SYMANTEC INTELLIGENCE REPORT JUNE

2014

p. 2 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

CONTENTS 3 Summary

15 SOCIAL MEDIA

+ MOBILE THREATS 4

TARGETED ATTACKS + DATA BREACHES

5 Targeted Attacks 5 Attachments Used in Spear-Phishing Emails

5 Spear-Phishing Attacks by Size of Targeted Organization

16 Mobile 16 Mobile Malware Families by Month, Android

16 Number of Android Variants Per Family

17 Mobile Threat Classifications

5 Average Number of Spear-Phishing

18 Social Media

6 Top-Ten Industries Targeted

18 Social Media

7 Data Breaches

19 PHISHING, SPAM + EMAIL THREATS

7 Timeline of Data Breaches

20 Phishing and Spam

8 Total Identities Exposed

20 Phishing Rate

8 Top Causes of Data Breaches

20 Global Spam Rate

Attacks Per Day

in Spear-Phishing Attacks

8 Total Data Breaches 9 Top-Ten Types of Information Breached

21 Email Threats 21 Proportion of Email Traffic Containing URL Malware

10 MALWARE TACTICS 11 Malware Tactics

21 Proportion of Email Traffic

in Which Virus Was Detected

11 Top-Ten Malware

22 About Symantec

11 Malicious Activity by Source: Bots

22 More Information

12 Top-Ten Mac OSX Malware 12 Ransomware Over Time 13 Vulnerabilities 13 Number of Vulnerabilities 13 Zero-Day Vulnerabilities 14 Browser Vulnerabilities 14 Plug-in Vulnerabilities

p. 3 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Summary

Welcome to the June edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

The largest data breach reported in June resulted in the exposure up 1.3 million identities. This seems like a small number when compared to the 145 million exposed in the largest breach of May. However, while reported in June, this breach also took place during the month of May. This brings the total number of identities exposed in May to over 147 million, which is the second-worst month for data breaches in the last 12 months. There was an average of 88 spear-phishing attacks per day in June. This appears to be a return of spear-phishing levels seen in the months of March and April, after the average per day dropped in May. A relatively new OSX threat by the name of OSX.Stealbit.B topped our list of OSX malware, responsible for 25.7 percent of OSX threat found on OSX systems. This threat looks for specific bitcoin-related software on OSX computers and will attempt to modify the programs in order to steal bitcoins. The number of Android variants per family reached the lowest levels seen in the last twelve months. While there was not a significant change in the number of families discovered in June, this may indicate that attackers have had more success with their current set of threats, reducing their need to create multiple variants. June was a quiet month for vulnerabilities, where (only) 438 were reported—tying the lowest number reported in the last 12 months. There were no zero day vulnerabilities disclosed during the month. We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback. Ben Nahorney, Cyber Security Threat Analyst [email protected]

p. 4 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

TARGETED ATTACKS + DATA BREACHES

p. 5 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Targeted Attacks

At a Glance

Average Number of Spear-Phishing Attacks Per Day

• The average number of spear-phishing attacks per day returned to similar levels seen in March and April, after dropping in May.

Source: Symantec :: JULY 2013 — JUNE 2014

250 225 200 175

188 171

• The .doc file type continues to be the most common attachment type used in spear-phishing attacks, followed by .exe files.

165 141

150 125

103

100

116 84

75

54

54

50

88

84

21

25 J

A

S

O

N

D

J 2014

F

M

A

M

J

• Organizations with 2500+ employees were the most likely to be targeted in May. • The Top-Ten Industries targeted remains largely unchanged from May, with minor shifts of less than one percent for various industries.

Attachments Used in Spear-Phishing Emails

Spear-Phishing Attacks by Size of Targeted Organization

Source: Symantec :: JUNE 2014

Source: Symantec :: JUNE 2014

Executable type

June

May

Organization Size

June

May

.doc

19.5%

17.7%

1-250

36.3%

37.0%

.exe

15.4%

16.1%

.au3

11.5%

11.8%

251-500

8.4%

8.6%

.jpg

6.2%

7.0%

501-1000

9.3%

9.0%

.scr

5.8%

6.4%

1001-1500

3.0%

3.0%

.class

2.1%

1.6%

.pdf

1.7%

1.3%

1501-2500

4.1%

4.1%

.bin

1.1%

1.2%

2500+

38.9%

38.3%

.mso

0.6%

—

.dmp

0.6%

—

p. 6 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Top-Ten Industries Targeted in Spear-Phishing Attacks Source: Symantec :: JUNE 2014

22% 19 17

Services – Non-Traditional Manufacturing Finance, Insurance & Real Estate

11 9

Services – Professional Wholesale

6 6

Public Administration Transportation, Gas, Communications, Electric Retail Construction Mining

3 1 1

p. 7 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Data Breaches

Timeline of Data Breaches Source: Symantec :: JULY 2013 — JUNE 2014

159

37

35

NUMBER OF INCIDENTS

160

147

140

130

30

27

25

113 28

22

20

23

100 80

22

15

120

27

20

18

17

60

16

10 5

40

9 8 J

.3

.8

A

S

8 O

N

D

J

INCIDENTS

At a Glance • The largest data breach reported in June took place during the month of May. • With 1.3 million identities exposed in this breach, this brings the total identities exposed in May to 147 million. • Hackers have been responsible for 49 percent of data breaches in the last 12 months. • Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.

2.6

1.7

2.7

F

M

A

.9 M

J

IDENTITIES EXPOSED (Millions)

20

IDENTITIES EXPOSED (MILLIONS)

40

p. 8 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Total Data Breaches

Total Identities Exposed

JULY 2013 — JUNE 2014

JULY 2013 — JUNE 2014

574

266

Million

Top Causes of Data Breaches Number of Incidents

Source: Symantec :: JULY 2013 — JUNE 2014

49%

Hackers Accidentally Made Public

23%

Theft or Loss of Computer or Drive Insider Theft

131 62

20%

52

7%

19

Fraud

.4%

1

Unknown

.4%

1 TOTAL

266

p. 9 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Top-Ten Types of Information Breached Source: Symantec :: JULY 2013 — JUNE 2014

01

Real Names

74%

02

Gov ID numbers (Soc Sec)

46%

03

Home Address

44%

04

Birth Dates

44%

05

Medical Records

33%

06

Financial Information

26%

07

Phone Numbers

20%

08

Email Addresses

18%

09

Usernames & Passwords

14%

10

Insurance

9%

Methodology This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily. The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information. In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released. Norton Cybercrime Index

http://us.norton.com/protect-yourself

p. 10 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

MALWARE TACTICS

p. 11 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Malware Tactics

Top-Ten Malware

At a Glance

Source: Symantec :: JUNE 2014

Rank

Name

Percentage

1

W32.Sality.AE

5.3%

2

W32.Ramnit!html

5.1%

3

W32.Ramnit.B

3.8%

4

W32.Almanahe.B!inf

3.7%

5

W32.Downadup.B

2.9%

6

W32.Ramnit.B!inf

2.6%

7

W32.SillyFDC.BDP!lnk

2.1%

8

W32.Virut.CF

1.6%

9

Trojan.Malscript

1.4%

10

Trojan.Zbot

1.4%

Malicious Activity by Source: Bots Source: Symantec :: JUNE 2014

Rank

Country/Region

Percent

1

United States

21.9%

2

China

10.6%

3

Taiwan

7.1%

4

Hungary

5.0%

5

Italy

4.4%

6

Brazil

3.0%

7

Japan

2.9%

8

Canada

2.7%

9

France

2.6%

10

Germany

2.2%

• W32.Sality and W32.Ramnit variants continue to dominate the top-ten malware list. • The United States continues to be the largest source of bot activity. • The most common threat on OSX was OSX.Stealbit.B, making up 26 percent of all OSX malware found on OSX Endpoints.

p. 12 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Top-Ten Mac OSX Malware Blocked on OSX Endpoints Source: Symantec :: JUNE 2014

Malware Name

Percent of Mac Threats Detected on Macs

OSX.Stealbit.B

25.7%

OSX.RSPlug.A

24.1%

OSX.Flashback.K

14.7%

OSX.HellRTS

6.0%

OSX.Sabpab

4.9%

OSX.SMSSend

4.5%

OSX.Keylogger

2.5%

OSX.Loosemaque

2.2%

OSX.Remoteaccess

2.0%

OSX.Flashback

1.6%

p. 13 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Vulnerabilities

Number of Vulnerabilities

At a Glance

Source: Symantec :: JULY 2013 — JUNE 2014

• Vulnerabilities are at their lowest levels seen in the last 12 months.

800 700 600

663 561

500

555

549 469

438

542

562

• There were no zero-day vulnerabilities discovered in June.

579 473

471

438

400 300

• Oracle’s Java reported the most plug-in vulnerabilities over the same time period.

200 100

J

A

S

O

N

D

J 2014

F

M

A

M

J

Zero-Day Vulnerabilities Source: Symantec :: JULY 2013 — JUNE 2014

8 7 6

5

5

4

4 3

2

2 1

• Internet Explorer has reported the most browser vulnerabilities in the last 12 months.

2

1

J

1 0

0

0

A

S

O

0 N

D

J 2014

0 F

M

0 A

M

J

p. 14 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Browser Vulnerabilities Source: Symantec :: JULY 2013 — JUNE 2014

100

Opera Mozilla Firefox

80

Microsoft Internet Explorer 60

Google Chrome Apple Safari

40

20

J

A

S

O

N

D

J F 2014

M

A

M

J

Plug-in Vulnerabilities Source: Symantec :: JULY 2013 — JUNE 2014

80

Java

70

Apple

60

Adobe

50

ActiveX

40 30 20 10

J

A

S

O

N

D

J 2014

F

M

A

M

J

p. 15 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

SOCIAL MEDIA + MOBILE THREATS

p. 16 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Mobile

Mobile Malware Families by Month, Android

At a Glance • There were four Android malware families discovered in June.

Source: Symantec :: JULY 2013 — JUNE 2014

10 9 8

• The number of variants per family reached its lowest levels seen in the last 12 months.

8 7

7 6 5

4

4

4

4

4

3

3

2

2

2

3 2

2

1 J

A

S

O

N

D

J 2014

F

M

A

M

J

Number of Android Variants Per Family Source: Symantec :: JULY 2013 — JUNE 2014

120

107 100

93 80

80

48

46

36

40 20

66

60

60

41

33

20

J

18

A

S

O

N

D

J 2014

F

M

A

M

J

• Of the threats discovered in the last 12 months, 28 percent track the device’s user and 21 percent steal information from the device. • In terms of social networking scams, 78 percent were fake offerings.

p. 17 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Mobile Threat Classifications Source: Symantec :: JULY 2013 — JUNE 2014

30 25

24% 21%

21%

20 15

13%

12%

10

7%

5

Track User

Steal Traditional Reconfigure Information Threats Device

Send Content

Adware Annoyance

Track User

Risks that spy on the individual using the device, collecting SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or gathering pictures and video taken with the device.

Steal Information

This includes the collection of both device- and user-specific data, such as device information, configuration data, or banking details.

Traditional Threats

Threats that carry out traditional malware functions, such as back doors and downloaders.

Reconfigure Device These types of risks attempt to elevate privileges or simply modify various settings within the operating system. Adware/Annoyance

Mobile risks that display advertising or generally perform

actions to disrupt the user.

Send Content

These risks will send text messages to premium SMS numbers, ultimately appearing on the bill of the device’s owner. Other risks can be used to send spam messages.

p. 18 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Social Media

Social Media Source: Symantec :: JULY 2013 — JUNE 2014

90% 80 70

70%

60 50 40 30

20%

20

7%

10

Fake Offering

Manual Sharing

Likejacking

1%

.7%

Fake Apps

Comment Jacking

Fake Offers

These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.

Manual Sharing Scams These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends. Likejacking Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack. Comment Jacking Similar to likejacking, this type of scam relies on users clicking links that are added to comments by attackers. The links may lead to malware or survey scams. Fake App Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.

p. 19 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

PHISHING, SPAM + EMAIL THREATS

p. 20 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Phishing and Spam

Phishing Rate

At a Glance

Source: Symantec :: JULY 2013 — JUNE 2014

• The phishing rate for June was one in 496 emails, down from one in 395 emails in May.

1 in 100 1 in 200

• The global spam rate was 59.9 percent for the month of June.

1 in 300 1 in 400

• One out of every 232 emails contained a virus.

1 in 500 1 in 600

• Of the email traffic in the month of June, 7.4 percent contained a malicious URL.

1 in 700 1 in 800 1 in 900 J

A

S

O

N

D

J

F

M

A

M

J

F

M

A

M

J

2014

Global Spam Rate Source: Symantec :: JULY 2013 — JUNE 2014

80% 70 60 50 40 30 20 10

J

A

S

O

N

D

J 2014

p. 21 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

Email Threats

Proportion of Email Traffic in Which Virus Was Detected Source: Symantec :: JULY 2013 — JUNE 2014

1 in 50 1 in 100 1 in 150 1 in 200 1 in 250 1 in 300 1 in 350 1 in 400 1 in 450 1 in 500 J

A

S

O

N

D

J 2014

F

M

A

M

J

J 2014

F

M

A

M

J

Proportion of Email Traffic Containing URL Malware Source: Symantec :: JULY 2013 — JUNE 2014

45% 40 35 30 25 20 15 10 5 J

A

S

O

N

D

p. 22 Symantec Corporation Symantec Intelligence Report :: JUNE 2014

About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

More Information •  Symantec Worldwide: http://www.symantec.com/ •  ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/ •  Symantec Security Response: http://www.symantec.com/security_response/ •  Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/ •  Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/

For specific country offices and contact numbers, please visit our website. For product information in the U.S., call toll-free 1 (800) 745 6054. Symantec Corporation World Headquarters 350 Ellis Street Mountain View, CA 94043 USA +1 (650) 527 8000 1 (800) 721 3934 www.symantec.com

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners