
World Cup Crazy

With any worldwide event, security precautions increase and people are on high alert, since an increase in malicious activity is to be expected. In Germany, security professionals, especially the World Cup network operators, held their breath as the football matches began.

World Cup fever started back in 2005 with the Sober.n worm, which misrepresented itself as an opportunity for people to buy tickets to the World Cup. This was one of the most widespread computer attacks of 2005 worldwide. The email had a link to a self-extracting Excel file which claimed to contain a game plan for the tournament. Even with all the technical security precautions put in place, it usually comes down to social engineering and to teaching and educating employees; people are the weakest link in the chain of computer security. In the case of the World Cup, football fanatics are easily influenced to open emails with subject lines relating to this event!

More than a year on from the first World Cup related email virus, there has been a flurry of excitement in June, with the number one virus and the number one phishing attack both knocked off their top positions. The ham percentage has decreased from last month, with a large influx of spam, new viruses and, especially, phishing emails. Spam and virus senders were not as prepared as the phishermen: a huge increase in phishing occurred on June 9th, the start of the World Cup, with the phishing attacks trying to cash in on the big tournament.


Below, we have the daily breakdown for ham, spam, viruses and phishing.



World of Spam

The volume per geographical location for spam, viruses and phishing emails for June can be seen below.



As with last month, China is number one again - but the percentage of spam has increased dramatically, by around 25%. Email inboxes received a flood of World Cup spam: lottery wins (seen purporting to be from the Ivory Coast!), mobile phone deals, and football ticket sales.

Position  Country        Percentage
1         China          41.84%
2         United States  21.66%
3         Korea          8.62%
4         France         6.24%
5         Spain          5.16%
6         Poland         4.46%
7         Brazil         3.86%
8         Australia      2.78%
9         Germany        2.75%
10        UK             2.65%

Viruses: Football fever

Our expectation for new viruses this month has been fulfilled; while the national flags fluttered, a whirlwind of viruses flew at the sporting nations. This kickoff occurred on Friday, June 16th - these latest viruses are breplibot/brepibot variants.

Another World Cup virus was not so widely spread. Delf.V (also known as W32/Sixem-A, Email-Worm.Win32.Delf.v, W32.Sixem.A@mm) is a mass-mailing worm that sends out football related emails. The subject lines contain phrases such as “Soccer fans killed five teens” and “Crazy soccer fans”.

GB (56.9%) is still top of the virus senders, with China (8.47%) and Brazil (7.86%), second and third respectively.

In with the new and out with the old

Worm.Somefool.P had been topping the list of viruses for the last few months, but has now been replaced by Somefool.Gen-2. The Somefool family still holds the top three places in the virus list. This virus first broke out back in 2004; it is quite unbelievable that two years later it is still top of the list. Either users are still not protecting their computers, as this virus is still spreading at a high rate, or users have simply not cleaned up their computers since the first infections back in 2004. Another reason why this virus is still spreading so fast is that it has no expiry date. Many viruses have (de)activation dates, after which they become dormant. The Somefool virus was written by the convicted German teenager Sven Jaschan. The virus spreads via email by harvesting addresses from local hard drives. In Microsoft’s latest research and survey “MSRT Progress Made Lessons Learned”, it is reported that 602,634 variants of Somefool were detected and removed since February 2005.

The battle of the worms, Bagle v SomeFool, may have come to an end, as SomeFool has been dominating the virus statistics for months now. Back in 2004, in order to become the top virus sender, VXers incorporated code to remove the Bagle virus into some variants of SomeFool. Perhaps VXers were putting their code writing to good use!

Position  Trend  Virus                        Percentage
1         up     Worm.SomeFool.Gen-2          28.28%
2         down   Worm.SomeFool.P (NetSky.P)   22.99%
3         level  Worm.SomeFool.Gen-1          19.11%
4         up     Worm.VB-9                    8.28%
5         down   Exploit.HTML.IFrame          6.06%
6         up     Worm.Mytob.LQ                4.24%
7         down   Worm.SomeFool.Z              3.23%
8         new    Worm.Bagle.pwd-eml           2.8%
9         down   Trojan.Myno                  2.8%
10        new    Worm.Nyxem.E                 2.22%

Phishing: China v US

In the last few months, there was competition between China and the US for top place. But this month we have a new contender: Korea. It hits the top spot, coming in with 15.07% of the total, with China (14.36%) and the US (14.24%) a close second and third respectively. Great Britain is in 9th place with 2.54%. In May, we saw a high increase in phishing attacks supposedly originating from PayPal and eBay. This pattern is repeated this month, with PayPal attacks increasing in number. PayPal fixed a security flaw in their website on June 17th - see graph below - has this patch made a difference? We can see there was an immediate decrease the day it was released, followed by a levelling off, until an increase at the end of the month. Attackers exploited this flaw by redirecting users to a link hosted in South Korea, which requested login details…



Paypal - Phishing attacks in the last 30 days


Just as the top virus has changed, this month Midamerica Bank has knocked Barclays from the top spot among phishing targets. The mail asked you to “Renew Now your MidAmerica Bank Bill Pay and Services”, and there was a link to a website for you to enter the usual details (username, account details).

Midamerica Bank - Phishing attacks in the last 30 days


Be suspicious of any emails you get from your bank!
