Phishing Activity Trends Report
4th Quarter 2013
October - December 2013
Published April 7, 2014

Unifying the Global Response To Cybercrime

www.apwg.org • info@apwg.org

Table of Contents
Statistical Highlights for 4th Quarter 2013  3
Phishing E-mail Reports and Phishing Site Trends  4
Brand-Domain Pairs Measurement  5
Brands & Legitimate Entities Hijacked by E-mail Phishing Attacks  6
Most Targeted Industry Sectors  7
Countries Hosting Phishing Sites  7
Top Malware Infected Countries  8
Measurement of Detected Crimeware  9
Phishing-based Trojans & Downloaders Host Countries (by IP address)  10
Phishing by Top-Level Domain  10
APWG Phishing Trends Report Contributors  11

Phishing Report Scope
The APWG Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization's website at http://www.apwg.org, and by e-mail submissions to reportphishing@antiphishing.org. APWG also measures the evolution, proliferation, and propagation of crimeware by drawing from the research of our member companies.

Phishing Defined
Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers' online account user names and passwords -- and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers' keystrokes).

4th Quarter 2013 Phishing Activity Trends Summary
• The number of phishing sites detected rose through the fourth quarter. Overall, there were 22 percent fewer phishing sites in the fourth quarter than there were in the third quarter. Even then, 2013 was one of the most active years on record for phishing. [p. 4-5]
• During the second half of 2013, 840 unique target institutions were attacked, up significantly from the 720 found in the second half of 2013. [p. 6]
• A number of malware families morphed constantly in efforts to avoid detection by antivirus products. Fully 37 percent of the malware variations spawned during 2013 showed up during Q4. [p. 8]
• The United States continued to be the top country hosting phishing sites during the fourth quarter of 2013. [p. 7]

Overall phishing activity accelerated in the fourth quarter, and 2013 ended as a high-volume year for phishing.

Fraudsters Look to Profit on the Brands that Deliver the Highest Returns







Methodology and Instrumented Data Sets

APWG tracks unique phishing reports (e-mail campaigns) in addition to unique phishing sites. An e-mail campaign is a unique e-mail sent out to multiple users, directing them to a specific phishing web site. (Multiple campaigns may point to the same web site.) APWG counts unique phishing report e-mails as those in a given month with the same subject line in the e-mail.

The APWG also tracks the number of unique phishing websites. This is now determined by the unique base URLs of the phishing sites. (A single phishing site may be advertised as thousands of customized URLs, all leading to basically the same attack destination.) APWG additionally tracks crimeware instances (unique software applications as determined by MD5 hash of the crimeware sample), as well as unique sites that are distributing crimeware (typically via browser drive-by exploits). The APWG Phishing Activity Trends Report also includes statistics on rogue anti-virus software, desktop infection rates, and related topics.

Statistical Highlights for 4th Quarter 2013

                                                                                       October   November  December
Number of unique phishing websites detected                                            31,876    37,007    42,890
Number of unique phishing e-mail reports (campaigns) received by APWG from consumers   55,241    53,047    52,489
Number of brands targeted by phishing campaigns                                        350       356       362
Country hosting the most phishing websites                                             USA       USA       USA
Contain some form of target name in URL                                                58.72%    71.04%    74.67%
No hostname, just IP address                                                           1.06%     0.87%     1.60%
Percentage of sites not using port 80                                                  1.65%     0.72%     0.78%





Phishing E-mail Reports and Phishing Site Trends 4th Quarter 2013

The number of unique phishing sites detected rose over the course of the fourth quarter. The total number of unique phishing sites observed in Q4 was 111,773, which was a 22 percent overall decrease over Q3's 143,353.

The number of unique phishing reports submitted to APWG during Q4 was 160,777. This was a decline of 12 percent from the 180,012 received in Q3. Some reports duplicate each other, and the number of unique sites detected rose over the course of the quarter while the number of reports declined slightly.





Brand-Domain Pairs Measurement 4th Quarter 2013

The following chart combines statistics based on brands phished, unique domains, unique domain/brand pairs, and unique URLs. Brand/domain pairs count the unique instances of a domain being used to target a specific brand. (Example: if several URLs are targeting a brand but are hosted on the same domain, this brand/domain pair would be counted as one instead of several.)

Forensic utility of this metric: If the number of unique URLs is greater than the number of brand/domain pairs, it indicates many URLs are being hosted on the same domain to target the same brand. Knowing how many URLs occur with each domain indicates the approximate number of attacking domains a brand-holding victim needs to locate and neutralize. Since phishing-prevention technologies (like browser and e-mail blocking) require the full URL in order to prevent over-blocking, it is useful to understand the general number of unique URLs that occur per domain.

The number of brands targeted saw a gradual increase during Q4 2013. The number of unique brand-domain pairs remained consistent during Q4.

"Two thousand thirteen enters the 'top three' of most-phished years since MarkMonitor started tracking statistics almost 10 years ago," commented Frederick Felman, Chief Marketing Officer, MarkMonitor. "Unfortunately, today's high levels of phishing attacks are not the result of another unusual spike, it is just the new normal as phishers continue to improve their techniques and broaden their targets."

                                               October   November  December
Number of Unique Phishing Web Sites Detected   31,876    37,007    42,890
Unique Domains                                 9,028     9,211     8,831
Unique Brand-Domain Pairs                      9,951     10,466    9,897
Unique Brands                                  350       356       362
URLs Per Brand                                 91.07     103.95    118.48
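
The counting rules described in the methodology and brand-domain sections can be reproduced on a small data set. The following is an added example, not APWG's or MarkMonitor's code: it derives unique sites, unique domains, brand/domain pairs, URLs per brand and the three URL-shape percentages from constructed reports. It assumes that a "base URL" is the URL with its query string dropped, that the last two hostname labels approximate the registered domain, and that each report already carries an analyst-assigned brand label.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: (brand assigned by an analyst, reported phishing URL).
REPORTS = [
    ("ExampleBank", "http://examplebank.login.badhost.example/verify?id=1001"),
    ("ExampleBank", "http://examplebank.login.badhost.example/verify?id=1002"),
    ("ExampleBank", "http://cdn.badhost.example/eb/index.php"),
    ("ExamplePay", "http://cdn.badhost.example/pay/index.php"),
    ("ExamplePay", "http://192.0.2.10:8080/examplepay/signin"),
    ("ExamplePay", "https://secure.other.example/account"),
]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def base_url(url):
    # Assumption: base URL = scheme + host[:port] + path, query string dropped,
    # so per-recipient customized URLs collapse into one site.
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path}"

def domain_of(host):
    # Assumption: the last two labels stand in for the registered domain; a
    # production pipeline would consult the Public Suffix List instead.
    return host if is_ip(host) else ".".join(host.split(".")[-2:])

def effective_port(p):
    return p.port or (443 if p.scheme == "https" else 80)

def measure(reports):
    sites = {}  # unique base URL -> targeted brand
    for brand, url in reports:
        sites.setdefault(base_url(url), brand)
    parsed = {site: urlsplit(site) for site in sites}
    pairs = {(sites[s], domain_of(p.hostname)) for s, p in parsed.items()}
    brands = set(sites.values())
    n = len(sites)
    pct = lambda count: round(100.0 * count / n, 2)
    return {
        "unique_sites": n,
        "unique_domains": len({d for _, d in pairs}),
        "brand_domain_pairs": len(pairs),
        "unique_brands": len(brands),
        "urls_per_brand": round(n / len(brands), 2),
        "target_name_in_url_pct": pct(sum(sites[s].lower() in s.lower() for s in sites)),
        "ip_only_host_pct": pct(sum(is_ip(p.hostname) for p in parsed.values())),
        "not_port_80_pct": pct(sum(effective_port(p) != 80 for p in parsed.values())),
    }

if __name__ == "__main__":
    for name, value in measure(REPORTS).items():
        print(f"{name}: {value}")
```

The "URLs Per Brand" row in the report's table follows the same division of unique sites by unique brands (31,876 / 350 = 91.07 for October).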





Brands and Legitimate Entities Targeted by E-mail Phishing Attacks 4th Quarter 2013

The number of brands targeted in a month was down from the all-time high of 441 that was recorded in April 2013. The number of hijacked brands remained relatively level during the three-month period.

During the second half of 2013, APWG contributor IID observed 840 unique target institutions, up significantly from the 720 found in the second half of 2013. As always, a small number of brands were targeted frequently, with a larger number of brands attacked only once or twice during the period.






Most-Targeted Industry Sectors 4th Quarter 2013

Payment Services continued to be the most-targeted industry sector throughout 2013, representing nearly 54 percent of attacks in Q4. Attacks targeting ISPs declined from 8.52 percent in Q1 to 4.87 percent in Q4.

Countries Hosting Phishing Sites 4th Quarter 2013

The United States continued to be the top country where phishing sites are hosted during the fourth quarter of 2013. This is mainly due to the fact that a significant percentage of the world's Web sites and domain names are hosted in the United States, and that most phishing sites sit on compromised web servers.

October                        November                       December
United States        54.04%    United States        48.17%    United States        57.56%
China                12.80%    Netherlands           8.01%    Hong Kong             4.56%
Germany               4.01%    Germany               5.83%    Germany               4.26%
United Kingdom        3.24%    France                3.02%    France                3.16%
France                2.96%    Canada                2.79%    United Kingdom        2.83%
Canada                2.69%    United Kingdom        2.75%    Russian Federation    2.63%
Russian Federation    1.71%    Russian Federation    2.72%    Netherlands           2.29%
Brazil                1.50%    Singapore             2.22%    Turkey                1.81%
Netherlands           1.46%    Brazil                1.88%    Canada                1.72%
Spain                 1.36%    Turkey                1.39%    Rep. of Korea         1.25%






Crimeware Taxonomy and Samples According to Classification

The APWG's Crimeware statistics categorize crimeware attacks as follows, though the taxonomy will grow as variations in attack code are spawned. Definition: Crimeware is code designed with the intent of collecting information on the end-user in order to steal the user's credentials. Unlike most generic keyloggers, phishing-based keyloggers have tracking components, which attempt to monitor specific actions (and specific organizations, such as financial institutions, retailers, and e-commerce merchants) in order to target specific information. The most common types of information are access to financial-based websites, e-commerce sites, and web-based mail sites.

Malware Infected Countries 4th Quarter 2013

During the last quarter of 2013, APWG member company PandaLabs gathered a record 11.5 million new malware samples. By the end of 2013, PandaLabs' database contained a grand total of approximately 145 million unique malware samples. Many of these were slight variations on a much smaller number of malware families, created when malware morphed its code in order to avoid detection by antivirus programs. This activity accelerated as the year went on, and 37 percent of the malware created during 2013 showed up during Q4.

Trojans continue to be the most common type of malware, and represented 73.11 percent of malware infections. And according to Luis Corrons, PandaLabs Technical Director and Trends Report contributing analyst, PandaLabs has been working to detect and classify more adware/toolbar programs, at the request of customers. Based on this initiative, the share of malware that was adware/spyware found by PandaLabs rose from just 0.57% in Q3 to 13.90 percent in Q3.

In the fourth quarter of 2013, 28.39 percent of the computers analyzed by PandaLabs worldwide appeared to be infected with malware. That global infection rate is one of the lowest that PandaLabs has ever recorded, which is indeed good news. China has the highest infection rate by far -- 53.85 percent of all computers analyzed there were infected. Asia and Latin America were the regions with the highest number of computer infections. Eight of the ten least-infected countries were in Europe.

New Malware Strains in Q4    % of malware samples
Trojans                      60.76%
Viruses                      4.32%
Worms                        19.25%
Adware/Spyware               19.26%
Other                        0.09%

Malware Infections by Type   % of malware samples
Trojans                      73.11%
Viruses                      4.99%
Worms                        5.01%
Adware/Spyware               13.90%
Other                        2.98%

Highest Ranking   Country     Infection Rate
1                 China       53.85%
2                 Taiwan      39.57%
3                 Turkey      37.50%
4                 Poland      36.65%
5                 Peru        35.63%
6                 Russia      34.55%
7                 Argentina   34.42%
8                 Canada      34.31%
9                 Colombia    33.33%
10                Brazil      32.25%

Lowest Ranking    Country          Infection Rate
45                Sweden           16.18%
44                United Kingdom   18.18%
43                Portugal         18.55%
42                Switzerland      19.23%
41                Germany          20.69%
40                France           21.02%
39                Netherlands      21.07%
38                Venezuela        23.13%
37                United States    23.85%
36                Spain            26.82%







Measurement of Detected Crimeware 4th Quarter 2013

Using data contributed from APWG founding member Websense regarding the proliferation of malevolent software, this metric measures proportions of three genera of malevolent code:
• Crimeware (data-stealing malicious code designed specifically to be used to victimize financial institutions' customers and to co-opt those institutions' identities),
• Data Stealing and Generic Trojans (code designed to send information from the infected machine, control it, and open backdoors on it), and
• Other (the remainder of malicious code commonly encountered in the field such as auto-replicating worms, dialers for telephone charge-back scams, etc.)

"Phishing emails form a dangerous stage of the attack lifecycle," said Carl Leonard of Websense Security Labs. "Attackers can craft very convincing lures to bypass existing security solutions and deliver their payloads into an organisation. We found that 3.3 percent of all unwanted mail contains malicious links and other malicious content that lead unwary readers to malware download sites. Three percent may not appear to be a large number, but when viewed in light of the billions of spam emails that are sent each year, it is evident that building web intelligence into a security solution can significantly enhance an organisation's security posture."







Phishing-based Trojans and Downloaders Hosting Countries (by IP address)

The United States remained the top country that hosted phishing-based Trojans and downloaders during the three-month period. This is mainly due to the fact that a large percentage of the world's Web sites and domain names are hosted in the United States, and that much malware is distributed from compromised web servers.

October                        November                       December
United States        53.25%    United States        29.05%    United States        44.64%
China                 8.48%    China                13.40%    Europe               10.01%
Germany               5.56%    Europe                8.85%    Hungary               8.33%
Spain                 4.62%    Ukraine               7.49%    Ukraine               7.87%
Russian Federation    3.96%    Rep. of Korea         7.27%    China                 4.82%
Poland                3.57%    Poland                5.25%    Netherlands           4.15%
France                3.28%    Russian Federation    4.88%    Russian Federation    3.62%
Netherlands           3.25%    Ireland               4.31%    Germany               2.22%
Rep. of Korea         2.28%    France                3.77%    Rep. of Korea         1.94%
Ukraine               1.21%    Netherlands           2.49%    France                1.89%

Phishing by Top-Level Domain

Internet Identity records the top-level domains (TLDs) used to host phishing sites. Forty-three percent of domains used for phishing were .COM names; the .COM TLD represents approximately 42 percent of domain names registered worldwide. Phishing declined in the TLD of Brazil (.BR), which had 4 percent of phishing worldwide in the third quarter but only about 1 percent in the fourth quarter.


























APWG Phishing Activity Trends Report Contributors

Websense, Inc. is a global leader in secure Web gateway, data loss prevention, and e-mail security solutions, protecting more than 43 million employees at organizations worldwide.

Internet Identity (IID) is a US-based provider of technology and services that help organizations secure their Internet presence.

Panda Security's mission is to keep our customers' information and IT assets safe from security threats, providing the most effective protection with minimum resource consumption.

MarkMonitor, the global leader in enterprise brand protection, offers comprehensive solutions and services that safeguard brands, reputation and revenue from online risks.

Illumintel provides advising and security services to top-level-domain registry operators, Internet companies, and intellectual property owners.

About the APWG
Founded in 2003, the Anti-Phishing Working Group (APWG) is a not-for-profit industry association focused on eliminating the identity theft and frauds that result from the growing problem of phishing, crimeware, and e-mail spoofing. Membership is open to qualified financial institutions, retailers, ISPs, solutions providers, the law enforcement community, government agencies, multi-lateral treaty organizations, and NGOs. There are more than 2,000 enterprises worldwide participating in the APWG. Because electronic crime is a sensitive subject, APWG maintains a policy of confidentiality of member organizations.

Websites of APWG public-service enterprises include its public website, <http://www.antiphishing.org>, the Website of public awareness program, STOP. THINK. CONNECT. Messaging Convention <http://www.stopthinkconnect.org> and the APWG's research website <http://www.ecrimeresearch.org>. These serve as resources about the problem of phishing and electronic frauds perpetrated against personal computers and their users and resources for countering these threats. The APWG, a 501c6 tax-exempted corporation, was founded by Tumbleweed Communications, financial services institutions and e-commerce providers. APWG's first meeting was in November 2003 in San Francisco and in June 2004 was incorporated as an independent corporation controlled by its board of directors, its executives and its steering committee.

The APWG Phishing Activity Trends Report is published by the APWG. For further information about the APWG, please contact APWG Deputy Secretary General Foy Shiver at 404.434.7282 or foy@apwg.org. For media inquiries related to the content of this report, please contact APWG Secretary General Peter Cassidy at 617.669.1123, Te Smith of MarkMonitor at 831.818.1267 or Te.Smith@markmonitor.com, Luis Corrons of Panda at lcorrons@pandasoftware.es, Websense at publicrelations@websense.com, or ATmedia@internetidentity.com

APWG thanks its contributing members, above, for the data and analyses in this report.
Analysis by Greg Aaron, Illumintel; Trends Report editing by Ronnie Manning, Mynt Public Relations.
