
21347932_GA-internet-security-threat-report-volume-20-2015-social_v2

Published by m.nashrafa, 2015-06-29 01:01:46


INTERNET SECURITY THREAT REPORT
APRIL 2015, VOLUME 20

2015 Internet Security Threat Report

Table of Contents

4  Introduction
5  Executive Summary
9  2014 IN NUMBERS

18  MOBILE DEVICES & THE INTERNET OF THINGS
19  Mobile Malware
23  SMS and the Interconnected Threat to Mobile Devices
25  Mobile Apps and Privacy
26  Internet of Things
26  Wearable Devices
27  Internet-Connected Everything
27  Automotive Security
28  The Network As the Target
29  Medical Devices – Safety First, Security Second

31  WEB THREATS
32  Vulnerabilities
32  Heartbleed
32  ShellShock and Poodle
33  High-Profile Vulnerabilities and Time to Patch
34  The Vulnerability Rises
35  SSL and TLS Certificates Are Still Vital to Security
35  Vulnerabilities as a Whole
41  Compromised Sites
42  Web Attack Toolkits
43  Malvertising
43  Malvertising at Large
44  Denial of Service

45  SOCIAL MEDIA & SCAMS
46  Social Media
46  Facebook, Twitter, and Pinterest
48  Affiliate Programs: The Fuel That Drives Social Media Scams
50  Instagram
51  Messaging Platforms
53  Dating Scams
54  Malcode in Social Media
54  The Rise of “Antisocial Networking”
54  Phishing
56  Phishing in Countries You Might Not Expect
58  Email Scams and Spam

60  TARGETED ATTACKS
61  Cyberespionage
62  Industrial Cybersecurity
63  Securing Industrial Control Systems
65  Reconnaissance Attacks
66  Watering Hole Attacks
69  Shifting Targets and Techniques
70  Threat Intelligence
70  Techniques Used In Targeted Attacks

77  DATA BREACHES & PRIVACY
83  Retailers Under Attack
84  Privacy and the Importance of Data Security
85  Data Breaches in the Healthcare Industry

87  E-CRIME & MALWARE
88  The Underground Economy
90  Malware
93  Ransomware
93  Crypto-Ransomware
95  Digital Extortion: A Short History of Ransomware
97  Bots and Botnets
98  OSX as a Target
100  Malware on Virtualized Systems

101  APPENDIX
102  Looking Ahead
104  Best Practice Guidelines for Businesses
107  20 Critical Security Controls
108  Critical Control Protection Priorities
111  Best Practice Guidelines for Consumers
112  Best Practice Guidelines for Website Owners
114  Footnotes
117  Credits
118  About Symantec
118  More Information

Charts & Tables

9  2014 IN NUMBERS

18  MOBILE DEVICES & THE INTERNET OF THINGS
19  New Android Mobile Malware Families
20  Cumulative Android Mobile Malware Families
20  New Android Variants per Family
21  App Analysis by Symantec’s Norton Mobile Insight
21  New Mobile Vulnerabilities
22  Mobile Vulnerabilities by Operating System
22  Mobile Threat Classifications

31  WEB THREATS
33  Heartbleed and ShellShock Attacks
35  New Vulnerabilities
36  Total Number of Vulnerabilities
36  Browser Vulnerabilities
37  Plug-In Vulnerabilities by Month
37  Top 10 Vulnerabilities Found Unpatched on Scanned Webservers
38  Scanned Websites with Vulnerabilities, Percentage of Which Were Critical
38  Websites Found with Malware
39  Classification of Most Frequently Exploited Websites
39  Web Attacks Blocked per Month
40  New Unique Malicious Web Domains
40  Web Attacks Blocked per Day
42  Top 5 Web Attack Toolkits
42  Timeline of Web Attack Toolkit Use
44  DDoS Attack Traffic

45  SOCIAL MEDIA & SCAMS
47  Social Media
55  Email Phishing Rate (Not Spear-Phishing)
57  Phishing Rate
57  Number of Phishing URLs on Social Media
58  Overall Email Spam Rate
58  Estimated Global Email Spam Volume per Day
59  Global Spam Volume per Day

60  TARGETED ATTACKS
62  Vulnerabilities Disclosed in ICS Including SCADA Systems
66  Zero-Day Vulnerabilities
67  Top 5 Zero-Day Vulnerabilities, Time of Exposure & Days to Patch
68  Zero-Day Vulnerabilities, Annual Total
70  Distribution of Spear-Phishing Attacks by Organization Size
71  Risk Ratio of Spear-Phishing Attacks by Organization Size
71  Top 10 Industries Targeted in Spear-Phishing Attacks
72  Risk Ratio of Organizations in an Industry Impacted by Targeted Attack Sent by Spear-Phishing Email
72  Risk Ratio of Spear-Phishing Attacks by Industry
73  Spear-Phishing Emails per Day
73  Spear-Phishing Email Campaigns
74  Spear-Phishing Email Word Cloud
74  Risk Ratio of Spear-Phishing Attacks by Job Role
75  Risk Ratio of Spear-Phishing Attacks by Job Level
75  Average Number of Spear-Phishing Attacks per Day
76  Analysis of Spear-Phishing Emails Used in Targeted Attacks

77  DATA BREACHES & PRIVACY
78  Total Breaches
78  Breaches with More Than 10 Million Identities Exposed
79  Top Causes of Data Breach
79  Average Identities Exposed per Breach
80  Median Identities Exposed per Breach
80  Timeline of Data Breaches
81  Total Identities Exposed
82  Top 10 Sectors Breached by Number of Incidents
82  Top 10 Sectors Breached by Number of Identities Exposed
83  Top-Ten Types of Information Exposed

87  E-CRIME & MALWARE
89  Value of Information Sold on Black Market
90  New Malware Variants
90  Email Malware Rate (Overall)
91  Email Malware as URL vs. Attachment
91  Percent of Email Malware as URL vs. Attachment by Month
92  Proportion of Email Traffic in Which Malware Was Detected
92  Ransomware Over Time
93  Ransomware Total
94  Crypto-Ransomware
97  Number of Bots
97  Malicious Activity by Source: Bots
98  Top 10 Spam-Sending Botnets
99  Top 10 Mac OSX Malware Blocked on OSX Endpoints

Introduction

Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 57.6 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Intelligence, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 66,400 recorded vulnerabilities (spanning more than two decades) from over 21,300 vendors representing over 62,300 products.

Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic™, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8.4 billion email messages are processed each month and more than 1.8 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers.

Symantec Trust Services secures more than one million web servers worldwide with 100 percent availability since 2004. The validation infrastructure processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. The Norton™ Secured Seal is displayed almost one billion times per day on websites in 170 countries and in search results on enabled browsers.

These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their systems effectively now and into the future.

Executive Summary

If there is one thing that can be said about the threat landscape, and Internet security as a whole, it is that the only constant is change. This can clearly be seen in 2014: a year with far-reaching vulnerabilities, faster attacks, files held for ransom, and far more malicious code than in previous years.

While 2013 was seen as the Year of the Mega Breach, 2014 had high-profile vulnerabilities grabbing the headlines. Data breaches are still a significant issue, since the number of breaches increased 23 percent and attackers were responsible for the majority of these breaches. However, attention shifted during the year from what was being exfiltrated to the way attackers could gain access.

Vulnerabilities have always been a big part of the security picture, where operating system and browser-related patches have been critical in keeping systems secure. However, the discovery of vulnerabilities such as Heartbleed, ShellShock, and Poodle, and their wide-spread prevalence across a number of operating systems, brought the topic front and center. The conversation has shifted from discussing “threat X that exploits a vulnerability” to detailing how “vulnerability Y is used by these threats and in these attacks.”

This is one of many constants that changed in 2014. Based on the data collected by the Symantec Intelligence network and the analysis of our security experts, here are other trends of note in 2014.

Attackers Are Moving Faster, Defenses Are Not

Within four hours of the Heartbleed vulnerability becoming public, Symantec saw a surge of attackers stepping up to exploit it. Reaction time has not increased at an equivalent pace.

Advanced attackers continue to favor zero-day vulnerabilities to silently sneak onto victims’ computers, and 2014 had an all-time high of 24 discovered zero-day vulnerabilities. As we observed with Heartbleed, attackers moved in to exploit these vulnerabilities much faster than vendors could create and roll out patches. In 2014, it took 204 days, 22 days, and 53 days, for vendors to provide a patch for the top three most exploited zero-day vulnerabilities. By comparison, the average time for a patch to be issued in 2013 was only four days. The most frightening part, however, is that the top five zero-days of 2014 were actively used by attackers for a combined 295 days before patches were available.

Attackers Are Streamlining and Upgrading Their Techniques, While Companies Struggle to Fight Old Tactics

In 2014, attackers continued to breach networks with highly targeted spear-phishing attacks, which increased eight percent overall. They notably used less effort than the previous year, deploying 14 percent less email towards 20 percent fewer targets.

Attackers also perfected watering hole attacks, making each attack more selective by infecting legitimate websites, monitoring site visitors and targeting only the companies they wanted to attack.

Further complicating companies’ ability to defend themselves was the appearance of “Trojanized” software updates. Attackers identified common software programs used by target organizations, hid their malware inside software updates for those programs, and then waited patiently for their targets to download and install that software—in effect, leading companies to infect themselves.

Last year, 60 percent of all targeted attacks struck small- and medium-sized organizations. These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This puts not only the businesses, but also their business partners, at higher risk.

Cyberattackers Are Leapfrogging Defenses in Ways Companies Lack Insight to Anticipate

As organizations look to discover attackers using stolen employee credentials and identify signs of suspicious behavior throughout their networks, savvy attackers are using increased levels of deception and, in some cases, hijacking companies’ own infrastructure and turning it against them.

In 2014, Symantec observed advanced attackers:
•  Deploying legitimate software onto compromised computers to continue their attacks without risking discovery by anti-malware tools.
•  Leveraging a company’s management tools to move stolen IP around the corporate network.
•  Using commonly available crimeware tools to disguise themselves and their true intention if discovered.
•  Building custom attack software inside their victim’s network, on the victim’s own servers.
•  Using stolen email accounts from one corporate victim to spear-phish their next corporate victim.
•  Hiding inside software vendors’ updates, in essence “Trojanizing” updates, to trick targeted companies into infecting themselves.

Given all of this stealthy activity, it’s not surprising that Symantec Incident Response teams brought in to investigate one known breach to an organization discovered additional breaches still in progress.
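The “Trojanized” update pattern described above is defeated on the client side by refusing any update whose manifest is not signed by a key the client already trusts. The Go program below is an added example written for this page; it is not Symantec’s code and not any vendor’s update mechanism. The Manifest layout, the update-manifest-v1 domain tag, the build numbers, and every key and payload in it are constructed for the illustration. It publishes a manifest signed with an Ed25519 key the client has pinned, then shows the three ways a substituted update fails the check: a swapped payload, a manifest re-signed with an untrusted key, and a replay of an older but genuinely signed manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor. The publisher signs the
// build number and payload digest with an offline Ed25519 key; the client
// ships with the matching public key pinned, so an update that was not
// produced with the publisher's key cannot pass verification.
type Manifest struct {
	Build     int    // monotonically increasing build number
	SHA256Hex string // hex SHA-256 of the update payload
	Signature []byte // Ed25519 signature over signedMessage(Build, SHA256Hex)
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
	ErrDowngrade      = errors.New("manifest build is not newer than the installed build")
)

// signedMessage fixes the exact bytes that are signed, with a domain tag so
// the signature cannot be reused for any other message type.
func signedMessage(build int, digestHex string) []byte {
	return []byte(fmt.Sprintf("update-manifest-v1|%d|%s", build, digestHex))
}

// Publish is the publisher side: hash the payload and sign the manifest.
func Publish(priv ed25519.PrivateKey, build int, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Build:     build,
		SHA256Hex: digest,
		Signature: ed25519.Sign(priv, signedMessage(build, digest)),
	}
}

// VerifyUpdate is the client side. Order matters: check the signature
// first, so nothing in an unauthenticated manifest is trusted before it
// has been verified; then bind the payload to the signed digest; then
// refuse replays of older, genuinely signed manifests.
func VerifyUpdate(pinned ed25519.PublicKey, installedBuild int, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, signedMessage(m.Build, m.SHA256Hex), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrDigestMismatch
	}
	if m.Build <= installedBuild {
		return ErrDowngrade
	}
	return nil
}

// RunScenarios exercises the check against a genuine update and the three
// failure cases a trojanized-update attack produces. All keys and payloads
// are constructed here; nothing is fetched from anywhere.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuine := []byte("constructed update payload, build 101")
	trojan := []byte("constructed update payload with an implant")
	installed := 100

	results := map[string]error{}
	good := Publish(priv, 101, genuine)
	results["genuine"] = VerifyUpdate(pub, installed, good, genuine)
	// Payload swapped on the mirror or in transit; manifest left intact.
	results["tampered"] = VerifyUpdate(pub, installed, good, trojan)
	// Attacker re-signs a matching manifest with a key the client does not trust.
	results["forged"] = VerifyUpdate(pub, installed, Publish(attackerPriv, 101, trojan), trojan)
	// Genuine but older manifest and payload replayed to roll the client back.
	results["downgrade"] = VerifyUpdate(pub, installed, Publish(priv, 99, genuine), genuine)
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered", "forged", "downgrade"} {
		fmt.Printf("%-10s -> %v\n", name, results[name])
	}
}
```

Checking the signature before anything else is deliberate: a client that compares the digest first has already acted on attacker-controlled manifest data. Build numbers rather than version strings are compared so that a rollback to an older, still validly signed release is refused as well.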

Almost no company, whether large or small, is immune. Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year. Small- and medium-sized businesses also saw an uptick, with attacks increasing 26 percent and 30 percent, respectively.

Malware Used In Mass Attacks Increases and Adapts

Non-targeted attacks still make up the majority of malware, which increased by 26 percent in 2014. In fact, there were more than 317 million new pieces of malware created last year, meaning nearly one million new threats were released into the wild each day. Some of this malware may not be a direct risk to organizations and is instead designed to extort end-users. Beyond the annoyance factor to IT, however, it impacts employee productivity and diverts IT resources that could be better spent on high-level security issues.

Malware authors have various tricks to avoid detection; one is to spot security researchers by testing for virtual machines before executing their code. In 2014, up to 28 percent of all malware was “virtual machine aware.” This should serve as a wake-up call to security researchers who are dependent on virtual sandboxing to observe and detect malware. It also makes clear that virtual environments do not provide any level of protection. Certain malware like W32.Crisis, upon detecting a virtual machine, will search for other virtual machine images and infect them.

Digital Extortion on the Rise: 45 Times More People Had Their Devices Held Hostage in 2014

While most people associate “extortion” with Hollywood films and mafia bosses, cybercriminals have used ransomware to turn extortion into a profitable enterprise, attacking big and small targets alike.

Ransomware attacks grew 113 percent in 2014, driven by more than a 4,000 percent increase in crypto-ransomware attacks. Instead of pretending to be law enforcement seeking a fine for stolen content, as we’ve seen with traditional ransomware, crypto-ransomware holds a victim’s files, photos and other digital media hostage without masking the attacker’s intention. The victim will be offered a key to decrypt their files, but only after paying a ransom that can range from $300-$500—and that’s no guarantee their files will be freed.

In 2013, crypto-ransomware accounted for a negligible percentage of all ransomware attacks (0.2 percent, or 1 in 500 instances). However, in 2014, crypto-ransomware was seen 45 times more frequently. While crypto-ransomware predominately attacks devices running Windows, Symantec has seen an increase in versions developed for other operating systems. Notably, the first piece of crypto-ransomware on mobile devices was observed on Android last year.

Cybercriminals Are Leveraging Social Networks and Apps to Do Their Dirty Work

Email remains a significant attack vector for cybercriminals, but there is a clear movement toward social media platforms. In 2014, Symantec observed that 70 percent of social media scams were manually shared. These scams spread rapidly and are lucrative for cybercriminals because people are more likely to click something posted by a friend.

Mobile was also ripe for attack, as many people only associate cyber threats with their PCs and neglect even basic security precautions on their smartphones. In 2014, Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise. Additionally, grayware apps, which aren’t malicious by design but do annoying and inadvertently harmful things like track user behavior, accounted for 36 percent of all mobile apps.

Internet of Things Is Not a New Problem, But an Ongoing One

Symantec continued to see attacks against Point of Sales systems, ATMs, and home routers in 2014. These are all network-connected devices with an embedded operating system, though they’re not often considered part of the Internet of Things (IoT). Whether officially part of the IoT or not, attacks on these devices further demonstrate that it’s no longer only our PCs at risk. And the potential for cyberattacks against cars and medical equipment should be a concern to all of us.

Risks to many IoT devices are exacerbated by the use of smartphones as a point of control. Symantec discovered that 52 percent of health apps—many of which connect to wearable devices—did not have so much as a privacy policy in place, and 20 percent sent personal information, logins, and passwords over the wire in clear text.

Some of this may reflect the attitudes of end users. In a Norton survey, one in four admitted they did not know what they agreed to give access to on their phone when downloading an application. And 68 percent were willing to trade their privacy for nothing more than a free app.

2014 IN NUMBERS

Mobile Devices

New Android Mobile Malware Families: 46 (2014), 57 (2013)
Cumulative Android Mobile Malware Families: 277 (2014), 231 (2013)
New Android Variants per Family: 48 (2014), 57 (2013)
Cumulative Android Mobile Malware Variants: 9,839 (2014), 7,612 (2013)
New Mobile Vulnerabilities: 168 (2014), 127 (2013)

App Analysis by Symantec’s Norton Mobile Insight
Total Apps Analyzed: 6.3 M (2014), 6.1 M (2013)
Total Apps Classified as Malware: 1 M (2014), .7 M (2013)
Total Apps Classified as Grayware: 2.3 M (2014), 2.2 M (2013)

Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise. Grayware apps, which aren’t malicious by design but do annoying and inadvertently harmful things like track user behaviour, accounted for 36 percent of all mobile apps.

Web Threats

Scanned Websites with Vulnerabilities: 76% (2014), 77% (2013)
Percentage of Which Were Critical: 20% (2014), 16% (2013)
New Vulnerabilities: 6,549 (2014), 6,787 (2013)
Web Attacks Blocked per Day: 496,657 (2014), 568,734 (2013)
Websites Found with Malware: 1 in 1,126 (2014), 1 in 566 (2013). Inverse graph: smaller number = greater risk.

Top 5 Vulnerabilities Found Unpatched on Scanned Web Servers
1  SSL/TLS Poodle Vulnerability
2  Cross-Site Scripting
3  SSL v2 support detected
4  SSL Weak Cipher Suites Supported
5  Invalid SSL certificate chain

Within four hours of the Heartbleed vulnerability becoming public, Symantec saw a surge of attackers stepping up to exploit it.

Social Media & Scams

Overall Email Spam Rate: 60% (2014), 66% (2013)
Email Phishing Rate: 1 in 965 (2014), 1 in 392 (2013). Inverse graph: smaller number = greater risk.
Fake Offering Social Media Scams: 23% (2014), 81% (2013)
Manually Shared Social Media Scams: 70% (2014), 2% (2013)
Average Number of Phishing URLs on Social Media: 3,829 (2014), 6,993 (2013)
Estimated Global Spam Volume per Day: 28 billion (2014), 29 billion (2013)

In 2014, Symantec observed that 70 percent of social media scams were manually shared.

Targeted Attacks

Spear-Phishing Emails per Day: 73 (2014), 83 (2013)

Spear-Phishing Email Campaigns
Campaigns: 841 (2014), 779 (2013)
Average Number of Recipients per Campaign: 18 (2014), 23 (2013)
Average Attacks per Campaign: 25 (2014), 29 (2013)
Duration of a Campaign: 9 days (2014), 8 days (2013)

Top 10 Industries Targeted in Spear-Phishing Attacks (top five shown; 2014 / 2013)
Manufacturing: 20% / 13%
Services—Nontraditional: 20% / 14%
Finance, Insurance & Real Estate: 18% / 13%
Services—Professional: 11% / 15%
Wholesale: 10% / 5%

Risk Ratio of Spear-Phishing Attacks by Industry (2014 / 2013)
Mining: 1 in 2.3 (44%) / 1 in 2.7 (37%)
Wholesale: 1 in 2.9 (34%) / 1 in 3.4 (29%)
Manufacturing: 1 in 3.0 (33%) / 1 in 3.2 (31%)
Transportation, Communications, Electric, Gas & Sanitary Services: 1 in 3.4 (29%) / 1 in 3.9 (26%)
Public Administration (Government): 1 in 3.4 (29%) / 1 in 3.1 (32%)

Top 5 Risk Ratio of Spear-Phishing Attacks by Job Level
Individual Contributor: 1 in 3.7 (27%)
Manager: 1 in 3.8 (26%)
Intern: 1 in 3.9 (26%)
Director: 1 in 5.4 (19%)
Support: 1 in 7.6 (13%)

Top 5 Risk Ratio of Spear-Phishing Attacks by Job Role
Sales/Marketing: 1 in 2.9 (35%)
Finance: 1 in 3.3 (30%)
Operations: 1 in 3.8 (27%)
R&D: 1 in 4.4 (23%)
IT: 1 in 5.4 (19%)

Distribution of Spear-Phishing Attacks by Organization Size (2014 / 2013)
Small Businesses (1 to 250 employees): 34% / 30%
Medium-Size Businesses (251 to 2,500 employees): 25% / 31%
Large Enterprises (2,500+ employees): 41% / 39%

Risk Ratio of Spear-Phishing Attacks by Organization Size (2014 / 2013)
Small Businesses: 1 in 2.2 (45%) / 1 in 5.2 (19%)
Medium-Size Businesses: 1 in 1.6 (63%) / 1 in 3.5 (33%)
Large Enterprises: 1 in 1.2 (83%) / 1 in 2.3 (43%)

Spear-Phishing Emails Used in Targeted Attacks (attachment type)
.doc: 39%
.exe: 23%
.scr: 9%
.au3: 8%
.jpg: 5%

Last year, 60 percent of all targeted attacks struck small- and medium-sized organizations.
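The report’s advice to block executable and screensaver attachments, together with the attachment-type table above, translates directly into a gateway rule. The Go program below is an added example written for this page, not Symantec’s code; the deny list, the sample attachments and their header bytes are all constructed for the illustration. It applies two checks a mail gateway can run offline: a deny list on the normalized final extension (so “invoice.pdf.exe” and “screensaver.SCR ” are caught despite the double extension, the uppercase and the trailing space) and a content check for the MZ header that every Windows executable carries, so a binary renamed to .jpg is caught as well. Office documents such as the .doc files that top the table pass this filter; macro handling for them is a separate control.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Attachment is a constructed stand-in for what a mail gateway sees:
// the declared filename and the first bytes of the decoded content.
type Attachment struct {
	Filename string
	Content  []byte
}

// Verdict records whether the gateway blocks the attachment and why.
type Verdict struct {
	Filename string
	Blocked  bool
	Reason   string
}

// Executable and script extensions that have no business reaching an
// inbox as a raw attachment. A .scr screensaver is a PE executable under
// another name, which is why the report lists it beside .exe.
var blockedExtensions = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".cpl": true,
	".bat": true, ".cmd": true, ".vbs": true, ".js": true, ".jar": true,
	".au3": true, // AutoIt script, also in the report's top five
}

// normalizedExt returns the lowercase final extension after removing
// trailing dots and spaces, which Windows drops when it opens the file.
func normalizedExt(name string) string {
	name = strings.TrimRight(name, ". ")
	i := strings.LastIndex(name, ".")
	if i < 0 || i == len(name)-1 {
		return ""
	}
	return strings.ToLower(name[i:])
}

// looksLikePE reports whether the content starts with the "MZ" DOS header
// that every Windows executable (.exe, .scr, .dll) carries, so a renamed
// binary is caught even when its extension passes the deny list.
func looksLikePE(content []byte) bool {
	return bytes.HasPrefix(content, []byte("MZ"))
}

// Inspect applies the two checks in order: name first, then content.
func Inspect(a Attachment) Verdict {
	if ext := normalizedExt(a.Filename); blockedExtensions[ext] {
		return Verdict{a.Filename, true, "blocked extension " + ext}
	}
	if looksLikePE(a.Content) {
		return Verdict{a.Filename, true, "content is a Windows executable despite its name"}
	}
	return Verdict{a.Filename, false, "allowed"}
}

// SampleAttachments are constructed inputs covering the cases above.
func SampleAttachments() []Attachment {
	return []Attachment{
		{"quarterly-report.doc", []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}}, // OLE2 header, a real .doc
		{"invoice.pdf.exe", []byte("MZ\x90\x00")},      // double extension, final one is .exe
		{"screensaver.SCR ", []byte("MZ\x90\x00")},     // uppercase plus trailing space
		{"holiday.jpg", []byte("MZ\x90\x00")},          // executable renamed to look like an image
		{"holiday-real.jpg", []byte{0xFF, 0xD8, 0xFF}}, // genuine JPEG magic
		{"macro.au3", []byte("; AutoIt script")},
	}
}

// InspectAll returns the verdict for every sample, keyed by filename.
func InspectAll() map[string]Verdict {
	out := map[string]Verdict{}
	for _, a := range SampleAttachments() {
		out[a.Filename] = Inspect(a)
	}
	return out
}

func main() {
	for _, a := range SampleAttachments() {
		v := Inspect(a)
		fmt.Printf("%-22q blocked=%-5t %s\n", v.Filename, v.Blocked, v.Reason)
	}
}
```

The extension check runs first because it is cheap and needs no decoding; the content check is what makes the rule robust to renaming, and the same sniffing is worth extending to archives, which the example does not open.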

Zero-Day Vulnerabilities: 24 (2014), 23 (2013)
Average Days to Patch by Vendor for Top 5 Zero-Days: 59 (2014), 4 (2013)
Total Days of Exposure for Top 5 Zero-Days: 295 (2014), 19 (2013)

Top 5 Zero-Day Vulnerabilities – Days of Exposure and Days to Patch (Source: Symantec). Chart of the number of attacks detected (thousands) against the number of days after vulnerability publication (0 to 300). Share of attacks: Microsoft ActiveX Control 81%, Microsoft Internet Explorer 10%, Adobe Flash Player 7%, Adobe Flash Player 2%, Microsoft Windows <1%.

In total, the top five zero-days of 2014 were actively exploited by attackers for a combined 295 days before patches were available.

Data Breaches

Total Breaches: 312 (2014), 253 (2013)
Total Identities Exposed: 348 M (2014), 552 M (2013)
Average Identities Exposed per Breach: 1.1 M (2014), 2.2 M (2013)
Median Identities Exposed per Breach: 7,000 (2014), 6,777 (2013)
Breaches with More Than 10 Million Identities Exposed: 4 (2014), 8 (2013)

Top 5 Sectors Breached by Number of Incidents, 2014
Healthcare: 116 (37%)
Retail: 34 (11%)
Education: 31 (10%)
Gov. & Public: 26 (8%)
Financial: 19 (6%)

Top 5 Sectors Breached by Number of Identities Exposed
Retail: 205 M (59%)
Financial: 80 M (23%)
Computer Software: 35 M (10%)
Healthcare: 7 M (2%)
Gov. & Public: 7 M (2%)

Top 10 Types of Information Exposed (top five shown)
Real Names: 69%
Gov. ID Numbers (e.g., SSN): 45%
Home Addresses: 43%
Financial Information: 36%
Birth Dates: 35%

The number of breaches increased 23 percent in 2014. Attackers were responsible for the majority of these breaches.

E-Crime & Malware

New Malware Variants (Added Each Year): 317 M (2014), 252 M (2013)
Email Malware Rate: 1 in 244 (2014), 1 in 196 (2013). Inverse graph: smaller number = greater risk.
Ransomware Total: 8.8 million (2014), 4.1 million (2013)
Ransomware per Day: 24 K (2014), 11 K (2013)
Number of Bots: 1.9 M (2014), 2.3 M (2013)
Email Malware as URL vs. Attachment: 12% (2014), 25% (2013)

Value of Information Sold on Black Market (Item: Cost)
1,000 Stolen Email Addresses: $0.50 to $10
Credit Card Details: $0.50 to $20
Scans of Real Passports: $1 to $2
Stolen Gaming Accounts: $10 to $15
Custom Malware: $12 to $3500
1,000 Social Network Followers: $2 to $12
Stolen Cloud Accounts: $7 to $8
1 Million Verified Email Spam Mail-outs: $70 to $150
Registered and Activated Russian Mobile Phone SIM Card: $100

Ransomware attacks grew 113 percent in 2014, along with 45 times more crypto-ransomware attacks. In 2014, up to 28 percent of all malware was “virtual machine aware.”

MOBILE DEVICES & THE INTERNET OF THINGS

Mobile Devices and the Internet of Things

With billions of smartphones and potentially many billions of Internet-connected devices of all kinds, the focus of Internet security is shifting from the desktop and the data center to the home, the pocket, the purse, and, ultimately, the infrastructure of the Internet itself.

At a Glance
•  There are now more than 1 million malicious apps in existence.
•  Proof-of-concept attacks on the Internet of Things are here, including wearables, Internet infrastructure, and even cars.
•  Devices on the cusp of the Internet of Things, such as routers, network-attached storage devices, and embedded Linux devices, are already under attack.

Mobile Malware

The tenth anniversary of mobile malware occurred in 2014. In 2004, researchers discovered SymbOS.Cabir,[1] a worm that spread through Bluetooth and targeted the Symbian OS, the most popular mobile operating system at the time.[2]

Today many apps contain malware. As of 2014, Symantec has identified more than 1 million apps that are classified as malware. This includes 46 new families of Android malware in 2014. In addition, there are perhaps as many as 2.3 million “grayware” apps that, while not technically malware, display undesirable behavior, such as bombarding the user with advertising.[3]

New Android Mobile Malware Families (Source: Symantec)
2014: 46 (–19%)
2013: 57 (–45%)
2012: 103

The falling number of families doesn’t indicate that this problem is going away but just that the rate of innovation is slowing. This may be because existing malware is effective enough and there is less demand for new software. In addition, the overall trend masks significant fluctuations from month to month. The drop also suggests that developers are maximizing the number of variants per family, for example, by repackaging well-known games and apps with malware.

Symantec expects the growth in mobile malware to continue in 2015, becoming more aggressive in targeting a user’s money. Already 51 percent of U.S. adults bank online and 35 percent use mobile phones to do so.[4] This creates an incentive for malware writers to target phones to capture bank details.[5] Today, Android malware can intercept text messages with authentication codes from your bank and forward them to attackers. Fake versions of legitimate banks’ mobile applications also exist, hoping to trick users into giving up account details.

Cumulative Android Mobile Malware Families, 2011–2014 (Source: Symantec)
2011: 71
2012: 174
2013: 231
2014: 277

New Android Variants per Family (Source: Symantec)
2014: 48 (–16%)
2013: 57 (+50%)
2012: 38

In 2014 there were 46 new mobile malware families discovered. There was a 16 percent drop in the number of Android variants per family in 2014.

App Analysis by Symantec’s Norton Mobile Insight (Source: Symantec; millions, 2014 / 2013 / 2012)
Total Apps Analyzed: 6.3 / 6.1 / 2.7
Total Apps Classified as Malware: 1 / .7 / .2
Total Apps Classified as Grayware: 2.3 / 2.2 / 1.4
Total Grayware Further Classified as Madware: 1.3 / 1.2 / .6
Known Ad Libraries (count): 93 (2014), 88 (2013), 50 (2012)

Of the 6.3 million apps analyzed in 2014, one million of these were classified as malware, while 2.3 million were classified as grayware. A further 1.3 million apps within the grayware category were classified as madware.

Malware Definition: Programs and files that are created to do harm. Malware includes computer viruses, worms, and Trojan horses.
Grayware Definition: Programs that do not contain viruses and that are not obviously malicious but that can be annoying or even harmful to the user (for example, hack tools, accessware, spyware, adware, dialers, and joke programs).
Madware Definition: Aggressive techniques to place advertising in your mobile device’s photo albums and calendar entries and to push messages to your notification bar. Madware can even go so far as to replace a ringtone with an ad.

New Mobile Vulnerabilities (Source: Symantec)
2014: 168 (+32%)
2013: 127 (–69%)
2012: 416

There were 168 mobile vulnerabilities disclosed in 2014, a 32 percent increase compared to 2013.

Mobile Vulnerabilities by Operating System, 2013–2014 (Source: Symantec; 2013 / 2014)
iOS: 82% / 84%
Android: 13% / 11%
BlackBerry OS: 1% / 4%
Windows Phone: 0% / 1%

84% of mobile vulnerabilities related to Apple iOS in 2014, compared with 11% for Android, 4% for BlackBerry and 1% for Nokia.

Mobile Threat Classifications, 2012–2014 (Source: Symantec). Chart of the share of threats in each category for 2012, 2013, and 2014. Traditional threats increased 6 percentage points between 2013 and 2014, while threats that steal information from the device or track users declined in 2014.

Send Content – Threats that send premium SMS, Spam and SEO Poisoning threats.
Adware/Annoyance – Threats that cause advertisement popups and unwanted information.
Reconfigure Device – Threats that modify user settings, and elevates privileges.
Traditional Threats – Threats like Backdoor Trojans, Downloaders, DDoS utility, Hacktool and Security Alerts.
Steal Information – Threats that steal device data, media files and any user credentials. Eg., Banking Trojan.
Track User – Threats that spy on users, tracks user location.

SMS and the Interconnected Threat to Mobile Devices
by Lamine Aouad, Slawomir Grzonkowski, Alejandro Mosquera, and Dylan Morss

The threat landscape is continually evolving, and with the emergence of cheaper and readily available technologies and communication channels, it naturally attracts malicious activity of all sorts. The shift from desktop PCs to mobile devices as primary computing devices is a perfect example of this. As more users rely on their mobile devices, more spam, scams, and threats are tailored to these devices. We suspect that the interconnectedness of apps on smartphones has played a big part in this increase. This interconnectedness has enabled a malicious source to send an SMS that will open in a mobile browser by default, which can be readily utilized to exploit the user.

SMS is far from a new technology; it’s older than the smartphone itself. However, we’ve seen significant growth in this area of the mobile landscape when it comes to how scammers and attackers carry out their campaigns. SMS and other mobile messaging technologies are readily being used as a means to deliver all kinds of scam campaigns, such as adult content, rogue pharmacy, phishing and banking scams, payday loan spam, fake gifts, etc.

An important trend in 2014 was the proliferation of scam campaigns. Although this category was not the most prevalent, it certainly was one of the most dangerous threats using SMS messages as its vector of attack. These are targeted campaigns, of a range of scams and frauds, addressed to selected potential victims, mainly scraped off classified ad websites. Scammers send automated inquiries about the advert via SMS. They also offer fictitious items for sale, such as jobs and houses for rent, and interact with potential victims by SMS, and then they switch to email for communication. They typically use fake checks or spoofed payment notifications to make victims ship their items or to take victims’ deposits. Naturally victims never hear back from them.

Another variant leads online dating users to fake age verification websites that charge for a premium adult subscription. For these adult scams, spammers initially targeted mobile dating app users and moved to SMS afterward. These apps and social media sites were the main sources that dating scammers used in 2014.

Most SMS scammers are posing as U.S. or Canadian citizens or businesses while running from other countries (many were traced back to Nigeria). They abuse VoIP and cloud-based mobile carriers and messaging services (the top two services, namely Enflick and Integra5, accounted for more than 90 percent of their traffic). They also abuse all sorts of hosting, email, listing, and online payment and money transfer services. These scams are not new and have been running on email for quite some time; however, new mobile platforms and technologies make it easier for scammers to take advantage of the unsuspecting, especially when they are using a relatively trusted medium like SMS. Online buyers and sellers, as well as those looking for a job, apartment, or any other service, should pay close attention to the details of each communication and be aware that these scammers are constantly improving their fraudulent tactics.

Top Categories of Observed SMS Spam, 2014 (Source: Symantec)
Adult Content             38%
Payday Loan               24%
Bank / Account Phishing   11%
Rogue Pharmacy            10%
Scam                       9%
Others                     8%

01 A typical Craigslist or PayPal11 scam, for instance, would start with a message like the following sent to hundreds of people scraped off Craigslist:
[screenshot]

02 The scammers have further discussions with the victim via email and follow up with a text message stating that they will be paying for the item and shipping via PayPal:
[screenshot]

03 The scammers send a confirmation email to the victim’s PayPal account, from a fake PayPal email address, claiming the funds have been deducted from his or her account and will be released to the victim once he or she ships the item:
[screenshot]

04 If this is successful, the scammers can then track the items to their doorstep and the victim never receives any compensation for his or her items.

Users should also be aware of the continually evolving malware landscape. SMS has been seen as an infection and propagation vector for many Trojans, worms, and SMS agents. There are instances of malicious apps propagating via SMS to infect new victims, which typically would be the contact list. These are very short messages that look legit but include links to malicious apps. Typical examples would look like the following text messages to the right. These malicious apps are monetized in different ways, mainly via premium services and SMS subscriptions. They also leak personal information and show affiliate ads.

The fact that an older technology, such as SMS, has become such a popular propagation technique for scams and other malicious activity highlights an important issue in the mobile threat landscape: communication is becoming more unified through new applications and services. In the future, the underlying delivery technology will be irrelevant, regardless of whether it’s SMS, email, IM, or something new. As different apps and technologies are becoming more and more integrated, users will need to be aware that threats can be delivered across a variety of areas.

Mobile malware will become harder to remove, for example, by using PCs as a way to infect attached phones and by using bootkits to infiltrate a phone’s operating system.6 Like some rootkits for PCs, bootkits infect the master boot record of a device so that the malware runs before the operating system is even loaded. The first crypto-ransomware for Android devices appeared in 2014, giving criminals another way to earn money by infecting phones and tablets—extortion.7

There are also wider privacy issues at stake. Not only can apps gain access to users’ private information, but the phones themselves can also be used to invade people’s privacy. For example, this year researchers at Stanford University were able to pick up audio and identify who was speaking by using the gyroscope in a mobile phone.8

Mobile Apps and Privacy

An alarming percentage of apps collect and send personally identifiable information (PII) to app developers. A survey carried out by Symantec, and published in December 2014,9 indicates that most consumers worry about app security and privacy risks. However, the findings also suggest consumers are their own worst enemies when it comes to mobile privacy.

Many consumers worry about device and data security, but, ironically, most are still willing to allow apps access to their personal information. In fact, according to the survey, 68 percent of people will willingly trade their privacy for a free app.

App users think they understand what they are agreeing to when downloading apps, but, in reality, they have little understanding of common app permission practices and behaviors. For instance, over half of respondents were unaware that apps could track their physical location (22 percent of the apps scanned by Norton Mobile Insight track this information).

Internet of Things

The first Internet-connected appliance was a Coke machine at Carnegie Mellon University back in 1982. It reported on stock levels and whether newly loaded drinks were chilled.10 It was the snowflake that started an avalanche.

The Internet of Things (IoT), embedded computing devices with Internet connectivity, embraces a wide range of devices, including digital home thermostats, smart TVs, car systems (such as navigation, entertainment, and engine management computers), networking devices, smart watches, and activity trackers.

The diversity of threats mirrors the diversity of devices. In the past year, there has been a growing number of probing and experimental attacks on a range of devices, as well as a few serious attacks.

As the market for IoT devices has developed, it has become fragmented with a rich diversity in low-cost hardware platforms and operating systems. Some attacks are already capable of exploiting vulnerabilities in Linux-based IoT systems and routers; however, as market leaders emerge and their ecosystems grow stronger, attacks against some devices will undoubtedly escalate. This is likely to follow a path similar to the way that attacks against the Android platform reflected the growth in its popularity in recent years.

Wearable Devices

Wearable fitness and personal health devices will be a $5 billion market by 2016,12 according to analysts at Gartner. There are devices and apps already available for measuring our steps, blood pressure, heart rate, and other intimate medical data, which can be stored online or on our phones.

With countless Internet-connected wearable devices on the market and more coming, including the highly anticipated Apple Watch, there is an obvious security and privacy threat.

Already, there have been proof-of-concept attacks on Fitbit devices13 and Symantec researchers revealed significant vulnerabilities in many devices and applications in this area.14 In a review of the 100 health apps in the App Store, 20 percent transmitted user credentials without encrypting them, more than half (52 percent) did not have any privacy policies, and, on average, each app contacted five Internet domains (typically a mix of advertising and analytics services).

The potential exposure of personal data from health-monitoring devices could have serious consequences for individuals, for example, if insurance companies started to use the data to adjust premiums, or if people used hacked location data to track other people without their knowledge. In a fast-moving and early-stage industry, developers have a strong incentive to offer new functionality and features, but data protection and privacy policies seem to be of lesser priority.

Internet-Connected Everything

Computing and connectivity have enhanced our lives. Phones now play videos. Cars now have navigation and entertainment systems. In our homes, lighting, heating, and cooling can be controlled from an app. The possibilities are exciting, but there is also a dark side.

For example, in May 2014, the FBI and police in 19 countries arrested more than 90 people in connection with “creepware”—using Internet-connected webcams to spy on people.15,16 Similarly, as cars get “smarter” (meaning more digital and more connected), they are also at greater risk. Researchers found that many cars are vulnerable to cyberattacks.17 Researchers were even able to use a laptop to control a standard car.18

Automotive Security
by Shankar Somasundaram

The automotive industry is undergoing a number of big changes. Cars are already powerful networks on wheels, processing large quantities of data. In many cases, smartphones have already been integrated into car infotainment systems. Auto manufacturers are also integrating Internet connectivity into cars. This connectivity offers a variety of useful features to the cars, ranging from predictive maintenance to downloading new features on an on-demand basis. Standards around vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications are also being developed, with initial trials already underway. A number of players have also engaged in research on driverless cars, which is progressing rapidly, adding further computing power to the driving experience.

These developments have brought security and privacy issues in the automotive industry to the forefront. Attacks have already been demonstrated on different car manufacturers over the last couple of years.19,20

One attack surface is the websites and mobile apps provided by the car manufacturer, which could be used to configure or remotely control an Internet-enabled car. Symantec internal research has found that a number of these car manufacturers’ websites are not very well authenticated. Another issue is that some of these websites and apps rely upon the car’s unique vehicle identification number (VIN) to identify it. A car can be easily controlled by spoofing VINs through these websites and apps, by sending messages to the targeted cars. If this seems farfetched, keep in mind that in many cases a car’s VIN can be located near the base of the windshield.

The most common attack surface is the OBD-II port, a diagnostic port that is kept in easily accessible locations within most cars, as per regulations for maintenance and software updates. The OBD-II port can be used to inject packets into the car’s computer system, allowing control of the brakes, ignition control unit, etc. Technically speaking, an attacker could control any component within the car, even preventing the driver from accessing them via a denial-of-service attack. The general argument against the validity of such attacks has been that they require a physical connection to the auto. However, with insurance providers and other players providing wireless aftermarket units that can connect to the OBD-II port, such physical connectivity is no longer required.

If the back-end systems of companies providing devices that connect to a car’s OBD-II port are compromised, then remote attacks on the car can be launched through these systems. In fact, compromised back-end systems, such as servers collecting and storing data from the devices, could become launch pads for attacks through multiple vendors, ranging from repair shops to the auto manufacturers themselves.

A compromised smartphone or malicious application on a phone is also a potential medium for attacking a car. For example, if a compromised device is charged via a vehicle’s USB port, the vehicle is susceptible to being attacked. The increasing popularity of 4G, picocells,21 and Home Node Bs22 has also created a way to connect to and launch attacks over a cellular interface.
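The VIN-as-identifier problem described above, shown as an added example that is not Symantec’s code or any manufacturer’s: a minimal remote-command endpoint in which a request that names the car only by VIN is accepted, beside a hardened endpoint that requires an authenticated session and checks that the session’s owner is registered to that VIN before dispatching. The registry, session store, VINs, account names and command set are all constructed for the example.

```python
"""Why a VIN is an identifier, not a credential.

Two handlers for a hypothetical "send command to car" endpoint of a
manufacturer web portal. The vulnerable one trusts the VIN in the request;
the fixed one binds the VIN to an authenticated owner. Everything here is
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict
import secrets

# Constructed registry: VIN -> owner account id (stand-in for the backend DB).
# The VINs follow the 17-character format but are not real vehicles.
OWNER_BY_VIN = {
    "1HGCM82633A004352": "alice",
    "WBAEV33402KL58217": "bob",
}

ALLOWED_COMMANDS = {"lock", "unlock", "horn", "locate"}


@dataclass
class Session:
    """Server-side session created after the owner logs in."""
    user: str
    token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed session store keyed by the random 128-bit token.
SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session; the credential check itself is out of scope here."""
    s = Session(user=user)
    SESSIONS[s.token] = s
    return s.token


def vulnerable_handler(request: dict) -> str:
    """Identifies the car by the VIN in the request only.

    Anyone who has read a VIN off a windshield can issue commands, because
    the handler never asks who is sending the request.
    """
    vin = request.get("vin", "")
    cmd = request.get("command", "")
    if vin not in OWNER_BY_VIN or cmd not in ALLOWED_COMMANDS:
        return "error: unknown vin or command"
    return f"dispatched {cmd} to {vin}"


def hardened_handler(request: dict) -> str:
    """Requires a valid session and checks the session owner owns the VIN."""
    session = SESSIONS.get(request.get("session_token", ""))
    if session is None:
        return "error: not authenticated"
    vin = request.get("vin", "")
    cmd = request.get("command", "")
    if cmd not in ALLOWED_COMMANDS:
        return "error: unknown command"
    # Authorization: the VIN must belong to the logged-in user. A valid VIN
    # proves nothing by itself, so the check is on ownership, not on format.
    if OWNER_BY_VIN.get(vin) != session.user:
        return "error: vin not registered to this account"
    return f"dispatched {cmd} to {vin}"


if __name__ == "__main__":
    print(vulnerable_handler({"vin": "1HGCM82633A004352", "command": "unlock"}))
    token = login("bob")
    print(hardened_handler({"session_token": token, "vin": "1HGCM82633A004352", "command": "unlock"}))
    print(hardened_handler({"session_token": token, "vin": "WBAEV33402KL58217", "command": "lock"}))
```

The point of the comparison is the last check in the hardened handler: the server looks up who is asking and whether that account is the registered owner of the VIN, so knowing a VIN is no longer enough to reach the car.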

Another big threat vector is the infotainment unit, which controls the USB port, CD player, and other popular devices. Researchers at University of Washington and University of California, San Diego,23 have demonstrated how attacks on a car can be carried out by compromising CD-ROMs or Bluetooth interfaces. Once the infotainment system is compromised, other units in the car can be attacked as well.

Another interesting, albeit less effective, threat has been tire pressure sensors. Attackers have demonstrated how wireless signals at the right frequency can be used to send conflicting signals to the tire pressure controller, possibly causing warning lights on the dashboard to turn on or, even worse, crash the controllers that connect to the tire pressure sensors, risking loss of control of the vehicle. However, such attacks need to be done at short range and require wireless expertise, in addition to particular hacking skills, making them more difficult to carry out.

While the above scenarios are critical from a security perspective, there are also issues around privacy. With the amount of data being generated by the car, as well as the user details that the car stores, questions like “Who owns the data?” and “How is the data being secured?” become critical issues. Privacy issues will start to get more severe as V2V and V2I technologies become more popular. In scenarios where user anonymity and privacy must be maintained, authentication will need to be carried out on an extremely large scale.

Symantec is conducting extensive research in this field, working directly with automobile manufacturers to perform vulnerability analysis of different features and components and providing aftermarket assessment. While auto manufacturers are separating out the critical and noncritical components of the car to ensure security, much more needs to be done. Symantec advocates end-to-end security to help address the problem. These solutions range from authentication, ensuring only signed code is executed, securing the infotainment and telematics units and the applications that run on them, monitoring them with analytics to detect abnormal activity, and ensuring the car’s software can be updated remotely as needed. Some of these approaches must be incorporated during the design phase itself. How these solutions are implemented is equally important, since improper implementation could be just as ineffective as no security at all.

The future of Internet-enabled cars is bright and full of potential. The next phase of V2V communication, as well as driverless cars, will bring in a lot more connectivity. It will also increase the attack surface, as cars will autonomously communicate with each other and the infrastructure around them. It is all the more important that we understand and take action on the security issues now, before the challenges become too big to surmount.

The Network As the Target

The Internet is made up of hubs, switches, and routers that move information from place to place. These devices, from retail home routers to form-factor network-attached storage devices, are at the very least close cousins in the emerging IoT device space. They have processing, storage, and Internet connectivity and in many ways function just like more strictly defined IoT devices.

These types of devices are already under attack and can be seen as harbingers of what is to come in the larger IoT space.

For example, in August 2014 some Synology network-attached storage devices were infected by ransomware.24 At the end of 2013, Symantec researchers discovered a new Linux worm called Darlloz25 that targeted small Internet-enabled devices such as home routers, set-top boxes, and security cameras.26 By March 2014, Symantec identified 31,716 devices that were infected with this malware.27

Attackers can use freely available tools, such as the Shodan search engine, to search for Internet-enabled devices such as security cameras, heating control systems in buildings, and more.28

Symantec expects to see further malware development and attacks on the Internet of Things as criminals find new ways to make money from doing so. For example, some attackers have used Darlloz to mine for crypto-currencies similar to bitcoins. Other attackers have leveraged hacked routers to carry out distributed denial-of-service attacks.29 Experience with PCs and, more recently, with mobile malware suggests that where there is opportunity created by technical exploits and motivation, such as greed, vindictiveness, or revenge, there will be cyberattacks.

Medical Devices – Safety First, Security Second
by Axel Wirth

Medical devices are notoriously insecure and easy to hack, as has been demonstrated for pacemakers30 and insulin pumps,31 as well as surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors, and laboratory equipment.32

The concerns voiced by security researchers, government regulators, and healthcare providers are well founded, as any medical device cybersecurity incident could seriously harm patients. Because medical devices are so closely tied in with the care process, any compromise may also adversely affect care delivery and hospital operations.

It is also a topic in the public eye, as we have seen through the press coverage of former Vice President Dick Cheney, who had the remote features of his pacemaker turned off.33 These types of incidents were even dramatized in TV crime series like “Homeland” (Showtime) and “Person of Interest” (CBS).

2014 can be considered the year when medical device security became a mainstream topic and change started to happen. The US Department of Homeland Security,34 the FBI,35 and the FDA,36 as well as international regulators, issued warnings and expressed their concerns about the need to improve the cybersecurity of our medical device ecosystem.

There are reasons why medical devices are highly vulnerable:
• Medical devices have a long, useful life.
• The design, manufacturing, and sale of medical devices are highly regulated. Although regulations typically do not prevent manufacturers from including or updating device cybersecurity, they do mandate a time-consuming release process and test cycle, which can delay availability of security patches.
• Medical devices are used 24x7, and it may be difficult to find time for upgrades, especially since groups of devices need to be upgraded together to maintain operational compatibility.
• Since medical devices are periodically on and off the hospital network as patients come and go, removal of malware from compromised devices may be operationally difficult. Given some malware’s ability to reinfect cleaned devices, all vulnerable devices may need to be cleaned at once, requiring all impacted patients to come to the hospital at one time: a scheduling challenge in and of itself.

The most important risk scenarios to be aware of are those that target medical devices with the goal to harm a patient. Life-sustaining devices like pacemakers or insulin pumps can be hacked. Fortunately, to date no such case has been reported outside proof-of-concept security research; however, the potential impact remains high.

Another situation that many healthcare providers struggle with is poorly patched devices, often running end-of-life operating systems. These highly vulnerable devices are a problem not because they are targeted, but because of their susceptibility to common malware. The impact is mainly operational, but cases have been reported where emergency patients have had to be rerouted to other hospitals due to malware infections of diagnostic equipment.37

Medical device vulnerabilities could also be used for an attack on a hospital. Attackers could exploit a device and use it as an entry point for a larger targeted attack, with the goal of damaging the reputation of a healthcare facility or instilling fear in the population as part of a hacktivist, cybervandalism, or even a cyberterrorism attack.

For practical and regulatory reasons, the responsibility for securing the actual device itself lies mainly with the manufacturers. However, hospitals also need to assure that their biomedical engineers are trained to work with their IT department to build secure networks for medical devices and include cybersecurity considerations in their buying decisions. Solutions to secure their devices and device networks do exist, and can be applied by manufacturers or healthcare providers.

• Asset management and risk analysis are critical to minimize the security risks of medical devices. Automated tools to support these activities do exist, and standards and best practices are being put forward, for example the IEC 80001 series on risk management of medical device networks.
• Host Intrusion Detection and Prevention (HIDS/HIPS) is a security technology installed on the device itself that effectively excludes any undesired programs or an unauthorized user.
• Encryption can be used to protect patient data, but also to prevent data from being manipulated with the goal to change system settings.
• Device and software certificates can be used to control use of devices and deployment of device software and upgrades, minimizing the risk of unauthorized code being installed.
• Network-based security technologies, like firewalls and security gateways, can be used to detect an external attack, but also to identify any devices that may be compromised by detecting connections to malicious external sources.

Medical device security is not only a challenge of today’s healthcare ecosystem. Under the evolving umbrella of mobile health, or mHealth, new care delivery models will move devices into the patient’s home. This will place medical devices on public networks, provide medical apps through consumer devices such as smartphones, and interlace personal data with clinical information.

With the evolving concept of “care is everywhere” we need to deal with cybersecurity, but also privacy concerns. The device will not only provide clinical information, but also information about patient behavior and location. Once again, it seems that regulations will have to catch up with technology. We will need new guidelines to address the new risks of information use, data ownership, and consent.

WEB THREATS

Web Threats

Web threats got bigger and much more aggressive in 2014 as holes in commonly used tools and encryption protocols were exposed and criminals made it harder to escape their malicious clutches.

The web presented an incredibly threatening landscape in 2014, a trend set to continue in 2015. Vulnerabilities and new variants of malware underlined that website security deserves full-time, business-critical attention.

At a Glance
• The Heartbleed vulnerability left approximately half a million trusted websites at risk of significant data breaches in April.38
• The Heartbleed scare caused many more people to take note and improve standards in SSL and TLS implementation.
• Criminals are taking advantage of the technology and infrastructure that legitimate ad networks have created to distribute malicious attacks and scams.
• A big jump to 5 percent of total infected websites has bumped anonymizer sites into the top 10 types of infected sites for 2014.
• The total number of sites found with malware has virtually halved since 2013.

Vulnerabilities

Vulnerabilities grabbed the headlines in 2014, and they continue to do so. At the time of writing, a new SSL/TLS vulnerability dubbed “FREAK” had been identified by several security researchers.39 FREAK allows man-in-the-middle attacks on encrypted communications between a website visitor and website, which ultimately could allow attackers to intercept and decrypt communications between affected clients and servers. Once the encryption is broken by the attackers, they can steal passwords and other personal information and potentially launch further attacks against the affected website.

Looking back at 2014, three vulnerabilities disclosed in particular grabbed the news headlines.

Heartbleed

Heartbleed hit the headlines in April 2014, when it emerged that a vulnerability in the OpenSSL cryptographic software library meant attackers could access the data stored in a web server’s memory during an encrypted session. This session data could include credit card details, passwords, or even private keys that could unlock an entire encrypted exchange.40

At the time, it was estimated that Heartbleed affected 17 percent of SSL web servers, which use SSL and TLS certificates issued by trusted certificate authorities.41 This had a massive impact on businesses and individuals.

Not only was a great deal of sensitive data at risk, but the public also had to be educated about the vulnerability so they knew when to update their passwords. Website owners had to first update their servers to the patched version of OpenSSL, then install new SSL certificates, and finally revoke the old ones. Only then would a password change be effective against the threat, and communicating that to the general public posed a real challenge.

Fortunately, the response was swift, and within five days none of the websites included in Alexa’s top 1,000 were vulnerable to Heartbleed and only 1.8 percent of the top 50,000 remained vulnerable.42

ShellShock and Poodle

Heartbleed wasn’t the only vulnerability to come to light in the online ecosystem in 2014. In September a vulnerability known as “Bash Bug” or “ShellShock,” which affected most versions of Linux and Unix as well as Mac OS X, was discovered. ShellShock was a particularly good example that highlighted how quickly the security landscape could change for website owners: one day their servers are securely patched and up to date, and then, very suddenly, they are not, and many of the initial patches are incomplete and must be patched again.

The easiest route of attack was through web servers, as attackers could use Common Gateway Interface (CGI), the widely used system for generating dynamic web content, to add a malicious command to an environment variable. The Bourne Again Shell (Bash),43 the server component containing the vulnerability, would then interpret the variable and run it.44

Numerous threats took advantage of ShellShock, exposing servers, and the networks to which they were connected, to malware that could infect and spy on multiple devices.

Attention then turned back to encryption in October 2014, when Google discovered a vulnerability known as Poodle. Potentially, this vulnerability allowed criminals to exploit servers that supported an older SSL protocol known as SSL 3.0. It interfered with the “handshake” process that verified the server’s protocol, forcing it to use SSL 3.0—even if a newer protocol was supported.45

A successful exploit allows attackers to carry out man-in-the-middle attacks to decrypt secure HTTP cookies, which then lets them steal information or take control of victims’ online accounts. Fortunately, this was not as serious as Heartbleed. To take advantage of the Poodle vulnerability, the attacker would need to have access to the network between the client and server—for instance, through a public Wi-Fi hotspot.

High-Profile Vulnerabilities and Time to Patch

The attacks that quickly followed the announcement of these vulnerabilities were big news in and of themselves, albeit in a different manner than attention-grabbing zero-day vulnerabilities. Heartbleed and ShellShock could be viewed as a different class of vulnerability altogether, because they were used to compromise servers instead of end points. The key factor with these high-profile vulnerabilities was the prevalence of the software they affected, found in so many systems and devices. Given the software’s widespread existence, these vulnerabilities instantly became hot targets for attackers, and both were exploited within hours of disclosure.

[Chart: Heartbleed and ShellShock Attacks, April–November 2014, thousands of attacks per month. “Heartbleed” vulnerability reported April 7, 2014 (CVE-2014-0160); “ShellShock” vulnerability reported Sep 24, 2014 (CVE-2014-6271). Source: Symantec]

The large spikes seen in the chart demonstrate that while Symantec signatures were in place to detect and block attacks almost immediately after disclosure, there were already a large number of attacks underway. Attackers were able to exploit the Heartbleed vulnerability within four hours of it becoming public.
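The Heartbleed passage above says attackers could read a server’s memory during an encrypted session; what it does not show is the single missing length check behind that. The following is an added example, not OpenSSL’s code: it models the TLS heartbeat message layout from RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding), a responder that trusts the claimed payload length the way the vulnerable code did, and a responder that applies the bounds check the fixed release added (reject the message when 1 + 2 + payload_length + 16 exceeds the bytes actually received). The “adjacent memory” is a constructed byte string standing in for heap data next to the request buffer.

```python
"""TLS heartbeat handling before and after the Heartbleed (CVE-2014-0160) fix.

Added example, not OpenSSL's code. Message layout (RFC 6520):
    type(1) | payload_length(2, big-endian) | payload | padding(>= 16)
The bug: the responder copied payload_length bytes starting at the payload
without checking that the request actually contained that many bytes, so the
reply carried whatever followed the request in process memory.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16

# Constructed stand-in for heap data adjacent to the request buffer.
ADJACENT_MEMORY = b"session=abc123;password=hunter2;" * 4


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length lets a test overstate the length."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record: bytes) -> bytes:
    """Trusts payload_length and echoes that many bytes from the buffer.

    The buffer is modelled as the request followed by ADJACENT_MEMORY, which
    is what an over-read walks into."""
    _, length = struct.unpack("!BH", record[:3])
    buf = record[3:] + ADJACENT_MEMORY
    echoed = buf[:length]          # over-read whenever length > actual payload
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def fixed_respond(record: bytes) -> Optional[bytes]:
    """Applies the bounds checks from the fix; None means silently discard."""
    if len(record) < 1 + 2 + MIN_PADDING:        # cannot even hold a zero-length heartbeat
        return None
    hb_type, length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + length + MIN_PADDING > len(record):  # the check OpenSSL 1.0.1g added
        return None
    payload = record[3:3 + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    print(response_payload(vulnerable_respond(honest)))   # b'ping'
    overstated = build_heartbeat(b"ping", claimed_length=60)
    print(response_payload(vulnerable_respond(overstated)))  # b'ping' + padding + leaked bytes
    print(fixed_respond(overstated))                         # None: dropped
```

The fixed responder validates the claimed length against the record it actually holds before touching the payload, which is the whole of the correction; the rest of the handling is unchanged.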
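The ShellShock passage describes the mechanism (CGI copies request headers into environment variables, and a vulnerable Bash ran what followed a function definition in such a variable) but not what the probes looked like in a server’s logs. The following detection logic is an added example, not a Symantec signature: it parses constructed Apache combined-format access-log lines and flags any header-derived field that starts with the Bash function-definition prefix `() {`, which no legitimate User-Agent or Referer value begins with. The IP addresses and log lines are constructed for the example.

```python
"""Detect ShellShock-style (CVE-2014-6271) probes in web server access logs.

Added example, not a vendor signature. CGI exports request headers as
environment variables (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER),
and a vulnerable Bash treated any variable whose value began with "() {" as a
function definition, executing what followed the closing brace. The detector
therefore keys on that prefix rather than on any particular payload.
"""
import re
from typing import List, Optional, Tuple

# The function-definition prefix, tolerating whitespace variation.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed Apache combined-format lines; the last two carry probes
# (one in the Referer field, one in the User-Agent field).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:08:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:08:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:08:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() { :;}; echo probe" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:08:03:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { ignored; }; echo probe"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fields whose content a CGI server hands to the shell via the environment.
HEADER_FIELDS = ("referer", "ua", "req")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(entry: dict) -> bool:
    """True if any header-derived field carries the Bash function prefix."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in HEADER_FIELDS)


def find_probes(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, offending_field) for each flagged line, in order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append((entry["ip"], field))
                break
    return hits


if __name__ == "__main__":
    for ip, field in find_probes(SAMPLE_LOG):
        print(f"{ip}: ShellShock prefix in {field}")
```

Because the prefix, not the command, is what the detector matches, it catches probes regardless of what the attacker places after the braces; on a patched Bash the same requests are harmless but still worth alerting on as reconnaissance.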
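The Poodle passage explains that the attack works by interfering with the handshake so that a connection falls back to SSL 3.0. The server-side mitigation that addresses the fallback itself, as an added example that is not any TLS library’s code, is the TLS_FALLBACK_SCSV signalling cipher suite from RFC 7507 (value 0x5600): a client that is retrying at a lower version includes it in its cipher-suite list, and a server that supports a higher version aborts with an inappropriate_fallback alert instead of continuing. The block parses a minimal ClientHello body (version, random, session id, cipher suites, as in RFC 5246, with extensions omitted) and shows both that check and the simpler configuration choice of refusing SSL 3.0 outright. The suite value 0x002F is the real TLS_RSA_WITH_AES_128_CBC_SHA; the hellos themselves are constructed.

```python
"""Server-side handling of a downgraded handshake (POODLE mitigation).

Added example, not a TLS library's code. Two controls are modelled:
  1. TLS_FALLBACK_SCSV (RFC 7507): a client retrying at a lower version
     signals it; if the server could do better, it refuses.
  2. A minimum protocol version, so SSL 3.0 is simply not negotiable.
"""
from typing import List, Tuple

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600
NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}


def build_client_hello(version: int, suites: List[int]) -> bytes:
    """Minimal ClientHello body: version | 32-byte random | empty session id |
    cipher_suites length | cipher_suites. Extensions are omitted."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    return body + len(cs).to_bytes(2, "big") + cs


def parse_client_hello(data: bytes) -> Tuple[int, List[int]]:
    """Extract client_version and the offered cipher suites."""
    version = int.from_bytes(data[0:2], "big")
    pos = 2 + 32                                   # skip the random
    sid_len = data[pos]
    pos += 1 + sid_len                             # skip the session id
    cs_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(data[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return version, suites


def negotiate(client_hello: bytes, server_min: int, server_max: int) -> dict:
    """Decide the protocol version or the alert a server should send."""
    version, suites = parse_client_hello(client_hello)
    # RFC 7507: the client says it is retrying lower than it could; since this
    # server supports a higher version, that retry is an induced downgrade.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return {"ok": False, "alert": "inappropriate_fallback"}
    # Configuration floor: with server_min = TLS_1_0, SSL 3.0 is never chosen.
    if version < server_min:
        return {"ok": False, "alert": "protocol_version"}
    chosen = min(version, server_max)
    return {"ok": True, "version": NAMES[chosen]}


if __name__ == "__main__":
    retry = build_client_hello(SSL_3_0, [0x002F, TLS_FALLBACK_SCSV])
    print(negotiate(retry, SSL_3_0, TLS_1_2))      # inappropriate_fallback
    legacy = build_client_hello(SSL_3_0, [0x002F])
    print(negotiate(legacy, SSL_3_0, TLS_1_2))     # weak floor: SSL 3.0 accepted
    print(negotiate(legacy, TLS_1_0, TLS_1_2))     # hardened floor: protocol_version
```

The two controls complement each other: the SCSV check protects clients that still need SSL 3.0 for some other peer from being pushed down to it against this server, while raising the floor to TLS 1.0 removes the weak version entirely, which is the simpler fix where no SSL 3.0-only clients remain.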

The Vulnerability Rises
By Tim Gallo

Over the past few years the idea of vulnerability management has been frequently talked about but was often seen as an annoyance or a process that, while interesting, isn’t as important as breach response or adversary tracking. However, 2014 gave vivid examples of the importance of addressing vulnerabilities. Three major vulnerabilities were in the news—and not just security industry news—including coverage by major media news outlets. They were colloquially known as Poodle, ShellShock, and Heartbleed.

[Image: The Heartbleed vulnerability even got its own logo.]

Each of these vulnerabilities was discovered in areas traditionally not covered by most vulnerability management processes at the time. These processes have, as of late, been focused on laptops and servers, thanks to the regularity of publicized vulnerabilities by Adobe and Microsoft and these companies’ speed in releasing patches. While we have seen, and will continue to see, new vulnerabilities in these applications, solid processes have been established here in patch deployment, vulnerability disclosure, and overall patch management processes.

It is this automation of patch deployment by operating system and application vendors that has forced attackers to shift their tactics somewhat. Attackers have moved to new methods of exploitation—or perhaps more accurately, they have moved back into the vulnerability research game. This shift back to combing through applications more thoroughly on the attacker’s part has resulted in vulnerabilities being discovered in areas previously thought to be secure.

Let’s take one of these vulnerabilities, ShellShock, as an example of what we will likely see in the coming years. ShellShock was, at best, a flawed feature and, at worst, a design flaw, in the Bourne Again Shell (Bash) that went overlooked for over 25 years before it was discovered to be exploitable, and subsequently disclosed publicly. ShellShock has been a part of the fabric of the Internet for most of the Internet’s existence. In fact, the targets of ShellShock weren’t just routers or Linux web servers but also email servers and even DDoS bots that utilize the shell—anything Unix-based that makes use of Bash.

We will likely continue to see vulnerabilities like this as the new normal for the coming years, for a few reasons. For starters, it is now apparent that the attackers are not going to rely on reusing the same old methods and the same old exploits. They are instead investing in researching new vulnerabilities in frequently used, older infrastructure that provides a broad attack surface.

These three high-profile vulnerabilities were also interesting because not only did they expose flaws in major components of Internet infrastructure, but they highlighted one of the dirty secrets of application development as well: code reuse. Code reuse is when a developer copies sections of code from existing applications for use in development of new applications. It is this practice, which has been around for as long as coding has existed, that can lead to vulnerabilities’ being present in systems that may be completely unrelated.

When looking at the situation that led up to the Heartbleed discovery, legitimate uses of the OpenSSL library were a perfect example of code reuse. This code had long been seen as reliable and often went untested, as it was considered “a solved problem.” However, new vulnerabilities in the library were discovered and developers around the globe had to scramble to determine if their code reuse implementations were vulnerable.

Additionally, we have seen a rise in bug bounty programs, and we no longer see governments threatening vulnerability researchers with jail time as in years past.46 Therefore, the incentive to research vulnerabilities has increased and the repercussions of irresponsible disclosure, or even outright mercenary behavior, are no longer something researchers fear.

However, what we will also hopefully see is that remediation and better security practices will become more prevalent. It takes the average IT professional only a few weeks of all-nighters to decide that planning ahead is far more advantageous. Better enforcement of configuration, policy, and patching across entire infrastructures will help. The moving of infrastructure to the cloud will help an overworked IT professional manage these issues as well.

As we look at the “detect and remediate” cycle of security, the return of vulnerabilities is a key point in understanding the threat landscape. To become more effective security professionals, we need to additionally think about how we “protect and respond” and “inform and assess” as well. That means we need to become better planners and testers, look to intelligence to help keep us informed, and know our environment well enough to understand whether that intelligence is actionable.

We need to better understand that the fabric of the Internet is likely still riddled with holes, and it is our responsibility to maintain vigilance in order to be prepared to deal with new vulnerabilities as they are disclosed in a process-oriented and programmatic manner. To not do so would be detrimental to our future.

SSL and TLS Certificates Are Still Vital to Security

Sidebar: The overall number of vulnerabilities declined 3.5 percent in 2014.

It’s important to note that while online security was shaken in 2014, SSL certificates and their more modern counterparts, TLS certificates, still work and are still essential. In fact, the Heartbleed incident demonstrated just how quickly the online security community could respond to these types of threats.

Industry standards are also constantly improving thanks to the hard work and vigilance of organizations like the CA/Browser Forum, of which Symantec is a member. In other words, the foundations of Internet security, which keep your site and visitors safe, are still strong and are only getting stronger.

Vulnerabilities as a Whole

[Chart: New Vulnerabilities. 2014: 6,549 (-3.5%); 2013: 6,787 (+28%); 2012: 5,291. Source: Symantec]

Sidebar: While reported vulnerabilities represent a general risk, zero-day vulnerabilities are potentially much more serious. These are vulnerabilities that are discovered only after they are exploited by attackers. See the chapter on Targeted Attacks for further coverage on zero-day vulnerabilities.

Sidebar: There was an 8 percent increase in the number of browser vulnerabilities reported in 2014. Microsoft Internet Explorer reported the largest number of vulnerabilities, followed by Google Chrome.

[Chart: Total Number of Vulnerabilities, 2006–2014 (y-axis 1,000–8,000). 2006: 4,842; 2007: 4,644; 2008: 5,562; 2009: 4,814; 2010: 6,253; 2011: 4,989; 2012: 5,291; 2013: 6,787; 2014: 6,549. Source: Symantec]

[Chart: Browser Vulnerabilities, 2011–2014, stacked by browser (Opera, Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Apple Safari). Yearly totals: 2011: 351; 2012: 891; 2013: 591; 2014: 639. Source: Symantec]

Sidebar: With a total of 336 vulnerabilities, there was a 10 percent decrease in the number of plug-in vulnerabilities reported in 2014. Adobe, with its Acrobat and Flash plugins, disclosed the largest number of vulnerabilities, followed by Oracle and its Java plug-in. As was the case in 2013, SSL and TLS vulnerabilities were most commonly exploited in 2014.

[Chart: Plug-in Vulnerabilities by Month, 2013–2014, by plug-in (Java, Apple, Adobe, ActiveX); y-axis 10–80 vulnerabilities per month, January 2013 to December 2014. Source: Symantec]

Top 10 Vulnerabilities Found Unpatched on Scanned Web Servers (Source: Symantec)
1. SSL/TLS Poodle Vulnerability
2. Cross-Site Scripting
3. SSL v2 support detected
4. SSL Weak Cipher Suites Supported
5. Invalid SSL certificate chain
6. Missing Secure Attribute in an Encrypted Session (SSL) Cookie
7. SSL and TLS protocols renegotiation vulnerability
8. PHP 'strrchr()' Function Information Disclosure vulnerability
9. http TRACE XSS attack
10. OpenSSL 'bn_wexpend()' Error Handling Unspecified Vulnerability

Sidebar: In 2014, 20 percent (1 in 5) of all vulnerabilities discovered on legitimate websites were considered critical, meaning they could allow attackers to access sensitive data, alter the website’s content, or compromise visitors’ computers.

Sidebar: The number of websites found with malware decreased by nearly half in 2014.

[Chart: Scanned Websites with Vulnerabilities. 2014: 76% (-1%); 2013: 77% (+25 pts); 2012: 55%. Source: Symantec]

[Chart: Percentage of Which Were Critical. 2014: 20% (+4 pts); 2013: 16% (-8 pts); 2012: 24%. Source: Symantec]

[Chart: Websites Found with Malware (inverse graph: smaller number = greater risk). 2014: 1 in 1,126; 2013: 1 in 566; 2012: 1 in 532. Source: Symantec]

Sidebar: In terms of the type of websites most frequently exploited, it’s interesting to note the inclusion of anonymizer websites in the top 10 this year. This is perhaps another case of criminals following the crowds as more people look to evade tracking by ISPs and others and increase their browsing privacy.

Sidebar: For the most part, the bulk of the 12.7% drop in the average number of daily attacks blocked occurred in the latter half of 2013. The decline in attacks throughout 2014 has been much more shallow than in 2013.

Classification of Most Frequently Exploited Websites, 2013–2014 (Source: Symantec)
Columns: rank; 2014 top 10 most frequently exploited categories of websites; 2014 percentage of total number of infected websites; 2013 top 10; 2013 percentage.

Rank   2014 category        2014 %    2013 category        2013 %
1      Technology           21.5%     Technology            9.9%
2      Hosting               7.3%     Business              6.7%
3      Blogging              7.1%     Hosting               5.3%
4      Business              6.0%     Blogging              5.0%
5      Anonymizer            5.0%     Illegal               3.8%
6      Entertainment         2.6%     Shopping              3.3%
7      Shopping              2.5%     Entertainment         2.9%
8      Illegal               2.4%     Automotive            1.8%
9      Placeholder           2.2%     Educational           1.7%
10     Virtual Community     1.8%     Virtual Community     1.7%

[Chart: Web Attacks Blocked per Month, 2013–2014, in thousands (100–800), with lines for 2013, 2014 and the trend. Source: Symantec]

Sidebar: A 47 percent drop in unique malicious web domains in 2014 could indicate an increase in the use of cloud-based SaaS-type toolkits.

Sidebar: The number of web attacks blocked per day dropped 13 percent in 2014.

[Chart: New Unique Malicious Web Domains. 2014: 29,927 (-47%); 2013: 56,158 (-24%); 2012: 74,001 (+34%); 2011: 55,000. Source: Symantec]

[Chart: Web Attacks Blocked per Day. 2014: 496,657 (-13%); 2013: 568,734 (+23%); 2012: 464,100. Source: Symantec]

With minor fluctuations from year to year, the trend in the number of vulnerabilities continues upward. Remedies, workarounds, or patches are available for the majority of reported vulnerabilities. However, malware authors know that many people do not apply these updates and so they can exploit well-documented vulnerabilities in their attacks. In many cases, a specialist “dropper” scans for a number of known vulnerabilities and uses any unpatched security weakness as a back door to install malware. This, of course, underlines the crucial importance of applying updates.

Sidebar: These SaaS toolkits are often located on bulletproof hosting services, with IP addresses that can change quickly and domain names that may be dynamically generated.

This is how web exploit toolkits, such as Sakura and Blackhole, have made it easier for attackers to exploit an unpatched vulnerability published months or even years previously. Several exploits may be created for each vulnerability, and a web attack toolkit will perform a vulnerability scan on the browser to identify any potentially vulnerable plug-ins and the best attack that can be applied. Many toolkits won’t utilize the latest exploits for new vulnerabilities if old ones will suffice. Exploits against zero-day vulnerabilities are uncommon and highly sought after by attackers, especially for use in watering-hole-style targeted attacks.

Compromised Sites

Three-quarters of the websites Symantec scanned for vulnerabilities in 2014 were found to have issues—about the same as last year. The percentage of those vulnerabilities classified as critical, however, increased from 16 to 20 percent.

In contrast, the number of websites actually found with malware was much lower than last year, down from 1 in 566 to 1 in 1,126. This seems to have had a knock-on effect on the number of web attacks blocked per day, which has also declined, though only by 12.7 percent, suggesting infected websites were, on average, responsible for more attacks in 2014. This is due to the fact that some web attack toolkits are designed to be used in the cloud, as software as a service (SaaS). For example, a compromised website may use an HTML iframe tag, or some obfuscated JavaScript, in order to inject malicious code from the SaaS-based exploit toolkit rather than launch the malicious attack directly from exploit code hosted on the compromised website. This growth in SaaS-based exploit toolkits is also evidenced in the decline in the number of new malicious domains used to host malware, which fell by 47 percent, from 56,158 in 2013 to 29,927 in 2014.

Web attack toolkits perform scans on the victims’ computers, looking for vulnerable plug-ins in order to launch the most effective attack. Moreover, these SaaS toolkits are often located on bulletproof hosting services, with IP addresses that can change quickly and domain names that may be dynamically generated, making it more difficult to locate the malicious SaaS infrastructure and shut it down. Attackers are also able to control how the exploits are administered, such as enabling the attacks only if a cookie has been set by the initial compromised website, thereby preserving the malicious code from the prying eyes of search engines and security researchers.

With the majority of websites still accommodating vulnerabilities, it is apparent that many website owners are not keeping on top of vulnerability scans, although they may be paying more attention to malware scans that can potentially reveal malicious software. However, malware is often planted following previous exploitations of vulnerabilities, and prevention is always better than cure.

With so many potentially vulnerable websites, criminals in 2014 were achieving considerable success exploiting them, and many were also quick to take advantage of the SSL and TLS vulnerabilities. Moreover, the greater prevalence of social media scams and malvertising in 2014 suggests criminals are already turning to them as alternative methods of malware distribution.
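The compromised-site pattern described above (an iframe or obfuscated JavaScript that pulls the real exploit code from a SaaS toolkit host) is something a website owner's own malware scan can look for. As an added example that is not the report's code, the following Python scanner flags hidden iframes that point off-site and inline scripts that hand an encoded blob to a decoder call. The sample page, the hostnames ending in .example and the heuristics are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A decoding call fed a long encoded run is typical of injected loaders.
DECODER_CALL = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
ENCODED_RUN = re.compile(
    r"(?:%[0-9a-f]{2}){8,}"          # percent-encoded run, e.g. %64%6f%63...
    r"|(?:\\x[0-9a-f]{2}){8,}"       # \x-escaped run
    r"|(?:\d{2,3}\s*,\s*){8,}",      # long list of char codes
    re.I,
)


def looks_obfuscated(script: str) -> bool:
    """Heuristic: decoder call present AND a long encoded run to feed it."""
    return bool(DECODER_CALL.search(script)) and bool(ENCODED_RUN.search(script))


class InjectionScanner(HTMLParser):
    """Collects hidden third-party iframes and obfuscated inline scripts."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()   # the site's own hostname; others are third-party
        self.findings = []
        self._script = None                  # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1")
            hidden = tiny or "display:none" in style or "visibility:hidden" in style
            if host and host != self.site_host and hidden:
                self.findings.append(f"hidden third-party iframe -> {host}")
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code = "".join(self._script)
            self._script = None
            if looks_obfuscated(code):
                self.findings.append("obfuscated inline script (decoder call on encoded payload)")


def scan_page(html: str, site_host: str) -> list:
    """Return the list of findings for one HTML document."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a shop page with a legitimate script and a visible
# same-site iframe, plus one injected 1x1 off-site iframe and one injected
# loader that decodes a percent-encoded payload before running it.
COMPROMISED_PAGE = """<html><head><title>Shop</title>
<script>document.getElementById('cart').textContent = '3 items';</script>
</head><body><p>Welcome back.</p>
<iframe src="http://kit.exploit-host.example/index.php?c=1" width="1" height="1" style="visibility: hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'));</script>
<iframe src="https://www.shop.example/help" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(COMPROMISED_PAGE, "www.shop.example"):
        print(finding)
```

Thresholds such as the eight-element encoded run are illustrative; a production scanner would also record the iframe and script source hosts for blocklist and takedown follow-up.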

Web Attack Toolkits

Sidebar: With half of active web attack toolkits falling into the “other” category, overall toolkit usage was much more fragmented in 2014 than in previous years. After the arrest of the alleged creator in late 2013, the Blackhole toolkit has dropped 14 percentage points in 2014, comprising only five percent of all web attack toolkit activity. At its peak, Blackhole made up 41 percent of all toolkit activity.

Top 5 Web Attack Toolkits, 2012–2014 (Source: Symantec)
2012: Blackhole 41%, Sakura 22%, Phoenix 10%, RedKit 7%, Nuclear 3%, Other 17%
2013: G01 Pack 23%, Blackhole 19%, Sakura 14%, Styx 10%, CoolKit 8%, Other 26%
2014: Sakura 23%, Nuclear 10%, Styx 7%, OrangeKit 5%, Blackhole 5%, Other 50%

[Chart: Timeline of Web Attack Toolkit Use, Top 5, 2014; percentage of total per month, January to December, for Sakura, Nuclear, Styx, OrangeKit, Blackhole and Others. Source: Symantec]

[Image: Example of a Browlock webpage demanding a fine for surfing pornography illegally.47]

Malvertising

As we moved into 2014, we saw ransomware and malvertising cross paths, with the number of victims getting redirected to Browlock websites hitting new heights.

Browlock itself is one of the less aggressive variants of ransomware. Rather than malicious code that runs on the victim’s computer, it’s simply a webpage that uses JavaScript tricks to prevent the victim from closing the browser tab. The site determines where the victim is and presents a location-specific webpage, which claims the victim has broken the law by accessing pornography websites and demands that they pay a fine to the local police.

The Browlock attackers appear to be purchasing advertising from legitimate networks to drive traffic to their sites. The advertisement is directed to an adult webpage, which then redirects to the Browlock website. The traffic that the Browlock attackers purchased comes from several sources, but primarily from adult advertising networks.48

To escape, victims merely need to close their browser. However, the large financial investment criminals are making to direct traffic to their site suggests people are just paying up instead. Perhaps this is because the victim has clicked on an advert for a pornographic site before ending up on the Browlock webpage: guilt can be a powerful motivator.

Malvertising at Large

It’s not just ransomware that is spread through malvertising: malicious advertisements also redirect to sites that install Trojans. Some malicious advertisements even use drive-by attacks to infect a victim’s device without the user clicking on the advertisements.

The appeal for criminals is that malvertising can hit major, legitimate websites drawing in high volumes of traffic. Ad networks also tend to be highly localized in their targeting, meaning criminals can tailor their scams to specific victims—for example, people searching for financial services. Legitimate ad networks sometimes inadvertently do all the work for the criminals.

Criminals also switch tactics to avoid detection. For example, they’ll run a legitimate ad for a few weeks, to appear aboveboard, and then convert it to a malicious ad. In response, ad networks need to run scans regularly rather than just when a new ad is uploaded.

For website owners, it’s hard to prevent malvertising, as they have no direct control over the ad networks and their customers. However, site managers can reduce risk by choosing networks that restrict ad functionality so advertisers can’t embed malicious code in their promotions. And of course, when selecting an ad network, due diligence goes a long way.

Denial of Service

Denial-of-service attacks give attackers another way to target individual organizations. By overloading critical systems, such as websites or email, with Internet traffic as a way to block access, denial-of-service attacks can wreak financial havoc and disrupt normal operations. Distributed denial-of-service (DDoS) attacks are not new, but they are growing in intensity and frequency.49 For example, Symantec saw a 183 percent increase in DNS amplification attacks between January and August 2014.50 According to a survey by Neustar, 60 percent of companies were impacted by a DDoS attack in 2013 and 87 percent were hit more than once.51 Motives include extortion for money, diversion of attention away from other forms of attack, hacktivism, and revenge. Increasingly, would-be deniers of service can rent attacks of a specified duration and intensity for as little as $10–$20 in the online black market.

Sidebar: DDoS traffic saw peaks in April and July of 2014. There was a 183 percent increase in DNS amplification attacks between January and August 2014.

[Chart: DDoS Attack Traffic Seen by Symantec’s Global Intelligence Network, 2014, in millions (1–8) per month, January to December. Series: DDoS Total, DNS Amplification Attack, Generic ICMP Flood Attack, Generic TCP SYN Flood Denial-of-Service Attack, and trend. Source: Symantec]

SOCIAL MEDIA & SCAMS

Social Media and Scams

At a Glance

Social media scammers go after payouts from affiliate programs by offering false promises of weight loss, money, and sex to drive clicks and sign-ups.

Many people use the same password on multiple networks, meaning criminals have been able to spam multiple accounts thanks to a single hack.

Scammers take advantage of the power of social proof by relying on real people rather than bot networks to share their scams.

Many phishing scams play on either fears generated by hacking and health-scare stories or intrigue piqued by scandalous celebrity stories, both real and fake.

In 2014 criminals hijacked the power of “social proof”—the idea that we attribute more value to something if it’s shared or approved by others. The classic example is of two restaurants: one with a big queue, the other empty. People would rather wait in the queue because popularity suggests quality.

Criminals exploited this theory by hacking real accounts on platforms like Snapchat so that when you saw an endorsement for a scam product or link, you’d trust it because it seemed to come from someone you actually knew.

The public also undervalued their data in 2014, freely giving away email addresses and login credentials without checking that they were on a legitimate website.

While scammers certainly evolved their tactics and ventured onto new platforms in 2014, a lot of their success continued to come from people’s willingness to fall for predictable and easily avoided scams.

Social Media

Criminals will go wherever there are people to be scammed. There are large numbers of people using well-established social media platforms, and, as such, they play host to plenty of scams. The rise in popularity of messaging and dating apps means scammers have taken note and taken advantage, and a variety of scams are being seen on these platforms.

Facebook, Twitter, and Pinterest

The big shift in social media scams this year has been the uptick in manual sharing scams. This is where people voluntarily and unwittingly share enticing videos, stories, pictures, and offers that actually include links to malicious or affiliate sites.

Sidebar: In 2014, 70 percent of social media threats required end users to propagate them, compared with only 2 percent in 2013.

[Chart: Social Media, 2012–2014. Share of social media threats by type (Manual Sharing, Fake Offering, Likejacking, Fake Apps, Comment Jacking) for 2012, 2013 and 2014, in percent; Manual Sharing rose from 2 percent in 2013 to 70 percent in 2014. Source: Symantec]

Manual Sharing – These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.

Fake Offering – These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.

Likejacking – Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.

Fake Apps – Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data.

Comment Jacking – This attack is similar to the “Like” jacking where the attacker tricks the user into submitting a comment about a link or site, which will then be posted to his/her wall.

Affiliate Programs: The Fuel That Drives Social Media Scams
By Satnam Narang

If you have used a social network in the past decade, chances are you’ve seen one of the following offers appear in your news feeds and timelines:

Free smartphones, airline tickets, or gift cards
Unbelievable news about celebrities (sex tapes, death)
Unbelievable world news (specifically, natural disasters)
Proposals to get naked on a webcam or propositions from alleged sex workers

It has become clear that as any social networking platform becomes popular, scammers are never far behind. While each platform may be different and each scam slightly varied, the constant is that affiliate networks are the driving force behind them.

Affiliate marketing is a popular way for companies to increase their business on the Internet. A business uses affiliates to help market and sell their products. For instance, an affiliate could feature a book on their webpage and provide a link directly to a vendor that sells that book. And for every sale, the affiliate receives a small commission.

While legitimate vendors use affiliates, so do illegitimate ones. And in some cases the vendor is legitimate, but some of their affiliates are willing to use unscrupulous methods to profit from an affiliate program.

[Image: Affiliates participate in an affiliate program by appending a special ID to the URLs that are used when a customer clicks an advertisement. The unique ID helps keep track of where the click comes from. This affiliate ID enables merchants to track the contributions from affiliates and thus pay out commissions.]

Scammers monetize on social media by leveraging affiliate networks. When a user is asked to fill out a survey or sign up for a premium offer to a service, he or she becomes the referral for an affiliate program. By tricking users into participating in a survey and/or signing up for a premium service, the scammer makes money.

Details on these semi-legitimate affiliates and their payouts are murky. Many won’t share details, making it hard to estimate just how much money an affiliate can make. However, most affiliate networks put up bids from merchants, which state clearly what action is required for a conversion. In the example above, a $1,500 Visa gift card advertisement will convert when the referrer submits his or her email address. This particular merchant values each email conversion at $1.40 when paying affiliates.

On the popular dating application Tinder, we found affiliate links to adult dating services and webcam sites. These sites promote their affiliate payouts directly. One site pays affiliates up to $6 for every user who signs up for an account and up to $60 if a user signs up for a premium service, which typically involves paying for a subscription using a credit card.

Based on the pricing structure, convincing users to sign up for the premium service could be highly profitable. However, scammers drive so much traffic to these sites that sign-ups for an account, at only $6 each, are enough to create a handsome profit. The users who do sign up for a premium service are just the icing on the cake.

Legitimate merchants, and some affiliate networks, have tried to tackle scams on their platforms, but as long as there is money to be made from these shady affiliate programs, they will persist. As a merchant, it is important to know the affiliates you work with and ensure they are being transparent with you about their practices. End users should be mindful when using any social network, keeping an eye out for free offers for gadgets, gift cards, and airline tickets or for invitations from attractive women to join adult dating and webcam sites. If you are asked to fill out a survey or sign up for a service using a credit card, you are most likely being scammed. As the old adage goes, if it sounds too good to be true, it probably is.

[Image: Facebook share dialog with fake comments and shares.]

[Image: Scam site asks users to install fake Facebook media plug-in.]

Sidebar: Once a fake account has enough followers, the criminals change the name, picture, and bio, so when the incentive fails to materialize, people can’t locate the account to mark it as spam.

For example, scammers took advantage of the death of Robin Williams by sharing what was supposed to be his goodbye video. Users were told they had to share the video with their friends before they could view it, and were instructed to fill out surveys, download software, or were redirected to a fake news website. There was no video.52

With manual sharing there’s no hacking or jacking necessary—people and their networks do all the work for the criminals. Other social media scams require a bit more work on the part of the criminal. Likejacking and comment jacking, for example, ask victims to click what appears to be a “continue” or “verification” button to access some enticing content but actually masks the fact the victim is liking or commenting on the post to increase its popularity and reach.

Instagram

Instagram, the picture-sharing platform, now has more monthly active users than Twitter, and legitimate brands use it as a marketing channel.53,54 Among the scams seen on Instagram in 2014 were those where criminals tried to monetize prepopulated accounts and mimic offers employed by legitimate corporate users.

In one scam, fake accounts are created, purporting to be lottery winners who are sharing their winnings with anyone who will become a follower. In another scam, scammers pretend to be well-known brands giving away gift cards. Instagram users are told to follow the fake accounts and add their personal information, like email addresses, in the comments to receive incentives.

