rp quarterly threat q2 2013
TRANSCRIPT
-
7/27/2019 Rp Quarterly Threat q2 2013
1/38
Report
By McAfee Labs
McAfee Threats Report: Second Quarter 2013
Table of Contents
Introduction
Operation Troy
Mobile Threats
Banking malware
Adults only
Targeted Trojans
Mobile spyware
General Malware Threats
Ransomware
Database Threats
Network Threats
Web Threats
Phishing
Spam URLs
Messaging Threats
Spam volume
Drugs, DSN, and snowshoes
Botnet breakdowns
New botnet senders
Messaging botnet prevalence
Cybercrime
Malware, vulnerabilities, and hacking
The Bitcoin saga
Actions against cybercriminals
Hacktivism
Cyberarmies
About the Authors
About McAfee Labs
Introduction
McAfee Labs researchers have analyzed the threats of the second quarter of 2013. Several trends are familiar: steady
growth in mobile and overall malware. A cyberespionage attack against South Korea and a further increase in worldwide
spam are further attention grabbers.

The Dark Seoul attack against banks and media companies in South Korea inspired McAfee Labs to investigate beyond
the basics of computers disabled by having their master boot records deleted. Behind the scenes we found an ongoing
attempt to infiltrate South Korean military targets in a cyberespionage campaign that began in 2009. Our extensive report,
published in July, explains the history and the coding details behind the damage and attempted surveillance.

Backdoor Trojans and banking malware were the most popular mobile threats this quarter. We counted more than
17,000 new Android samples during this period. The year is certain to establish another record. New malware of all
types exceeded 18 million this quarter, pushing our all-time tally to more than 147 million binaries. AutoRun threats,
often spread via USB drives, remain at record levels, as do password-stealing programs. Signed malware, which poses
as approved legitimate software, continues to set records, increasing by 50 percent this quarter. Malware that attacks
a system's master boot record declined from last quarter's record high, but remains very dangerous.

Ransomware, which holds a computer hostage until the victim pays to free it, is a bad problem getting worse. The number
of new samples more than doubled compared with last quarter. Not only do criminals make relatively safe money from this
scheme, they often do not remove their malware, leaving the poor victim's system as dead as before.

Publicly reported data breaches have averaged a relatively flat line for the past three quarters. Outsiders steal data more
often than insiders, but this is one threat area in which our data comes from victims, who may not feel like exposing all of
their weaknesses. MySQL still leads enterprise databases in the number of reported vulnerabilities.

From the McAfee Global Threat Intelligence network we see that browser-based threats, such as hidden iframes and
malicious Java code, comprise almost three-fourths of the Internet's malicious activity. IP addresses in the United States are
again both the source and the target of most network threats.

Our analysis of web threats found that the number of new suspicious URLs, mostly in the United States, increased by
16 percent this quarter. Phishing attacks aimed primarily at targets in the United States. The leading industries suffering
phishing attacks are financial and online-auction organizations. Spam levels are bouncing back: This quarter volume
reached 2 trillion messages in April, the highest figure we've seen since 2010. We continue to report on the variety of
spam subjects and botnet prevalence in selected countries around the world.

Our timeline of significant hacks shows the major criminal activity that took place this quarter. Online currency Bitcoin
was in the news. One Bitcoin provider suffered DDoS attacks that interrupted service and led to wild swings in value. Law
enforcement officials around the world enjoyed some successes this quarter, with arrests halting gangs responsible for
stealing hundreds of millions to billions of dollars.

Activist hackers demonstrated, defaced, and inspired counterattacks from their opponents. The group Anonymous was
involved in some efforts and likely had its name borrowed to support some others. The Middle East was again a busy
region for political expression.
Operation Troy
When reports of the March 20 Dark Seoul attack on South Korean financial services and media firms emerged, most
of the focus was on the wiping of the master boot record of thousands of computers. PCs infected by the attack had all
of the data on their hard drives erased. Since that time, however, McAfee Labs has discovered that the Dark Seoul attack
included a broad range of technology and tactics beyond cybervandalism.

The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development
project that has been named Operation Troy. (The name Troy comes from repeated citations of the ancient city found in
the compile path strings of the malware.) The McAfee Labs investigation into the Dark Seoul incident uncovered a
long-term attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.

Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code.
Forensic researchers can use these prints to identify where and when the code was developed. It's rare that a researcher
can trace a product back to individual developers (unless they're unusually careless). But frequently these artifacts can
be used to determine the original source and development legacy of a new product. Sometimes the developers insert
such fingerprints on purpose to establish ownership of a new threat. McAfee Labs uses sophisticated code analysis and
forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best
mitigate an attack or predict how the threat might evolve in the future. McAfee Labs research learned that the Dark Seoul
attack was preceded by years of attempted cyberespionage:
[Figure: Operation Troy timeline, 2009 to March 20, 2013. Periods: Operation Troy domestic spying period; Dark Seoul. Events: US/South Korean military attacks, DDoS attacks, 10 Days of Rain, media/broadcast attacks, financial industry attacks. Malware: Chang, EagleXP, NSTAR, HTTP Troy, Mail Attack, Http Dr0pper, Tong, Concealment Troy, MBR Wiper, 3Rat Client, TDrop. Legend: Suspected Link, Solid Link, Highly Probable Link.]
Our investigation into the cyberattacks in March revealed ongoing covert intelligence-gathering operations. McAfee Labs
concludes that the attacks on March 20 were not an isolated event strictly tied to the destruction of systems, but the latest
in a series of attempts to infiltrate targets since 2009. For details, read the McAfee Labs report Dissecting Operation Troy:
Cyberespionage in South Korea.[1]
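
The compile-path fingerprints described in this section can be pulled out of samples and compared across them, as in this added example (not code from McAfee Labs or the report). It assumes the paths sit in CodeView RSDS debug records, the usual place for them in binaries built with Microsoft toolchains; the sample blobs and paths are constructed.

```python
import re
import struct
import uuid
from collections import defaultdict

# CodeView "RSDS" record: 4-byte signature, 16-byte GUID, 4-byte age,
# then the NUL-terminated path of the PDB file written at link time.
RSDS_RECORD = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{4,260})\x00", re.DOTALL)

# Tokens that appear in almost every build tree and say nothing about origin.
COMMON_TOKENS = frozenset({"release", "debug", "pdb", "bin", "obj", "x86", "x64"})


def extract_pdb_records(blob: bytes):
    """Return (guid, age, path) for each RSDS record found in a binary."""
    records = []
    for match in RSDS_RECORD.finditer(blob):
        guid = uuid.UUID(bytes_le=match.group(1))
        (age,) = struct.unpack("<I", match.group(2))
        records.append((str(guid), age, match.group(3).decode("ascii")))
    return records


def path_tokens(path: str):
    """Split a compile path into lower-cased tokens, dropping noise."""
    tokens = re.split(r"[\\/ ._:\-]+", path.lower())
    return {t for t in tokens if len(t) >= 3 and t not in COMMON_TOKENS}


def shared_path_tokens(blobs: dict, min_samples: int = 2):
    """Map each token to the samples whose compile paths contain it,
    keeping only tokens seen in at least min_samples different files."""
    seen = defaultdict(set)
    for name, blob in blobs.items():
        for _guid, _age, path in extract_pdb_records(blob):
            for token in path_tokens(path):
                seen[token].add(name)
    return {tok: sorted(names) for tok, names in sorted(seen.items())
            if len(names) >= min_samples}


def make_sample(path: str, serial: int) -> bytes:
    """Build a constructed blob that embeds one RSDS record (not a real PE)."""
    guid = uuid.UUID(int=serial).bytes_le
    record = b"RSDS" + guid + struct.pack("<I", 1) + path.encode("ascii") + b"\x00"
    return b"MZ" + bytes(64) + record + b"\xcc" * 16


# Constructed paths for illustration only; they are not indicators from the report.
SAMPLES = {
    "sample_a.bin": make_sample(r"E:\example\alpha troy\Release\dropper.pdb", 1),
    "sample_b.bin": make_sample(r"E:\example\beta_troy\Release\client.pdb", 2),
    "sample_c.bin": make_sample(r"C:\other\project\Release\tool.pdb", 3),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, extract_pdb_records(blob))
    print(shared_path_tokens(SAMPLES))
```

A token shared by several otherwise unrelated samples is a lead for clustering, not proof of common authorship, since build paths can be planted deliberately, as the text notes.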
Mobile Threats
This quarter backdoor Trojans, which steal data without the victim's knowledge, and malware that goes after banking
login information have made up the largest portion of all new mobile malware families. Spyware has also been active, and
malware authors continue to target activists. Halfway through 2013 we have already collected almost as many mobile
malware samples as in all of 2012. Will the count double by the end of the year? That much and more, we expect. This
quarter we added more than 17,000 Android samples to our database.
[Chart: New Mobile Malware, by year, 2004 to 2013]
[Chart: Total Mobile Malware by Platform. Categories: Android, Symbian, Java ME, Others]
[Chart: New Android Malware, by quarter, Q1 2011 to Q2 2013]
Banking malware
Banks in Europe and Asia require two-factor authentication via SMS messages. When customers log into their banks, they
are sent a mobile transaction authentication number (mTAN) in a text message. Then they must enter the mTAN code
to get access to their accounts. This step prevents an attacker who steals only username and password from reaching a
victim's money.

Attackers seeking to bypass two-factor authentication need to get that text message sent by the banks. Once the
attacker has stolen a username and password from a victim's PC, the thief needs only to get the user to install
SMS-forwarding malware.

A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, take the standard SMS forwarder malware
a step further. Normally we advise users to employ only the official app provided by their banks for any online banking.
Android/FakeBankDropper.A counters that defense by replacing the bank's official app with Android/FakeBank.A. While
the victims think they have the original app installed, the attacker logs into the users' accounts to get the latest SMS from
the bank.

A short list of similar SMS forwarders:
- Android/Nopoc.A: Forwards incoming SMS messages to the attacker's server.
- Android/Pincer.A: Pretends to install a certificate on the user's device. Forwards SMS messages to the attacker's server.
- Android/Stels.A: Pretends to be an update to the Adobe Flash player. Collects sensitive user information and posts it to
  the attacker's server.
- Android/Wahom.A: Pretends to be a legitimate app, but displays an error message to the user. The malware hides
  its icon to fool the user into thinking it was uninstalled. Collects sensitive user information and forwards SMS to the
  attacker's server.
Adults only
Adult-entertainment software offers helpful camouflage for attackers. They can gain large profits and they're less likely to
attract attention from law enforcement. Attackers' interest in adult-entertainment apps has risen this quarter.

In Japan a large family of potentially unwanted programs (PUPs), Android/DeaiFraud, pretends to be an app for a popular
adult-dating site. Although this malware doesn't directly harm users, it can lead them to receive spam from the attacker.
It's also likely that users will be fooled into signing up for the adult-dating site due to the attacker's partners posing as real
singles on the service.

Apart from PUPs, we also saw Android/NMPHost.A, a malware that convinces users to download a second malware,
Android/NMP.A, which steals user information. Both malware pretend to be adult-entertainment apps. Once installed,
Android/NMP.A collects sensitive user information and sends it to the attacker's server.
Targeted Trojans
Attackers find legitimate apps very useful as cover for their malicious code. They benefit from the popularity of the app as
well as from how much users trust the app. In the case of Android/Kaospy.A, attackers are using modified versions of the
Kakao talk app and targeting Tibetan activists. This malware is distributed using phishing emails. The malicious spyware
collects a large amount of sensitive user information (contacts, call logs, SMS messages, installed applications, and
location) and uploads the data to the attacker's server.

Trojanized apps that aren't so narrowly targeted include Android/BadNews.A. This backdoor Trojan pretends to be a
legitimate game app that includes ads. Instead it collects sensitive user information and sends it to the attacker. It's also
capable of displaying fake news headlines.
Mobile spyware
Commercial spyware has seen a small increase from the previous quarter. Android/Fzw.A downloads a spyware app from
the attacker's website. Like other hidden Trojans, it pretends to be a legitimate font installer app. The downloaded spyware
forwards SMS messages, call logs, and location information to the attacker's server.

Android/Roidsec.A is spyware that pretends to be software for syncing the user's phone. It really does sync the user's
sensitive information and SMS messages, only to the attacker's server. The malware collects location, call logs, and data
about the phone hardware and can record calls, too.
General Malware Threats
Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of
this quarter we now have more than 147 million samples in our malware zoo.
[Chart: Total Malware Samples in the McAfee Labs Database, by month, July 2012 to June 2013]
[Chart: New Malware, by quarter, Q1 2011 to Q2 2013]
Rootkits, or stealth malware, are designed to evade detection and reside on a system for prolonged periods. Growth in
new rootkit samples has been on a downward trend since the middle of 2011. All three of the rootkit types we track in
this report matched this trend.
[Chart: New Rootkit Samples, by quarter, Q1 2011 to Q2 2013]
[Chart: New Koutodoor Samples, by quarter, Q1 2011 to Q2 2013]
[Chart: New TDSS Samples, by quarter, Q1 2011 to Q2 2013]
[Chart: New ZeroAccess Samples, by quarter, Q1 2011 to Q2 2013]
AutoRun malware, which often hides on USB drives and can allow an attacker to take control of a system, doubled at
the start of the year and increased slightly again this quarter. The number of fake AV products, which scare victims into
believing their systems are infected, rose during 2012 to a record level but has declined during the last two quarters.
Koobface, which plagues Facebook users, peaked in 2009-10 and has remained at low levels since early 2012.
Password-stealing Trojans, which attempt to raid victims' bank accounts, established a record high last quarter; this
quarter's figure was almost as large.
[Chart: New AutoRun Samples, by quarter, Q1 2011 to Q2 2013]
[Chart: New Fake AV Samples, by quarter, Q1 2011 to Q2 2013]
[Chart: New Koobface Samples, by quarter, Q1 2011 to Q2 2013]
[Chart: New Password Stealers Samples, by quarter, Q1 2011 to Q2 2013]
Signed malware rebounded sharply from its decline in the first quarter and again set a new record, with more than
1.2 million new samples discovered this quarter.
[Chart: Total Malicious Signed Binaries, by month, July 1, 2012 to June 1, 2013]
[Chart: New Malicious Signed Binaries, by quarter, Q3 2011 to Q2 2013]
New malware that attacks the Mac more than tripled, after declining for three quarters. In spite of the small numbers
compared with PC threats, Mac users also need protection.
[Chart: New Mac Malware, by quarter, Q1 2011 to Q2 2013]
One strain of malware targets a computer's master boot record (MBR), an area that performs key startup operations.
Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration. These attacks,
including mebroot, Tidserv, Cidox, and Shamoon, have rapidly increased their numbers. This quarter saw a drop from last
period's record level, but it's still the second-highest figure we have recorded.
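
One way a defender can triage sector 0 of a disk image for the MBR wiping and boot-code tampering this report describes; this is an added example, not code from the report. It checks the classic MBR layout (446 bytes of boot code, four partition entries, the 0x55AA signature); the finding codes, the sample sectors and the known-good baseline digest are constructed for the illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0-445: bootstrap code
TABLE_OFFSET = 446         # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510-511: boot signature
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code area, for comparison with a known-good copy."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def repeating_period(sector: bytes, max_period: int = 16):
    """Return the period if the whole sector is one short pattern repeated."""
    for period in range(1, max_period + 1):
        unit = sector[:period]
        repeats, rest = divmod(len(sector), period)
        if unit * repeats + unit[:rest] == sector:
            return period
    return None


def parse_partitions(sector: bytes):
    """Decode the four primary partition entries."""
    entries = []
    for i in range(4):
        status, ptype, start, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "start": start, "count": count})
    return entries


def inspect_mbr(sector: bytes, baseline_digest: str = None):
    """Return a list of finding codes for one 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("bad-signature")
    if repeating_period(sector) is not None:
        # Overwritten with filler: the partition table is meaningless, stop here.
        findings.append("repeating-fill")
        return findings
    entries = parse_partitions(sector)
    used = [e for e in entries if e["type"] != 0]
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        findings.append("bad-status")
    if sum(e["status"] == 0x80 for e in entries) > 1:
        findings.append("multiple-active")
    if not used:
        findings.append("no-partitions")
    prev_end = 0
    for e in sorted(used, key=lambda e: e["start"]):
        if e["start"] < prev_end:
            findings.append("overlap")
            break
        prev_end = e["start"] + e["count"]
    # A bootkit can keep the table and signature intact, so compare the code too.
    if baseline_digest and boot_code_digest(sector) != baseline_digest:
        findings.append("boot-code-changed")
    return findings


def build_mbr(boot_code: bytes, partitions):
    """Assemble a constructed sector from boot code and (status, type, start, count) tuples."""
    table = b"".join(ENTRY.pack(*p) for p in partitions).ljust(64, b"\x00")
    return boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


# Constructed sample sectors (filler bytes, not real boot code).
ONE_PARTITION = [(0x80, 0x07, 2048, 204800)]
HEALTHY = build_mbr(bytes((i * 7 + 3) % 256 for i in range(446)), ONE_PARTITION)
TAMPERED = build_mbr(bytes((i * 5 + 1) % 256 for i in range(446)), ONE_PARTITION)
WIPED = b"CONSTRUCTED-FILL" * 32
ZEROED = bytes(SECTOR_SIZE)
BASELINE = boot_code_digest(HEALTHY)

if __name__ == "__main__":
    for label, sector in [("healthy", HEALTHY), ("tampered", TAMPERED),
                          ("wiped", WIPED), ("zeroed", ZEROED)]:
        print(label, inspect_mbr(sector, BASELINE))
```

The structural checks catch a wiped sector; only the digest comparison catches replaced boot code that leaves the partition table and signature valid, so the baseline has to be recorded while the system is known to be clean.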
[Chart: New Master Boot Record-Related Threats, by quarter, Q1 2011 to Q2 2013. Series: Variants of Families with Known MBR Payloads; Identified MBR Components]
Ransomware
Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen.
The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter. During
the past two quarters we have catalogued more ransomware than in all previous periods combined. This trend is also
reflected by warnings from law enforcement and federal agencies around the globe.

One reason for ransomware's growth is that it is a very efficient means for criminals to earn money because they use
various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for
example, which must process credit card orders for the fake software. Another reason is that an underground ecosystem
is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as
Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem
of ransomware will not disappear anytime soon.
[Chart: New Ransomware Samples, by quarter, Q1 2011 to Q2 2013]
Database Threats
When we reported on the numbers of database breaches made public in our Threats Report for the fourth quarter of
2012, we saw a slowdown in break-ins, with just 47 during the quarter. At that time we couldn't be sure whether we
were observing a trend or an anomaly. Six months later, we can now see some stabilization in this area. This year started
at the same relatively low rate as 2012 ended, with 119 data breaches in the first six months of 2013. That's a little more than
one-third of the 315 breaches during the record-setting 2012. Are we in the middle of a long-term trend or is this just the
calm before the storm?
[Chart: Data Breaches Made Public, by year, 2007 to 2013. Source: privacyrights.org]
The rate of data breaches caused by outside hackers (criminal or otherwise) dropped considerably in 2012, and has held
relatively steady for the last four quarters. The lower rate of theft by company insiders has also been relatively steady,
though without a dramatic decline. The drop in outsider breaches might point to companies and organizations investing
more heavily in perimeter protections than in database security. However, we have seen database security get much more
attention from medium-sized and big businesses than just one or two years ago.
[Chart: Sources of Data Breaches, by quarter, Q1 2012 to Q2 2013. Series: Insiders, Hackers. Source: privacyrights.org]
As we can see from the preceding graph, hackers still cause a greater number of breaches than insiders. But we have to
remember that data-breach statistics are rarely objective due to their nature. Hackers publish stolen data more frequently
than a company will confess that it was compromised.
Database vulnerabilities, reported by the developers or others, continue to be dominated by MySQL, with almost
60 percent of all vulnerabilities discovered during the past six quarters.
[Chart: New Vulnerabilities in Leading Databases, by quarter, Q1 2012 to Q2 2013. Series: SQL Server, Sybase, PostgreSQL, DB2, Oracle, MySQL]
Network Threats
As usual, the United States is both the source and the target of much of the Internet's malicious activity, according to the
McAfee Global Threat Intelligence network. Browser-based threats have increased to 73 percent of all attacks, compared
with 44 percent last quarter. The following detection signatures show which types of attacks McAfee products most
frequently blocked:
- HTTP: Microsoft JPEG Processing Buffer Overrun
- HTTP: Multiple Browser Window Injection Vulnerability
- RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
- HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution
[Chart: Top Network Attacks. Categories: Browser, Remote Procedure Call, SQL Injection, Cross-Site Scripting, Others]
As the host of SQL-injection attacks, which poison legitimate websites, the United States' piece of the pie shrunk slightly
this quarter, to 32 percent from 35 percent last quarter. Venezuela regained second place, hosting 11 percent. By far most
victims of these attacks (60 percent, up from 55 percent last period) are in the United States.
[Chart: Top SQL-Injection Attackers. Countries: United States, Venezuela, Spain, Taiwan, China, Germany, South Korea, Others]
[Chart: Top SQL-Injection Victims. Countries: United States, Taiwan, China, Russia, Spain, Others]
In our botnets tracking, the United States again claims first place. The percentage of control servers hosted dropped
3 points to 37 percent. The decrease was larger among botnet victims, falling to 34 percent from 43 percent in the
first quarter.
[Chart: Top Botnet Control Servers. Countries: United States, Germany, China, Turkey, Russia, United Kingdom, South Korea, Others]
[Chart: Top Botnet Victims. Countries: United States, Turkey, Taiwan, Brazil, Canada, Spain, India, Others]
The United States represents the lion's share of hosts of PDF-based attacks, climbing to 53 percent this quarter, compared
with 35 percent in the last period. Taiwan, with 8 percent, took second place. China fell to just 2 percent this quarter from
11 percent last time.
[Chart: Top Malicious PDF Attackers. Countries: United States, Taiwan, Spain, United Kingdom, Germany, Canada, Others]
Web Threats
Websites can gain bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any
number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by
the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable
code and functionality. These are just a few of the factors that contribute to our rating of a site's reputation.

At June's end, the total number of suspect URLs tallied by McAfee Labs overtook 74.7 million, which represents a 16 percent
increase over the first quarter. These URLs refer to 29 million domain names, up 5 percent from the previous period.
[Chart: Risk Level of Suspect URLs. Categories: Minimal, Unverified, Medium, High]
[Chart: Risk Level of Suspect Domains. Categories: Minimal, Unverified, Medium, High]
This quarter, we recorded per month an average of 3.5 million new suspect URLs related to about 430,000 domains.
[Chart: New Suspect URLs, by quarter, Q2 2012 to Q2 2013. Series: URLs, Associated Domains]
Most of these suspicious URLs (96 percent) host malware, exploits, or codes that have been designed specifically to
compromise computers. Phishing and spam represent 2.1 percent and 0.3 percent, respectively.
[Charts: Distribution of New Suspect URLs. Categories: New Malware URLs, New Phishing URLs, New Spam Email URLs, Others]
Distribution at the domains level gives us a different outlook, with 12 percent phishing domains and 2 percent spam domains.
[Charts: Distribution of New Suspect Domains. Categories: New Malware Domains, New Phishing Domains, New Spam Email Domains, Others]
The domains associated with newly suspect URLs are mainly located in North America (chiefly the United States) and
Europe-Middle East (chiefly Germany). This trend is not new; North America historically hosts quite a bit of malware and
suspect content. However, its influence has dropped to 52 percent, compared with 74 percent last quarter.
[Chart: Location of Servers Hosting Suspect Content. Regions: North America, Africa, Asia-Pacific, Australia, Europe-Middle East, Latin America]
Digging into the location of servers hosting malicious content in other countries we see quite a global diversity. Each
region has one or two clearly dominant players.
[Charts: Location of Servers Hosting Malicious Content, by region]
Africa: South Africa, Kenya, Morocco, Egypt, Tunisia, Others
Asia-Pacific: China, South Korea, Japan, Hong Kong, Thailand, Others
Australia-South Pacific: Australia, New Zealand
Europe and Middle East: Germany, Netherlands, Russia, United Kingdom, Poland, Others
Latin America: Brazil, Bahamas, British Virgin Islands, Argentina, Chile, Others
North America: United States, Canada
Phishing
After peaking during the fourth quarter of 2012, the number of new phishing URLs dropped sharply last quarter.
This period saw a modest decrease.
[Chart: New Phishing URLs, by quarter, Q2 2012 to Q2 2013. Series: URLs, Associated Domains]
Most of these URLs are hosted in the United States.
[Chart: Top Countries Hosting Phishing URLs. Countries: United States, Germany, United Kingdom, Canada, Netherlands, Others]
Companies from the United States are the most frequently targeted, suffering 67 percent of all attacks. They are followed
by United Kingdom and Australia, with 6 percent and 3 percent, respectively. Phishers go after several key industries. The
top 5 are finance (with 42 percent of attacks), online auctions (32 percent), government, shopping, and services.
[Chart: Phishing Targets by Industry. Categories: Finance, Online Auctions, Shopping, Government, Services, Others]
Companies in the United States are the most heavily targeted, followed by the United Kingdom and Australia.
United States: Amazon, American Express, Deloitte, eBay, JPMorgan Chase, PayPal, Wells Fargo
United Kingdom: Barclays, HM Revenue & Customs, HSBC, Lloyds TSB, Natwest, Santander
Australia: ANZ (Australia and New Zealand Banking Group), Westpac Bank
Canada: Capital One, Royal Bank of Canada, TD Bank Group
India: HDFC Bank, ICICI Bank
Spam URLs
Spam URLs are links that arrive in unsolicited emails. Also included in this family are sites built only for spamming purposes,
such as spam blogs or comment spam.
[Chart: New Spam URLs, by quarter, Q2 2012 to Q2 2013. Series: URLs, Associated Domains]
The primary countries hosting these URLs are the United States (with 39 percent of the total). Germany (9 percent) and
Russia (6 percent) follow.
[Chart: Countries Hosting Spam URLs. Countries: United States, Germany, Russia, China, Antarctica, Netherlands, South Korea, Others]
Messaging Threats
In April, spam volume surpassed 2 trillion messages, the highest figure since December 2010. A slight decline in May and
June still left the count higher than any time since May 2011.
[Chart: Global Email Volume, in Trillions of Messages, by month, July 2012 to June 2013. Series: Monthly Spam, Legitimate Email]
Spam volume
Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are
the most dramatic examples; each had an increase of greater than 200 percent this period. Japan grew by 142 percent.
Meanwhile, Pakistan (down 59 percent) and Romania (down 56 percent) enjoyed large declines. France fell by 25 percent,
and the United States decreased by 16 percent.
Spam Volume
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
30,000,000
Brazil
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
14,000,000
16,000,000
18,000,000
Argentina
0
200,000
400,000
600,000
800,000
1,000,000
1,200,000
1,400,000
1,600,000
1,800,000
2,000,000
Australia
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
NOV
2012
JUL
2012
0
20,000,000
40,000,000
60,000,000
80,000,000
100,000,000
120,000,000
140,000,000
160,000,000
Belarus
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
-
7/27/2019 Rp Quarterly Threat q2 2013
23/38
23 McAfee Threats Report: Second Quarter 2013
Spam Volume
0
10,000,000
20,000,000
30,000,000
40,000,000
50,000,000
60,000,000
70,000,000
India
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
14,000,000
France
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
NOV
2012
JUL
2012
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
14,000,000
16,000,000
18,000,000
Germany
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
Chile
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
China
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
0
1,000,000
2,000,000
3,000,000
4,000,000
5,000,000
6,000,000
7,000,000
Italy
0
500,000
1,000,000
1,500,000
2,000,000
2,500,000
3,000,000
Japan
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
NOV
2012
JUL
2012
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
30,000,000
35,000,000
40,000,000
Kazakhstan
JUN
2013
MAY
2013
APR
2013
MAR
2013
FEB
2013
JAN
2013
DEC
2012
NOV
2012
OCT
2012
SEP
2012
AUG
2012
JUL
2012
-
7/27/2019 Rp Quarterly Threat q2 2013
24/38
24 McAfee Threats Report: Second Quarter 2013
[Figure: Spam Volume by country, monthly, JUL 2012 to JUN 2013. Panels: Russia, Peru, Romania, Spain, South Korea, Ukraine, United Kingdom, United States.]
Drugs, DSN, and snowshoes
As we look at spam subjects around the world, we see that the popularity of drugs just won't go away. Drug offers in
our selected countries range from a low of 17 percent to more than 50 percent of leading spam subject lines. In Australia,
France, and the United States, delivery service notification (DSN) teasers remain popular. In many countries snowshoe
spam appeared on at least one-quarter of the leading subjects. Snowshoe spam spreads the load across many IP addresses
to avoid rapid eviction by ISPs. Lots of spam this quarter contained subject lines related to the Boston Marathon bombings.
Most of these messages contained links to malware. We were surprised to see relatively little spam for replica products,
such as watches and other junk. This has long been a popular subject. We're sure it hasn't gone away but it did lose
significant volume.
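The snowshoe behavior described above, as an added example that is not part of the McAfee report: a per-IP volume rule misses a sender spread thinly across a netblock, while grouping senders by netblock exposes it. The thresholds, the /24 grouping, and the sample records are assumptions constructed for illustration.

```python
"""Compare a per-IP volume rule with a per-netblock view of the same mail log."""
import ipaddress
from collections import defaultdict

# Assumed thresholds for a one-hour window (illustrative, not from the report).
PER_IP_LIMIT = 100   # messages from one IP that would trip a per-IP rule
MIN_SENDERS = 8      # distinct sending IPs in one block to call it a spread
BLOCK_LIMIT = 200    # messages from the whole block that count as bulk


def build_sample():
    """Constructed records: (source IP, messages seen in one hour)."""
    # Twelve neighbours in a documentation range, 30 messages each (snowshoe-like).
    records = [(f"203.0.113.{host}", 30) for host in range(10, 22)]
    # One conventional bulk sender that a per-IP rule catches easily.
    records.append(("198.51.100.7", 500))
    # Two low-volume hosts that should not be flagged by either view.
    records += [("192.0.2.10", 5), ("192.0.2.11", 3)]
    return records


def per_ip_hits(records, limit=PER_IP_LIMIT):
    """Return the IPs whose own volume reaches the per-IP limit."""
    totals = defaultdict(int)
    for ip, count in records:
        totals[ip] += count
    return sorted(ip for ip, total in totals.items() if total >= limit)


def snowshoe_blocks(records, prefix=24, min_senders=MIN_SENDERS,
                    block_limit=BLOCK_LIMIT, per_ip_limit=PER_IP_LIMIT):
    """Return (netblock, sender count, total messages) for blocks where many
    IPs each stay under the per-IP limit but the block as a whole is bulk."""
    blocks = defaultdict(lambda: defaultdict(int))
    for ip, count in records:
        # strict=False lets a host address stand in for its enclosing network.
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)][ip] += count

    findings = []
    for net, senders in blocks.items():
        total = sum(senders.values())
        spread_thin = max(senders.values()) < per_ip_limit
        if len(senders) >= min_senders and total >= block_limit and spread_thin:
            findings.append((net, len(senders), total))
    return sorted(findings)


if __name__ == "__main__":
    sample = build_sample()
    print("per-IP rule flags:", per_ip_hits(sample))
    print("netblock view flags:", snowshoe_blocks(sample))
```

The /24 grouping is an IPv4 simplification; real snowshoe ranges can span several blocks or providers, so the grouping key is a tuning choice.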
[Figure: Spam Types by country. Panels: Argentina, Australia, Brazil, Colombia, France, Germany, India, Italy, Spain, Turkey, United Kingdom, United States. Legend: Drugs, DSN, Jobs, Marketing, News, Phishing, Scams, Snowshoe, Travel, Webinars.]
Botnet breakdowns
Infections from messaging botnets, which supply spam worldwide, have shown an overall decline since May 2012, but
this quarter's trend was again upward.
[Figure: Global Messaging Botnet Infections, monthly, JUL 2012 to JUN 2013.]
Cutwail remains in first place among botnets, causing more than 6 million new infections during the quarter. Kelihos was
a distant second, at 2.3 million. New last quarter, Slenfbot infected 1.6 million systems this period.
[Figure: Spam Botnet Prevalence. Legend: Cutwail, Kelihos, Slenfbot, Festi, Maazben, Others.]
[Figure: Leading Global Botnet Infections, monthly, JUL 2012 to JUN 2013. Series: Cutwail, Kelihos, Slenfbot, Festi, Maazben.]
New botnet senders
Country-specific botnet statistics show big variances from quarter to quarter and from country to country. In Peru, for
example, the number of botnet senders increased by almost 300 percent. Among our selected countries, India rose by
14 percent. Belarus dropped by 66 percent, Russia by 46 percent, and China by 31 percent.
[Figure: New Botnet Senders by country, monthly, JUL 2012 to JUN 2013. Panels: Argentina, Australia, Brazil, Canada, Chile, Colombia, France, China.]
[Figure: New Botnet Senders by country, monthly, JUL 2012 to JUN 2013. Panels: India, Russia, Italy, Spain, United States, United Kingdom, South Korea, Japan, Turkey, Germany.]
Messaging botnet prevalence
Our breakdown of botnets shows how the most widespread botnet families are represented in various countries around
the globe. Cutwail and Kelihos are the global leaders. Other notably predominant botnets:
Darkmailer in Belarus, Kazakhstan, Pakistan, and Indonesia
Cutwail in Greece, Vietnam, and Iran (greater than 60 percent)
Slenfbot in Belarus (81 percent)
Slenfbot in Japan and Ukraine
Kelihos in Germany, Italy, Argentina, and United Kingdom (greater than 40 percent)
These variances demonstrate that specific countries can have specific attackers.
[Figure: Botnets by country. Panels: Australia, Brazil, Chile, China, Colombia, Germany, India, Japan, Russia, South Korea, United Kingdom, United States. Legend: Cutwail, Festi, Kelihos, Maazben, Others, Slenfbot.]
Cybercrime
Malware, vulnerabilities, and hacking
[Timeline figure: April 2013 to June 2013]
Android.FakeAlert (undated)
APR 5: LivingSocial Hack
APR 11: WordPress Hack
APR 17: CVE-2013-2423 (Exploit Packs Updated)
APR 19: BadNews (in Google Play Apps)
MAY 1: CVE-2013-1347 (Dept. of Labor Hack)
MAY 3: Sirefef (Louisiana Board of Regents Hack)
Carberp for $5,000 (undated)
Carberp for Free (undated)
JUN 27: Generic PSW.o (Gulf States and Caribbean Phishing Campaign)
JUN 30: South Korea Hack
The scareware Android.Fakedefender, announced in June by various security companies, has apparently spread through
mobile environments since the end of March. Fakedefender locks up an infected device and displays fake security alerts
to convince victims to purchase an app in order to remove nonexistent malware or security risks.
April 5: LivingSocial, the daily deals site owned in part by Amazon, suffered a massive cyberattack on its computer
systems. The breach impacted 50 million customers of the Washington, D.C., company. They will now be required to
reset their passwords.[2]
April 11: The security firm CloudFlare warned of a brute-force attack against the WordPress administrative portals. A
botnet appeared to launch the attack and more than tens of thousands of unique IP addresses were recorded attempting
to hack WordPress installations, using the username admin and trying thousands of passwords.[3]
April 17: The Java exploit CVE-2013-2423 was publicly disclosed.[4] Its use was immediately incorporated into various
exploit kits such as WhiteHole, Cool, Neutrino, Styx, Sweet Orange, and others.
April 19: BadNews for millions of users: Malware discovered spreading inside apps in Google Play.[5]
May 1: Invincea reported that the US Department of Labor website was compromised to redirect visitors to a site
that executed a drive-by download exploit of Internet Explorer to install the Poison Ivy backdoor Trojan. Attributed to
the Chinese Deep Panda Group, this type of watering hole attack exploits a previously unknown and, at that time,
unpatched security bug in Microsoft's IE 8 browser (CVE-2013-1347).[6]
May 3: Another watering hole attack was detected on the Louisiana Board of Regents website.[7] It distributed the
Sirefef malware.
Around June 15, the Carberp banking Trojan toolkit was offered at just US$5,000 through an underground forum. The
previous price had been US$40,000.[8] A few days later, the download was available for free.
June 27: McAfee's Foundstone Incident Response team obtained a 3MB piece of malware (Generic PWS.o) that was sent
out during a phishing campaign. The campaign targeted several companies and institutes in the United Arab Emirates,
Oman, Bahrain, and a couple of Caribbean islands.[9]
June 30: The Seoul Central District Prosecutors' Office charged two South Koreans with cooperating with North Korean
hackers in China to run illegal websites and steal the personal information of millions of individuals. Investigators
discovered the personal data of 140 million South Koreans on their computers and believe they could have shared the
information with North Korea.[10]
The Bitcoin saga
[Timeline figure: April 2013 to June 2013]
FEB 28: 1 BTC = $33
MAR 3: DDoS at BitInstant
APR 3: DDoS at Mt. Gox
APR 10: 1 BTC = $266
APR 18: DDoS at Blockchain.info
APR 21: DDoS at Mt. Gox Delays Litecoin Support
MAY 14: Maryland District Court Rules Against Mt. Gox
MAY 16: WebMoney Offers WMX
MAY 22: Webroot Announces DIY Bitcoin Miner for Sale
JUN 12: BTC Phishing Campaign
JUN 21: 1 BTC = $110
JUN 23: DEA Announces Seizure of Bitcoins from Silk Road User
JUL 5: 1 BTC = $74
DDoS at Silk Road (undated)
Bitcoin (BTC) virtual money was in the news last quarter. At the end of February, it broke its June 2011 peak trading value,
at more than US$33.[11] Some days later, the BitInstant exchange service was forced to shut down after attackers walked
away with more than US$12,000 in BTC.[12] And that was just a warm-up for what happened this quarter.
In April, Tokyo-based Mt. Gox, the largest Bitcoin exchange service, suffered various DDoS attacks that disrupted business.
The first assault occurred around April 3; at that time the BTC exchange rate exceeded US$140 to 1 BTC.[13] On April 10, the
value leaped to US$266 before closing at US$125 the next day.[14] This keen interest resulted in 20,000 new accounts
created each day. The number of new user accounts opened at Mt. Gox went from 60,000 in all of March to 75,000 in
just the first few days of April.[15]
The sudden activity in this market of course attracted the interest of cybercriminals of all kinds. They engaged in further
DDoS actions against Mt. Gox, which had to delay its plan to support Litecoin,[16] and new ones against
Blockchain.info.[17] Silk Road, the notorious underground marketplace using Bitcoin as e-money, was taken down several times by
DDoS attacks.[18]
Lawmakers also paid attention to Mt. Gox. On May 14 the U.S. District Court in Maryland ordered the seizure of Mt. Gox's
funds, which were in an account with Dwolla, a payments company that transferred money from U.S. citizens to Mt. Gox
to buy and sell Bitcoins.[19]
In May WebMoney began offering purses, called WMX, denominated in Bitcoins. Bitcoins are transferred to an address
provided by WebMoney to fund the purse, and Bitcoins can be withdrawn to a Bitcoin address.[20] Bitcoins stored in a WMX
purse can be transferred to other purses. In this manner WebMoney can exchange Bitcoins for other currencies supported
by the service.
As the Bitcoin rate has increased, malicious Bitcoin miners have shown a growing interest by infecting victims with
malware that uses computer resources to mine Bitcoin without their knowledge. While the cybercriminals generate profits
the computers slow down. In May, for example, Webroot posted a blog about a marketplace to customize and buy such
malware.[21] It has been available for sale since the first days of February.
On June 13, security researcher Brian Krebs reported a phishing campaign using both Yahoo and Bing search engines and
targeting account holders at MtGox.com.[22]
On June 23 the US Drug Enforcement Administration (DEA) announced they seized 11.02 BTC from a Silk Road user in
April and charged him with intent to distribute drugs. The seized money was transferred into the DEA's BTC wallet.[23]
Actions against cybercriminals
During this quarter, we learned of a number of law enforcement efforts:
In April, the Russian Federal Security Service (FSB) and the Security Service of Ukraine (SBU) announced they arrested
several individuals believed to be involved in the development of the Carberp banking Trojan.[24] The leader of the group
was a 28-year-old Russian citizen. The rest of the group, some 20 individuals between 25 and 30 years old, were
arrested in Kiev, Zaporozhye, Lvov, Odessa, and Kherson.[25] The ring was said to be responsible for stealing US$250
million (€193 million) in Ukraine and Russia alone.
Hamza Bendelladj, a 24-year-old Algerian who was arrested in Thailand in January, was extradited to the United States in
April. Also known as Bx1, he was listed in a North District of Georgia indictment as a coconspirator who helped develop
SpyEye components. Known in the underground as Gribodemon and Harderman, the real name of his partner, the
presumed author of the SpyEye Trojan, was redacted in the indictment because he had not yet been arrested.[26]
On May 9, federal prosecutors unsealed charges against eight New York people linked with an international cybertheft
ring accused of stealing US$45 million from banks around the globe. The alleged crooks used prepaid MasterCard debit
cards that were issued by the National Bank of Ras Al-Khaimah PSC, located in the United Arab Emirates, and the Bank
of Muscat, in Oman. The defendants withdrew US$2.8 million from New York banks in two separate attacks this past
December and February.[27] While the eight were taking the money from the New York banks, additional coconspirators
made more than US$42 million in withdrawals at other banks across the world.
In May, the founder of digital currency system Liberty Reserve was indicted in the United States along with six other
people for a US$6 billion money-laundering scheme.[28] Arthur Budovsky, a Costa Rican citizen of Ukrainian origin and the
founder of the currency system, was arrested in Spain, while others were arrested in Costa Rica and New York. Police in
Costa Rica also raided three homes and five businesses linked to Liberty Reserve, according to the Associated Press. The
digital currency's site is now offline, with its front page replaced by a notice saying that the domain had been seized by
the United States Global Illicit Financial Team.
Liberty Reserve was incorporated in Costa Rica in 2006 and had at least 200,000 customers in the United States.
Suspected of helping cybercriminals in their businesses, it failed to register in the United States as a money-transmitting
service. In the same vein, on June 4 the WM Center e-currency exchange was seized by the US government and closed.[29]
Accompanied by US Marshals, Microsoft technicians seized servers at two data centers in New Jersey and Pennsylvania
on June 5, and with the help of the FBI coordinated with computer emergency response teams and registrars in
87 countries to sinkhole domains used by the 1,452 botnets built with the Citadel malware.[30]
Some security researchers criticized this operation, saying it disrupted their ongoing security research efforts by siphoning off the malicious data
they had been tracking.[31] Others claimed the long-term effect of this particular takedown will likely be insignificant.[32]
In June, the United Kingdom's Serious Organised Crime Agency announced eleven arrests in a case involving cooperation
from the Vietnamese High-Tech Crime Unit, the Criminal Investigative Division of the Ministry of Public Security of
Vietnam, the Metropolitan Police Central e-Crime Unit, and the FBI. Eight criminals were arrested in Vietnam and three
additional arrests were made in the United Kingdom. All suspects were associated with the mattfeuter family of
websites, on which allegedly approximately 16,000 members bought and sold more than 1.1 million credit card data,
facilitating more than US$200 million worth of fraud worldwide.[33]
In June, US federal officials charged eight members of a Ukrainian cybercrime ring after they allegedly tried to illegally
access the networks of a number of financial institutions, including Citibank, JP Morgan Chase, TD Ameritrade, and
PayPal, along with the US Department of Defense's Finance and Accounting Services.[34] From March 2012 to June 2013,
the suspects hacked into these servers, embezzling money from legitimate bank accounts to feed debit cards and cashing
out the accounts via ATMs and by making fake purchases as part of what the federal complaint calls the Sharapka Cash
Out Organization.
In France, investigators from OCLCTIC and DCP dismantled a gang of alleged criminals specializing in financial hacking
and arrested five people in June. The crooks may have made €9 million via online shopping. In total, they were able to
divert the bank data of 27,000 people. The money collected was later used to purchase high-end hardware.[35]
Hacktivism
This quarter's activities clearly demonstrated that hacktivists exist in many camps and support many ideologies.
[Timeline figure: April 2013 to June 2013]
APR 3: #OpNorthKorea Release #2
APR 7: #OpIsraelReloaded
MAY 7: #OpUSA
MAY 16: South African Police Hacked
JUN 4: #OpTurkey
JUN 20: #OpPetrol
On April 3, OpNorthKorea Release #2 was announced on Pastebin.[36] It demanded the resignation of North Korean
leader Kim Jong-un, the abandonment of nuclear ambitions, and universal and uncensored Internet access to citizens.
Several websites serving the regime were blocked (via DDoS) or defaced throughout the month. A statement purporting
to come from Anonymous said that they had compromised 15,000 user records hosted on North Korean propaganda site
uriminzokkiri.com. However, when one side makes a statement, the other is likely to reply: During the last week of June,
government websites in both North and South Korea were targeted by attackers who claimed to operate under the banner
of Anonymous. (A so-called official Anonymous channel has denied via tweet having any involvement in the South Korean
attacks.) Some researchers suspect the attackers were the North Korean Whois Team, which frequently uses skull bullets
as a symbol of their group. (For more on related attacks, see Operation Troy, page 4.)
After #OpIsrael, which we covered in last quarter's Threats Report, around 30 hacktivist collectives from around the world
decided to continue the confrontation.[37] On April 7, they announced #OpIsraelReloaded. The hackers say they've caused
massive damage, but Israeli officials have downplayed the incident, saying the attacks have caused hardly any real losses.[38]
The hacker Dr FreeDom claims a leak of 30,000 Visa card consumer details.[39]
These hacks also brought about reprisals. The pro-Israel hacker team Israel Elite Force revealed several names of suspected
#OpIsraelReloaded attackers on a dedicated website. Those named are from Jordan, India, and Lebanon. Other Israeli
supporters defaced the Anonymous #OpIsrael website.[40]
Operations against the United States and other Western interests were started under the names #OpUSA (May 7-9) and
#OpPetrol (June 20).[41]
These operations appeared to take place under the Anonymous banner, but when we looked at the attackers' signatures,
we discovered mostly Middle Eastern and North African-based hacker groups acting contrary to the
ideals of freedom.
Many of these movements are associated with AnonGhost, a hacker team fond of using jihad themes. It is clear that
Middle Eastern sympathizers of all stripes enjoy conducting their protests under the cover of Anonymous.
In June, the protest movement in Turkey led Anonymous to launch #OpTurkey, a hack of the website of the Radio and
Television Supreme Council (RTUK). Cyberarmies were also active. The Syrian Electronic Army supported President Bashar
al-Assad's government by shutting down and defacing various official Turkish websites.[42] Two collectives hacked into the
Turkish Prime Ministry's network and accessed email addresses, passwords, and phone numbers belonging to Prime Minister
Tayyip Erdogan's staff. (Erdogan has been a vocal critic of Assad's actions in the Syrian civil war.) Another group, the Crescent
and Star Team, targeted Turkey's Is Bank, which was said to be among the supporters of the Taksim Gezi Park protests.[43]
These events demonstrate the growth of hacktivism and show that attacks launched under the Anonymous banner are
only a part of the problem.
In a high-profile doxing campaign (publicly exposing private information) in South Africa, Anonymous hacked into an
anonymous whistleblower website run by the South Africa Police Service and revealed the identities of thousands of its
users, possibly jeopardizing their safety.[44]
The legal side also made news this quarter:
In April, contradictory reports about hackers arrested in connection with #OpIsrael circulated in Tunisia, Jordan, and
Morocco. Whether or not the news was true, these states were threatened for their actions.
Members of the notorious LulzSec hacking gang have been sent to jail:[45]
Jake Davis (aka Topiary): 24 months for the ring leader
Ryan Cleary (aka Viral): 32 months, will serve half that time
Mustafa Al-Bassam (aka T-Flow): 20 months suspended for two years, and 300 hours of community service
Ryan Ackroyd (aka Kayla): 30 months, will serve half that time
In April, the FBI raided an Anonymous hacker house suspected of having exposed the Steubenville Rapists. Known as
KYAnonymous, the suspect is said to be the leader of KnightSec, the Anonymous offshoot that carried out Operation
Roll Red Roll, which targeted Steubenville over the rape by two football players of a 16-year-old girl.[46]
In May, Italian police arrested four alleged hackers between the ages of 20 and 34. They are accused of monitoring the
Italian branch of the Anonymous network.[47] Six more people were placed formally under investigation and a total of
10 premises were raided at the conclusion of the two-year police investigation Tango Down.
Cyberarmies
The Syrian Electronic Army and the Izz ad-Din al-Qassam Cyber Fighters are often in the spotlight and attracted attention
again this quarter.
In the last two Threats Reports of 2012, we introduced the Iranian group Izz ad-Din al-Qassam Cyber Fighters after they
claimed responsibility for various cyberattacks launched that year on US banks and financial-services companies. Tied to
Iran, those actions are now known as Operation Ababil. They continued this quarter, as we see in the following graphic:
[Timeline figure: April 2013 to May 2013]
APR 2: BB&T
APR 3: Bank of America, Regions Bank
APR 4: Wells Fargo, BB&T
APR 9: Chase, Bank of America, Capital One, American Express, BB&T, Wells Fargo
APR 10: Chase, PNC, American Express, Citizens Bank, Regions Bank
APR 11: Key Bank, HSBC
APR 16: Regions Bank, Capital One, Principal
APR 17: Regions Bank
APR 18: Ameriprise Financial, Citizens Bank, M&T Bank
APR 23-24: BB&T
MAY 1: Key Bank, BBVA, Schwab Bank
MAY 2: Union Bank
On May 6, the Cyber Fighters announced they had stopped the attacks so as to not interfere with #OpUSA. On June 12,
Google said in a blog that it had tracked a significant jump in the overall volume of phishing activity in and around
Iran as its election neared.[48] Some researchers have suggested many attackers focused their skills and firepower internally,
perhaps to gather intelligence about groups and individuals supporting specific candidates.[49]
The Syrian Electronic Army supports President Assad. This quarter, they continued their actions against media and
government targets:
[Timeline figure: Syrian Electronic Army actions, April 2013 to June 2013; the dated entries follow as text.]
April 16: NPR media network hacked; website defaced
April 20: Four Twitter accounts belonging to CBS News programs compromised
April 22: Two FIFA World Cup Twitter accounts hacked
April 23: Hacked AP Twitter feed announced to millions of followers that there had been two explosions in the
White House, leaving President Barack Obama injured. The news disrupts the US stock exchange, briefly wiping out
US$136.5 billion in gains and leaving AP's Twitter feeds suspended.[50]
April 29: 11 Guardian accounts breached
May 7: Satire publication The Onion has Twitter account hacked
May 17: Financial Times website and Twitter feeds hacked
May 20: The group claimed to have hacked the Saudi Arabian Ministry of Defense email system and distributed several
confidential mail exchanges
May 21: Twitter and Facebook accesses for The Telegraph hacked
May 25: Israel declared the SEA tried to enter the computers of the Haifa water system
May 25: ITV News London hacked
May 26: Sky Android apps and Twitter account hacked
June 5: Some Turkish government websites jointly breached by Turkish hackers and the SEA
About the Authors
This report was prepared and written by Toralv Dirro, Paula Greve, Haifei Li, François Paget, Vadim Pogulievsky, Craig
Schmugar, Jimmy Shah, Ryan Sherstobitoff, Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu of McAfee Labs.
About McAfee Labs
McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors
(malware, web, email, network, and vulnerabilities), McAfee Labs gathers intelligence from its millions of sensors and its cloud-
based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries
follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and
enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/us/threat-center.aspx
About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and
home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions
and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy,
innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly
focused on keeping its customers safe. http://www.mcafee.com/
1 http://www.mcafee.com/uk/resources/white-papers/wp-dissecting-operation-troy.pdf
2 http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
3 http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
4 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423
5 http://blogs.mcafee.com/consumer/badnews-for-good-people
6 http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
7 http://news.softpedia.com/news/State-of-Louisiana-Website-Hacked-Spreads-Sirefef-Malware-350944.shtml
8 http://www.theregister.co.uk/2013/06/18/carberp_trojan_source_code_sale/
9 http://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean
10 http://english.chosun.com/site/data/html_dir/2013/04/08/2013040800970.html
11 http://www.bbc.co.uk/news/technology-21601608
12 http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html
13 https://mtgox.com/press_release_20130404.html
14 http://dollarvigilante.com/blog/2013/4/17/bitcoin-price-march-15-april-14-2013-the-bubble-heard-round-.html
15 https://mtgox.com/press_release_20130411.html
16 https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
17 http://news.softpedia.com/news/Bitcoin-Block-Explorer-Blockchain-info-Disrupted-by-DDOS-Attack-346497.shtml
18 http://www.wired.co.uk/news/archive/2013-05/3/silk-road-ddos
19 https://s3.amazonaws.com/s3.documentcloud.org/documents/701175/mt-gox-dwolla-warrant-idg-news-service.pdf
20 http://blog.wmtransfer.com/en/blog/wmx-the-new-type-of-title-units
21 http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
22 http://krebsonsecurity.com/2013/06/mtgox-phishing-campaign-hits-bing-yahoo/
23 http://techcrunch.com/2013/06/27/the-dea-seized-bitcoins-in-a-silk-road-drug-raid/
24 http://sbu.gov.ua/sbu/control/uk/publish/article?art_id=116410&cat_id=39574
25 http://www.net-security.org/malware_news.php?id=2458
26 http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
27 http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051
28 http://www.wired.com/threatlevel/2013/05/liberty-reserve-indicted/
29 http://www.coindesk.com/wm-center-e-currency-exchange-seized-by-us-government/
30 http://www.eweek.com/security/microsoft-fbi-shutter-citadel-botnets-seeking-to-end-500m-crime-spree/
31 http://www.infoworld.com/t/security/microsoft-accused-of-friendly-fire-in-citadel-botnet-takedown-220438
32 http://nakedsecurity.sophos.com/2013/06/12/microsoft-citadel-takedown/
33 http://garwarner.blogspot.fr/2013/06/vietnamese-carders-arrested-in.html
34 https://threatpost.com/feds-bust-cybercrime-ring-targeting-payroll-financial-firms/
35 http://www.leparisien.fr/espace-premium/actu/les-pirates-du-net-pillent-27-000-coordonnees-bancaires-12-06-2013-2888529.php
36 http://pastebin.com/4g44jfNF
37 http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q1-2013.pdf
38 http://news.softpedia.com/news/Hacktivists-Target-Over-100-000-Israeli-Sites-Officials-Say-There-s-No-Real-Damage-343610.shtml
39 http://technologynewsforday.wordpress.com/2013/04/07/30000-visa-cards-leaked-by-dr-freedom/
40 http://www.dreuz.info/2013/04/attaque-danonymous-israel-leur-a-mis-la-honte-le-w00t-ultime/
41 http://news.softpedia.com/news/Anonymous-Hackers-to-Launch-OpPetrol-on-June-20-Video-352816.shtml
42 http://www.ibtimes.com/opturkey-syrian-electronic-army-joins-anonymous-turkey-protests-hacks-erdogans-network-access-staff
43 http://www.worldbulletin.net/?ArticleID=111010&aType=haber
44 http://www.wired.co.uk/news/archive/2013-05/22/south-africa-whistleblower-leak
45 http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-Home-Office-agency.html
46 http://gawker.com/the-fbi-raided-steubenville-anonymous-guys-house-here-511634071
47 http://www.pcworld.com/article/2039020/police-arrest-anonymous-suspects-in-italy.html
48 http://googleonlinesecurity.blogspot.fr/2013/06/iranian-phishing-on-rise-as-elections.html
49 http://krebsonsecurity.com/2013/06/iranian-elections-bring-lull-in-bank-attacks/#more-21113