Paul Wood, Symantec: New Wave of Cyber Attacks Impersonates Business Mediation and Arbitration Service

March 6, 2012

The February Symantec Intelligence Report shows a new wave of cyber-attacks designed to impersonate a well-known business mediation and arbitration service in North America.

Businesses are being targeted with emails purporting to originate from the US Better Business Bureau, socially engineered to suggest that a complaint had been filed against the organization and the details of the complaint could be found in the file attachment, which would lead to a PDF file that contains an embedded executable or a URL that leads to the malware.

“These attacks are reminiscent of similar incidents that were first reported in 2007, when C-level business executives were being targeted with emails that purported to originate from the US Better Business Bureau (BBB). The new wave of attacks bear similar social engineering techniques to the 2007 attacks, although recently the attackers are using considerably more advanced techniques, including server-side polymorphism, making them especially protean in nature,” said Paul Wood, cyber security intelligence manager, Symantec.

“Server-side polymorphism enables the attacker to generate a unique strain of malware for each use, in order to evade detection by traditional anti-virus security software. Scripts such as PHP are commonly used on the attacker’s Web site to generate the malicious code on-the-fly. Like the Greek sea-god, Proteus, the continually transforming nature of these attacks makes them very difficult to recognize and detect using more traditional signature-based defenses,” Wood said.

This month’s report also reveals that cyber criminals tapping into the zeitgeist was particularly noticeable in the week running-up to St. Valentine’s Day, as the volume of spam messages referencing the event rose by as much as three and a half times the daily average for that week. The volume started falling off again after February 14, with a late spike occurring on February 16, when almost 6 times the daily average volume of emails referencing the special day was recorded.

Other Report Highlights:

Spam: In February 2012, the global ratio of spam in email traffic fell by 1.0 percentage points since January 2012, to 68.0 percent (1 in 1.47 emails). This follows the continuing trend of global spam levels diminishing gradually since the latter part of 2011.

Phishing: In February, the global phishing rate increased by 0.01 percentage points, taking the global average rate to one in 358.1 emails (0.28 percent) that comprised some form of phishing attack.

E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 274.0 emails (0.37 percent) in February, an increase of 0.03 percentage points since January 2012. In February, 27.4 percent of email-borne malware contained links to malicious Web sites, 1.6 percentage points lower than January 2012.

Web-based Malware Threats: In February, Symantec Intelligence identified an average of 2,305 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 9.7 percent since January 2012.

Endpoint Threats: The most frequently blocked malware for the last month was WS.Trojan.H. WS.Trojan.H is generic cloud-based heuristic detection for files that posses characteristics of an as yet unclassified threat. Files detected by this heuristic are deemed by Symantec to pose a risk to users and are therefore blocked from accessing the computer.

Geographical Trends:

Spam

• Saudi Arabia remained the most spammed geography in February; with a spam rate of 76.2 percent.
• In the US, 68.9 percent of email was spam and 68.5 percent in Canada.
• The spam level in the UK was 68.6 percent.
• In The Netherlands, spam accounted for 70.0 percent of email traffic, 67.9 percent in Germany, 68.8 percent in Denmark.
• In Australia 68.3 percent of email was blocked as spam, compared with 67.9 percent in Hong Kong, 67.0 percent in Singapore and 65.1 percent in Japan.
• Spam accounted for 68.8 percent of email traffic in South Africa and 72.4 percent in Brazil.

Phishing

• The Netherlands remained the country most targeted for phishing attacks in February, with one in 152.8 emails identified as phishing.
• Phishing levels for the US reached one in 753.5 and one in 427.9 for Canada.
• In Germany phishing levels were one in 700.9, one in 461.9 in Denmark.
• In Australia, phishing activity accounted for one in 499.9 emails and one in 1,045 in Hong Kong; for Japan it was one in 4,762 and one in 689.9 for Singapore.
• In Brazil one in 863.9 emails was blocked as phishing.

E-mail-borne Threats

• Luxembourg became the geography with the highest ratio of malicious email activity in February, with one in 63.9 emails identified as malicious.
• In the UK, one in 154.5 emails was identified as malicious, compared with South Africa, where one in 184.9 emails was blocked as malicious.
• The virus rate for email-borne malware in the US was one in 436.5 and one in 294.0 in Canada.
• In Germany virus activity reached one in 369.2 and one in 611.7 in Denmark.
• In Australia, one in 387.6 emails was malicious. For Japan the rate was one in 1,167, compared with one in 452.8 in Singapore.
• In Brazil, one in 534.7 emails in contained malicious content.

Vertical Trends:

• The Automotive sector overtook Education to become the most spammed industry sector in February, with a spam rate of 70.9 percent; the spam rate for the Education sector was 70.6 percent.
• The spam rate for the Chemical & Pharmaceutical sector was 68.9 percent, compared with 68.4 percent for IT Services, 68.6 percent for Retail, 68.5 percent for Public Sector and 68.0 percent for Finance.
• The Public Sector remained the most targeted by phishing activity in February, with one in 84.1 emails comprising a phishing attack.
• Phishing levels for the Chemical & Pharmaceutical sector reached one in 726.2 and one in 670.6 for the IT Services sector, one in 523.7 for Retail, one in 150.0 for Education and one in 328.6 for Finance.
• With one in 71.2 emails being blocked as malicious, the Public Sector remained the most targeted industry in February.
• The virus rate for the Chemical & Pharmaceutical sector reached one in 328.5and one in 405.4 for the IT Services sector; one in 364.7 for Retail, one in 124.1 for Education and one in 297.8 for Finance.

Market Trends:

• The spam rate for small to medium-sized businesses (1-250) was 68.3 percent, compared with 68.9 percent for large enterprises (2500+).
• Phishing attacks targeting small to medium-sized businesses (1-250) accounted for one in 265.7 emails, compared with one in 361.9 for large enterprises (2500+).
• Malicious email-borne attacks destined for small to medium-sized businesses (1-250) accounted for one in 262.5 emails, compared with one in 261.7 for large enterprises (2500+).