Symantec Intelligence Report: February 2015

Upload: symantec

Post on 17-Jul-2015


Symantec Corporation Symantec Intelligence Report :: FEBRUARY 2015

CONTENTS

Summary

TARGETED ATTACKS + DATA BREACHES
  Targeted Attacks
    Attachments Used in Spear-Phishing Emails
    Spear-Phishing Attacks by Size of Targeted Organization
    Average Number of Spear-Phishing Attacks Per Day
    Top-Ten Industries Targeted in Spear-Phishing Attacks
  Data Breaches
    Timeline of Data Breaches
    Top-Ten Types of Information Breached

MALWARE TACTICS
  Malware Tactics
    Top-Ten Malware
    Top-Ten Mac OSX Malware Blocked on OSX Endpoints
  Vulnerabilities
    Number of Vulnerabilities
    Zero-Day Vulnerabilities
    Browser Vulnerabilities
    Plug-in Vulnerabilities

MOBILE THREATS
  Mobile
    Mobile Malware Families by Month, Android

PHISHING, SPAM + EMAIL THREATS
  Phishing and Spam
    Phishing Rate
    Global Spam Rate
  Email Threats
    Proportion of Email Traffic Containing URL Malware
    Proportion of Email Traffic in Which Virus Was Detected

About Symantec

More Information


Summary

Welcome to the February edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

W32.Ramnit!html was the most common malware blocked in February. W32.Ramnit variants have dominated the top-ten malware list for quite some time. However, near the end of the month, a law enforcement operation led by Europol and assisted by Symantec, Microsoft, and a number of other industry partners, seized infrastructure owned by the cybercrime group behind Ramnit. It is likely that Ramnit’s placement within the top ten list will be impacted by these actions in the coming months.

The largest data breach reported during February took place in January, and resulted in the exposure of 80 million identities. There were six data breaches reported in February that took place during the same month. This number is likely to rise as more data breaches that occurred during the month are reported.

In other news, the average number of spear-phishing attacks rose to 65 per day in February, up from 42 in January. There were 400 vulnerabilities and one zero-day vulnerability disclosed during February.

We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.

Ben Nahorney, Cyber Security Threat Analyst

TARGETED ATTACKS + DATA BREACHES

At a Glance

• The average number of spear-phishing attacks rose to 65 per day in February, up from 42 in January.

• The .doc file type was the most common attachment type used in spear-phishing attacks. The .txt file type came in second.

• Organizations with 2500+ employees were the most likely to be targeted in February.

• Finance, Insurance, & Real Estate lead the Top-Ten Industries targeted, followed by Manufacturing.

Targeted Attacks

[Figure: Average Number of Spear-Phishing Attacks Per Day. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

Attachments Used in Spear-Phishing Emails
Source: Symantec :: FEBRUARY 2015

Attachment type   February   January
.doc              27.6%      46.1%
.txt              21.0%      8.3%
.xls              16.2%      7.8%
.scr              12.6%      –
.rar              7.6%       –
.rtf              4.9%       1.3%
.zip              2.3%       –
.exe              2.3%       2.0%
.bin              0.9%       8.0%
.ppsx             0.4%       –

Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec :: FEBRUARY 2015

Organization Size   February   January
1-250               29.1%      35.2%
251-500             9.0%       7.8%
501-1000            8.0%       14.7%
1001-1500           3.8%       4.3%
1501-2500           6.2%       5.3%
2500+               43.8%      32.7%

Top-Ten Industries Targeted in Spear-Phishing Attacks
Source: Symantec :: FEBRUARY 2015

Industry                                                           Percentage
Finance, Insurance & Real Estate                                   31%
Manufacturing                                                      19%
Wholesale                                                          13%
Services - Non Traditional                                         13%
Services - Professional                                            10%
Transportation, Communications, Electric, Gas & Sanitary Services  5%
Construction                                                       1%
Mining                                                             0%
Information Technology                                             0%


Data Breaches

At a Glance

• There were six data breaches reported in February that took place during the same month. This number is likely to rise as more data breaches that occurred during the month are reported.

• The largest data breach reported during February took place in January, and resulted in the exposure of 80 million identities.

• Real names, home addresses, and government ID numbers, such as Social Security numbers, are currently the top three types of data exposed in data breaches.

[Figure: Timeline of Data Breaches, showing number of incidents and identities exposed (millions). Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

Top-Ten Types of Information Breached
Source: Symantec :: MARCH 2014 — FEBRUARY 2015

Rank   Type of information         Percentage
01     Real Names                  67%
02     Home Address                46%
03     Gov ID numbers (Soc Sec)    44%
04     Financial Information       35%
05     Birth Dates                 33%
06     Email Addresses             24%
07     Medical Records             24%
08     Phone Numbers               22%
09     Usernames & Passwords       17%
10     Insurance                   9%

Methodology

This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information.

In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.

MALWARE TACTICS

Malware Tactics

At a Glance

• W32.Ramnit!html was the most common malware blocked in February.

• W32.Ramnit variants continue to dominate the top-ten malware list.

• The most common threat seen on OSX was OSX.RSPlug.A, making up 15.7 percent of all OSX malware found on OSX endpoints.

Top-Ten Malware
Source: Symantec :: FEBRUARY 2015

Rank   Name                   February   January
1      W32.Ramnit!html        6.3%       6.5%
2      W32.Sality.AE          5.7%       5.5%
3      W32.Almanahe.B!inf     4.7%       5.8%
4      W32.Ramnit.B           4.5%       4.4%
5      W32.Downadup.B         2.9%       2.7%
6      W32.Ramnit.B!inf       2.7%       2.7%
7      W32.SillyFDC.BDP!lnk   2.0%       2.1%
8      W32.Virut.CF           1.9%       1.7%
9      Infostealer            1.7%       –
10     W32.Chir.B@mm(html)    1.3%       –

Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Source: Symantec :: FEBRUARY 2015

Rank   Malware Name      February   January
1      OSX.RSPlug.A      15.7%      19.2%
2      OSX.Keylogger     14.6%      18.9%
3      OSX.Klog.A        12.3%      9.3%
4      OSX.Flashback.K   9.2%       3.2%
5      OSX.Wirelurker    6.0%       10.5%
6      OSX.Flashback     5.4%       3.2%
7      OSX.Luaddit       5.1%       8.0%
8      OSX.Stealbit.B    3.6%       6.1%
9      OSX.Crisis        2.8%       –
10     OSX.Freezer       2.6%       2.6%

Vulnerabilities

At a Glance

• There were 400 vulnerabilities disclosed during the month of February.

• There was one zero-day vulnerability disclosed during February.

• Microsoft Internet Explorer reported the most browser vulnerabilities during the month of February.

• Adobe, reporting on the Acrobat and Flash programs, disclosed the most plug-in vulnerabilities over the same time period.

[Figure: Number of Vulnerabilities. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

[Figure: Zero-Day Vulnerabilities. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

[Figure: Browser Vulnerabilities, by browser: Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Apple Safari. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

[Figure: Plug-in Vulnerabilities, by plug-in: Java, Apple, Adobe, ActiveX. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

MOBILE THREATS

Mobile

[Figure: Mobile Malware Families by Month, Android. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

At a Glance

• There were no new Android malware families discovered in February.

PHISHING, SPAM + EMAIL THREATS

Phishing and Spam

[Figure: Phishing Rate (1 in N emails). Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

At a Glance

• The phishing rate declined in February, at one in 1,466 emails, down from one in 1,004 emails in January.

• The global spam rate was 54 percent for the month of February.

• One out of every 237 emails contained a virus.

• Of the email traffic in the month of February, 3 percent contained a malicious URL.

[Figure: Global Spam Rate (percent). Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

Email Threats

[Figure: Proportion of Email Traffic Containing URL Malware (percent). Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

[Figure: Proportion of Email Traffic in Which Virus Was Detected. Source: Symantec :: MARCH 2014 — FEBRUARY 2015]

About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

More Information

• Symantec Worldwide: http://www.symantec.com/

• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/

• Symantec Security Response: http://www.symantec.com/security_response/

• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/

• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/

For specific country offices and contact numbers, please visit our website.

For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners