Bangkok--19 Sep--Oasis Media
Symantec Corp. (Nasdaq: SYMC) announced the findings of its August 2012 Symantec Intelligence Report, which provides the latest analysis of cyber security threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.
Report highlights
- Spam — 72.3 percent (an increase of 4.7 percentage points since July)
- Phishing — One in 312.9 emails identified as phishing (an increase of 0.109 percentage points since July)
- Malware — One in 233.1 emails contained malware (a decrease of 0.14 percentage points since July)
- Malicious Web sites — 1 website blocked per day (a decrease of 49.8 percent since July)
- The state of data breaches to date in 2012
- A look at a malicious email scam that pretends to come from Symantec
Data Breaches in 2012
Data breaches are a serious issue for an organization. The exposure of customer data can lead to a loss of confidence in the organization by its users. Even worse, the organization could find itself in violation of data privacy laws or on the receiving end of a lawsuit brought by its users.
The number of breaches during the same two periods - January through August of 2011 and 2012 - is fairly consistent. It was 16.5 in our 2011 data set, while in 2012 this number dropped to 14. The average number of identities stolen is down during the same period. In the last eight months of 2011 the average number of identities stolen was 1,311,629 per data breach. So far in 2012, this number is down to 640,169 identities per breach—that’s a drop of more than half.
A few high-volume breaches in the 2011 data brought the average up overall. With this in mind, another way to look at this information would be by the median number of identities per breach. The median of identities stolen in 2012 is 6,800 per breach. That’s 41% higher than the previous eight months, at 4,000 per breach. Looking at the numbers this way, it appears that the number of identities stolen in each breach is up.
Fake virus notification using Symantec logo
We recently saw some malicious fake antivirus software. Such software often goes by generic names like “Windows Defender” or similar, but this particular software claims to be a Symantec product. An email claims that not only is the recipient infected—all users on the same network are as well. The email uses out-of-date Symantec branding, and links to a malicious application called RemovalTool.exe. Symantec does not produce a tool like this, nor does it email users in this way.
While the email may give the impression of being fake antivirus software, once installed the threat does not claim that the computer is infected. There are no visual indications that anything has been installed, though this might meet user expectations as the installer claims to be a simple removal tool, rather than a complete antivirus product. The malware downloads an information-stealing Trojan, which is detected as Infostealer.
Global Trends & Content Analysis
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second. This network monitors attack activity in more than 200 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, and other third-party data sources.
In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products.
Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.
These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.
Spam Analysis
In August, the global ratio of spam in email traffic rose by 4.7 percentage points since July, to 72.3 percent (1 in 1.38 emails). The most common category of spam in August was the Sex/Dating category, with 42.51 percent. The proportion of spam exploiting URLs in the .com top-level domain increased in August, as highlighted in the table below. The .info top-level domain also made the list this month, pushing .br out of the top four.
Phishing Analysis
In August, the global phishing rate increased by 0.109 percentage points, taking the global average rate to one in 312.9 emails (0.32 percent) that comprised some form of phishing attack.
Analysis of Phishing Web sites
Overall phishing increased by about 9.44 percent this month. Unique domains increased by about 38 percent as compared to the previous month. Phishing websites that used automated toolkits decreased by 7 percent.
Phishing websites with IP domains (e.g., domains like http://255.255.255.255) increased by about 24 percent. Web hosting services comprised 3 percent of all phishing, a decrease of 13 percent from the previous month. The number of non-English phishing sites decreased by 51 percent. Among non-English phishing sites, Portuguese, French, Italian, and Chinese were highest in August.
Malware Analysis
Email-borne Threats
The global ratio of email-borne viruses in email traffic was one in 233.1 emails (0.4 percent) in August, a decrease of 0.14 percentage points since July.
In August, 19.6 percent of email-borne malware contained links to malicious websites, 6.9 percentage points lower than July.
Frequently Blocked Email-borne Malware
The table below shows the most frequently blocked email-borne malware for August, many of which relate to generic variants of malicious attachments and malicious hyperlinks distributed in emails. Approximately 37.6 percent of all email-borne malware was identified and blocked using generic detection.
Malware identified generically as aggressive strains of polymorphic malware accounted for 18.2 percent of all email-borne malware blocked in August.
Endpoint Security Threats
The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.
Approximately 43.9 percent of the most frequently blocked malware last month was identified and blocked using generic detection. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked.
By deploying techniques, such as heuristic analysis and generic detection, it’s possible to correctly identify and block several variants of the same malware families, as well as identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically.
About Symantec Intelligence Report
The Symantec Intelligence report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2012.
About Symantec
Symantec protects the world’s information, and is the global leader in security, backup and availability solutions. Our innovative products and services protect people and information in any environment — from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our industry-leading expertise in protecting data, identities and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at: go.symantec.com/socialmedia.