2. CYREN YEARBOOK
FOREWORD
SECURITY REVIEW 2013 AND WHAT TO EXPECT IN 2014
2013 was a very challenging year for IT security, with several high-profile breaches – and against that backdrop, it would be easy to think that the bad guys are winning. In 2013, the CYREN GlobalView™ Cloud analyzed more than 4 trillion security transactions, giving us a unique insight into the security landscape “below the headlines.” In that data we see many encouraging trends.
Cyber crime is big business and, in common with other commercial enterprises, the cyber gangs expect a big return on their investment (ROI). So the fact that in 2013 cyber criminals altered or even dropped many of their long-standing techniques is a sign that we have been successful in destroying the ROI for those techniques.
In that context, let’s take a look at spam. While 72 percent of all email traffic is still unwanted advertising, overall spam levels dropped. This is because botnets were traced and taken down – forcing the cyber gangs to devise new techniques for spreading malware to build replacement networks, for example by distributing malware via malicious links instead of attachments. They have to do this because the economics of spam are so poor that the spammers only get a ROI if they can illegally co-opt millions of computers – with their associated bandwidth – into their networks.
We also saw a big shift in the emphasis for malware distribution toward smartphones and tablets, both for their prevalence in the market – they outsell desktop computers by 10x – and for their comparatively poor protection. Smartphones in particular have proven a lucrative new outlet for the gangs, as they offer other ways to generate a return beyond ‘classic’ spam distribution.
In response to more effective protection for desktops, we have seen a rise in ‘ransomware’ – where a computer is locked down by malware
3. CYREN YEARBOOK
TABLE OF CONTENTS
ANDROID MALWARE
OVERALL MALWARE
WEB SECURITY
PHISHING
INTERNET SECURITY
EMAIL-ATTACHED MALWARE
SPAM
ZOMBIE WORLD MAP
SPAM COUNTRIES OF ORIGIN
SPAM TOPICS
PREDICTIONS
ABOUT CYREN
PUBLISHER
CYREN, 7925 Jones Branch Drive, Suite 5200
McLean, VA 22102, Tel: +1 703 760 3320, www.CYREN.com
and the owner is threatened with the destruction of their data unless they pay to unlock it – with the gangs also incorporating a human component into their distribution model.
At the CYREN GlobalView™ Security Lab, we are committed to innovating in equal and opposing force to the cyber gangs. In 2013 we incorporated our proven antispam, antimalware, IP reputation, mobile security, and URL filtering technologies into a powerful new security-as-a-service platform. The first application of this is a global Web security service that protects users from Web-borne threats – wherever they are and on whatever device they use. In 2014, we are expanding our existing Advanced Persistent Threat (APT) capabilities to shine a light further than ever into the murky world of the botnet, potentially exposing the networks all the way back to their owners.
It is almost certain that 2014 will present its own challenges, but we will continue to destroy the ROI for cyber criminal activities. While we may lose some battles along the way, we will be winning the war.
Lior Kohavi, Chief Technology Officer at CYREN
4. CYREN YEARBOOK Android malware
[Chart: “NEW ANDROID AND MALWARE”, monthly values JAN13 to DEC13, vertical axis 0 to 400,000]
MALWARE FOR ANDROID DEVICES
High-powered mobile devices such as smartphones and tablets have become increasingly common and the Android OS is now installed on hundreds of millions of devices. Cyber criminals have clearly taken notice of the huge number of devices, as evidenced by the steady growth of malware targeting these platforms.
There are additional factors that add to the attraction of Android as a malware platform. The first is the always-connected nature of most devices – either to WiFi or mobile networks. This allows cyber criminals to access compromised devices at will and abuse them in the same way as wired PCs. The second is the built-in payment mechanism – usually to app stores – that does not require user re-entry of credit card information. This can be easily abused for bogus background app-store purchases. Thirdly, malware can also generate revenue from premium SMS, MMS and calls.
ANDROID MALWARE AVERAGE: 5,768 per day for last 6 months
5. CYREN YEARBOOK
Overall malware
RANSOMWARE
Ransomware is not a new concept, but 2013 saw a huge increase in its use – apparently as ROI from other sources fell. Typically, the unfortunate victim is presented with a locked screen and told to make a payment – either direct via credit card, or by calling a number and handing over payment details. The alternative to payment is destruction of all data on the affected hard drive. Most victims pay “unlocking fees” in the region of a few hundred dollars. Of course there is no guarantee that the criminals will not lock the computer again, so many users elect to reformat their machine and start over.
TOP 5 DETECTIONS OVER THE LAST 6 MONTHS
1. AndroidOS/Plankton.A.gen!Eldorado
2. AndroidOS/FakeDoc.H
3. AndroidOS/SMSreg.N
4. AndroidOS/AirPush.A.gen!Eldorado
5. AndroidOS/SMSreg.C.gen!Eldorado
MALWARE SHARE
SMS: 73%
Stealer: 8%
Adware: 12%
Other: 7%
INFOSTEALER Backdoor AndroidOS/Plankton.A.gen
Plankton is a service that runs in the background and communicates with a command and control server, “search webmobile.com”; the service waits for actions to execute from the server. It is able to get the user’s browsing history, set bookmarks, homepage and shortcuts, and install downloaded files to the user’s device. It collects the phone’s IMEI, IMSI, SDK version and IP address, amongst other sensitive data, and sends it to the server.
SMS TROJAN RISK AndroidOS/SMSreg.N
SMSreg.N is NOT a Trojan; it is classified as a security risk. The user downloads an application that sends an SMS message from the user’s phone to a premium number for some service that the application provides – for example a daily horoscope. In most cases, the user never reads the user agreement, where it is stated that the user will be charged for this service by letting the application automatically send an SMS message once a week or a month.
ADWARE AndroidOS/AirPush.A.gen
This is a detection for the Airpush SDK that pushes ads to the notification bar on the Android device, even though the game or the app it was installed with is not running.
6. CYREN YEARBOOK
Web security
GROWTH OF MALWARE
EMBEDDED IN WEBSITES
The number of malware URLs tracked in the GlobalView™
Cloud Database increased by 131% during 2013.
Any website can easily be compromised if not updated
regularly – enabling malware developers to exploit
security vulnerabilities in common content management
systems. The most common Web category that CYREN
saw hacked in 2013 was “Education” sites.
Travel, sports and pornography sites are popular targets
too (although the latter may intentionally hide malware),
followed by websites offering free pages.
MALWARE URL INCREASE: 131% over the year
[Figure: INCREASE IN MALWARE URLS OVER THE YEAR; labels: TRAVEL, EDUCATION, URL Filter]
7. CYREN YEARBOOK
Web security
WEB EXPLOIT KITS
POPULAR TOPICS 2013
SYRIA EVENT: September 2013 – Fake CNN and BBC news link to malware websites.
ROYAL BABY: July 2013 – The world awaiting first pictures of the new Royal baby in Great Britain – and malware authors created fake status updates and offered “live hospital cam.”
POPE ELECTION: March 2013 – Papal election: Fake results and fake child abuse rumors.
[Diagram label: “Finds weaknesses and infects computer”]
During 2013 CYREN saw an increase in Exploit Kits being used to deliver
platform specific malware. In this model, users visit an infected website and
their computer is scanned by an ‘invisible’ script that chooses the appropriate
malware that can exploit known vulnerabilities associated with the browser,
OS, PDF reader, etc.
[Screenshot: Internet Explorer prompt]
Internet Explorer
Do you want to allow this website to open a program on your computer?
From: twistplex.com
Program: Microsoft Help and Support Center
Address: hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysin
Always ask before opening this type of address
Allow / Cancel
Allowing web content to open programs can be useful, but it poses a potential threat to your computer. Only allow this action if you trust the source of the content. What is the risk?
[Screenshot: script excerpt]
if (b){
var g = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 22.1, "Win.*Mobile", 22.2, "Pockets*PC", 22.3, 100]; for (h = g.length - 2; h >= 0; h
Users are typically led to these threats by posts on social
networking sites or email messages with embedded links.
Current events are increasingly used as bait to attract
users to websites contaminated with malware. Popular
subjects in 2013 included the papal election and the royal
baby, with the conflict in Syria being referenced when it
had barely begun. To illustrate how fast these can move,
our data shows that the average time between an actual
news event and its exploitation by cyber criminals was
around 22 hours.
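The delivery path described on this slide, an invisible script on a compromised page that ends in a prompt to open an hcp:// address, leaves traces that can be checked for in fetched HTML. The following is an added example, not code from the CYREN report; the scheme allowlist, the names HandlerAudit and audit, and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: schemes an ordinary web page is expected to reference.
WEB_SCHEMES = {"", "http", "https", "mailto"}
URL_ATTRS = {"href", "src", "data", "action"}
SCHEME_IN_SCRIPT = re.compile(r"""["']([a-z][a-z0-9+.-]*)://""", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HandlerAudit(HTMLParser):
    """Flag hidden iframes and URLs that invoke a local protocol handler."""
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, tag, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        self._in_script = tag == "script"
        for name, value in attrs.items():
            if name in URL_ATTRS:
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme not in WEB_SCHEMES:
                    self.findings.append(("non-web-scheme", tag, scheme))
        tiny = attrs.get("width") in {"0", "1"} or attrs.get("height") in {"0", "1"}
        if tag == "iframe" and (tiny or HIDDEN_STYLE.search(attrs.get("style", ""))):
            self.findings.append(("hidden-iframe", tag, attrs.get("src", "")))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        # String literals inside inline scripts can carry the handler URL.
        if self._in_script:
            for scheme in SCHEME_IN_SCRIPT.findall(data):
                if scheme.lower() not in WEB_SCHEMES:
                    self.findings.append(("non-web-scheme", "script", scheme.lower()))

def audit(html):
    parser = HandlerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the hosts and the hcp:// target are placeholders.
SAMPLE = """<html><body>
<a href="https://news.example/story">Live coverage</a>
<img src="/static/logo.png">
<iframe src="http://kit.example/landing" width="1" height="1"></iframe>
<script>var target = "hcp://placeholder/topic";</script>
</body></html>"""

print(audit(SAMPLE))
```

Findings are signals for triage rather than verdicts: legitimate pages also use hidden frames, so the scheme finding is the stronger of the two.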
[Diagram label: “Invisible scripts”]
8. CYREN YEARBOOK
Phishing
PHISHING INCREASE IN
2013 AND WEB CATEGORIES
INFECTED BY PHISHING
The number of phishing URLs tracked
in the GlobalView Cloud Database
increased by 264% during the course
of 2013.
Most common categories: Free Web
pages, Education, Sports, Computers
and Technology, small shopping and
small business sites.
PHISHING URLs 2013: 264% increase over the year
TOP PHISHING TOPICS
1. FREE WEB PAGES
2. EDUCATION
3. SPORTS
4. COMPUTERS & TECHNOLOGY
5. SMALL SHOPPING SITES
6. SMALL BUSINESS SITES
9. CYREN YEARBOOK
Phishing
PAYPAL IS THE NUMBER ONE TARGET OF PHISHING
~750 new phishing sites targeting PayPal users every day
With almost 150 million registered account holders,
it is not surprising that PayPal regularly places first
as a subject used in phishing attacks. Every day
we uncover around 750 new phishing websites that
specifically target PayPal users; this equates to more
than 270,000 sites annually. As new phishing sites
are discovered they are categorized and logged as
such in the CYREN GlobalView™ Cloud URL database.
10. CYREN YEARBOOK
Internet security
THE YEAR IN INTERNET SECURITY
2013 VISUAL REVIEW
[Timeline graphic, JAN to DEC, series: Viruses, Spam; labelled events: APRIL FOOLS’ DAY, VALENTINE’S DAY, MOTHER’S DAY, ROYAL BABY SPAM, HALLOWEEN, THANKSGIVING, SYRIAN CRISIS, SPAM MAXIMUM]
REVIEW 2013
Spam: 2013 spam average 78.297 billion emails per day
Email malware: 2013 email malware average 1.68 billion daily virus emails
Phishing: 264% increase in phishing URLs over the year
Web malware: 131% increase during 2013
Android malware: 173,000 new Android malware per month
Malware: 6.08 million new unique malware per month
TRENDS 2014
MOBILE MALWARE: Android still the main target
LOCALIZATION: More Localized spam
WEB EXPLOITS: Growing underground market
11. CYREN YEARBOOK Email-attached malware
MALWARE IS BEING TAILORED
TO SPECIFIC COUNTRIES
Malware is increasingly tailored for
specific countries. While German
email users receive fake train
bookings from Deutsche Bahn or
Lufthansa tickets, Americans will
receive fake gift vouchers from
U.S. companies, bills from their tax
authorities, or even speeding fines
from the police.
2013 VIRUS AVERAGE: 1,85 BILLION per day
2013 VIRUS MAXIMUM: 7,18 BILLION in February
VIRUS SHARE (%)
dangerous.virus-outbreak: 60.8
dangerous.virus: 38.5
dangerous.iframe: 0.7
[Chart: VIRUS/OUTBREAK, monthly JAN to DEC, vertical axis 0% to 100%]
12. CYREN YEARBOOK Spam
SPAM LEVELS
Following the trend of the last two years, spam continued to decrease. Globally, spam now averages 72% of all email traffic. Although spam has decreased, the absolute number of messages sent every day is still significant – averaging 78 billion emails. By year-end the average had dropped to 57 billion emails per day.
SPAM LEVELS CONTINUE TO DECREASE
[Chart: Spam Trend, monthly JAN to DEC, vertical axis 0% to 100%]
SPAM SHARE: spam 72%, legitimate emails 28%
2013 SPAM MAXIMUM: 301% of the year’s average
2013 SPAM AVERAGE: 78,297 BILLION daily spam emails
13. CYREN YEARBOOK Zombie world map
ZOMBIE COUNTRIES
TOP 10 COUNTRIES FOR HIJACKED COMPUTERS BY QUARTER IN 2013
QUARTER 1: INDIA, RUSSIA, BELARUS, IRAN, PERU, ARGENTINA, COLOMBIA, KAZAKHSTAN, VIETNAM, CHINA
QUARTER 2: INDIA, CHINA, VIETNAM, PERU, BELARUS, TAIWAN, RUSSIA, COLOMBIA, ARGENTINA, IRAN
QUARTER 3: INDIA, VIETNAM, CHINA, TAIWAN, BELARUS, PERU, UKRAINE, ARGENTINA, IRAN, RUSSIA
QUARTER 4: INDIA, VIETNAM, IRAN, TAIWAN, BELARUS, PERU, UKRAINE, UNITED STATES, CHINA, RUSSIA
India had the largest number of
hijacked – or ‘Zombie’ – computers
throughout 2013. These zombies
were mainly used for spam and
malware distribution. Outside of
India, the other countries in the Top
10 were almost exactly the same
throughout the year, with their place
varying according to overall botnet
activity.
[World map: TOP TEN ZOMBIE COUNTRIES EACH QUARTER. Map labels: INDIA, RUSSIA, CHINA, IRAN, 4 VIETNAM, 6 BELARUS, 7 PERU, 8 TAIWAN, 9 ARGENTINA, 10 COLOMBIA]
14. CYREN YEARBOOK
Spam countries of origin
ONLY TEN COUNTRIES PRODUCE 50% OF ALL SPAM
Ten countries are responsible for approximately 50% of
all detected spam, with the Republic of Belarus, USA and
India far ahead at the top of the list. In 2013, a regional
concentration of spammers emerged in Eastern Europe,
replacing the Asian nations of Indonesia, Vietnam and
India. An increasing trend toward spam and malware
originating from Western European networks, for example
Italy and Spain, is a cause for concern.
[Chart: spam share by country of origin. Countries shown: UNITED STATES, INDIA, ITALY, ARGENTINA, COLOMBIA, SPAIN, BELARUS, UKRAINE, PERU, RUSSIAN FEDERATION. Values shown: 8.6%, 6.7%, 5.3%, 4.2%, 3.9%, 4.8%, 5%, 3.1%, 3.1%, 3.1%]
15. CYREN YEARBOOK
Spam topics
THE RETURN OF DIET AND STOCK SPAM
After a break of several years, there was a resurgence in spam advertising for diet products and penny stocks. As spammers never abandon any technique that yields a profit, we expect this activity to increase in 2014.
[Chart: spam topics]
DIET: 17.6%
STOCK: 15.8%
PHARMACY: 13.8%
CASINO: 7.7%
JOB OFFER: 7.4%
DATING: 6.8%
Also shown: SCAM, REPLICA, PHISHING, DRIVE-BY
16. CYREN YEARBOOK
Predictions
THE SECURITY OUTLOOK FOR 2014
VIRUSES, TROJANS AND SPAM BECOME SMARTER, FASTER AND MOBILE
As the Internet becomes an everyday component of the life of more and more people, cyber criminals will take the opportunity to create even more targeted attacks.
EVENT SPAM RELATING TO THE OLYMPIC GAMES, FOOTBALL AND POLITICAL EVENTS: Global – and increasingly local – events are used as lures for malware and spam campaigns. Cyber criminals still love recycling: malware attachments and mailing structures are routinely reused for different campaigns.
PHISHING with a special focus on social networks, as access details become valuable in their own right.
SHORT BUT ACUTE MALWARE OUTBREAKS: Spam and malware senders know they only have a short window of opportunity, so campaign durations will be shorter, but the activity level within that window will be more intense.
MOBILE MALWARE: Most mobile devices are still under-protected and malware developers will focus on this lack of security. At the same time mobile surfing brings new risks, as users have limited visibility of URLs as compared to their PCs.
GOLDEN OLDIES: Well-established spam techniques like ASCII spam or using pictures with disruptive pixels are returning for an encore. This is because these techniques can still bypass some traditional filters, maximizing delivery of the campaign.
17. CYREN YEARBOOK
About CYREN
CYREN SECURITY SERVICES
WEB
Designed for rapid deployment by businesses of all sizes and powered by the GlobalView™ Cloud, CYREN Web technologies give you the flexibility to secure any device against Web-borne threats. Whether you deploy our Embedded URL Filtering or full-service Web security-as-a-service, your customers will enjoy industry-leading protection across all their devices, anywhere they are, however they want.
MORE INFORMATION: www.CYREN.com/Web
ANTIMALWARE
CYREN Embedded AntiVirus provides the best and broadest protection against new and zero-hour threats. Our partners enjoy industry-leading performance with ultra-low processing, memory, storage, and bandwidth consumption. CYREN Embedded Mobile Security delivers a comprehensive security Web and antivirus foundation for providers of mobile applications or services.
MORE INFORMATION: www.CYREN.com/AntiMalware
EMAIL
CYREN Email technologies provide industry-leading email protection service. Our antispam, antivirus, IP reputation, and outbound antispam solutions are simple to administer and scale to whatever size your business needs; protecting your customers’ inbox from threats across all devices. CYREN Email solutions are available in both Embedded and security-as-a-service models.
MORE INFORMATION: www.CYREN.com/Email
ALWAYS AHEAD OF THE THREAT
Power your business with CYREN real-time security intelligence and live data analytics.
Visit us at the CYREN GlobalView™ Security Center: www.CYREN.com/security-center