Rp Quarterly Threat q2 2013


  • 7/27/2019 Rp Quarterly Threat q2 2013


    Report

    By McAfee Labs

    McAfee Threats Report: Second Quarter 2013


    Table of Contents

    Introduction
    Operation Troy
    Mobile Threats
    Banking malware
    Adults only
    Targeted Trojans
    Mobile spyware
    General Malware Threats
    Ransomware
    Database Threats
    Network Threats
    Web Threats
    Phishing
    Spam URLs
    Messaging Threats
    Spam volume
    Drugs, DSN, and snowshoes
    Botnet breakdowns
    New botnet senders
    Messaging botnet prevalence
    Cybercrime
    Malware, vulnerabilities, and hacking
    The Bitcoin saga
    Actions against cybercriminals
    Hacktivism
    Cyberarmies
    About the Authors
    About McAfee Labs


    Introduction

    McAfee Labs researchers have analyzed the threats of the second quarter of 2013. Several trends are familiar: steady growth in mobile and overall malware. A cyberespionage attack against South Korea and a further increase in worldwide spam are further attention grabbers.

    The Dark Seoul attack against banks and media companies in South Korea inspired McAfee Labs to investigate beyond the basics of computers disabled by having their master boot records deleted. Behind the scenes we found an ongoing attempt to infiltrate South Korean military targets in a cyberespionage campaign that began in 2009. Our extensive report, published in July, explains the history and the coding details behind the damage and attempted surveillance.

    Backdoor Trojans and banking malware were the most popular mobile threats this quarter. We counted more than 17,000 new Android samples during this period. The year is certain to establish another record. New malware of all types exceeded 18 million this quarter, pushing our all-time tally to more than 147 million binaries. AutoRun threats, often spread via USB drives, remain at record levels, as do password-stealing programs. Signed malware, which poses as approved legitimate software, continues to set records, increasing by 50 percent this quarter. Malware that attacks a system's master boot record declined from last quarter's record high, but remains very dangerous.

    Ransomware, which holds a computer hostage until the victim pays to free it, is a bad problem getting worse. The number of new samples more than doubled compared with last quarter. Not only do criminals make relatively safe money from this scheme, they often do not remove their malware, leaving the poor victim's system as dead as before.

    Publicly reported data breaches have averaged a relatively flat line for the past three quarters. Outsiders steal data more often than insiders, but this is one threat area in which our data comes from victims, who may not feel like exposing all of their weaknesses. MySQL still leads enterprise databases in the number of reported vulnerabilities.

    From the McAfee Global Threat Intelligence network we see that browser-based threats, such as hidden iframes and malicious Java code, comprise almost three-fourths of the Internet's malicious activity. IP addresses in the United States are again both the source and the target of most network threats.

    Our analysis of web threats found that the number of new suspicious URLs, mostly in the United States, increased by 16 percent this quarter. Phishing attacks aimed primarily at targets in the United States. The leading industries suffering phishing attacks are financial and online-auction organizations. Spam levels are bouncing back: This quarter volume reached 2 trillion messages in April, the highest figure we've seen since 2010. We continue to report on the variety of spam subjects and botnet prevalence in selected countries around the world.

    Our timeline of significant hacks shows the major criminal activity that took place this quarter. Online currency Bitcoin was in the news. One Bitcoin provider suffered DDoS attacks that interrupted service and led to wild swings in value. Law enforcement officials around the world enjoyed some successes this quarter, with arrests halting gangs responsible for stealing hundreds of millions to billions of dollars.

    Activist hackers demonstrated, defaced, and inspired counterattacks from their opponents. The group Anonymous was involved in some efforts and likely had its name borrowed to support some others. The Middle East was again a busy region for political expression.


    Operation Troy

    When reports of the March 20 Dark Seoul attack on South Korean financial services and media firms emerged, most of the focus was on the wiping of the master boot record of thousands of computers. PCs infected by the attack had all of the data on their hard drives erased. Since that time, however, McAfee Labs has discovered that the Dark Seoul attack included a broad range of technology and tactics beyond cybervandalism.

    The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development project that has been named Operation Troy. (The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware.) The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.

    Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It's rare that a researcher can trace a product back to individual developers (unless they're unusually careless). But frequently these artifacts can be used to determine the original source and development legacy of a new product. Sometimes the developers insert such fingerprints on purpose to establish ownership of a new threat. McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best mitigate an attack or predict how the threat might evolve in the future. McAfee Labs research learned that the Dark Seoul attack was preceded by years of attempted cyberespionage:

    [Figure: timeline from 2009 to March 20, 2013, covering the Operation Troy domestic spying period and Dark Seoul. Events: US/South Korean military attacks, DDoS attacks, 10 Days of Rain, media/broadcast attacks, financial industry attacks. Malware: Chang, EagleXP, NSTAR, HTTP Troy, Mail Attack, Http Dr0pper, Tong, Concealment Troy, MBR Wiper, 3Rat Client, TDrop. Legend: suspected link, solid link, highly probable link.]

    Our investigation into the cyberattacks in March revealed ongoing covert intelligence-gathering operations. McAfee Labs concludes that the attacks on March 20 were not an isolated event strictly tied to the destruction of systems, but the latest in a series of attempts to infiltrate targets since 2009. For details, read the McAfee Labs report "Dissecting Operation Troy: Cyberespionage in South Korea." [1]
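    The compile path strings mentioned in this section can be pulled out of binaries and compared across samples. The following is an added example, not McAfee Labs tooling and not taken from the report: it reads CodeView "RSDS" debug records (the standard place a Windows build leaves its PDB path) and groups samples that share a build directory name. The function names, sample names, and paths are all constructed for illustration.

```python
import re
import struct
import uuid
from collections import defaultdict

RSDS = b"RSDS"  # signature of a CodeView PDB 7.0 debug record
# Directory names every build tree has; sharing one of these links nothing.
GENERIC_DIRS = {"release", "debug", "bin", "obj", "x86", "x64", "src"}


def extract_pdb_records(blob):
    """Return [(guid, age, pdb_path)] for each RSDS record found in blob.

    Layout: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated PDB path.
    """
    records = []
    pos = blob.find(RSDS)
    while pos != -1:
        path_start = pos + 4 + 16 + 4
        end = blob.find(b"\x00", path_start)
        if path_start < end <= path_start + 260:
            raw = blob[path_start:end]
            # Reject false hits: need a .pdb suffix and no control bytes.
            if raw.lower().endswith(b".pdb") and min(raw) >= 0x20:
                guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
                (age,) = struct.unpack_from("<I", blob, pos + 20)
                records.append((str(guid), age, raw.decode("utf-8", "replace")))
        pos = blob.find(RSDS, pos + 1)
    return records


def directory_tokens(pdb_path):
    """Lower-cased directory names of a build path, minus drive and file name."""
    parts = re.split(r"[\\/]", pdb_path)[:-1]
    tokens = {p.lower() for p in parts if p and not p.endswith(":")}
    return tokens - GENERIC_DIRS


def link_samples(samples):
    """Map each directory token to the samples sharing it (two or more)."""
    seen = defaultdict(set)
    for name, blob in samples.items():
        for _guid, _age, path in extract_pdb_records(blob):
            for token in directory_tokens(path):
                seen[token].add(name)
    return {tok: sorted(names) for tok, names in seen.items() if len(names) > 1}


def make_sample(pdb_path, age=1):
    """Build a constructed byte blob that embeds one RSDS record."""
    guid = uuid.uuid5(uuid.NAMESPACE_URL, pdb_path).bytes_le
    record = RSDS + guid + struct.pack("<I", age) + pdb_path.encode() + b"\x00"
    return b"MZ" + b"\x00" * 62 + record + b"\xcc" * 16


# Constructed samples and paths, invented for this example (not real IoCs).
SAMPLES = {
    "sample_a.bin": make_sample(r"D:\constructed\Troy\dropper\Release\a.pdb"),
    "sample_b.bin": make_sample(r"E:\work\troy\wiper\Release\b.pdb", age=3),
    "sample_c.bin": make_sample(r"C:\other\project\Release\c.pdb"),
    "sample_d.bin": b"MZ" + RSDS + b"\x01" * 30,  # bare signature, no path
}

if __name__ == "__main__":
    for token, names in link_samples(SAMPLES).items():
        print(f"shared build directory {token!r}: {', '.join(names)}")
```

    A shared directory name is a lead for an analyst, not proof of common authorship: build paths can be planted on purpose, as the section notes.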


    Mobile Threats

    This quarter backdoor Trojans, which steal data without the victim's knowledge, and malware that goes after banking login information have made up the largest portion of all new mobile malware families. Spyware has also been active, and malware authors continue to target activists. Halfway through 2013 we have already collected almost as many mobile malware samples as in all of 2012. Will the count double by the end of the year? That much and more, we expect. This quarter we added more than 17,000 Android samples to our database.

    [Figure: New Mobile Malware, by year, 2004 to 2013; vertical axis 0 to 40,000.]

    [Figure: Total Mobile Malware by Platform; categories: Android, Symbian, Java ME, Others.]

    [Figure: New Android Malware, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 20,000.]

    Banking malware

    Banks in Europe and Asia require two-factor authentications via SMS messages. When customers log into their banks, they are sent a mobile transaction authentication number (mTAN) in a text message. Then they must enter the mTAN code to get access to their accounts. This step prevents an attacker who steals only username and password from reaching a victim's money.

    Attackers seeking to bypass two-factor authentication need to get that text message sent by the banks. Once the attacker has stolen a username and password from a victim's PC, the thief needs only to get the user to install SMS-forwarding malware.

    A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, take the standard SMS forwarder malware a step further. Normally we advise users to employ only the official app provided by their banks for any online banking. Android/FakeBankDropper.A counters that defense by replacing the bank's official app with Android/FakeBank.A. While the victims think they have the original app installed, the attacker logs into the users' accounts to get the latest SMS from the bank.

    A short list of similar SMS forwarders:

    • Android/Nopoc.A: Forwards incoming SMS messages to the attacker's server.

    • Android/Pincer.A: Pretends to install a certificate on the user's device. Forwards SMS messages to the attacker's server.

    • Android/Stels.A: Pretends to be an update to the Adobe Flash player. Collects sensitive user information and posts it to the attacker's server.

    • Android/Wahom.A: Pretends to be a legitimate app, but displays an error message to the user. The malware hides its icon to fool the user into thinking it was uninstalled. Collects sensitive user information and forwards SMS to the attacker's server.


    Adults only

    Adult-entertainment software offers helpful camouflage for attackers. They can gain large profits and they're less likely to attract attention from law enforcement. Attackers' interest in adult-entertainment apps has risen this quarter.

    In Japan a large family of potentially unwanted programs (PUPs), Android/DeaiFraud, pretends to be an app for a popular adult-dating site. Although this malware doesn't directly harm users, it can lead them to receive spam from the attacker. It's also likely that users will be fooled into signing up for the adult-dating site due to the attacker's partners posing as real singles on the service.

    Apart from PUPs, we also saw Android/NMPHost.A, a malware that convinces users to download a second malware, Android/NMP.A, which steals user information. Both malware pretend to be adult-entertainment apps. Once installed, Android/NMP.A collects sensitive user information and sends it to the attacker's server.

    Targeted Trojans

    Attackers find legitimate apps very useful as cover for their malicious code. They benefit from the popularity of the app as well as from how much users trust the app. In the case of Android/Kaospy.A, attackers are using modified versions of the Kakao talk app and targeting Tibetan activists. This malware is distributed using phishing emails. The malicious spyware collects a large amount of sensitive user information (contacts, call logs, SMS messages, installed applications, and location) and uploads the data to the attacker's server.

    Trojanized apps that aren't so narrowly targeted include Android/BadNews.A. This backdoor Trojan pretends to be a legitimate game app that includes ads. Instead it collects sensitive user information and sends it to the attacker. It's also capable of displaying fake news headlines.

    Mobile spyware

    Commercial spyware has seen a small increase from the previous quarter. Android/Fzw.A downloads a spyware app from the attacker's website. Like other hidden Trojans, it pretends to be a legitimate font installer app. The downloaded spyware forwards SMS messages, call logs, and location information to the attacker's server.

    Android/Roidsec.A is spyware that pretends to be software for syncing the user's phone. It really does sync the user's sensitive information and SMS messages, only to the attacker's server. The malware collects location, call logs, and data about the phone hardware and can record calls, too.

    General Malware Threats

    Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we now have more than 147 million samples in our malware zoo.

    [Figure: Total Malware Samples in the McAfee Labs Database, by month, July 2012 to June 2013; vertical axis 0 to 160,000,000.]

    [Figure: New Malware, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 20,000,000.]

    Rootkits, or stealth malware, are designed to evade detection and reside on a system for prolonged periods. Growth in new rootkit samples has been on a downward trend since the middle of 2011. All three of the rootkit types we track in this report matched this trend.

    [Figure: New Rootkit Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 180,000.]

    [Figure: New Koutodoor Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 200,000.]

    [Figure: New TDSS Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 200,000.]

    [Figure: New ZeroAccess Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 160,000.]

    AutoRun malware, which often hides on USB drives and can allow an attacker to take control of a system, doubled at the start of the year and increased slightly again this quarter. The number of fake AV products, which scare victims into believing their systems are infected, rose during 2012 to a record level but has declined during the last two quarters. Koobface, which plagues Facebook users, peaked in 2009-10 and has remained at low levels since early 2012. Password-stealing Trojans, which attempt to raid victims' bank accounts, established a record high last quarter; this quarter's figure was almost as large.

    [Figure: New AutoRun Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 900,000.]

    [Figure: New Fake AV Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 1,000,000.]

    [Figure: New Koobface Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 2,500.]

    [Figure: New Password Stealers Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 1,600,000.]

    Signed malware rebounded sharply from its decline in the first quarter and again set a new record, with more than 1.2 million new samples discovered this quarter.

    [Figure: Total Malicious Signed Binaries, by month, July 1, 2012 to June 1, 2013; vertical axis 0 to 4,500,000.]

    [Figure: New Malicious Signed Binaries, by quarter, Q3 2011 to Q2 2013; vertical axis 0 to 1,400,000.]

    New malware that attacks the Mac more than tripled, after declining for three quarters. In spite of the small numbers compared with PC threats, Mac users also need protection.

    [Figure: New Mac Malware, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 700.]

    One strain of malware targets a computer's master boot record (MBR), an area that performs key startup operations. Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration. These attacks, including mebroot, Tidserv, Cidox, and Shamoon, have rapidly increased their numbers. This quarter saw a drop from last period's record level, but it's still the second-highest figure we have recorded.

    [Figure: New Master Boot Record-Related Threats, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 800,000. Series: Variants of Families with Known MBR Payloads, Identified MBR Components.]

    Ransomware

    Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen. The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter. During the past two quarters we have catalogued more ransomware than in all previous periods combined. This trend is also reflected by warnings from law enforcement and federal agencies around the globe.

    One reason for ransomware's growth is that it is a very efficient means for criminals to earn money because they use various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for example, which must process credit card orders for the fake software. Another reason is that an underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem of ransomware will not disappear anytime soon.

    [Figure: New Ransomware Samples, by quarter, Q1 2011 to Q2 2013; vertical axis 0 to 350,000.]

    Database Threats

    When we reported on the numbers of database breaches made public in our Threats Report for the fourth quarter of 2012, we saw a slowdown in break-ins, with just 47 during the quarter. At that time we couldn't be sure whether we were observing a trend or an anomaly. Six months later, we can now see some stabilization in this area. This year started at the same relatively low rate as 2012 ended, with 119 data breaches in the first six months of 2013. That's a little more than one-third of the 315 breaches during the record-setting 2012. Are we in the middle of a long-term trend or is this just the calm before the storm?

    [Figure: Data Breaches Made Public, by year, 2007 to 2013; vertical axis 0 to 350. Source: privacyrights.org]

    The rate of data breaches caused by outside hackers (criminal or otherwise) dropped considerably in 2012, and has held relatively steady for the last four quarters. The lower rate of theft by company insiders has also been relatively steady, though without a dramatic decline. The drop in outsider breaches might point to companies and organizations investing more heavily in perimeter protections than in database security. However, we have seen database security get much more attention from medium-sized and big businesses than just one or two years ago.

    [Figure: Sources of Data Breaches, by quarter, Q1 2012 to Q2 2013; vertical axis 0 to 90. Series: Insiders, Hackers. Source: privacyrights.org]

    As we can see from the preceding graph, hackers still cause a greater number of breaches than insiders. But we have to remember that data-breach statistics are rarely objective due to their nature. Hackers publish stolen data more frequently than a company will confess that it was compromised.


    Database vulnerabilities, reported by the developers or others, continue to be dominated by MySQL, with almost 60 percent of all vulnerabilities discovered during the past six quarters.

    [Figure: New Vulnerabilities in Leading Databases, by quarter, Q1 2012 to Q2 2013; vertical axis 0 to 45. Series: SQL Server, Sybase, PostgreSQL, DB2, Oracle, MySQL.]

    Network Threats

    As usual, the United States is both the source and the target of much of the Internet's malicious activity, according to the McAfee Global Threat Intelligence network. Browser-based threats have increased to 73 percent of all attacks, compared with 44 percent last quarter. The following detection signatures show which types of attacks McAfee products most frequently blocked:

    • HTTP: Microsoft JPEG Processing Buffer Overrun

    • HTTP: Multiple Browser Window Injection Vulnerability

    • RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow

    • HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution

    [Figure: Top Network Attacks; categories: Browser, Remote Procedure Call, SQL Injection, Cross-Site Scripting, Others.]

    As the host of SQL-injection attacks, which poison legitimate websites, the United States' piece of the pie shrunk slightly this quarter, to 32 percent from 35 percent last quarter. Venezuela regained second place, hosting 11 percent. By far most victims of these attacks (60 percent, up from 55 percent last period) are in the United States.

    [Figure: Top SQL-Injection Attackers; countries: United States, Venezuela, Spain, Taiwan, China, Germany, South Korea, Others.]

    [Figure: Top SQL-Injection Victims; countries: United States, Taiwan, China, Russia, Spain, Others.]

    In our botnets tracking, the United States again claims first place. The percentage of control servers hosted dropped 3 points to 37 percent. The decrease was larger among botnet victims, falling to 34 percent from 43 percent in the first quarter.

    [Figure: Top Botnet Control Servers; countries: United States, Germany, China, Turkey, Russia, United Kingdom, South Korea, Others.]

    [Figure: Top Botnet Victims; countries: United States, Turkey, Taiwan, Brazil, Canada, Spain, India, Others.]

    The United States represents the lion's share of hosts of PDF-based attacks, climbing to 53 percent this quarter, compared with 35 percent in the last period. Taiwan, with 8 percent, took second place. China fell to just 2 percent this quarter from 11 percent last time.

    [Figure: Top Malicious PDF Attackers; countries: United States, Taiwan, Spain, United Kingdom, Germany, Canada, Others.]

    Web Threats

    Websites can gain bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. These are just a few of the factors that contribute to our rating of a site's reputation.

    At June's end, the total number of suspect URLs tallied by McAfee Labs overtook 74.7 million, which represents a 16 percent increase over the first quarter. These URLs refer to 29 million domain names, up 5 percent from the previous period.

    [Figure: Risk Level of Suspect URLs; categories: Minimal, Unverified, Medium, High.]

    [Figure: Risk Level of Suspect Domains; categories: Minimal, Unverified, Medium, High.]

    This quarter, we recorded per month an average of 3.5 million new suspect URLs related to about 430,000 domains.

    [Figure: New Suspect URLs, by quarter, Q2 2012 to Q2 2013; vertical axis 0 to 16,000,000. Series: URLs, Associated Domains.]

    Most of these suspicious URLs (96 percent) host malware, exploits, or codes that have been designed specifically to compromise computers. Phishing and spam represent 2.1 percent and 0.3 percent, respectively.

    [Figure: Distribution of New Suspect URLs; categories: New Malware URLs, New Phishing URLs, New Spam Email URLs, Others.]

    Distribution at the domains level gives us a different outlook, with 12 percent phishing domains and 2 percent spam domains.

    [Figure: Distribution of New Suspect Domains; categories: New Malware Domains, New Phishing Domains, New Spam Email Domains, Others.]

    The domains associated with newly suspect URLs are mainly located in North America (chiefly the United States) and Europe-Middle East (chiefly Germany). This trend is not new; North America historically hosts quite a bit of malware and suspect content. However, its influence has dropped to 52 percent, compared with 74 percent last quarter.

    [Figure: Location of Servers Hosting Suspect Content; regions: North America, Africa, Asia-Pacific, Australia, Europe-Middle East, Latin America.]

    Digging into the location of servers hosting malicious content in other countries we see quite a global diversity. Each region has one or two clearly dominant players.

    [Figure: Location of Servers Hosting Malicious Content, one panel per region.
    Asia-Pacific: China, South Korea, Japan, Hong Kong, Thailand, Others.
    Africa: South Africa, Kenya, Morocco, Egypt, Tunisia, Others.
    Latin America: Brazil, Bahamas, British Virgin Islands, Argentina, Chile, Others.
    Australia-South Pacific: Australia, New Zealand.
    Europe and Middle East: Germany, Netherlands, Russia, United Kingdom, Poland, Others.
    North America: United States, Canada.]

    Phishing

    After peaking during the fourth quarter of 2012, the number of new phishing URLs dropped sharply last quarter. This period saw a modest decrease.

    [Figure: New Phishing URLs, by quarter, Q2 2012 to Q2 2013; vertical axis 0 to 450,000. Series: URLs, Associated Domains.]

    Most of these URLs are hosted in the United States.

    [Figure: Top Countries Hosting Phishing URLs; countries: United States, Germany, United Kingdom, Canada, Netherlands, Others.]

    Companies from the United States are the most frequently targeted, suffering 67 percent of all attacks. They are followed by United Kingdom and Australia, with 6 percent and 3 percent, respectively. Phishers go after several key industries. The top 5 are finance (with 42 percent of attacks), online auctions (32 percent), government, shopping, and services.

    [Figure: Phishing Targets by Industry; categories: Finance, Online Auctions, Shopping, Government, Services, Others.]

    Companies in the United States are the most heavily targeted, followed by the United Kingdom and Australia.

    United States United Kingdom Australia Canada India

    Amazon

    American Express

    Deloitte

    eBay

    JPMorgan Chase

    PayPal

    Wells Fargo

    Barclays

    HM Revenue & Customs

    HSBC

    Lloyds TSB

    Natwest

    Santander

    ANZ (Australia and New

    Zealand Banking Group)

    Westpac Bank

    Capital One

    Royal Bank o Canada

    TD Bank Group

    HDFC Bank

    ICICI Bank

    Spam URLs

    Spam URLs are links that arrive in unsolicited emails. Also included in this family are sites built only for spamming purposes, such as spam blogs or comment spam.

    [Figure: New Spam URLs, by quarter, Q2 2012 to Q2 2013. Series: URLs; Associated Domains.]

    The primary country hosting these URLs is the United States (with 39 percent of the total). Germany (9 percent) and Russia (6 percent) follow.

    [Figure: Countries Hosting Spam URLs. Legend: United States, Germany, Russia, China, Antarctica, Netherlands, South Korea, Others.]

    Messaging Threats

    In April, spam volume surpassed 2 trillion messages, the highest figure since December 2010. A slight decline in May and June still left the count higher than any time since May 2011.

    [Figure: Global Email Volume, in Trillions of Messages, monthly, JUL 2012 to JUN 2013. Series: Monthly Spam; Legitimate Email.]

    Spam volume

    Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are the most dramatic examples; each had an increase of greater than 200 percent this period. Japan grew by 142 percent. Meanwhile, Pakistan (down 59 percent) and Romania (down 56 percent) enjoyed large declines. France fell by 25 percent, and the United States decreased by 16 percent.

    [Figure: Spam Volume, monthly, JUL 2012 to JUN 2013. Panels: Brazil, Argentina, Australia, Belarus.]

    [Figure: Spam Volume, monthly, JUL 2012 to JUN 2013. Panels: India, France, Germany, Chile, China, Italy, Japan, Kazakhstan.]

    [Figure: Spam Volume, monthly, JUL 2012 to JUN 2013. Panels: Russia, Peru, Romania, Spain, South Korea, Ukraine, United Kingdom, United States.]

    Drugs, DSN, and snowshoes

    As we look at spam subjects around the world, we see that the popularity of drugs just won't go away. Drug offers in our selected countries range from a low of 17 percent to more than 50 percent of leading spam subject lines. In Australia, France, and the United States, delivery service notification (DSN) teasers remain popular. In many countries snowshoe spam appeared on at least one-quarter of the leading subjects. Snowshoe spam spreads the load across many IP addresses to avoid rapid eviction by ISPs. Lots of spam this quarter contained subject lines related to the Boston Marathon bombings. Most of these messages contained links to malware. We were surprised to see relatively little spam for replica products, such as watches and other junk. This has long been a popular subject. We're sure it hasn't gone away but it did lose significant volume.

    [Figure: Spam Types. Panels: Argentina, Australia, Brazil, Colombia, France, Germany, India, Italy, Spain, Turkey, United Kingdom, United States. Legend: Drugs, DSN, Jobs, Marketing, News, Phishing, Scams, Snowshoe, Travel, Webinars.]
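    The snowshoe behavior described above (many sending IP addresses, each kept at low volume) is why a per-IP volume rule misses it. The following is an added example, not part of the McAfee report: it groups mail by a normalized subject fingerprint and flags campaigns with a wide, shallow sender footprint. The record format (sender IP, subject), the thresholds, and the sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed thresholds for this illustration; tune against real traffic.
PER_IP_LIMIT = 50        # naive rule: flag an IP that sends more than this
MIN_CAMPAIGN_IPS = 20    # snowshoe rule: at least this many distinct senders
MAX_MSGS_PER_IP = 10     # ...each staying under this volume
MIN_CAMPAIGN_MSGS = 60   # ...with enough total mail to matter


def fingerprint(subject):
    """Collapse per-message variation so one campaign maps to one key."""
    s = subject.lower()
    s = re.sub(r"\d+", "#", s)          # order numbers, prices, tracking ids
    s = re.sub(r"[^a-z# ]+", " ", s)    # punctuation used as padding
    return " ".join(s.split())


def noisy_ips(records):
    """Naive per-IP volume rule: the check snowshoe spam is built to evade."""
    counts = Counter(ip for ip, _ in records)
    return {ip for ip, n in counts.items() if n > PER_IP_LIMIT}


def snowshoe_campaigns(records):
    """Group by subject fingerprint and flag wide, shallow sender footprints."""
    by_campaign = defaultdict(Counter)
    for ip, subject in records:
        by_campaign[fingerprint(subject)][ip] += 1

    flagged = {}
    for key, per_ip in by_campaign.items():
        total = sum(per_ip.values())
        busiest = max(per_ip.values())
        if (len(per_ip) >= MIN_CAMPAIGN_IPS
                and busiest <= MAX_MSGS_PER_IP
                and total >= MIN_CAMPAIGN_MSGS):
            # Summarize the footprint as /24 networks for blocklist review.
            nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
                    for ip in per_ip}
            flagged[key] = {
                "messages": total,
                "sender_ips": len(per_ip),
                "slash24s": sorted(str(n) for n in nets),
                "max_per_ip": busiest,
            }
    return flagged


def sample_records():
    """Constructed sample (documentation address ranges), not real traffic."""
    records = []
    # Snowshoe campaign: 40 senders in two /24s, 3 messages each.
    for i in range(40):
        net = "198.51.100" if i < 20 else "203.0.113"
        ip = f"{net}.{10 + i}"
        for j in range(3):
            records.append((ip, f"Cheap meds!! order {1000 + i * 3 + j}"))
    # One high-volume sender that the naive rule does catch.
    records += [("192.0.2.10", f"Weekly deals issue {n}") for n in range(200)]
    # Ordinary low-volume mail from unrelated senders.
    records += [("192.0.2.50", "Meeting moved to 3pm"),
                ("192.0.2.51", "Invoice 8841 attached"),
                ("192.0.2.52", "Re: lunch?")]
    return records


if __name__ == "__main__":
    recs = sample_records()
    print("per-IP rule flags:", sorted(noisy_ips(recs)))
    for key, info in snowshoe_campaigns(recs).items():
        print("snowshoe campaign:", repr(key), info)
```

    On the constructed sample, the per-IP rule flags only the single bulk sender, while the campaign view surfaces the 40-address run that stays under every per-IP limit.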

    Botnet breakdowns

    Infections from messaging botnets, which supply spam worldwide, have shown an overall decline since May 2012, but this quarter's trend was again upward.

    [Figure: Global Messaging Botnet Infections, monthly, JUL 2012 to JUN 2013.]

    Cutwail remains in first place among botnets, causing more than 6 million new infections during the quarter. Kelihos was a distant second, at 2.3 million. New last quarter, Slenfbot infected 1.6 million systems this period.

    [Figure: Spam Botnet Prevalence. Legend: Cutwail, Kelihos, Slenfbot, Festi, Maazben, Others.]

    [Figure: Leading Global Botnet Infections, monthly, JUL 2012 to JUN 2013. Series: Cutwail, Kelihos, Slenfbot, Festi, Maazben.]

    New botnet senders

    Country-specific botnet statistics show big variances from quarter to quarter and from country to country. In Peru, for example, the number of botnet senders increased by almost 300 percent. Among our selected countries, India rose by 14 percent. Belarus dropped by 66 percent, Russia by 46 percent, and China by 31 percent.

    [Figure: New Botnet Senders, monthly, JUL 2012 to JUN 2013. Panels: Argentina, Australia, Brazil, Canada, Chile, China, Colombia, France.]

    [Figure: New Botnet Senders, monthly, JUL 2012 to JUN 2013. Panels: India, Russia, Italy, Spain, United States, United Kingdom, South Korea, Japan, Turkey, Germany.]

    Messaging botnet prevalence

    Our breakdown of botnets shows how the most widespread botnet families are represented in various countries around the globe. Cutwail and Kelihos are the global leaders. Other notably predominant botnets:

    Darkmailer in Belarus, Kazakhstan, Pakistan, and Indonesia

    Cutwail in Greece, Vietnam, and Iran (greater than 60 percent)

    Slenfbot in Belarus (81 percent)

    Slenfbot in Japan and Ukraine

    Kelihos in Germany, Italy, Argentina, and United Kingdom (greater than 40 percent)

    These variances demonstrate that specific countries can have specific attackers.

    [Figure labels: Botnets; New Botnet Senders. Panels: Australia, Brazil, Chile, China, Colombia, Germany, India, Japan, Russia, South Korea, United Kingdom, United States. Legend: Cutwail, Festi, Kelihos, Maazben, Others, Slenfbot.]

    Cybercrime

    Malware, vulnerabilities, and hacking

    [Figure: timeline, April 2013 to June 2013. Entries: Android.FakeAlert; APR 5 LivingSocial Hack; APR 11 WordPress Hack; APR 17 CVE-2013-2423 (Exploit Packs Updated); APR 19 BadNews (in Google Play Apps); MAY 1 CVE-2013-1347 (Dept. of Labor Hack); MAY 3 Sirefef (Louisiana Board of Regents Hack); Carberp for $5,000; Carberp for Free; JUN 27 Generic PSW.o (Gulf States and Caribbean Phishing Campaign); JUN 30 South Korea Hack.]

    The scareware Android.Fakedefender, announced in June by various security companies, has apparently spread through mobile environments since the end of March. Fakedefender locks up an infected device and displays fake security alerts to convince victims to purchase an app in order to remove nonexistent malware or security risks.

    April 5: LivingSocial, the daily deals site owned in part by Amazon, suffered a massive cyberattack on its computer systems. The breach impacted 50 million customers of the Washington, D.C., company. They will now be required to reset their passwords.2

    April 11: The security firm CloudFlare warned of a brute-force attack against the WordPress administrative portals. A botnet appeared to launch the attack and more than tens of thousands of unique IP addresses were recorded attempting to hack WordPress installations, using the username "admin" and trying thousands of passwords.3

    April 17: The Java exploit CVE-2013-2423 was publicly disclosed.4 Its use was immediately incorporated into various exploit kits such as WhiteHole, Cool, Neutrino, Styx, Sweet Orange, and others.

    April 19: BadNews for millions of users: Malware discovered spreading inside apps in Google Play.5

    May 1: Invincea reported that the US Department of Labor website was compromised to redirect visitors to a site that executed a drive-by download exploit of Internet Explorer to install the Poison Ivy backdoor Trojan. Attributed to the Chinese Deep Panda Group, this type of watering hole attack exploits a previously unknown and, at that time, unpatched security bug in Microsoft's IE 8 browser (CVE-2013-1347).6

    May 3: Another watering hole attack was detected on the Louisiana Board of Regents website.7 It distributed the Sirefef malware.

    Around June 15, the Carberp banking Trojan toolkit was offered at just US$5,000 through an underground forum. The previous price had been US$40,000.8 A few days later, the download was available for free.

    June 27: McAfee's Foundstone Incident Response team obtained a 3MB piece of malware (Generic PWS.o) that was sent out during a phishing campaign. The campaign targeted several companies and institutes in the United Arab Emirates, Oman, Bahrain, and a couple of Caribbean islands.9

    June 30: The Seoul Central District Prosecutors' Office charged two South Koreans with cooperating with North Korean hackers in China to run illegal websites and steal the personal information of millions of individuals. Investigators discovered the personal data of 140 million South Koreans on their computers and believe they could have shared the information with North Korea.10

    The Bitcoin saga

    [Figure: timeline, April 2013 to June 2013. Entries: FEB 28 1BTC = $33; MAR 3 DDoS at BitInstant; APR 3 DDoS at Mt. Gox; APR 10 1BTC = $266; APR 18 DDoS at Blockchain.info; APR 21 DDoS at Mt. Gox Delays Litecoin Support; DDoS at Silk Road; MAY 14 Maryland District Court Rules Against Mt. Gox; MAY 16 WebMoney Offers WMX; MAY 22 Webroot Announces DIY Bitcoin Miner for Sale; JUN 12 BTC Phishing Campaign; JUN 21 1BTC = $110; JUN 23 DEA Announces Seizure of Bitcoins from Silk Road User; JUL 5 1BTC = $74.]

    Bitcoin (BTC) virtual money was in the news last quarter. At the end of February, it broke its June 2011 peak trading value, at more than US$33.11 Some days later, the BitInstant exchange service was forced to shut down after attackers walked away with more than US$12,000 in BTC.12 And that was just a warm-up for what happened this quarter.

    In April, Tokyo-based Mt. Gox, the largest Bitcoin exchange service, suffered various DDoS attacks that disrupted business. The first assault occurred around April 3; at that time the BTC exchange rate exceeded US$140 to 1 BTC.13 On April 10, the value leaped to US$266 before closing at US$125 the next day.14 This keen interest resulted in 20,000 new accounts created each day. The number of new user accounts opened at Mt. Gox went from 60,000 in all of March to 75,000 in just the first few days of April.15

    The sudden activity in this market of course attracted the interest of cybercriminals of all kinds. They engaged in further DDoS actions against Mt. Gox, which had to delay its plan to support Litecoin,16 and new ones against Blockchain.info.17 Silk Road, the notorious underground marketplace using Bitcoin as e-money, was taken down several times by DDoS attacks.18

    Lawmakers also paid attention to Mt. Gox. On May 14 the U.S. District Court in Maryland ordered the seizure of Mt. Gox's funds, which were in an account with Dwolla, a payments company that transferred money from U.S. citizens to Mt. Gox to buy and sell Bitcoins.19

    In May WebMoney began offering purses, called WMX, denominated in Bitcoins. Bitcoins are transferred to an address provided by WebMoney to fund the purse, and Bitcoins can be withdrawn to a Bitcoin address.20 Bitcoins stored in a WMX purse can be transferred to other purses. In this manner WebMoney can exchange Bitcoins for other currencies supported by the service.

    As the Bitcoin rate has increased, malicious Bitcoin miners have shown a growing interest by infecting victims with malware that uses computer resources to mine Bitcoin without their knowledge. While the cybercriminals generate profits, the computers slow down. In May, for example, Webroot posted a blog about a marketplace to customize and buy such malware.21 It has been available for sale since the first days of February.

    On June 13, security researcher Brian Krebs reported a phishing campaign using both Yahoo and Bing search engines and targeting account holders at MtGox.com.22

    On June 23 the US Drug Enforcement Administration (DEA) announced they seized 11.02 BTC from a Silk Road user in April and charged him with intent to distribute drugs. The seized money was transferred into the DEA's BTC wallet.23

    Actions against cybercriminals

    During this quarter, we learned of a number of law enforcement efforts:

    In April, the Russian Federal Security Service (FSB) and the Security Service of Ukraine (SBU) announced they arrested several individuals believed to be involved in the development of the Carberp banking Trojan.24 The leader of the group was a 28-year-old Russian citizen. The rest of the group, some 20 individuals between 25 and 30 years old, were arrested in Kiev, Zaporozhye, Lvov, Odessa, and Kherson.25 The ring was said to be responsible for stealing US$250 million (€193 million) in Ukraine and Russia alone.

    Hamza Bendelladj, a 24-year-old Algerian who was arrested in Thailand in January, was extradited to the United States in April. Also known as Bx1, he was listed in a North District of Georgia indictment as a coconspirator who helped develop SpyEye components. Known in the underground as Gribodemon and Harderman, the real name of his partner, the presumed author of the SpyEye Trojan, was redacted in the indictment because he had not yet been arrested.26

    On May 9, federal prosecutors unsealed charges against eight New York people linked with an international cybertheft ring accused of stealing US$45 million from banks around the globe. The alleged crooks used prepaid MasterCard debit cards that were issued by the National Bank of Ras Al-Khaimah PSC, located in the United Arab Emirates, and the Bank of Muscat, in Oman. The defendants withdrew US$2.8 million from New York banks in two separate attacks this past December and February.27 While the eight were taking the money from the New York banks, additional coconspirators made more than US$42 million in withdrawals at other banks across the world.

    In May, the founder of digital currency system Liberty Reserve was indicted in the United States along with six other people for a US$6 billion money-laundering scheme.28 Arthur Budovsky, a Costa Rican citizen of Ukrainian origin and the founder of the currency system, was arrested in Spain, while others were arrested in Costa Rica and New York. Police in Costa Rica also raided three homes and five businesses linked to Liberty Reserve, according to the Associated Press. The digital currency's site is now offline, with its front page replaced by a notice saying that the domain had been seized by the United States Global Illicit Financial Team.

    Liberty Reserve was incorporated in Costa Rica in 2006 and had at least 200,000 customers in the United States. Suspected of helping cybercriminals in their businesses, it failed to register in the United States as a money-transmitting service. In the same vein, on June 4 the WM Center e-currency exchange was seized by the US government and closed.29

    Accompanied by US Marshals, Microsoft technicians seized servers at two data centers in New Jersey and Pennsylvania on June 5, and with the help of the FBI coordinated with computer emergency response teams and registrars in 87 countries to sinkhole domains used by the 1,452 botnets built with the Citadel malware.30 Some security researchers criticized this operation, saying it disrupted their ongoing security research efforts by siphoning off the malicious data they had been tracking.31 Others claimed the long-term effect of this particular takedown will likely be insignificant.32

    In June, the United Kingdom's Serious Organised Crime Agency announced eleven arrests in a case involving cooperation from the Vietnamese High-Tech Crime Unit, the Criminal Investigative Division of the Ministry of Public Security of Vietnam, the Metropolitan Police Central e-Crime Unit, and the FBI. Eight criminals were arrested in Vietnam and three additional arrests were made in the United Kingdom. All suspects were associated with the mattfeuter family of websites, on which allegedly approximately 16,000 members bought and sold more than 1.1 million credit card data, facilitating more than US$200 million worth of fraud worldwide.33

    In June, US federal officials charged eight members of a Ukrainian cybercrime ring after they allegedly tried to illegally access the networks of a number of financial institutions, including Citibank, JP Morgan Chase, TD Ameritrade, and PayPal, along with the US Department of Defense's Finance and Accounting Services.34 From March 2012 to June 2013, the suspects hacked into these servers, embezzling money from legitimate bank accounts to feed debit cards and cashing out the accounts via ATMs and by making fake purchases as part of what the federal complaint calls the Sharapka Cash Out Organization.

    In France, investigators from OCLCTIC and DCP dismantled a gang of alleged criminals specializing in financial hacking and arrested five people in June. The crooks may have made €9 million via online shopping. In total, they were able to divert the bank data of 27,000 people. The money collected was later used to purchase high-end hardware.35

    Hacktivism

    This quarter's activities clearly demonstrated that hacktivists exist in many camps and support many ideologies.

    [Timeline graphic, April to June 2013: APR 3 #OpNorthKorea Release #2; APR 7 #OpIsraelReloaded; MAY 7 #OpUSA; MAY 16 South African Police Hacked; JUN 4 #OpTurkey; JUN 20 #OpPetrol]

    On April 3, OpNorthKorea Release #2 was announced on Pastebin.[36] It demanded the resignation of North Korean leader Kim Jong-un, the abandonment of nuclear ambitions, and universal and uncensored Internet access to citizens. Several websites serving the regime were blocked (via DDoS) or defaced throughout the month. A statement purporting to come from Anonymous said that they had compromised 15,000 user records hosted on North Korean propaganda site uriminzokkiri.com. However, when one side makes a statement, the other is likely to reply: During the last week of June, government websites in both North and South Korea were targeted by attackers who claimed to operate under the banner of Anonymous. (A so-called official Anonymous channel has denied via tweet having any involvement in the South Korean attacks.) Some researchers suspect the attackers were the North Korean Whois Team, which frequently uses skull bullets as a symbol of their group. (For more on related attacks, see Operation Troy, page 4.)

    After #OpIsrael, which we covered in last quarter's Threats Report, around 30 hacktivist collectives from around the world decided to continue the confrontation.[37] On April 7, they announced #OpIsraelReloaded. The hackers say they've caused massive damage, but Israeli officials have downplayed the incident, saying the attacks have caused hardly any real losses.[38] The hacker Dr FreeDom claims a leak of 30,000 Visa card consumer details.[39]

    These hacks also brought about reprisals. The pro-Israel hacker team Israel Elite Force revealed several names of suspected #OpIsraelReloaded attackers on a dedicated website. Those named are from Jordan, India, and Lebanon. Other Israeli supporters defaced the Anonymous #OpIsrael website.[40]

    Operations against the United States and other Western interests were started under the names #OpUSA (May 7–9) and #OpPetrol (June 20).[41] These operations appeared to take place under the Anonymous banner, but when we looked at the attackers' signatures, we discovered mostly Middle Eastern and North African-based hacker groups acting contrary to the ideals of freedom.

    Many of these movements are associated with AnonGhost, a hacker team fond of using jihad themes. It is clear that Middle Eastern sympathizers of all stripes enjoy conducting their protests under the cover of Anonymous.

    In June, the protest movement in Turkey led Anonymous to launch #OpTurkey, a hack of the website of the Radio and Television Supreme Council (RTUK). Cyberarmies were also active. The Syrian Electronic Army supported President Bashar al-Assad's government by shutting down and defacing various official Turkish websites.[42] Two collectives hacked into the Turkish Prime Ministry's network and accessed email addresses, passwords, and phone numbers belonging to Prime Minister Tayyip Erdogan's staff. (Erdogan has been a vocal critic of Assad's actions in the Syrian civil war.) Another group, the Crescent and Star Team, targeted Turkey's Is Bank, which was said to be among the supporters of the Taksim Gezi Park protests.[43] These events demonstrate the growth of hacktivism and show that attacks launched under the Anonymous banner are only a part of the problem.

    In a high-profile doxing campaign (publicly exposing private information) in South Africa, Anonymous hacked into an anonymous whistleblower website run by the South Africa Police Service and revealed the identities of thousands of its users, possibly jeopardizing their safety.[44]

    The legal side also made news this quarter:

    In April, contradictory reports about hackers arrested in connection with #OpIsrael circulated in Tunisia, Jordan, and Morocco. Whether or not the news was true, these states were threatened for their actions.

    Members of the notorious LulzSec hacking gang have been sent to jail:[45]

    Jake Davis (aka Topiary): 24 months for the ring leader

    Ryan Cleary (aka Viral): 32 months, will serve half that time

    Mustafa Al-Bassam (aka T-Flow): 20 months suspended for two years, and 300 hours of community service

    Ryan Ackroyd (aka Kayla): 30 months, will serve half that time

    In April, the FBI raided the house of an Anonymous hacker suspected of having exposed the Steubenville Rapists. Known as KYAnonymous, the suspect is said to be the leader of KnightSec, the Anonymous offshoot that carried out Operation Roll Red Roll, which targeted Steubenville over the rape by two football players of a 16-year-old girl.[46]

    In May, Italian police arrested four alleged hackers between the ages of 20 and 34. They are accused of monitoring the Italian branch of the Anonymous network.[47] Six more people were placed formally under investigation and a total of 10 premises were raided at the conclusion of the two-year police investigation Tango Down.

    Cyberarmies

    The Syrian Electronic Army and the Izz ad-Din al-Qassam Cyber Fighters are often in the spotlight and attracted attention again this quarter.

    In the last two Threats Reports of 2012, we introduced the Iranian group Izz ad-Din al-Qassam Cyber Fighters after they claimed responsibility for various cyberattacks launched that year on US banks and financial-services companies. Tied to Iran, those actions are now known as Operation Ababil. They continued this quarter, as we see in the following graphic:

    [Timeline graphic, April to May 2013: APR 2 BB&T; APR 3 Bank of America, Regions Bank; APR 4 Wells Fargo, BB&T; APR 9 Chase, Bank of America, Capital One, American Express, BB&T, Wells Fargo; APR 10 Chase, PNC, American Express, Citizens Bank, Regions Bank; APR 11 Key Bank, HSBC; APR 16 Regions Bank, Capital One, Principal; APR 17 Regions Bank; APR 18 Ameriprise Financial, Citizens Bank, M&T Bank; APR 23–24 BB&T; MAY 1 Key Bank, BBVA, Schwab Bank; MAY 2 Union Bank]

    On May 6, the Cyber Fighters announced they had stopped the attacks so as to not interfere with #OpUSA. On June 12, Google said in a blog that it had tracked a significant jump in the overall volume of phishing activity in and around Iran as its election neared.[48] Some researchers have suggested many attackers focused their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates.[49]

    The Syrian Electronic Army supports President Assad. This quarter, they continued their actions against media and

    government targets:

    [Timeline graphic, April to June 2013: APR 16 NPR Media; APR 20 CBS News; APR 22 FIFA World Cup; APR 23 Associated Press; APR 29 The Guardian; MAY 7 The Onion; MAY 17 Financial Times; MAY 20 Saudi Arabian Ministry of Defense; MAY 21 The Telegraph; MAY 25 ITV News London, Haifa Water System; MAY 26 British Sky Broadcasting; JUN 5 Turkish Government Websites]

    April 16: NPR media network hacked; website defaced

    April 20: Four Twitter accounts belonging to CBS News programs compromised

    April 22: Two FIFA World Cup Twitter accounts hacked

    April 23: Hacked AP Twitter feed announced to millions of followers that there had been two explosions in the White House, leaving President Barack Obama injured. The news disrupted the US stock exchange, briefly wiping out US$136.5 billion in gains and leaving AP's Twitter feeds suspended.[50]

    April 29: 11 Guardian accounts breached

    May 7: Satire publication The Onion has Twitter account hacked

    May 17: Financial Times website and Twitter feeds hacked

    May 20: The group claimed to have hacked the Saudi Arabian Ministry of Defense email system and distributed several confidential mail exchanges

    May 21: Twitter and Facebook accesses for The Telegraph hacked

    May 25: Israel declared the SEA tried to enter the computers of the Haifa water system

    May 25: ITV News London hacked

    May 26: Sky Android apps and Twitter account hacked

    June 5: Some Turkish government websites jointly breached by Turkish hackers and the SEA

    About the Authors

    This report was prepared and written by Toralv Dirro, Paula Greve, Haifei Li, François Paget, Vadim Pogulievsky, Craig Schmugar, Jimmy Shah, Ryan Sherstobitoff, Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu of McAfee Labs.

    About McAfee Labs

    McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors (malware, web, email, network, and vulnerabilities), McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/us/threat-center.aspx

    About McAfee

    McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com

    1 http://www.mcafee.com/uk/resources/white-papers/wp-dissecting-operation-troy.pdf
    2 http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
    3 http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
    4 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423
    5 http://blogs.mcafee.com/consumer/badnews-for-good-people
    6 http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
    7 http://news.softpedia.com/news/State-of-Louisiana-Website-Hacked-Spreads-Sirefef-Malware-350944.shtml
    8 http://www.theregister.co.uk/2013/06/18/carberp_trojan_source_code_sale/
    9 http://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean
    10 http://english.chosun.com/site/data/html_dir/2013/04/08/2013040800970.html
    11 http://www.bbc.co.uk/news/technology-21601608
    12 http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html
    13 https://mtgox.com/press_release_20130404.html
    14 http://dollarvigilante.com/blog/2013/4/17/bitcoin-price-march-15-april-14-2013-the-bubble-heard-round-.html
    15 https://mtgox.com/press_release_20130411.html
    16 https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
    17 http://news.softpedia.com/news/Bitcoin-Block-Explorer-Blockchain-info-Disrupted-by-DDOS-Attack-346497.shtml
    18 http://www.wired.co.uk/news/archive/2013-05/3/silk-road-ddos
    19 https://s3.amazonaws.com/s3.documentcloud.org/documents/701175/mt-gox-dwolla-warrant-idg-news-service.pdf
    20 http://blog.wmtransfer.com/en/blog/wmx-the-new-type-of-title-units
    21 http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
    22 http://krebsonsecurity.com/2013/06/mtgox-phishing-campaign-hits-bing-yahoo/
    23 http://techcrunch.com/2013/06/27/the-dea-seized-bitcoins-in-a-silk-road-drug-raid/
    24 http://sbu.gov.ua/sbu/control/uk/publish/article?art_id=116410&cat_id=39574
    25 http://www.net-security.org/malware_news.php?id=2458
    26 http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
    27 http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051
    28 http://www.wired.com/threatlevel/2013/05/liberty-reserve-indicted/
    29 http://www.coindesk.com/wm-center-e-currency-exchange-seized-by-us-government/
    30 http://www.eweek.com/security/microsoft-fbi-shutter-citadel-botnets-seeking-to-end-500m-crime-spree/
    31 http://www.infoworld.com/t/security/microsoft-accused-of-friendly-fire-in-citadel-botnet-takedown-220438
    32 http://nakedsecurity.sophos.com/2013/06/12/microsoft-citadel-takedown/
    33 http://garwarner.blogspot.fr/2013/06/vietnamese-carders-arrested-in.html
    34 https://threatpost.com/feds-bust-cybercrime-ring-targeting-payroll-financial-firms/
    35 http://www.leparisien.fr/espace-premium/actu/les-pirates-du-net-pillent-27-000-coordonnees-bancaires-12-06-2013-2888529.php
    36 http://pastebin.com/4g44jfNF
    37 http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q1-2013.pdf
    38 http://news.softpedia.com/news/Hacktivists-Target-Over-100-000-Israeli-Sites-Officials-Say-There-s-No-Real-Damage-343610.shtml
    39 http://technologynewsforday.wordpress.com/2013/04/07/30000-visa-cards-leaked-by-dr-freedom/
    40 http://www.dreuz.info/2013/04/attaque-danonymous-israel-leur-a-mis-la-honte-le-w00t-ultime/
    41 http://news.softpedia.com/news/Anonymous-Hackers-to-Launch-OpPetrol-on-June-20-Video-352816.shtml
    42 http://www.ibtimes.com/opturkey-syrian-electronic-army-joins-anonymous-turkey-protests-hacks-erdogans-network-access-staff
    43 http://www.worldbulletin.net/?ArticleID=111010&aType=haber
    44 http://www.wired.co.uk/news/archive/2013-05/22/south-africa-whistleblower-leak
    45 http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-Home-Office-agency.html
    46 http://gawker.com/the-fbi-raided-steubenville-anonymous-guys-house-here-511634071
    47 http://www.pcworld.com/article/2039020/police-arrest-anonymous-suspects-in-italy.html
    48 http://googleonlinesecurity.blogspot.fr/2013/06/iranian-phishing-on-rise-as-elections.html
    49 http://krebsonsecurity.com/2013/06/iranian-elections-bring-lull-in-bank-attacks/#more-21113
