Tag Archives: Hosted Services

Symantec MessageLabs Intelligence October 2010 Report – Targeted Email Attacks On The Rise

Even in a world where Internet threats present an ever evolving and increasingly sophisticated danger to businesses, targeted email attacks are the most potent of all – potentially dealing devastating short and long-term damage to the victims.

Counter to intuitive thinking, a high degree of sophistication gives these low volume, highly personalized emails an edge, and a higher probability of success than mass email blasts.

The goal of targeted attacks is simple – an attempt to gain access to specific sensitive data, intellectual property or confidential internal systems, by targeting specific individuals and companies.

According to Symantec Hosted Services, targeted attacks on the retail sector took a big jump in October, with 25 percent of all targeted attacks directed at this economic sector.

When you consider that in the previous 2 years, less than half of one percent of targeted email attacks were directed at the retail sector – versus the 25% discovered by Symantec Hosted Services in October, it’s evident cyber crooks have a razor sharp focus on the retail sector.

The spam landscape changes constantly, and while your industry sector may not be in the crosshairs currently, given that between 200 and 300 organizations are targeted each month with the industry sector varying, it may be only a matter of time.

Knowledge is power, and as computer users we need as much power as we can get in order to stay safe on the Internet, so I encourage you to read the highlights of MessageLabs Intelligence October report, just released today. The full report is available here.

Selected report highlights:

Spam: In October 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 87.5 percent (1 in 1.4 emails), a decrease of 4.2 percentage points since September.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 221.9 emails (0.45 percent) in October, a decrease of .01 percentage points since September. In October, 23.1 percent of email-borne malware contained links to malicious websites, an increase of 15.5 percentage points since September.

Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Phishing: In October, phishing activity was 1 in 488.0 emails (0.20 percent), a decrease of 0.06 percentage points since September.

Web security: Analysis of web security activity shows that 51.3 percent of malicious domains blocked were new in October, an increase of 17.7 percentage points since September. Additionally, 24.7 percent of all web-based malware blocked was new in October, an increase of 2.9 percentage points since last month. MessageLabs Intelligence also identified an average of 2,280 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 23.9 percent since September.

About Message Labs Intelligence:

Symantec’s Message Labs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec:

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world.  Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available here.


MessageLabs Intelligence: Botnets On The Rise – Pushing Out 11% More Spam

I wrote an article, in June of this year, on FIFA World Cup spammers that turned out to be a popular article (over 4,000 reads) – so, I’ve decided Spam isn’t all bad after all.  🙂

I’m being more than a little facetious, of course. Spam, without a doubt, is one of the worst things about the Internet.

The MessageLabs Intelligence August 2010 report indicates (surprise, surprise) that there’s been a recent minor reduction in the total amount of spam in circulation. Offsetting this slightly good news, though, the same report makes the point that spam generated by botnets has increased to 95 percent of all spam – up 11% in just five months.

The Rustock botnet continues to be the main culprit, pumping out 41 percent of all spam in August. This, despite the fact that the Rustock botnet has been reduced in size by roughly half.

Before you think that’s because we’re better at catching botneted machines – it’s not. The fact is, the Rustock botnet is now faster, and more efficient, because it no longer uses TLS encryption.

Selected stats from the report:

This month, there were a significant number of yet-to-be classified botnets responsible for sending 17.6 percent of all spam.

The UK was responsible for 4.5 percent of the world’s spam, more than double the percentage in April, and the UK is now the fourth most frequent source of spam behind the US, India and Brazil.

The US is home to the greatest number of bots, most notably Rustock, Storm and Asprox.

A PDF version of the full report including additional findings on spam and security threats is available here.


FIFA World Cup Scammers Using Double Attack Mode Says Symantec Hosted Services

If one is good, then two must be better, right? FIFA World Cup scammers apparently believe this double whammy approach will be more successful in helping them overcome security safeguards, and perhaps even a targeted victim’s reluctance to engage with malicious email.

According to Symantec Hosted Services’ MessageLabs Intelligence unit, they have intercepted “a run of 45 targeted malware emails in route to a number of Brazilian companies across industries”.

The MessageLabs Intelligence unit discovered the attack had been crafted using both an infected PDF attachment, and a malicious web link. The outcome of this double barreled approach could mean, “even if the malicious PDF attachment is removed by an anti-virus gateway, the malicious link remains in the body of the email and may still be delivered to the recipient” stated Symantec.

As the tournament continues, don’t be surprised to see more World Cup-related spam and malware threats emerge.

You can learn more about World Cup-related spam here.


Are You in the Bullseye for Targeted Malware Attacks?

Cybercriminals, driven by opportunity, tend to use the shotgun approach to achieve the highest “market” penetration possible, and to maximize every conceivable opportunity to spread malware.

The bad guys are strategic in their thinking; they plan ahead – and realize that the timing and implementation of tactics, based on their strategy, is critical to achieving maximum “market” penetration.

Now it seems, certain cybercriminals have developed a new strategy, and tactics, focusing on specific targets, sniping if you like, rather than using the well tested shotgun model.

You’re probably familiar with the successful China-based hacker attack against Google, which used a combination of a PDF attachment, coupled with a zero day security hole in Adobe Reader. As it turned out, Google was not the only company to be victimized in this attack. Reportedly, at least 20 other companies were also specifically targeted.

Symantec Hosted Services’ latest report, which focuses on this issue, is scary stuff. You’ll find that reading this report will assist you in understanding the state of the current Internet threat environment, and will be helpful in expanding the sense of threat awareness that an active Internet user requires.

Courtesy of Symantec Hosted Services and MessageLabs Intelligence.

Even in a world where internet threats present an ever-evolving and increasingly sophisticated danger to businesses, targeted attacks are the most potent of all—dealing the most devastating short and long-term damage to the victims.

Counter to intuitive thinking, a high degree of sophistication makes these low volume, highly personalized emails have a higher probability of being successful than the mass email blasts.

Symantec Hosted Services has detected highly targeted attacks on seven specific companies in the education and public sectors. The attack is unique in that it used the Bredolab malware as the payload and the source of the emails is individual webmail accounts powered by one of the largest botnets currently in operation, presumably Cutwail.

This signifies a new level of sophistication on behalf of cyber criminals, where they combine the strength of a botnet with the razor sharp focus of social engineering and the sense of legitimacy offered by popular webmail providers.

You can learn more about this particular attack on the MessageLabs Intelligence Blog.

Organizations falling foul of a targeted attack can be faced with crushing bills running into hundreds of thousands of dollars. Lost business, bad publicity, plunging share price – these are just some of the potential consequences of a successful attack.

Here’s a look at some of the popular techniques currently being deployed by cyber criminals:

Targeted Trojans – Aimed and delivered with sniper-like precision, the targeted Trojan’s objective is to slip through an organization’s defenses and cleverly dupe the recipient into downloading a malicious Trojan program onto their computer.

The Trojan may, silently and secretly, lie hidden for weeks, months or years, slowly but surely undermining the targeted organization and imperceptibly eroding their performance and ability to compete.

Phishing Attacks – Schemes that trick people into sending money or providing personal information, phishing emails (and variations called “pharming” or “whaling”) are used for identity theft. A cyber-criminal who sends emails that contain authentic information about the user or their company greatly increases the odds of getting a “bite.”

Social Networking – One popular approach is to create a fake profile on a social media website and use it to post malicious links that “phish” for corporate users. In this form of phishing, spammers post blog comments on other members’ pages; obtain the unsuspecting members’ account information; then send messages from the phished accounts to other contacts.

Organizations must balance the business value of social media websites with the risks of many non-secure social media environments.


MessageLabs Intelligence – January 2010 Report

We know that running security applications alone will not ensure your safety on the Internet; education and awareness have taken on a new urgency.

MessageLabs Intelligence, part of Symantec Hosted Services, has just released its January 2010 Report, which will help you understand both the state of the current Internet threat environment, and what you can expect in the months ahead.

Reading this type of report (or at least the highlights), is certainly educational, and can be a major step in expanding that sense of threat awareness that active Internet users require.

Here’s a quick awareness tip: Since Valentine’s Day is coming up, we can expect to see major cybercriminal activity relating to this special day.

There is some surprising data contained in this report. Did you know, for example, that Spam borne Viruses, and Phishing attacks, actually dropped in January – at least marginally? Could this be the start of a downward trend?

If in fact, there is a downward trend in these areas, just where are persistent cybercriminals likely to refocus their crafty attacks? The following report will give you some indication of where we’re likely headed, and what we’ll have to deal with.

MessageLabs Intelligence report highlights:

Spam: In January 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 83.9 percent (1 in 1.2 emails), a decrease of 0.3 percent since December 2009.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 326.9 emails (0.31 percent) in January, a decrease of 0.03 percent since December 2009. In January 13.2 percent of email-borne malware contained links to malicious websites, a decrease of 5.9 percent since December.

Phishing: In January, phishing activity was 1 in 562.3 emails (0.18 percent) a decrease of 0.11 percent since December 2009. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had decreased by 14.3 percent to 65.3 percent of all email-borne threats.

Web security: Analysis of web security activity shows that 41.4 percent of all web-based malware intercepted was new in January, an increase of 0.6 percent since December. MessageLabs Intelligence also identified an average of 1,760 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 56.2 percent since December.

Geographical Trends:

Spam levels in Denmark fell by 0.6 percent in January, but Denmark remained the most spammed country with levels of 94.8 percent of all email.

In the US, spam decreased to 91.6 percent and to 89.7 percent in Canada. Spam levels fell to 90.0 percent in the UK.

In the Netherlands, spam levels reached 92.4 percent, while spam levels in Australia reached 90.6 percent.

Spam levels in Hong Kong reached 92.1 percent and spam levels in Japan were at 88.2 percent.

Virus activity in China rose by 0.13 percent to 1 in 121.4 emails, placing it at the top of the table for January.

Virus levels for the US were 1 in 440.3 and 1 in 383.1 for Canada. In Germany, virus levels were 1 in 271.6, 1 in 496.4 for the Netherlands, 1 in 644.1 for Australia, 1 in 331.9 for Hong Kong and 1 in 396.5 for Japan.

The UK was the most active country for phishing attacks with 1 in 253.6 emails.

Vertical Trends:

In January, the most spammed industry sector with a spam rate of 95.1 percent was the Engineering sector.

Spam levels for the Education sector were 92.1 percent, 91.0 percent for the Chemical & Pharmaceutical sector, 91.5 percent for IT Services, 92.3 percent for Retail, 89.3 percent for Public Sector and 90.1 percent for Finance.

Virus activity in the Public sector fell by 0.33 percent but moved to the top of the table with 1 in 109.7 emails being infected in January.

Virus levels for the Chemical & Pharmaceutical sector were 1 in 230.9, 1 in 353.4 for the IT Services sector, 1 in 607.2 for Retail, 1 in 187.7 for Education and 1 in 391.5 for Finance.

I highly recommend that you don’t stop with just the highlights of this report, but instead, read the full report. The January 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available here.


MessageLabs Intelligence 2009 Security Report – The Need to Read

Now I grant you, I wasn’t around during the days of the Wild West. But I’ve read enough factual western history (no, not the movies), to have a reasonable understanding that at various times, and in various places, it was a land of lawlessness and high danger.

It seems to me, that the Internet is increasingly like the Wild West – a lawless wasteland that can be a difficult, and dangerous place, for the uninformed.

Sure, the strong, fast with a six shooter, secure tough hombres (read – informed), survived; but the weak, the insecure, and the unarmed, (read – uninformed), often got their butts kicked.

While it’s true that securing your computer with adequate software protection (sort of like a six shooter), offers an important form of protection against the bad guys, what you know (being aware of current conditions and dangers), and where you go (being aware of the hidden traps on the Internet), are even more important.

Times have changed; cybercriminals are increasingly more knowledgeable, quicker to respond to opportunities, and more relentless than ever in their attempts to separate surfers from their money.

Even technically astute users are finding, staying safe on the Internet is more difficult than it has ever been. In the last few months, some of my favorite tech writers have come clean, and admitted having had to deal with malware infections on their personal machines.

Since we know that running security applications alone will not ensure your safety on the Internet, education and awareness have taken on a new urgency. MessageLabs Intelligence, part of Symantec Hosted Services, has just released its 2009 Security Report, which will help you understand both the state of the current Internet environment, and what we can expect in 2010.

Key highlights from the report include:

Web Security: For 2009, the average number of new malicious websites blocked each day rose to 2,465 compared to 2,290 for 2008, an increase of 7.6 percent. MessageLabs Intelligence blocked malicious web threats on 30,000 distinct domains. 80 percent of those domains were established legitimate, compromised websites, the remaining 20 percent were new domains set up purely with malicious intent.

Spam: In 2009 the annual average spam rate was 87.7 percent, an increase of 6.5 percent on the 2008 statistic of 81.2 percent. April saw a spike in image spam, accounting for 56.4 percent of all spam on 5 April, compared with annual average of 28.2 percent.

Links are a Spammer’s Best Friend: 90.6% of spam this year contained a hyperlink, driven predominantly by an upsurge in the 2nd half of the year of using shortened URLs. Short URLs disguise the true destination and make it harder for traditional anti-spam filters to identify the messages as spam. URL-shortening was frequently used on social networking and micro-blogging sites and is popular among online criminals because of the inherent trust relationships that exist between users of these sites.

Phishing: The number of phishing attacks was 1 in 325.2 (0.31 percent) emails compared to 1 in 244.9 (0.41) in 2008. More than 161 billion phishing attacks were in circulation in 2009.

Cutwail is 2009’s Heavyweight Botnet – Botnets are responsible for approximately 89.5 billion unsolicited messages each day. In 2009, Cutwail dominated the spam and malware charge, issuing 29% of all spam (8,500 billion spam messages) and facilitating the spread of one of the biggest 2009 threats: the Bredolab Trojan. At its peak, approximately 3.6 billion Bredolab malware emails were in circulation.

Viruses: The average virus level for 2009 was 1 in 286.4 emails (0.35 percent) reflecting a 0.35 percent decrease on 2008 where levels averaged at 1 in 143.8 emails (0.70 percent). The decline can be attributed to the transition to developing more variants (23 percent increase in 2009 compared with 2008) but fewer malicious emails per strain (approximately 5,827 malicious emails per strain in 2009 compared to 10,436 emails per strain in 2008).

Conficker/Downadup is Still Out There – The most anticipated threat of 2009, this worm allows its creators to remotely install software on infected machines and it was upgraded in April to better evade detection. Conficker is of particular concern as it has not yet been identified how the infected machines will be used.

The CAPTCHA Breach – CAPTCHA-breaking tools allow cyber criminals to create large numbers of real accounts for webmail, IM and social networking websites. This has led to an emergence of businesses offering what is essentially a CAPTCHA-breaking job – real people who specialize in creating accounts on major webmail services. Advertised as a data processing job, each worker receives around $2-3 per 1,000 accounts created; accounts are then sold on to spammers for around $30 to $40.

I highly recommend however, that you don’t stop with just the highlights of this report, but instead, read the full report hosted by MessageLabs Intelligence. Alternatively, you can listen to a Podcast of the report.
