A little late this time, but here are our statistics about the phishing, spam and malware situation in January 2011!
Most abused TLDs
While the numbers for phishing in December were almost all red, showing a dramatic drop for the .org (-151%), .com (-76%) and .net (-24%) domains, we have now seen the exact opposite development in January 2011. Phishing was definitely on the rise, and even if the malware URLs still show mostly red numbers, some of them have also increased. However, even with these high fluctuations, the top 10 remains practically unchanged from December 2010.
| # | Phishing: Top level domain | % | Deviation from December in % | Malware: Top level domain | % | Deviation from December in % |
|---|---|---|---|---|---|---|
| 1 | .com | 48.77 | 54.21 | .com | 47.38 | -149.81 |
| 2 | Others | 13.94 | 100.00 | Others | 13.60 | 100.00 |
| 3 | .net | 7.96 | 46.40 | .net | 6.41 | -100.00 |
| 4 | .org | 6.79 | 74.68 | .ru | 5.60 | -98.79 |
| 5 | IP Address | 3.79 | 100.00 | IP Address | 5.31 | 97.02 |
| 6 | .br | 3.54 | 44.40 | .org | 4.00 | -119.77 |
| 7 | .uk | 3.24 | 48.64 | .br | 3.14 | -60.43 |
| 8 | .tk | 2.83 | 28.57 | .in | 2.89 | 16.41 |
| 9 | .ru | 2.38 | 62.35 | .cc | 2.66 | -127.12 |
| 10 | .tl | 1.55 | 62.09 | .info | 2.48 | -247.27 |
Spam category statistics
The trend we observed in December 2010 (overall less spam) continued in January for all categories. Here also the top 10 remains unchanged in comparison with December.
| # | Category (sorted by amount) | % | Deviation from December in % | # | Category (sorted by deviation) | Deviation from December in % |
|---|---|---|---|---|---|---|
| 1 | Other | 79.35 | -12.51 | 1 | Jobs | 0.09 |
| 2 | Pharmacy | 5.80 | -1.71 | 2 | Loan | 0.07 |
| 3 | Nigerian | 4.64 | -0.32 | 3 | Commercials | 0.02 |
| 4 | Lottery | 3.08 | -0.38 | 4 | Fashion | 0.01 |
| 5 | University | 2.04 | -2.38 | 5 | Casino | -0.03 |
| 6 | Software | 1.76 | -0.77 | 6 | Malware | -0.07 |
| 7 | Watch | 1.02 | -0.48 | 7 | Phishing | -0.19 |
| 8 | Phishing | 0.93 | -0.19 | 8 | Nigerian | -0.32 |
| 9 | Loan | 0.68 | 0.07 | 9 | Lottery | -0.38 |
| 10 | Casino | 0.25 | -0.03 | 10 | Watch | -0.48 |
Extension statistics for malware URLs
The top chart of malicious file extensions shows a descending trend, following the trend of the overall malware URLs. A newcomer in the top 10 is the extension OCX. The OCX file type is associated with ‘Object Linking and Embedding (OLE) Control Extension’ by Microsoft. These files can become infected and they are quite hard to detect, as they are usually loaded by other modules. The big “loser” of this month is the HTML/HTM extension. Obviously, the cyber criminals have found better ways to spread malware than through a page which usually drops some malware on the user’s computer.
| # | Extension (sorted by amount) | % | Deviation from December in % | # | Extension (sorted by deviation) | Deviation from December in % |
|---|---|---|---|---|---|---|
| 1 | txt | 38.03 | -8.91 | 1 | ocx | 100.00 |
| 2 | none | 23.64 | -146.90 | 2 | zip | 69.07 |
| 3 | exe | 18.18 | -115.78 | 3 | rar | 62.16 |
| 4 | jpg | 5.65 | -156.40 | 4 | cmd | 50.00 |
| 5 | php | 4.13 | -397.81 | 5 | | 29.03 |
| 6 | zip | 2.19 | 69.07 | 6 | bat | 0.00 |
| 7 | htm | 1.67 | -1001.35 | 7 | txt | -8.91 |
| 8 | | 1.40 | 29.03 | 8 | png | -17.39 |
| 9 | html | 1.13 | -1224.00 | 9 | exe | -115.78 |
| 10 | rar | 0.84 | 62.16 | 10 | none | -146.90 |
Most phished brands statistics
The most attacked brands differ only slightly from December. While in December Paypal lost a lot of its intensity, we’ve seen a comeback in the form of an increase of 52% in January. However, the biggest gain of this month is Ebay, with a 92% increase that puts it in second place with 27% of the total amount of phished brands.
| # | Brand name (sorted by amount) | % | Deviation from December in % | # | Brand name (sorted by deviation) | Deviation from December in % |
|---|---|---|---|---|---|---|
| 1 | Paypal | 36.84 | 52.68 | 1 | Others | 100.00 |
| 2 | Ebay | 27.12 | 92.65 | 2 | Yahoo | 97.28 |
| 3 | Others | 19.18 | 100.00 | 3 | Ebay | 92.65 |
| 4 | | 4.68 | 63.05 | 4 | Banco Santander | 69.74 |
| 5 | Yahoo | 3.46 | 97.28 | 5 | | 63.05 |
| 6 | Chase Bank | 2.43 | 38.76 | 6 | Commonwealth Bank | 62.92 |
| 7 | Visa | 1.82 | 4.12 | 7 | Paypal | 52.68 |
| 8 | Commonwealth Bank | 1.67 | 62.92 | 8 | Chase Bank | 38.76 |
| 9 | Banco Santander | 1.43 | 69.74 | 9 | World of Warcraft | 11.11 |
| 10 | World of Warcraft | 1.35 | 11.11 | 10 | Visa | 4.12 |
URL Shorteners used in malicious activities
The URL shorteners have also received only green numbers in January. We have seen small fluctuations within the top 10, but nothing dramatic. The most abused services in both categories – for the first time since we started this analysis – are bit.ly and tinyurl.com.
| # | Phishing: Shortener | % | Deviation from December in % | Malware: Shortener | % | Deviation from December in % |
|---|---|---|---|---|---|---|
| 1 | bit.ly | 28.57 | 17.14 | bit.ly | 18.18 | 15.15 |
| 2 | tinyurl.com | 14.29 | 12.86 | tinyurl.com | 9.09 | 9.09 |
| 3 | goo.gl | 11.43 | 5.71 | notlong.com | 9.09 | 9.09 |
| 4 | tiny.cc | 10.00 | 7.14 | ow.ly | 6.06 | 6.06 |
| 5 | notlong.com | 7.14 | 2.86 | zi.ma | 3.03 | 3.03 |
| 6 | is.gd | 2.86 | 2.86 | u.nu | 3.03 | 3.03 |
| 7 | doiop.com | 2.86 | 1.43 | tr.im | 3.03 | 3.03 |
| 8 | zi.ma | 1.43 | 1.43 | tiny.cc | 3.03 | 0.00 |
| 9 | u.nu | 1.43 | 1.43 | snipurl.com | 3.03 | 3.03 |
| 10 | tr.im | 1.43 | 1.43 | sn.im | 3.03 | 3.03 |
Sorin Mustaca
Data Security Expert