employees to bring their own to work, this will present a serious security problem in 2013.

Persistent Phishing
Identities are valuable, so criminals will continue to try to steal them. Phishing attacks will continue to get smarter and more sophisticated. For example, we’ll see more perfect site replicas and SSL-encryption phishing sites. Phishing will become more regional and it will appear in a wider variety of languages, making it harder to block and more effective. It will continue its spread on social media websites where it will exploit the medium’s virality and trusted messaging.



Internet Security Threat Report 2013: Appendix


CONTENTS

61 Appendix :: A Threat Activity Trends
63 Malicious Activity by Source
64 Malicious Activity by Source: Overall Rankings, 2011–2012
65 Malicious Activity by Source: Malicious Code, 2011–2012
65 Malicious Activity by Source: Spam Zombies, 2011–2012
66 Malicious Activity by Source: Phishing Hosts, 2011–2012
66 Malicious Activity by Source: Bots, 2011–2012
67 Malicious Activity by Source: Web Attack Origins, 2011–2012
67 Malicious Activity by Source: Network Attack Origins, 2011–2012
69 Malicious Web-based Attack Prevalence
69 Malicious Website Activity, 2011–2012
71 Analysis of Malicious Web Activity by Attack Toolkits
71 Malicious Website Activity: Attack Toolkit Trends, 2012
72 Malicious Website Activity: Overall Frequency of Major Attack Toolkits, 2012
73 Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs
73 Potentially Unwanted Programs: Spyware and Adware Blocked, 2012
75 Analysis of Web Policy Risks from Inappropriate Use
75 Web Policies that Triggered Blocks, 2011–2012
77 Analysis of Website Categories Exploited to Deliver Malicious Code
77 Malicious Web Activity: Categories that Delivered Malicious Code, 2012
78 Malicious Web Activity: Malicious Code by Number of Infections Per Site, 2012
78 Malicious Web Activity: Fake Antivirus by Category, 2012
79 Malicious Web Activity: Browser Exploits by Category, 2012
79 Malicious Web Activity: Social Networking Attacks by Category, 2012
81 Bot-infected Computers
82 Table of Top 10 Bot Locations by Average Lifespan of Bot, 2011–2012
83 Analysis of Mobile Threats
83 Android Mobile Threats: Newly Discovered Malicious Code, 2011–2012
84 Android Mobile Threats: Cumulative Number of Malware Families, 2010–2012
85 Mobile Threats: Malicious Code by Type, 2012
85 Mobile Threats: Malicious Code by Type – Additional Detail, 2012
86 Documented Mobile Vulnerabilities, 2012
89 Data Breaches that Could Lead to Identity Theft
90 Timeline of Data Breaches Showing Identities Breached in 2012, Global
90 Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Data Breaches)
91 Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Identities Exposed)
91 Average Number of Identities Exposed Per Data Breach by Notable Sector
92 Data Breaches that Could Lead to Identity Theft by Number of Breaches
92 Data Breaches that Could Lead to Identity Theft by Number of Identities Exposed
93 Average Number of Identities Exposed Per Data Breach by Cause
93 Type of Information Exposed in Deliberate Breaches
94 Threat Activity Trends Endnotes

95 Appendix :: B Malicious Code Trends
97 Top Malicious Code Families
98 Overall Top Malicious Code Families, 2012
99 Relative Volume of Reports of Top 10 Malicious Code Families in 2012 by Percentage
99 Relative Proportion of Top 10 Malicious Code Blocked in Email Traffic by Symantec.cloud in 2012 by Percentage and Ratio
100 Trend of Malicious Code Blocked in Email Traffic by Symantec.cloud – 2011 vs 2012
100 Relative Proportion of Top 10 Malicious Code Blocked in Web Traffic by Symantec.cloud in 2012 by Percentage and Ratio
102 Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size
102 Proportion of Email Traffic Identified as Malicious by Industry Sector, 2012
103 Proportion of Email Traffic Identified as Malicious by Organization Size, 2012
103 Proportion of Email Traffic Identified as Malicious by Geographic Location, 2012
105 Propagation Mechanisms
106 Propagation Mechanisms
108 Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)
109 Average Number of Targeted Email Attacks Per Day, 2012
111 Targeted Attacks by Company Size, 2012
111 Targeted Attacks Against Job Function, 2012
112 Breakdown of Document Types Being Attached to Targeted Attacks, 2012
113 Analysis of Targeted Attacks by Top 10 Industry Sectors, 2012
114 Malicious Code Trends Endnotes

115 Appendix :: C Spam and Fraud Activity Trends
117 Analysis of Spam Activity Trends
117 Global Spam Volume in Circulation, 2012
118 Proportion of Email Traffic Identified as Spam, 2011–2012
119 Analysis of Spam Activity by Geography, Industry Sector, and Company Size
119 Proportion of Email Traffic Identified as Spam by Industry Sector, 2012
120 Proportion of Email Traffic Identified as Spam by Organization Size, 2012
120 Proportion of Email Traffic Identified as Spam by Geographic Location, 2012
122 Analysis of Spam Delivered by Botnets
122 Percentage of Spam Sent from Botnets in 2012
123 Analysis of Spam-sending Botnet Activity, 2012
124 Significant Spam Tactics
124 Frequency of Spam Messages by Size, 2012
125 Proportion of Spam Messages Containing URLs, 2012
125 Analysis of Top-level Domains Used in Spam URLs, 2012
126 Spam by Category
127 Spam by Category, 2012
128 Spam by Category, 2012
129 Phishing Activity Trends
129 Phishing Rates, 2011–2012
130 Phishing Category Types, Top 200 Organizations, 2012
130 Tactics of Phishing Distribution, 2012
132 Analysis of Phishing Activity by Geography, Industry Sector, and Company Size
132 Proportion of Email Traffic Identified as Phishing by Industry Sector, 2012
133 Proportion of Email Traffic Identified as Phishing by Organization Size, 2012
133 Proportion of Email Traffic Identified as Phishing by Geographic Location, 2012
135 Spam and Fraud Activity Endnotes

136 Appendix :: D Vulnerability Trends
138 Total Number of Vulnerabilities
139 Total Vulnerabilities Identified, 2006–2012
139 New Vulnerabilities Month by Month, 2011 and 2012
140 Most Frequently Attacked Vulnerabilities in 2012
142 Zero-day Vulnerabilities
142 Volume of Zero-day Vulnerabilities, 2006–2012
143 Zero-day Vulnerabilities Identified in 2012
144 Web Browser Vulnerabilities
144 Browser Vulnerabilities, 2011 and 2012
146 Web Browser Plug-in Vulnerabilities
147 Browser Plug-in Vulnerabilities in 2011 and 2012
148 Web Attack Toolkits
149 SCADA Vulnerabilities
150 Vulnerability Trends Endnotes

151 Appendix :: E Government Threat Activity Trends
153 Malicious Activity by Critical Infrastructure Sector
153 Malicious Activity by Critical Infrastructure Sector
154 Sources of Origin for Government-targeted Attacks
154 Sources of Origin for Government-targeted Attacks
156 Attacks by Type – Overall Government and Critical Infrastructure Organizations
157 Attacks by Type – Notable Critical Infrastructure Sectors
158 Government Threat Activity Endnotes
159 About Symantec
159 More Information

Appendix :: A

Threat Activity Trends

The Symantec Global Internet Security Threat Report provides an analysis of threat activity, as well as other malicious activity, data breaches, and Web-based attacks that Symantec observed in 2012. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

This section covers the following metrics and provides analysis and discussion of the trends indicated by the data:

• Malicious Activity by Source
• Malicious Web-based Attack Prevalence
• Analysis of Malicious Web Activity by Attack Toolkits
• Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs
• Analysis of Web Policy Risks from Inappropriate Use
• Analysis of Website Categories Exploited to Deliver Malicious Code
• Bot-infected Computers
• Analysis of Mobile Threats
• Data Breaches that Could Lead to Identity Theft


Malicious Activity by Source

Background

Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and a typically more stable connection. Symantec categorizes malicious activities as follows:

Malicious code: This includes programs such as viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.

Spam zombies: These are remotely controlled, compromised systems specifically designed to send out large volumes of junk or unsolicited email messages. These email messages can be used to deliver malicious code and phishing attempts.

Phishing hosts: A phishing host is a computer that provides website services in order to illegally gather sensitive user information while pretending that the attempt is from a trusted, well-known organization by presenting a website designed to mimic the site of a legitimate business.

Bot-infected computers: Malicious programs have been used to compromise these computers to allow an attacker to control the targeted system remotely. Typically, a remote attacker controls a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.

Network attack origins: This measures the originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.

Web-based attack origins: This measures attack sources that are delivered via the Web or through HTTP. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.

Methodology

This metric assesses the sources from which the largest amount of malicious activity originates. To determine malicious activity by source, Symantec has compiled geographical data on numerous malicious activities, namely: malicious code reports, spam zombies, phishing hosts, bot-infected computers, network attack origins, and Web-based attack origins. The proportion of each activity originating in each source is then determined. The mean of the percentages of each malicious activity that originates in each source is calculated. This average determines the proportion of overall malicious activity that originates from the source in question, and the rankings are determined by calculating the mean average of the proportion of these malicious activities that originated in each source.
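The averaging described under Methodology can be checked against the report's own tables. The Python below is an added example, not Symantec's code: it takes the 2012 per-category percentages printed in Figures A.2 to A.7 of this appendix for the three countries that appear in all six tables, reproduces their rows of Figure A.1, and refuses to average a source for which a category value is missing; the category names are this example's own.

```python
"""Reproduce the "Malicious Activity by Source" overall ranking.

Added illustration, not Symantec's code. The overall figure for a source
is the mean of its share of each of the six activity categories, and
sources are ranked by that mean. The 2012 inputs below are the percentages
printed in Figures A.2 to A.7 for the three countries present in all six
tables; the 2011 overall averages come from Figure A.1 and are used only
to reproduce its Change column.
"""
from statistics import mean

# Category names are this example's own labels for the six tables.
CATEGORIES = (
    "malicious_code",
    "spam_zombies",
    "phishing_hosts",
    "bots",
    "web_attack_origins",
    "network_attack_origins",
)

# 2012 share (percent) of each category, per source, from Figures A.2-A.7.
ACTIVITY_2012 = {
    "United States": {
        "malicious_code": 17.2, "spam_zombies": 4.2, "phishing_hosts": 50.0,
        "bots": 15.3, "web_attack_origins": 34.4, "network_attack_origins": 14.9,
    },
    "China": {
        "malicious_code": 6.1, "spam_zombies": 3.1, "phishing_hosts": 3.2,
        "bots": 15.0, "web_attack_origins": 9.4, "network_attack_origins": 29.2,
    },
    "Brazil": {
        "malicious_code": 2.9, "spam_zombies": 5.5, "phishing_hosts": 3.6,
        "bots": 7.8, "web_attack_origins": 1.3, "network_attack_origins": 3.0,
    },
}

# 2011 overall averages (percent) from Figure A.1.
OVERALL_2011 = {"United States": 21.1, "China": 9.2, "Brazil": 4.1}


def overall_average(shares, categories=CATEGORIES):
    """Mean share across all categories; every category must be present.

    A source outside a table's top 10 has no printed value for that
    category, so its overall figure cannot be rebuilt from the page.
    Refusing is better than silently averaging fewer categories.
    """
    missing = [c for c in categories if c not in shares]
    if missing:
        raise ValueError(f"no value for categories: {missing}")
    return mean(shares[c] for c in categories)


def rank_sources(activity, previous_overall=None):
    """Rank sources by mean share, as in Figure A.1.

    Returns a list of dicts with rank, geography, overall percentage
    (one decimal) and the change in percentage points from the previous
    period (None when no previous figure is known).
    """
    previous_overall = previous_overall or {}
    averages = {geo: overall_average(s) for geo, s in activity.items()}
    # Highest mean first; geography name breaks ties deterministically.
    ordered = sorted(averages.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = []
    for rank, (geo, avg) in enumerate(ordered, start=1):
        prev = previous_overall.get(geo)
        rows.append({
            "rank": rank,
            "geography": geo,
            "overall": round(avg, 1),
            "change": None if prev is None else round(avg - prev, 1),
        })
    return rows


if __name__ == "__main__":
    for row in rank_sources(ACTIVITY_2012, OVERALL_2011):
        print(f"{row['rank']:>2} {row['geography']:<14} "
              f"{row['overall']:5.1f}%  change {row['change']:+.1f}")
```

Countries such as India or the Netherlands cannot be reproduced this way because they fall outside the top 10 of at least one table, so their per-category value is not printed.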


Data

Figure A.1. Malicious Activity by Source: Overall Rankings, 2011–2012 (Source: Symantec)

| Geography | 2012 Overall World Rank | 2012 Overall Average | 2011 Overall World Rank | 2011 Overall Average | Change |
|---|---|---|---|---|---|
| United States | 1 | 22.7% | 1 | 21.1% | 1.6% |
| China | 2 | 11.0% | 2 | 9.2% | 1.8% |
| India | 3 | 6.5% | 3 | 6.2% | 0.3% |
| Brazil | 4 | 4.0% | 4 | 4.1% | -0.1% |
| Germany | 5 | 3.4% | 5 | 3.9% | -0.5% |
| Netherlands | 6 | 2.7% | 20 | 1.1% | 1.6% |
| Italy | 7 | 2.4% | 9 | 2.7% | -0.3% |
| United Kingdom | 8 | 2.4% | 7 | 3.2% | -0.8% |
| Taiwan | 9 | 2.3% | 8 | 3.0% | -0.7% |
| Russia | 10 | 2.2% | 6 | 3.2% | -1.0% |


Figure A.2. Malicious Activity by Source: Malicious Code, 2011–2012 (Source: Symantec)

| Geography | 2012 Malicious Code Rank | 2012 Malicious Code % | 2011 Malicious Code Rank | 2011 Malicious Code % | Change |
|---|---|---|---|---|---|
| United States | 1 | 17.2% | 2 | 13.3% | 3.9% |
| India | 2 | 16.2% | 1 | 15.3% | 0.9% |
| China | 3 | 6.1% | 4 | 5.1% | 0.9% |
| Indonesia | 4 | 3.9% | 3 | 8.0% | -4.1% |
| Japan | 5 | 3.4% | 11 | 2.2% | 1.2% |
| Vietnam | 6 | 3.0% | 6 | 3.8% | -0.8% |
| Brazil | 7 | 2.9% | 8 | 2.8% | 0.0% |
| United Kingdom | 8 | 2.7% | 5 | 4.0% | -1.3% |
| Egypt | 9 | 2.6% | 7 | 3.4% | -0.8% |
| Germany | 10 | 2.5% | 15 | 1.5% | 1.0% |

Figure A.3. Malicious Activity by Source: Spam Zombies, 2011–2012 (Source: Symantec)

| Geography | 2012 Spam Zombies Rank | 2012 Spam Zombies % | 2011 Spam Zombies Rank | 2011 Spam Zombies % | Change |
|---|---|---|---|---|---|
| India | 1 | 17.1% | 1 | 17.5% | -0.3% |
| Saudi Arabia | 2 | 7.0% | 19 | 1.5% | 5.6% |
| Netherlands | 3 | 6.5% | 27 | 0.7% | 5.8% |
| Brazil | 4 | 5.5% | 5 | 6.0% | -0.5% |
| United States | 5 | 4.2% | 15 | 1.8% | 2.4% |
| Spain | 6 | 4.0% | 21 | 1.4% | 2.6% |
| Argentina | 7 | 3.8% | 12 | 2.2% | 1.6% |
| Germany | 8 | 3.6% | 23 | 1.2% | 2.4% |
| China | 9 | 3.1% | 9 | 2.6% | 0.5% |
| Russia | 10 | 2.7% | 3 | 7.8% | -5.0% |


Figure A.4. Malicious Activity by Source: Phishing Hosts, 2011–2012 (Source: Symantec)

| Geography | 2012 Phishing Hosts Rank | 2012 Phishing Hosts % | 2011 Phishing Hosts Rank | 2011 Phishing Hosts % | Change |
|---|---|---|---|---|---|
| United States | 1 | 50.0% | 1 | 48.5% | 1.4% |
| Germany | 2 | 6.2% | 2 | 6.8% | -0.6% |
| United Kingdom | 3 | 3.9% | 3 | 3.6% | 0.2% |
| Brazil | 4 | 3.6% | 8 | 2.3% | 1.3% |
| China | 5 | 3.2% | 5 | 3.1% | 0.2% |
| Canada | 6 | 2.9% | 4 | 3.3% | -0.4% |
| France | 7 | 2.7% | 7 | 2.4% | 0.3% |
| Russia | 8 | 2.4% | 9 | 2.3% | 0.0% |
| Netherlands | 9 | 2.3% | 6 | 2.4% | -0.1% |
| Poland | 10 | 1.6% | 12 | 1.6% | -0.1% |

Figure A.5. Malicious Activity by Source: Bots, 2011–2012 (Source: Symantec)

| Geography | 2012 Bots Rank | 2012 Bots % | 2011 Bots Rank | 2011 Bots % | Change |
|---|---|---|---|---|---|
| United States | 1 | 15.3% | 1 | 12.6% | 2.8% |
| China | 2 | 15.0% | 6 | 6.6% | 8.4% |
| Taiwan | 3 | 7.9% | 2 | 11.4% | -3.5% |
| Brazil | 4 | 7.8% | 3 | 8.9% | -1.1% |
| Italy | 5 | 7.6% | 4 | 8.3% | -0.7% |
| Japan | 6 | 4.6% | 8 | 4.6% | 0.0% |
| Poland | 7 | 4.4% | 7 | 5.4% | -1.0% |
| Hungary | 8 | 4.2% | 9 | 4.3% | -0.1% |
| Germany | 9 | 4.0% | 5 | 7.0% | -2.9% |
| Spain | 10 | 3.2% | 11 | 2.6% | 0.6% |


Figure A.6. Malicious Activity by Source: Web Attack Origins, 2011–2012 (Source: Symantec)

| Geography | 2012 Web Attacking Countries Rank | 2012 Web Attacking Countries % | 2011 Web Attacking Countries Rank | 2011 Web Attacking Countries % | Change |
|---|---|---|---|---|---|
| United States | 1 | 34.4% | 1 | 33.5% | 0.9% |
| China | 2 | 9.4% | 2 | 11.0% | -1.6% |
| Korea, South | 3 | 3.0% | 3 | 4.4% | -1.4% |
| Germany | 4 | 2.6% | 4 | 3.5% | -0.9% |
| Netherlands | 5 | 2.4% | 8 | 2.0% | 0.5% |
| India | 6 | 1.7% | 14 | 1.0% | 0.6% |
| Japan | 7 | 1.6% | 6 | 2.2% | -0.6% |
| Russia | 8 | 1.5% | 7 | 2.1% | -0.6% |
| United Kingdom | 9 | 1.5% | 5 | 2.3% | -0.8% |
| Brazil | 10 | 1.3% | 11 | 1.3% | 0.0% |

Figure A.7. Malicious Activity by Source: Network Attack Origins, 2011–2012 (Source: Symantec)

| Geography | 2012 Network Attacking Countries Rank | 2012 Network Attacking Countries % | 2011 Network Attacking Countries Rank | 2011 Network Attacking Countries % | Change |
|---|---|---|---|---|---|
| China | 1 | 29.2% | 1 | 26.9% | 2.3% |
| United States | 2 | 14.9% | 2 | 16.9% | -1.9% |
| Russia | 3 | 3.7% | 5 | 3.4% | 0.3% |
| United Kingdom | 4 | 3.1% | 3 | 4.1% | -0.9% |
| Brazil | 5 | 3.0% | 6 | 3.2% | -0.2% |
| Netherlands | 6 | 2.6% | 21 | 0.8% | 1.8% |
| Japan | 7 | 2.4% | 8 | 2.5% | 0.0% |
| India | 8 | 2.4% | 11 | 2.0% | 0.4% |
| Italy | 9 | 2.4% | 7 | 2.8% | -0.4% |
| France | 10 | 2.3% | 10 | 2.1% | 0.2% |


Commentary

• In 2012, corresponding with their large Internet populations, the United States and China remained the top two sources overall for malicious activity: the overall average proportion of attacks originating from the United States in 2012 increased by 1.6 percentage points compared with 2011, while the same figure for China increased by 1.8 percentage points compared with 2011. Malicious activity in the Netherlands also increased by 1.6 percentage points, resulting in the country being ranked in sixth position, compared with twentieth in 2011.
• 29.2 percent of network attacks originated in China: China has the largest population of Internet users [1] in the Asia region, with its Internet population growing to 564 million in 2012.
• 50.0 percent of phishing websites were hosted in the United States: In 2012, with approximately 275 million Internet users, the United States has the second largest population of Internet users in the world.
• The United States was ranked in first position as the source of all activities except spam zombies and network attacks, for which India (spam zombies) and China (network attacks) were ranked first.
• 15.3 percent of bot activity originated in the United States: The United States was the main source of bot-infected computers, an increase of 2.8 percentage points compared with 2011.
• 34.4 percent of Web-based attacks originated in the United States: Web-based attacks originating from the United States increased by 0.9 percentage points in 2012.
• 17.1 percent of spam zombies were located in India, a decrease of 0.3 percentage points compared with 2011: The proportion of spam zombies located in the United States rose by 2.4 percentage points to 4.2 percent, resulting in the United States being ranked in fifth position in 2012, compared with fifteenth position in 2011.
• 17.2 percent of all malicious code activities originated from the United States, an increase of 3.9 percentage points compared with 2011, overtaking India as the main source of malicious code activity in 2012: With 16.2 percent of malicious activity originating in India, the country was ranked in second position. India has approximately 150 million Internet users, which is the third largest population of Internet users in the world.

01 Internet population and penetration rates in 2012 courtesy of Internet World Stats, http://www.internetworldstats.com


Malicious Web-based Attack Prevalence

Background

The circumstances and implications of Web-based attacks vary widely. They may target specific businesses or organizations, or they may be widespread attacks of opportunity that exploit current events, zero-day vulnerabilities, or recently patched and publicized vulnerabilities that many users have yet to protect themselves against. While major attacks may have individual importance and often receive significant attention when they occur, examining overall Web-based attacks provides insight into the threat landscape and how attack patterns may be shifting. Analysis of the underlying trend can provide insight into potential shifts in Web-based attack usage and can assist in determining if attackers are more or less likely to employ Web-based attacks in the future. To see which vulnerabilities are being exploited by Web-based attacks, see Appendix D: Vulnerability Trends.

Methodology

This metric assesses changes to the prevalence of Web-based attack activity by comparing the overall volume of activity and the average number of attacks per day in each month during the current and previous reporting periods.

Data

Figure A.8. Malicious Website Activity, 2011–2012 (Source: Symantec)

Line chart of the number of malicious websites blocked per day (in thousands, 0–400), by month from July 2011 to December 2012.


Commentary

• The average number of malicious websites blocked each day rose by approximately 30 percent for all of 2012 to an average of 247,350, compared with 190,370 in the second half of 2011. A rise in attacks at the beginning of the year contributed in large part to this increase.
• The average number of websites blocked each day in the first half of 2012, compared with the second half of 2011, rose by 48 percent to an average of 281,283.
• The average number of websites blocked each day in the second half of 2012, compared with the second half of 2011, rose by 12 percent to an average of 213,417.
• The peak rate of malicious activity was 339,078 blocks per day in March 2012, when the number of malicious blocks was 37 percent higher than the annual average.
• The lowest rate of malicious activity was 125,384 blocks per day in December 2012, when the number of malicious blocks was 49 percent lower than the annual average.
• Further analysis of malicious code activity may be found in Appendix B: Malicious Code Trends: Overall Top Malicious Code Families, 2012.


Analysis of Malicious Web Activity by Attack Toolkits

Background

The increasing pervasiveness of Web browser applications, along with increasingly common, easily exploited Web browser application security vulnerabilities, has resulted in the widespread growth of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. These attacks work by infecting enterprise users and consumers that visit mainstream websites hosting Web-attack toolkits, silently infecting them with a variety of malware. Symantec analyzes attack activity to determine which types of attacks and attack toolkits attackers are utilizing. This can provide insight into emerging Web attack trends and may indicate the types of attacks with which attackers are having the most success.

Methodology

This metric assesses the top Web-based attack activity grouped by exploit “Web kit” families. These attacks originated from compromised legitimate sites and intentionally malicious sites set up to target Web users in 2012. To determine this, Symantec ranked attack activity by the number of incidents associated with each given Web kit.

Data

Figure A.9. Malicious Website Activity: Attack Toolkit Trends, 2012 (Source: Symantec)

Stacked area chart of the share of blocked Web attack toolkit activity (0–90 percent) by month from January to December 2012, with bands for Blackhole, Sakura, Nuclear, Redkit, Phoenix, and Others.


Figure A.10. Malicious Website Activity: Overall Frequency of Major Attack Toolkits, 2012 (Source: Symantec)

Bar chart; the rounded percentages printed on the bars are listed below (Blackhole and Sakura agree with the Commentary that follows; the remaining values are read off the chart in descending bar order, with Others last, and sum to 100 percent).

| Attack toolkit | Share of attacks blocked |
|---|---|
| Blackhole | 41% |
| Sakura | 22% |
| Phoenix | 10% |
| Redkit | 7% |
| Nuclear | 3% |
| Others | 17% |

Commentary

• Blackhole continues to be the most dominant Web attack kit in 2012, accounting for 40.7 percent of attacks blocked from Web attack toolkits, compared with 44.3 percent in 2011. The Sakura toolkit was ranked second, accounting for 22 percent of attacks blocked, and was not ranked in the top 10 in 2011.
• The Sakura Web attack kit was updated to version 1.1 in early 2012, and many of the more common attack toolkits were updated in 2012 to include exploits for the Java Runtime Environment, including CVE-2012-0507, CVE-2012-1723, and CVE-2012-4681.
• The Blackhole kit was updated frequently and the code is highly obfuscated. It is often used to deploy ransomware and fake security software.


Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs

Background

One of the main goals of a drive-by Web-based installation is the deployment of malicious code, but often a compromised website is also used to install spyware or adware code. This is because the cybercriminals pushing the spyware and adware in this way are being paid a small fee for each installation. However, most adware vendors, such as those providing add-in toolbars for Web browsers, are not always aware how their code came to be installed on the users’ computers. The expectation is that it is with the permission of the end user, when this is typically not the case in a drive-by installation and may be in breach of the vendors’ terms and conditions of use.

Methodology

This metric assesses the prevalence of Web-based spyware and adware activity by tracking the trend in the average number of spyware and adware related websites blocked each day by users of Symantec.cloud Web security services. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends.

Data

Figure A.11. Potentially Unwanted Programs: Spyware and Adware Blocked, 2012 Source: Symantec.cloud

Rank Top 10 Potentially Unwanted Programs %

1 Application.DirectDownloader.A 94.2%

2 Spyware.PCAcme 1.5%

3 Adware.JS.Script.C 0.2%

4 Application:Android/Counterclank.A 0.2%

5 Application.InstallCore.E 0.2%

6 Adware:W32/CDN.A 0.2%

7 Adware.Solimba.C 0.2%

8 Spyware.Ardakey 0.2%

9 Adware:Android/AirPush.A 0.2%

10 Spyware.Keylogger 0.1%


Commentary

• It is sometimes the case that potentially unwanted programs are legitimate programs that have been installed as part of a drive-by download, where the installation is performed without the permission of the user. This is typically when the third party behind the installation is being rewarded for the number of installations of a particular program, irrespective of whether the user has granted permission; it is often without the knowledge of the original vendor and may be in breach of their affiliate terms and conditions.

• The most frequently blocked installation of potentially unwanted programs in 2012 was for the DirectDownload software.2

• Similarly, Counterclank was ranked fourth in 2012, and was one of two Android-based potentially unwanted programs blocked. Due to the combined behavior of the applications and negative feedback from users who installed the applications, Symantec attempted to have Counterclank3 removed from the Android Market in 2012, but Google replied quickly, informing us the applications met their Terms of Service and they will not be removed. We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market.

• In 2012, three of the top 10 potentially unwanted programs were classified as spyware, compared with two in 2011.

• Figure A.11 accounts for approximately 19 percent of all spyware and adware blocked in 2012. The remainder was blocked using generic detection techniques.

02 http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99
03 http://www.symantec.com/connect/blogs/update-androidcounterclank


Analysis of Web Policy Risks from Inappropriate Use

Background

Many organizations implement an acceptable usage policy to limit employees’ use of Internet resources to a subset of websites that have been approved for business use. This enables an organization to limit the level of risk that may arise from users visiting inappropriate or unacceptable websites, such as those containing sexual images and other potentially illegal or harmful content. Often there will be varying degrees of granularity imposed on such restrictions, with some rules being applied to groups of users or rules that only apply at certain times of the day; for example, an organization may wish to limit employees’ access to video sharing websites to only Friday lunchtime, but may also allow any member of the PR and marketing teams access at any time of the day. This enables an organization to implement and monitor its acceptable usage policy and reduce its exposure to certain risks that may also expose the organization to legal difficulties.

Methodology

This metric assesses the classification of prohibited websites blocked by users of Symantec.cloud Web security services. The policies are applied by the organization from a default selection of rules that may also be refined and customized. This metric shows the most frequently blocked websites (by category) that breach acceptable use policies defined by clients using the service. In some cases, users will repeatedly try to access unauthorized content; for example, by clicking on different URLs returned in a search results page. Sometimes policies may define that only certain groups within an organization may have access to restricted content (such as social networking), or the access may be limited to certain periods of the day.
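The group- and time-scoped rules described above, worked through as an added example that is not part of the report or of Symantec’s products: a minimal policy evaluator that encodes the “video sharing only at Friday lunchtime, any time for PR and marketing” policy and tallies blocks by category the way Figure A.12 does. The hostnames, categories and request log are constructed sample data, and the first-match rule order is this example’s own convention.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple

# Constructed host-to-category lookup standing in for a URL categorization
# service; the hostnames are sample data, not the report's.
CATEGORY_OF_HOST = {
    "video.example.net": "Streaming Media",
    "social.example.net": "Social Networking",
    "ads.example.net": "Advertisement and Pop-ups",
    "intranet.example.com": "Business",
}


@dataclass(frozen=True)
class Rule:
    category: str
    action: str                                  # "allow" or "block"
    groups: FrozenSet[str] = frozenset()         # empty: applies to every user
    weekdays: FrozenSet[int] = frozenset()       # 0 = Monday; empty: any day
    hours: Optional[Tuple[int, int]] = None      # (start, end) local hour, end exclusive

    def matches(self, category, user_groups, when):
        if category != self.category:
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.weekdays and when.weekday() not in self.weekdays:
            return False
        if self.hours and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        return True


def evaluate(host, user_groups, when, rules, default="allow"):
    """Return (action, category) for one request. The first matching rule
    wins, so narrow exceptions must be listed before the broad block."""
    category = CATEGORY_OF_HOST.get(host, "Uncategorized")
    for rule in rules:
        if rule.matches(category, frozenset(user_groups), when):
            return rule.action, category
    return default, category


# The report's example policy: video sharing only at Friday lunchtime for
# everyone, any time for PR and marketing; ads and social networking blocked.
POLICY = (
    Rule("Streaming Media", "allow", groups=frozenset({"pr", "marketing"})),
    Rule("Streaming Media", "allow", weekdays=frozenset({4}), hours=(12, 14)),
    Rule("Streaming Media", "block"),
    Rule("Advertisement and Pop-ups", "block"),
    Rule("Social Networking", "block"),
)

# Constructed request log: (host, user's groups, local timestamp).
# 2012-07-27 is a Friday; 2012-07-30 is a Monday.
REQUESTS = [
    ("video.example.net", {"engineering"}, datetime(2012, 7, 27, 12, 30)),
    ("video.example.net", {"engineering"}, datetime(2012, 7, 27, 15, 0)),
    ("video.example.net", {"marketing"}, datetime(2012, 7, 30, 9, 0)),
    ("ads.example.net", {"engineering"}, datetime(2012, 7, 30, 9, 1)),
    ("ads.example.net", {"sales"}, datetime(2012, 7, 30, 9, 2)),
    ("ads.example.net", {"sales"}, datetime(2012, 7, 30, 9, 3)),
    ("social.example.net", {"engineering"}, datetime(2012, 7, 30, 10, 0)),
    ("social.example.net", {"sales"}, datetime(2012, 7, 30, 10, 5)),
    ("intranet.example.com", {"sales"}, datetime(2012, 7, 30, 10, 6)),
]


def block_report(requests, rules):
    """Percentage share of blocks by category, the shape of Figure A.12."""
    blocked = Counter()
    for host, groups, when in requests:
        action, category = evaluate(host, groups, when, rules)
        if action == "block":
            blocked[category] += 1
    total = sum(blocked.values())
    if not total:
        return {}
    return {c: round(100.0 * n / total, 1) for c, n in blocked.most_common()}
```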

Data

Figure A.12. Web Policies that Triggered Blocks, 2011–2012 Source: Symantec.cloud

Rank Top 10 Category 2012 2011 Change

1 Advertisement and Pop-ups 31.8% 46.6% -14.8%

2 Social Networking 24.1% 22.7% 1.4%

3 Streaming Media 9.0% 18.9% -9.9%

4 Chat 4.7% 3.2% 1.5%

5 Computing and Internet 4.0% <0.5% New

6 Peer-to-Peer 3.3% <0.5% New

7 Hosting Sites 2.8% 1.6% 1.2%

8 Games 1.9% 0.6% 1.3%

9 News 1.7% <0.5% New

10 Search 1.7% <0.5% New


Commentary

• 31.8 percent of Web activity blocked through policy controls was related to advertisement and pop-ups. Web-based advertisements pose a potential risk through the use of “malvertisements,” or malicious advertisements. These may occur as the result of a legitimate online ad-provider being compromised and a banner ad being used to serve malware on an otherwise harmless website.

• The second most frequently blocked traffic was categorized as social networking, accounting for 24.1 percent of policy-based filtering activity blocked, equivalent to approximately one in every four websites blocked. Many organizations allow access to social networking websites, but in some cases implement policies to only permit access at certain times of the day and block access at all other times.

• Activity related to streaming media policies resulted in 9 percent of policy-based filtering blocks in 2012. Streaming media is increasingly popular when there are major sporting events or high-profile international news stories. This activity often results in an increased number of blocks, as businesses seek to preserve valuable bandwidth for other purposes. This rate is equivalent to one in every 11 websites blocked. The proportion of streaming media blocks made in 2012 was half of the 2011 figure, despite the London Olympics.


Analysis of Website Categories Exploited to Deliver Malicious Code

Background

As organizations seek to implement appropriate levels of control in order to minimize risk levels from uncontrolled Web access, it is important to understand the level of threat posed by certain classifications of websites and categories in order to provide better understanding of the types of legitimate websites that may be more susceptible to being compromised and potentially expose users to greater levels of risk.

Web-based malware is increasingly more likely to be found on a legitimate website that has been compromised and used to host malicious content. It is therefore increasingly important that proactive security countermeasures are able to block such malware before it can reach a company’s network. This technique has also been employed in some targeted attacks, known as a “watering hole” attack, where the intended recipient is known to frequent a particular website and that website has been compromised.

Methodology

This metric assesses the classification of malicious websites blocked by users of Norton Safe Web technology.4 Data is collected anonymously from over 50 million computers worldwide, where customers voluntarily contribute to this technology, including Norton Community Watch. Norton Safe Web is processing more than two billion real-time rating requests each day, and monitoring over 12 million daily. Reputation ratings are being tracked for more than 25 million websites.

This metric provides an indication of the levels of infection of legitimate websites that have been compromised or abused for malicious purposes. The malicious URLs identified by the Safe Web technology were classified by category using the Symantec Rulespace5 technology. RuleSpace proactively categorizes websites into more than 80 categories in 17 languages.

04 For more details about Norton Safe Web, please visit http://safeweb.norton.com/
05 For more details about Symantec Rulespace, please visit http://www.symantec.com/theme.jsp?themeid=rulespace

Data

Figure A.13. Malicious Web Activity: Categories that Delivered Malicious Code, 2012 Source: Symantec

Rank Top 10 Most Frequently Exploited Categories of Websites % of Total Number of Infected Websites

1 Business 7.7%

2 Hacking 7.6%

3 Technology and Telecommunication 5.7%

4 Blogging 4.5%

5 Shopping 3.6%

6 Known Malware Domain 2.6%

7 Hosting 2.3%

8 Automotive 1.9%

9 Health 1.7%

10 Educational 1.7%


Figure A.14. Malicious Web Activity: Malicious Code by Number of Infections Per Site, 2012 Source: Symantec

Rank Top 10 Potentially Most Harmful Categories of Websites Average Number of Threats Found on Infected Website Major Threat Type Detected

1 Pornography 4.4 Trojans: 82%

2 Placeholder 3.3 Pay Per Click: 73%

3 Plagiarism 3.2 Malware: 49%

4 Automotive 3.1 Pay Per Click: 66%

5 Gore 3.0 Fake Antivirus: 74%

6 Military 3.0 Malware: 53%

7 Lifestyles 2.8 Fake Antivirus: 53%

8 Automated Web Application 2.8 Malware: 100%

9 Abortion 2.8 Malware: 79%

10 Art and Museums 2.7 Fake Antivirus: 54%

Figure A.15. Malicious Web Activity: Fake Antivirus by Category, 2012 Source: Symantec

Rank Top 10 Potentially Most Harmful Categories of Websites - Fake Antivirus % of Fake Antivirus Attacks Found Within Top 10 Categories % of Threats Found Within Same Category

1 Religion 43% 4%

2 Sports 41% 5%

3 Shopping 39% 18%

4 Health 34% 7%

5 Business 29% 28%

6 Travel 29% 4%

7 Educational 22% 5%

8 Blogging 20% 11%

9 Technology and Telecommunication 15% 10%

10 Hacking 9% 8%


Figure A.16. Malicious Web Activity: Browser Exploits by Category, 2012 Source: Symantec

Rank Top 10 Potentially Most Harmful Categories of Websites - Browser Exploits % of Browser Exploits Found Within Top 10 Categories % of Threats Found Within Same Category

1 Anonymizer 32% 8%

2 Blogging 30% 61%

3 Known Malware Domain 6% 7%

4 Dynamic 4% 2%

5 Hosting 4% 4%

6 Hacking 2% 8%

7 Educational 2% 1%

8 Business 1% 5%

9 Technology and Telecommunication 1% 3%

10 Shopping 1% 1%

Figure A.17. Malicious Web Activity: Social Networking Attacks by Category, 2012 Source: Symantec

Rank Top 10 Potentially Most Harmful Categories of Websites - Social Networking % Used to Deliver Social Networking Attacks

1 Blogging 43%

2 Hacking 14%

3 Dynamic 11%

4 Business 5%

5 Hosting 4%


Commentary

• Approximately 63 percent of websites used to distribute malware were identified as legitimate, compromised websites that could be classified, an increase of two percentage points compared with 2011. This figure excludes URLs that contained just an IP address and did not include general domain parking and pay-per-click websites.

• 7.7 percent of malicious website activity was classified in the Blogging category.

• Websites classified as pornography were found to host the greatest number of threats per site of any category, with an average of 4.4 threats per website, the majority of which related to Trojans (82 percent).

• Analysis of websites that were used to deliver drive-by fake antivirus attacks revealed that 4 percent of threats found on compromised religion sites were related to fake antivirus software. 43 percent of fake antivirus attacks were found on compromised religion sites. 28 percent of attacks found on compromised business sites were fake antivirus.

• Analysis of websites that were used to deliver attacks using browser exploits revealed that 8 percent of threats found on compromised anonymizer sites were related to browser exploits. 32 percent of browser exploit attacks were found on compromised anonymizer sites. 59 percent of browser exploits were found on compromised blogging sites.

• 43 percent of attacks used on social networking websites were related to malware hosted on compromised blogging sites. This is where a URL hyperlink for a compromised website is shared on a social network. Websites dedicated to the discussion of hacking accounted for 14 percent of social networking attacks.

• The Hacking category is used to classify websites that promote or provide the means to practice illegal or unauthorized acts of computer crime or related programming skills.

• The Dynamic category is used to classify websites that have been found to contain both appropriate and inappropriate user-generated content, such as social networking or blogging websites. It also covers websites in which the page content changes based on how the user is interacting with it (for example, an Internet search).

• The Known Malware Domain category covers sites that have no specific broad classification, but where the domain was found to either contain malware or take advantage of other exploits to deliver adware, spyware or malware; for example, underground websites that may be used to openly discuss and share malcode and related research.

• The Placeholder category refers to any domain name that is registered, but may be for sale or has recently expired and is redirected to a domain parking page.


Bot-infected Computers

Background

Bot-infected computers, or bots, are programs that are covertly installed on a user’s machine in order to allow an attacker to control the targeted system remotely through a communication channel, such as Internet relay chat (IRC), P2P, or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks. Bots allow for a wide range of functionality and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization’s website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information that may be used in identity theft from compromised computers—all of which can lead to serious financial and legal consequences.

Attackers favor bot-infected computers with a decentralized C&C6 model because they are difficult to disable and allow the attackers to hide in plain sight among the massive amounts of unrelated traffic occurring over the same communication channels, such as P2P. Most importantly, botnet operations can be lucrative for their controllers because bots are also inexpensive and relatively easy to propagate.

Methodology

A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. The bot-infected computer activities that Symantec tracks can be classified as actively attacking bots or bots that send out spam (for example, spam zombies).

Distributed denial-of-service (DDoS) campaigns may not always be indicative of bot-infected computer activity; DDoS activity can occur without the use of bot-infected computers. For example, systems that participated in the high-profile DDoS Operation Payback attacks in 2010 and 2011 used publicly available software such as Low Orbit Ion Cannon (LOIC) in a coordinated effort to disrupt many businesses’ website operations. Users sympathetic to the Anonymous cause could voluntarily download the free tool from the Web and participate en masse in a coordinated DDoS campaign, which required very little technical knowledge.

The analysis reveals the average lifespan of a bot-infected computer for the highest populations of bot-infected computers. To be included on the list, the geography must account for at least 0.1 percent of the global bot population.

06 Command and control
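The methodology above defines an active bot-day, a distinct bot, a geography’s share of the world bot population and the 0.1 percent inclusion threshold; the following added example (not part of the report or of Symantec’s tooling) computes those metrics from a constructed sighting log. The report does not say how lifespan is measured, so this example assumes it is the span from a bot’s first to its last active day, inclusive; the bot identifiers and geographies are sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed attack observations, not Symantec telemetry: one record per
# (bot, geography, day) on which the bot carried out at least one attack.
# The same bot may appear on several days; the same day listed twice for a
# bot still counts as one active day, following the report's definition.
SIGHTINGS = [
    ("b1", "RO", date(2012, 1, 1)), ("b1", "RO", date(2012, 1, 10)),
    ("b1", "RO", date(2012, 1, 24)),
    ("b2", "RO", date(2012, 2, 1)),
    ("b3", "US", date(2012, 3, 1)), ("b3", "US", date(2012, 3, 13)),
    ("b4", "US", date(2012, 3, 5)), ("b4", "US", date(2012, 3, 5)),
    ("b5", "US", date(2012, 4, 1)), ("b5", "US", date(2012, 4, 3)),
    ("b6", "ZZ", date(2012, 5, 1)),
]


def bot_activity(sightings):
    """Map each distinct bot to (geography, set of days it was active)."""
    activity = {}
    for bot_id, geo, day in sightings:
        _, days = activity.setdefault(bot_id, (geo, set()))
        days.add(day)
    return activity


def active_bot_days(sightings):
    """Total number of (bot, day) pairs on which at least one attack occurred."""
    return sum(len(days) for _, days in bot_activity(sightings).values())


def world_share(sightings):
    """Percentage of all distinct bots located in each geography."""
    counts = defaultdict(int)
    activity = bot_activity(sightings)
    for geo, _ in activity.values():
        counts[geo] += 1
    total = len(activity)
    return {geo: 100.0 * n / total for geo, n in counts.items()}


def average_lifespan(sightings, min_share_pct=0.1):
    """Average bot lifespan (days) per geography, restricted to geographies
    holding at least min_share_pct of the global bot population (the report
    uses 0.1 percent). Lifespan assumption (not defined by the report): the
    span from first to last active day inclusive, so a bot seen once lives 1 day."""
    share = world_share(sightings)
    spans = defaultdict(list)
    for geo, days in bot_activity(sightings).values():
        spans[geo].append((max(days) - min(days)).days + 1)
    return {geo: round(sum(s) / len(s), 1)
            for geo, s in spans.items() if share[geo] >= min_share_pct}


def one_in_n(share_pct):
    """Express a percentage share in the report's '1 in N bots' form."""
    return round(100.0 / share_pct)
```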


Data

Figure A.18. Table of Top 10 Bot Locations by Average Lifespan of Bot, 2011–2012 Source: Symantec

Rank (2012) Geography Average Lifespan of Bot, Days (2012) % of World Bots (2012) Average Lifespan of Bot, Days (2011) % of World Bots (2011) Rank (2011)

1 Romania 24 0.16% 29 0.14% 1

2 Bulgaria 17 0.10% 14 0.13% 2

3 United States 13 15.34% 13 12.56% 3

4 Indonesia 12 0.12% 10 0.14% 6

5 Israel 11 1.34% 5 1.64% 29

6 Egypt 10 0.11% 8 0.11% 14

7 Korea, South 10 0.99% 12 0.99% 4

8 Pakistan 10 0.12% 9 0.25% 10

9 Philippines 10 0.16% 10 0.18% 6

10 Ukraine 10 0.15% 10 0.20% 6

Commentary

• Bots located in Romania were active for an average of 24 days in 2012, compared with 29 days in 2011; 1 in 622 bots were located in Romania, compared with 1 in 737 in 2011.

• It takes almost twice as long to identify and clean up a bot-infected computer in Romania than in the United States, although the number of infections in the United States is more than a hundred times greater than that of Romania. One factor contributing to this disparity may be a low level of user awareness of the issues involved, combined with the lower availability of remediation guidance and support tools in the Romanian language.

• In the United States, which was home to 1 in 7 (15 percent) of global bot-infected computers, the average lifespan for a bot was 13 days, unchanged from 2011.

• All other countries outside the top ten had a lifespan of 9 days or less. The overall average lifespan was 6 days.

• Additionally, 68 percent of bots were controlled using HTTP-based command and control channels, compared with 65 percent in 2011.


Analysis of Mobile Threats

Background

Since the first smartphone arrived in the hands of consumers, speculation about threats targeting these devices has abounded. While threats targeted early “smart” devices such as those based on Symbian and Palm OS in the past, none of these threats ever became widespread and many remained proof of concept. Recently, with the growing uptake in smartphones and tablets, and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and security researchers.

While the number of immediate threats to mobile devices remains relatively low in comparison to threats targeting PCs, there have been new developments in the field. And as malicious code for mobile begins to generate revenue for malware authors, there will be more threats created for these devices, especially as people increasingly use mobile devices for sensitive transactions such as online shopping and banking. As with desktop computers, the exploitation of a vulnerability can be a way for malicious code to be installed on a mobile device.

Methodology

In 2012, there was a significant number of vulnerabilities reported that affected mobile devices. Symantec documented 415 vulnerabilities in mobile device operating systems in 2012, compared to 315 in 2011 and 163 in 2010; an increase of 32 percent.

Symantec tracks the number of threats discovered against mobile platforms by tracking malicious threats identified by Symantec’s own security products and confirmed vulnerabilities documented by mobile vendors.

Currently, most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile application (“app”) marketplaces in the hope that users will download and install them, often trying to pass themselves off as legitimate apps or games. Attackers have also taken popular legitimate applications and added additional code to them. Symantec has classified the types of threats into a variety of categories based on their functionality.

Data

Figure A.19. Android Mobile Threats: Newly Discovered Malicious Code, 2011–2012 Source: Symantec

[Line chart with trend line: newly discovered Android malicious code per month, January 2011 to December 2012, on a 0 to 24 axis.]


Figure A.20. Android Mobile Threats: Cumulative Number of Malware Families, 2010–2012 Source: Symantec

[Line chart: cumulative number of Android malware families, January 2011 to December 2012, on a 0 to 200 axis.]


Figure A.21. Mobile Threats: Malicious Code by Type, 2012 Source: Symantec

Steal Information 32%
Traditional Threats 25%
Track User 15%
Send Content 13%
Reconfigure Device 8%
Adware/Annoyance 8%

Figure A.22. Mobile Threats: Malicious Code by Type – Additional Detail, 2012 Source: Symantec

[Horizontal bar chart on a 0 to 30 percent axis; bars are colour-coded by the six primary types of Figure A.21 (Steal Information, Traditional Threats, Track User, Send Content, Reconfigure Device, Adware/Annoyance).]

Steals Device Data 27%
Spies on User 12%
Sends Premium SMS 11%
Downloader 11%
Back Door 13%
Tracks Location 3%
Modifies Settings 5%
Spam 2%
Steals Media 2%
Elevates Privileges 3%
Banking Trojan 2%
SEO Poisoning <0.1%
Adware/Annoyance 8%
DDoS Utility 1%
Hacktool 1%


Figure A.23. Documented Mobile Vulnerabilities, 2012 Source: Symantec

[Bar chart of documented mobile vulnerabilities per month, January to December 2012, on a 0 to 140 axis. The twelve monthly bar values are 121, 77, 72, 46, 36, 23, 18, 9, 5, 4, 3, and 1 (total 415); the month-to-value assignment is not recoverable from the extracted chart.]

Platform Documented Vulnerabilities %

Apple iOS/iPhone/iPad 387 93.3%

Android 13 3.1%

BlackBerry 13 3.1%

Nokia 0 0%

WebOS 0 0%

Windows Mobile 2 0.5%

TOTAL 415


Apps with malicious intentions can present serious risks to users of mobile devices. These metrics show the different functions that these bad mobile apps performed during the year. The data was compiled by analyzing the key functionality of malicious mobile apps. Symantec has identified five primary mobile risk types:

• Collect Data. Most common among bad mobile apps was the collection of data from the compromised device. This was typically done with the intent to carry out further malicious activities, in much the way an information-stealing Trojan might. This includes both device- and user-specific data, ranging from configuration data to banking details. This information can be used in a number of ways, but for the most part, it is fairly innocuous, with IMEI7 and IMSI8 numbers taken by attackers as a way to uniquely identify a device. More concerning is data gathered about the device software, such as operating system (OS) version or applications installed, to carry out further attacks (say, by exploiting a software vulnerability). Rarer, but of greatest concern, is when user-specific data, such as banking details, is gathered in an attempt to make unauthorized transactions. While this category covers a broad range of data, the distinction between device and user data is given in more detail in the subcategories below.

• Track User. The next most common purpose was to track a user’s personal behavior and actions. These risks take data specifically to spy on the individual using the phone. This is done by gathering up various communication data, such as SMS messages and phone call logs, and sending them to another computer or device. In some instances they may even record phone calls. In other cases these risks track GPS coordinates, essentially keeping tabs on the location of the device (and its user) at any given time. Gathering pictures taken with the phone also falls into this category.

• Send Content. The third-largest group of risks is bad apps that send out content. These risks are different from the first two categories because their direct intent is to make money for the attacker. Most of these risks will send a text message to a premium SMS number, ultimately appearing on the mobile bill of the device’s owner. Also within this category are risks that can be used as email spam relays, controlled by the attackers and sending unwanted emails from addresses registered to the device. One threat in this category constantly sent HTTP requests in the hopes of bumping certain pages within search rankings.

• Traditional Threats. The fourth group contains more traditional threats, such as back doors and downloaders. Attackers often port these types of risks from PCs to mobile devices.

• Change Settings. Finally, there are a small number of risks that focus on making configuration changes. These types attempt to elevate privileges or simply modify various settings within the operating system. The goal for this final group seems to be to perform further actions on the compromised devices.

The following are specific definitions of each subcategory:

• Collects Device Data gathers information that is specific to the functionality of the device, such as IMEI, IMSI, operating system, and phone configuration data.

• Spies on User intentionally gathers information from the device to monitor a user, such as phone logs and SMS messages, and sends them to a remote source.

• Sends Premium SMS sends SMS messages to premium-rate numbers that are charged to the user’s mobile account.

• Downloader can download other risks on to the compromised device.

• Back door opens a back door on the compromised device, allowing attackers to perform arbitrary actions.

• Tracks Location gathers GPS information from the device specifically to track the user’s location.

• Modifies Settings changes configuration settings on the compromised device.

• Spam sends spam email messages from the compromised device.

• Steals Media sends media, such as pictures, to a remote source.

• Elevates Privileges attempts to gain privileges beyond those laid out when installing the app bundled with the risk.

• Banking Trojan monitors the device for banking transactions, gathering the sensitive details for further malicious actions.

• SEO Poisoning periodically sends the phone’s browser to predetermined URLs in order to boost search rankings.

• Adware/Annoyance contains mobile adware that uses techniques to place advertising in the device’s photo albums and calendar entries, and may push messages to the notification bar. It may even replace the default ringtone with an ad.

07 International Mobile Equipment Identity
08 International Mobile Subscriber Identity


Commentary

In 2012, Android users especially were potentially vulnerable to a wider variety of threats, predominantly due to the widespread popularity of the Android platform. However, very few of these threats have utilized vulnerabilities in the Android OS in order to spread. Rather, the threats tend to masquerade as legitimate apps and attempt to coerce the user into installing them. Exploits accounted for a minority of the infections, but there are certainly more of them for older platforms (for example, 2.x.x), so a lot of these users were more vulnerable to malicious apps that carry these exploits and use them to obtain “root” super-user privileges (examples of threats that do this include Basebridge, Bmaster, Gonfu.D, Gmaster, and Zeahache).

There are two important distinctions between older and newer Android versions regarding security features:

• In response to feedback from users annoyed by advertising platforms that push notifications to the status bar, Google added a feature in 4.x to identify the app that generates a certain notification and even block that app from pushing notifications.

• Owing to the rise of threats that silently send premium text messages (Opfake, Premiumtext, Positmob, Rufraud, etc.), Google added in 4.2 a feature to prompt the user to confirm sending such premium text messages (they compiled a list of ranges of short-code numbers for many countries). This can be very helpful in protecting most users; however, Android 4.2 devices account for only 1.4 percent of users at the time of writing.9

We haven’t seen a large number of Android vulnerabilities in 2012, and phone manufacturers pushed (over the air) updates for the more serious ones. The Android ecosystem makes it more challenging to keep everyone up to date. Google controls the official reference platform that works out of the box only on Nexus devices. From there each manufacturer modifies and releases its own platform updates, which are picked up by mobile network operators, which in turn also customize for their platforms. This makes it very difficult for any change coming from Google to be pushed out quickly to in-the-field devices. Any change to the platform requires thorough testing, which is performed by each manufacturer and operator, all adding to the time required to deploy to the end users. Having so many device models also multiplies the amount of resources all these companies have to allocate for each update, which may partly explain why these updates are infrequently released. Another factor is that the newest platforms are optimized for the latest, more powerful hardware, which could actually degrade the performance on older models if pushed out universally.

Of course, some commentators argue that manufacturers and operators are not really motivated to release so many updates in order to encourage people to purchase the newer phones, but we cannot comment on this. For most exploits in the OS, Google quickly releases the fixes, but it still entails a long time for most users to receive the appropriate fix for their device from their network operators.

Some exploits are not in the original OS itself, but in the custom modifications made by manufacturers, such as the recent Samsung exploit for Galaxy S2/S3, Note, etc. Although they were quick to fix it, the fix still had to propagate through network operators to reach users. In the event that a major vulnerability appeared that was being exploited in huge numbers of older versions of Android, we don’t think Google (or the phone manufacturers) would have any choice but to release an OTA patch for it. The question is, would it reach all Android users and how long would it take?

Tighter control from Google over the platform may resolve some of the “fragmentation” issues, but this could have a knock-on effect and in turn impact the relationship it has with the device manufacturers. And there is an argument about drawing a line and forcing a cut-off point for older Android users, but it is usually the manufacturers that determine this; they are the ones to say whether or not they will continue to upgrade a particular model to support a newer version of Android. As devices pass their end-of-life support period, they may still be usable and adequately functional, but they are unlikely to receive support from the manufacturers in terms of updates and patches. In general, Google would only have to win from having most users using up-to-date versions of Android, but with the current model, they may not have much say in the matter.

09 http://developer.android.com/about/dashboards/index.html

Symantec Corporation Internet Security Threat Report 2013 :: Volume 18

Threat Activity Trends

Data Breaches that Could Lead to Identity Theft

Background

Hacking continued to be the primary way data breaches occurred in 2012, in much the same way as it was in 2011. However, where politically motivated hacktivism in 2011 resulted in some of the biggest data breaches we’ve seen, such activity waned somewhat in 2012. This is most apparent when looking at the biggest caches of stolen identities. In 2011, there were five data breaches that netted hackers 10 million or more identities, the largest of which was a massive breach of 70 million identities. In contrast, 2012 saw only one breach larger than 10 million identities. As a result the overall average size of breaches has dropped significantly, down from 1.1 million to 604,826 identities per breach.

That’s not to say that the threat posed by data breaches has dropped in the last year. While the average size has declined, the median number of identities stolen is up, and significantly at that. Where the median number of identities stolen was 2,400 per breach in 2011, this number is up to 8,350 in 2012. That’s an increase of around 3.5 times. Using the median is a useful measure because it ignores the extremes, the rare events that resulted in large numbers of identities being exposed, and is more representative of the underlying trend.

There were many high-profile hacking breaches last year that received lots of media attention for obvious reasons. Hacking can undermine institutional confidence in a company, and loss of personal data can result in damage to an organization’s reputation. Despite the media hype around these breaches, hacking came in second to old-fashioned theft as the greatest source of data breaches last year according to the Norton Cybercrime Index data.10 In the event of a data breach, many countries have existing data breach notification legislation that regulates the responsibilities of organizations conducting business after a data breach has occurred.

Methodology

The data for the data breaches that could lead to identity theft is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The majority of the Norton CCI’s data comes from Symantec’s Global Intelligence Network, one of the industry’s most comprehensive sources of intelligence about online threats.11 The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information, including name, address, Social Security numbers, credit card numbers, or medical history. Using publicly available data, the Norton CCI determines the sectors that were most often affected by data breaches, as well as the most common causes of data loss.

The sector that experienced the loss along with the cause of loss that occurred is determined through analysis of the organization reporting the loss and the method that facilitated the loss. The data also reflects the severity of the breach by measuring the total number of identities exposed to attackers, using the same publicly available data. An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach. Data may include names, government-issued identification numbers, credit card information, home addresses, or email information. A data breach is considered deliberate when the cause of the breach is due to hacking, insider intervention, or fraud. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers, external to an organization, gaining unauthorized access to computers or networks. (Hacking is an intentional act with the objective of stealing data that can be used for purposes of identity theft or other fraud.)

It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others do. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports.12 Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.
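The Norton CCI definitions above (cause, deliberate breach, identities exposed, mean versus median) carried through in code, as an added example on constructed breach records rather than the report's data: it shows how one very large breach moves the mean while the median tracks the typical incident.

```python
"""Breach-statistics aggregation following the Norton CCI definitions quoted
above (added example on constructed records, not the report's data)."""
from collections import defaultdict
from statistics import mean, median

# Causes the page defines as deliberate: hacking, insider intervention, fraud.
DELIBERATE_CAUSES = {"hackers", "insider_theft", "fraud"}

# Constructed records: (sector, cause, identities_exposed). One very large
# breach in the first set mirrors the "70 million" outlier the text mentions.
BREACHES_2011 = [
    ("retail", "hackers", 70_000_000),
    ("education", "theft_or_loss", 2_000),
    ("healthcare", "accidentally_made_public", 2_400),
    ("government", "hackers", 1_500),
    ("financial", "insider_theft", 3_200),
]
BREACHES_2012 = [
    ("retail", "hackers", 12_000_000),
    ("education", "theft_or_loss", 8_000),
    ("healthcare", "hackers", 8_350),
    ("government", "accidentally_made_public", 7_000),
    ("telecom", "fraud", 9_000),
]


def is_deliberate(cause):
    return cause in DELIBERATE_CAUSES


def summarize(breaches):
    """Counts, identity totals, mean/median size and per-cause breakdown."""
    sizes = [n for _, _, n in breaches]
    by_cause = defaultdict(list)
    for _, cause, n in breaches:
        by_cause[cause].append(n)
    total = sum(sizes)
    return {
        "breaches": len(breaches),
        "identities": total,
        "mean": mean(sizes),
        "median": median(sizes),
        "deliberate_share": sum(is_deliberate(c) for _, c, _ in breaches) / len(breaches),
        "breach_share_by_cause": {c: len(v) / len(breaches) for c, v in by_cause.items()},
        "identity_share_by_cause": {c: sum(v) / total for c, v in by_cause.items()},
        "avg_per_cause": {c: mean(v) for c, v in by_cause.items()},
    }


def trend(prev, curr):
    """Ratio of this year's mean and median to last year's. The two can move in
    opposite directions, which is why the text relies on the median."""
    a, b = summarize(prev), summarize(curr)
    return {"mean_ratio": b["mean"] / a["mean"], "median_ratio": b["median"] / a["median"]}


if __name__ == "__main__":
    for year, data in (("2011", BREACHES_2011), ("2012", BREACHES_2012)):
        s = summarize(data)
        print(year, "mean", s["mean"], "median", s["median"], "deliberate", s["deliberate_share"])
    print(trend(BREACHES_2011, BREACHES_2012))
```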


Figure A.24. Timeline of Data Breaches Showing Identities Breached in 2012, Global Source: Based on data provided by Norton Cyber Crime Index

[Chart: number of incidents per month (left axis) and sum of identities breached in millions (right axis), January to December 2012; series: Incidents, Sum]

Data and Commentary for Data Breaches that Could Lead to Identity Theft by Sector

Figure A.25. Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Data Breaches) Source: Based on data provided by Norton Cyber Crime Index

Share of data breaches by sector: Healthcare 36%; Education 16%; Government 13%; Accounting 9%; Computer Software 6%; Financial 6%; Information Technology 5%; Telecommunications 4%; Computer Hardware 3%; Community and Non-profit 3%.

• Healthcare and education sectors ranked top for number of data breaches, making up just over 50 percent of all data breaches. However, retail and the government sectors represent more than half of the identities exposed.
• This indicates that the sectors responsible for the most data breaches don’t necessarily result in the largest caches of stolen identities.


Figure A.25. Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Identities Exposed) Source: Based on data provided by Norton Cyber Crime Index

Share of identities exposed by sector: Retail 27%; Government 24%; Computer Hardware 14%; Telecommunications 10%; Computer Software 9%; Accounting 7%; Financial 3%; Healthcare 2%; Information Technology 2%; Social Networking 2%.

Figure A.26. Average Number of Identities Exposed Per Data Breach by Notable Sector Source: Based on data provided by Norton Cyber Crime Index

The largest number of identities exposed per breach in 2012 occurred in the retail sector, where one breach topped 10 million identities.

Average identities exposed per breach (millions): Retail 12; Computer Hardware 3.1; Telecom 1.7; Government 1.4; Computer Software 1.2; Accounting .6; Social Networking .5; Financial .4; Information Tech .3; Hospitality .1.


Data and Commentary for Data Breaches that Could Lead to Identity Theft by Cause

Figure A.27. Data Breaches that Could Lead to Identity Theft by Number of Breaches Source: Based on data provided by Norton Cyber Crime Index

Share of breaches by cause: Hackers 40%; Accidentally Made Public 23%; Theft or Loss of Computer or Drive 23%; Insider Theft 8%; Unknown 6%; Fraud 0.6%.

Hackers were the top cause for data breaches: The most frequent cause of data breaches (across all sectors) that could facilitate identity theft in 2012 was hacking attempts, which accounted for 40 percent of breaches that could lead to identities being exposed, and this equated to approximately 18.5 million identities exposed in total.

Figure A.27. Data Breaches that Could Lead to Identity Theft by Number of Identities Exposed Source: Based on data provided by Norton Cyber Crime Index

Share of identities exposed by cause: Hackers 79%; Theft or Loss of Computer or Drive 23%; Accidentally Made Public 3%; Unknown 1%; Insider Theft 0.3%.


Figure A.28. Average Number of Identities Exposed Per Data Breach by Cause Source: Based on data provided by Norton Cyber Crime Index

Average identities exposed per breach by cause: Hackers 1,192,092; Theft or Loss of Computer or Drive 429,462; Unknown 138,295; Accidentally Made Public 77,028; Insider Theft 21,801; Fraud <100.

• Hacking was the leading source for reported identities exposed. Hackers were responsible for almost 80 percent of the identities exposed in the largest data breaches that occurred in 2012.
• The average number of identities exposed per data breach in hacking incidents was approximately 1.2 million.

Figure A.29. Type of Information Exposed in Deliberate Breaches Source: Based on data provided by Norton Cyber Crime Index

Percentage of deliberate breaches exposing each type of information: Real Names 61%; Gov ID Numbers (SSN) 42%; Usernames and Passwords 41%; Home Address 32%; Email Addresses 31%; Birth Dates 30%; Medical Records 29%; Phone Numbers 16%; Financial Information 15%; Insurance 6%.

• The most common types of identity information leaked in deliberate data breaches were real names, accounting for two-thirds of the identities breached in 2012.
• Government ID numbers, such as Social Security numbers, were found in 42 percent of breaches.
• Usernames and passwords were identified in 41 percent of the identity breaches.


Threat Activity Trends Endnotes

01 Internet population and penetration rates in 2012 courtesy of Internet World Stats, http://www.internetworldstats.com.
02 See http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99.
03 See http://www.symantec.com/connect/blogs/update-androidcounterclank.
04 For more details about Norton Safe Web, please visit http://safeweb.norton.com/.
05 For more details about Symantec Rulespace, please visit http://www.symantec.com/theme.jsp?themeid=rulespace.
06 Command and control.
07 International Mobile Equipment Identity.
08 International Mobile Subscriber Identity.
09 See http://developer.android.com/about/dashboards/index.html.
10 See http://www.nortoncybercrimeindex.com/.
11 See http://www.idanalytics.com/.
12 For example, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) of California. For more on this act, please see http://www.privacyrights.org/fs/fs6a-facta.htm. Another example is the Health Insurance Portability and Accountability Act of 1996. For more information see: http://www.cms.hhs.gov/HIPAAGenInfo/.

APPENDIX :: B Malicious Code Trends


MALICIOUS CODE Trends

Malicious Code Trends

Symantec collects malicious code information from our large global customer base through a series of opt-in anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System, and Symantec Scan and Deliver technologies. Well over 133 million clients, servers, and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in malicious code activity in the threat landscape. Reported incidents are considered potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat.

In this section, the following malicious code trends are analyzed for 2012:

• Top Malicious Code Families
• Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size
• Propagation Mechanisms
• Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)


Top Malicious Code Families

Background

Malicious code threats are classified into four main types: backdoors, viruses, worms, and Trojans.

• Backdoors allow an attacker to remotely access compromised computers.
• Viruses propagate by infecting existing files on affected computers with malicious code.
• Worms are malicious code threats that can replicate on infected computers or in a manner that facilitates them being copied to another computer (such as via USB storage devices).
• Trojans are malicious code that users unwittingly install onto their computers, most commonly through either opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.

Many malicious code threats have multiple features; for example, a backdoor will always be categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans; however, many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to enable malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks.

Symantec analyzes new and existing malicious code families to determine which threat types and attack vectors are being employed in the most prevalent threats. This information also allows system administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help them to bolster security measures and mitigate future attacks.

The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway or cloud-based filtering.

Methodology

A malicious code family is initially comprised of a distinct malicious code sample. As variants to the sample are released, the family can grow to include multiple variants. Symantec determines the most prevalent malicious code families by collating and analyzing anonymous telemetry data gathered for the reporting period.

Malicious code family rankings tend to be weighted towards file-infecting threats due to their nature. These threats tend to infect large numbers of executable files in the hopes that they will spread or be shared out to other computers. This propagation approach increases their overall presence when looking at the total number of malicious files in the threat landscape. In contrast, a threat like a Trojan, which doesn’t use automatic propagation techniques, will not rank as highly. As a result, malicious code families that include file-infecting functionality are picked up by antivirus sensors more frequently and will rank higher in overall numbers.

Overall, the top ten list of malicious code families accounted for 41.2 percent of all potential infections blocked in 2012.


Figure B.1. Overall Top Malicious Code Families, 2012 Source: Symantec

Rank | Name | Type | Propagation Mechanisms | % Overall | Impacts/Features
1 | W32.Ramnit | Virus/Worm | Executable files and removable drives | 15.4% | Infects various file types, including executable files, and copies itself to removable drives. It then relies on AutoPlay functionality to execute when the removable drive is accessed on other computers.
2 | W32.Sality | Virus/Worm | Executable files and removable drives | 7.6% | Uses polymorphism to evade detection. Once running on an infected computer, it infects executable files on local, removable, and shared network drives. It then connects to a P2P botnet, downloads and installs additional threats. The virus also disables installed security software.
3 | W32.Downadup | Worm/Backdoor | P2P/CIFS/remote vulnerability | 5.4% | The worm disables security applications and Windows Update functionality and allows remote access to the infected computer. Exploits vulnerabilities to copy itself to shared network drives. It also connects to a P2P botnet and may download and install additional threats.
4 | W32.Virut | Virus/Backdoor | Executables | 3.7% | Infects various file types, including executable files, and copies itself to local, removable, and shared network drives. It also establishes a backdoor that may be used to download and install additional threats.
5 | W32.SillyFDC | Worm | Removable drives | 3.1% | Downloads additional threats and copies itself to removable drives. It then relies on AutoPlay functionality to execute when the removable drive is accessed on other computers.
6 | W32.Almanahe | Virus/Worm | CIFS/mapped drives/removable drives/executables | 2.1% | Disables security software by ending related processes. It also infects executable files and copies itself to local, removable, and shared network drives. The worm may also download and install additional threats.
7 | W32.Mabezat | Virus/Worm | SMTP/CIFS/removable drives | 1.5% | Copies itself to local, removable, and shared network drives. Infects executables and encrypts various file types. It may also use the infected computer to send spam email containing infected attachments.
8 | W32.Chir | Worm | SMTP engine | 1.2% | Searches across the network and accesses files on other computers. However, due to a bug, these files are not modified in any way.
9 | W32.Changeup | Worm | Removable and mapped drives/file sharing programs/Microsoft vulnerability | 0.6% | The primary function of this threat is to download more malware on to the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that are attempting to generate money through the distribution of malware.
10 | W32.Xpaj | Virus | Executables/removable, mapped, and network drives | 0.6% | Infects .dll, .exe, .scr, and .sys files on the compromised computer.


Figure B.2. Relative Volume of Reports of Top 10 Malicious Code Families in 2012 by Percentage Source: Symantec

W32.Ramnit 15%; W32.Sality 8%; W32.Downadup 5%; W32.Virut 4%; W32.SillyFDC 3%; W32.Almanahe 2%; W32.Mabezat 2%; W32.Chir 1%; W32.Changeup 1%; W32.Xpaj 1%; Others 59%.

Figure B.3. Relative Proportion of Top 10 Malicious Code Blocked in Email Traffic by Symantec.cloud in 2012 by Percentage and Ratio Source: Symantec

Rank Malware % of Email Malware Equivalent Ratio in Email

1 Exploit/SpoofBBB 1.58% 1 in 63.4

2 Trojan.Bredolab 1.46% 1 in 68.7

3 EML/Worm.XX.dam 0.85% 1 in 117.5

4 Exploit/SuspLink 0.78% 1 in 127.9

5 Exploit/LinkAliasPostcard-4733 0.66% 1 in 151.0

6 W32/Netsky.c-mm 0.58% 1 in 171.1

7 Trojan.Sasfis.dam 0.53% 1 in 187.5

8 Exploit/Link-FakeACHUpdate 0.52% 1 in 190.7

9 Exploit/FakeAttach 0.51% 1 in 194.7

10 W32/Netsky.P-mm 0.51% 1 in 196.7


Figure B.4. Trend of Malicious Code Blocked in Email Traffic by Symantec.cloud – 2011 vs 2012 Source: Symantec.cloud

[Line chart: ratio of email traffic blocked as malicious (scale 1 in 50 to 1 in 400), January to December, 2011 vs 2012]

Figure B.5. Relative Proportion of Top 10 Malicious Code Blocked in Web Traffic by Symantec.cloud In 2012 by Percentage and Ratio Source: Symantec.cloud

Rank Name % of Email Malware Equivalent Ratio in Email

1 Trojan.JS.Iframe.AOX 10.6% 1 in 9.5

2 Trojan.Iframe.XI 7.1% 1 in 14.2

3 Infostealer.Gampass 5.2% 1 in 19.3

4 Dropped:Rootkit.49324 4.6% 1 in 21.6

5 Exploit.Link-JavaScript-4cda 4.4% 1 in 22.9

6 Exploit.Link-JavaScript-3f9f 4.0% 1 in 25.1

7 Suspicious.Emit 3.3% 1 in 30.1

8 Trojan.Script.12023 3.2% 1 in 31.5

9 Dropped:Trojan.PWS.OnlineGames.KDVN 3.1% 1 in 32.0

10 W32.Almanahe.B 2.2% 1 in 46.3


Commentary

• Ramnit again beats Sality to become the most prevalent malicious code family in 2012. Ranked first again in 2011, the top malicious code family by volume of potential infections in 2012 was Ramnit. Samples of the Ramnit family of malware were responsible for significantly more potential infections (15.4 percent) than the second ranked malicious code family in 2012, Sality (7.6 percent). First discovered in 2010, W32.Ramnit has been a prominent feature of the threat landscape since then, often switching places with Sality throughout the year as the two families jockey for first position. Ramnit spreads by encrypting and then appending itself to DLL, EXE, and HTML files. It can also spread by copying itself to the recycle bin on removable drives and creating an AUTORUN.INF file so that the malware is potentially automatically executed on other computers. This can occur when an infected USB device is attached to a computer. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Ramnit, and Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.

• The Sality family of malware, ranked second, remains attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers. Sality propagates by infecting executable files and copying itself to removable drives such as USB devices. Similar to Ramnit, Sality also relies on AUTORUN.INF functionality to potentially execute when those drives are accessed.

• Downadup gains a bit of momentum: Downadup (a.k.a. ) was ranked in third position in 2012, compared with 2011 when it was ranked fourth-most malicious code family by volume of potential infections in 2011. Downadup propagates by exploiting vulnerabilities in order to copy itself to network shares. Downadup was estimated to have infected slightly more than 2 million PCs worldwide at the end of 2012,1 compared with approximately 3 million at the end of 2011.

• Overall in 2012, 1 in 281.8 emails was identified as malicious, compared with 1 in 238.8 in 2011; 22.5 percent of email-borne malware comprised hyperlinks that referenced malicious code, in contrast with malware that was contained in an attachment to the email. This figure was 39.1 percent in 2010, an indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the Web.

• In 2012, 12.6 percent of malicious code detected was identified and blocked using generic detection technology. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked. By deploying techniques, such as heuristic analysis and generic detection, it’s possible to correctly identify and block several variants of the same malware families, as well as identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically.

• Exploit/SpoofBBB was the most frequently blocked malware in email traffic by Symantec.cloud in 2012, with Trojan.Bredolab taking the second position.

• Trojan.JS.Iframe.AOX was the most frequently blocked malicious activity in Web traffic filtered by Symantec.cloud in 2012. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when visiting a malicious Web page, the code attempts to quietly direct the user to a malicious URL while the current page is loading.

• Stuxnet in 2012: Despite being developed for a very specific type of target, the number of reports of potential Stuxnet infections observed by Symantec in 2012 placed the worm at a rank beyond 30 among malicious code families, compared with 18 in 2011. The Stuxnet worm generated a significant amount of attention in 2010 because it was the first malicious code designed specifically to attack Programmable Logic Controller (PLC) industry control systems.2 Notably, Stuxnet was the first malicious code family that may directly affect the physical world and proves the feasibility for malicious code to cause potentially dramatic physical destruction.

01 http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking#toc15
02 See http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
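The hidden-IFRAME pattern described for Trojan.JS.Iframe.AOX, as an added defender-side example (not Symantec.cloud's detection code): a small HTML auditor that flags IFRAME elements that are zero-sized, hidden by style or written by script, and records whether they point offsite. The heuristics, hostnames and sample pages are constructed for illustration.

```python
"""Hidden-IFRAME auditor for HTML pages (added example; heuristics are this
example's own, not Symantec.cloud's detection logic)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style values that make a frame invisible: display:none, visibility:hidden,
# or positioning it far off screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# document.write(...) calls that emit an <iframe>, including the \x3c escape
# used to keep the tag out of naive string matching.
WRITE_CALL = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.I | re.S)
IFRAME_TOKEN = re.compile(r"(?:<|\\x3c|%3c)\s*iframe", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*\\?['"]?([^'"\\\s>]+)""", re.I)


def _is_zero(value):
    """True for width/height values such as '0', '0px' or '1' (invisible frame)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.in_script = False
        self.findings = []

    def _offsite(self, src):
        host = urlparse(src).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "script":
            self.in_script = True
            return
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if self._offsite(a.get("src", "")):
            reasons.append("offsite-src")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies are delivered raw; look for document.write'd frames.
        if not self.in_script:
            return
        for call in WRITE_CALL.finditer(data):
            body = call.group(1)
            if not IFRAME_TOKEN.search(body):
                continue
            m = SRC_ATTR.search(body)
            src = m.group(1) if m else ""
            reasons = ["script-written"]
            if self._offsite(src):
                reasons.append("offsite-src")
            self.findings.append({"src": src, "reasons": reasons})


def audit_html(html, page_host):
    """Return one finding per IFRAME that is hidden, script-written or offsite."""
    p = IframeAuditor(page_host)
    p.feed(html)
    p.close()
    return p.findings


def is_suspicious(finding):
    """Hidden or script-written plus offsite is the injection pattern; either alone is only a hint."""
    r = set(finding["reasons"])
    return "offsite-src" in r and bool(r & {"zero-size", "hidden-style", "script-written"})


# Constructed sample pages (not real sites).
CLEAN_PAGE = ('<html><body><iframe src="https://example.com/widget" '
              'width="300" height="200"></iframe></body></html>')
INJECTED_PAGE = (
    '<html><body><p>hello</p>'
    '<iframe src="http://bad.example.net/x.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
    '<script>document.write("\\x3ciframe src=\'http://bad.example.net/y\' '
    'width=0\\x3e\\x3c/iframe\\x3e");</script></body></html>')

if __name__ == "__main__":
    for f in audit_html(INJECTED_PAGE, "www.example.org"):
        print(is_suspicious(f), f)
```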


Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size

Background

Malicious code activity trends can also reveal patterns that may be associated with particular geographical locations, or hotspots. This may be a consequence of social and political changes in the region, such as increased broadband penetration and increased competition in the marketplace that can drive down prices, increasing adoption rates. Of course, there may also be other factors at work, based on the local economic conditions that may present different risk factors. Similarly, the industry sector may also have an influence on an organization’s risk factor, where certain industries may be exposed to different levels of threat, by the nature of their business.

Moreover, the size of an organization can also play a part in determining their exposure to risk. Small to medium-sized businesses (SMBs) may find themselves the target of a malicious attack by virtue of the relationships they have with other organizations; for example, a company may be subjected to an attack because they are a supplier to a larger organization and attackers may seek to take advantage of this relationship in forming the social engineering behind subsequent attacks to the main target, using the SMB as a springboard for these later attacks. SMBs are perceived to be a softer target because they are less likely to have the same levels of in-depth defenses as a larger organization, which is more likely to have greater budgetary expenditure applied to their security countermeasures.

Methodology

Analysis of malicious code activity based on geography, industry, and size is based on the telemetry analysis from Symantec.cloud clients of threats detected and blocked against those organizations in email traffic during 2012. This analysis looks at the profile of organizations being subjected to malicious attacks, in contrast to the source of the attack.

Data

Figure B.6. Proportion of Email Traffic Identified as Malicious by Industry Sector, 2012 Source: Symantec.cloud

[Bar chart: ratio of email traffic identified as malicious (scale 1 in 400 to 1 in 50), 2011 vs 2012, by sector: Gov/Public Sector, Education, Finance, Marketing/Media, Accom/Catering, Non-Profit, Estate Agents, Chem/Pharm, Recreation, Prof Services]


Figure B.7. Proportion of Email Traffic Identified as Malicious by Organization Size, 2012 Source: Symantec.cloud

[Bar chart: ratio of email traffic identified as malicious (scale 1 in 450 to 1 in 45), 2011 vs 2012, by organization size: 1-250, 251-500, 501-1000, 1001-1500, 1501-2500, 2501+ employees]

Figure B.8. Proportion of Email Traffic Identified as Malicious by Geographic Location, 2012 Source: Symantec.cloud

[Bar chart: ratio of email traffic identified as malicious (scale 1 in 400 to 1 in 50), 2011 vs 2012, by geographic location: Netherlands, Luxembourg, United Kingdom, South Africa, Germany, Australia, Bahrain, Austria, Hungary, Canada]


Commentary

• The rate of malicious attacks carried by email has increased for four of the top 10 geographies being targeted and decreased for the other six; malicious email threats fell in 2011 for organizations in Luxembourg, the United Kingdom, South Africa, Bahrain, Hungary, and Canada.
• Businesses in the Netherlands were subjected to the highest average ratio of malicious email in 2012, with 1 in 108.0 emails blocked as malicious, compared with 1 in 266.8 in 2011.
• Globally, organizations in the Government and Public sector were subjected to the highest level of malicious attacks in email traffic, with 1 in 72.2 emails blocked as malicious in 2012, compared with 1 in 41.1 for 2011.
• Malicious email threats have increased for all sizes of organizations, with 1 in 252.1 emails being blocked as malicious for large enterprises with more than 2,500 employees in 2012, compared with 1 in 205.1 in 2011.
• 1 in 299.2 emails were blocked as malicious for SMBs with between 1 and 250 employees in 2012, compared with 1 in 267.9 in 2011.


Propagation Mechanisms

Background

Worms and viruses use various means to spread from one computer to another. These means are collectively referred to as propagation mechanisms. Propagation mechanisms can include a number of different vectors, such as instant messaging (IM), Simple Mail Transfer Protocol (SMTP), Common Internet File System (CIFS), peer-to-peer file transfers (P2P), and remotely exploitable vulnerabilities.3 Some malicious code may even use other malicious code as a propagation vector by locating a computer that has been compromised through a backdoor server and using it to upload and install itself.

Methodology

This metric assesses the prominence of propagation mechanisms used by malicious code. To determine this, Symantec analyzes the malicious code samples that propagate and ranks associated propagation mechanisms according to the related volumes of potential infections observed during the reporting period.4

03 CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within.
04 Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100 percent.


Data

Figure B.9. Propagation Mechanisms Source: Symantec

Rank | Propagation Mechanism | 2012 Percentage | Change | 2011 Percentage
1 | Executable file sharing. The malicious code creates copies of itself or infects executable files. The files are distributed to other users, often by copying them to removable drives such as USB thumb drives and setting up an autorun routine. | 71% | -5% | 76%
2 | File transfer, CIFS. This is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within. Malicious code creates copies of itself on shared directories to affect other users who have access to the share. | 33% | -10% | 43%
3 | Remotely exploitable vulnerability. The malicious code exploits a vulnerability that allows it to copy itself to or infect another computer. | 26% | -2% | 28%
4 | File transfer, email attachment. The malicious code sends spam email that contains a copy of the malicious code. Should a recipient of the spam open the attachment, the malicious code will run and their computer may be compromised. | 8% | -6% | 14%
5 | File transfer, P2P. The malicious code copies itself to folders on an infected computer that are associated with P2P file sharing applications. When the application runs, the malicious file will be shared with other users on the same P2P network. | 4% | -3% | 7%
6 | File transfer, non-executable file sharing. The malicious code infects non-executable files. | 3% | +1% | 2%
7 | File transfer, HTTP, embedded URL, instant messenger. The malicious code sends or modifies instant messages with an embedded URI that, when clicked by the recipient, will launch an attack and install a copy of the malicious code. | 3% | +2% | 1%
8 | SQL. The malicious code accesses SQL servers, by exploiting a latent SQL vulnerability or by trying default or guessable administrator passwords, and copies itself to the server. | 1% | -0% | 1%
9 | File Transfer, Instant Messenger. The malicious code sends or modifies instant messages that contain a copy of the malicious code. Should a recipient of the spam open the attachment, the malicious code will run and their computer may be compromised. | 1% | -4% | 5%
10 | File transfer, HTTP, embedded URI, email message body. The malicious code sends spam email containing a malicious URI that, when clicked by the recipient, will launch an attack and install a copy of the malicious code. | <1% | = | <1%


Commentary
As malicious code continues to become more sophisticated, many threats employ multiple mechanisms.

• Executable file sharing activity decreases: In 2012, 71 percent of malicious code propagated as executables, a decrease from 76 percent in 2011. This propagation mechanism is typically employed by viruses and some worms to infect files on removable media. For example, variants of Ramnit and Sality use this mechanism, and both families of malware were significant contributing factors in this metric, as they were ranked as the two most common potential infections blocked in 2012.

• Remotely exploitable vulnerabilities decrease: The percentage of malicious code that propagated through remotely exploitable vulnerabilities in 2012, at 26 percent, was 2 percentage points lower than in 2011. Examples of attacks employing this mechanism also include Downadup, which gained a little momentum and is still a major contributing factor to the threat landscape, ranked in third position in 2012.

• File transfer using CIFS is in decline: The percentage of malicious code that propagated through CIFS file transfer fell by 10 percentage points between 2011 and 2012, a deeper decline than the one seen in 2011. Fewer attacks exploited CIFS as an infection vector in 2012.

• File transfer via email attachments continues to decline: It is worth noting the continued decline in the percentage of malicious code that propagated through email attachments for the fifth year running. Between 2011 and 2012, the proportion of malware using this mechanism fell by six percentage points. While this propagation mechanism is still effective, it was expected that this downward trend would continue; however, the shift towards using malicious URLs that was observed in 2011 did not continue as expected into 2012.


Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)

Background
With targeted attacks and advanced persistent threats being very much in the news in 2012, in this section we review targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs. Terms such as APT have been overused and sometimes misused, but APTs are a real threat to some companies and industries.

As noted earlier in this section, overall in 2012, 1 in 281.8 emails were identified as malicious, but approximately 0.2 percent of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. However, targeted malware in general has grown in volume and complexity in recent years, but as it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.

Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud identified and blocked approximately one attack each week. Over the course of the following year, this number rose to one or two per day, and over the following years it rose still further. The global average number of attacks per day in 2012 was 116, compared with 82 in 2011 and 77 in 2010. We witnessed one large attack in April (see Figure B.10). Events like this are extremely rare, and this particular attack resulted in a large jump for that month. Without adjusting for this, the global average would be nearer to 143 per day with this company included.

Methodology
Defining what is meant by targeted attacks and APT is important in order to better understand the nature of this mounting threat and to make sure that you have invested in the right kinds of defenses for your organization.

The types of organizations being targeted are often thought to be large, well-known multi-national organizations, often within particular industries, including the public sector, defense, energy, and pharmaceutical. In more recent years the scope has widened to include almost any organization, including SMBs.

But what do we really mean by targeted attacks and advanced persistent threats?

An attack can be considered as targeted if it is intended for a specific person or organization, typically created to evade traditional security defenses and frequently using advanced social engineering techniques. However, not all targeted attacks lead to an APT; for example, the Zeus banking Trojan can be targeted and will use social engineering in order to trick the recipient into activating the malware. But Zeus is not an APT. The attacker doesn’t necessarily care about who the individual recipient is; they may have been selected simply because the attacker is able to exploit information gathered about that individual, typically harvested through social networking websites.

Social engineering has always been at the forefront of many of these more sophisticated types of attack. Without strong social engineering, or “head-hacking,” even the most technically sophisticated attacks are unlikely to succeed. Many socially engineered attacks are based on information harvested through social networking and social media websites. Once the attackers are able to understand their targets’ interests, hobbies, with whom they socialize, and who else may be in their networks, they are often able to construct more believable and convincing attacks.

The term “APT” has evolved to describe a unique category of targeted attacks that are specifically designed to target a particular individual or organization. APTs are designed to stay below the radar, and remain undetected for as long as possible, a characteristic that makes them especially effective, moving quietly and slowly in order to evade detection. Unlike the fast-money schemes typical of more common targeted attacks, APTs may have international espionage and/or sabotage objectives.

The objective of an APT may include military, political or economic intelligence gathering, confidential or trade secret threat, disruption of operations, or even the destruction of equipment.

Another characteristic of an APT is that it will be part of a longer-term campaign and not follow the opportunistic “smash-and-grab” approach typical of most malware in circulation today. Its purpose will be to remain undetected for as long as possible, perhaps using a variety of attacks over that period. If one attack fails, then a different approach—one more likely to succeed—will be taken in the weeks to come. If successful, an attacker can use the compromised systems as a beachhead for subsequent attacks.

All of which illustrate how these attacks can be both advanced and persistent threats. They are advanced because of the methods employed to avoid detection, such as the use of zero-day exploits, and the means used to communicate with the command and control network; command and control instructions often involve encrypted traffic, typically sent in small bursts and disguised as normal network traffic. The key to ensuring that any stolen information can be exfiltrated without detection requires the attacker to avoid using easily detectable encryption, and to use common protocol channels that would not look out of place, but while making sure the data remains hidden.

Furthermore, they can be described as persistent because the aim is to maintain a foothold within the compromised company’s infrastructure, and in order to achieve this, the attacker will use numerous methods. The attackers have a very clear and specific objective, they are well-funded and well-organized, and without the right protection in place, these threats have both the capability and the intent to achieve their desired goals.

A highly targeted attack is typically the precursor to an APT, and the typical profile of a highly targeted attack will commonly exploit a maliciously crafted document or executable, which is emailed to a specific individual, or small group of individuals. These emails will be dressed up with a social engineering element to make it more interesting and relevant.

Data and Commentary
Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer and Disttrack in 2012 show increasing levels of sophistication and danger. For example, the Disttrack malware used in the Shamoon attacks on a Saudi oil firm had the ability to wipe hard drives.5

The same techniques used by cybercriminals for industrial espionage may also be used by states and state proxies for cyber attacks and political espionage. Sophisticated attacks may be reverse-engineered and copied so that the same or similar techniques can be used in less discriminate attacks. A further risk is that malware developed for cybersabotage may spread beyond its intended target and infect other computers in a kind of collateral damage.
The data in this section is based on analysis of targeted email malware identified and blocked by Symantec.cloud on behalf of its customers in 2012.

Figure B.10. Average Number of Targeted Email Attacks Per Day, 2012. Source: Symantec.cloud. [Line chart of attacks per day by month, January to December 2012; vertical axis 0 to 250.]


Targeted attacks have become an established part of the threat landscape and safeguarding against them has become one of the main concerns of CISOs and IT managers. Targeted attacks are commonly used for the purposes of industrial espionage to gain access to the confidential information on a compromised computer system or network. They are fewer but potentially the most difficult attacks to defend against. It is difficult to attribute an attack to a specific group or a government without sufficient evidence. The motivation and the resources of the attacker sometimes hint to the possibility that the attacker could be state sponsored, but finding clear evidence is difficult. Attacks that could be state sponsored appear to be rare in comparison with regular cybercrime, though they have often gained more notoriety. They can be among the most sophisticated and damaging of these types of threats. Governments are undoubtedly devoting more resources to defensive and offensive cyberwarfare capabilities. In 2012, it was still unlikely that most businesses would encounter such an attack, and the greatest risk comes from the more prevalent targeted attacks that are created for the purposes of industrial espionage. Increasingly, SMBs are finding themselves on the frontline of these attacks as they have fewer resources to combat the threat and a successful attack here may subsequently be used as the springboard to further attacks against a larger organization to which they may be a supplier.

To understand the nature of targeted attacks, Symantec collected data on over 55,000 attacks that could clearly be identified as targeted. These attacks were email-based and contained a malicious payload. We saw a 41.5 percent increase in targeted attacks with more attacks aimed at companies with fewer than 250 staff members. One possible explanation is that attackers have accelerated their use of small companies as a way to infiltrate larger organizations further up the supply chain. Attackers started using watering hole attacks, a technique where malware on infected third-party websites is used to target employees of companies who might visit those websites. The total number of attacks aimed at organizations with fewer than 2,500 employees is roughly equal to attacks aimed at organizations with greater than 2,500 employees. R&D, sales, C-level, and senior employees were the most targeted in the same order. Attackers want to capture the knowledge workers who have access to intellectual property (IP), but they don’t have to attack them directly to get the information they want. Too often organizations think that if they are not the target of a high profile attack, or if one attack has been blocked, that their troubles are over. However, our research shows that a targeted attack can go on for months. The attack will change over time, with new social engineering, new malware, and often leveraging multiple zero-day vulnerabilities. What our research does not show is attackers giving up after one attempt to breach an organization.

The Characteristics of a Targeted Attack
When comparing the number of targeted attacks directed at companies with 2,500 or more employees and companies with fewer than 2,500, we see an equal split.

Thirty-five percent of all targeted attacks are targeted at companies with fewer than 500 employees, as illustrated in figure B.13. And despite the commonly held belief of small businesses that they would never be the victims of a targeted attack, 30.8 percent of all targeted attacks are directed at companies with up to 250 employees.


Figure B.11. Targeted Attacks by Company Size, 2012. Source: Symantec.cloud.

1-250 employees: 31%
251-500 employees: 5%
501-1,000 employees: 3%
1,001-1,500 employees: 2%
1,501-2,500 employees: 9%
2,501+ employees: 50%

Figure B.12. Targeted Attacks Against Job Function, 2012. Source: Symantec.cloud. [Bar chart of the percentage change from 2011 to 2012 (scale -15% to +30%) for the job functions: Chief Exec. or Board Level; PR and Marketing; Personal Assistant; Research and Development; Human Resources; Sales; Senior Management; Shared Mailbox (info@, sales@, etc.). The individual values are shown only graphically.]


While 55 percent of the mailboxes targeted for attack are high-level executives, senior managers and people in R&D, the majority of targets are people that are unlikely to have such information. Why then are they targeted?

As we’ve said, they provide a stepping stone to the ultimate target. And in the case of personal assistants, sales and media (public relations), they work closely with people who are the ultimate target. But just as important, these people are also easy to find and research online: email addresses for public relations people, shared mailboxes, and recruiters are commonly found on a company’s website.

Additionally, these people are used to being contacted by people they do not know. And in many cases part of the job requires them to open unsolicited files from strangers. Think of how many resumes a recruiter receives each day in a document or PDF file attachment. Finally, under the illusion that targeted attacks are only aimed at high-level executives or those working with the company’s intellectual property (IP), they are less likely to have their guard up against social engineering.

In Figure B.16, we can see that malicious EXEs are largely used in targeted attacks (over one-third of attacks). However, malicious DOCs and PDFs are commonly used by attackers (44.4 percent of the attacks).

Looking at the break out of targeted attacks by industry, Manufacturing was the most-targeted sector in 2012, with 24.3 percent of targeted attacks destined for this sector, compared with 15 percent in 2011. Attacks against government and public sector organizations fell from 25 percent in 2011, when it was the most targeted sector, to 12 percent in 2012. It’s likely the frontline attacks are moving down the supply chain, particularly for SMBs.

Conclusion
Targeted attacks should be a concern for all organizations, large and small. While C-level executives and those that work with a company’s IP should be careful, everyone in an organization is at risk of being targeted. This is especially true of workers who in the course of their jobs typically receive email from people they don’t know. In the end, no matter the size or type of organization you have or your role in that organization, you are at risk and best practices must be followed to protect the organization. Don’t become the weakest link in the supply chain.

Figure B.13. Breakdown of Document Types Being Attached to Targeted Attacks, 2012. Source: Symantec.cloud.

EXE: 39%
DOC: 34%
PDF: 11%
XLS: 5%
SCR: 2%
BIN: 2%
LNK: 2%
CHM: 2%
DMP: 1%
DLL: 1%


Figure B.14. Analysis of Targeted Attacks by Top 10 Industry Sectors, 2012. Source: Symantec.cloud.

Manufacturing: 24%
Finance, Insurance and Real Estate: 19%
Services - Non-Traditional: 17%
Government: 12%
Energy/Utilities: 10%
Services - Professional: 8%
Aerospace: 2%
Retail: 2%
Wholesale: 2%
Transportation, Communications, Electric, Gas, and Sanitary: 1%


Malicious Code Trends Endnotes

01 See http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking#toc15.
02 See http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99.
03 CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within.
04 Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100 percent.
05 See http://www.symantec.com/connect/blogs/shamoon-attacks.

APPENDIX :: Spam and Fraud Activity Trends

Spam and Fraud Activity Trends

Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking (or spoofing) a specific, usually well-known brand. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they can then use to commit fraudulent acts. Phishing generally requires victims to provide their credentials, often by duping them into filling out an online form. This is one of the characteristics that distinguish phishing from spam-based scams (such as the widely disseminated “419 scam”1 and other social engineering scams).

Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly an annoyance to users and administrators, spam is also a serious security concern because it can be used to deliver Trojans, viruses, and phishing attacks. Spam can also include URLs that link to malicious sites that, without the user being aware of it, attack a user’s system upon visitation. Large volumes of spam could also cause a loss of service or degradation in the performance of network resources and email services.

01 See http://www.symantec.com/connect/blogs/419-oldest-trick-book-and-yet-another-scam.

This section covers phishing and spam trends. It also discusses activities observed on underground economy servers because that is where much of the profit is made from phishing and spam attacks.

• Analysis of Spam Activity Trends
• Analysis of Spam Activity by Geography, Industry Sector, and Company Size
• Analysis of Spam Delivered by Botnets
• Significant Spam Tactics
• Spam by Category
• Phishing Activity Trends
• Analysis of Phishing Activity by Geography, Industry Sector, and Company Size


Analysis of Spam Activity Trends

Background
This section discusses the patterns and trends relating to spam message volumes and the proportion of email traffic identified as spam during 2012.

Methodology
The analysis for this section is based on global spam and overall email volumes for 2012. Global values are determined based on the statistically representative sample provided by Symantec’s Brightmail2 operations and spam rates include spam blocked by Symantec.cloud.

02 See http://www.symantec.com/security_response/landing/spam/.

Data and Commentary

Figure C.1. Global Spam Volume in Circulation, 2012. Source: Symantec.

There were approximately 30 billion spam emails in circulation worldwide each day overall in 2012, compared with 42.1 billion in 2011; a decrease of 28.6 percent in global spam volume.

[Line chart of daily spam volume in billions, January to December 2012; vertical axis 0 to 60. Chart annotations: “Grum Botnet Takedown July 15-17”; “Spam dip seen due to reduced FESTI botnet spam activity – quiet in October, but active in early September”.]


Figure C.2. Proportion of Email Traffic Identified as Spam, 2011–2012. Source: Symantec.cloud.

Overall for 2012, 68.5 percent of email traffic was identified as spam, compared with 75.1 percent in 2011; a decrease of 6.6 percentage points.

[Line chart of the monthly spam rate for 2011 and 2012, January to December; vertical axis 0 to 90%.]


Analysis of Spam Activity by Geography, Industry Sector, and Company Size

Background
Spam activity trends can also reveal patterns that may be associated with particular geographical locations or hotspots. This may be a consequence of social and political changes in the region, such as increased broadband penetration and increased competition in the marketplace that can drive down prices, increasing adoption rates. Of course, there may also be other factors at work based on the local economic conditions that may present different risk factors. Similarly, the industry sector may also have an influence on an organization’s risk factor, where certain industries may be exposed to different levels of threat based on the nature of their business. Moreover, the size of an organization can also play a part in determining their exposure to risk. SMBs may find themselves the target of a spam attack because SMBs are perceived to be softer targets because they are less likely to have the same levels of security countermeasures as larger organizations, which are more likely to have greater budgetary expenditure applied to their anti-spam and security countermeasures.

Methodology
Analysis of spam activity based on geography, industry, and size is determined from the patterns of spam activity for Symantec.cloud clients for threats during 2012.

Data

Figure C.3. Proportion of Email Traffic Identified as Spam by Industry Sector, 2012. Source: Symantec.cloud. [Bar chart comparing the 2011 and 2012 spam rates (0 to 90%) for the sectors: Marketing/Media, Manufacturing, Recreation, Agriculture, Chem/Pharm, Building/Cons, Telecoms, IT Services, Wholesale, Professional Services. The individual values are shown only graphically.]


Figure C.4. Proportion of Email Traffic Identified as Spam by Organization Size, 2012. Source: Symantec.cloud. [Bar chart comparing the 2011 and 2012 spam rates (vertical axis to 90%) by organization size: 1-250, 251-500, 501-1,000, 1,001-1,500, 1,501-2,500, 2,501+ employees. The individual values are shown only graphically.]

Figure C.5. Proportion of Email Traffic Identified as Spam by Geographic Location, 2012. Source: Symantec.cloud. [Bar chart comparing the 2011 and 2012 spam rates (10 to 90%) for: Saudi Arabia, Bulgaria, Chile, Hungary, China, Sri Lanka, Tanzania (United Republic of), Qatar, Brazil, Oman. The individual values are shown only graphically.]


Commentary

• The spam rate has decreased across all top 10 geographies in 2012. The highest rate for spam is for organizations in Saudi Arabia, with an overall average spam rate of 79.1 percent. In 2011, the highest rate was in Saudi Arabia, with an overall average spam rate of 80.9 percent.

• The spam rate has decreased across all top 10 industry sectors in 2012. Organizations in the Marketing/Media sector were subjected to the highest spam rate of 69.3 percent in 2012; in 2011, the automotive sector had the highest spam rate of 77.9 percent.

• The spam rate has decreased for all sizes of organization in 2012. 68.4 percent of emails sent to large enterprises with more than 2,500 employees in 2012 were identified as spam, compared with 75.2 percent in 2011.

• 68.4 percent of emails sent to SMBs with up to 250 employees in 2012 were identified as spam, compared with 74.6 percent in 2011.


Analysis of Spam Delivered by Botnets

Background
This section discusses botnets and their use in the sending of spam. Like ballistics analysis in the real world can reveal the gun used to fire a bullet, botnets can similarly be identified by common features within the structure of email headers and corresponding patterns during the SMTP transactions.3 Spam emails are classified for further analysis according to the originating botnet during the SMTP transaction phase. This analysis only reviews botnets involved in sending spam and does not look at botnets used for other purposes, such as for financial fraud or DDoS attacks.

Methodology
Symantec.cloud spam honeypots collected between 5–10 million spam emails each day during 2011. These are classified according to a series of heuristic rules applied to the SMTP conversation and the email header information. A variety of internal and external IP reputation lists are also used in order to classify known botnet traffic based on the source IP address of the sending machine. Information is shared with other security experts to ensure data is up to date and accurate.

03 Simple Mail Transfer Protocol.

Data

Figure C.6. Percentage of Spam Sent from Botnets in 2012. Source: Symantec.cloud. [Line chart with trend line of the monthly percentage of spam sent from botnets, January to December 2012; vertical axis 0 to 90%.]


Figure C.7. Analysis of Spam-sending Botnet Activity, 2012 Source: Symantec.cloud

Botnet Name | % of Botnet Spam | Est. Spam Per Day | Top Sources of Spam from Botnet
LETHIC | 43.4% | 9,632,000,000 | India (14%), Vietnam (6%), Poland (5%)
CUTWAIL | 21.8% | 4,838,000,000 | India (15%), Russia (6%), Brazil (6%)
GRUM | 16.2% | 3,585,000,000 | India (18%), Vietnam (13%), Pakistan (10%)
FESTI | 15.0% | 3,331,000,000 | Saudi Arabia (39%), India (24%), Turkey (12%)
MAAZBEN | 1.3% | 277,000,000 | Brazil (12%), India (10%), United States (8%)
GHEG | 0.7% | 149,000,000 | Indonesia (14%), India (12%), Vietnam (9%)
KELIHOS | 0.6% | 140,000,000 | India (20%), Peru (14%), Turkey (12%)
XARVESTER | 0.4% | 90,000,000 | UK (13%), Italy (8%), India (7%)
WALEDAC | 0.2% | 52,000,000 | India (10%), Kazakhstan (5%), Brazil (5%)
BAGLE | 0.2% | 48,000,000 | United States (20%), China (18%), Brazil (10%)

Commentary

• In 2011, approximately 78.8 percent of all spam was distributed by spam-sending botnets, compared with 88.2 percent in 2011, a decrease of 9.4 percentage points. This was in large part owing to the disruption of the on 16 March 2011. By the end of 2011, this number rose to 81.2 percent.

• In the 7 days prior to the disruption of the Rustock botnet, each day approximately 51.2 billion spam emails were in circulation worldwide. In the 7 days following, this number fell to 31.7 billion, a decrease of 38.0 percent in global spam volume.

• The global spam rate during the 7 days prior to when the Rustock botnet ceased spamming was 78.2 percent, compared with 70.0 percent in the 7 days after.

• During the second half of 2011, the change in frequency of botnet spam being distributed from botnets became much more noticeable, as shown in figure C.6. Large spam runs often lasted for only two or three days and when the spam run ceased, the volume of botnet-spam fell considerably; however, when Rustock was in operation during 2010 and during the first quarter of 2011, it was almost continually sending spam at a fairly regular and steady rate.


Significant Spam Tactics

Background This section discusses significant spam tactics used throughout 2012, including the size of spam messages and the languages used in spam emails.

Size of Spam Messages

Figure C.8. Frequency of Spam Messages by Size, 2012. Source: Symantec.

<5 KB: 49%
5 KB-10 KB: 29%
10 KB-50 KB: 16%
50 KB-100 KB: 3%
>100 KB: 4%

• In 2012, 49 percent of spam messages were less than 5 KB in size. For spammers, smaller file sizes mean more messages can be sent using the same resources.

• Increased sizes are often associated with malicious activity, where email attachments contain malicious executable code.


Proportion of Spam Messages Containing URLs

Figure C.9. Proportion of Spam Messages Containing URLs, 2012. Source: Symantec.

In 2012, 85.3 percent of spam messages contained at least one URL hyperlink, compared with 86.2 percent in 2011, a decrease of 0.9 percentage points.

[Line chart with trend line of the monthly proportion of spam messages containing URLs, January to December 2012; vertical axis 10 to 100%.]

Top-level Domains (TLD) Identified in Spam URLs

Figure C.10. Analysis of Top-level Domains Used in Spam URLs, 2012. Source: Symantec.

COM: 63%
RU: 8%
INFO: 7%
NET: 6%
ORG: 5%
BR: 3%


Spam by Category

Background

Spam is created in a variety of different styles and complexities. Some spam is plain text with a URL; some is cluttered with images and/or attachments. Some comes with very little in terms of text, perhaps only a URL. And, of course, spam is distributed in a variety of different languages. It is also common for spam to contain “Bayes poison” (random text added to messages that has been haphazardly scraped from websites to “pollute” the spam with words bearing no relation to the intent of the spam message itself). Bayes poison is used to thwart spam filters that typically try to deduce spam based on a database of words that are frequently repeated in spam messages.

Any automated process to classify spam into categories would need to overcome this randomness issue. For example, the word “watch” may appear in the random text included in a pharmaceutical spam message, posing a challenge as to whether to classify the message as pharmaceutical spam or in the watches/jewelry category. Another challenge occurs when a pharmaceutical spam contains no obvious pharmaceutical-related words, but only an image and a URL.

Spammers attempt to get their messages through to recipients without revealing too many clues that the message is spam. Clues found in the plain text content of the email can be examined using automated anti-spam techniques. A common way to overcome automated techniques is by using random text. An equally effective way is to include very little in the way of extra text in the spam, instead including a URL in the body of the message. Spam detection services often resist classifying spam into different categories because it is difficult to do (for the reasons above) and because the purpose of spam detection is to determine whether the message is spam and to block it, rather than to identify its subject matter.

The most accurate way to overcome the ambiguity faced by using automated techniques to classify spam is to have someone classify unknown spam manually. While time-consuming, this process provides much more accurate results. An analyst can read the message, understand the context of the email, view images, follow URLs, and view websites in order to gather the bigger picture around the spam message.

Methodology

Once per month, several thousand random spam samples are collected and classified by Symantec.cloud using a combination of electronic and human analysis into one of the following categories:

• Casino/Gambling
• Degrees/Diplomas
• Diet/Weight Loss
• Jobs/Money Mules
• Malware
• Mobile Phones
• Pharmaceutical
• Phishing
• Scams/Fraud/419s
• Sexual/Dating
• Software
• Unknown/Other
• Unsolicited Newsletters
• Watches/Jewelry
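The effect of Bayes poison on a word-frequency filter, and the usual countermeasure, can be shown in a few lines. The following Python is an added example written for this edition, not code from the report or from Symantec.cloud; the training messages, the padding words and the five-token cut-off are constructed for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not Symantec data): a handful of labelled
# messages is enough to show the effect.
SPAM = [
    "cheap viagra cialis pharmacy online order now discount pills",
    "buy replica watches rolex discount jewelry free shipping",
    "online pharmacy discount pills viagra order today",
    "replica watches luxury jewelry cheap order now",
]
HAM = [
    "meeting tomorrow at ten please bring the quarterly report",
    "can you review the attached draft before friday thanks",
    "lunch today the usual place around noon",
    "the build failed again on the integration branch please check",
]

# "Bayes poison": innocuous words a spammer appends to drag the score down.
# Constructed to overlap with the ham corpus above, as scraped text would.
POISON = ("garden weather harbour bicycle quarterly draft integration branch "
          "review meeting friday lunch thanks report check ten")

CLEAN = "cheap viagra pills order now"
POISONED = CLEAN + " " + POISON

TOKEN_RE = re.compile(r"[a-z]+")


def tokens(text):
    """Lower-case alphabetic tokens, one occurrence per message (document frequency)."""
    return set(TOKEN_RE.findall(text.lower()))


def train(spam, ham):
    """Per-token spamminess P(spam | token) with add-one smoothing on document counts."""
    spam_df = Counter(t for m in spam for t in tokens(m))
    ham_df = Counter(t for m in ham for t in tokens(m))
    n_spam, n_ham = len(spam), len(ham)
    probs = {}
    for t in set(spam_df) | set(ham_df):
        p_t_spam = (spam_df[t] + 1) / (n_spam + 2)
        p_t_ham = (ham_df[t] + 1) / (n_ham + 2)
        probs[t] = p_t_spam / (p_t_spam + p_t_ham)
    return probs


def _combine(probs, toks):
    """Naive Bayes combination in log-odds; unseen tokens (p = 0.5) contribute 0."""
    log_odds = sum(math.log(probs.get(t, 0.5)) - math.log(1 - probs.get(t, 0.5))
                   for t in toks)
    return 1 / (1 + math.exp(-log_odds))


def score_all_tokens(probs, text):
    """Score using every token: the filter that Bayes poison is designed to defeat."""
    return _combine(probs, tokens(text))


def score_top_tokens(probs, text, n=5):
    """Score using only the n tokens whose probability is furthest from neutral.
    Filler words carrying weak evidence drop out, so padding no longer dilutes the verdict."""
    ranked = sorted(tokens(text), key=lambda t: abs(probs.get(t, 0.5) - 0.5), reverse=True)
    return _combine(probs, ranked[:n])


if __name__ == "__main__":
    model = train(SPAM, HAM)
    for label, msg in (("clean", CLEAN), ("poisoned", POISONED)):
        print(f"{label:9s} all-tokens={score_all_tokens(model, msg):.3f} "
              f"top-5={score_top_tokens(model, msg):.3f}")
```

Run stand-alone it prints the two scores for the clean and the padded message. Scoring every token, the padded message falls from about 0.997 to about 0.07, under any sane spam threshold; scoring only the five most decisive tokens, it stays at about 0.997, because the scraped filler carries weak evidence and is ignored. This is also why an image-plus-URL message, which offers almost no tokens at all, defeats text analysis altogether and has to be judged on the URL, the image, or by an analyst.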


Data

Figure C.11. Spam by Category, 2012 Source: Symantec.cloud

Category                  2012     2011     Change (percentage points)
Pharmaceutical            21.1%    39.6%    -18.5
Watches/Jewelry            9.2%    18.6%     -9.4
Sexual/Dating             54.6%    14.7%     39.9
Unsolicited Newsletters    7.4%    10.1%     -2.7
Casino/Gambling            1.6%     7.9%     -6.3
Diet/Weight Loss           1.0%     3.5%     -2.5
Malware                    1.9%     3.0%     -1.1
Unknown/Other              2.4%     2.8%     -0.4
Scams/Fraud/419s           0.4%     1.8%     -1.4
Software                   2.1%     0.8%      1.3
Jobs/Money Mules           4.4%     0.5%      3.9
Degrees/Diplomas           0.3%     0.4%     -0.1
Mobile Phones              0.6%     0.3%      0.4
Phishing                   0.4%     0.3%      0.2


Figure C.12. Spam by Category, 2012 (bar chart of the same categories as Figure C.11, 2011 against 2012, percentage of all spam on a 0 to 60 percent axis) Source: Symantec.cloud

Commentary

• Adult spam dominates this year, with more than half (54.6 percent) of all spam in 2012 related to adult spam, an increase of 39.9 percentage points compared with 2011. These are often email messages inviting the recipient to connect to the scammer through instant messaging, or a URL hyperlink where they are then typically invited to a pay-per-view adult-content Web cam site. Often any IM conversation would be handled by a bot responder, or by a person working in a low-pay, offshore call center.
• The disruption of the Grum and Festi botnets in July and October 2012 respectively had a major impact on the decline in pharmaceutical spam.
• A category with a low percentage still means millions of spam messages. Although it is difficult to be certain what the true volume of spam in circulation is at any given time, Symantec estimates that approximately 30 billion spam emails were sent globally each day in 2012. Where some of the categories listed earlier represent 0.4 percent of spam, this figure equates to more than 120 million spam emails in a single day.
• Spam in the categories Watches/Jewelry, Casino/Gambling, Unsolicited Newsletters, and Scams/Fraud all decreased.


Phishing Activity Trends

Background

This section discusses the proportion of malicious email activity that is categorized as phishing attacks and looks more closely at emerging trends, particularly social engineering techniques and how attackers can automate the use of RSS news feeds to incorporate news and current affairs stories into their scams.

Methodology

The data for this section is based on the analysis of email traffic collected from Symantec.cloud global honeypots and from the analysis of malicious and unwanted email traffic data collected from customers worldwide. The analysis of phishing trends is based on emails processed by Symantec.cloud Skeptic™ technology⁴ and on analysis of phishing emails collected in spam honeypots. Symantec.cloud spam honeypots collected between 2 and 5 million spam emails each day during 2012.

Data

Figure C.13. Phishing Rates, 2011–2012 (line chart of the monthly phishing rate from January 2011 to December 2012, y-axis from 1 in 100 to 1 in 600 emails) Source: Symantec.cloud


Figure C.14. Phishing Category Types, Top 200 Organizations, 2012 (pie chart; labels as shown: Financial 69%, Information Services 27%, Other 5%, Government 0.2%; further labels shown: Computer Software 34%, Communications 22%, Telecom 20%, Retail 12%, Entertainment 10%) Source: Symantec.cloud

Figure C.15. Tactics of Phishing Distribution, 2012 Source: Symantec.cloud

• Automated Toolkits 54%
• Other Unique Domains 39%
• Free Web-hosting Sites 4%
• IP Address Domains 3%
• Typosquatting 1%


Commentary

• Overall for 2012, 1 in 414.3 emails was identified and blocked as a phishing attack, compared with 1 in 298.9 in 2011; a decrease of 0.09 percentage points.
• 67.3 percent of phishing attacks in 2012 related to spoofed financial organizations, compared with 85.2 percent in 2011.
• Phishing attacks on organizations in the Information Services sector accounted for 27.2 percent of phishing attacks in 2012.
• Phishing URLs spoofing banks attempt to steal a wide variety of information that can be used for identity theft and fraud. Attackers seek information such as names, government-issued identification numbers, bank account information, and credit card numbers. Cybercriminals are more focused on stealing financial information that can make them large amounts of money quickly than on goods that require a larger time investment, such as scams.
• Phishing schemes continued to use major events to entice recipients. One scam featured references to increased numbers of Syrian refugees in southern Turkey as a result of the ongoing struggle in Syria, stating, “But you must assure me that you will use at least 50 percent of my wealth to help the Syrian refugees in Turkey. Turkish Disaster Management Agency (AFAD) said that the Syrian refugees in southern Turkey has risen to 101,834. You must promise me that you will use 50 percent of my wealth to help the Syria people that are suffering in Turkey.” The Syrian conflict again featured in scams such as, “I am Sgt Douglas Miller Owen, a U.S Army being deployed from Afghanistan to Damascus, Syria on a 6 month mission before i finally return back home […] Out of the total fund my share was $12,000,000 (Twelve Million US Dollars).” The Libyan revolution and Arab Spring continued to be referenced in scams during 2012, including, “My name is Aisha daughter of Shukri Ghanem. We fled from Libya last year following the uprising against Col Muammar Gaddafi. [...] My father’s death is no longer news but my mother’s deteriorating health made me want to do this despite the fact that I barely know you.”
• 53.7 percent of phishing attacks were conducted through the use of phishing toolkits.
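A first-pass classifier for the hosting tactics in Figure C.15 can be built from the URL alone. The following Python is an added example, not Symantec.cloud’s classifier; the brand list, the free-hosting list, the edit-distance thresholds and the sample URLs are assumptions made for the demonstration. The “Automated Toolkits” share cannot be recovered from a URL, since that label comes from fingerprinting the served page, so it is not among the outputs.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed lists (not from the report): brands to watch for and free hosting
# providers. A real deployment would load both from configuration.
PROTECTED_BRANDS = {"paypal", "bankofamerica", "hsbc", "chase"}
FREE_HOSTS = {"000webhost.com", "weebly.com", "wordpress.com", "blogspot.com"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so
    'example.co.uk' would be cut to 'co.uk'; use a PSL in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_tactic(url):
    """Map a URL to the hosting tactic it uses, or 'brand domain' for the real site."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"

    # 1. Bare IPv4/IPv6 literal as the host: no domain was registered at all.
    try:
        ipaddress.ip_address(host)
        return "IP Address Domain"
    except ValueError:
        pass

    reg = registrable_domain(host)
    sld = reg.split(".")[0]

    # 2. Page hosted on a free web-hosting provider's subdomain.
    if reg in FREE_HOSTS:
        return "Free Web-hosting Site"

    # 3. The brand's own registrable domain: not a phish by this heuristic.
    if sld in PROTECTED_BRANDS:
        return "brand domain"

    # 4. Typosquatting: second-level label within a small edit distance of a brand.
    #    Short brands get a tighter threshold to limit false positives.
    for brand in PROTECTED_BRANDS:
        threshold = 1 if len(brand) <= 5 else 2
        if levenshtein(sld, brand) <= threshold:
            return "Typosquatting"

    # 5. Anything else is a unique domain; flag a brand name buried in a
    #    subdomain label (e.g. paypal.com.<attacker-domain>).
    if any(label in PROTECTED_BRANDS for label in host.split(".")[:-2]):
        return "Other Unique Domain (brand in subdomain)"
    return "Other Unique Domain"


# Constructed sample URLs for the demonstration.
SAMPLES = [
    "http://192.168.10.5/paypal/login.php",
    "http://secure-update.000webhost.com/hsbc/",
    "http://www.paypa1.com/signin",
    "http://paypal.com.account-verify.example/update",
    "https://www.paypal.com/signin",
    "http://www.example.org/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify_tactic(u):42s} {u}")
```

The checks run in the order that gives the most specific answer first: an IP literal cannot also be a typosquat, and a free-hosting subdomain should be attributed to the provider rather than to whatever brand name the attacker put in the label. The edit-distance rule is deliberately tight; with a four-letter brand such as “hsbc”, a threshold of two would also match ordinary words, which is the usual false-positive trap with this heuristic.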


Analysis of Phishing Activity by Geography, Industry Sector, and Company Size

Background

Phishing activity trends can also reveal patterns that may be associated with particular geographical locations or hotspots. The industry sector may also have an influence on an organization’s risk factor, where certain industries may be exposed to different levels of threat because of the nature of their business. Moreover, the size of an organization can also play a part in determining its exposure to risk. SMBs may find themselves the target of such attacks because they are perceived to be softer targets: they are less likely to have the same levels of in-depth defenses, while larger organizations are more likely to have greater budgetary expenditure applied to their antispam and security countermeasures.

Methodology

Analysis of phishing activity based on geography, industry, and size is determined from the patterns of spam activity for Symantec.cloud clients for threats during 2012.

Figure C.16. Proportion of Email Traffic Identified as Phishing by Industry Sector, 2012 (bar chart, 2011 against 2012; sectors shown, in the order listed: Gov/Public Sector, Finance, Education, Accom/Catering, Marketing/Media, Non-Profit, General Services, Unknown, Estate Agents, Agriculture; axis from 1 in 500 to 1 in 50 emails) Source: Symantec.cloud


Figure C.17. Proportion of Email Traffic Identified as Phishing by Organization Size, 2012 (bar chart, 2011 against 2012; size bands 1–250, 251–500, 501–1,000, 1,001–1,500, 1,501–2,500 and 2,501+ employees; axis from 1 in 100 to 1 in 800 emails) Source: Symantec.cloud

Figure C.18. Proportion of Email Traffic Identified as Phishing by Geographic Location, 2012 (bar chart, 2011 against 2012; geographies shown, in the order listed: Netherlands, South Africa, United Kingdom, Denmark, China, Canada, Australia, Cook Islands, Ireland, Italy; axis from 1 in 1,200 to 1 in 200 emails) Source: Symantec.cloud


Commentary

• The phishing rate has significantly increased for six of the top 10 geographies in 2012. The highest average rate for phishing activity in 2012 was for organizations in the Netherlands, with an overall average phishing rate of 1 in 123.1. In 2011, the highest rate was for South Africa, with an overall average phishing rate of 1 in 96.3.
• The phishing rate has decreased across nine of the top 10 industry sectors in 2012; Finance was the exception. Organizations in the Government and Public Sector were subjected to the highest level of phishing activity in 2012, with 1 in 95.4 emails identified and blocked as phishing attacks. In 2011 the sector with the highest average phishing rate was also the Government and Public Sector, with a phishing rate of 1 in 49.4.
• The phishing rate has decreased for all sizes of organization in 2012. 1 in 346.0 emails sent to large enterprises with more than 2,500 employees in 2012 were identified and blocked as phishing attacks, compared with 1 in 250.5 in 2011.
• 1 in 293.8 emails sent to businesses with up to 250 employees in 2012 were identified and blocked as phishing attacks, compared with 1 in 266.1 in 2011.


Spam and Fraud Activity Endnotes

01 See http://www.symantec.com/connect/blogs/419-oldest-trick-book-and-yet-another-scam.
02 See http://www.symantec.com/security_response/landing/spam/.
03 Simple Mail Transfer Protocol.
04 See http://www.symanteccloud.com/sv/se/globalthreats/learning_center/what_is_skeptic.

APPENDIX :: D Vulnerability Trends

Vulnerability Trends

A vulnerability is a weakness that allows an attacker to compromise the availability, confidentiality, or integrity of a computer system. Vulnerabilities may be the result of a programming error or a flaw in the design that will affect security. Vulnerabilities can affect both software and hardware. It is important to stay abreast of new vulnerabilities being identified in the threat landscape because early detection and patching will minimize the chances of being exploited.

This section covers selected vulnerability trends and provides analysis and discussion of the trends indicated by the data. The following metrics are discussed:

• Total Number of Vulnerabilities
• Zero-day Vulnerabilities
• Web Browser Vulnerabilities
• Web Browser Plug-in Vulnerabilities
• Web Attack Toolkits


Total Number of Vulnerabilities

Background

The total number of vulnerabilities for 2012 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and that were subsequently identified post-exploitation. Calculating the total number of vulnerabilities provides insight into vulnerability research being conducted in the threat landscape. There are many motivations for conducting vulnerability research, including security, academic, promotional, software quality assurance, and, of course, the malicious motivations that drive attackers. Symantec gathers information on all of these vulnerabilities as part of its DeepSight vulnerability database and alerting services. Examining these trends also provides further insight into other topics discussed in this report.

Discovering vulnerabilities can be advantageous to both sides of the security equation: legitimate researchers may learn how better to defend against attacks by analyzing the work of attackers who uncover vulnerabilities; conversely, cybercriminals can capitalize on the published work of legitimate researchers to advance their attack capabilities. The vast majority of vulnerabilities that are exploited by attack toolkits are publicly known by the time they are exploited.

Methodology

Information about vulnerabilities is made public through a number of sources. These include mailing lists, vendor advisories, and detection in the wild. Symantec gathers this information and analyzes various characteristics of the vulnerabilities, including technical information and ratings, in order to determine the severity and impact of the vulnerabilities. This information is stored in the DeepSight vulnerability database, which houses over 52,795 distinct vulnerabilities spanning a period of over 20 years. As part of the data gathering process, Symantec scores the vulnerabilities according to version 2.0 of the community-based CVSS (Common Vulnerability Scoring System).¹ Symantec adopted version 2.0 of the scoring system in 2008. The total number of vulnerabilities is determined by counting all of the vulnerabilities published during the reporting period. All vulnerabilities are included, regardless of severity or whether or not the vendor who produced the vulnerable product confirmed them.

01 See http://www.first.org/cvss/cvss-guide.html.


Data

Figure D.1. Total Vulnerabilities Identified, 2006–2012 (bar chart, one bar per year from 2006 to 2012, y-axis 0 to 6,000; bar values as extracted from the figure: 6,253; 5,562; 5,291; 4,842; 4,644; 4,814; 4,814; the commentary below gives 5,291 for 2012 and 4,989 for 2011) Source: Symantec

Figure D.2. New Vulnerabilities Month by Month, 2011 and 2012 (line chart, January to December for each year, y-axis 0 to 600 vulnerabilities per month) Source: Symantec


Figure D.3. Most Frequently Attacked Vulnerabilities in 2012 Source: Symantec

BID         Detail                                                                            Attempts blocked in 2012 (millions, as read from the chart)
BID 31874   Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability  62
BID 8234    Microsoft Windows RPC Service Denial of Service Vulnerability                      11
BID 10127   Microsoft Windows RPCSS DCOM Interface Denial of Service Vulnerability             11
BID 6005    Microsoft Windows RPC Service Denial of Service Vulnerability                      11
BID 8811    Microsoft Windows RPCSS Multi-thread Race Condition Vulnerability                  11

Commentary

• Actual number of new vulnerabilities reported is up, and the trend is still upwards: The total number of new vulnerabilities reported in 2012 stood at 5,291. This figure works out to approximately 101 new vulnerabilities a week. Compared with the number from 2011, which was 4,989, it represents an increase of 6 percent. We can see that the overall pattern is still on an upward trajectory. The number of vulnerabilities reported in January 2013 amounts to 503, which is more than the number reported in the same month last year.
• The most often exploited vulnerabilities are not the newest: From observation of in-field telemetry, we can see that the most frequently used vulnerability in attacks is not the newest. Our data show that the most commonly attacked component by a wide margin is the Microsoft Windows RPC component. The attacks against this component are mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).² This vulnerability was first reported back in October 2008 and Symantec blocked 61.9 million attempts to exploit it in 2012. This figure represents 5.7 times the volume of the second most exploited vulnerability, the Microsoft Windows RPC Service Denial of Service Vulnerability (BID 8234),³ from July 2003.
• The next two most often used vulnerabilities are the Microsoft Windows RPCSS DCOM Interface Denial of Service Vulnerability (BID 10127),⁴ dating from April 2004, and the Microsoft Windows RPC Service Denial of Service Vulnerability (BID 6005),⁵ from October 2002.
• Finally, the fifth most exploited vulnerability is the Microsoft Windows RPCSS Multi-thread Race Condition Vulnerability (BID 8811),⁶ reported in October 2003.
• All of the top five vulnerabilities are several years old with patches available: So why are they used so often even several years after patches are available? There could be several reasons why this is the case:
  • Trading of vulnerabilities,⁷ either through legitimate or clandestine channels, has given exploitable vulnerabilities a significant monetary value. Because of the restricted information available on some of these new vulnerabilities, criminals may not be able to take advantage of them unless they are willing to pay the often substantial asking prices. If they are unable or unwilling to pay, they may resort to existing, widely available, tried-and-tested vulnerabilities to achieve their goals, even if these may potentially be less effective.
  • Those willing to pay will want to ensure maximum return on their investment. This could mean they will use a vulnerability discreetly and selectively rather than making a big splash and arousing the attention of security vendors and other criminal groups looking for new vulnerabilities to use.
  • Older vulnerabilities have a more established malware user base and so account for a greater amount of traffic. For example, widespread and well-established malware threats, such as W32.Downadup⁸ and its variants, use the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which continues to register over 150,000 hits each day. Because these threats use vulnerabilities to spread in an automated fashion, the number of attacks they can launch would generally be far higher than for targeted attacks.
  • For various reasons, not all of the user population applies security patches quickly or at all. This means older vulnerabilities can often still be effective, even years after patches are available. Because of this, there will always be a window of opportunity for criminals to exploit, and they are all too aware of this.
• File-based vulnerabilities: The most commonly exploited data file format is the PDF file format. One of the PDF-related vulnerabilities, the Adobe Acrobat, Adobe Reader, and Adobe Flash Player Remote Code Execution Vulnerability (BID 35759),⁹ registered as the fifth most often used vulnerability in 2011 with just over 1 million attacks reported. PDF files containing vulnerabilities are often associated with Advanced Persistent Threat (APT)¹⁰ style attacks, rather than self-replicating malware. However, in this particular case, the vulnerability in question was most often used in Web toolkit-based attacks. This attack scenario involves creating malicious websites to host exploit code. Users may then be tricked into visiting these malicious toolkit websites either by website redirection (for example, malicious IFRAMEs), SEO poisoning, or by sending out spam emails, instant messages, or social media updates with links to the malicious website. More information on Web browser vulnerabilities can be found later in this report.
• One thing to note: websites hosting malicious toolkits often contain multiple exploits that can be tried against the visitor. In some cases, the kit will attempt to use all exploits at its disposal in a non-intelligent fashion, whereas in more modern advanced kits, the website code will attempt to fingerprint the software installed on the computer before deciding which exploit(s) to send to maximize the success rate. The fact that there are so many Web-kit-based exploit attempts made using this old vulnerability may suggest that a considerable number of users have not updated their PDF readers to a non-vulnerable version.

02 See http://www.securityfocus.com/bid/31874.
03 See http://www.securityfocus.com/bid/8234.
04 See http://www.securityfocus.com/bid/10127.
05 See http://www.securityfocus.com/bid/6005.
06 See http://www.securityfocus.com/bid/8811.
07 See http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html.
08 See http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99.
09 See http://www.securityfocus.com/bid/35759.
10 See http://go.symantec.com/apt.


Zero-day Vulnerabilities

Background

A zero-day vulnerability is one that is reported to have been exploited in the wild before the vulnerability is public knowledge and prior to a patch being publicly available. The absence of a patch for a zero-day vulnerability presents a threat to organizations and consumers alike, because in many cases these threats can evade purely signature-based detection until a patch is released. The unexpected nature of zero-day threats is a serious concern, especially because they may be used in targeted attacks and in the propagation of malicious code.

Methodology

Zero-day vulnerabilities are a sub-set of the total number of vulnerabilities documented over the reporting period. A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known. It may not have been known to the affected vendor prior to exploitation and, at the time of the exploit activity, the vendor had not released a patch. The data for this section consists of the vulnerabilities that Symantec has identified that meet the above criteria.

Data

Figure D.4. Volume of Zero-day Vulnerabilities, 2006–2012 (bar chart, one bar per year from 2006 to 2012, y-axis 0 to 20; bar values as extracted from the figure: 15, 14, 14, 13, 12, 9, 8; Figure D.5 lists the 14 identified in 2012) Source: Symantec


Figure D.5. Zero-day Vulnerabilities Identified in 2012 Source: Symantec

CVE Detail

CVE-2012-0003 Microsoft Windows Media Player “winmm.dll” MIDI File Parsing Remote Buffer Overflow Vulnerability

CVE-2012-0056 Linux Kernel CVE-2012-0056 Local Privilege Escalation Vulnerability

CVE-2012-0507 Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability

CVE-2012-0767 Adobe Flash Player CVE-2012-0767 Cross Site Scripting Vulnerability

CVE-2012-0779 Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability

CVE-2012-1535 Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability

CVE-2012-1856 Microsoft Windows Common Controls ActiveX Control CVE-2012-1856 Remote Code Execution Vulnerability

CVE-2012-1875 Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability

CVE-2012-1889 Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability

CVE-2012-4792 Microsoft Internet Explorer “CDwnBindInfo” Use-After-Free Remote Code Execution Vulnerability

CVE-2012-4969 Microsoft Internet Explorer Image Arrays Use-After-Free Remote Code Execution Vulnerability

CVE-2012-5076 Oracle Java SE CVE-2012-5076 Remote Java Runtime Environment Vulnerability

CVE-MAP-NOMATCH Parallels Plesk Panel Unspecified Remote Security Vulnerability

CVE-MAP-NOMATCH Microsoft Windows Digital Certificates Spoofing Vulnerability

Commentary

• 2012 sees an increase in the number of zero-day vulnerabilities compared to 2011: there was a 75 percent increase in vulnerabilities seen in 2012 compared with 2011 (the 14 listed in Figure D.5, which implies eight in 2011). However, the number seen in 2012 was inflated by Microsoft file-based vulnerabilities, whereas Adobe-based vulnerabilities total three, compared to four in 2011, when they topped the chart.
• There were three zero-day browser vulnerabilities seen in 2012, an increase of two from 2011. This corresponds with the dramatic increase in browser vulnerabilities compared to the total seen in 2011. With the trend moving into Web attacks, more and more browser vulnerabilities are leveraged by the attackers.
• While the overall number of zero-day vulnerabilities is up, attacks using these vulnerabilities continue to be successful. Some of these vulnerabilities are leveraged in targeted attacks. Adobe Flash Player and Microsoft Windows ActiveX Control vulnerabilities are widely used in targeted attacks, and vulnerabilities in Microsoft technologies accounted for half of the zero-day vulnerabilities seen in 2012 (seven of the 14 listed in Figure D.5).
• Most of the attack scenarios are planned in such a way that an attacker crafts a malicious Web page to leverage the issue and uses email or other means to distribute the page and entice an unsuspecting user to view it. When the victim views the page, the attacker-supplied code is run.


Web Browser Vulnerabilities

Background

Web browsers are ever-present components for computing for both enterprise and individual users on desktop and on mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware. In addition, Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits. Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files or documents, is often presented in browsers via browser plug-in technologies. While browser functionality is often extended by the inclusion of various plug-ins, the addition of plug-in components also results in a wider potential attack surface for client-side attacks.

Methodology

Browser vulnerabilities are a sub-set of the total number of vulnerabilities cataloged by Symantec throughout the year. To determine the number of vulnerabilities affecting browsers, Symantec considers all vulnerabilities that have been publicly reported, regardless of whether they have been confirmed by the vendor. While vendors do confirm the majority of browser vulnerabilities that are published, not all vulnerabilities may have been confirmed at the time of writing. Vulnerabilities that are not confirmed by a vendor may still pose a threat to browser users and are therefore included in this study.

Data

Figure D.6. Browser Vulnerabilities, 2011 and 2012 (bar chart, 2011 against 2012 counts per browser, y-axis 0 to 600) Source: Symantec

This metric examines the total number of vulnerabilities affecting the following Web browsers:
• Apple Safari
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Opera


Commentary

• Vulnerability counts increased dramatically in 2012 for every browser except Opera and Microsoft Internet Explorer, which saw a slight increase.
• Chrome vulnerabilities increased dramatically in 2012 (268). This could be due to the series of exploits developed to prove that Chrome is not unbreakable. After a spike in 2010 (191), the documented vulnerabilities for the Chrome browser dropped to 62 for 2011, which is a similar level to previous years. Several bug bounty programs were organized in 2012, which has contributed to the exposure of a large number of Chrome vulnerabilities.
• These five browsers combined had 891 reported vulnerabilities in total in 2012, a strong increase from 351 in 2011. This increase is due to dramatically increased vulnerabilities seen in Safari, Chrome, and Firefox.


Web Browser Plug-in Vulnerabilities

Background

This metric examines the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features, such as allowing additional multimedia content from Web pages to be rendered. Although this is often run inside the browser, some vendors have started to use sandbox containers to execute plug-ins in order to limit the potential harm of vulnerabilities. Unfortunately, Web browser plug-ins continue to be one of the most exploited vectors for Web-based attacks and drive-by downloads silently infecting consumer and enterprise users. Many browsers now include various plug-ins in their default installation and provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and are often required in order to use many commercial sites. Vulnerabilities affecting these plug-ins are an increasingly favored vector for a range of client-side attacks, and the exploits targeting these vulnerabilities are commonly included in attack kits. Web attack kits can exploit up to 25 different browser and browser plug-in vulnerabilities at one time and then have full access to download any malware to the endpoint system.

Some plug-in technologies include automatic update mechanisms that aid in keeping software up to date, which may aid in limiting exposure to certain vulnerabilities. Enterprises that choose to disable these updating mechanisms, or continue to use vulnerable versions, will continue to put their enterprises at considerable risk of silent infection and exploitation. With the hundreds of millions of drive-by download attacks that Symantec identified in 2011, Web attacks continue to be a favorite infection vector for hackers and malware authors to breach enterprise and consumer systems. To help mitigate the risk, some browsers have started to check the version of installed third-party plug-ins and inform the user if there are any updates available for install. Enterprises should also check if every browser plug-in is needed and consider removing or disabling potentially vulnerable software.

Methodology

Web browser plug-in vulnerabilities comprise a sub-set of the total number of vulnerabilities cataloged by Symantec over the reporting period. The vulnerabilities in this section cover the entire range of possible severity ratings and include vulnerabilities that are both unconfirmed and confirmed by the vendor of the affected product. Confirmed vulnerabilities consist of security issues that the vendor has publicly acknowledged, by either releasing an advisory or otherwise making a public statement to concur that the vulnerability exists. Unconfirmed vulnerabilities are vulnerabilities that are reported by third parties, usually security researchers, which have not been publicly confirmed by the vendor. That a vulnerability is unconfirmed does not mean that the vulnerability report is not legitimate, only that the vendor has not released a public statement to confirm the existence of the vulnerability.
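The plug-in version check described above, done from an endpoint inventory rather than inside the browser, so that an enterprise can find the stale installs a kit would fingerprint. The following Python is an added example and not a Symantec tool; the inventory lines and the minimum patched versions are constructed for the demonstration and would be replaced by the vendor advisories current at audit time.

```python
import re

# Assumed minimum patched versions (illustrative, not from the report). A real
# audit takes these from the vendor advisories current at the time.
MINIMUM_VERSIONS = {
    "Adobe Flash Player": "11.5.502.110",
    "Adobe Reader": "10.1.4",
    "Java": "1.7.0_09",
    "Apple QuickTime": "7.7.3",
}

# Constructed endpoint inventory, one "<plug-in name> <version>" per line.
INVENTORY = """\
Adobe Flash Player 11.4.402.265
Adobe Reader 10.1.4
Java 1.6.0_33
Apple QuickTime 7.7.3
Unknown Widget 1.0
"""


def parse_version(text):
    """Split a version string into a tuple of integers for comparison.
    Handles dotted forms (11.5.502.110) and Java's update form (1.7.0_09);
    every run of digits becomes one component, so '_09' compares as 9 and
    1.7.0_10 sorts after 1.7.0_9, which a plain string comparison gets wrong.
    Tuples of different length compare positionally, with the shorter as lower."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_inventory(text):
    """Yield (name, version) pairs; the version is the last whitespace-separated field."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, version = line.rpartition(" ")
        items.append((name, version))
    return items


def audit(inventory_text, minimums=MINIMUM_VERSIONS):
    """Return (name, installed, status) for each inventory entry, where status is
    'vulnerable' (below the baseline), 'ok', or 'unknown' (no baseline for that plug-in).
    Unknown plug-ins are reported rather than silently passed: an unlisted plug-in
    is exactly the kind an enterprise should consider disabling."""
    findings = []
    for name, installed in parse_inventory(inventory_text):
        baseline = minimums.get(name)
        if baseline is None:
            status = "unknown"
        elif parse_version(installed) < parse_version(baseline):
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((name, installed, status))
    return findings


if __name__ == "__main__":
    for name, installed, status in audit(INVENTORY):
        baseline = MINIMUM_VERSIONS.get(name, "-")
        print(f"{status:10s} {name:20s} installed={installed:14s} minimum={baseline}")
```

On the constructed inventory the audit flags Flash and Java as vulnerable, passes Reader and QuickTime, and reports the unlisted widget as unknown. The numeric tuple comparison is the part worth keeping: version strings compared as text put "1.7.0_9" after "1.7.0_10", which is how stale Java installs slip through naive checks.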


Vulnerability trends

Data

Figure D.7. Browser Plug-in Vulnerabilities in 2011 and 2012. Source: Symantec

[Bar chart: vulnerability counts in 2011 and 2012 for Adobe Reader, Adobe Flash, ActiveX, Apple QuickTime, Firefox extensions and Oracle Sun Java; vertical axis 0 to 120]

Symantec identified the following plug-in technologies as having the most reported vulnerabilities in 2012:

• Adobe Reader
• Adobe Flash Player
• Apple QuickTime
• Microsoft ActiveX
• Mozilla Firefox extensions
• Oracle Sun Java Platform Standard Edition (Java SE)

Commentary

• In 2012, 312 vulnerabilities affecting browser plug-ins were documented by Symantec, a very slight increase compared to 308 vulnerabilities affecting browser plug-ins in 2011.
• ActiveX vulnerabilities increased in 2012, which may be due to the increase in Internet Explorer vulnerabilities.
• Adobe Flash Player and Java vulnerabilities increased in 2012. This trend was already visible in 2011 and grew again. This is also reflected in the vulnerability usage in attack toolkits, which focused on Adobe Flash Player, Adobe PDF Reader, and Java in 2012.


Web Attack Toolkits

Background

Web attack toolkits are a collection of scripts, often PHP files, which are used to create malicious websites that will use Web exploits to infect visitors. There are a few dozen known families used in the wild. Many toolkits are traded or sold on underground forums for US$100-1,000. Some are actively developed and new vulnerabilities are added over time, such as the Blackhole and Eleonore toolkits, which both added exploits for a variety of vulnerabilities during 2012. Each new toolkit version released during the year was accompanied by increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits as possible until potential victims have patched their systems. Since many toolkits often use the same exploits, it is often difficult to identify the specific attack toolkit behind each infection attempt.

On average, an attack toolkit contains around 10 different exploits, mostly focusing on browser-independent plug-in vulnerabilities found in applications such as Adobe Flash Player, PDF viewers, and Java. In general, older exploits are not removed from the toolkits, since some systems may still be unpatched. This is perhaps why many of the toolkits still contain an exploit for the old Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462) from 2006. The malicious script will test all possible exploits in sequence until one succeeds. This may magnify the attack numbers seen for older vulnerabilities, even if they were unsuccessful. For more information on Web attack toolkits, please read Appendix A: Threat Activity Trends: Analysis of Malicious Web Activity by Attack Toolkits.


SCADA Vulnerabilities

Background

This metric will examine the SCADA (Supervisory Control and Data Acquisition) security threat landscape. SCADA represents a wide range of protocols and technologies for monitoring and managing equipment and machinery in various sectors of critical infrastructure and industry. This includes—but is not limited to—power generation, manufacturing, oil and gas, water treatment, and waste management. Therefore, the security of SCADA technologies and protocols is a concern related to national security because the disruption of related services can result in the failure of infrastructure and potential loss of life, among other consequences.

Methodology

This discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research in relation to SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and/or enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into any private research because the results of such research are not publicly disclosed.

Data

The number of SCADA vulnerabilities decreased dramatically in 2012. In 2012, there were 85 public SCADA vulnerabilities, a massive decrease when compared to the 129 vulnerabilities in 2011.

Commentary

Since the emergence of Stuxnet in 2010, the security of SCADA systems has been an area of concern. SCADA systems are generally not designed to be connected to the public Internet, but as Stuxnet demonstrated, this is not always a guarantee of security as locally connected networks may become compromised and USB devices may also be used as an infection vehicle. As new vulnerabilities are discovered, the importance of providing a fix quickly is even greater for SCADA systems, but they can sometimes remain unpatched for longer than traditional software vulnerabilities.


Appendix: Government Threat Activity Trends


Government Threat Activity Trends

Whether the purposes behind government-targeted attacks involve disagreements with policies or programs, or are motivated by espionage or attempts to steal classified information for profit or other reasons, such attacks can have serious ramifications for organizations and those they serve. The Symantec Global Internet Security Threat Report provides an analysis of threat activity trends relating to government and Critical Infrastructure Protection (CIP), including malicious activity that Symantec observed in 2012. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

This section covers the following metrics and provides analysis and discussion of the trends indicated by the data:

• Malicious Activity by Critical Infrastructure Sector
• Sources of Origin for Government-targeted Attacks
• Attacks by Type: Notable Critical Infrastructure Sectors


Malicious Activity by Critical Infrastructure Sector

Background

This metric indicates the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. These attacks could potentially expose sensitive and confidential information, which could have serious ramifications for government and critical infrastructure organizations. Such information could be used for strategic purposes in the case of state- or group-sponsored attacks, especially since attackers who use compromised computers for malicious activity can mask their actual location.

Methodology

This metric evaluates the amount of malicious activity originating from computers and networks that are known to belong to government and critical infrastructure sectors. To measure this, Symantec cross-references the IP addresses of known malicious computers with standard industrial classification (SIC1) codes that are assigned to each industry and provided by a third-party service.2 Symantec has compiled data on numerous malicious activities that were detected originating from the IP address space of these organizations. These activities include bot-infected computers, phishing hosts, spam zombies, and network attack origins.

Data

Figure E.1 Malicious Activity by Critical Infrastructure Sector. Source: Symantec

Industry Sector | % of CIP Source Activity | % of CIP Source IP Addresses
Financial Services | 72.2% | 9.6%
Manufacturing | 16.0% | 71.5%
Biotech / Pharmaceutical | 4.7% | 6.0%
Government | 2.2% | 1.7%
Aerospace | 1.9% | 7.3%
Government - National | 1.2% | 0.8%
Government - State | 0.9% | 0.8%
Utilities/Energy | 0.3% | 0.3%
Internet Service Provider | 0.3% | 1.7%
Telecommunications | 0.1% | 0.1%
Government - Local | <0.1% | 0.2%
Health Care | <0.1% | <0.1%
Transportation | <0.1% | 0.1%

Commentary

• Financial Services was the top sector for malicious activity: the Financial Services sector was the origin for the most malicious activity in 2012, accounting for 72.2 percent of attacks and 9.6 percent of source IP addresses originating from CIP networks.
• One-third of attacks originating from Financial Services infrastructure related to denial-of-service (DoS) attacks, including UDP flood attacks.
• Organizations within this sector are likely to have high-bandwidth networks that would enable an attacker to carry out sizeable attacks, such as distributed denial of service (DDoS) attacks that disrupt other Internet services and deny legitimate users access to them. High-bandwidth networks may also allow an attacker to hide attack and bot traffic more effectively, especially for HTTP-based bot command-and-control (C&C) servers, where HTTP bot traffic is virtually indistinguishable from regular traffic, making it difficult to filter.


Sources of Origin for Government-targeted Attacks

Background

Attacks targeting government organizations may serve as a means of expressing disagreement with policies and programs that the government has developed and implemented. Such attacks are likely to be carried out for a variety of reasons, including blocking access to government Internet-based resources, gaining access to potentially sensitive information, and discrediting the government itself. In addition, attacks may be motivated by espionage and attempts to steal government-classified information. These attacks may result in the disruption of critical services, as with DoS attacks, or the exposure of highly sensitive information. An attack that disrupts the availability of a high-profile government organization website will get much wider notice than one that takes a single user offline. In addition, malicious code attacks targeting governments can be motivated by profit because governments store considerable amounts of personal identification data that could be used for fraudulent purposes, such as identity theft. Personal data can include names, addresses, government-issued identification numbers, and bank account credentials, all of which can be effectively exploited for fraud by attackers. Government databases also store information that could attract politically motivated attacks, including critical infrastructure information and other sensitive intelligence.

In February, several attacks targeting a government organization consisted of spoofed emails sent to U.S. military officials with subjects like “U.S. Air Force Procurement Plan 2012” and “[UNCLASSIFIED] 2012 U.S. Army orders for weapons.” This prompted recipients to click on a link, which would download malicious code in an attempt to steal confidential information.3

Methodology

This metric will assess the top sources of origin for government-targeted attacks by determining the location of computers from which the attack occurred. It should be noted that attackers often attempt to obscure their tracks by redirecting attacks through one or more servers that may be located anywhere in the world; thus, the attacker may be located somewhere other than from where the attacks appear to originate.

Data

Figure E.2 Sources of Origin for Government-targeted Attacks. Source: Symantec

Country | % of Source Activity | % of Source IP Addresses
United States | 73.67% | 16.73%
China | 11.88% | 54.56%
United Kingdom | 2.23% | 1.98%
Netherlands | 2.17% | 3.28%
Russia | 2.10% | 7.22%
Taiwan | 1.92% | 4.92%
Brazil | 1.68% | 5.89%
Germany | 1.54% | 2.47%
Korea, South | 1.41% | 1.70%
France | 1.40% | 1.25%

Commentary

• The United States and China were the top two sources of origin for attacks that targeted the Government sector in 2012.
• This could be a consequence of having large numbers of insecure systems in the United States and China, which may be used for staging an attack.


Attacks by Type: Notable Critical Infrastructure Sectors

Background

This section of the Symantec Government Internet Security Threat Report focuses on the types of attacks detected by sensors deployed in notable critical infrastructure sectors. Government and critical infrastructure organizations are the target of a wide variety of attack types. The ability to identify attacks by type assists security administrators in evaluating which assets may be targeted and may assist them in securing those assets receiving a disproportionate number of attacks. The following sectors will be discussed in detail:

• Government
• Biotech/Pharmaceutical
• Healthcare
• Financial Services
• Transportation
• Telecommunications
• Utilities

Methodology

The following types of attacks are considered for this metric:

Attacks on Web Servers: Web servers facilitate a variety of services for government and critical infrastructure sectors, such as hosting publicly available information, customer support portals, and online stores. Some Web servers also host remotely accessible interfaces that employees use to perform routine, job-related tasks from remote locations. Furthermore, a Web server may be a portal to an organization’s internal network and database systems.

Attacks on Web Browsers: Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications. As the Internet has become commonplace among business and leisure activities, there is an increased reliance on browsers and their plug-ins. Attacks on Web browsers can originate from malicious websites as well as legitimate websites that have been compromised to serve malicious content. Browsers can also facilitate client-side attacks because of their use of plug-ins and other applications in handling potentially malicious content served from the Web, such as compromised documents and media files.

Attacks on SMTP (Simple Mail Transfer Protocol): SMTP is designed to facilitate the delivery of email messages across the Internet. Email servers using SMTP as a service are likely targeted by attackers because external access is required to deliver email. While most services can be blocked by a firewall to protect against external attacks and allow access only to trusted users and entities, for email to function effectively for organizations, it has to be available both internally and externally to other email servers. The necessity of allowing both internal and external access increases the probability that a successful attack will give attackers access to the network.

Denial-of-Service (DoS) Attacks: DoS attacks are a threat to government and critical infrastructures because the purpose of such attacks is to disrupt the availability of high-profile websites or other network services and make them inaccessible to users and employees. A successful DoS attack could result in the disruption of internal and external communications, making it practically impossible for employees and users to access potentially critical information. Because these attacks often receive greater exposure than those that take a single user offline, especially for high-profile government websites, they could also result in damage to the organization’s reputation. A successful DoS attack on a government network could also severely undermine confidence in government competence and impair the defense and protection of government networks.

Backscatter: Generally, backscatter is considered to be a type of Internet background noise, which is typically ignored. While not a direct attack, backscatter is evidence that a DoS attack against another server on the Internet is taking place and is making use of spoofed IP addresses. When one of these spoofed IP addresses matches the address of a Symantec sensor, any error messages that the attacked server sends to the spoofed address will be detected by a Symantec sensor as backscatter.

Shellcode/Exploit Attacks: Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability. An attacker can exploit a vulnerability to gain access to a system, inject this code, and use a command shell to take control of a compromised machine. By remotely controlling a compromised system, an attacker can gain access to an organization’s network and, from there, perpetrate additional attacks. Moreover, this type of attack can monopolize valuable resources that may be critical to government operations.
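As an added example, not Symantec's code or methodology, the following Python classifies constructed sensor events into the attack types defined above (including the unsolicited-reply test that the backscatter definition implies) and tallies their per-sector shares in the form the figures that follow use; the event fields, signature strings and rule order are assumptions made for this illustration.

```python
"""Constructed example: classify sensor events into the attack types defined above and
tally them per sector, as Figures E.3 and E.4 do.  Not Symantec's code; field names,
signature strings and the rule order are assumptions made for this illustration."""
from collections import Counter, defaultdict

# Constructed sample events (documentation address ranges, not real telemetry).
# direction is relative to the monitored network; flags are TCP flags for TCP events.
EVENTS = [
    dict(sector="Government", direction="in", proto="tcp", src="203.0.113.5:4444",
         dst="192.0.2.10:80", flags="S", sig="HTTP directory traversal"),
    dict(sector="Government", direction="in", proto="tcp", src="203.0.113.5:4445",
         dst="192.0.2.10:80", flags="S", sig=None),
    dict(sector="Government", direction="out", proto="tcp", src="192.0.2.10:51000",
         dst="198.51.100.7:80", flags="S", sig=None),            # we opened this
    dict(sector="Government", direction="in", proto="tcp", src="198.51.100.7:80",
         dst="192.0.2.10:51000", flags="SA", sig=None),          # its legitimate reply
    dict(sector="Government", direction="in", proto="tcp", src="198.51.100.99:80",
         dst="192.0.2.10:33000", flags="SA", sig=None),          # unsolicited: backscatter
    dict(sector="Government", direction="in", proto="tcp", src="203.0.113.8:4000",
         dst="192.0.2.10:445", flags="PA", sig="SMB shellcode detected"),
    dict(sector="Government", direction="in", proto="udp", src="203.0.113.9:1234",
         dst="192.0.2.10:53", flags="", sig="UDP flood"),
    dict(sector="Healthcare", direction="in", proto="tcp", src="203.0.113.20:5000",
         dst="192.0.2.50:25", flags="S", sig=None),
    dict(sector="Healthcare", direction="in", proto="tcp", src="203.0.113.21:80",
         dst="192.0.2.50:52000", flags="PA", sig="Malicious JavaScript served to browser"),
    dict(sector="Healthcare", direction="in", proto="tcp", src="203.0.113.22:6000",
         dst="192.0.2.50:445", flags="PA", sig="Remote exploit attempt"),
    dict(sector="Healthcare", direction="in", proto="tcp", src="203.0.113.22:6001",
         dst="192.0.2.50:445", flags="PA", sig="Shellcode NOP sled"),
]

# Inbound traffic to these service ports counts as an attack on that service.
SERVER_PORTS = {80: "Web (server)", 443: "Web (server)", 25: "SMTP (email)", 53: "DNS"}

def _split(addr):
    host, port = addr.rsplit(":", 1)
    return host, int(port)

def classify(event, seen_outbound):
    """Return the attack type for one event, or None for ordinary traffic.
    seen_outbound holds the TCP connections the monitored network itself opened; it is
    updated here so that genuine replies to those connections are not mislabelled."""
    src_ip, src_port = _split(event["src"])
    dst_ip, dst_port = _split(event["dst"])
    if event["direction"] == "out":
        if event["proto"] == "tcp" and event["flags"] == "S":
            seen_outbound.add((src_ip, src_port, dst_ip, dst_port))
        return None
    sig = (event["sig"] or "").lower()
    if "flood" in sig:
        return "DoS"
    if "browser" in sig:
        return "Web (browser)"
    if "shellcode" in sig or "exploit" in sig:
        return "Shellcode/Exploit"
    if event["proto"] == "tcp" and event["flags"] in ("SA", "R", "RA"):
        # A reply segment is legitimate only if we sent the SYN it answers; otherwise
        # our address was spoofed in someone else's flood and this is backscatter.
        if (dst_ip, dst_port, src_ip, src_port) in seen_outbound:
            return None
        return "Backscatter"
    return SERVER_PORTS.get(dst_port, "Misc.")

def attacks_by_type(events):
    """Share (percent, 2 decimals) of each attack type per sector, like Figure E.4."""
    seen_outbound = set()
    counts = defaultdict(Counter)
    for event in events:  # order matters: an outbound SYN must precede its reply
        label = classify(event, seen_outbound)
        if label:
            counts[event["sector"]][label] += 1
    return {sector: {label: round(100.0 * n / sum(c.values()), 2) for label, n in c.items()}
            for sector, c in counts.items()}

if __name__ == "__main__":
    for sector, shares in attacks_by_type(EVENTS).items():
        print(sector, shares)
```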


Data and Commentary

Figure E.3 Attacks by Type – Overall Government and Critical Infrastructure Organizations. Source: Symantec

Web (server) 79%; P2P 7%; DoS 6%; Shellcode/Exploit 5%; Web (browser) 2%; SMTP (email) 1%; Backscatter, DNS, Misc., Bruteforce and Footprinting each <0.1%.

• Web server attacks were the most common type of attack for government and critical infrastructure: in 2012, the most common attack type seen by all sensors in the government and critical infrastructure sectors related to attacks on Web servers and accounted for 78.48 percent of all attacks.
• P2P attacks were the second-most common type of attack for government and critical infrastructure, accounting for 7.21 percent of attacks. P2P attacks comprise general ones such as DoS, man-in-the-middle and worm propagation attacks, and specific ones such as rational attacks, file poisoning, etc.
• DoS attacks are often associated with social and political protests, since they are intended to render a site inaccessible to legitimate users of those services. Man-in-the-middle attacks are those in which the attacker inserts themselves undetected between two nodes; the attacker can then choose to stay undetected and spy on the communication, or more actively manipulate it.


Figure E.4 Attacks by Type – Notable Critical Infrastructure Sectors. Source: Symantec

[Pie charts: share of each attack type (Web server, Web browser, SMTP, DoS, Shellcode/Exploit, P2P, DNS) for Government, Biotech/Pharmaceutical, Financial Services, Healthcare, Transportation, Telecommunications and Utilities]


• The Financial Services and Transportation sectors were predominantly targeted by Web server attacks in 2012. These two sectors contribute the majority of Web server attacks seen in critical infrastructure sectors overall. This may indicate that attackers were specifically targeting these sectors and attempting to disrupt Web services, which are the backbone of these sectors.
• Shellcode/Exploit attacks have become the most common for the Government and Healthcare sectors. Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode can be either local or remote, depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote).
• DoS attacks predominate in the Biotech, Telecommunications and Utilities sectors, attempting to disrupt services and communications within them.

Government Threat Activity Endnotes

01 SIC codes are the standard industry codes that are used by the United States Securities and Exchange Commission to identify organizations belonging to each industry. For more information, please see http://www.sec.gov/.
02 See http://www.digitalenvoy.net/.
03 See http://www.huffingtonpost.com/2011/01/05/white-house-christmas-email_n_804547.html.


About Symantec

Symantec protects the world’s information and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment—from the smallest mobile device to the enterprise data center to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.

More Information

• Symantec.cloud Global Threats: http://www.symanteccloud.com/en/gb/globalthreats/.
• Symantec Security Response: http://www.symantec.com/security_response/.
• Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport/.
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/.
• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/.

Confidence in a connected world.

For specific country offices and contact numbers, please visit our website. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters 350 Ellis Street Mountain View, CA 94043 USA +1 (650) 527 8000 1 (800) 721 3934 www.symantec.com

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
