AppRiver Threat Landscape: Quarter 1 and 2, 2010
AppRiver, the Gulf Breeze, Florida-based web security and email company, has issued a new report titled “AppRiver notes: Threat & Spamscape report Special 6-Month Edition: June 2010,” briefly covering the online threats the company has monitored over the last six months.
Highlights of the report include the one-year anniversary of the Conficker worm, and phishing and spear-phishing attacks themed around natural disasters, carbon credits, lawsuits, the IRS and the FIFA World Cup. The report includes a breakdown showing the origin of the 26 billion spam emails blocked by AppRiver in the first half of 2010, and the source region of both spam and malicious email messages, with the United States topping the spam chart at 2.5 billion spam emails, and Europe topping the malware chart with 44.7%.
Virus activity has also been heavy for the six months reported, with AppRiver noting that more than 45 million virus messages had been blocked in the thirty days prior to the report's publication, or more than one out of every ten emails scanned.
In March, AppRiver blocked over five thousand emails purporting to contain information regarding a lawsuit, with a link to a file named complaint.rtf; that link led to another file called complaint_docs.pdf, which actually contained a Trojan.Dropper.
Scams masquerading as IRS messages used tokens to customize each email to its recipient, and contained a link to a page with a download link to an .exe file. The file actually installed ZeuS, a phish-kit that is used to steal banking information.
“The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.” (Peter Coogan, “Zeus, King of the Underground Crimeware Toolkits”, August 25th, 2009)
Other attacks that used ZeuS in the first half of 2010 involved Facebook, MySpace, UPS, DHL, the Royal Mail in the UK, and Canada Post. ZeuS was prolific enough that US-CERT released a bulletin on March 17th, 2010.
One variation of an older attack style, named the ‘419 scam’ after Article 419 of the Nigerian Criminal Code (Advance Fee Fraud) and also known as the Nigerian Prince scam, started in January 2010 and targeted FIFA World Cup fans. These attacks claim that the recipient has won the Online Web Lottery held in South Africa in support of the World Cup, with a prize of one million dollars. The email contained a link to what looked to be an online gaming site, though most of the links were merely images; the ‘live help’ link led to a form asking for personal details. These details could be used to aid criminals in stealing the user’s identity.