Phishing, Spam and Malware Statistics for November 2010

Most abused TLDs

The trend observed in recent months, in which the non-“classical” TLDs increased massively, continued in November. The .com domain nevertheless remains at the top of both lists, despite small fluctuations. We are monitoring with great interest the evolution of .info and .org, which lost a lot of their intensity this month.

| # | Phishing: top-level domain | Phishing: % | Phishing: deviation from October 2010 in % | Malware: top-level domain | Malware: % | Malware: deviation from October 2010 in % |
|---|---|---|---|---|---|---|
| 1 | .com | 48.00 | 15.96 | .com | 42.02 | -17.55 |
| 2 | Others | 16.32 | 100.00 | .net | 12.95 | 28.06 |
| 3 | .net | 6.48 | -6.51 | Others | 11.57 | 100.00 |
| 4 | .org | 5.27 | -7.31 | .ru | 10.94 | -9.62 |
| 5 | .in | 4.73 | 92.03 | IP Address | 4.56 | 99.05 |
| 6 | IP Address | 4.48 | 99.80 | .info | 2.96 | -171.38 |
| 7 | .uk | 2.63 | 27.99 | .org | 2.68 | -150.71 |
| 8 | .tk | 2.23 | 49.40 | .pl | 2.41 | -44.49 |
| 9 | .ru | 2.17 | -0.41 | .cc | 2.06 | -109.23 |
| 10 | .br | 1.69 | -4.79 | .br | 1.89 | -43.97 |
| 11 | .de | 1.66 | 4.32 | .kr | 1.54 | -61.27 |
| 12 | .au | 1.40 | 48.72 | .ca | 1.34 | 63.56 |
| 13 | .fr | 1.19 | -14.29 | .de | 1.08 | -42.00 |
| 14 | .nl | 0.91 | 17.82 | .su | 1.04 | 23.56 |
| 15 | .mx | 0.84 | 88.30 | .ua | 0.97 | 33.52 |

Spam category statistics

The downward trend we saw until November seems to have stabilized: spam levels are no longer dropping dramatically. This might be because a lot of emails were sent in preparation for the winter holidays, when many presents are bought online.

| # | Category (sorted by amount) | % | Deviation from October 2010 in % | # | Category (sorted by deviation) | Deviation from October 2010 in % |
|---|---|---|---|---|---|---|
| 1 | Other | 77.38 | 0.49 | 1 | Software | 0.81 |
| 2 | Pharmacy | 7.48 | -6.20 | 2 | Other | 0.49 |
| 3 | Nigerian | 4.95 | -0.85 | 3 | Phishing | 0.35 |
| 4 | Lottery | 2.98 | -0.74 | 4 | University | 0.22 |
| 5 | University | 1.44 | 0.22 | 5 | Fashion | 0.00 |
| 6 | Watch | 1.40 | -1.27 | 6 | Commercials | 0.00 |
| 7 | Software | 1.32 | 0.81 | 7 | Jobs | -0.05 |
| 8 | Phishing | 1.11 | 0.35 | 8 | Loan | -0.23 |
| 9 | Loan | 0.81 | -0.23 | 9 | Malware | -0.29 |
| 10 | Casino | 0.69 | -1.09 | 10 | Lottery | -0.74 |
| 11 | Malware | 0.31 | -0.29 | 11 | Nigerian | -0.85 |
| 12 | Jobs | 0.12 | -0.05 | 12 | Casino | -1.09 |
| 13 | Fashion | 0.01 | 0.00 | 13 | Watch | -1.27 |
| 14 | Commercials | 0.00 | 0.00 | 14 | Pharmacy | -6.20 |

Extension statistics for malware URL

Things have changed quite dramatically in this area since October. In October, .exe files were at the top of the list, well ahead of the next extension, .htm; now files without any extension are the most used in malware attacks. This normally means that the websites drop files on the user’s computer using JavaScript, but it can also mean that we blocked entire domains or subdomains because they contain dangerous malware.

| # | Extension (sorted by amount) | % | Deviation from October in % | # | Extension (sorted by deviation) | Deviation from October in % |
|---|---|---|---|---|---|---|
| 1 | none | 28.54 | 44.02 | 1 | cmd | 100.00 |
| 2 | exe | 21.48 | -65.99 | 2 | none | 44.02 |
| 3 | php | 11.13 | -28.54 | 3 | gif | 34.39 |
| 4 | htm | 8.96 | -119.73 | 4 | jpg | 8.27 |
| 5 | txt | 8.69 | -2.43 | 5 | aspx | 5.95 |
| 6 | html | 7.80 | -132.55 | 6 | swf | 0.00 |
| 7 | asp | 3.71 | -28.95 | 7 | ocx | 0.00 |
| 8 | jpg | 3.54 | 8.27 | 8 | txt | -2.43 |
| 9 | gif | 1.20 | 34.39 | 9 | pdf | -5.13 |
| 10 | aspx | 0.91 | 5.95 | 10 | dll | -13.25 |

Most phished brands statistics

The most attacked brands in November were Paypal and Ebay. Ebay has made a serious “comeback” with an increase of 85% from October. The Facebook phishing attempts (which were actually online pharmacy spam) lost intensity, landing in 4th place.

| # | Brand name (sorted by amount) | % | Deviation from October 2010 in % | # | Brand name (sorted by deviation) | Deviation from October 2010 in % |
|---|---|---|---|---|---|---|
| 1 | Paypal | 36.39 | -38.83 | 1 | Others | 100.00 |
| 2 | Ebay | 21.08 | 85.12 | 2 | USAA | 95.45 |
| 3 | Others | 19.65 | 100.00 | 3 | Ebay | 85.12 |
| 4 | Facebook | 8.11 | -13.00 | 4 | Mastercard | 57.48 |
| 5 | HSBC Bank | 3.89 | -29.68 | 5 | Banco Poste Italiane | 54.32 |
| 6 | Mastercard | 3.19 | 57.48 | 6 | Chase Bank | 0.00 |
| 7 | USAA | 2.76 | 95.45 | 7 | Facebook | -13.00 |
| 8 | Banco Poste Italiane | 2.03 | 54.32 | 8 | HSBC Bank | -29.68 |
| 9 | World of Warcraft | 1.48 | -44.07 | 9 | Paypal | -38.83 |
| 10 | Chase Bank | 1.43 | 0.00 | 10 | World of Warcraft | -44.07 |

URL Shorteners used in malicious activities

There is a newcomer this month in the top 10 list of shorteners used in malicious activities: Google’s shortener, goo.gl. Interestingly, it is currently used only in phishing activities. Apart from that, little has changed in this field.

| # | Phishing: shortener | Phishing: % | Phishing: deviation from October 2010 in % | Malware: shortener | Malware: % | Malware: deviation from October 2010 in % |
|---|---|---|---|---|---|---|
| 1 | bit.ly | 32.99 | 22.68 | bit.ly | 20.00 | -5.00 |
| 2 | goo.gl | 20.62 | 17.53 | tinyurl.com | 12.50 | 12.50 |
| 3 | tinyurl.com | 12.37 | -1.03 | doiop.com | 10.00 | 10.00 |
| 4 | doiop.com | 6.19 | 2.06 | ow.ly | 5.00 | 5.00 |
| 5 | tiny.cc | 5.15 | 1.03 | k.im | 5.00 | 5.00 |
| 6 | sn.im | 2.06 | 2.06 | is.gd | 5.00 | 5.00 |
| 7 | notlong.com | 2.06 | 2.06 | zi.ma | 2.50 | 2.50 |
| 8 | is.gd | 2.06 | -1.03 | u.nu | 2.50 | 2.50 |
| 9 | zi.ma | 1.03 | 1.03 | tr.im | 2.50 | 2.50 |
| 10 | u.nu | 1.03 | 1.03 | tiny.cc | 2.50 | 2.50 |
| 11 | tr.im | 1.03 | 1.03 | snipurl.com | 2.50 | 2.50 |
| 12 | snipurl.com | 1.03 | 1.03 | sn.im | 2.50 | 2.50 |
| 13 | shorl.com | 1.03 | 1.03 | shorl.com | 2.50 | 2.50 |
| 14 | r2me.com | 1.03 | 1.03 | r2me.com | 2.50 | 2.50 |
| 15 | ow.ly | 1.03 | 1.03 | notlong.com | 2.50 | 2.50 |

Sorin Mustaca
Data Security Expert