Phishing, Spam and Malware Statistics for December 2010

Most abused TLDs

The trend we observed over the last few months, in which use of the non-“classical” TLDs increased massively, continued in December as well. Contrary to November, when .com saw a slight increase, we are noticing this month that it decreased by more than 76%. The measures taken in November and December by the registrars of .org and .net are finally showing results: usage of these two TLDs is decreasing, this month by an astonishing 151% for .org.

| # | Phishing: top level domain | % | Deviation from November in % | Malware: top level domain | % | Deviation from November in % |
|---|---|---|---|---|---|---|
| 1 | .com | 46.24 | -76.13 | .com | 50.83 | -47.50 |
| 2 | Others | 16.35 | 100.00 | Others | 12.57 | 100.00 |
| 3 | .net | 8.83 | -24.48 | IP Address | 5.54 | 98.78 |
| 4 | .tk | 4.19 | 9.45 | .net | 5.51 | -320.42 |
| 5 | .br | 4.08 | 29.85 | .ru | 4.78 | -309.13 |
| 6 | .org | 3.56 | -151.28 | .org | 3.77 | -26.99 |
| 7 | .uk | 3.44 | -29.65 | .info | 3.70 | -42.67 |
| 8 | IP Address | 3.14 | 99.51 | .cc | 2.60 | -41.42 |
| 9 | .ru | 1.86 | -98.36 | .br | 2.17 | -55.36 |
| 10 | .de | 1.58 | -76.92 | .kr | 2.08 | -32.09 |

Spam category statistics

Spam levels decreased slightly from November, but a lot of mixed spam was still sent. The “Others” category covers all kinds of spam that can’t be automatically sorted into one of the categories below. This was also expected, considering that we’ve had the holiday season, when a lot of things were advertised for sale.

| # | Category (sorted by amount) | % | Deviation from November in % | Category (sorted by deviation) | Deviation from November in % |
|---|---|---|---|---|---|
| 1 | Other | 77.42 | -6.13 | University | 2.18 |
| 2 | Pharmacy | 6.33 | -1.75 | Software | 0.71 |
| 3 | Nigerian | 4.17 | -1.17 | Fashion | 0.02 |
| 4 | University | 3.73 | 2.18 | Jobs | -0.01 |
| 5 | Lottery | 2.91 | -0.30 | Malware | -0.15 |
| 6 | Software | 2.14 | 0.71 | Watch | -0.26 |
| 7 | Watch | 1.26 | -0.26 | Phishing | -0.26 |
| 8 | Phishing | 0.94 | -0.26 | Lottery | -0.30 |
| 9 | Loan | 0.52 | -0.35 | Loan | -0.35 |
| 10 | Casino | 0.23 | -0.52 | Casino | -0.52 |

Extension statistics for malware URLs

As expected, the level of malware dropped significantly this month because spammers sent out more commercially driven messages than normal.
We are, however, seeing a comeback of spam advertising malware in January. Interestingly, for the second month we see a significant increase in the .gif extension.

| # | Extension (sorted by amount) | % | Deviation from November in % | Extension (sorted by deviation) | Deviation from November in % |
|---|---|---|---|---|---|
| 1 | none | 25.06 | -103.56 | bat | 100.00 |
| 2 | txt | 17.78 | 12.60 | jsp | 75.00 |
| 3 | exe | 16.84 | -127.52 | css | 30.61 |
| 4 | php | 8.83 | -125.36 | js | 27.00 |
| 5 | htm | 7.90 | -102.70 | gif | 22.46 |
| 6 | html | 6.42 | -117.22 | txt | 12.60 |
| 7 | jpg | 6.21 | -1.87 | cmd | 0.00 |
| 8 | asp | 2.86 | -131.86 | jpg | -1.87 |
| 9 | gif | 2.76 | 22.46 | swf | -21.05 |
| 10 | js | 0.97 | 27.00 | png | -33.33 |

Most phished brands statistics

The most attacked brand is – as usual – PayPal. Strangely, despite the fact that we see a lot of PayPal phishing emails, we received a lot less phishing overall than in the previous months. I think that the reason for this has to do with the fact that the attacks are becoming more targeted than before. So, the phishers are improving the quality of the spam campaigns now and no longer try to flood the mailboxes blindly. This is why we see that many smaller brands (category Others) increasingly started to get phished for the second month in a row.

| # | Brand name (sorted by amount) | % | Deviation from November in % | Brand name (sorted by deviation) | Deviation from November in % |
|---|---|---|---|---|---|
| 1 | Paypal | 44.40 | -56.42 | Others | 100.00 |
| 2 | Others | 25.96 | 100.00 | Tibia Guilds | 57.63 |
| 3 | Ebay | 5.08 | -691.51 | Visa | 44.09 |
| 4 | Visa | 4.45 | 44.09 | Chase Bank | 29.11 |
| 5 | Facebook | 4.41 | -251.09 | Lloyds | 16.36 |
| 6 | Chase Bank | 3.78 | 29.11 | World of Warcraft | 7.81 |
| 7 | HSBC Bank | 3.40 | -118.31 | Paypal | -56.42 |
| 8 | World of Warcraft | 3.07 | 7.81 | HSBC Bank | -118.31 |
| 9 | Tibia Guilds | 2.83 | 57.63 | Facebook | -251.09 |
| 10 | Lloyds | 2.63 | 16.36 | Ebay | -691.51 |

URL Shorteners used in malicious activities

URL shorteners are used in emails to hide the final location of a malware file. Because of this, it is not surprising to see the same trend here as in the distribution of the malware extensions (see above). The most used shorteners, bit.ly and goo.gl, saw a significant decrease in December.

| # | Phishing: shortener | % | Deviation from November in % | Malware: shortener | % | Deviation from November in % |
|---|---|---|---|---|---|---|
| 1 | bit.ly | 21.43 | -52.38 | tiny.cc | 7.14 | 7.14 |
| 2 | goo.gl | 11.90 | -33.33 | k.im | 7.14 | 3.57 |
| 3 | notlong.com | 9.52 | 7.14 | is.gd | 7.14 | 3.57 |
| 4 | tiny.cc | 7.14 | -2.38 | doiop.com | 7.14 | -3.57 |
| 5 | tinyurl.com | 4.76 | -21.43 | bit.ly | 7.14 | -17.86 |
| 6 | doiop.com | 4.76 | -7.14 | zi.ma | 3.57 | 3.57 |
| 7 | zi.ma | 2.38 | 2.38 | u.nu | 3.57 | 3.57 |
| 8 | u.nu | 2.38 | 2.38 | tr.im | 3.57 | 3.57 |
| 9 | tr.im | 2.38 | 2.38 | tinyurl.com | 3.57 | -10.71 |
| 10 | snipurl.com | 2.38 | 2.38 | snipurl.com | 3.57 | 3.57 |

Sorin Mustaca
Data Security Expert