Most abused TLDs
For the phishing URLs, the ascending trend observed in January 2011 continued with even more entries in February. We observe again that more and more different TLDs are used to host phishing, an obvious sign that there are a lot of hacked websites and bots out there. The top of the malware URL chart remains almost unchanged, but surprisingly the trend is negative.
| | Phishing | | | Malware | | |
| # | Top level domain | % | Deviation from January in % | Top level domain | % | Deviation from January in % |
| 1 | .com | 51.56 | 32.44 | .com | 38.35 | 6.80 |
| 2 | Others | 15.82 | 100.00 | .info | 28.01 | 93.30 |
| 3 | .org | 6.20 | 21.69 | Others | 8.78 | 100.00 |
| 4 | .net | 5.94 | 4.42 | IP Address | 4.91 | 99.31 |
| 5 | .uk | 3.69 | 37.41 | .ru | 3.94 | -7.36 |
| 6 | IP Address | 3.22 | 99.67 | .net | 3.79 | -27.93 |
| 7 | .br | 2.44 | -3.66 | .org | 2.71 | -11.32 |
| 8 | .tk | 2.18 | 7.45 | .cc | 2.69 | 25.32 |
| 9 | .ru | 2.01 | 15.40 | .br | 1.67 | -41.84 |
| 10 | .tl | 1.23 | 10.21 | .uk | 1.30 | 50.00 |
Spam category statistics
We can only confirm again the trend we observed at the end of 2010: in general, there is less spam out there.
| Sorted by amount | | | | Sorted by deviation | | |
| # | Category | % | Deviation from January in % | # | Category | Deviation from January in % |
| 1 | Other | 77.95 | -69.35 | 1 | Malware | 0.22 |
| 2 | Nigerian | 7.50 | -1.10 | 2 | Commercials | 0.02 |
| 3 | Lottery | 5.43 | -0.29 | 3 | Fashion | -0.08 |
| 4 | Pharmacy | 3.06 | -7.71 | 4 | Jobs | -0.12 |
| 5 | University | 1.43 | -2.36 | 5 | Casino | -0.15 |
| 6 | Software | 1.41 | -1.86 | 6 | Lottery | -0.29 |
| 7 | Phishing | 1.15 | -0.56 | 7 | Phishing | -0.56 |
| 8 | Loan | 0.70 | -0.56 | 8 | Loan | -0.56 |
| 9 | Malware | 0.50 | 0.22 | 9 | Nigerian | -1.10 |
| 10 | Jobs | 0.32 | -0.12 | 10 | Watch | -1.73 |
Extension statistics for malware URLs
This month we have seen the situation overturned by the .exe extension, which took the lead because of a 67% increase. However, the most abused extension this month is not .exe but .html. This also makes sense considering the storm of updates for all browsers which took place in February and continues in March as well: the cyber criminals tried to abuse security vulnerabilities in the web browsers.
| Sorted by amount | | | | Sorted by deviation | | |
| # | Extension | % | Deviation from January in % | # | Extension | Deviation from January in % |
| 1 | exe | 42.15 | 67.44 | 1 | html | 75.85 |
| 2 | txt | 24.93 | -15.05 | 2 | exe | 67.44 |
| 3 | none | 13.16 | -35.62 | 3 | htm | 65.90 |
| 4 | jpg | 4.11 | -3.73 | 4 | rar | 58.89 |
| 5 | htm | 3.70 | 65.90 | 5 | gif | 50.00 |
| 6 | html | 3.53 | 75.85 | 6 | png | 11.54 |
| 7 | php | 2.37 | -31.65 | 7 | css | 0.00 |
| 8 | rar | 1.53 | 58.89 | 8 | com | 0.00 |
| 9 | gif | 1.26 | 50.00 | 9 | bat | 0.00 |
| 10 | zip | 1.21 | -36.62 | 10 | jpg | -3.73 |
Most phished brands statistics
The most attacked brand remains Paypal. It is far ahead of the other entries in the top chart. The reason for this is that we have seen an increase in the “other brands” category. It looks like the attempt to attack smaller brands with potentially more success is paying off for the phishers.
The biggest ascender this month is HSBC Bank with an 85% increase, which actually made it enter the top chart (it wasn’t present last month).
| Sorted by amount | | | | Sorted by deviation | | |
| # | Brand name | % | Deviation from January in % | # | Brand name | Deviation from January in % |
| 1 | Paypal | 53.59 | 55.71 | 1 | Others | 100.00 |
| 2 | Others | 20.03 | 100.00 | 2 | HSBC Bank | 85.20 |
| 3 | HSBC Bank | 5.07 | 85.20 | 3 | Bank of America | 76.25 |
| 4 | Chase Bank | 4.43 | 64.75 | 4 | Lloyds | 65.50 |
| 5 | | 4.09 | 26.33 | 5 | Chase Bank | 64.75 |
| 6 | Ebay | 3.48 | -402.44 | 6 | Paypal | 55.71 |
| 7 | Bank of America | 3.16 | 76.25 | 7 | Banco Santander | 50.97 |
| 8 | Visa | 2.19 | 46.41 | 8 | Visa | 46.41 |
| 9 | Lloyds | 2.07 | 65.50 | 9 | | 26.33 |
| 10 | Banco Santander | 1.88 | 50.97 | 10 | Ebay | -402.44 |
URL Shorteners used in malicious activities
Tinyurl.com took the lead among the most abused shorteners in February. While bit.ly lost ground in the phishing chart, it gained almost the same amount in the malware area, which makes it rule the top chart with more than 23% advantage over the following entries.
| | Phishing | | | Malware | | |
| # | Shortener | % | Deviation from January in % | Shortener | % | Deviation from January in % |
| 1 | tinyurl.com | 23.88 | 10.45 | bit.ly | 30.00 | 17.50 |
| 2 | tiny.cc | 14.93 | 5.97 | u.nu | 7.50 | 7.50 |
| 3 | bit.ly | 10.45 | -17.91 | ow.ly | 7.50 | 5.00 |
| 4 | is.gd | 5.97 | 4.48 | tinyurl.com | 5.00 | 0.00 |
| 5 | snipurl.com | 4.48 | 4.48 | tiny.cc | 5.00 | 5.00 |
| 6 | ow.ly | 4.48 | 4.48 | zi.ma | 2.50 | 2.50 |
| 7 | goo.gl | 4.48 | -4.48 | tr.im | 2.50 | 2.50 |
| 8 | doiop.com | 4.48 | 2.99 | snipurl.com | 2.50 | 2.50 |
| 9 | sn.im | 2.99 | 2.99 | sn.im | 2.50 | 2.50 |
| 10 | notlong.com | 2.99 | -2.99 | shorl.com | 2.50 | 2.50 |
Sorin Mustaca
Data Security Expert