Most abused TLDs
The trend we observed in recent months, a massive increase in the use of non-“classical” TLDs, continued in December. In contrast to November, when .com saw a slight increase, this month it decreased by more than 76%. The measures taken in November and December by the registrars of .org and .net are finally showing results: usage of these two domains is decreasing, this month by an astonishing 151% for .org.
| # | Top level domain (phishing) | % | Deviation from November in % | Top level domain (malware) | % | Deviation from November in % |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | .com | 46.24 | -76.13 | .com | 50.83 | -47.50 |
| 2 | Others | 16.35 | 100.00 | Others | 12.57 | 100.00 |
| 3 | .net | 8.83 | -24.48 | IP Address | 5.54 | 98.78 |
| 4 | .tk | 4.19 | 9.45 | .net | 5.51 | -320.42 |
| 5 | .br | 4.08 | 29.85 | .ru | 4.78 | -309.13 |
| 6 | .org | 3.56 | -151.28 | .org | 3.77 | -26.99 |
| 7 | .uk | 3.44 | -29.65 | .info | 3.70 | -42.67 |
| 8 | IP Address | 3.14 | 99.51 | .cc | 2.60 | -41.42 |
| 9 | .ru | 1.86 | -98.36 | .br | 2.17 | -55.36 |
| 10 | .de | 1.58 | -76.92 | .kr | 2.08 | -32.09 |
Spam category statistics
Spam levels decreased slightly from November, but a lot of mixed spam was still sent. The “Others” category covers all kinds of spam that can’t be automatically sorted into one of the categories below. This was also expected, considering that we’ve had the holiday season, when a lot of things were advertised for sale.
| # (by amount) | Category | % | Deviation from November in % | # (by deviation) | Category | Deviation from November in % |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Other | 77.42 | -6.13 | 1 | University | 2.18 |
| 2 | Pharmacy | 6.33 | -1.75 | 2 | Software | 0.71 |
| 3 | Nigerian | 4.17 | -1.17 | 3 | Fashion | 0.02 |
| 4 | University | 3.73 | 2.18 | 4 | Jobs | -0.01 |
| 5 | Lottery | 2.91 | -0.30 | 5 | Malware | -0.15 |
| 6 | Software | 2.14 | 0.71 | 6 | Watch | -0.26 |
| 7 | Watch | 1.26 | -0.26 | 7 | Phishing | -0.26 |
| 8 | Phishing | 0.94 | -0.26 | 8 | Lottery | -0.30 |
| 9 | Loan | 0.52 | -0.35 | 9 | Loan | -0.35 |
| 10 | Casino | 0.23 | -0.52 | 10 | Casino | -0.52 |
Extension statistics for malware URLs
As expected, the level of malware dropped significantly this month because spammers sent out more commercially driven messages than normal.
In January, however, we are seeing a comeback of spam advertising malware. Interestingly, for the second month we see a significant increase in the .gif extension.
| # (by amount) | Extension | % | Deviation from November in % | # (by deviation) | Extension | Deviation from November in % |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | none | 25.06 | -103.56 | 1 | bat | 100.00 |
| 2 | txt | 17.78 | 12.60 | 2 | jsp | 75.00 |
| 3 | exe | 16.84 | -127.52 | 3 | css | 30.61 |
| 4 | php | 8.83 | -125.36 | 4 | js | 27.00 |
| 5 | htm | 7.90 | -102.70 | 5 | gif | 22.46 |
| 6 | html | 6.42 | -117.22 | 6 | txt | 12.60 |
| 7 | jpg | 6.21 | -1.87 | 7 | cmd | 0.00 |
| 8 | asp | 2.86 | -131.86 | 8 | jpg | -1.87 |
| 9 | gif | 2.76 | 22.46 | 9 | swf | -21.05 |
| 10 | js | 0.97 | 27.00 | 10 | png | -33.33 |
Most phished brands statistics
The most attacked brand is – as usual – PayPal. Strangely, despite the fact that we see a lot of PayPal phishing emails, we received a lot less phishing overall than in the previous months. I think that the reason for this has to do with the fact that the attacks are becoming more targeted than before. So, the phishers are improving the quality of the spam campaigns now and no longer try to flood the mailboxes blindly. This is why we see that many smaller brands (category Others) increasingly started to get phished for the second month in a row.
| # (by amount) | Brand name | % | Deviation from November in % | # (by deviation) | Brand name | Deviation from November in % |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | PayPal | 44.40 | -56.42 | 1 | Others | 100.00 |
| 2 | Others | 25.96 | 100.00 | 2 | Tibia Guilds | 57.63 |
| 3 | eBay | 5.08 | -691.51 | 3 | Visa | 44.09 |
| 4 | Visa | 4.45 | 44.09 | 4 | Chase Bank | 29.11 |
| 5 | | 4.41 | -251.09 | 5 | Lloyds | 16.36 |
| 6 | Chase Bank | 3.78 | 29.11 | 6 | World of Warcraft | 7.81 |
| 7 | HSBC Bank | 3.40 | -118.31 | 7 | PayPal | -56.42 |
| 8 | World of Warcraft | 3.07 | 7.81 | 8 | HSBC Bank | -118.31 |
| 9 | Tibia Guilds | 2.83 | 57.63 | 9 | | -251.09 |
| 10 | Lloyds | 2.63 | 16.36 | 10 | eBay | -691.51 |
URL Shorteners used in malicious activities
URL shorteners are used in emails to hide the final location of a malware file. Because of this, it is not surprising to see the same trend here as in the distribution of the malware extensions (see above). The most used shorteners, bit.ly and goo.gl, saw a significant decrease in December.
| # | Shortener (phishing) | % | Deviation from November in % | Shortener (malware) | % | Deviation from November in % |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | bit.ly | 21.43 | -52.38 | tiny.cc | 7.14 | 7.14 |
| 2 | goo.gl | 11.90 | -33.33 | k.im | 7.14 | 3.57 |
| 3 | notlong.com | 9.52 | 7.14 | is.gd | 7.14 | 3.57 |
| 4 | tiny.cc | 7.14 | -2.38 | doiop.com | 7.14 | -3.57 |
| 5 | tinyurl.com | 4.76 | -21.43 | bit.ly | 7.14 | -17.86 |
| 6 | doiop.com | 4.76 | -7.14 | zi.ma | 3.57 | 3.57 |
| 7 | zi.ma | 2.38 | 2.38 | u.nu | 3.57 | 3.57 |
| 8 | u.nu | 2.38 | 2.38 | tr.im | 3.57 | 3.57 |
| 9 | tr.im | 2.38 | 2.38 | tinyurl.com | 3.57 | -10.71 |
| 10 | snipurl.com | 2.38 | 2.38 | snipurl.com | 3.57 | 3.57 |
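
An added example, not code from the original report: one way to sort URLs pulled from mail into the buckets these tables use (TLD or "IP Address", file extension or "none", known shortener host). The sample URLs are constructed, and folding everything past the top n into "Others" is an assumption about how that row is built.

```python
import ipaddress
import posixpath
from collections import Counter
from urllib.parse import urlsplit

# Shortener hosts named in the report's table.
SHORTENERS = {"bit.ly", "goo.gl", "notlong.com", "tiny.cc", "tinyurl.com",
              "doiop.com", "zi.ma", "u.nu", "tr.im", "snipurl.com",
              "k.im", "is.gd"}

def classify(url):
    """Return (tld_bucket, extension_bucket, shortener_or_None) for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        tld = "IP Address"          # bare-IP hosts get their own row
    except ValueError:
        tld = "." + host.rsplit(".", 1)[-1] if "." in host else "unknown"
    # Extension comes from the path only; query strings are ignored.
    ext = posixpath.splitext(parts.path)[1].lstrip(".").lower() or "none"
    bare = host[4:] if host.startswith("www.") else host
    return tld, ext, bare if bare in SHORTENERS else None

def top_shares(labels, n=10):
    """Percentage share per label; everything past the top n becomes 'Others'."""
    counts = Counter(labels)
    total = sum(counts.values())
    ranked = counts.most_common()
    rows = [(label, round(100.0 * c / total, 2)) for label, c in ranked[:n]]
    rest = sum(c for _, c in ranked[n:])
    if rest:
        rows.append(("Others", round(100.0 * rest / total, 2)))
    return rows

# Constructed sample URLs (reserved example domains and a documentation IP).
SAMPLE = [
    "http://login.example.com/secure/update.php?id=1",
    "http://192.0.2.10/files/invoice.exe",
    "http://bit.ly/abc123",
    "http://www.example.org/",
    "http://example.net/card.gif",
    "http://example.com/readme.txt",
]

if __name__ == "__main__":
    rows = [classify(u) for u in SAMPLE]
    print(top_shares([t for t, _, _ in rows]))
    print(top_shares([e for _, e, _ in rows]))
```

A shortened link lands in the "none" extension bucket, which is why the extension of the file it leads to stays hidden until the link is resolved.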
Sorin Mustaca
Data Security Expert