Symantec Cyber Security Intelligence Report

SYMANTEC INTELLIGENCE REPORTAUGUST 2014

p. 2

Symantec CorporationSymantec Intelligence Report :: AUGUST 2014

CONTENTS

3 Summary

4 TARGETED ATTACKS + DATA BREACHES

5 Targeted Attacks

5 Attachments Used in Spear-Phishing Emails

5 Spear-Phishing Attacks by Size of Targeted Organization

5 Average Number of Spear-Phishing Attacks Per Day

6 Top-Ten Industries Targeted in Spear-Phishing Attacks

7 Data Breaches

7 Timeline of Data Breaches

8 Total Identities Exposed

8 Top Causes of Data Breaches

8 Total Data Breaches

9 Top-Ten Types of Information Breached

10 MALWARE TACTICS

11 Malware Tactics

11 Top-Ten Malware

11 Top-Ten Mac OSX Malware Blocked on OSX Endpoints

12 Ransomware Over Time

12 Malicious Activity by Source: Bots

13 Vulnerabilities

13 Number of Vulnerabilities

13 Zero-Day Vulnerabilities

14 Browser Vulnerabilities

14 Plug-in Vulnerabilities

15 SOCIAL MEDIA + MOBILE THREATS

16 Mobile

16 Mobile Malware Families by Month, Android

17 Mobile Threat Classifications

18 Social Media

18 Social Media

19 PHISHING, SPAM + EMAIL THREATS

20 Phishing and Spam

20 Phishing Rate

20 Global Spam Rate

21 Email Threats

21 Proportion of Email Traffic Containing URL Malware

21 Proportion of Email Traffic in Which Virus Was Detected

22 About Symantec

22 More Information

p. 3


Summary

Welcome to the August edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

As reported in the ISTR Volume 19, 2013 saw a 500 percent increase in ransomware in the latter part of the year. Overall ransomware levels remained high through March 2014, and then slowly started to decline, in part due to the disruption of the GameOver Zeus botnet back in late May.

In contrast, crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detec-tions, but now make up 31 percent at the end of August. One variant known as Trojan.Cryptodefense began to appear in large numbers in early June. By the end of July, it made up 77 percent of all crypto-style ransomware for the year to date. This follows predictions in the ISTR saying this type of malware would become more common in 2014.

Over 31.5 million identities were reported exposed in August, from 12 incidents. The jump in exposed identities is due to a large breach in South Korea, comprising 27 million identities. In the last 12 months 53 percent of data breaches were caused by hacking and 21 percent were accidentally made public.

The average number of spear-phishing emails blocked each day for August was 20, compared with 54 in July and 88 in June. This is below the year-to-date average of 86, which is slightly higher than the daily average of 84 for all if 2013.

The most frequently used malicious file types in these email-based targeted attacks were .exe and .doc file types, with .exe attachments coming out on top this month at 31.8 percent. 29 percent of spear phishing emails were sent to Manufacturing, returning it to the top of the industries targeted.

One in 1,587 emails was identified as a phishing attempt, compared with one in 1,298 for July and one in 496 in June. While at first glance this looks like a big drop, it is not indica-tive of a wider trend just yet, resulting in only a 0.01 percentage point decrease in the overall phishing rate.

We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.

Ben Nahorney, Cyber Security Threat Analyst [email protected]

http://www.symantec.com/security_response/publications/threatreport.jsp

http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

http://www.symantec.com/security_response/writeup.jsp?docid=2014-032622-1552-99

mailto:symantec_intelligence%40symantec.com?subject=

p. 4


TAR

GETED

ATTACKS

+ DATA

BR

EACHES

p. 5


At a Glance

• The average number of spear-phishing attacks dropped to 20 per day in August, the lowest seen in the last twelve months.

• The .exe file type was the most common attachment type used in spear-phishing attacks, followed by .doc files.

• Organizations with 2500+ employees were the most likely to be targeted in August.

• Manufacturing lead the Top-Ten Industries targeted, followed by Professional Services.

Targeted Attacks

Average Number of Spear-PhishingAttacks Per DaySource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

AJJMAMFJ

2014

DNOS

54

21 20

116

54

141

84 84

54

88103

165

Attachments Used in Spear-Phishing Emails

Source: Symantec :: AUGUST 2014

Executable type August July

.exe 31.8% 15.10%

.doc 22.8% 19.90%

.txt 9.6% --

.rtf 7.7% --

.scr 4.4% 5.60%

.class 4.2% 2.40%

.pdf 2.8% 2.00%

.tjv 1.1% --

.com 0.8% --

.fas 0.7% --

Spear-Phishing Attacks by Size of Targeted OrganizationSource: Symantec :: AUGUST 2014

Organization Size August July

1-250 28.8% 35.7%

251-500 7.8% 8.5%

501-1000 4.6% 9.0%

1001-1500 6.3% 3.1%

1501-2500 4.6% 4.1%

2500+ 47.8% 39.6%

p. 6


Top-Ten Industries Targeted in Spear-Phishing AttacksSource: Symantec :: AUGUST 2014

Logistics

Mining

Retail

Public Administration

Transportation, Gas, Communications, Electric

Services - Non Traditional

Wholesale

Finance, Insurance & Real Estate

Services - Professional

Manufacturing 29%

16 15

12 9

7 6

1 1 1

p. 7


Data Breaches

At a Glance

• The largest data breach reported in August resulted in the exposure of 27 million identities. For the month, 31 million identities were exposed.

• Hackers have been responsible for 53 percent of data breach-es in the last 12 months.

• Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.

20

40

60

80

100

120

140

160

AJJMAMFJDNOS

NU

MB

ER O

F IN

CID

ENTS

IDEN

TITI

ES E

XPO

SED

(MIL

LIO

NS)

INCIDENTS IDENTITIES EXPOSED (Millions)

Timeline of Data BreachesSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

147

2.8 .9 1.1

31

1.72.68.1

130

113

159

.8

27

22

22 29

2725

21

24

15 1412

21

5

10

15

20

25

30

35

40

p. 8


Top Causes of Data BreachesSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

Insider Theft

Theft or Lossof Computeror Drive

AccidentallyMade Public

Hackers 53%

20%

21%

6%

Numberof Incidents

137

55

51

16

259TOTAL

Total DataBreachesSEPTEMBER 2013 — AUGUST 2014

259

Total IdentitiesExposedSEPTEMBER 2013 — AUGUST 2014

598Million

p. 9


Top-Ten Types of Information BreachedSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

Real Names

Gov ID numbers (Soc Sec)

Home Address

Birth Dates

Financial Information

Medical Records

Phone Numbers

Email Addresses

Usernames & Passwords

Insurance

01

02

03

04

05

06

07

08

09

10

68%

44%

40%

40%

32%

30%

19%

18%

14%

8%

MethodologyThis data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information.

In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.

Norton Cybercrime Indexhttp://us.norton.com/protect-yourself

p. 10


MA

LWA

RE TAC

TICS

p. 11


Malware Tactics

At a Glance

• W32.Sality and W32.Ramnit variants continue to dominate the top-ten malware list.

• The most common OSX threat seen on OSX was OSX.RSPlug.A, making up 51 percent of all OSX malware found on OSX Endpoints.

• Overall ransomware activity has remained low since March of this year. However, crypto-style ransomware has seen a 700 percent increase since January.

• The US and China where first and second, respec-tively, in August in terms of overall botnet source activity.

Top-Ten MalwareSource: Symantec :: AUGUST 2014

Rank Name August July

1 W32.Sality.AE 4.3% 4.8%

2 W32.Ramnit!html 4.3% 4.3%

3 W32.Almanahe.B!inf 3.6% 3.9%

4 W32.SillyFDC.BDP!lnk 3.0% 2.1%

5 W32.Ramnit.B 2.7% 2.9%

6 W32.Downadup.B 2.3% 2.8%

7 W32.Ramnit.B!inf 1.9% 2.0%

8 W32.Virut.CF 1.2% 1.4%

9 Trojan.Zbot 1.1% 1.4%

10 W32.SillyFDC 0.9% --

Top-Ten Mac OSX Malware Blocked on OSX EndpointsSource: Symantec :: AUGUST 2014

Rank Malware Name August July

1 OSX.RSPlug.A 51.2% 38.20%

2 OSX.Flashback.K 8.5% 8.80%

3 OSX.Stealbit.B 8.1% 12.50%

4 OSX.Klog.A 7.2% --

5 OSX.Sabpab 4.2% 5.80%

6 OSX.Netweird 2.7% 2.00%

7 OSX.Flashback 2.6% 2.50%

8 OSX.Crisis 2.2% 5.70%

9 OSX.FakeCodec 1.9% 1.70%

10 OSX.Keylogger 1.6% 2.60%

p. 12


Malicious Activity by Source: BotsSource: Symantec :: JULY 2014

Rank Country/Region Percent

1 United States 25.2%

2 China 11.7%

3 Taiwan 7.7%

4 Hungary 5.1%

5 Italy 4.2%

6 Brazil 3.1%

7 Canada 3.1%

8 Japan 3.0%

9 France 2.8%

10 Germany 2.5%

Ransomware Over TimeSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

THO

USA

ND

S

200

400

600

800

1,000

AJJMAMFJ

2014

DNOS

625

419

861

660

465

342425

156 143230 183 149

p. 13


Number of VulnerabilitiesSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

AJJMAMFJ2014

DNOS

438

575

399

549

438471

542 562 579

473

663

555

Zero-Day VulnerabilitiesSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

AJJMAMFJ2014

DNOS

0 0 00 0

2 2

0

5

0

1

4

Vulnerabilities

At a Glance

• There were 399 vulner-abilities disclosed during the month of August.

• There were no zero-day vulnerabilities discovered in August.

• Internet Explorer has reported the most brows-er vulnerabilities in the last 12 months.

• Oracle’s Java reported the most plug-in vulner-abilities over the same time period.

p. 14


Browser VulnerabilitiesSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

20

40

60

80

100

AJJMAMFJ2014

DNOS

Opera

Mozilla Firefox

Microsoft Internet Explorer

Google Chrome

Apple Safari

Plug-in VulnerabilitiesSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

10

20

30

40

50

60

70

80Java

Apple

Adobe

ActiveX

AJJMAMFJ2014

DNOS

p. 15


SOCIA

L MED

IA

+ MO

BILE TH

REATS

p. 16


Mobile

Mobile Malware Families by Month, AndroidSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

7

2

4

2

4

2 2

3

4 443

AJJMAMFJ2014

DNOS

At a Glance

• There were two Android malware families discov-ered in July.

• Of the threats discovered in the last 12 months, 24 percent steal information from the device and 23 percent track the device’s user.

• In terms of social networking scams, 52 percent were fake offer-ings and 37 percent were manually shared scams.

p. 17


Mobile Threat ClassificationsSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

Track User Risks that spy on the individual using the device, collecting SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or gathering pictures and video taken with the device.

Steal Information This includes the collection of both device- and user-specific data, such as device information, configuration data, or banking details.

Traditional Threats Threats that carry out traditional malware functions, such as back doors and downloaders.

Recon�gure Device These types of risks attempt to elevate privileges or simply modify various settings within the operating system.

Adware/Annoyance Mobile risks that display advertising or generally perform actions to disrupt the user.

Send Content These risks will send text messages to premium SMS numbers, ultimately appearing on the bill of the device’s owner. Other risks can be used to send spam messages.

AdwareAnnoyance

SendContent

ReconfigureDevice

TraditionalThreats

TrackUser

StealInformation

8%

11%

21%23%

13%

24%

p. 18


Social Media

Social MediaSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

52%

Fake Offers These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.

Manual Sharing Scams These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.

Likejacking Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.

Comment Jacking Similar to likejacking, this type of scam relies on users clicking links that are added to comments by attackers. The links may lead to malware or survey scams.

Fake App Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.

CommentJacking

FakeApps

LikejackingManualSharing

FakeOffering

37%

8.5%1.7% .6%

p. 19


PHISH

ING

, SPAM

+ EMA

IL THR

EATS

p. 20


Phishing and Spam

Phishing RateSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

1 in 200

1 in 400

1 in 600

1 in 800

1 in 1000

1 in 1200

1 in 1400

1 in 1600

AJJMAMFJ

2014

DNOS

359311 236

306401

478

370

731

395

469

12901587

At a Glance

• The phishing rate was down again in August, at one in 1,587 emails, down from one in 1,290 emails in July.

• The global spam rate was 62.6 percent for the month of August.

• One out of every 270 emails contained a virus.

• Of the email traffic in the month of August, 3.2 percent contained a mali-cious URL.

Global Spam RateSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

10

20

30

40

50

60

70

80

AJJMAMFJ2014

DNOS

75

64.8

68.8 70.6

62.2 62.1

66.2

58.5

60.6

59.9

63.7

62.6

p. 21


Email Threats

Proportion of Email Traffic Containing URL MalwareSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

5

10

15

20

25

30

35

40

45

AJJMAMFJ2014

DNOS

14.7

10.5 9.5

13.615.6 14.2

5.7

2.6

13.7

7.4

7.9

3.2

1 in 50

1 in 100

1 in 150

1 in 200

1 in 250

1 in 300

1 in 350

1 in 400

1 in 450

1 in 500

AJJMAMFJ2014

DNOS

Proportion of Email Traffic in Which Virus Was DetectedSource: Symantec :: SEPTEMBER 2013 — AUGUST 2014

206 191

129 112

207188

141

234

183

232

351

270

p. 22


About Symantec

More Information

• Symantec Worldwide: http://www.symantec.com/

• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/

• Symantec Security Response: http://www.symantec.com/security_response/

• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/

• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

http://www.symantec.com/

http://www.symantec.com/threatreport/

http://www.symantec.com/security_response/

http://us.norton.com/security_response/threatexplorer/

http://us.norton.com/cybercrimeindex/

www.symantec.com

go.symantec.com/socialmedia

For specific country offices and contact numbers,

please visit our website.

For product information in the U.S.,

call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters

350 Ellis Street

Mountain View, CA 94043 USA

+1 (650) 527 8000

1 (800) 721 3934

www.symantec.com

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners

www.symantec.com

Technology

Symantec Cyber Security Intelligence Report