CYREN 2013 Internet Threat Report (English)
SECURITY YEARBOOK: 2013 IN REVIEW AND OUTLOOK FOR 2014
CYREN www.CYREN.com blog.cyren.com
CYREN YEARBOOK02
FOREWORD
SECURITY REVIEW 2013 AND WHAT TO EXPECT IN 2014
2013 was a very challenging year for IT security, with several high-profile breaches – and against that backdrop, it would be easy to think that the bad guys are winning. In 2013, the CYREN GlobalView™ Cloud analyzed more than 4 trillion security transactions, giving us a unique insight into the security landscape “below the headlines.” In that data we see many encouraging trends.
Cyber crime is big business and, in common with other commercial enterprises, the cyber gangs expect a big return on their investment (ROI). So the fact that in 2013 cyber criminals altered or even dropped many of their long-standing techniques is a sign that we have been successful in destroying the ROI for those techniques.
In that context, let’s take a look at spam. While 72 percent of all email traffic is still unwanted advertising, overall spam levels dropped. This is because botnets were traced and taken down – forcing the cyber gangs to devise new techniques for spreading malware to build replacement networks, for example by distributing malware via malicious links instead of attachments. They have to do this because the economics of spam are so poor that the spammers only get a ROI if they can illegally co-opt millions of computers – with their associated bandwidth – into their networks.
We also saw a big shift in the emphasis for malware distribution toward smartphones and tablets, both for their prevalence in the market – they outsell desktop computers by 10x – and for their comparatively poor protection. Smartphones in particular have proven a lucrative new outlet for the gangs, as they offer other ways to generate a return beyond ‘classic’ spam distribution.
In response to more effective protection for desktops, we have seen a rise in ‘ransomware’ – where a computer is locked down by malware and the owner is threatened with the destruction of their data unless they pay to unlock it – with the gangs also incorporating a human component into their distribution model.
At the CYREN GlobalView™ Security Lab, we are committed to innovating in equal and opposing force to the cyber gangs. In 2013 we incorporated our proven antispam, antimalware, IP reputation, mobile security, and URL filtering technologies into a powerful new security-as-a-service platform. The first application of this is a global Web security service that protects users from Web-borne threats – wherever they are and on whatever device they use. In 2014, we are expanding our existing Advanced Persistent Threat (APT) capabilities to shine a light further than ever into the murky world of the botnet, potentially exposing the networks all the way back to their owners.
It is almost certain that 2014 will present its own challenges, but we will continue to destroy the ROI for cyber criminal activities. While we may lose some battles along the way, we will be winning the war.
Lior Kohavi, Chief Technology Officer at CYREN
TABLE OF CONTENTS
ANDROID MALWARE
OVERALL MALWARE
WEB SECURITY
PHISHING
INTERNET SECURITY
EMAIL-ATTACHED MALWARE
SPAM
ZOMBIE WORLD MAP
SPAM COUNTRIES OF ORIGIN
SPAM TOPICS
PREDICTIONS
ABOUT CYREN
PUBLISHER: CYREN, 7925 Jones Branch Drive, Suite 5200, McLean, VA 22102, Tel: +1 703 760 3320, www.CYREN.com
ANDROID MALWARE
MALWARE FOR ANDROID DEVICES
[Figure: NEW ANDROID MALWARE, by month, JAN 13 to DEC 13; vertical axis 0 to 400,000]
High-powered mobile devices such as smartphones and tablets have become increasingly common and the Android OS is now installed on hundreds of millions of devices. Cyber criminals have clearly taken notice of the huge number of devices, as evidenced by the steady growth of malware targeting these platforms.
There are additional factors that add to the attraction of Android as a malware platform. The first is the always-connected nature of most devices – either to WiFi or mobile networks. This allows cyber criminals to access compromised devices at will and abuse them in the same way as wired PCs. The second is the built-in payment mechanism – usually to app stores – that does not require user re-entry of credit card information. This can be easily abused for bogus background app-store purchases. Thirdly, malware can also generate revenue from premium SMS, MMS and calls.
ANDROID MALWARE AVERAGE: 5,768 per day for last 6 months
OVERALL MALWARE
RANSOMWARE
Ransomware is not a new concept, but 2013 saw a huge increase in its use – apparently as ROI from other sources fell. Typically, the unfortunate victim is presented with a locked screen and told to make a payment – either directly via credit card, or by calling a number and handing over payment details. The alternative to payment is destruction of all data on the affected hard drive. Most victims pay “unlocking fees” in the region of a few hundred dollars. Of course there is no guarantee that the criminals will not lock the computer again, so many users elect to reformat their machine and start over.
TOP 5 DETECTIONS OVER THE LAST 6 MONTHS
1. AndroidOS/Plankton.A.gen!Eldorado
2. AndroidOS/FakeDoc.H
3. AndroidOS/SMSreg.N
4. AndroidOS/AirPush.A.gen!Eldorado
5. AndroidOS/SMSreg.C.gen!Eldorado
MALWARE SHARE (%): SMS 73, Stealer 8, Adware 12, Other 7
INFOSTEALER Backdoor: AndroidOS/Plankton.A.gen
Plankton is a service that runs in the background and communicates with a command and control server, “searchwebmobile.com”. The service waits for actions to execute from the server. It is able to get the user's browsing history, set bookmarks, homepage and shortcuts, and install downloaded files to the user's device. It collects the phone's IMEI, IMSI, SDK version and IP address, amongst other sensitive data, and sends it to the server.
SMS TROJAN RISK: AndroidOS/SMSreg.N
SMSreg.N is NOT a Trojan; it is classified as a security risk. The user downloads an application that sends an SMS message from the user's phone to a premium number for some service that the application provides – for example a daily horoscope. In most cases, the user never reads the user agreement, where it is stated that the user will be charged for this service by letting the application automatically send an SMS message once a week or a month.
ADWARE: AndroidOS/AirPush.A.gen
This is a detection for the Airpush SDK that pushes ads to the notification bar on the Android device, even though the game or the app it was installed with is not running.
WEB SECURITY
GROWTH OF MALWARE EMBEDDED IN WEBSITES
The number of malware URLs tracked in the GlobalView™ Cloud Database increased by 131% during 2013.
Any website can easily be compromised if not updated regularly – enabling malware developers to exploit security vulnerabilities in common content management systems. The most common Web category that CYREN saw hacked in 2013 was “Education” sites.
Travel, sports and pornography sites are popular targets too (although the latter may intentionally hide malware), followed by websites offering free pages.
[Figure: INCREASE IN MALWARE URLS OVER THE YEAR; labels shown: TRAVEL, EDUCATION, URL Filter]
MALWARE URL INCREASE: 131% over the year
WEB EXPLOIT KITS
During 2013 CYREN saw an increase in Exploit Kits being used to deliver platform-specific malware. In this model, users visit an infected website and their computer is scanned by an ‘invisible’ script that chooses the appropriate malware that can exploit known vulnerabilities associated with the browser, OS, PDF reader, etc.
POPULAR TOPICS 2013
SYRIA EVENT: September 2013 – Fake CNN and BBC news link to malware websites.
ROYAL BABY: July 2013 – The world awaiting first pictures of the new Royal baby in Great Britain – and malware authors created fake status updates and offered “live hospital cam.”
POPE ELECTION: March 2013 – Papal election: Fake results and fake child abuse rumors.
[Figure: exploit kit infection, steps 1 to 6; caption: Finds weaknesses and infects computer]
[Screenshot: Internet Explorer prompt, translated from German]
Internet Explorer
Do you want to allow this website to open a program on your computer?
From: twistplex.com
Program: Microsoft Help and Support Center
Address: hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysin
Always ask before opening this type of address
Allow / Cancel
Allowing web content to open programs can be useful, but it is a potential threat to your computer. Only allow this action if you trust the source of the content. What is the risk?
[Figure: excerpt of the script, cut off in the source]
if (b){
var g = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 22.1, "Win.*Mobile", 22.2, "Pocket\s*PC", 22.3, 100];
for (h = g.length - 2; h >= 0; h
Users are typically led to these threats by posts on social networking sites or email messages with embedded links. Current events are increasingly used as bait to attract users to websites contaminated with malware. Popular subjects in 2013 included the papal election and the royal baby, with the conflict in Syria being referenced when it had barely begun. To illustrate how fast these can move, our data shows that the average time between an actual news event and its exploitation by cyber criminals was around 22 hours.
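The prompt pictured in this section is the browser asking whether twistplex.com may open a local program through an hcp:// address. As an added example (not code from the CYREN report), the JavaScript below scans page markup for such hand-offs to a protocol handler, including scheme names hidden behind character references or embedded tabs; the function names, the scheme allowlist and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example (not from the CYREN report): flag URLs in page markup whose
// scheme hands off to a local program, as the hcp:// address in the prompt does.

// Schemes treated as ordinary web content. This allowlist is an assumption
// for the example; tune it to the handlers an environment actually needs.
const WEB_SCHEMES = new Set(["http", "https", "mailto", "tel", "data", "blob", "about", "javascript"]);

// Attributes that carry a URL the browser may load or navigate to.
const URL_ATTR = /\b(?:href|src|action|data|formaction)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Script-driven navigation with a string-literal target.
const JS_NAV = /(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\(|window\.open\()\s*["']([^"']+)["']/gi;

const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

// Decode character references so an encoded scheme name is still recognised.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&colon;/gi, ":").replace(/&amp;/gi, "&");
}

// Lower-cased scheme, or null for a relative URL. Browsers drop tab/CR/LF
// anywhere in a URL and ignore leading control characters and spaces.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\r\n]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function findHandlerLaunches(html) {
  const findings = [];
  const seen = new Set(); // report each decoded URL once
  const check = (raw, where) => {
    const url = decodeEntities(raw);
    const scheme = schemeOf(url);
    if (scheme && !WEB_SCHEMES.has(scheme) && !seen.has(url)) {
      seen.add(url);
      findings.push({ scheme, where, url });
    }
  };
  for (const m of html.matchAll(URL_ATTR)) check(m[1] ?? m[2] ?? m[3] ?? "", "attribute");
  for (const m of html.matchAll(JS_NAV)) check(m[1], "script");
  return findings;
}

// Constructed sample page; only the hcp:// address prefix is taken from the report.
const SAMPLE_HTML = `
<a href="https://news.example/royal-baby">Full story</a>
<img src="/img/hospital-cam.jpg">
<iframe src="hcp://services/search?query=anything"></iframe>
<a href="h&#9;cp://services/search?query=tab">live cam</a>
<a href='&#x48;CP://services/search?query=entity'>results</a>
<script>window.open("hcp://services/search?query=script");</script>
<form action=mailto:desk@news.example></form>`;

for (const f of findHandlerLaunches(SAMPLE_HTML)) {
  console.log(`${f.where}: ${f.scheme} -> ${JSON.stringify(f.url)}`);
}
```

A regular-expression scan like this suits triage of saved page source; URLs assembled at run time by obfuscated script need a rendering sandbox instead.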
PHISHING
PHISHING INCREASE IN 2013 AND WEB CATEGORIES INFECTED BY PHISHING
The number of phishing URLs tracked in the GlobalView Cloud Database increased by 264% during the course of 2013.
Most common categories: Free Web pages, Education, Sports, Computers and Technology, small shopping and small business sites.
PHISHING URLS 2013: 264% increase over the year
TOP PHISHING TOPICS
1. FREE WEB PAGES
2. EDUCATION
3. SPORTS
4. COMPUTERS & TECHNOLOGY
5. SMALL SHOPPING SITES
6. SMALL BUSINESS SITES
PAYPAL IS THE NUMBER ONE TARGET OF PHISHING
Every day: ~750 new phishing sites targeting PayPal users
With almost 150 million registered account holders, it is not surprising that PayPal regularly places first as a subject used in phishing attacks. Every day we uncover around 750 new phishing websites that specifically target PayPal users; this equates to more than 270,000 sites annually. As new phishing sites are discovered they are categorized and logged as such in the CYREN GlobalView™ Cloud URL database.
INTERNET SECURITY
THE YEAR IN INTERNET SECURITY: 2013 VISUAL REVIEW
[Figure: Viruses and Spam levels by month, JAN to DEC 2013, with marked events: APRIL FOOLS' DAY, VALENTINE'S DAY, MOTHER'S DAY, ROYAL BABY SPAM, HALLOWEEN, THANKSGIVING, SYRIAN CRISIS, SPAM MAXIMUM]
REVIEW 2013
2013 Spam average: 78.297 billion emails per day
2013 Email malware average: 1.68 billion daily virus emails
Phishing: 264% increase in phishing URLs over the year
2013 Web malware: 131% increase during 2013
Android malware: 173,000 new Android malware per month
2013 Malware: 6.08 million new unique malware per month
TRENDS 2014
MOBILE MALWARE: Android still the main target
LOCALIZATION: More localized spam
WEB EXPLOITS: Growing underground market
EMAIL-ATTACHED MALWARE
MALWARE IS BEING TAILORED TO SPECIFIC COUNTRIES
Malware is increasingly tailored for specific countries. While German email users receive fake train bookings from Deutsche Bahn or Lufthansa tickets, Americans will receive fake gift vouchers from U.S. companies, bills from their tax authorities, or even speeding fines from the police.
2013 VIRUS AVERAGE: 1.85 BILLION per day
2013 VIRUS MAXIMUM: 7.18 BILLION in February
[Figure: VIRUS/OUTBREAK, share in % by month, JAN to DEC; vertical axis 0% to 100%]
VIRUS SHARE (%): dangerous.virus-outbreak 60.8, dangerous.virus 38.5, dangerous.iframe 0.7
SPAM
SPAM LEVELS CONTINUE TO DECREASE
Following the trend of the last two years, spam continued to decrease. Globally, spam now averages 72% of all email traffic. Although spam has decreased, the absolute number of messages sent every day is still significant – averaging 78 billion emails. By year-end the average had dropped to 57 billion emails per day.
[Figure: Spam Trend, share in % by month, JAN to DEC; vertical axis 0% to 100%]
SPAM SHARE (%): spam 72, legitimate emails 28
2013 SPAM MAXIMUM: 301% of the year’s average
2013 SPAM AVERAGE: 78.297 BILLION daily spam emails
ZOMBIE WORLD MAP
ZOMBIE COUNTRIES: TOP 10 COUNTRIES FOR HIJACKED COMPUTERS BY QUARTER IN 2013
QUARTER 1: INDIA, RUSSIA, BELARUS, IRAN, PERU, ARGENTINA, COLOMBIA, KAZAKHSTAN, VIETNAM, CHINA
QUARTER 2: INDIA, CHINA, VIETNAM, PERU, BELARUS, TAIWAN, RUSSIA, COLOMBIA, ARGENTINA, IRAN
QUARTER 3: INDIA, VIETNAM, CHINA, TAIWAN, BELARUS, PERU, UKRAINE, ARGENTINA, IRAN, RUSSIA
QUARTER 4: INDIA, VIETNAM, IRAN, TAIWAN, BELARUS, PERU, UKRAINE, UNITED STATES, CHINA, RUSSIA
India had the largest number of hijacked – or ‘Zombie’ – computers throughout 2013. These zombies were mainly used for spam and malware distribution. Outside of India, the other countries in the Top 10 were almost exactly the same throughout the year, with their place varying according to overall botnet activity.
[Map: TOP TEN ZOMBIE COUNTRIES EACH QUARTER; countries marked: INDIA, RUSSIA, CHINA, IRAN, VIETNAM (4), BELARUS (6), PERU (7), TAIWAN (8), ARGENTINA (9), COLOMBIA (10)]
SPAM COUNTRIES OF ORIGIN
ONLY TEN COUNTRIES PRODUCE 50% OF ALL SPAM
Ten countries are responsible for approximately 50% of all detected spam, with the Republic of Belarus, USA and India far ahead at the top of the list. In 2013, a regional concentration of spammers emerged in Eastern Europe, replacing the Asian nations of Indonesia, Vietnam and India. An increasing trend toward spam and malware originating from Western European networks, for example Italy and Spain, is a cause for concern.
[Figure: share of spam by country of origin. Countries shown: UNITED STATES, INDIA, ITALY, ARGENTINA, COLOMBIA, SPAIN, BELARUS, UKRAINE, PERU, RUSSIAN FEDERATION. Values shown: 8.6%, 6.7%, 5.3%, 4.2%, 3.9%, 4.8%, 5%, 3.1%, 3.1%, 3.1%]
SPAM TOPICS
THE RETURN OF DIET AND STOCK SPAM
After a break of several years, there was a resurgence in spam advertising for diet products and penny stocks. As spammers never abandon any technique that yields a profit, we expect this activity to increase in 2014.
[Figure: spam topics. With values: DATING 6.8%, DIET 17.6%, PHARMACY 13.8%, JOB OFFER 7.4%, STOCK 15.8%, CASINO 7.7%. Without values: SCAM, REPLICA, PHISHING, DRIVE-BY]
PREDICTIONS
THE SECURITY OUTLOOK FOR 2014
VIRUSES, TROJANS AND SPAM BECOME SMARTER, FASTER AND MOBILE
As the Internet becomes an everyday component of the life of more and more people, cyber criminals will take the opportunity to create even more targeted attacks.
EVENT SPAM RELATING TO THE OLYMPIC GAMES, FOOTBALL AND POLITICAL EVENTS: Global – and increasingly local – events are used as lures for malware and spam campaigns. Cyber criminals still love recycling: malware attachments and mailing structures are routinely reused for different campaigns.
PHISHING with a special focus on social networks, as access details become valuable in their own right.
SHORT BUT ACUTE MALWARE OUTBREAKS: Spam and malware senders know they only have a short window of opportunity, so campaign durations will be shorter, but the activity level within that window will be more intense.
MOBILE MALWARE: Most mobile devices are still under-protected and malware developers will focus on this lack of security. At the same time mobile surfing brings new risks, as users have limited visibility of URLs as compared to their PCs.
GOLDEN OLDIES: Well-established spam techniques like ASCII spam or using pictures with disruptive pixels are returning for an encore. This is because these techniques can still bypass some traditional filters, maximizing delivery of the campaign.
ABOUT CYREN
CYREN SECURITY SERVICES
WEB: Designed for rapid deployment by businesses of all sizes and powered by the GlobalView™ Cloud, CYREN Web technologies give you the flexibility to secure any device against Web-borne threats. Whether you deploy our Embedded URL Filtering or full-service Web security-as-a-service, your customers will enjoy industry-leading protection across all their devices, anywhere they are, however they want.
MORE INFORMATION: www.CYREN.com/Web
ANTIMALWARE: CYREN Embedded AntiVirus provides the best and broadest protection against new and zero-hour threats. Our partners enjoy industry-leading performance with ultra-low processing, memory, storage, and bandwidth consumption. CYREN Embedded Mobile Security delivers a comprehensive security Web and antivirus foundation for providers of mobile applications or services.
MORE INFORMATION: www.CYREN.com/AntiMalware
EMAIL: CYREN Email technologies provide industry-leading email protection service. Our antispam, antivirus, IP reputation, and outbound antispam solutions are simple to administer and scale to whatever size your business needs, protecting your customers’ inbox from threats across all devices. CYREN Email solutions are available in both Embedded and security-as-a-service models.
MORE INFORMATION: www.CYREN.com/Email
ALWAYS AHEAD OF THE THREAT: Power your business with CYREN real-time security intelligence and live data analytics. Visit us at the CYREN GlobalView™ Security Center: www.CYREN.com/security-center
CONTACT INFORMATION
US Headquarters
7925 Jones Branch Drive,
Suite 5200
McLean, VA 22102
Tel: +1 703 760 3320
Fax: +1 703 760 3321
USA
1731 Embarcadero Road, Suite 230
Palo Alto, CA 94303
Sales: +1 650 864 2114
General: +1 650 864 2000
Fax: +1 650 864 2002
Germany
Hardenbergplatz 2
10623 Berlin
Tel: +49 30 52 00 56 0
Fax: +49 30 52 00 56 299
Iceland
Thverholti 18
IS-105, Reykjavik
Tel: +354 540 7400
Fax: +354 540 7401
Israel
1 Sapir Rd. 5th Floor,
Beit Ampa
P.O. Box 4014
Herzliya, 46140
Tel: +972 98636 888
Fax: +972 98636 863
SOURCES
All data analyzed for the 2013 CYREN Security Yearbook originates from the CYREN GlobalView™ Cloud Infrastructure.
© 2014 CYREN Ltd. All rights reserved. CYREN, Recurrent Pattern Detection, RPD, and GlobalView are trademarks, and Eleven, Authentium, F-Prot, Command Antivirus, and Command Anti-malware are registered trademarks, of CYREN. U.S. Patent No. 6,330,590 is owned by CYREN. All other marks are the property of their respective owners.
This yearbook contains forward-looking statements, including projections about our business, within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. For example, statements in the future tense, and statements including words such as "expect," "plan," "estimate," "anticipate," or "believe" are forward-looking statements. These statements are based on information available to us at the time of the yearbook; we assume no obligation to update any of them. The statements in this yearbook are not guarantees of future performance and actual results could differ materially from our current expectations as a result of numerous factors, including business conditions and growth or deterioration in the internet security market, technological developments, products offered by competitors, availability of qualified staff, and technological difficulties and resource constraints encountered in developing new products, as well as those risks described in the company's Annual Reports on Form 20-F and reports on Form 6-K, which are available through www.sec.gov.