Phishing, Spam and Malware Statistics for February 2011

Most abused TLDs
For phishing URLs, the upward trend observed in January 2011 continued, with even more entries in February. We again observe that a growing number of different TLDs are used to host phishing, an obvious sign that there are a lot of hacked websites and bots out there. The top of the malware URL chart remains almost unchanged, but surprisingly the trend is negative.

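Phishing

| # | Top level domain | % | Deviation from January in % |
|---|---|---|---|
| 1 | .com | 51.56 | 32.44 |
| 2 | Others | 15.82 | 100.00 |
| 3 | .org | 6.20 | 21.69 |
| 4 | .net | 5.94 | 4.42 |
| 5 | .uk | 3.69 | 37.41 |
| 6 | IP Address | 3.22 | 99.67 |
| 7 | .br | 2.44 | -3.66 |
| 8 | .tk | 2.18 | 7.45 |
| 9 | .ru | 2.01 | 15.40 |
| 10 | .tl | 1.23 | 10.21 |

Malware

| # | Top level domain | % | Deviation from January in % |
|---|---|---|---|
| 1 | .com | 38.35 | 6.80 |
| 2 | .info | 28.01 | 93.30 |
| 3 | Others | 8.78 | 100.00 |
| 4 | IP Address | 4.91 | 99.31 |
| 5 | .ru | 3.94 | -7.36 |
| 6 | .net | 3.79 | -27.93 |
| 7 | .org | 2.71 | -11.32 |
| 8 | .cc | 2.69 | 25.32 |
| 9 | .br | 1.67 | -41.84 |
| 10 | .uk | 1.30 | 50.00 |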

Spam category statistics
We can only confirm again the trend we observed at the end of 2010: there is, in general, less spam out there.

Sorted by amount

| # | Category | % | Deviation from January in % |
|---|---|---|---|
| 1 | Other | 77.95 | -69.35 |
| 2 | Nigerian | 7.50 | -1.10 |
| 3 | Lottery | 5.43 | -0.29 |
| 4 | Pharmacy | 3.06 | -7.71 |
| 5 | University | 1.43 | -2.36 |
| 6 | Software | 1.41 | -1.86 |
| 7 | Phishing | 1.15 | -0.56 |
| 8 | Loan | 0.70 | -0.56 |
| 9 | Malware | 0.50 | 0.22 |
| 10 | Jobs | 0.32 | -0.12 |

Sorted by deviation

| # | Category | Deviation from January in % |
|---|---|---|
| 1 | Malware | 0.22 |
| 2 | Commercials | 0.02 |
| 3 | Fashion | -0.08 |
| 4 | Jobs | -0.12 |
| 5 | Casino | -0.15 |
| 6 | Lottery | -0.29 |
| 7 | Phishing | -0.56 |
| 8 | Loan | -0.56 |
| 9 | Nigerian | -1.10 |
| 10 | Watch | -1.73 |

Extension statistics for malware URLs
This month the situation was overturned by the .exe extension, which took the lead because of a 67% increase. However, the most abused extension this month is not .exe but .html. This also makes sense considering the storm of updates for all browsers which took place in February and continues in March as well: the cyber criminals tried to abuse security vulnerabilities in the web browsers.

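Sorted by amount

| # | Extension | % | Deviation from January in % |
|---|---|---|---|
| 1 | exe | 42.15 | 67.44 |
| 2 | txt | 24.93 | -15.05 |
| 3 | none | 13.16 | -35.62 |
| 4 | jpg | 4.11 | -3.73 |
| 5 | htm | 3.70 | 65.90 |
| 6 | html | 3.53 | 75.85 |
| 7 | php | 2.37 | -31.65 |
| 8 | rar | 1.53 | 58.89 |
| 9 | gif | 1.26 | 50.00 |
| 10 | zip | 1.21 | -36.62 |

Sorted by deviation

| # | Extension | Deviation from January in % |
|---|---|---|
| 1 | html | 75.85 |
| 2 | exe | 67.44 |
| 3 | htm | 65.90 |
| 4 | rar | 58.89 |
| 5 | gif | 50.00 |
| 6 | png | 11.54 |
| 7 | css | 0.00 |
| 8 | com | 0.00 |
| 9 | bat | 0.00 |
| 10 | jpg | -3.73 |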

Most phished brands statistics
The most attacked brand remains Paypal. It is far ahead of the other entries in the top chart. The reason for this is that we have seen an increase in the “other brands” category. It looks like the attempt to attack smaller brands with potentially more success is paying off for the phishers.
The biggest riser this month is HSBC Bank with an 85% increase, which brought it into the top chart (it wasn’t present last month).

Sorted by amount

| # | Brand name | % | Deviation from January in % |
|---|---|---|---|
| 1 | Paypal | 53.59 | 55.71 |
| 2 | Others | 20.03 | 100.00 |
| 3 | HSBC Bank | 5.07 | 85.20 |
| 4 | Chase Bank | 4.43 | 64.75 |
| 5 | Facebook | 4.09 | 26.33 |
| 6 | Ebay | 3.48 | -402.44 |
| 7 | Bank of America | 3.16 | 76.25 |
| 8 | Visa | 2.19 | 46.41 |
| 9 | Lloyds | 2.07 | 65.50 |
| 10 | Banco Santander | 1.88 | 50.97 |

Sorted by deviation

| # | Brand name | Deviation from January in % |
|---|---|---|
| 1 | Others | 100.00 |
| 2 | HSBC Bank | 85.20 |
| 3 | Bank of America | 76.25 |
| 4 | Lloyds | 65.50 |
| 5 | Chase Bank | 64.75 |
| 6 | Paypal | 55.71 |
| 7 | Banco Santander | 50.97 |
| 8 | Visa | 46.41 |
| 9 | Facebook | 26.33 |
| 10 | Ebay | -402.44 |

URL Shorteners used in malicious activities
Tinyurl.com took the lead among the most abused shorteners in February. While bit.ly lost ground in the phishing chart, it gained almost the same amount in the malware area, making it lead that chart with more than a 23% advantage over the following entries.

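Phishing

| # | Shortener | % | Deviation from January in % |
|---|---|---|---|
| 1 | tinyurl.com | 23.88 | 10.45 |
| 2 | tiny.cc | 14.93 | 5.97 |
| 3 | bit.ly | 10.45 | -17.91 |
| 4 | is.gd | 5.97 | 4.48 |
| 5 | snipurl.com | 4.48 | 4.48 |
| 6 | ow.ly | 4.48 | 4.48 |
| 7 | goo.gl | 4.48 | -4.48 |
| 8 | doiop.com | 4.48 | 2.99 |
| 9 | sn.im | 2.99 | 2.99 |
| 10 | notlong.com | 2.99 | -2.99 |

Malware

| # | Shortener | % | Deviation from January in % |
|---|---|---|---|
| 1 | bit.ly | 30.00 | 17.50 |
| 2 | u.nu | 7.50 | 7.50 |
| 3 | ow.ly | 7.50 | 5.00 |
| 4 | tinyurl.com | 5.00 | 0.00 |
| 5 | tiny.cc | 5.00 | 5.00 |
| 6 | zi.ma | 2.50 | 2.50 |
| 7 | tr.im | 2.50 | 2.50 |
| 8 | snipurl.com | 2.50 | 2.50 |
| 9 | sn.im | 2.50 | 2.50 |
| 10 | shorl.com | 2.50 | 2.50 |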

Sorin Mustaca
Data Security Expert