symantec intelligence report july 2015
SYMANTEC INTELLIGENCE REPORT
JULY 2015
2 | July 2015
Symantec Intelligence Report
Summary
July in Numbers
Targeted Attacks & Phishing
  Top 10 Industries Targeted in Spear-Phishing Attacks
  Spear-Phishing Attacks by Size of Targeted Organization
  Phishing Rate
  Proportion of Email Traffic Identified as Phishing by Industry Sector
  Proportion of Email Traffic Identified as Phishing by Organization Size
Vulnerabilities
  Total Number of Vulnerabilities
  Zero-Day Vulnerabilities
  Vulnerabilities Disclosed in Industrial Control Systems
Malware
  New Malware Variants
  Top 10 Mac OSX Malware Blocked on OSX Endpoints
  Ransomware Over Time
  Crypto-Ransomware Over Time
  Proportion of Email Traffic in Which Malware Was Detected
  Percent of Email Malware as URL vs. Attachment by Month
  Proportion of Email Traffic Identified as Malicious by Industry Sector
  Proportion of Email Traffic Identified as Malicious by Organization Size
Mobile & Social Media
  Android Mobile Malware Families by Month
  New Android Variants per Family by Month
  Social Media
Spam
  Overall Email Spam Rate
  Proportion of Email Traffic Identified as Spam by Industry Sector
  Proportion of Email Traffic Identified as Spam by Organization Size
About Symantec
More Information
Welcome to the July edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 57.6 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Intelligence, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.
Summary
Last month we reported how the spam rate had dropped below 50 percent of email traffic.
Almost as if in response to this seemingly watershed moment, the spam rate went up slightly
in July, just crossing the midpoint mark again with a percentage of 50.1. While this is the
first time the spam rate has increased in more than a year, we still anticipate that the rate
will continue its slow, downward trajectory in the months to come.
The Manufacturing and Wholesale industries both saw significant increases in targeted
attack activity in July, where both industries were up eight percentage points from June.
Enterprises with more than 2500 employees were the most commonly targeted organization
size during the month.
The number of vulnerabilities disclosed was up as well in July. There were 579 vulnerabilities
reported, in comparison to 526 in June. Of particular note were six zero-day vulnerabilities
discovered during the month—the highest number seen in more than a year. Four of these
zero-day vulnerabilities—three for Adobe Flash Player and one for Microsoft Windows—
were discovered in the data cache of the Italian covert surveillance and espionage software
company, Hacking Team, which suffered a data breach in early July.
There were 53.7 million new pieces of malware discovered in July. While down slightly from
June, this is still well above the 40.3 million average seen over the last twelve months.
Ransomware has also declined slightly this month, though there have been modest increases
in the amount of crypto-ransomware seen in July. There was also a slight decrease in
malware detected in email traffic during the month, though the Agriculture, Forestry, &
Fishing industry remained on top of the list of sectors most likely to receive malicious emails.
In contrast, four mobile malware families were released onto the mobile malware landscape
in July, the highest number seen in one month during 2015. The number of mobile malware
variants also continues to trend upwards, where 42 Android malware variants were seen per
family during July.
We hope that you enjoy this month’s report and feel free to contact us with any comments or
feedback.
Ben Nahorney, Cyber Security Threat Analyst
JULY IN NUMBERS
Targeted Attacks & Phishing

Top 10 Industries Targeted in Spear-Phishing Attacks
• The Manufacturing and Wholesale sectors were the first and second most targeted industries in July. These industries each saw an eight percentage point increase in spear-phishing attacks.
[Figure: bar chart comparing July and June percentages for Nonclassifiable Establishments; Public Administration; Construction; Retail; Transportation, Communications, Electric, Gas, & Sanitary Services; Services - Non Traditional; Finance, Insurance, & Real Estate; Services - Professional; Wholesale; and Manufacturing. Source: Symantec]

Spear-Phishing Attacks by Size of Targeted Organization
• Large enterprises were the target of 34.1 percent of spear-phishing attacks in July, up from 25.1 percent in June. In contrast, 33.2 percent of attacks were directed at organizations with fewer than 250 employees.

| Company Size | July | June |
|---|---|---|
| 1-250 | 33.2% | 38.1% |
| 251-500 | 12.6% | 15.2% |
| 501-1000 | 7.7% | 9.0% |
| 1001-1500 | 3.0% | 9.9% |
| 1501-2500 | 9.3% | 2.7% |
| 2501+ | 34.1% | 25.1% |

Source: Symantec
Phishing Rate
• The overall phishing rate has increased this month, where one in 1,628 emails was a phishing attempt.
[Figure: Phishing Rate by month, expressed as 1 in N emails, for the 12 months through July 2015. Inverse graph: smaller number = greater risk. Source: Symantec]

Proportion of Email Traffic Identified as Phishing by Industry Sector
• The Agriculture, Forestry, & Fishing sector was again the most targeted industry overall for phishing attempts in July, where phishing comprised one in every 837.1 emails. This rate has been higher than any other industry since April.

| Industry | July | June |
|---|---|---|
| Agriculture, Forestry, & Fishing | 1 in 837.1 | 1 in 1,469.9 |
| Services - Non Traditional | 1 in 1,320.5 | 1 in 3,977.5 |
| Finance, Insurance, & Real Estate | 1 in 1,357.6 | 1 in 2,901.7 |
| Public Administration | 1 in 1,359.2 | 1 in 2,367.3 |
| Nonclassifiable Establishments | 1 in 1,564.4 | 1 in 2,753.1 |
| Services - Professional | 1 in 1,566.8 | 1 in 2,750.3 |
| Mining | 1 in 2,017.1 | 1 in 3,120.1 |
| Construction | 1 in 2,241.5 | 1 in 3,003.1 |
| Wholesale | 1 in 2,343.8 | 1 in 4,142.5 |
| Transportation, Communications, Electric, Gas, & Sanitary Services | 1 in 3,114.3 | 1 in 4,495.4 |

Source: Symantec.cloud
Proportion of Email Traffic Identified as Phishing by Organization Size
• Small companies with fewer than 250 employees were again the most targeted organization size in July.

| Company Size | July | June |
|---|---|---|
| 1–250 | 1 in 1,288.9 | 1 in 1,552.5 |
| 251–500 | 1 in 1,613.7 | 1 in 2,553.7 |
| 501–1000 | 1 in 1,899.6 | 1 in 3,051.4 |
| 1001–1500 | 1 in 2,209.9 | 1 in 3,443.2 |
| 1501–2500 | 1 in 2,045.5 | 1 in 3,552.6 |
| 2501+ | 1 in 1,872.3 | 1 in 3,624.5 |

Source: Symantec.cloud
Vulnerabilities

Total Number of Vulnerabilities
• The number of vulnerabilities disclosed increased in July, up from 526 in June to 579 reported during the month.
[Figure: Total Number of Vulnerabilities by month, for the 12 months through July 2015. Source: Symantec]

Zero-Day Vulnerabilities
• There were six zero-day vulnerabilities disclosed in July, three of which exploit the Adobe Flash Player.
[Figure: Zero-Day Vulnerabilities by month, for the 12 months through July 2015. Source: Symantec]
Vulnerabilities Disclosed in Industrial Control Systems
• Three vulnerabilities in industrial control systems were reported by one vendor in July.
[Figure: Vulnerabilities Disclosed in Industrial Control Systems by month, for the 12 months through July 2015, with two series: Vulnerabilities and Unique Vendors. Source: Symantec]

Methodology
In some cases the details of a vulnerability are not publicly disclosed during the same month that it was initially discovered. In these cases, our vulnerability metrics are updated to reflect the time that the vulnerability was discovered, as opposed to the month it was disclosed. This can cause fluctuations in the numbers reported for previous months when a new report is released.
Malware

New Malware Variants
• There were more than 53.7 million new pieces of malware created in July. While down from June, this is still well above the 40.3 million average seen over the last twelve months.
[Figure: New Malware Variants by month, in millions, for the 12 months through July 2015. Source: Symantec]

Top 10 Mac OS X Malware Blocked on OS X Endpoints
• OSX.RSPlug.A continues to be the most commonly seen OS X threat on OS X endpoints in July.

| Rank | Malware Name | July Percentage | Malware Name | June Percentage |
|---|---|---|---|---|
| 1 | OSX.RSPlug.A | 61.9% | OSX.RSPlug.A | 29.5% |
| 2 | OSX.Wirelurker | 10.0% | OSX.Keylogger | 11.6% |
| 3 | OSX.Crisis | 8.4% | OSX.Klog.A | 8.9% |
| 4 | OSX.Keylogger | 4.8% | OSX.Luaddit | 7.8% |
| 5 | OSX.Klog.A | 3.5% | OSX.Wirelurker | 7.1% |
| 6 | OSX.Luaddit | 1.8% | OSX.Flashback.K | 5.4% |
| 7 | OSX.Stealbit.B | 1.3% | OSX.Stealbit.B | 4.3% |
| 8 | OSX.Flashback.K | 1.3% | OSX.Freezer | 3.2% |
| 9 | OSX.Freezer | 1.1% | OSX.Netweird | 2.9% |
| 10 | OSX.Netweird | 0.8% | OSX.Okaz | 2.5% |

Source: Symantec
Ransomware Over Time
• Ransomware attacks were down slightly in July, where over 413 thousand attacks were detected.
[Figure: Ransomware Over Time by month, in thousands, for the 12 months through July 2015. Source: Symantec]

Crypto-Ransomware Over Time
• Crypto-ransomware was up during July, setting another high for 2015.
[Figure: Crypto-Ransomware Over Time by month, in thousands, for the 12 months through July 2015. Source: Symantec]
Proportion of Email Traffic in Which Malware Was Detected
• The proportion of email traffic containing malware decreased again this month, down to the lowest levels seen since October of last year.
[Figure: Proportion of Email Traffic in Which Malware Was Detected by month, expressed as 1 in N emails, for the 12 months through July 2015. Inverse graph: smaller number = greater risk. Source: Symantec]

Percent of Email Malware as URL vs. Attachment by Month
• The percentage of email malware that contains a URL remained low this month, hovering around three percent.
[Figure: Percent of Email Malware as URL vs. Attachment by Month, for the 12 months through July 2015. Source: Symantec]
Proportion of Email Traffic Identified as Malicious by Industry Sector
• Agriculture, Forestry, & Fishing was the most targeted sector in July, where one in every 252.7 emails contained malware.

| Industry | July | June |
|---|---|---|
| Agriculture, Forestry, & Fishing | 1 in 252.7 | 1 in 231.6 |
| Services - Non Traditional | 1 in 280.1 | 1 in 365.3 |
| Public Administration | 1 in 288.9 | 1 in 245.9 |
| Wholesale | 1 in 333.3 | 1 in 301.6 |
| Services - Professional | 1 in 338.0 | 1 in 305.8 |
| Construction | 1 in 376.3 | 1 in 305.8 |
| Transportation, Communications, Electric, Gas, & Sanitary Services | 1 in 392.4 | 1 in 230.2 |
| Finance, Insurance, & Real Estate | 1 in 416.4 | 1 in 481.5 |
| Mining | 1 in 438.3 | 1 in 371.5 |
| Nonclassifiable Establishments | 1 in 519.5 | 1 in 497.7 |

Source: Symantec.cloud

Proportion of Email Traffic Identified as Malicious by Organization Size
• Organizations with 251-500 employees were most likely to be targeted by malicious email in the month of July, where one in 259.5 emails was malicious.

| Company Size | July | June |
|---|---|---|
| 1-250 | 1 in 275.8 | 1 in 255.6 |
| 251-500 | 1 in 259.5 | 1 in 232.9 |
| 501-1000 | 1 in 351.1 | 1 in 318.1 |
| 1001-1500 | 1 in 389.5 | 1 in 292.2 |
| 1501-2500 | 1 in 373.2 | 1 in 164.0 |
| 2501+ | 1 in 401.7 | 1 in 472.4 |

Source: Symantec.cloud
Mobile & Social Media

Android Mobile Malware Families by Month
• In July there were four new mobile malware families discovered.
[Figure: Android Mobile Malware Families by Month, for the 12 months through July 2015. Source: Symantec]

New Android Variants per Family by Month
• There was an average of 42 Android malware variants per family in the month of July.
[Figure: New Android Variants per Family by Month, for the 12 months through July 2015. Source: Symantec]
Social Media
• In the last twelve months, 82 percent of social media threats required end users to propagate them.
• Fake offerings comprised 12 percent of social media threats.
[Figure: Social Media, last 12 months, percentage by category: Manual Sharing, Fake Offering, Likejacking, Fake Apps, Comment Jacking. Source: Symantec]
Manual Sharing – These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
Fake Offering – These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
Likejacking – Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
Fake Apps – Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.
Comment Jacking – This attack is similar to Likejacking: the attacker tricks the user into submitting a comment about a link or site, which will then be posted to his/her wall.
Spam

Overall Email Spam Rate
• The overall email spam rate in July was 50.1 percent, up 0.4 percentage points from June.

| Month | Spam Rate | Change |
|---|---|---|
| July | 50.1% | +0.4% pts |
| June | 49.7% | -1.8% pts |
| May | 51.5% | -0.6% pts |

Source: Symantec

Proportion of Email Traffic Identified as Spam by Industry Sector
• At 55.7 percent, the Mining sector again had the highest spam rate during July. The Manufacturing sector came in second with 53.8 percent.

| Industry | July | June |
|---|---|---|
| Mining | 55.7% | 56.1% |
| Manufacturing | 53.8% | 53.7% |
| Retail | 53.0% | 53.1% |
| Construction | 53.0% | 53.3% |
| Services - Professional | 52.5% | 52.6% |
| Agriculture, Forestry, & Fishing | 52.2% | 52.3% |
| Wholesale | 52.1% | 52.2% |
| Nonclassifiable Establishments | 52.0% | 52.5% |
| Finance, Insurance, & Real Estate | 51.9% | 51.9% |
| Services - Non Traditional | 51.9% | 53.0% |

Source: Symantec.cloud
Proportion of Email Traffic Identified as Spam by Organization Size
• While all organization sizes had around a 52 percent spam rate, organizations with 251-500 employees had the highest rate at 52.6 percent.

| Company Size | July | June |
|---|---|---|
| 1–250 | 52.3% | 52.8% |
| 251–500 | 52.6% | 53.2% |
| 501–1000 | 52.3% | 52.4% |
| 1001–1500 | 51.9% | 51.9% |
| 1501–2500 | 52.2% | 52.1% |
| 2501+ | 52.4% | 52.3% |

Source: Symantec.cloud
About Symantec
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2014, it recorded revenues of $6.7 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

More Information
• Symantec Worldwide: http://www.symantec.com/
• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
• Symantec Security Response: http://www.symantec.com/security_response/
• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/

For specific country offices and contact numbers, please visit our website.
For product information in the U.S., call toll-free 1 (800) 745 6054.
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners