Symantec Intelligence Report January 2015


Upload: symantec

Post on 17-Jul-2015


Page 1: Symantec Intelligence Report January 2015

SYMANTEC INTELLIGENCE REPORT JANUARY 2015

Page 2: Symantec Intelligence Report January 2015

p. 2

Symantec Corporation

Symantec Intelligence Report :: JANUARY 2015

CONTENTS

3 Summary

4 TARGETED ATTACKS + DATA BREACHES

5 Targeted Attacks

5 Attachments Used in Spear-Phishing Emails

5 Spear-Phishing Attacks by Size of Targeted Organization

5 Average Number of Spear-Phishing Attacks Per Day

6 Top-Ten Industries Targeted in Spear-Phishing Attacks

7 Data Breaches

7 Timeline of Data Breaches

8 Top-Ten Types of Information Breached

9 MALWARE TACTICS

10 Malware Tactics

10 Top-Ten Malware

10 Top-Ten Mac OSX Malware Blocked on OSX Endpoints

11 Ransomware Over Time

12 Vulnerabilities

12 Number of Vulnerabilities

12 Zero-Day Vulnerabilities

13 Browser Vulnerabilities

13 Plug-in Vulnerabilities

14 MOBILE THREATS

15 Mobile

15 Mobile Malware Families by Month, Android

16 PHISHING, SPAM + EMAIL THREATS

17 Phishing and Spam

17 Phishing Rate

17 Global Spam Rate

18 Email Threats

18 Proportion of Email Traffic Containing URL Malware

18 Proportion of Email Traffic in Which Virus Was Detected

19 About Symantec

19 More Information

Page 3: Symantec Intelligence Report January 2015


Summary

Welcome to the January edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

The average number of spear-phishing attacks rose to 42 per day in January, up from 33 in December. Finance, Insurance, & Real Estate overtook Manufacturing in the Top-Ten Industries targeted for the month of January. The overall phishing rate also rose slightly in January, to one in 1,004 emails.

There were ten data breaches reported in January that took place during the same month. This number is likely to rise as more data breaches that occurred during the month are reported. In comparison, there were 14 new data breaches reported during January that took place between February and December of 2014.

Vulnerabilities are up during the month of January, with 494 disclosed and two zero-days discovered. Google Chrome reported the most browser vulnerabilities during the month of January, after Microsoft Internet Explorer led for a number of months. Oracle, reporting on the Java program, disclosed the most plug-in vulnerabilities over the same time period. In previous months Adobe has held the top spot, with its Acrobat and Flash plug-ins.

We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.

Ben Nahorney, Cyber Security Threat Analyst

Page 4: Symantec Intelligence Report January 2015

TARGETED ATTACKS + DATA BREACHES

Page 5: Symantec Intelligence Report January 2015


At a Glance

• The average number of spear-phishing attacks rose to 42 per day in January, up from 33 in December.

• The .doc file type was the most common attachment type used in spear-phishing attacks. The .class file type came in second.

• Organizations with 1-250 employees were the most likely to be targeted in January.

• Finance, Insurance, & Real Estate led the Top-Ten Industries targeted, followed by Manufacturing.

Targeted Attacks

Average Number of Spear-Phishing Attacks Per Day

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: average number of spear-phishing attacks per day, by month, February 2014 to January 2015.]

Attachments Used in Spear-Phishing Emails

Source: Symantec :: JANUARY 2015

Executable type January December

.doc 46.1% 26.7%

.class 9.9% 2.2%

.txt 8.3% 1.3%

.bin 8.0% 1.6%

.xls 7.8% –

.ace 5.0% –

.vbs 2.4% –

.exe 2.0% 15.7%

.pdf 1.9% 1.6%

.rtf 1.3% –

Spear-Phishing Attacks by Size of Targeted Organization

Source: Symantec :: JANUARY 2015

Organization Size January December

1-250 35.2% 31.5%

251-500 7.8% 11.5%

501-1000 14.7% 6.6%

1001-1500 4.3% 3.5%

1501-2500 5.3% 9.3%

2500+ 32.7% 37.6%

Page 6: Symantec Intelligence Report January 2015


Top-Ten Industries Targeted in Spear-Phishing Attacks

Source: Symantec :: JANUARY 2015

Industry Percentage

Finance, insurance & Real Estate 29%

Manufacturing 21%

Wholesale 12%

Services - Professional 9%

Services - Non Traditional 9%

Transportation, communications, electric, 5%

Retail 5%

Public Administration 2%

Energy/Utilities 1%

Construction 1%

Page 7: Symantec Intelligence Report January 2015


Data Breaches

At a Glance

• There were ten data breaches reported in January that took place during the same month. This number is likely to rise as more data breaches that occurred during the month are reported.

• In comparison, there were 14 new data breaches reported during January that took place between February and December of 2014.

• Real names, home addresses, and government ID numbers, such as Social Security numbers, are currently the top three types of data exposed in data breaches.

Timeline of Data Breaches

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: number of incidents and identities exposed (millions), by month, February 2014 to January 2015.]

Page 8: Symantec Intelligence Report January 2015


Top-Ten Types of Information Breached

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

Rank Type of Information Percentage

01 Real Names 67%

02 Home Address 43%

03 Gov ID numbers (Soc Sec) 43%

04 Financial Information 36%

05 Birth Dates 33%

06 Email Addresses 23%

07 Medical Records 23%

08 Phone Numbers 21%

09 Usernames & Passwords 17%

10 Insurance 9%

Methodology

This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information.

In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.

Page 9: Symantec Intelligence Report January 2015

MALWARE TACTICS

Page 10: Symantec Intelligence Report January 2015


Malware Tactics

At a Glance

• W32.Ramnit!html was the most common malware blocked in January.

• W32.Ramnit and W32.Sality variants continue to dominate the top-ten malware list.

• The most common OSX threat seen on OSX was OSX.RSPlug.A, making up 19.2 percent of all OSX malware found on OSX Endpoints.

• The amount of ransomware seen during January decreased slightly when compared to December.

Top-Ten Malware

Source: Symantec :: JANUARY 2015

Rank Name January December

1 W32.Ramnit!html 6.5% 5.1%

2 W32.Almanahe.B!inf 5.8% 5.2%

3 W32.Sality.AE 5.5% 5.0%

4 W32.Ramnit.B 4.4% 3.7%

5 W32.Downadup.B 2.7% 2.4%

6 W32.Ramnit.B!inf 2.7% 2.3%

7 W32.SillyFDC.BDP!lnk 2.1% 1.6%

8 W32.Virut.CF 1.7% 1.7%

9 W97M.Downloader 1.2% –

10 W32.SillyFDC 1.1% 1.1%

Top-Ten Mac OSX Malware Blocked on OSX Endpoints

Source: Symantec :: JANUARY 2015

Rank Malware Name January December

1 OSX.RSPlug.A 19.2% 10.1%

2 OSX.Keylogger 18.9% 16.3%

3 OSX.Wirelurker 10.5% 13.6%

4 OSX.Klog.A 9.3% 7.6%

5 OSX.Okaz 8.8% 11.2%

6 OSX.Luaddit 8.0% 9.3%

7 OSX.Stealbit.B 6.1% 4.1%

8 OSX.Flashback.K 3.2% 6.3%

9 OSX.Freezer 2.6% 2.7%

10 OSX.Weapox 2.4% –

Page 11: Symantec Intelligence Report January 2015


Ransomware Over Time

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: ransomware over time, in thousands, by month, February 2014 to January 2015.]

Page 12: Symantec Intelligence Report January 2015


Number of Vulnerabilities

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: number of vulnerabilities by month, February 2014 to January 2015.]

Zero-Day Vulnerabilities

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: number of zero-day vulnerabilities by month, February 2014 to January 2015.]

Vulnerabilities

At a Glance

• There were 494 vulnerabilities disclosed during the month of January.

• There were two zero-day vulnerabilities disclosed during January.

• Google Chrome reported the most browser vulnerabilities during the month of January.

• Oracle, reporting on the Java program, disclosed the most plug-in vulnerabilities over the same time period.

Page 13: Symantec Intelligence Report January 2015


Browser Vulnerabilities

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: browser vulnerabilities by month, February 2014 to January 2015. Series: Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Apple Safari.]

Plug-in Vulnerabilities

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: plug-in vulnerabilities by month, February 2014 to January 2015. Series: Java, Apple, Adobe, ActiveX.]

Page 14: Symantec Intelligence Report January 2015

MOBILE THREATS

Page 15: Symantec Intelligence Report January 2015


Mobile

Mobile Malware Families by Month, Android

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: number of Android malware families by month, February 2014 to January 2015.]

At a Glance

• There were three Android malware families discovered in January.

Page 16: Symantec Intelligence Report January 2015

PHISHING, SPAM + EMAIL THREATS

Page 17: Symantec Intelligence Report January 2015


Phishing and Spam

Phishing Rate

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: phishing rate, expressed as one in N emails, by month, February 2014 to January 2015.]

At a Glance

• The phishing rate rose in January, at one in 1,004 emails, up from one in 1,517 emails in December.

• The global spam rate was 54 percent for the month of January.

• One out of every 207 emails contained a virus.

• Of the email traffic in the month of December, 5 percent contained a malicious URL.

Global Spam Rate

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: global spam rate, as a percentage, by month, February 2014 to January 2015.]

Page 18: Symantec Intelligence Report January 2015


Email Threats

Proportion of Email Traffic Containing URL Malware

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: proportion of email traffic containing URL malware, as a percentage, by month, February 2014 to January 2015.]

Proportion of Email Traffic in Which Virus Was Detected

Source: Symantec :: FEBRUARY 2014 — JANUARY 2015

[Chart: proportion of email traffic in which a virus was detected, expressed as one in N emails, by month, February 2014 to January 2015.]

Page 19: Symantec Intelligence Report January 2015


About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

More Information

• Symantec Worldwide: http://www.symantec.com/

• ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/

• Symantec Security Response: http://www.symantec.com/security_response/

• Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/

• Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/

Page 20: Symantec Intelligence Report January 2015

For specific country offices and contact numbers, please visit our website.

For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters

350 Ellis Street

Mountain View, CA 94043 USA

+1 (650) 527 8000

1 (800) 721 3934

www.symantec.com

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners