Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Uniform Resource Locator

RSA’s February Online Fraud Report 2013 including an update on Phishing activity

RSA’s February 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA.

The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011. 

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year. 

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security. 

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one. 

Another similar example is reflected in time-delayed attacks – again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns. 

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees – spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more – making them more likely to check out a link they received via email that day. 

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading.

The most common ways of doing this are:

  • Switching letters, as in bnak or bnk for “bank”
  • Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
  • Swapping visually similar letters 

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart. 

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing. 

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers 

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself. 

This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web. 

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. 

A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly. 

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization. 

RSA Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns. 

Phishing Attacks per Month In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year. 

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil. 

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.

.

How advanced attacks succeed, despite $20B spend on enterprise IT security

Image representing FireEye as depicted in Crun...
Image via CrunchBase

FireEye has recently released their research into why IT Security attacks continue to be successful despite an annual IT Security spend of $20 billion.

A summary of key findings of the FireEye research are below:

1) 99% of enterprises have a security gap, despite $20B spent annually on IT security. Within a given week, the typical enterprise network has anywhere from hundreds to thousands of new malicious infections and all industries are under sustained attack.

2) 90% of malicious executables and malicious domains changed in just a few hours. The dynamic nature of modern attacks is the primary means to bypass signature-based tools, making defenses such as antivirus and URL blacklists ineffective.

3) The fastest growing malware categories are Fake-AV programs, which take part in extortion tactic and info stealers, which abscond information.

4) The top 50 out of thousands of malware families account for 80% of successful infections. Sophisticated toolkits and other means are enabling the rapid production of advanced malware.

Extended details on the four findings:

Finding 1: 99% of enterprise networks have a security gap despite $20B spent annually on IT security.

Despite the massive investment in IT security equipment each year, our analysis of FireEye MPS deployments shows that essentially all enterprises are compromised with malware: 99% of enterprises had malicious infections entering the network each week, and 80% of enterprises faced more than one hundred infections per week, with many in the thousands per week. The median weekly infection caseload was 450 infections per week (normalized per Gbps of traffic), with wide variations.

These are all events that have made it through standard gateway defenses, such as firewalls, next-generation firewalls, IPS, antivirus, email and web security Gateways. These malicious events make it through because traditional security systems either rely on signatures, reputation and crude heuristics or were originally designed for policy control. They no longer keep up with the highly dynamic, multi-stage attacks that have become common today for targeted and APT attacks.

Even the most security-conscious industries are fraught with dangerous infections.

Every company studied in every industry looks to be vulnerable and under attack. Even the most security-conscious industries, such as Financial services, health care and government sectors, which have intellectual property, personally identifiable information, and compliance requirements—show a significant infection rate.

Based on this data, FireEye see that today’s cyber criminals are nearly 100% effective at breaking through traditional security defenses in every organization and industry, from security-savvy to security laggards.

Today’s attacks also exhibit a global footprint with infected sites, malicious servers, and callback destinations distributed around the world.

Finding 2: Successful attacks employ dynamic, “zero-day” malware tactics. 90% of malicious binaries and domains change in just a few hours; 94% within a day.

Our Q2 2011 data showed that 90% of both malicious binaries (MD5 hash files) and malicious domains (URLs hosting malware) changed almost immediately, and 94% changed within a day. This dynamism increased noticeably from Q1 to Q2 2011.

FireEye believe the daily morphing of malicious binaries and domains is timed to stay ahead of the typical practice of daily DAT and blacklist/reputation updates, enabling the malware to remain undetected and its communications unblocked.

Those that change within a few hours stay ahead of centralized “real-time” threat intelligence services that assess risk based on signatures, reputation, and behavior. Those that change once a day stay ahead of defenses that use scheduled daily updates.

Malicious executables are constantly being repacked to appear new each time. Most of the MD5s FireEye observed are so dynamic that they persist for an hour or less or are seen just once. The curve has moved noticeably up and to the left from Q1 to Q2,  indicating that a smaller fraction of malware samples remain unchanged over the course of days (note that this is despite the fact that the Q2 sample is larger than the Q1 sample, increasing the size of our view into malware behavior). It’s also striking that the curve steps up at each 24-hour interval indicating that some malware authors are using an integer number of days as the expiration  time before they generate a new packing.

Note that FireEye are not implying that all malware attacks are dynamic, just that the successful attacks penetrating through the signature and reputation-based defenses use dynamic tactics to defeat those static defenses.

Therefore, FireEye believe that dynamic binaries and dynamic domains form the core of today’s advanced, zero-day malware tactics. Cybercriminals are moving quickly and building manoeuvrability into their tools and operations.

In part, the move to malware dynamism explains the rapid expansion in botnets. For example, criminals need more IP addresses (aka bots or zombies) to evade signature and reputation-based filters.

Another conclusion from these findings is that network defenses must tool up for constant change and resilience. Countermeasures must be designed for highly dynamic threats across vectors, such as Web and email. FireEye also see a trend in which organizations must treat every attachment or Web object as suspicious.

Finding 3: The fastest growing malware categories are Fake-AV programs and Info-stealer executables.

While malware programs have multiple capabilities, the FireEye research team provides a general categorization of each malware executable with what they believe to be its primary purpose. For example, Click Fraud software makes money by creating automated HTTP transactions to particular websites in the interest of distorting (driving up) payments to advertisers. Fake-AV software is sold on the pretence that it has found non-existent malware on consumer computers and then offering to “clean” out the infection if consumers buy the full version.

Several things stand out. The three largest categories of malware in Q2 are Fake-AV (listed as Rogue Anti_malware), Downloader Trojans (whose primary function is to download other pieces of malware), and information stealers of various forms. Comparing to Q1, they see a striking growth in Fake-AV (Rogue Anti_malware) and information stealing malware most likely due to a successful monetization model.

Of these, the information stealers are clearly the greater threat to corporate integrity. While FireEye would certainly not advocate ignoring Fake-AV programs, they are a threat to employees’ private finances and act as a conduit for more serious malware infections, it’s clear that information theft is currently the highest priority problem for enterprises.

  • Zbot (Zeus) Primarily a banking Trojan, Zbot has become extremely famous for fraud against online banking for both consumers and small and medium enterprises and likely represents a high priority threat even to large enterprises in the form of fraud against senior executives.
  • Papras (aka Snifula) has received far less publicity, but in our sample it appears to have become just as widespread as Zbot. Papras is less specialized: it steals account credentials for various online services and also logs information entered in web forms. As such, it’s probably a basic tool in a number of different kinds of manually directed intrusions and information thefts.
  • Zegost is also primarily a keylogger
  • Multibanker are specialized banking trojans.
  • Coreflood is a botnet that operated in many versions for ten years until taken down by the Department of Justice in April of 2011.
  • Licat is believed to be associated with Zbot.

Finding 4: The “Top 50″ of thousands of malware families generate 80% of successful malware infections.

In  reviewing several hundreds of thousands of events, they found that the vast  majority of them derive from a few hundred malware families (as evidenced by  the particular callback protocol we detected in use), and that the Top 50 most  frequent malware families are represented in about 80% of all cases.

From  the figure, they conclude that the exploding zoo of malware executables can be attributed to a much smaller number of malware toolkit code bases. In reviewing the top 50 families, the more successful code bases have optimized aspects of their malware binary output to be dynamic and deceptive.

Note that the frequency of appearance is not  correlated with risk. One of the most common malware families, Fake-AV, extorts  payments from users for falsified virus scans. This class of malware is less of a concern from an enterprise perspective, though Fake-AV should be seen as a “gateway malware” to introduce more serious information-theft malware into the network. On the other hand, nation-state APT malware used for espionage is likely to be out in the long tail of comparatively rare malware. In the range between these two zones, they find very potent, very dangerous attacks.

Many of the Top 50 attacks reflect advanced malware used by criminal syndicates for financial gain. This variety of threat is characterized by periodic campaigns combining exploit toolkits and specific malware families such as “Rogue AV” or “Fake-AV.” The attacks cast a relatively “wide but shallow” net, harvesting data and relying on automation for efficiency and profitable success rates.

Here’s  the anatomy of a typical “wide and shallow” attack, one that is dynamic and  short-lived (in each campaign), but not especially targeted or heavily  personalized:

  • Hunt new victims for a few hours at certain infectious IP addresses
  • Install malware via drive-by download or phishing campaign (possibly run  through a social networking site)
  • Collect account data from victims’ computers (or install data-stealing malware on these hosts)
  • Pause (or move on to a new site)
  • Monetize the data that has been collected (for perhaps days or weeks)
  • Run another campaign with a tweaked version of the malware and different IP  addresses when we look at malware by family, and the event timeline of malware activity, they see evidence of the compressed timelines used in campaigns today. FireEye see sharp spikes. Even with a relatively protracted activity, like that shown with Rogue.AV, FireEye see significant spikes above a significant baseline.

The other major category of attack is the “Narrow and Deep” attack that includes  targeted and APT attacks. These attacks infect a relatively small number of machines that act as the beachhead from which to further infiltrate other enterprise systems, especially those that contain critical or sensitive information.

The deeper infiltration is accomplished via lateral movement by propagating the malware infection to other systems and servers in the enterprise network. Only real-time monitoring of suspicious code will detect these subtle attacks.

How do criminals make their malware and domains dynamic? Point-and-click Toolkits?

Criminals make code appear new by packing, encrypting, or otherwise obfuscating the nature of the code. Malware toolkits like Zeus (banking Trojan) and Blackhole (drive-by downloads) automate this process today, which FireEye believe explains some of our finding of increasing and almost ubiquitous dynamism.

The prevalence of dynamic domain addresses indicates that criminals are moving their distribution sources very quickly as well, like a drug dealer moving to a different street corner after every few deals. By moving their malware to an unknown site (often a compromised server or zombie), and using short URLs, cross-site scripting or redirects to send traffic to that site, the criminals can stay ahead of reputation-based defenders.

Criminals invest in toolkits and dynamic domains because signatures and reputation engines have become adept at blacklisting known bad content and “bad” or “risky” URLs sites. Any stationary criminal assets will quickly be blacklisted, therefore these assets must move to remain valuable.

FireEye Conclusions

The new breed of cyber–attacks are evading existing defenses by using dynamic malware, toolkits and novel callback techniques, leaving virtually every enterprise vulnerable to data theft and disruption. Although enterprises are investing $20B per year on IT security systems, cybercriminals are able to evade traditional defenses, such as firewalls, IPS, antivirus and Gateways, as they are all based on older technology: signatures, reputation and crude heuristics.

Enterprises must reinforce traditional defenses with a new layer of security that detects and blocks these sophisticated, single-use attacks. New technologies are needed that can recognize advanced malware entering through Web and email, and thwart attempts by malware to call back to command and control centers. This extra  defense is designed specifically to fight the unknown threats, such as zero-day  and targeted APT attacks, thereby closing the IT security gap that exists in all enterprises.

The FireEye report can be found here.

.

Symantec’s May 2011 Intelligence Report

Image representing Symantec as depicted in Cru...
Image via CrunchBase

Symantec have released their May 2011 Intelligence Report. A summary of the results are below.

Report highlights

  • Spam – 75.8% in May (an increase of 2.9 percentage points since April 2011)
  • Viruses – One in 222.3 emails in May contained malware (a decrease of 0.14 percentage points since April 2011)
  • Phishing – One in 286.7 emails comprised a Phishing attack (a decrease of 0.06 percentage points since April 2011)
  • Malicious web sites – 3,170 web sites blocked per day (an increase of 30.4% since April 2011)
  • 36.8% of all malicious domains blocked were new in May (an increase of 3.8 percentage points since April 2011)
  • 24.6% of all web-based malware blocked was new in May (an increase of 2.1 percentage points since April 2011)
  • For the First Time, Spammers establish their own fake URL-shortening services

Spammers are establishing their own their own fake URL-shortening services to perform URL redirection. This new spamming activity has contributed to this month’s increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years using a variety of different techniques so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ – a link between public URL-shortening services and the spammers’ own sites.”

To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services since the age of the domain may be used as an indicator of legitimacy making it more difficult for the genuine shortening services to identify potential abuse.

“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”

 Symantec MessageLabs Email AntiVirus.cloud

The global ratio of email-borne viruses in email traffic was one in 222.3 emails (0.450%) in May, a decrease of 0.143 percentage points since April 2011.

In May, 30.0% of email-borne malware contained links to malicious Web sites, an increase of 16.9 percentage points since April 2011. A large number of emails containing variants of Bredolab related malware, accounted for 16.3% of all email-borne malware, compared with 55.1% in the previous month. These variants were commonly attached as ZIP files, rather than hyperlinks, and as the volume of these attacks diminishes, the proportion of attacks using hyperlinks increased.

The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May. A large number of variants of Bredolab malware continued to be observed in a number of countries during May, as highlighted in the table below.

In the US, virus levels for email-borne malware were 1 in 540.3 and 1 in 334.5 forCanada. In Germany virus activity reached 1 in 435.9, 1 in 1,197 in Denmarkan d in The Netherlands 1 in 330.1. In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 in Hong Kong; for Japan it was 1 in 1,164, compared with 1 in 706.7 in Singapore. In South Africa, 1 in 178.7 emails and 1 in 378.3 emails in Brazil contained malicious content. With 1 in 28.9 emails being blocked as malicious, the Public Sector remained the most targeted industry in May. Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9 and 1 in 367.9 for the IT Services sector; 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

Phishing Analysis

In May, Phishing activity decreased by 0.06 percentage points since April 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

South Africa remained the most targeted geography for Phishing emails in May, with 1 in 80.2 emails identified as Phishing attacks.South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, Phishing accounted for 1 in 100.1 emails. Phishing levels for the US were 1 in 1,227 and 1 in 239.2 forCanada. In Germany Phishing levels were 1 in 1,540, 1 in 2662 in Denmark and 1 in 780.9 in The Netherlands. In Australia, Phishing activity accounted for 1 in 1,022 emails and 1 in 2,235 in Hong Kong; for Japan it was 1 in 10,735 and 1 in 2,111 for Singapore. In Brazil, 1 in 589.5 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by Phishing activity in May, with 1 in 33.2 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 982.8 and 1 in 738.9 for the IT Services sector; 1 in 537.0 for Retail, 1 in 141.4 for Education and 1 in 267.0 for Finance.

Symantec MessageLabs Web Security.cloud

In May, MessageLabs Intelligence identified an average of 3,142 Web sites each day harboring malware and other potentially unwanted programs including Spyware and adware; an increase of 30.4% since April 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 36.8% of all malicious domains blocked were new in May; an increase of 3.8 percentage points compared with April 2011. Additionally, 24.6% of all Web-based malware blocked was new in May; an increase of 2.1 percentage points since the previous month.

Endpoint Protection

The endpoint is often the last line of defense and analysis. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.

The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit3, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 14.0% of all malicious software blocked by endpoint protection technology in May.

Geographical Trends:

  • Russia became the most spammed in May with a spam rate of 82.2 percent.
  • In the US 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.
  • In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.
  • Spam levels in Hong Kong reached 75.2 percent and 74.0 percent in Singapore. Spam levels in Japan were 72.3 percent.
  • In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.
  • The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.
  • In the US virus levels were 1 in 540.3 and 1 in 334.5 forCanada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.
  • In Australia, 1 in 513.5 emails were malicious and, 1 in 377.2 forHong Kong, for Japan it was 1 in 1,164 compared with 1 in 706.7 forSingapore.
  • In South Africa 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3

Vertical Trends:

  • In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.
  • Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.
  • In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: