Paul Wood, Symantec:
New Wave of Cyber Attacks Impersonates Business Mediation and
March 6, 2012
February Symantec Intelligence Report shows a new wave of cyber-attacks
designed to impersonate a well-known business mediation and arbitration
service in North America.
Businesses are being targeted with emails purporting to originate from
the US Better Business Bureau, socially engineered to suggest that a
complaint had been filed against the organization and the details of the
complaint could be found in the file attachment, which would lead to a
PDF file that contains an embedded executable or a URL that leads to the
“These attacks are reminiscent of similar incidents that were first
reported in 2007, when C-level business executives were being targeted
with emails that purported to originate from the US Better Business
Bureau (BBB). The new wave of attacks bear similar social engineering
techniques to the 2007 attacks, although recently the attackers are
using considerably more advanced techniques, including server-side
polymorphism, making them especially protean in nature,” said Paul Wood,
cyber security intelligence manager, Symantec.
“Server-side polymorphism enables the attacker to generate a unique
strain of malware for each use, in order to evade detection by
traditional anti-virus security software. Scripts such as PHP are
commonly used on the attacker’s Web site to generate the malicious code
on-the-fly. Like the Greek sea-god, Proteus, the continually
transforming nature of these attacks makes them very difficult to
recognize and detect using more traditional signature-based defenses,”
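
Added example (not part of the Symantec report): a minimal Python sketch of why an exact-hash blocklist misses per-download variants while a structural check on the PDF still fires. The sample bytes, the padding that stands in for server-side variation, and all function names are constructed for illustration.

```python
import hashlib
import re

# PDF name objects may hex-escape any character as #xx (e.g. /Embedded#46ile),
# so names are normalised before matching. Triage only: this rewrites #xx
# sequences everywhere in the buffer, which is acceptable for a yes/no check.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Real PDF names that mark embedded files or automatic actions.
RISKY_NAMES = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/OpenAction")


def normalise_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def structural_indicators(data: bytes) -> set[str]:
    """Return the risky PDF names present, independent of the file's hash."""
    if b"%PDF-" not in data[:1024]:      # header may be preceded by junk bytes
        return set()
    norm = normalise_names(data)
    return {name.decode() for name in RISKY_NAMES if name in norm}


def hash_blocklisted(data: bytes, blocklist: set[str]) -> bool:
    """Classic signature check: exact SHA-256 match against known samples."""
    return hashlib.sha256(data).hexdigest() in blocklist


def make_sample(padding: bytes) -> bytes:
    """Constructed, inert PDF-like skeleton; padding models per-download change."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Filespec /F (complaint.exe) /EF << /F 2 0 R >> >>\nendobj\n"
        b"2 0 obj\n<< /Type /Embedded#46ile /Length 0 >>\nstream\n\nendstream\nendobj\n"
        b"% " + padding + b"\n%%EOF\n"
    )


if __name__ == "__main__":
    first, second = make_sample(b"variant-A"), make_sample(b"variant-B")
    known = {hashlib.sha256(first).hexdigest()}   # only the first was ever seen
    for label, sample in (("first", first), ("second", second)):
        print(label, hash_blocklisted(sample, known), structural_indicators(sample))
```

Names stored inside compressed object streams are not visible to this byte scan; those streams have to be decompressed before the same check is applied.
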
This month’s report also reveals that cyber criminals tapping into the
zeitgeist was particularly noticeable in the week running up to St.
Valentine’s Day, as the volume of spam messages referencing the event
rose by as much as three and a half times the daily average for that
week. The volume started falling off again after February 14, with a
late spike occurring on February 16, when almost 6 times the daily
average volume of emails referencing the special day was recorded.
Other Report Highlights:
Spam: In February 2012, the global ratio of spam in email traffic fell
by 1.0 percentage points since January 2012, to 68.0 percent (1 in 1.47
emails). This follows the continuing trend of global spam levels
diminishing gradually since the latter part of 2011.
Phishing: In February, the global phishing rate increased by 0.01
percentage points, taking the global average rate to one in 358.1 emails
(0.28 percent) that comprised some form of phishing attack.
E-mail-borne Threats: The global ratio of email-borne viruses in email
traffic was one in 274.0 emails (0.37 percent) in February, an increase
of 0.03 percentage points since January 2012. In February, 27.4 percent
of email-borne malware contained links to malicious Web sites, 1.6
percentage points lower than January 2012.
Web-based Malware Threats: In February, Symantec Intelligence identified
an average of 2,305 Web sites each day harboring malware and other
potentially unwanted programs including spyware and adware; an increase
of 9.7 percent since January 2012.
Endpoint Threats: The most frequently blocked malware for the last month
was WS.Trojan.H. WS.Trojan.H is a generic cloud-based heuristic detection
for files that possess characteristics of an as yet unclassified threat.
Files detected by this heuristic are deemed by Symantec to pose a risk
to users and are therefore blocked from accessing the computer.
Saudi Arabia remained the most spammed geography in February; with a spam rate of 76.2
In the US, 68.9 percent of email was spam and 68.5 percent in Canada.
The spam level in the UK was 68.6 percent.
In The Netherlands, spam accounted for 70.0 percent of email traffic, 67.9 percent in Germany, 68.8 percent in Denmark.
In Australia 68.3 percent of email was blocked as spam, compared with 67.9 percent in Hong Kong, 67.0 percent in Singapore and 65.1 percent in Japan.
Spam accounted for 68.8 percent of email traffic in South Africa and 72.4 percent in
The Netherlands remained the country most targeted for phishing attacks in February, with one in 152.8 emails identified as phishing.
Phishing levels for the US reached one in 753.5 and one in 427.9 for Canada.
In Germany phishing levels were one in 700.9, one in 461.9 in Denmark.
In Australia, phishing activity accounted for one in 499.9 emails and one in 1,045 in Hong Kong; for Japan it was one in 4,762 and one in 689.9 for
In Brazil one in 863.9 emails was blocked as phishing.
Luxembourg became the geography with the highest ratio of malicious email activity in February, with one in 63.9 emails identified as malicious.
In the UK, one in 154.5 emails was identified as malicious, compared with South Africa, where one in 184.9 emails was blocked as malicious.
The virus rate for email-borne malware in the US was one in 436.5 and one in 294.0
In Germany virus activity reached one in 369.2 and one in 611.7 in Denmark.
In Australia, one in 387.6 emails was malicious. For Japan the rate was one in 1,167, compared with one in 452.8 in Singapore.
In Brazil, one in 534.7 emails contained malicious content.
The Automotive sector overtook Education to become the most spammed industry sector in February, with a spam rate of 70.9 percent; the spam rate for the Education sector was 70.6 percent.
The spam rate for the Chemical & Pharmaceutical sector was 68.9 percent, compared with 68.4 percent for IT Services, 68.6 percent for Retail, 68.5 percent for Public Sector and 68.0 percent for Finance.
The Public Sector remained the most targeted by phishing activity in February, with one in 84.1 emails comprising a phishing attack.
Phishing levels for the Chemical & Pharmaceutical sector reached one in 726.2 and one in 670.6 for the IT Services sector, one in 523.7 for Retail, one in 150.0 for Education and one in 328.6 for Finance.
With one in 71.2 emails being blocked as malicious, the Public Sector remained the most targeted industry in February.
The virus rate for the Chemical & Pharmaceutical sector reached one in 328.5 and one in 405.4 for the IT Services sector; one in 364.7 for Retail, one in 124.1 for Education and one in 297.8 for Finance.
The spam rate for small to medium-sized businesses (1-250) was 68.3 percent, compared with 68.9 percent for large enterprises (2500+).
targeting small to medium-sized businesses (1-250) accounted for one in 265.7 emails, compared with one in 361.9 for large
attacks destined for small to medium-sized businesses (1-250) accounted for one in 262.5 emails, compared with one in 261.7 for large enterprises (2500+).