Phishing, Spam and Malware Statistics for August 2010

Spam category statistics

In August, everything remained constant in the types of spam being sent. The only variation was in the category Other, which means that there were indeed some new types of malware which weren’t detected at the beginning. From the point of view of our Antispam research team, this is actually an example of a very good statistic: a very fast reaction time.

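Sorted by amount

| # | Category | % | Deviation from July 2010 (in %) |
|---|----------|---|---------------------------------|
| 1 | Other | 66.09 | 11.60 |
| 2 | Pharmacy | 11.24 | -12.55 |
| 3 | Casino | 4.77 | -1.09 |
| 4 | Nigerian | 3.77 | 0.40 |
| 5 | University | 3.59 | -3.64 |
| 6 | Watch | 3.19 | 0.79 |
| 7 | Lottery | 2.08 | -0.09 |
| 8 | Malware | 1.93 | 0.09 |
| 9 | Loan | 1.11 | 0.03 |
| 10 | Phishing | 0.92 | -0.98 |
| 11 | Software | 0.82 | -0.45 |
| 12 | Jobs | 0.48 | 0.21 |
| 13 | Fashion | 0.02 | 0.00 |
| 14 | Commercials | 0.00 | -0.00 |

Sorted by deviation

| # | Category | Deviation from July 2010 (in %) |
|---|----------|---------------------------------|
| 1 | Other | 11.60 |
| 2 | Watch | 0.79 |
| 3 | Nigerian | 0.40 |
| 4 | Jobs | 0.21 |
| 5 | Malware | 0.09 |
| 6 | Loan | 0.03 |
| 7 | Fashion | 0.00 |
| 8 | Commercials | -0.00 |
| 9 | Lottery | -0.09 |
| 10 | Software | -0.45 |
| 11 | Phishing | -0.98 |
| 12 | Casino | -1.09 |
| 13 | University | -3.64 |
| 14 | Pharmacy | -12.55 |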

URL Shorteners used in malicious activities

In the URL shorteners statistic, we see quite a lot of movement in both directions. bit.ly, r2me.com and lu.mu got rid of the Phishing website redirects. On the other hand, we see tinyurl.com, which “shortened” 16% more URLs than in July.

The malware landscape was almost silent this month, but this is only a false sense of comfort, because we have seen a lot of new malware being sent via email instead of being referenced via URLs. I am curious whether this trend will continue in the coming months.

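Phishing

| # | Shortener | % | Deviation from July 2010 (in %) |
|---|-----------|---|---------------------------------|
| 1 | tinyurl.com | 32.56 | 16.28 |
| 2 | bit.ly | 25.58 | -110.47 |
| 3 | is.gd | 8.14 | 3.49 |
| 4 | tiny.cc | 4.65 | -1.16 |
| 5 | notlong.com | 4.65 | -6.98 |
| 6 | doiop.com | 4.65 | -10.47 |
| 7 | zi.ma | 1.16 | 1.16 |
| 8 | u.nu | 1.16 | 0.00 |
| 9 | tr.im | 1.16 | 1.16 |
| 10 | snipurl.com | 1.16 | -2.33 |
| 11 | sn.im | 1.16 | -12.79 |
| 12 | shorl.com | 1.16 | 1.16 |
| 13 | r2me.com | 1.16 | -224.42 |
| 14 | ow.ly | 1.16 | 0.00 |
| 15 | moourl.com | 1.16 | 1.16 |
| 16 | lu.mu | 1.16 | -123.26 |
| 17 | k.im | 1.16 | 1.16 |
| 18 | idek.net | 1.16 | 0.00 |
| 19 | goo.gl | 1.16 | 1.16 |
| 20 | dwarfURL.com | 1.16 | 1.16 |
| 21 | cli.gs | 1.16 | 1.16 |
| 22 | ad.ag | 1.16 | 1.16 |
| 23 | | 0.00 | 0.00 |

Malware

| # | Shortener | % | Deviation from July 2010 (in %) |
|---|-----------|---|---------------------------------|
| 1 | k.im | 8.33 | 4.17 |
| 2 | zi.ma | 4.17 | 4.17 |
| 3 | u.nu | 4.17 | 4.17 |
| 4 | tr.im | 4.17 | 4.17 |
| 5 | tinyurl.com | 4.17 | 4.17 |
| 6 | tiny.cc | 4.17 | 4.17 |
| 7 | snipurl.com | 4.17 | 4.17 |
| 8 | sn.im | 4.17 | 4.17 |
| 9 | shorl.com | 4.17 | 4.17 |
| 10 | r2me.com | 4.17 | 4.17 |
| 11 | ow.ly | 4.17 | 0.00 |
| 12 | notlong.com | 4.17 | 4.17 |
| 13 | moourl.com | 4.17 | 4.17 |
| 14 | lu.mu | 4.17 | 4.17 |
| 15 | is.gd | 4.17 | 4.17 |
| 16 | idek.net | 4.17 | 4.17 |
| 17 | goo.gl | 4.17 | 4.17 |
| 18 | dwarfURL.com | 4.17 | 4.17 |
| 19 | doiop.com | 4.17 | 4.17 |
| 20 | cli.gs | 4.17 | 4.17 |
| 21 | bit.ly | 4.17 | 4.17 |
| 22 | ad.ag | 4.17 | 4.17 |
| 23 | | 0.00 | 0.00 |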

Most phished brands statistics

There is no surprise about which brand is the most phished one this month: Paypal. But quite a lot of changes happened this August. We’ve seen that some brands were misused to advertise online pharmacies or other websites. We do count these as Phishing, since they trick the user into visiting a website which isn’t what it pretends to be, even if no user credentials are stolen. The brands which we summarize as “Others” are known to us, but since they weren’t so popular among phishers historically, we decided to group them together into one category. Of course, after seeing such an increase, we have started to investigate exactly which of these other brands got more attention this month.

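Sorted by amount

| # | Brand name | % | Deviation from July 2010 (in %) |
|---|------------|---|---------------------------------|
| 1 | Paypal | 58.19 | -17.13 |
| 2 | Others | 18.28 | 100.00 |
| 3 | HSBC Bank | 7.63 | 56.80 |
| 4 | Ebay | 4.19 | 9.22 |
| 5 | World of Warcraft | 3.70 | -13.74 |
| 6 | Bank of America | 2.12 | 55.77 |
| 7 | Irs | 2.03 | 65.00 |
| 8 | Chase Bank | 1.40 | 39.13 |
| 9 | Lloyds | 1.24 | 60.66 |
| 10 | Visa | 1.22 | 60.00 |

Sorted by deviation

| # | Brand name | Deviation from July 2010 (in %) |
|---|------------|---------------------------------|
| 1 | Others | 100.00 |
| 2 | Irs | 65.00 |
| 3 | Lloyds | 60.66 |
| 4 | Visa | 60.00 |
| 5 | HSBC Bank | 56.80 |
| 6 | Bank of America | 55.77 |
| 7 | Chase Bank | 39.13 |
| 8 | Ebay | 9.22 |
| 9 | World of Warcraft | -13.74 |
| 10 | Paypal | -17.13 |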

Extension statistics for malware URLs

The extensions for this month are not a surprise either, considering that we’ve seen a lot of exploits in different kinds of software like PDF Reader or Flash Player. The decrease in usage of the “.exe” extension has to do with the increase of the “none” category. Malware authors increasingly rely on automatic execution of the malicious files, possibly by exploiting one vulnerability or another.

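Sorted by amount

| # | Extension | % | Deviation from July (in %) |
|---|-----------|---|----------------------------|
| 1 | exe | 24.79 | -86.91 |
| 2 | none | 23.73 | 36.91 |
| 3 | php | 12.66 | 57.83 |
| 4 | htm | 9.22 | 83.70 |
| 5 | txt | 7.83 | 15.91 |
| 6 | html | 7.20 | 84.23 |
| 7 | gif | 5.33 | 89.31 |
| 8 | jpg | 2.89 | -157.81 |
| 9 | asp | 1.25 | 65.47 |
| 10 | js | 1.05 | 68.34 |
| 11 | css | 1.03 | 52.96 |
| 12 | dll | 0.91 | 14.80 |
| 13 | com | 0.68 | -70.83 |
| 14 | swf | 0.25 | 80.33 |
| 15 | pdf | 0.21 | -9.62 |
| 16 | png | 0.18 | 8.89 |
| 17 | dat | 0.18 | -60.47 |
| 18 | aspx | 0.14 | 77.14 |
| 19 | zip | 0.13 | 9.09 |
| 20 | ocx | 0.11 | 73.08 |
| 21 | rar | 0.10 | -108.00 |
| 22 | pl | 0.09 | -71.43 |
| 23 | cmd | 0.02 | 66.67 |
| 24 | bat | 0.00 | 0.00 |

Sorted by deviation

| # | Extension | Deviation from July (in %) |
|---|-----------|----------------------------|
| 1 | gif | 89.31 |
| 2 | html | 84.23 |
| 3 | htm | 83.70 |
| 4 | swf | 80.33 |
| 5 | aspx | 77.14 |
| 6 | ocx | 73.08 |
| 7 | js | 68.34 |
| 8 | cmd | 66.67 |
| 9 | asp | 65.47 |
| 10 | php | 57.83 |
| 11 | css | 52.96 |
| 12 | none | 36.91 |
| 13 | txt | 15.91 |
| 14 | dll | 14.80 |
| 15 | zip | 9.09 |
| 16 | png | 8.89 |
| 17 | bat | 0.00 |
| 18 | pdf | -9.62 |
| 19 | dat | -60.47 |
| 20 | com | -70.83 |
| 21 | pl | -71.43 |
| 22 | exe | -86.91 |
| 23 | rar | -108.00 |
| 24 | jpg | -157.81 |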

Most abused TLDs

.com remains the most abused top level domain (TLD), despite the fact that it “lost” almost half of the attacks in August. Other TLDs started to be used more frequently, a sign that the botnets grew even more this month, probably due to the vulnerabilities we’ve seen.

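Phishing

| # | Top level domain | % | Deviation from July 2010 (in %) |
|---|------------------|---|---------------------------------|
| 1 | .com | 45.26 | -48.34 |
| 2 | Others | 17.88 | 100.00 |
| 3 | .net | 8.77 | 11.24 |
| 4 | IP Address | 6.86 | 100.00 |
| 5 | .org | 4.01 | -147.26 |
| 6 | .ma | 2.74 | 66.08 |
| 7 | .br | 2.69 | -20.28 |
| 8 | .ru | 2.17 | 18.50 |
| 9 | .uk | 2.10 | 12.33 |
| 10 | .info | 1.79 | 10.16 |
| 11 | .fr | 1.73 | 4.97 |
| 12 | .de | 1.27 | -162.41 |
| 13 | .ie | 1.12 | 98.29 |
| 14 | .it | 0.83 | -124.14 |
| 15 | .pl | 0.75 | -79.49 |

Malware

| # | Top level domain | % | Deviation from July 2010 (in %) |
|---|------------------|---|---------------------------------|
| 1 | .com | 49.71 | 19.97 |
| 2 | Others | 11.21 | 100.00 |
| 3 | .net | 6.86 | 20.67 |
| 4 | IP Address | 5.46 | 99.85 |
| 5 | .ru | 5.11 | -18.90 |
| 6 | .org | 4.21 | 17.23 |
| 7 | .info | 3.51 | -22.53 |
| 8 | .cc | 2.83 | 57.61 |
| 9 | .kr | 2.08 | 28.57 |
| 10 | .br | 1.93 | -13.89 |
| 11 | .tv | 1.88 | 90.69 |
| 12 | .cn | 1.80 | -91.42 |
| 13 | .de | 1.44 | 14.16 |
| 14 | .pl | 1.08 | 47.92 |
| 15 | .in | 0.91 | -97.31 |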

Sorin Mustaca
Data Security Expert