Symantec Intelligence
MarissaVicario | 17 Jun 2010 | 0 comments

Posted on behalf of Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services

The MessageLabs Hosted Web Security Service (WSS) blocks millions of web requests every day to protect users from content that is either malicious or has been determined to be off limits based on company policy. In a typical week in 2010 Symantec Hosted Services performs about 107 million blocks (up from 90 million per week in 2009), on 5-10 million distinct URLs, for several thousand clients. That’s tens of thousands of blocks per client per week on average.

Of these blocked URLs, 99.96% are policy-based blocks, the biggest proportion of which is for advertising, mostly pop-up ads or auto-forwarding to ads. Symantec Hosted Services also blocks web sites related to Adult/Sexually Explicit material, Violence, Tasteless & Offensive material, Weapons, Criminal Activity, Gambling and Illegal Drugs, to name a few. Clients have full control...

MarissaVicario | 15 Jun 2010 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services

The FIFA World Cup, which officially started in South Africa last Friday, has been the subject of intense public interest for the past few months. This interest in football has been noticed by scammers and malware authors, who are skilled at using high-profile events to try to entice unsuspecting users into opening their malicious messages.

MessageLabs Intelligence recently saw some spam for a pharmaceutical site using the World Cup to try to entice users to open the message. The subject of these messages was:

Subject: FIFA World Cup South Africa... bad news

The exact motives of the spammer are unclear, but it's likely that they hope that recipients will read this subject and think that perhaps the tournament has been disrupted somehow (perhaps like the Africa Cup of Nations earlier this year), and then quickly open the message. The body of the message contains more...

Daren Lewis | 11 Jun 2010 | 0 comments

By Nicholas Johnston, Senior Software Engineer, Anti-Spam Team, Symantec Hosted Services

About “419” scams

With advance-fee fraud scams, or “419s” as they are often known, there is almost always a real person behind each scam, unlike the majority of spam emails that are sent in large volumes by robot networks (or “botnets”). 419 fraud emails tend to be low in number when compared with a typical spam run; they are often sent out manually with a real person ready to engage any potential victims in a dialogue, should anyone respond.

These 419 scams typically promise large amounts of money or even gold in return for an initial payment made by the recipient – perhaps this is to pay for various up-front (advance) fees and charges, and can become a major problem. The people sending these messages, referred to as “419-ers,” are known to frequently abuse free webmail services, and “tell...

Daren Lewis | 10 Jun 2010 | 0 comments

On behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services

Beginning on 02 June 2010, MessageLabs Intelligence identified a run of 45 targeted malware emails intercepted en route to a number of Brazilian companies, including chemical, manufacturing, and finance firms. This social engineering attack exploits the excitement surrounding the 2010 World Cup in South Africa to prompt the recipients to take actions which may compromise their systems and corporate information.

One particularly interesting element of this targeted attack is the use of two attack modes, a PDF attachment and a malicious link.

The email was spoofed from a well-known sportswear manufacturer, using the manufacturer’s domain, and was sent from a server hosting company in Brazil. The manufacturer being spoofed is a sponsor of the FIFA World Cup, which adds validity to the...

MarissaVicario | 02 Jun 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

Targeted attacks are arguably the most damaging type of internet threat. They take place via email, and are designed to target a specific individual or organisation. The aim is to extract sensitive or valuable information, which could then be used to gain competitive advantage, blackmail, harm reputation, gather intelligence, spy, steal secrets/designs/ideas, and so on. MessageLabs Intelligence experts are skilled at differentiating targeted attacks from other (bulk-mailed or spammed) malicious emails that are blocked by MessageLabs Skeptic anti-malware technology.

Attackers often include legitimate details in the email but urge recipients to open a malicious attachment, so that their PC or network is compromised in some way. After all, this is the ultimate goal of the attacker. Two thirds of attacks are directed at the very...

Daren Lewis | 27 May 2010 | 0 comments

Posted on behalf of Yuriko Kako-Batt, Malware Data Analyst

People receive various spam emails every day, from dating scams to those attempting to phish bank account information, loan offers and those featuring porn sites, pharmaceuticals and replica watches. While the categories differ, many of them have similarities. In most cases the spammer’s aim is to make money, often by luring the victim into “online shopping”.

Criminal gangs make their own branded websites, selling counterfeit or illegally obtained products, and they, or some hired spammers, send spam emails with various subjects and different URLs linking to those websites. Recipients access the websites from the URL in the spam emails, and may choose to buy products there. This applies equally to pharmaceutical spam, replica watches, pirated DVDs and cheap software spam, although their products are different.

Usually these fake products are cheaper than the...

Daren Lewis | 20 May 2010 | 0 comments

By Dan Bleaken, Senior Malware Data Analyst, Symantec Hosted Services
Yesterday the U.S. Federal Trade Commission (FTC) shut down California-based ISP Pricewert LLC (also known as 3FN and APS Telecom), a notorious rogue internet service provider (ISP) that specialised in the deployment of botnets and the distribution of illegal, malicious and harmful content such as spam and child exploitation images.

One of the largest and most active botnets responsible for spam activity, the Cutwail botnet, experienced several hours of downtime on the morning of June 5, 2009, following a preliminary injunction by the FTC earlier that week. Malware from the Cutwail botnet, also known as Pandex, was first identified in January 2007.

With between 1.5 and 2 million active bots, Cutwail was perhaps the largest...

MarissaVicario | 20 May 2010 | 1 comment

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

Recently, the infamous Storm worm has reappeared in the wild. MessageLabs Intelligence first saw this new variant of the botnet start spamming on 30 April. Since then, output has come in bursts reaching a peak of 1.4 percent of spam on 8 May.

The actual spam that we have been seeing is all fairly standard pharmaceutical spam, containing links to web pages hosting the well-known Canadian Pharmacy site, with subjects like these:

Get all the medications you want online!
Disappointed with your bad performance in bed?
great offers to spice it up in bed..
need some help in the bed?
its time to spice up the bed
Safest and approved method of male enhancing have a easier time making her...
Have long strong night in BED!
Get your favorite rxmedications here!

MarissaVicario | 17 May 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

Cybercriminals frequently send phishing attacks disguised as emails that claim to be from an organisation, especially financial organisations, asking for personal details, especially passwords. Once gathered, this information enables the attackers to access the victim’s account, and very often help themselves to their money.

In 2009, Symantec Hosted Services blocked phishing attacks impersonating or relating to 1079 different organisations. Generally, a relatively small number of organisations are impersonated. In 2009, just eight impersonated organisations made up 50 percent of blocked phishing attacks and 83 impersonated organisations made up 95 percent of blocked phishing attacks. The impersonated organisations were largely banks.

While most banks are impersonated in phishing attacks at some time, any organisation that offers an online...

MarissaVicario | 14 May 2010 | 0 comments

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

At the end of March, MessageLabs Intelligence reported on a wave of targeted attacks that used the upcoming FIFA World Cup as a hook.

Around the same time, March 20 to be precise, a volcanic eruption beneath Iceland's Eyjafjallajokull glacier began; it later created an ash cloud that forced complete airspace closures across northern Europe in mid-April. Disruption to air travel continued through the end of April, and more recently there has been major disruption to transatlantic flights as the ash cloud drifts south over Western Europe (Spanish/Italian airspace).

UK airspace was shut down for 6 days, from April 15 to 20. One day after UK airspace re-opened, much to the relief of travellers all over the world, MessageLabs Intelligence intercepted a...