Symantec Intelligence
Paul Wood | 10 Jul 2011 | 0 comments

As with many exciting trends we observe in the technology industry - designed as a force for good, to enable, enhance and empower - there are criminals on the other side of the fence looking to hijack, undermine and exploit the new capabilities for their own nefarious purposes. The subject of today's post - VoIP telephony - is an excellent example of how even a genuinely transformative technology can quickly lose its innocence. Sunday 10th July represents the five year anniversary of a new word in the security commentator's vocabulary, as the first 'vish' - a phish using VoIP telephony - was reported by a number of concerned consumers. Vishing uses techniques that are essentially similar to phishing, the act of acquiring sensitive information via electronic communication whilst posing as a trusted entity. A vish takes place over the telephone, using call spoofing, and tricks a user into...

Paul Wood | 04 Jul 2011 | 0 comments

Today – Monday 4th July – is notable not just because it is Independence Day in the US, but also because it marks another important anniversary for the technology industry in particular. Fifteen years ago, on 4th July 1996, entrepreneurs Sabeer Bhatia and Jack Smith officially launched the first free web-based email system Hotmail, choosing the day deliberately to symbolise freedom from ISP-based email. In 1997, Microsoft acquired Hotmail for an estimated $400m and turned it into the world’s largest web-based email service with over 350 million users operating in 36 different languages.

The mass adoption of Hotmail, and subsequently rival web-based email tools such as Gmail and Yahoo! Mail, is significant for a couple of reasons. Firstly, over a number of years it has successfully transformed email from a largely professional, ‘grown up’ tool, into a free, mainstream, consumer-friendly way of communicating, accessible to, and enthusiastically...

Nick Johnston | 01 Jul 2011 | 0 comments

We've seen spammers abusing URL shortening services on a huge scale for quite some time, which was also reported in-depth as part of the May 2011 MessageLabs Intelligence Report. The explosion in popularity of micro-blogging services and social networking status updates has seen a huge increase in the number of URL shortening sites. The simple and semi-anonymous nature of these sites allows spammers to easily create thousands of links which they then include in their spam in an attempt to evade URL-based spam blocking.

Recently we saw a large malware attack using URL shortening services. The attack abused at least five different URL shortening sites. The message claimed to be from an inter-bank funds transfer service, claiming that a funds transfer had been cancelled. To find out why the transfer was...

Paul Wood | 28 Jun 2011 | 2 comments

Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.

Since the shutdown of the Rustock botnet in March, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.

The overall impact has been that spam now accounts for 72.9% of email in June, returning to the same level as in April earlier this year. In June, 76.6% of this spam was being sent from botnets, compared with 83.1% in March. This marks a return to the same level of output as at the end of 2010...

Sean Butler | 22 Jun 2011 | 0 comments

Today I came across a phishing mail that is tied to the current Wimbledon Tennis Championships that are taking place. The scammer informs their potential victim that they have won two tickets to this year’s Wimbledon Championships, and all they need to do is log in to their online banking account and complete the required fields. Of course in reality there are no free tickets to Wimbledon and the recipient will end up being a victim of fraud where the scammer will empty their bank account.

A quick glance at the email confirms the suspicious nature of this due to the poor grammar in the body of the mail. Even the subject contains a grammatical error – “Your way to Wimbledon , claim your tickets now!” The mail displays a link to a well known worldwide banking corporation, but the link hidden behind this in the source of the mail shows that the...

Nick Johnston | 25 May 2011 | 0 comments

Domain parking services allow registration of Internet domain names without using them for services like email or hosting a website. This is often done to reserve the domain name for future use, to prevent (or carry out) cybersquatting or earn money via advertising hosted on an automatically-generated web site on the domain.

We recently noticed a large domain parking service being abused by spammers on a massive scale. Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice. The only minor restriction is that URLs have to be base64-encoded: in other words, a redirect URL of "http://symantec.com" must be specified as "aHR0cDovL3N5bWFudGVjLmNvbQ==".

This type of abuse is particularly interesting, as it's important to note that spammers have not compromised the service directly: they are simply taking advantage...

Paul Wood | 27 Apr 2011 | 0 comments

Posted on behalf of Martin Lee, Senior Software Engineer,

Targeted attacks are bespoke pieces of malware that are sent to email addresses that appear to have been specially selected by the attacker. In this way they differ from the rest of email malware, which is sent in large numbers without apparent regard to the recipient. Non-targeted attacks appear to be designed to infect as many computers as possible, whereas targeted attacks appear to be designed to attack the computers of specifically targeted individuals, presumably either to extract information that is valuable to the attacker or to act as a launching pad for further attacks within an organisation.

The targeted malware itself often exploits ‘0’ day or the most recent vulnerabilities. The low copy-numbers in which these pieces of malware are sent and their sophistication mean that they are often not detected by traditional anti-virus techniques and require...

Paul Wood | 15 Apr 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Analyst,

On the 16th of March Rustock, the largest of the spamming botnets, was taken down. As you would expect, global spam levels started to drop, as can be seen when you look at the number of mails being delivered to one of our spamtraps.

However, on the 26th March we saw a large increase in the amount of data traffic hitting our spamtraps, despite the number of actual emails continuing to decline.

Investigation revealed that the reason for this was that the Cutwail botnet had started sending many more emails with zip file attachments than normal, meaning the average size of each mail was much higher than normal. The chart below shows that there have been a couple of spikes in early March, which may have...

Paul Wood | 06 Apr 2011 | 0 comments

Posted on behalf of Jason Zhang and Joseph Rabaiotti, Malware Research Analysts,

Portable document format (PDF) is one of the most commonly used file formats with which to exchange electronic documents across platforms and applications. Because of its popularity, it has been heavily used in both targeted and non-targeted attacks, as reported by MessageLabs Intelligence Monthly Report (PDF) in February 2011 and a blog post in January 2011. According to the report, PDFs now account for a larger proportion of document-based targeted attacks; in 2009 approximately 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010.

In 2011, we have seen no sign of this trend slowing down; more recently the attacks have widened to include sophisticated...

MarissaVicario | 04 Apr 2011 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst,

Every year tax season is usually exploited by those who seek to make a profit preying on people's trust. Throughout the year MessageLabs Intelligence commonly sees phishing attacks, but there is always an increase around March, as the financial year draws to a close and tax season kicks into full swing.

The chart above shows tax-related phishing as a proportion of all malicious mail (not general spam)

As one can see, there was an increase in traffic in mid February, but even that is less than half of the volume of tax-related scams seen throughout March.

Most of the scams that we are seeing are purporting to be from the UK's tax office, "Her Majesty's Revenue and Customs", or the USA's tax...