McAfee Threats Report: Second Quarter 2013

By McAfee Labs

Table of Contents

Introduction 3
Operation Troy 4
Mobile Threats 5
  Banking malware 6
  Adults only 7
  Targeted Trojans 7
  Mobile spyware 7
General Malware Threats 7
  Ransomware 13
Database Threats 14
Network Threats 15
Web Threats 17
  Phishing 20
  Spam URLs 21
Messaging Threats 22
  Spam volume 22
  Drugs, DSN, and snowshoes 25
  Botnet breakdowns 26
  New botnet senders 27
  Messaging botnet prevalence 29
Cybercrime 30
  Malware, vulnerabilities, and hacking 30
  The Bitcoin saga 31
  Actions against cybercriminals 32
Hacktivism 33
Cyberarmies 36
About the Authors 37
About McAfee Labs 37

Introduction

McAfee Labs researchers have analyzed the threats of the second quarter of 2013. Several trends are familiar: steady growth in mobile and overall malware. A cyberespionage attack against South Korea and a further increase in worldwide spam are further attention grabbers.

The Dark Seoul attack against banks and media companies in South Korea inspired McAfee Labs to investigate beyond the basics of computers disabled by having their master boot records deleted. Behind the scenes we found an ongoing attempt to infiltrate South Korean military targets in a cyberespionage campaign that began in 2009. Our extensive report, published in July, explains the history and the coding details behind the damage and attempted surveillance.

Backdoor Trojans and banking malware were the most popular mobile threats this quarter. We counted more than 17,000 new Android samples during this period. The year is certain to establish another record.

New malware of all types exceeded 18 million this quarter, pushing our all-time tally to more than 147 million binaries. AutoRun threats, often spread via USB drives, remain at record levels, as do password-stealing programs. Signed malware, which poses as approved legitimate software, continues to set records, increasing by 50 percent this quarter. Malware that attacks a system's master boot record declined from last quarter's record high, but remains very dangerous.

Ransomware, which holds a computer hostage until the victim pays to free it, is a bad problem getting worse. The number of new samples more than doubled compared with last quarter. Not only do criminals make relatively safe money from this scheme, they often do not remove their malware, leaving the poor victim's system as dead as before.

Publicly reported data breaches have averaged a relatively flat line for the past three quarters. Outsiders steal data more often than insiders, but this is one threat area in which our data comes from victims, who may not feel like exposing all of their weaknesses. MySQL still leads enterprise databases in the number of reported vulnerabilities.

From the McAfee Global Threat Intelligence network we see that browser-based threats, such as hidden iframes and malicious Java code, comprise almost three-fourths of the Internet's malicious activity. IP addresses in the United States are again both the source and the target of most network threats.

Our analysis of web threats found that the number of new suspicious URLs, mostly in the United States, increased by 16 percent this quarter. Phishing attacks aimed primarily at targets in the United States. The leading industries suffering phishing attacks are financial and online-auction organizations.

Spam levels are bouncing back: this quarter volume reached 2 trillion messages in April, the highest figure we've seen since 2010. We continue to report on the variety of spam subjects and botnet prevalence in selected countries around the world.

Our timeline of significant hacks shows the major criminal activity that took place this quarter. Online currency Bitcoin was in the news. One Bitcoin provider suffered DDoS attacks that interrupted service and led to wild swings in value. Law enforcement officials around the world enjoyed some successes this quarter, with arrests halting gangs responsible for stealing hundreds of millions to billions of dollars.

Activist hackers demonstrated, defaced, and inspired counterattacks from their opponents. The group Anonymous was involved in some efforts and likely had its name borrowed to support some others. The Middle East was again a busy region for political expression.

Operation Troy

When reports of the March 20 Dark Seoul attack on South Korean financial services and media firms emerged, most of the focus was on the wiping of the master boot record of thousands of computers. PCs infected by the attack had all of the data on their hard drives erased. Since that time, however, McAfee Labs has discovered that the Dark Seoul attack included a broad range of technology and tactics beyond cybervandalism. The forensic data indicates that Dark Seoul was actually just the latest attack to emerge from a malware development project that has been named Operation Troy. (The name Troy comes from repeated citations of the ancient city found in the compile path strings of the malware.) The McAfee Labs investigation into the Dark Seoul incident uncovered a long-term attempt at domestic spying, based on code that originated in 2009, against military targets in South Korea.

Software developers (both legitimate and criminal) tend to leave fingerprints and sometimes even footprints in their code. Forensic researchers can use these prints to identify where and when the code was developed. It's rare that a researcher can trace a product back to individual developers (unless they're unusually careless). But frequently these artifacts can be used to determine the original source and development legacy of a new product. Sometimes the developers insert such fingerprints on purpose to establish ownership of a new threat. McAfee Labs uses sophisticated code analysis and forensic techniques to identify the sources of new threats because such analysis frequently sheds light on how to best mitigate an attack or predict how the threat might evolve in the future. McAfee Labs research learned that the Dark Seoul attack was preceded by years of attempted cyberespionage:

Figure: Operation Troy timeline, 2009 to the March 20, 2013 Dark Seoul attack. The domestic spying period and the US/South Korean military attacks begin in 2009. Tools by year: 2010 Chang, EagleXP, NSTAR; 2011 HTTP Troy, Mail Attack; 2012 Http Dr0pper, Tong; 2013 Concealment Troy, MBR Wiper, 3Rat Client, TDrop. Also plotted: DDoS attacks, 10 Days of Rain, and the March 20, 2013 media/broadcast and financial industry attacks. Legend: suspected link, solid link, highly probable link.

Our investigation into the cyberattacks in March revealed ongoing covert intelligence-gathering operations. McAfee Labs concludes that the attacks on March 20 were not an isolated event strictly tied to the destruction of systems, but the latest in a series of attempts to infiltrate targets since 2009. For details, read the McAfee Labs report Dissecting Operation Troy: Cyberespionage in South Korea.[1]
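The compile path strings the section relies on are the PDB paths that Microsoft linkers embed in a binary's CodeView debug record. The following is an added example, not code from the McAfee report or the Operation Troy analysis: it pulls those records out of sample buffers and clusters samples on shared build directories and recurring directory names. All sample buffers and paths are constructed placeholders, not the real Operation Troy strings.

```python
"""Compile-path (PDB) strings as a code-lineage fingerprint.

Added example; this is not code from the McAfee report. It illustrates the
kind of artifact the Operation Troy analysis pivoted on (compile path strings
left in binaries) and how an analyst can cluster samples on them. Every
sample buffer below is constructed in this file, and the paths are invented
placeholders, not the real Operation Troy strings.
"""
from __future__ import annotations

import re
import struct
from collections import defaultdict

# CodeView "RSDS" debug record as emitted by Microsoft linkers:
# signature, 16-byte GUID, 4-byte little-endian age, NUL-terminated PDB path.
# Scanning for the record directly avoids parsing the PE debug directory and
# also catches records left in truncated or packed samples.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,512}?)\x00", re.DOTALL)


def extract_pdb_paths(blob: bytes) -> list[dict]:
    """Return every RSDS record found in a binary blob."""
    records = []
    for m in _RSDS_RE.finditer(blob):
        records.append({
            "guid": m.group(1).hex(),
            "age": struct.unpack("<I", m.group(2))[0],
            "path": m.group(3).decode("ascii"),
        })
    return records


def _dir_components(path: str) -> list[str]:
    """Lower-cased directory components with slashes unified, drive letter
    and file name dropped, so 'Z:\\Work\\X\\a.pdb' and 'z:/work/x/b.pdb' agree."""
    parts = [p for p in re.split(r"[\\/]+", path.lower()) if p]
    if parts and re.fullmatch(r"[a-z]:", parts[0]):
        parts = parts[1:]
    return parts[:-1]  # drop the .pdb file name itself


def lineage_key(path: str, depth: int = 2) -> str:
    """First `depth` directories of the build tree; samples built from the same
    project root collapse onto one key even when the target differs."""
    return "/".join(_dir_components(path)[:depth])


def group_by_lineage(samples: dict[str, bytes], depth: int = 2) -> dict[str, list[str]]:
    """Map lineage key -> names of samples whose PDB path sits under it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name, blob in samples.items():
        for rec in extract_pdb_paths(blob):
            groups[lineage_key(rec["path"], depth)].append(name)
    return dict(groups)


def recurring_path_tokens(samples: dict[str, bytes], min_samples: int = 2) -> dict[str, list[str]]:
    """Directory names seen in the compile paths of at least `min_samples`
    distinct samples. A word that keeps recurring across a family (the
    report's 'Troy') is exactly this kind of pivot."""
    seen: dict[str, set[str]] = defaultdict(set)
    for name, blob in samples.items():
        for rec in extract_pdb_paths(blob):
            for tok in _dir_components(rec["path"]):
                seen[tok].add(name)
    return {tok: sorted(names) for tok, names in seen.items() if len(names) >= min_samples}


def _rsds(path: str, guid: bytes = b"\x11" * 16, age: int = 1) -> bytes:
    """Build a synthetic RSDS record for the constructed samples."""
    return b"RSDS" + guid + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample buffers (not real malware): padding bytes around one
# debug record each, plus a stripped build that carries no record at all.
SAMPLES: dict[str, bytes] = {
    "sample_a.bin": b"MZ" + b"\x90" * 40 + _rsds(r"Z:\Work\Troy\Dropper\Release\dropper.pdb") + b"\x00" * 8,
    "sample_b.bin": b"MZ" + b"\x00" * 12 + _rsds(r"z:/work/troy/client/Release/client.pdb", age=3),
    "sample_c.bin": b"MZ" + b"\xcc" * 20 + _rsds(r"C:\Users\dev\Projects\Other\bin\tool.pdb"),
    "sample_d.bin": b"MZ" + b"\x00" * 64,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, extract_pdb_paths(blob) or "no RSDS record")
    print("lineage groups:", group_by_lineage(SAMPLES))
    print("recurring directory names:", recurring_path_tokens(SAMPLES))
```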

Mobile Threats

This quarter backdoor Trojans, which steal data without the victim's knowledge, and malware that goes after banking login information have made up the largest portion of all new mobile malware families. Spyware has also been active, and malware authors continue to target activists. Halfway through 2013 we have already collected almost as many mobile malware samples as in all of 2012. Will the count double by the end of the year? That much and more, we expect. This quarter we added more than 17,000 Android samples to our database.
Figure: New Mobile Malware, annual totals 2004 to 2013 (scale 0 to 40,000).

Figure: Total Mobile Malware by Platform (Android, Symbian, Java ME, Others).

Figure: New Android Malware by quarter, Q1 2011 to Q2 2013 (scale 0 to 20,000).

Banking malware

Banks in Europe and Asia require two-factor authentication via SMS messages. When customers log into their banks, they are sent a mobile transaction authentication number (mTAN) in a text message. Then they must enter the mTAN code to get access to their accounts. This step prevents an attacker who steals only a username and password from reaching a victim's money. Attackers seeking to bypass two-factor authentication need to get that text message sent by the banks. Once the attacker has stolen a username and password from a victim's PC, the thief needs only to get the user to install SMS-forwarding malware. A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, takes the standard SMS forwarder malware a step further. Normally we advise users to employ only the official app provided by their banks for any online banking. Android/FakeBankDropper.A counters that defense by replacing the bank's official app with Android/FakeBank.A. While the victims think they have the original app installed, the attacker logs into the users' accounts to get the latest SMS from the bank.

A short list of similar SMS forwarders:

Android/Nopoc.A: Forwards incoming SMS messages to the attacker's server.

Android/Pincer.A: Pretends to install a certificate on the user's device. Forwards SMS messages to the attacker's server.

Android/Stels.A: Pretends to be an update to the Adobe Flash player. Collects sensitive user information and posts it to the attacker's server.

Android/Wahom.A: Pretends to be a legitimate app, but displays an error message to the user. The malware hides its icon to fool the user into thinking it was uninstalled. Collects sensitive user information and forwards SMS to the attacker's server.

Adults only

Adult-entertainment software offers helpful camouflage for attackers. They can gain large profits and they're less likely to attract attention from law enforcement. Attackers' interest in adult-entertainment apps has risen this quarter. In Japan a large family of potentially unwanted programs (PUPs), Android/DeaiFraud, pretends to be an app for a popular adult-dating site. Although this malware doesn't directly harm users, it can lead them to receive spam from the attacker. It's also likely that users will be fooled into signing up for the adult-dating site due to the attacker's partners posing as real singles on the service. Apart from PUPs, we also saw Android/NMPHost.A, a malware that convinces users to download a second malware, Android/NMP.A, which steals user information. Both pretend to be adult-entertainment apps. Once installed, Android/NMP.A collects sensitive user information and sends it to the attacker's server.

Targeted Trojans

Attackers find legitimate apps very useful as cover for their malicious code. They benefit from the popularity of the app as well as from how much users trust the app. In the case of Android/Kaospy.A, attackers are using modified versions of the Kakao Talk app and targeting Tibetan activists. This malware is distributed using phishing emails. The malicious spyware collects a large amount of sensitive user information (contacts, call logs, SMS messages, installed applications, and location) and uploads the data to the attacker's server. Trojanized apps that aren't so narrowly targeted include Android/BadNews.A. This backdoor Trojan pretends to be a legitimate game app that includes ads. Instead it collects sensitive user information and sends it to the attacker. It's also capable of displaying fake news headlines.

Mobile spyware

Commercial spyware has seen a small increase from the previous quarter. Android/Fzw.A downloads a spyware app from the attacker's website. Like other hidden Trojans, it pretends to be a legitimate font installer app. The downloaded spyware forwards SMS messages, call logs, and location information to the attacker's server. Android/Roidsec.A is spyware that pretends to be software for syncing the user's phone. It really does sync the user's sensitive information and SMS messages, only to the attacker's server. The malware collects location, call logs, and data about the phone hardware and can record calls, too.

General Malware Threats

Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we now have more than 147 million samples in our malware zoo.
Figure: Total Malware Samples in the McAfee Labs Database, monthly, July 2012 to June 2013 (scale 0 to 160,000,000).

Figure: New Malware by quarter, Q1 2011 to Q2 2013 (scale 0 to 20,000,000).

Rootkits, or stealth malware, are designed to evade detection and reside on a system for prolonged periods. Growth in new rootkit samples has been on a downward trend since the middle of 2011. All three rootkit types we track in this report matched this trend.
Figure: New Rootkit Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 180,000).

Figure: New Koutodoor Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 200,000).

Figure: New TDSS Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 200,000).

Figure: New ZeroAccess Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 160,000).

AutoRun malware, which often hides on USB drives and can allow an attacker to take control of a system, doubled at the start of the year and increased slightly again this quarter. The number of fake AV products, which scare victims into believing their systems are infected, rose during 2012 to a record level but has declined during the last two quarters. Koobface, which plagues Facebook users, peaked in 2009-10 and has remained at low levels since early 2012. Password-stealing Trojans, which attempt to raid victims' bank accounts, established a record high last quarter; this quarter's figure was almost as large.
Figure: New AutoRun Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 900,000).

Figure: New Fake AV Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 1,000,000).

Figure: New Koobface Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 2,500).

Figure: New Password Stealer Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 1,600,000).

Signed malware rebounded sharply from its decline in the first quarter and again set a new record, with more than 1.2 million new samples discovered this quarter.
Figure: Total Malicious Signed Binaries, monthly, July 1, 2012 to June 1, 2013 (scale 0 to 4,500,000).

Figure: New Malicious Signed Binaries by quarter, Q3 2011 to Q2 2013 (scale 0 to 1,400,000).

New malware that attacks the Mac more than tripled, after declining for three quarters. In spite of the small numbers compared with PC threats, Mac users also need protection.
Figure: New Mac Malware by quarter, Q1 2011 to Q2 2013 (scale 0 to 700).

One strain of malware targets a computer's master boot record (MBR), an area that performs key startup operations. Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration. These attacks, including mebroot, Tidserv, Cidox, and Shamoon, have rapidly increased their numbers. This quarter saw a drop from last period's record level, but it's still the second-highest figure we have recorded.

Figure: New Master Boot Record-Related Threats by quarter, Q1 2011 to Q2 2013 (scale 0 to 800,000). Series: Variants of Families with Known MBR Payloads; Identified MBR Components.

Ransomware

Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen. The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter. During the past two quarters we have catalogued more ransomware than in all previous periods combined. This trend is also reflected by warnings from law enforcement and federal agencies around the globe. One reason for ransomware's growth is that it is a very efficient means for criminals to earn money because they use various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for example, which must process credit card orders for the fake software. Another reason is that an underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem of ransomware will not disappear anytime soon.
Figure: New Ransomware Samples by quarter, Q1 2011 to Q2 2013 (scale 0 to 350,000).

Database Threats

When we reported on the numbers of database breaches made public in our Threats Report for the fourth quarter of 2012, we saw a slowdown in break-ins, with just 47 during the quarter. At that time we couldn't be sure whether we were observing a trend or an anomaly. Six months later, we can now see some stabilization in this area. This year started at the same relatively low rate as 2012 ended, with 119 data breaches in the first six months of 2013. That's a little more than one-third of the 315 breaches during the record-setting 2012. Are we in the middle of a long-term trend or is this just the calm before the storm?
Figure: Data Breaches Made Public, annual totals 2007 to 2013 (scale 0 to 350). Source: privacyrights.org

The rate of data breaches caused by outside hackers (criminal or otherwise) dropped considerably in 2012, and has held relatively steady for the last four quarters. The lower rate of theft by company insiders has also been relatively steady, though without a dramatic decline. The drop in outsider breaches might point to companies and organizations investing more heavily in perimeter protections than in database security. However, we have seen database security get much more attention from medium-sized and big businesses than just one or two years ago.
Figure: Sources of Data Breaches by quarter, Q1 2012 to Q2 2013 (scale 0 to 90). Series: Insiders; Hackers. Source: privacyrights.org

As we can see from the preceding graph, hackers still cause a greater number of breaches than insiders. But we have to remember that data-breach statistics are rarely objective due to their nature. Hackers publish stolen data more frequently than a company will confess that it was compromised.


Database vulnerabilities, reported by the developers or others, continue to be dominated by MySQL, with almost 60 percent of all vulnerabilities discovered during the past six quarters.
Figure: New Vulnerabilities in Leading Databases by quarter, Q1 2012 to Q2 2013 (scale 0 to 45). Series: SQL Server, Sybase, PostgreSQL, DB2, Oracle, MySQL.

Network Threats

As usual, the United States is both the source and the target of much of the Internet's malicious activity, according to the McAfee Global Threat Intelligence network. Browser-based threats have increased to 73 percent of all attacks, compared with 44 percent last quarter. The following detection signatures show which types of attacks McAfee products most frequently blocked:

HTTP: Microsoft JPEG Processing Buffer Overrun
HTTP: Multiple Browser Window Injection Vulnerability
RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution

Figure: Top Network Attacks (Browser, Remote Procedure Call, SQL Injection, Cross-Site Scripting, Others).


As the host of SQL-injection attacks, which poison legitimate websites, the United States' piece of the pie shrank slightly this quarter, to 32 percent from 35 percent last quarter. Venezuela regained second place, hosting 11 percent. By far most victims of these attacks (60 percent, up from 55 percent last period) are in the United States.
Figure: Top SQL-Injection Attackers (United States, Venezuela, Spain, Taiwan, China, Germany, South Korea, Others).

Figure: Top SQL-Injection Victims (United States, Taiwan, China, Russia, Spain, Others).

In our botnet tracking, the United States again claims first place. The percentage of control servers hosted dropped 3 points to 37 percent. The decrease was larger among botnet victims, falling to 34 percent from 43 percent in the first quarter.
Figure: Top Botnet Control Servers (United States, Germany, China, Turkey, Russia, United Kingdom, South Korea, Others).

Figure: Top Botnet Victims (United States, Turkey, Taiwan, Brazil, Canada, Spain, India, Others).

The United States represents the lion's share of hosts of PDF-based attacks, climbing to 53 percent this quarter, compared with 35 percent in the last period. Taiwan, with 8 percent, took second place. China fell to just 2 percent this quarter from 11 percent last time.
Figure: Top Malicious PDF Attackers (United States, Taiwan, Spain, United Kingdom, Germany, Canada, Others).


Web Threats

Websites can gain bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. These are just a few of the factors that contribute to our rating of a site's reputation. At June's end, the total number of suspect URLs tallied by McAfee Labs exceeded 74.7 million, which represents a 16 percent increase over the first quarter. These URLs refer to 29 million domain names, up 5 percent from the previous period.
Figure: Risk Level of Suspect URLs (Minimal, Unverified, Medium, High).

Figure: Risk Level of Suspect Domains (Minimal, Unverified, Medium, High).

This quarter, we recorded per month an average of 3.5 million new suspect URLs related to about 430,000 domains.
Figure: New Suspect URLs by quarter, Q2 2012 to Q2 2013 (scale 0 to 16,000,000). Series: URLs; Associated Domains.


Most of these suspicious URLs (96 percent) host malware, exploits, or code designed specifically to compromise computers. Phishing and spam represent 2.1 percent and 0.3 percent, respectively.
Figure: Distribution of New Suspect URLs (New Malware URLs, New Phishing URLs, New Spam Email URLs, Others).

Distribution at the domain level gives us a different outlook, with 12 percent phishing domains and 2 percent spam domains.
Figure: Distribution of New Suspect Domains (New Malware Domains, New Phishing Domains, New Spam Email Domains, Others).

The domains associated with newly suspect URLs are mainly located in North America (chiefly the United States) and Europe/Middle East (chiefly Germany). This trend is not new; North America historically hosts quite a bit of malware and suspect content. However, its share has dropped to 52 percent, compared with 74 percent last quarter.
Figure: Location of Servers Hosting Suspect Content (North America, Africa, Asia-Pacific, Australia, Europe/Middle East, Latin America).


Digging into the location of servers hosting malicious content in other countries we see quite a global diversity. Each region has one or two clearly dominant players.
Figure: Location of Servers Hosting Malicious Content, by region.

Africa: South Africa, Kenya, Morocco, Egypt, Tunisia, Others
Asia-Pacific: China, South Korea, Japan, Hong Kong, Thailand, Others
Australia/South Pacific: Australia, New Zealand
Europe and Middle East: Germany, Netherlands, Russia, United Kingdom, Poland, Others
Latin America: Brazil, Bahamas, British Virgin Islands, Argentina, Chile, Others
North America: United States, Canada


Phishing

After peaking during the fourth quarter of 2012, the number of new phishing URLs dropped sharply last quarter. This period saw a modest decrease.
Figure: New Phishing URLs by quarter, Q2 2012 to Q2 2013 (scale 0 to 450,000). Series: URLs; Associated Domains.

Most of these URLs are hosted in the United States.


Figure: Top Countries Hosting Phishing URLs (United States, Germany, United Kingdom, Canada, Netherlands, Others).

Companies from the United States are the most frequently targeted, suffering 67 percent of all attacks. They are followed by the United Kingdom and Australia, with 6 percent and 3 percent, respectively. Phishers go after several key industries. The top five are finance (with 42 percent of attacks), online auctions (32 percent), government, shopping, and services.
Figure: Phishing Targets by Industry (Finance, Online Auctions, Shopping, Government, Services, Others).


Companies in the United States are the most heavily targeted, followed by the United Kingdom and Australia.

United States: Amazon, American Express, Deloitte, eBay, JPMorgan Chase, PayPal, Wells Fargo
United Kingdom: Barclays, HM Revenue & Customs, HSBC, Lloyds TSB, Natwest, Santander
Australia: ANZ (Australia and New Zealand Banking Group), Westpac Bank
Canada: Capital One, Royal Bank of Canada, TD Bank Group
India: HDFC Bank, ICICI Bank

Spam URLs

Spam URLs are links that arrive in unsolicited emails. Also included in this family are sites built only for spamming purposes, such as spam blogs or comment spam.
Figure: New Spam URLs by quarter, Q2 2012 to Q2 2013 (scale 0 to 160,000). Series: URLs; Associated Domains.

The primary country hosting these URLs is the United States, with 39 percent of the total; Germany (9 percent) and Russia (6 percent) follow.
Figure: Countries Hosting Spam URLs (United States, Germany, Russia, China, Antarctica, Netherlands, South Korea, Others).


Messaging Threats

In April, spam volume surpassed 2 trillion messages, the highest figure since December 2010. A slight decline in May and June still left the count higher than any time since May 2011.
Figure: Global Email Volume, in Trillions of Messages, monthly, July 2012 to June 2013 (scale 0 to 2.5). Series: Monthly Spam; Legitimate Email.

Spam volume

Examining results by country, our statistics show marked differences from quarter to quarter. Ukraine and Belarus are the most dramatic examples; each had an increase of greater than 200 percent this period. Japan grew by 142 percent. Meanwhile, Pakistan (down 59 percent) and Romania (down 56 percent) enjoyed large declines. France fell by 25 percent, and the United States decreased by 16 percent.
Figure: Spam Volume, monthly, July 2012 to June 2013, one chart per country: Argentina, Australia, Belarus, Brazil, Chile, China, France, Germany, India, Italy, Japan, Kazakhstan, Peru, Romania, Russia, South Korea, Spain, Ukraine, United Kingdom, United States.

Drugs, DSN, and snowshoes

As we look at spam subjects around the world, we see that the popularity of drugs just won't go away. Drug offers in our selected countries range from a low of 17 percent to more than 50 percent of leading spam subject lines. In Australia, France, and the United States, delivery service notification (DSN) teasers remain popular. In many countries snowshoe spam appeared in at least one-quarter of the leading subjects. Snowshoe spam spreads the sending load thinly across many IP addresses, so that no single source sends enough volume to trip reputation blocklists, which lets the campaign avoid rapid eviction by ISPs. A lot of spam this quarter carried subject lines related to the Boston Marathon bombings; most of these messages contained links to malware. We were surprised to see relatively little spam for replica products, such as watches and other junk, which has long been a popular subject. We're sure it hasn't gone away, but it did lose significant volume.
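Snowshoe campaigns defeat per-IP reputation by design, so a mail operator has to look across sources rather than at each one. The following Python script is an added illustration, not code from the McAfee report: it fingerprints accepted messages by content and, for each fingerprint, counts how many distinct sending IPs and /24 networks it arrives from. A campaign seen from many networks with only a trickle per address is labelled snowshoe; a high-volume campaign from a single host (what per-IP reputation already catches) is labelled single-source. The log format, field names, sample lines and thresholds are all constructed for the example.

```python
"""Snowshoe spam detection: one campaign spread thinly across many sources.

Added example; the log format and thresholds are assumptions for illustration,
not anything from the McAfee report. Each constructed log line records a message
accepted by the MTA: client IP, envelope-from domain, and a hash of the
normalized subject/body (fp=...) that serves as the campaign fingerprint.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). Fingerprint 7f3a is a snowshoe
# campaign: six messages, six IPs in three /24s, a different sender domain
# each time. Fingerprint c1d2 is a classic blast from a single host.
SAMPLE_LOG = """\
2013-05-02T10:01:02 client=203.0.113.4 from=best-deals1.example fp=7f3a
2013-05-02T10:01:09 client=203.0.113.77 from=best-deals2.example fp=7f3a
2013-05-02T10:01:15 client=198.51.100.12 from=best-deals3.example fp=7f3a
2013-05-02T10:01:20 client=198.51.100.200 from=best-deals4.example fp=7f3a
2013-05-02T10:01:31 client=192.0.2.9 from=best-deals5.example fp=7f3a
2013-05-02T10:01:44 client=192.0.2.130 from=best-deals6.example fp=7f3a
2013-05-02T10:02:01 client=203.0.113.4 from=newsletter.example fp=c1d2
2013-05-02T10:02:05 client=203.0.113.4 from=newsletter.example fp=c1d2
2013-05-02T10:02:08 client=203.0.113.4 from=newsletter.example fp=c1d2
2013-05-02T10:02:12 client=203.0.113.4 from=newsletter.example fp=c1d2
2013-05-02T10:02:20 client=203.0.113.4 from=newsletter.example fp=c1d2
2013-05-02T10:02:33 client=203.0.113.4 from=newsletter.example fp=c1d2
"""

LINE_RE = re.compile(r"client=(?P<ip>\S+) from=(?P<dom>\S+) fp=(?P<fp>\S+)")

# Thresholds are assumptions for the example; tune them against real traffic.
MIN_NETS = 3           # campaign seen from at least this many /24 (or /64) blocks
MAX_MSGS_PER_IP = 2.0  # and no single source sends more than a trickle
BLAST_MIN_MSGS = 5     # single-host volume that per-IP reputation already catches


@dataclass
class Campaign:
    messages: int = 0
    ips: set = field(default_factory=set)
    nets: set = field(default_factory=set)
    domains: set = field(default_factory=set)

    def msgs_per_ip(self) -> float:
        return self.messages / len(self.ips)


def aggregate(log_text: str) -> dict:
    """Group accepted messages by content fingerprint, tracking source spread."""
    campaigns = defaultdict(Campaign)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a delivery record
        ip = ipaddress.ip_address(m["ip"])
        prefix = 24 if ip.version == 4 else 64
        c = campaigns[m["fp"]]
        c.messages += 1
        c.ips.add(ip)
        c.nets.add(ipaddress.ip_network((ip, prefix), strict=False))
        c.domains.add(m["dom"])
    return campaigns


def classify(campaigns: dict) -> dict:
    """Label each fingerprint: snowshoe, single-source blast, or low-volume."""
    verdicts = {}
    for fp, c in campaigns.items():
        if len(c.nets) >= MIN_NETS and c.msgs_per_ip() <= MAX_MSGS_PER_IP:
            verdicts[fp] = "snowshoe"
        elif len(c.ips) == 1 and c.messages >= BLAST_MIN_MSGS:
            verdicts[fp] = "single-source"
        else:
            verdicts[fp] = "low-volume"
    return verdicts


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for fp, verdict in classify(stats).items():
        c = stats[fp]
        print(f"{fp}: {verdict:14s} msgs={c.messages} ips={len(c.ips)} "
              f"nets={len(c.nets)} domains={len(c.domains)}")
```

The key design choice is the grouping key: keying on the content fingerprint rather than on the sender IP or domain is what makes the six one-message sources above add up to one campaign, since snowshoe operators rotate both addresses and domains.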
[Spam types by country (leading subject categories: Drugs, DSN, Jobs, Marketing, News, Phishing, Scams, Snowshoe, Travel, Webinars): Argentina, Australia, Brazil, Colombia, France, Germany, India, Italy, Spain, Turkey, United Kingdom, United States]
Botnet breakdowns

Infections from messaging botnets, which supply spam worldwide, have shown an overall decline since May 2012, but this quarter's trend was again upward.

[Global messaging botnet infections, monthly, July 2012 to June 2013]
Cutwail remains in first place among botnets, causing more than 6 million new infections during the quarter. Kelihos was a distant second, at 2.3 million. New last quarter, Slenfbot infected 1.6 million systems this period.
[Spam botnet prevalence (share of infections): Cutwail, Kelihos, Slenfbot, Festi, Maazben, Others]

[Leading global botnet infections, monthly, July 2012 to June 2013: Cutwail, Kelihos, Slenfbot, Festi, Maazben]
New botnet senders

Country-specific botnet statistics show big variances from quarter to quarter and from country to country. In Peru, for example, the number of botnet senders increased by almost 300 percent. Among our selected countries, India rose by 14 percent. Belarus dropped by 66 percent, Russia by 46 percent, and China by 31 percent.
[New botnet senders, monthly, July 2012 to June 2013: Argentina, Australia, Brazil, Canada, Chile, China, Colombia, France, Germany, India, Italy, Japan, Russia, South Korea, Spain, Turkey, United Kingdom, United States]
Messaging botnet prevalence

Our breakdown of botnets shows how the most widespread botnet families are represented in various countries around the globe. Cutwail and Kelihos are the global leaders. Other notably predominant botnets:

- Darkmailer in Belarus, Kazakhstan, Pakistan, and Indonesia
- Cutwail in Greece, Vietnam, and Iran (greater than 60 percent)
- Slenfbot in Belarus (81 percent)
- Slenfbot in Japan and Ukraine
- Kelihos in Germany, Italy, Argentina, and the United Kingdom (greater than 40 percent)

These variances demonstrate that specific countries can have specific attackers.
[Messaging botnet prevalence by country (legend: Cutwail, Festi, Kelihos, Maazben, Others, Slenfbot): Australia, Brazil, Chile, China, Colombia, Germany, India, Japan, Russia, South Korea, United Kingdom, United States]
Cybercrime

Malware, vulnerabilities, and hacking

Timeline, April to June 2013:
- April 5: LivingSocial hack
- April 11: WordPress hack
- April 17: CVE-2013-2423 (exploit packs updated)
- April 19: BadNews (in Google Play apps)
- May 1: CVE-2013-1347 (Dept. of Labor hack)
- May 3: Sirefef (Louisiana Board of Regents hack)
- Around June 15: Carberp for $5,000, then Carberp for free
- June 27: Generic PWS.o (Gulf states and Caribbean phishing campaign)
- June 30: South Korea hack
- Undated on the chart: Android.FakeAlert

The scareware Android.Fakedefender, announced in June by various security companies, has apparently spread through mobile environments since the end of March. Fakedefender locks up an infected device and displays fake security alerts to convince victims to purchase an app in order to remove nonexistent malware or security risks.

April 5: LivingSocial, the daily-deals site owned in part by Amazon, suffered a massive cyberattack on its computer systems. The breach affected 50 million customers of the Washington, D.C., company, who were required to reset their passwords.[2]

April 11: The security firm CloudFlare warned of a brute-force attack against WordPress administrative portals. A botnet appeared to be launching the attack: tens of thousands of unique IP addresses were recorded attempting to log in to WordPress installations using the username admin and trying thousands of passwords.[3]

April 17: The Java vulnerability CVE-2013-2423 was publicly disclosed.[4] An exploit for it was immediately incorporated into exploit kits such as WhiteHole, Cool, Neutrino, Styx, Sweet Orange, and others.

April 19: BadNews for millions of users: malware was discovered spreading inside apps in Google Play.[5]

May 1: Invincea reported that the US Department of Labor website had been compromised to redirect visitors to a site that ran a drive-by download exploit against Internet Explorer to install the Poison Ivy backdoor Trojan. Attributed to the Chinese Deep Panda group, this watering-hole attack exploited a previously unknown and, at that time, unpatched vulnerability in Microsoft's IE 8 browser (CVE-2013-1347).[6]

May 3: Another watering-hole attack was detected on the Louisiana Board of Regents website.[7] It distributed the Sirefef malware.

Around June 15: The Carberp banking Trojan toolkit was offered for just US$5,000 through an underground forum; the previous price had been US$40,000.[8] A few days later the toolkit was available as a free download.

June 27: McAfee's Foundstone Incident Response team obtained a 3MB piece of malware (Generic PWS.o) that was sent out during a phishing campaign. The campaign targeted several companies and institutes in the United Arab Emirates, Oman, Bahrain, and a couple of Caribbean islands.[9]

June 30: The Seoul Central District Prosecutors' Office charged two South Koreans with cooperating with North Korean hackers in China to run illegal websites and steal the personal information of millions of individuals. Investigators discovered the personal data of 140 million South Koreans on their computers and believe the pair could have shared the information with North Korea.[10]
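The April 11 item describes the pattern that makes such a campaign hard to stop: each of tens of thousands of bots sends only a handful of guesses for the same username, so a per-IP lockout never fires. The following Python script, an added example rather than anything from the report or from CloudFlare, contrasts a per-IP lockout with a site-wide count of failed wp-login.php POSTs over the same constructed access log. The log lines are constructed, and the assumption that WordPress answers a failed login with HTTP 200 (form re-rendered) and a successful one with a 302 redirect is the example's, not the report's.

```python
"""Distributed brute force against wp-login.php: per-IP lockout vs. site-wide view.

Added example, not code from the McAfee report. Assumption: WordPress answers a
failed login POST with 200 (it re-renders the form) and a successful one with a
302 redirect, so a 200 on POST /wp-login.php is counted as a failure.
"""
import re
from collections import Counter

# Combined-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

PER_IP_LOCKOUT = 5  # failures per IP before a typical lockout plugin blocks it


def build_sample_log() -> list:
    """Constructed access log (not real traffic): 40 botnet nodes trying two
    passwords each, one noisy single-IP attacker, and one legitimate user who
    mistypes twice and then succeeds."""
    lines = []
    for i in range(40):
        for _ in range(2):
            lines.append(f'203.0.113.{i + 1} - - [11/Apr/2013:09:00:{i % 60:02d} +0000] '
                         '"POST /wp-login.php HTTP/1.1" 200 3421')
    for j in range(30):
        lines.append(f'192.0.2.5 - - [11/Apr/2013:09:01:{j % 60:02d} +0000] '
                     '"POST /wp-login.php HTTP/1.1" 200 3421')
    lines += [
        '198.51.100.7 - - [11/Apr/2013:09:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
        '198.51.100.7 - - [11/Apr/2013:09:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
        '198.51.100.7 - - [11/Apr/2013:09:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
        '198.51.100.7 - - [11/Apr/2013:09:02:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
    ]
    return lines


def failed_logins_by_ip(lines) -> Counter:
    """Count failed wp-login.php POSTs (status 200, see assumption above) per client IP."""
    fails = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            fails[m["ip"]] += 1
    return fails


def per_ip_alerts(fails: Counter) -> set:
    """What a per-IP lockout sees: only sources at or above the threshold."""
    return {ip for ip, n in fails.items() if n >= PER_IP_LOCKOUT}


def distributed_alert(fails: Counter, min_ips: int = 20, min_total: int = 50) -> dict:
    """Site-wide view: many sources that each stay under the lockout threshold."""
    low = {ip: n for ip, n in fails.items() if n < PER_IP_LOCKOUT}
    total = sum(low.values())
    return {
        "distinct_ips": len(low),
        "failed_posts": total,
        "flagged": len(low) >= min_ips and total >= min_total,
    }


if __name__ == "__main__":
    fails = failed_logins_by_ip(build_sample_log())
    print("per-IP lockout would block:", sorted(per_ip_alerts(fails)))
    print("distributed pattern:", distributed_alert(fails))
```

On the sample, the lockout rule catches only the noisy 192.0.2.5, while the 40 bots (and the one legitimate user, who is indistinguishable at this layer) show up only in the aggregate. In practice the aggregate thresholds should be set from a baseline of normal failed-login volume for the site, and the response to a flagged window is a site-wide control (CAPTCHA, two-factor, or blocking the shared username) rather than another per-IP rule.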

The Bitcoin saga

Timeline:
- February 28: 1 BTC = US$33
- March 3: DDoS at BitInstant
- April 3: DDoS at Mt. Gox
- April 10: 1 BTC = US$266
- April 18: DDoS at Blockchain.info
- April 21: DDoS at Mt. Gox delays Litecoin support
- May 14: Maryland District Court rules against Mt. Gox
- May 16: WebMoney offers WMX
- May 22: Webroot announces DIY Bitcoin miner for sale
- June 12: BTC phishing campaign
- June 21: 1 BTC = US$110
- June 23: DEA announces seizure of Bitcoins from Silk Road user
- July 5: 1 BTC = US$74
- Undated on the chart: DDoS at Silk Road

Bitcoin (BTC) virtual money was in the news last quarter. At the end of February it broke its June 2011 peak trading value, at more than US$33.[11] Some days later, the BitInstant exchange service was forced to shut down after attackers walked away with more than US$12,000 in BTC.[12] And that was just a warm-up for what happened this quarter.

In April, Tokyo-based Mt. Gox, the largest Bitcoin exchange service, suffered several DDoS attacks that disrupted business. The first assault occurred around April 3; at that time the exchange rate exceeded US$140 to 1 BTC.[13] On April 10, the value leaped to US$266 before closing at US$125 the next day.[14] This keen interest resulted in 20,000 new accounts being created each day: the number of new user accounts opened at Mt. Gox went from 60,000 in all of March to 75,000 in just the first few days of April.[15]

The sudden activity in this market of course attracted the interest of cybercriminals of all kinds. They launched further DDoS attacks against Mt. Gox, which had to delay its plan to support Litecoin,[16] and new ones against Blockchain.info.[17] Silk Road, the notorious underground marketplace using Bitcoin as e-money, was taken down several times by DDoS attacks.[18]

The courts also paid attention to Mt. Gox. On May 14 the U.S. District Court in Maryland ordered the seizure of Mt. Gox's funds, which were in an account with Dwolla, a payments company that transferred money from U.S. citizens to Mt. Gox to buy and sell Bitcoins.[19]

In May WebMoney began offering purses, called WMX, denominated in Bitcoins. Bitcoins are transferred to an address provided by WebMoney to fund the purse, and can be withdrawn to a Bitcoin address.[20] Bitcoins stored in a WMX purse can be transferred to other purses, and in this manner WebMoney can exchange Bitcoins for the other currencies supported by the service.

As the Bitcoin exchange rate has risen, criminals have shown growing interest in infecting victims with malware that uses their computers' resources to mine Bitcoin without their knowledge. While the criminals generate profits, the victims' computers slow down. In May, for example, Webroot posted a blog about a marketplace to customize and buy such malware;[21] it had been available for sale since the first days of February. On June 13, security researcher Brian Krebs reported a phishing campaign that used both the Yahoo and Bing search engines to target account holders at MtGox.com.[22] On June 23 the US Drug Enforcement Administration (DEA) announced that it had seized 11.02 BTC from a Silk Road user in April and charged him with intent to distribute drugs. The seized money was transferred into the DEA's BTC wallet.[23]


Actions against cybercriminals

During this quarter, we learned of a number of law enforcement efforts:

In April, the Russian Federal Security Service (FSB) and the Security Service of Ukraine (SBU) announced that they had arrested several individuals believed to be involved in the development of the Carberp banking Trojan.[24] The leader of the group was a 28-year-old Russian citizen. The rest of the group, some 20 individuals between 25 and 30 years old, were arrested in Kiev, Zaporozhye, Lvov, Odessa, and Kherson.[25] The ring was said to be responsible for stealing US$250 million (€193 million) in Ukraine and Russia alone.

Hamza Bendelladj, a 24-year-old Algerian who was arrested in Thailand in January, was extradited to the United States in April. Also known as Bx1, he was listed in a Northern District of Georgia indictment as a coconspirator who helped develop SpyEye components. The real name of his partner, the presumed author of the SpyEye Trojan, known in the underground as Gribodemon and Harderman, was redacted in the indictment because he had not yet been arrested.[26]

On May 9, federal prosecutors unsealed charges against eight New York residents linked to an international cybertheft ring accused of stealing US$45 million from banks around the globe. The alleged crooks used prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, in the United Arab Emirates, and the Bank of Muscat, in Oman. The defendants withdrew US$2.8 million from New York banks in two separate attacks, this past December and February.[27] While the eight were taking money from the New York banks, additional coconspirators made more than US$42 million in withdrawals at other banks across the world.

In May, the founder of the digital currency system Liberty Reserve was indicted in the United States along with six other people for a US$6 billion money-laundering scheme.[28] Arthur Budovsky, a Costa Rican citizen of Ukrainian origin and the founder of the currency system, was arrested in Spain, while others were arrested in Costa Rica and New York. Police in Costa Rica also raided three homes and five businesses linked to Liberty Reserve, according to the Associated Press. The digital currency's site is now offline, its front page replaced by a notice saying that the domain had been seized by the United States Global Illicit Financial Team. Liberty Reserve was incorporated in Costa Rica in 2006 and had at least 200,000 customers in the United States. Suspected of helping cybercriminals in their businesses, it had failed to register in the United States as a money-transmitting service. In the same vein, on June 4 the WM Center e-currency exchange was seized by the US government and closed.[29]

Accompanied by US Marshals, Microsoft technicians seized servers at two data centers in New Jersey and Pennsylvania on June 5 and, with the help of the FBI, coordinated with computer emergency response teams and registrars in 87 countries to sinkhole domains used by the 1,452 botnets built with the Citadel malware.[30] Some security researchers criticized this operation, saying it disrupted their ongoing research by siphoning off the malicious data they had been tracking.[31] Others claimed the long-term effect of this particular takedown would likely be insignificant.[32]

In June, the United Kingdom's Serious Organised Crime Agency announced eleven arrests in a case involving cooperation from the Vietnamese High-Tech Crime Unit, the Criminal Investigative Division of the Ministry of Public Security of Vietnam, the Metropolitan Police Central e-Crime Unit, and the FBI. Eight suspects were arrested in Vietnam and three more in the United Kingdom. All were associated with the mattfeuter family of websites, on which approximately 16,000 members allegedly bought and sold data for more than 1.1 million credit cards, facilitating more than US$200 million worth of fraud worldwide.[33]

In June, US federal officials charged eight members of a Ukrainian cybercrime ring after they allegedly tried to illegally access the networks of a number of financial institutions, including Citibank, JP Morgan Chase, TD Ameritrade, and PayPal, along with the US Department of Defense's Finance and Accounting Services.[34] From March 2012 to June 2013, the suspects hacked into these servers, embezzling money from legitimate bank accounts to load debit cards and cashing out the accounts via ATMs and fake purchases, as part of what the federal complaint calls the Sharapka Cash Out Organization.

In France, investigators from OCLCTIC and DCP dismantled a gang of alleged criminals specializing in financial hacking and arrested five people in June. The crooks may have made €9 million via online shopping. In total, they were able to divert the bank data of 27,000 people. The money collected was later used to purchase high-end hardware.[35]


Hacktivism

This quarter's activities clearly demonstrated that hacktivists exist in many camps and support many ideologies.

Timeline:
- April 3: #OpNorthKorea Release #2
- April 7: #OpIsrael Reloaded
- May 7: #OpUSA
- May 16: South African Police hacked
- June 4: #OpTurkey
- June 20: #OpPetrol
On April 3, OpNorthKorea Release #2 was announced on Pastebin.[36] It demanded the resignation of North Korean leader Kim Jong-un, the abandonment of nuclear ambitions, and universal and uncensored Internet access for citizens. Several websites serving the regime were blocked (via DDoS) or defaced throughout the month. A statement purporting to come from Anonymous said that the group had compromised 15,000 user records hosted on the North Korean propaganda site uriminzokkiri.com. However, when one side makes a statement, the other is likely to reply: during the last week of June, government websites in both North and South Korea were targeted by attackers who claimed to operate under the banner of Anonymous. (A so-called official Anonymous channel denied via tweet any involvement in the South Korean attacks.) Some researchers suspect the attackers were the North Korean Whois Team, which frequently uses skulls as a symbol of the group. (For more on related attacks, see Operation Troy, page 4.)


After #OpIsrael, which we covered in last quarter's Threats Report, around 30 hacktivist collectives from around the world decided to continue the confrontation.[37] On April 7, they announced #OpIsraelReloaded. The hackers say they caused massive damage, but Israeli officials downplayed the incident, saying the attacks caused hardly any real losses.[38] The hacker Dr FreeDom claimed a leak of 30,000 Visa card holders' details.[39] These hacks also brought about reprisals. The pro-Israel hacker team Israel Elite Force revealed several names of suspected #OpIsraelReloaded attackers on a dedicated website; those named are from Jordan, India, and Lebanon. Other Israeli supporters defaced the Anonymous #OpIsrael website.[40]

Operations against the United States and other Western interests were started under the names #OpUSA (May 7 to 9) and #OpPetrol (June 20).[41] These operations appeared to take place under the Anonymous banner, but when we looked at the attackers' signatures, we found mostly Middle Eastern and North African hacker groups acting contrary to the ideals of freedom. Many of these movements are associated with AnonGhost, a hacker team fond of using jihad themes. It is clear that Middle Eastern sympathizers of all stripes enjoy conducting their protests under the cover of Anonymous.


In June, the protest movement in Turkey led Anonymous to launch #OpTurkey, a hack of the website of the Radio and Television Supreme Council (RTUK). Cyberarmies were also active. The Syrian Electronic Army supported President Bashar al-Assad's government by shutting down and defacing various official Turkish websites.[42] Two collectives hacked into the Turkish Prime Ministry's network and accessed email addresses, passwords, and phone numbers belonging to Prime Minister Tayyip Erdogan's staff. (Erdogan has been a vocal critic of Assad's actions in the Syrian civil war.) Another group, the Crescent and Star Team, targeted Turkey's Is Bank, which was said to be among the supporters of the Taksim Gezi Park protests.[43] These events demonstrate the growth of hacktivism and show that attacks launched under the Anonymous banner are only a part of the problem.

In a high-profile doxing campaign (publicly exposing private information) in South Africa, Anonymous hacked into an anonymous whistleblower website run by the South African Police Service and revealed the identities of thousands of its users, possibly jeopardizing their safety.[44]

The legal side also made news this quarter:

In April, contradictory reports about hackers arrested in connection with #OpIsrael circulated in Tunisia, Jordan, and Morocco. Whether or not the news was true, these states were threatened for their actions.

Members of the notorious LulzSec hacking gang have been sent to jail:[45]
- Jake Davis (aka Topiary), described as the ringleader: 24 months
- Ryan Cleary (aka Viral): 32 months, will serve half that time
- Mustafa Al-Bassam (aka T-Flow): 20 months suspended for two years, and 300 hours of community service
- Ryan Ackroyd (aka Kayla): 30 months, will serve half that time

In April, the FBI raided the house of an Anonymous hacker suspected of having exposed the Steubenville rapists. Known as KYAnonymous, the suspect is said to be the leader of KnightSec, the Anonymous offshoot that carried out Operation Roll Red Roll, which targeted Steubenville over the rape of a 16-year-old girl by two football players.[46]

In May, Italian police arrested four alleged hackers between the ages of 20 and 34, accused of leading the Italian branch of the Anonymous network.[47] Six more people were placed formally under investigation and a total of 10 premises were raided at the conclusion of the two-year police investigation Tango Down.


Cyberarmies

The Syrian Electronic Army and the Izz ad-Din al-Qassam Cyber Fighters are often in the spotlight and attracted attention again this quarter. In the last two Threats Reports of 2012, we introduced the Iranian group Izz ad-Din al-Qassam Cyber Fighters after they claimed responsibility for various cyberattacks launched that year on US banks and financial-services companies. Tied to Iran, those actions are now known as Operation Ababil. They continued this quarter, as the following timeline of targets shows:

- April 2: BB&T
- April 3: Bank of America, Regions Bank
- April 4: Wells Fargo, BB&T
- April 9: Chase, Bank of America, Capital One, American Express, BB&T, Wells Fargo
- April 10: Chase, PNC, American Express, Citizens Bank, Regions Bank
- April 11: Key Bank, HSBC
- April 16: Regions Bank, Capital One, Principal
- April 17: Regions Bank
- April 18: Ameriprise Financial, Citizens Bank, M&T Bank
- April 23 to 24: BB&T
- May 1: Key Bank, BBVA, Schwab Bank
- May 2: Union Bank

On May 6, the Cyber Fighters announced that they had stopped the attacks so as not to interfere with #OpUSA. On June 12, Google said in a blog post that it had tracked a significant jump in the overall volume of phishing activity in and around Iran as its election neared.[48] Some researchers have suggested that many attackers focused their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates.[49]

The Syrian Electronic Army supports President Assad. This quarter, the group continued its actions against media and government targets:

- April 16: NPR media network hacked; website defaced
- April 20: Four Twitter accounts belonging to CBS News programs compromised
- April 22: Two FIFA World Cup Twitter accounts hacked
- April 23: The hacked AP Twitter feed announced to millions of followers that there had been two explosions in the White House, leaving President Barack Obama injured. The false news disrupted the US stock market, briefly wiping out US$136.5 billion in gains, and AP's Twitter feeds were suspended.[50]
- April 29: 11 Guardian accounts breached
- May 7: Satire publication The Onion had its Twitter account hacked
- May 17: Financial Times website and Twitter feeds hacked
- May 20: The group claimed to have hacked the Saudi Arabian Ministry of Defense email system and distributed several confidential mail exchanges
- May 21: Twitter and Facebook access for The Telegraph hacked
- May 25: Israel declared that the SEA had tried to enter the computers of the Haifa water system
- May 25: ITV News London hacked
- May 26: Sky Android apps and Twitter account hacked
- June 5: Some Turkish government websites jointly breached by Turkish hackers and the SEA
About the Authors

This report was prepared and written by Toralv Dirro, Paula Greve, Haifei Li, François Paget, Vadim Pogulievsky, Craig Schmugar, Jimmy Shah, Ryan Sherstobitoff, Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu of McAfee Labs.

About McAfee Labs

McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors (malware, web, email, network, and vulnerabilities), McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/us/threat-center.aspx

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its visionary Security Connected strategy, innovative approach to hardware-enhanced security, and unique global threat intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com


[1] http://www.mcafee.com/uk/resources/white-papers/wp-dissecting-operation-troy.pdf
[2] http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
[3] http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423
[5] http://blogs.mcafee.com/consumer/badnews-for-good-people
[6] http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
[7] http://news.softpedia.com/news/State-of-Louisiana-Website-Hacked-Spreads-Sirefef-Malware-350944.shtml
[8] http://www.theregister.co.uk/2013/06/18/carberp_trojan_source_code_sale/
[9] http://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean
[10] http://english.chosun.com/site/data/html_dir/2013/04/08/2013040800970.html
[11] http://www.bbc.co.uk/news/technology-21601608
[12] http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html
[13] https://mtgox.com/press_release_20130404.html
[14] http://dollarvigilante.com/blog/2013/4/17/bitcoin-price-march-15-april-14-2013-the-bubble-heard-round-.html
[15] https://mtgox.com/press_release_20130411.html
[16] https://mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf
[17] http://news.softpedia.com/news/Bitcoin-Block-Explorer-Blockchain-info-Disrupted-by-DDOS-Attack-346497.shtml
[18] http://www.wired.co.uk/news/archive/2013-05/3/silk-road-ddos
[19] https://s3.amazonaws.com/s3.documentcloud.org/documents/701175/mt-gox-dwolla-warrant-idg-news-service.pdf
[20] http://blog.wmtransfer.com/en/blog/wmx-the-new-type-of-title-units
[21] http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
[22] http://krebsonsecurity.com/2013/06/mtgox-phishing-campaign-hits-bing-yahoo/
[23] http://techcrunch.com/2013/06/27/the-dea-seized-bitcoins-in-a-silk-road-drug-raid/
[24] http://sbu.gov.ua/sbu/control/uk/publish/article?art_id=116410&cat_id=39574
[25] http://www.net-security.org/malware_news.php?id=2458
[26] http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
[27] http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051
[28] http://www.wired.com/threatlevel/2013/05/liberty-reserve-indicted/
[29] http://www.coindesk.com/wm-center-e-currency-exchange-seized-by-us-government/
[30] http://www.eweek.com/security/microsoft-fbi-shutter-citadel-botnets-seeking-to-end-500m-crime-spree/
[31] http://www.infoworld.com/t/security/microsoft-accused-of-friendly-fire-in-citadel-botnet-takedown-220438
[32] http://nakedsecurity.sophos.com/2013/06/12/microsoft-citadel-takedown/
[33] http://garwarner.blogspot.fr/2013/06/vietnamese-carders-arrested-in.html
[34] https://threatpost.com/feds-bust-cybercrime-ring-targeting-payroll-financial-firms/
[35] http://www.leparisien.fr/espace-premium/actu/les-pirates-du-net-pillent-27-000-coordonnees-bancaires-12-06-2013-2888529.php
[36] http://pastebin.com/4g44jfNF
[37] http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q1-2013.pdf
[38] http://news.softpedia.com/news/Hacktivists-Target-Over-100-000-Israeli-Sites-Officials-Say-There-s-No-Real-Damage-343610.shtml
[39] http://technologynewsforday.wordpress.com/2013/04/07/30000-visa-cards-leaked-by-dr-freedom/
[40] http://www.dreuz.info/2013/04/attaque-danonymous-israel-leur-a-mis-la-honte-le-w00t-ultime/
[41] http://news.softpedia.com/news/Anonymous-Hackers-to-Launch-OpPetrol-on-June-20-Video-352816.shtml
[42] http://www.ibtimes.com/opturkey-syrian-electronic-army-joins-anonymous-turkey-protests-hacks-erdogans-network-access-staff
[43] http://www.worldbulletin.net/?ArticleID=111010&aType=haber
[44] http://www.wired.co.uk/news/archive/2013-05/22/south-africa-whistleblower-leak
[45] http://www.dailymail.co.uk/news/article-2324884/Lulzsec-hackers-thought-day-pirates-caused-millions-pounds-damage-cyber-attacks-CIA-Pentagon-HomeOffice-agency.html
[46] http://gawker.com/the-fbi-raided-steubenville-anonymous-guys-house-here-511634071
[47] http://www.pcworld.com/article/2039020/police-arrest-anonymous-suspects-in-italy.html
[48] http://googleonlinesecurity.blogspot.fr/2013/06/iranian-phishing-on-rise-as-elections.html
[49] http://krebsonsecurity.com/2013/06/iranian-elections-bring-lull-in-bank-attacks/#more-21113
[50] http://www2.macleans.ca/2013/04/23/associated-press-twitter-feed-gets-hacked-claiming-explosions-at-white-house-president-injured/

2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided only for information. They are subject to change without notice, and are provided without warranty of any kind, expressed or implied. Copyright © 2013 McAfee, Inc. 60444rpt_qtr-q2_0813_fnl_ETMG
