It’s time for the update on last month’s Phishing, Spam and Malware statistics again!
Most phished brands
In May 2010, phishing for Paypal account data significantly decreased – while Paypal still is the top target of the cyber criminals though. Increasingly interesting seems to be Ebay and there is also a noticeable shift to “others” which includes all non-listed online banks. Also, tax season seems to be over, the IRS phishing dropped quite a bit.
| Sorted by amount | Sorted by deviation | |||||
| # | Brand name | % | Deviation from April 2010 in % |
# | Brand name | Deviation from April 2010 in % |
| 1 | Paypal | 44.99 | -48.71 | 1 | Others | 100.00 |
| 2 | Ebay | 16.05 | 33.64 | 2 | Halifax | 38.20 |
| 3 | Others | 13.22 | 100.00 | 3 | Ebay | 33.64 |
| 4 | HSBC Bank | 12.04 | -23.04 | 4 | NatWest | 32.61 |
| 5 | 5.33 | -15.28 | 5 | Bank of America | 2.65 | |
| 6 | World of Warcraft | 2.83 | -14.38 | 6 | World of Warcraft | -14.38 |
| 7 | Bank of America | 2.09 | 2.65 | 7 | -15.28 | |
| 8 | Halifax | 1.65 | 38.20 | 8 | HSBC Bank | -23.04 |
| 9 | Irs | 0.96 | -42.31 | 9 | Irs | -42.31 |
| 10 | NatWest | 0.85 | 32.61 | 10 | Paypal | -48.71 |
Most abused TLDs
The main hosting domain for Phishing and Malware spreading sites still is the .com domain. The absolute amount hosted on .com domains is decreasing though. A big increase is noticeable in the usage of plain IP addresses and “other” domains, where “other” means every non-listed domain. The huge drop in Korean domains hosting phishing sites is interesting, too, while the reason for that is unclear.
| Phishing | Malware | |||||
| # | Top level domain | % | Deviation from April 2010 in % |
Top Level Domain | % | Deviation from April 2010 in % |
| 1 | .com | 49.71 | -11.66 | .com | 44.53 | -28.10 |
| 2 | Others | 15.61 | 100.00 | IP Address | 13.76 | 99.83 |
| 3 | .net | 6.69 | -8.03 | Others | 7.60 | 100.00 |
| 4 | .org | 5.42 | -93.95 | .net | 6.83 | -4.23 |
| 5 | IP Address | 4.88 | 99.39 | .org | 5.93 | 14.61 |
| 6 | .br | 2.90 | 6.94 | .ru | 4.74 | 23.10 |
| 7 | .uk | 2.80 | 23.73 | .info | 3.73 | -20.06 |
| 8 | .ru | 1.84 | 5.26 | .cn | 3.63 | 10.46 |
| 9 | .fr | 1.80 | 25.73 | .kr | 2.91 | -27.72 |
| 10 | .info | 1.74 | -28.76 | .br | 2.07 | -26.58 |
| 11 | .us | 1.69 | 66.96 | .it | 1.08 | -7.30 |
| 12 | .de | 1.40 | 27.66 | .de | 0.95 | -59.58 |
| 13 | .pl | 1.33 | 37.08 | .in | 0.83 | -39.34 |
| 14 | .au | 1.29 | 43.93 | .pl | 0.76 | -36.13 |
| 15 | .kr | 0.89 | -246.22 | .uk | 0.65 | 8.48 |
Most abused file extensions
Changes are noticeable in slight decreased usage of .exe files, domains directly, .txt files and .php scripts. But there is a spike in PDF and SWF (Flash Player-) files being abused. This may be related tothe attack on the vulnerability in Adobe’s Flash Player for which the company has released updated software short time ago.
| Sorted by amount | Sorted by deviation | |||||
| # | Extension | % | Deviation from April in % |
# | Extension | Deviation from April in % |
| 1 | exe | 43.28 | -6.52 | 1 | cmd | 66.67 |
| 2 | none | 31.03 | -22.85 | 2 | ocx | 56.25 |
| 3 | txt | 8.95 | -34.95 | 3 | 52.15 | |
| 4 | php | 6.24 | -53.08 | 4 | swf | 43.40 |
| 5 | jpg | 3.33 | 13.88 | 5 | zip | 35.23 |
| 6 | dll | 1.29 | -13.54 | 6 | css | 30.00 |
| 7 | 1.20 | 52.15 | 7 | aspx | 20.00 | |
| 8 | gif | 1.04 | -94.30 | 8 | jpg | 13.88 |
| 9 | com | 0.71 | -46.93 | 9 | png | 2.78 |
| 10 | js | 0.53 | -31.85 | 10 | dat | 2.08 |
| 11 | htm | 0.37 | -222.58 | 11 | exe | -6.52 |
| 12 | zip | 0.35 | 35.23 | 12 | pl | -12.12 |
| 13 | png | 0.28 | 2.78 | 13 | dll | -13.54 |
| 14 | html | 0.27 | -189.71 | 14 | none | -22.85 |
| 15 | swf | 0.21 | 43.40 | 15 | js | -31.85 |
| 16 | dat | 0.19 | 2.08 | 16 | txt | -34.95 |
| 17 | asp | 0.17 | -59.09 | 17 | com | -46.93 |
| 18 | css | 0.16 | 30.00 | 18 | rar | -50.00 |
| 19 | pl | 0.13 | -12.12 | 19 | php | -53.08 |
| 20 | ocx | 0.13 | 56.25 | 20 | asp | -59.09 |
| 21 | rar | 0.10 | -50.00 | 21 | gif | -94.30 |
| 22 | cmd | 0.02 | 66.67 | 22 | html | -189.71 |
| 23 | aspx | 0.02 | 20.00 | 23 | htm | -222.58 |
Spam categories
Eye-catching is that there are no significant changes in the spam category distribution. Very little up- and downs, but the overall ranks stay the same: Unwanted advertisements are sent by email mainly for Online Pharmacies, Fake Watches and Fake University degrees.
| Sorted by amount | Sorted by deviation | |||||
| # | Category | % | Deviation from April 2010 in % |
# | Category | Deviation from April 2010 in % |
| 1 | Other | 50.47 | 13.36 | 1 | Pharmacy | 13.76 |
| 2 | Pharmacy | 20.02 | 13.76 | 2 | Other | 13.36 |
| 3 | Watch | 7.32 | 3.10 | 3 | Watch | 3.10 |
| 4 | University | 7.17 | 2.92 | 4 | University | 2.92 |
| 5 | Nigerian | 2.80 | 0.89 | 5 | Jobs | 2.25 |
| 6 | Loan | 2.64 | 1.41 | 6 | Loan | 1.41 |
| 7 | Jobs | 2.43 | 2.25 | 7 | Nigerian | 0.89 |
| 8 | Software | 2.11 | 0.43 | 8 | Software | 0.43 |
| 9 | Lottery | 1.76 | 0.31 | 9 | Lottery | 0.31 |
| 10 | Casino | 1.67 | -1.61 | 10 | Commercials | 0.27 |
| 11 | Malware | 0.75 | -0.27 | 11 | Phishing | 0.13 |
| 12 | Phishing | 0.59 | 0.13 | 12 | Fashion | -0.00 |
| 13 | Commercials | 0.27 | 0.27 | 13 | Malware | -0.27 |
| 14 | Fashion | 0.00 | -0.00 | 14 | Casino | -1.61 |
Sorin Mustaca
Manager International Software Development
Dirk Knop
Technical Editor