Saturday, December 14, 2013

Top Brands Imitated by Malicious Spam

WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through September 30, 2013. WebSense has a few differences in the way they gather their data, including being world-wide in their focus (most of my readers probably aren't receiving regular spam with the subject "Communicazione Importante"). But I also wondered about what is happening more recently. We know that the Cutwail spammers who were using the BlackHole Exploit server were the primary folks who were sending out all of those malicious LinkedIn emails, so have the top threats changed since Paunch and friends were arrested in October and the Black Hole Exploit server started drying up?
Malcovery Security has been putting out daily reports of the Top Threat Today in the malicious email world for all of 2013 (although at the beginning of the year they were still using their UAB-legacy name "Emerging Threats By Email"). These reports provide a "deep dive" look at the most prominent malware-laden email of the day. Mid-summer we made the determination that in addition to pushing out "THE" top threat, we would look at other significant malware campaigns of the day, and try to get those reports out faster and in a machine-consumable format.
Last week we presented a one-hour Webinar (still accessible, if you'd like to watch/listen to the recording) - State of Cybersecurity 2013/2014. The first 2/3rds of the webinar walks through the significant cybersecurity events of the year, followed by some Malcovery stats, like the chart shown below, followed by my Ten Security Predictions for 2014.

So, do we see LinkedIn spam as the most dangerous email "post-Paunch"? And for that matter, was it the most dangerous during the BlackHole dominated early portion of the year?
During the "Top Report of the Day" early part of the year, we saw WIDE variety of brands. In fact, in January our top reports included:
Adobe, ADP, American Airlines, BBB(4x), Bank of America, British Airways, Citibank, Digital Insights, DocuSign(2x), Dunn & Bradstreet, eFax, EFTPS (3x), FedEx, Facebook (2x), IRS, KeyBank, LinkedIn, PayPal, US Airways, Verizon, and Xerox.
LinkedIn earned the "Top Threat of the Day" position many times during the year, including January 21, April 9, April 10, July 26, August 28, September 27, and October 24. That is still less than ADP, which was the "Top Threat" on at least thirteen days (January 14, January 22, February 5, February 11, March 15, March 21, March 29, May 13, May 24, August 6, August 16, October 22, November 1st).
But what about the RECENT stuff? And how do things shape up when we look at ALL the significant malware threats we saw delivered by email instead of only "THE" top threat?

Malicious Spam Campaigns August 1 - December 13

For August 1 - December 13, here are the "Campaigns" that we saw most prominently in our T3 XML reporting:40 Days ==> Wells Fargo (+10 Days as "Top Threat" - August 6, 9, 23, September 16, 24, October 14, 29, 30, November 27, December 11)
40 Days ==> FedEx (+ 7 Days as "Top Threat" - September 5, 9, 10, 11, 17 & October 4, 10, 30)
24 Days ==> ADP (+ "Top" on August 6, 16, October 22, November 1)
23 Days ==> Facebook (+ September 6, 27)
22 Days ==> HMRC (Her Majesty's Revenue & Customs) (+ October 21)
19 Days ==> "Picture" spam (+ October 23, November 8, 18, 22, December 10, 13)
16 Days ==> Royal Bank of Scotland
15 Days ==> Companies House UK
11 Days ==> Sage
10 Days ==> American Express
10 Days ==> HSBC
10 Days ==> LinkedIn (+ August 6, 16, October 22, November 1)
9 Days ==> Dun & Bradstreet
So what does "Most Dangerous" mean? I would certainly agree that a very-well crafted graphical LinkedIn invitation is more likely to be clicked on than a poorly worded letter from a Wells Fargo advisor with a .zip attachment that I'm supposed to open. It could be that WebSense's scoring system takes into account their observed "click-through and attempted click-through" rate, but our measure shows LinkedIn in 10th place as far as active malicious spam campaigns since August 1st, and only two days since the estimated arrest date of Paunch -- October 16th and October 24th.