Last month we reported how the spam rate had dropped below 50 percent of email traffic. Almost as if in response to this seemingly watershed moment, the spam rate went up slightly in July, just crossing the midpoint mark again with a percentage of 50.1. While this is the first time the spam rate have increased in more than a year, we still anticipate that the rate will continue its slow, downward trajectory in the months to come.
The Manufacturing and Wholesale industries both saw significant increases in targeted attack activity in July, where both industries were up eight percentage points from June. Enterprises with more than 2500 employees were the most commonly targeted organization size during the month.
The number of vulnerabilities disclosed was up as well in July. There were 579 vulnerabilities reported, in comparison to 526 in June. Of particular note were six zero-day vulnerabilities discovered during the month—the highest number seen in more than a year. Four of these zero-day vulnerabilities—three for Adobe Flash Player and one for Microsoft Windows— were discovered in the data cache of the Italian covert surveillance and espionage software company, Hacking Team, which suffered a data breach in early July.
There were 53.7 million new pieces of malware discovered in July. While down slightly from June, this is still well above the 40.3 million average seen over the last twelve months. Ransomware has also declined slightly this month, though there have been modest increases in the amount of crypto-ransomware seen in July. There was also a slight decrease in malware detected in email traffic during the month, though the Agriculture, Forestry, & Fishing industry remained on top of the list of sectors most likely to receive malicious emails.
In contrast, four mobile malware families were released onto the mobile malware landscape in July, the highest number seen in one month during 2015. The number of mobile malware variants also continues to trend upwards, where 42 Android malware variants were seen per family during July.
2. 2 | July 2015
Symantec Intelligence Report
3 Summary
4 July in Numbers
5 Targeted Attacks & Phishing
5 Top 10 Industries Targeted in Spear-Phishing Attacks
5 Spear-Phishing Attacks by Size of Targeted Organization
6 Phishing Rate
6 Proportion of Email Traffic Identified as Phishing by Industry Sector
7 Proportion of Email Traffic Identified as Phishing by Organization Size
8 Vulnerabilities
8 Total Number of Vulnerabilities
8 Zero-Day Vulnerabilities
9 Vulnerabilities Disclosed in Industrial Control Systems
10 Malware
10 New Malware Variants
10 Top 10 Mac OSX Malware Blocked on OSX Endpoints
11 Ransomware Over Time
11 Crypto-Ransomware Over Time
12 Proportion of Email Traffic in Which Malware Was Detected
12 Percent of Email Malware as URL vs. Attachment by Month
13 Proportion of Email Traffic Identified as Malicious by Industry Sector
13 Proportion of Email Traffic Identified as
Malicious by Organization Size
14 Mobile & Social Media
14 Android Mobile Malware Families by Month
14 New Android Variants per Family by Month
15 Social Media
16 Spam
16 Overall Email Spam Rate
16 Proportion of Email Traffic Identified as Spam by Industry Sector
17 Proportion of Email Traffic Identified as Spam by Organization Size
18 About Symantec
18 More Information
Welcome to the July edition of the Symantec
Intelligence report. Symantec Intelligence aims
to provide the latest analysis of cyber security
threats, trends, and insights concerning malware,
spam, and other potentially harmful business
risks.
Symantec has established the most comprehensive
source of Internet threat data in the world through
the Symantec™ Global Intelligence Network,
which is made up of more than 57.6 million attack
sensors and records thousands of events per
second. This network monitors threat activity
in over 157 countries and territories through a
combination of Symantec products and services
such as Symantec DeepSight™ Intelligence,
Symantec™ Managed Security Services, Norton™
consumer products, and other third-party data
sources.
3. 3 | July 2015
Symantec Intelligence Report
Summary
Last month we reported how the spam rate had dropped below 50 percent of email traffic.
Almost as if in response to this seemingly watershed moment, the spam rate went up slightly
in July, just crossing the midpoint mark again with a percentage of 50.1. While this is the
first time the spam rate have increased in more than a year, we still anticipate that the rate
will continue its slow, downward trajectory in the months to come.
The Manufacturing and Wholesale industries both saw significant increases in targeted
attack activity in July, where both industries were up eight percentage points from June.
Enterprises with more than 2500 employees were the most commonly targeted organization
size during the month.
The number of vulnerabilities disclosed was up as well in July. There were 579 vulnerabilities
reported, in comparison to 526 in June. Of particular note were six zero-day vulnerabilities
discovered during the month—the highest number seen in more than a year. Four of these
zero-day vulnerabilities—three for Adobe Flash Player and one for Microsoft Windows—
were discovered in the data cache of the Italian covert surveillance and espionage software
company, Hacking Team, which suffered a data breach in early July.
There were 53.7 million new pieces of malware discovered in July. While down slightly from
June, this is still well above the 40.3 million average seen over the last twelve months.
Ransomware has also declined slightly this month, though there have been modest increases
in the amount of crypto-ransomware seen in July. There was also a slight decrease in
malware detected in email traffic during the month, though the Agriculture, Forestry, &
Fishing industry remained on top of the list of sectors most likely to receive malicious emails.
In contrast, four mobile malware families were released onto the mobile malware landscape
in July, the highest number seen in one month during 2015. The number of mobile malware
variants also continues to trend upwards, where 42 Android malware variants were seen per
family during July.
We hope that you enjoy this month’s report and feel free to contact us with any comments or
feedback.
Ben Nahorney, Cyber Security Threat Analyst
symantec_intelligence@symantec.com
4. 4 | July 2015
Symantec Intelligence Report
JULYINNUMBERS
5. 5 | July 2015
Symantec Intelligence Report
The Manufacturing and
Wholesale sectors where the
first and second most targeted
industries in July. These
industries each saw an eight
percentage point increase in
spear-phishing attacks.
Top 10 Industries Targeted in Spear-Phishing Attacks
Source: Symantec
Nonclassifiable Establishments
Public Administration
Construction
Retail
Transportation, Communications,
Electric, Gas, Sanitary Services
Services - Non Traditional
Finance, Insurance,
Real Estate
Services - Professional
Wholesale
Manufacturing
30%
22
9
17
13
12
17
11
17
6
8
5
12
7
2
2
0
2
3
2
July June
Top 10 Industries Targeted in Spear-Phishing Attacks
Large enterprises were the target
of 34.1 percent of spear-phishing
attacks in July, up from 25.1
percent in June. In contrast, 33.2
percent of attacks were directed
at organizations with less than
250 employees.
Company Size July June
1-250 33.2% 38.1%
251-500 12.6% 15.2%
501-1000 7.7% 9.0%
1001-1500 3.0% 9.9%
1501-2500 9.3% 2.7%
2501+ 34.1% 25.1%
Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec
Spear-Phishing Attacks by Size of Targeted Organization
Targeted Attacks Phishing
6. 6 | July 2015
Symantec Intelligence Report
Phishing Rate Inverse Graph: Smaller Number = Greater Risk
Source: Symantec
400
800
1200
1600
2000
2400
2800
JJMAMFJ
2015
DNOSA
1IN
1587
2041
1610
1517
1004
1465
2666
2057
1865
2448
1628
647
Phishing Rate
The overall phishing rate has
increased this month, where one
in 1,628 emails was a phishing
attempt.
Industry July June
Agriculture, Forestry, Fishing 1 in 837.1 1 in 1,469.9
Services - Non Traditional 1 in 1,320.5 1 in 3,977.5
Finance, Insurance, Real Estate 1 in 1,357.6 1 in 2,901.7
Public Administration 1 in 1,359.2 1 in 2,367.3
Nonclassifiable Establishments 1 in 1,564.4 1 in 2,753.1
Services - Professional 1 in 1,566.8 1 in 2,750.3
Mining 1 in 2,017.1 1 in 3,120.1
Construction 1 in 2,241.5 1 in 3,003.1
Wholesale 1 in 2,343.8 1 in 4,142.5
Transportation, Communications,
Electric, Gas, Sanitary Services
1 in 3,114.3 1 in 4,495.4
Proportion of Email Traffic Identified as Phishing
by Industry Sector
Source: Symantec.cloud
Proportion of Email Traffic Identified as Phishing by Industry Sector
The Agriculture, Forestry,
Fishing sector was again the
most targeted Industry overall for
phishing attempts in July, where
phishing comprised one in every
837.1 emails. This rate has been
higher than any other industry
since April.
7. 7 | July 2015
Symantec Intelligence Report
Company Size July June
1–250 1 in 1,288.9 1 in 1,552.5
251–500 1 in 1,613.7 1 in 2,553.7
501–1000 1 in 1,899.6 1 in 3,051.4
1001–1500 1 in 2,209.9 1 in 3,443.2
1501–2500 1 in 2,045.5 1 in 3,552.6
2501+ 1 in 1,872.3 1 in 3,624.5
Proportion of Email Traffic Identified as Phishing
by Organization Size
Source: Symantec.cloud
Proportion of Email Traffic Identified as Phishing by Organization Size
Small companies with less than
250 employees were again the
most targeted organization size
in July.
8. 8 | July 2015
Symantec Intelligence Report
The number of vulnerabilities
disclosed increased in July, up
from 526 in June to 579 reported
during the month.
Total Number of Vulnerabilities
Source: Symantec
100
200
300
400
500
600
JJMAMFJ
2015
DNOSA
399
600 596
428
562
471 469
540
579
526
579
457
Total Number of Vulnerabilities
Vulnerabilities
Zero-Day Vulnerabilities
There were six zero-day
vulnerabilities disclosed in July,
three of which exploit the Adobe
Flash Player.
Zero-Day Vulnerabilities
Source: Symantec
1
2
3
4
5
6
7
JJMAMFJ
2015
DNOSA
0 0
2
0
1
2
1 1 1
0
6
3
9. 9 | July 2015
Symantec Intelligence Report
Vulnerabilities Disclosed in Industrial Control Systems
Source: Symantec
1
2
3
4
JJMAMFJ
2015
DNOSA
1
2
3
4
1
2
3
1 1
2
1
1 1
1
Vulnerabilities
Unique Vendors
Three vulnerabilities in industrial
control systems were reported by
one vendor in July.
Vulnerabilities Disclosed in Industrial Control Systems
Methodology
In some cases the details of a vulnerability are not publicly disclosed during the same month that
it was initially discovered. In these cases, our vulnerability metrics are updated to reflect the time
that the vulnerability was discovered, as opposed to the month it was disclosed. This can cause
fluctuations in the numbers reported for previous months when a new report is released.
10. 10 | July 2015
Symantec Intelligence Report
New Malware Variants
OSX.RSPlug.A continues to be
the most commonly seen OS X
threat seen on OS X endpoints
in July.
Rank Malware Name
July
Percentage
Malware Name
June
Percentage
1 OSX.RSPlug.A 61.9% OSX.RSPlug.A 29.5%
2 OSX.Wirelurker 10.0% OSX.Keylogger 11.6%
3 OSX.Crisis 8.4% OSX.Klog.A 8.9%
4 OSX.Keylogger 4.8% OSX.Luaddit 7.8%
5 OSX.Klog.A 3.5% OSX.Wirelurker 7.1%
6 OSX.Luaddit 1.8% OSX.Flashback.K 5.4%
7 OSX.Stealbit.B 1.3% OSX.Stealbit.B 4.3%
8 OSX.Flashback.K 1.3% OSX.Freezer 3.2%
9 OSX.Freezer 1.1% OSX.Netweird 2.9%
10 OSX.Netweird 0.8% OSX.Okaz 2.5%
Top 10 Mac OS X Malware Blocked on OS X Endpoints
Source: Symantec
Top 10 Mac OSX Malware Blocked on OSX Endpoints
Malware
New Malware Variants
Source: Symantec
10
20
30
40
50
60
70
80
JJMAMFJ
2015
DNOSA
57.6
53.7
31.7
26.6
35.9
44.7
33.7
26.5
35.8
29.2
44.5
63.6
MILLIONS
There were more than 53.7
million new pieces of malware
created in July. While down from
June, this is still well above the
40.3 million average seen over
the last twelve months.
11. 11 | July 2015
Symantec Intelligence Report
Ransomware Over Time
Ransomware attacks were down
slightly in July, where over 413
thousand attacks were detected.
Ransomware Over Time
Source: Symantec
100
200
300
400
500
600
700
800
JJMAMFJ
2015
DNOSA
477
413
669
734
693
756
399
544
354
248
297
738
THOUSANDS
Crypto-Ransomware Over Time
Crypto-ransomware was up
during July, setting another high
for 2015.
Crypto-Ransomware Over Time
Source: Symantec
10
20
30
40
50
60
70
80
JJMAMFJ
2015
DNOSA
31
34
46
62
72
36
20
28
21 23
16
48
THOUSANDS
12. 12 | July 2015
Symantec Intelligence Report
Proportion of Email Traffic in Which Malware Was Detected
The proportion of email traffic
containing malware decreased
again this month, down to the
lowest levels seen since October
of last year.
100
150
200
250
300
350
400
JJMAMFJ
2015
DNOSA
1IN
Proportion of Email Traffic in Which Malware Was Detected
Source: Symantec
Inverse Graph: Smaller Number = Greater Risk
319
337
270
351
329
195
207
237
274
246
207
246
Percent of Email Malware as URL vs. Attachment by Month
The percentage of email malware
that contains a URL remained
low this month, hovering around
three percent.
Percent of Email Malware as URL vs. Attachment by Month
Source: Symantec
10
20
30
40
50
JJMAMFJ
2015
DNOSA
3
6
7
14
5
3
8
3 3 3 3
41
13. 13 | July 2015
Symantec Intelligence Report
Industry July June
Agriculture, Forestry, Fishing 1 in 252.7 1 in 231.6
Services - Non Traditional 1 in 280.1 1 in 365.3
Public Administration 1 in 288.9 1 in 245.9
Wholesale 1 in 333.3 1 in 301.6
Services - Professional 1 in 338.0 1 in 305.8
Construction 1 in 376.3 1 in 305.8
Transportation, Communications,
Electric, Gas, Sanitary Services
1 in 392.4 1 in 230.2
Finance, Insurance, Real Estate 1 in 416.4 1 in 481.5
Mining 1 in 438.3 1 in 371.5
Nonclassifiable Establishments 1 in 519.5 1 in 497.7
Proportion of Email Traffic Identified as Malicious
by Industry Sector
Source: Symantec.cloud
Proportion of Email Traffic Identified as Malicious by Industry Sector
Agriculture, Forestry, Fishing
was the most targeted sector in
July, where one in every 252.7
emails contained malware.
Company Size July June
1-250 1 in 275.8 1 in 255.6
251-500 1 in 259.5 1 in 232.9
501-1000 1 in 351.1 1 in 318.1
1001-1500 1 in 389.5 1 in 292.2
1501-2500 1 in 373.2 1 in 164.0
2501+ 1 in 401.7 1 in 472.4
Proportion of Email Traffic Identified as Malicious
by Organization Size
Source: Symantec.cloud
Proportion of Email Traffic Identified as Malicious by Organization Size
Organizations with 251-500
employees were most likely to be
targeted by malicious email in
the month of July, where one in
259.5 emails was malicious.
14. 14 | July 2015
Symantec Intelligence Report
Mobile Social Media
1
2
3
4
5
6
7
8
9
JJMAMFJ
2015
DNOSA
Android Mobile Malware Families by Month
Source: Symantec
4
1
2
3
5
6
3
0
3
1
2
8
In July there were four new
mobile malware families
discovered.
Android Mobile Malware Families by Month
There was an average of 42
Android malware variants per
family in the month of in July.
10
20
30
40
50
JJMAMFJ
2015
DNOSA
New Android Variants per Family by Month
Source: Symantec
40
42
34 33
37 36
38 38 38 39 39
36
New Android Variants per Family by Month
15. 15 | July 2015
Symantec Intelligence Report
Last 12 Months
Social Media
Source: Symantec
20
40
60
80
100
Comment
Jacking
Fake
Apps
LikejackingFake
Offering
Manual
Sharing
4
82
12
0.11.6
Manual Sharing – These rely on victims to actually do the work of sharing
the scam by presenting them with intriguing videos, fake offers or messages that they share
with their friends.
Fake Offering – These scams invite social network users to join a fake event or group
with incentives such as free gift cards. Joining often requires the user to share
credentials with the attacker or send a text to a premium rate number.
Likejacking – Using fake “Like” buttons, attackers trick users into clicking website
buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
Fake Apps – Users are invited to subscribe to an application that appears to be
integrated for use with a social network, but is not as described and may be used to steal
credentials or harvest other personal data.
Comment Jacking – This attack is similar to the Like jacking where the attacker tricks the
user into submitting a comment about a link or site, which will then be posted to his/her wall.
Social Media
In the last twelve months, 82
percent of social media threats
required end users to propagate
them.
Fake offerings comprised 12
percent of social media threats.
16. 16 | July 2015
Symantec Intelligence Report
50 50 5150.1%
+.4% pts
49.7%
-1.8% pts
51.5%
-0.6% pts
July June May
Overall Email Spam Rate
Source: Symantec
Overall Email Spam Rate
The overall email spam rate in
July was 50.1 percent, up 0.4
percentage points from June.
Spam
Industry July June
Mining 55.7% 56.1%
Manufacturing 53.8% 53.7%
Retail 53.0% 53.1%
Construction 53.0% 53.3%
Services - Professional 52.5% 52.6%
Agriculture, Forestry, Fishing 52.2% 52.3%
Wholesale 52.1% 52.2%
Nonclassifiable Establishments 52.0% 52.5%
Finance, Insurance, Real Estate 51.9% 51.9%
Services - Non Traditional 51.9% 53.0%
Proportion of Email Traffic Identified as Spam by Industry Sector
Source: Symantec.cloudProportion of Email Traffic Identified as Spam by Industry Sector
At 55.7 percent, the Mining
sector again had the highest
spam rate during July. The
Manufacturing sector came in
second with 53.8 percent.
17. 17 | July 2015
Symantec Intelligence Report
Company Size July June
1–250 52.3% 52.8%
251–500 52.6% 53.2%
501–1000 52.3% 52.4%
1001–1500 51.9% 51.9%
1501–2500 52.2% 52.1%
2501+ 52.4% 52.3%
Proportion of Email Traffic Identified as Spam by Organization Size
Source: Symantec.cloud
Proportion of Email Traffic Identified as Spam by Organization Size
While all organization sizes had
around a 52 percent spam rate,
organizations with 251-500
employees had the highest rate
at 52.6 percent.
18. 18 | July 2015
Symantec Intelligence Report
About Symantec
More Information
Symantec Worldwide: http://www.symantec.com/
ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
Symantec Security Response: http://www.symantec.com/security_response/
Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people,
businesses and governments seeking the freedom to unlock the opportunities technology brings
– anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of
the largest global data-intelligence networks, has provided leading security, backup and availability
solutions for where vital information is stored, accessed and shared. The company’s more than 20,000
employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are
Symantec customers. In fiscal 2014, it recorded revenues of $6.7 billion. To learn more go to
www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.