April kicked off with a 1:292 rate of malware encounters and closed with a rate of 1:315. The peak day was April 20, when the rate reached 1:177; the lowest was April 4, at 1:338. The median rate of web malware encounters in April 2014 was 1:292, representing a slight improvement over the median of 1:260 requests in March but still worse than the median of 1:341 requests in February.


With the close of March Madness, web malware encounters from the video category and file transfer services dropped off the top ten list. Computer sites overtook the business and infrastructure categories for the highest rate of web malware encounters during the month. Encounters via travel-related sites debuted at the number ten spot, perhaps a result of increased browsing to travel sites in preparation for spring break and summer vacation planning.


The ratio of unique non-malicious hosts to unique malware hosts increased from a median of 1:4841 in March 2014 to 1:3855 in April. The ratio of unique non-malicious IP addresses to unique malicious IP addresses also increased, from 1:1388 in March to 1:1133 in April. There was considerably more volatility in the rate of unique malware hosts throughout April, whereas the rate of unique malicious IP addresses remained fairly steady.


At 6% of all web malware encounters, Java encounters remained steady in April 2014 compared to March. Java exploits also continue to be the most frequently encountered of all web-delivered exploits, with malformed PDFs a very distant second at 0.3%. Note that encounter rates are influenced both by the specific software (and version) installed on the web surfing system and by the point at which the block triggers on the encounter.


Mobile device encounters increased 17% to 4.2% of all web malware encounters in April 2014 compared to 3.6% in March. Android and iOS devices were nearly identical at 2.1% and 2.0%, respectively. Mobile device encounters are not necessarily web malware targeting the specific device and may include things like phishing and Facebook scams, click fraud, and similar malware. In terms of malware specific to the mobile device, malicious Android APKs remain the most common, at 99% of all mobile-targeting malware.


Advertising plummeted as a vector of mobile device encounters, from the number one spot and 18% in March 2014 to the number 15 spot and 0.21% in April 2014. As with categories for all web malware encounters, this change in mobile encounters is likely due to the end of March Madness and a reduced consumption of video. Mobile device encounters were predominantly from B2B-focused categories in April 2014, with infrastructure, business, and computer-related sites comprising the top three categories, followed by search and file transfer services in the number four and five spots, respectively.


Two significant occurrences impacted vertical risk rates in April 2014. In the first, the overall median for all companies increased 23%. This effectively reduces the risk rating for outliers that typically have significantly higher-than-median rates. The second occurrence was companies in the Media & Publishing vertical overtaking Pharmaceutical & Chemical for the highest risk spot.

To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
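The calculation described above, as an added example that is not part of the original report. It assumes each enterprise's encounter rate is blocked encounters divided by web requests and that "compare" means the vertical median as a percentage of the overall median; all sample figures are constructed, and the "Retail" vertical is hypothetical.

```python
from statistics import median

# Constructed sample data: (enterprise, vertical, blocked encounters, web requests).
# "Retail" is a hypothetical third vertical added for contrast.
SAMPLE = [
    ("ent-01", "Media & Publishing", 900, 100_000),
    ("ent-02", "Media & Publishing", 1200, 100_000),
    ("ent-03", "Media & Publishing", 1500, 100_000),
    ("ent-04", "Pharmaceutical & Chemical", 800, 100_000),
    ("ent-05", "Pharmaceutical & Chemical", 1000, 100_000),
    ("ent-06", "Pharmaceutical & Chemical", 1100, 100_000),
    ("ent-07", "Retail", 200, 100_000),
    ("ent-08", "Retail", 300, 100_000),
    ("ent-09", "Retail", 400, 100_000),
    ("ent-10", "Retail", 0, 0),  # no traffic this month: excluded, not a 0% rate
]

def vertical_risk(records):
    """Map each vertical to its median encounter rate as a % of the overall median."""
    rates = [(vertical, hits / reqs) for _, vertical, hits, reqs in records if reqs > 0]
    if not rates:
        raise ValueError("no enterprise has any requests")
    overall = median(rate for _, rate in rates)
    if overall == 0:
        raise ValueError("overall median is zero; ratio is undefined")
    by_vertical = {}
    for vertical, rate in rates:
        by_vertical.setdefault(vertical, []).append(rate)
    return {v: round(100 * median(rs) / overall, 1) for v, rs in by_vertical.items()}

def rating_after_baseline_rise(rating_pct, rise_pct):
    """Rating of a vertical whose own median is unchanged while the overall median rises."""
    return round(rating_pct / (1 + rise_pct / 100), 1)

if __name__ == "__main__":
    risk = vertical_risk(SAMPLE)
    for vertical, pct in sorted(risk.items(), key=lambda kv: -kv[1]):
        print(f"{vertical:28s} {pct:6.1f}%  {'increased risk' if pct > 100 else ''}")
    # Same vertical median, overall median up 23%: the rating drops.
    print(rating_after_baseline_rise(risk["Media & Publishing"], 23))
```

The second function shows why a 23% rise in the overall median lowers the rating of a vertical whose own encounter rate has not changed.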


Spam volumes remained flat between March 2014 and April 2014.


Despite the flattening in spam, there was flux in the top five global spam senders. In April 2014, the Republic of Korea overtook the United States as top origin for spam. The Russian Federation dropped off the top five list altogether and the United Kingdom bubbled up to the number three spot. It is possible that tensions in Ukraine and Russia have influenced the reduction in spam from these two countries. Spain and Germany made up the number four and five spots, respectively, in April 2014.



Mary Landesman

Senior Security Researcher

Cisco TRAC