Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend compared to weekdays. 18% of all web malware encounters in February 2014 were for Facebook related scams.


The ratio of unique non-malicious hosts to unique malware hosts was fairly constant between the two months, at 1:4808 in January 2014 and 1:4775 in February 2014. Likewise, the rate of unique non-malicious IP addresses to malicious IP addresses was also similar between the two months, at 1:1330 in January 2014 compared to 1:1352 in February 2014.


While Java malware encounters were 4% of all web malware encounters in January 2014, that rate increased to 9% in February. Of particular interest was the increase in the rate of Java malware encounters involving versions older than Java 7 or Java 6, which increased to 33% of all Java malware encounters in February 2014 from just 13% in the month prior.


Web malware encounters from mobile devices increased from 3.7% in January 2014 to 4.7% in February. The largest increase was in Apple iOS device encounters, which increased from 1.5% in January to 2.7% in February. Mobile device web malware encounters via non-Android or non-iOS devices remained static, at 0.1% of total web malware encounters for each of the two months.


During the month of February 2014, risk ratings for companies in the Media & Publishing vertical increased 417%, Utilities increased 218%, and Insurance 153%. Companies in Pharmaceutical & Chemical remained consistently high, with a slight increase from a 990% risk rating in January 2014 to an 1100% risk rating in February.

To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
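As an added illustration of the two metrics used in this post (not Cisco's own tooling), the following Python computes a "1:N requests" encounter rate, the percent change in risk between two such rates (reproducing the 1:375 to 1:341 comparison above), and the per-vertical risk rating described in the previous paragraph. The enterprise request and encounter counts are constructed sample values, not Cisco data.

```python
from statistics import median

# Constructed sample: (vertical, web requests, web malware encounters) per enterprise.
# Illustrative numbers only; they are not taken from Cisco's telemetry.
ENTERPRISES = [
    ("Retail", 1_000_000, 2_000),
    ("Retail", 800_000, 2_400),
    ("Media & Publishing", 500_000, 5_000),
    ("Media & Publishing", 400_000, 6_000),
    ("Utilities", 600_000, 3_000),
    ("Utilities", 900_000, 1_800),
]


def requests_per_encounter(requests: int, encounters: int) -> float:
    """Return N for a '1:N requests' encounter rate (requests per malware encounter)."""
    if encounters <= 0:
        raise ValueError("encounter rate is undefined without any encounters")
    return requests / encounters


def risk_change_pct(old_n: float, new_n: float) -> float:
    """Percent change in encounter probability when the rate moves from 1:old_n to 1:new_n.

    The probability of an encounter per request is 1/N, so the new-to-old
    probability ratio is old_n / new_n (1:375 -> 1:341 gives about +10%).
    """
    return (old_n / new_n - 1.0) * 100.0


def vertical_risk_ratings(enterprises) -> dict:
    """Median per-enterprise encounter probability within each vertical, divided by
    the median across all enterprises, expressed as a percentage (100% = baseline)."""
    probs = [(vertical, enc / req) for vertical, req, enc in enterprises]
    overall = median(p for _, p in probs)
    return {
        vertical: median(p for v, p in probs if v == vertical) / overall * 100.0
        for vertical in sorted({v for v, _ in probs})
    }


def elevated(ratings: dict) -> dict:
    """Verticals whose rating exceeds 100%, i.e. above the all-enterprise median."""
    return {v: r for v, r in ratings.items() if r > 100.0}


if __name__ == "__main__":
    print(f"Jan->Feb risk change: {risk_change_pct(375, 341):+.1f}%")
    for vertical, rating in vertical_risk_ratings(ENTERPRISES).items():
        print(f"{vertical:20s} {rating:6.1f}%")
```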

Following a 20% spam volume decrease in January 2014, spam volumes increased 73% in February 2014. Contributing to this higher volume was malicious email masquerading as bank draft notifications – with a twist. Instead of trying to influence through fear, these emails claimed that an “International Bank draft is ready for pick-up” with the alleged details contained in the attachment. Instead of the promised fund info, the attached “Bank Draft_fdp.rar” contained a password-stealing trojan that installs a backdoor on victim computers.

A second money-promising email hitting inboxes in February claimed:

Good Day,
Actual fund was transfer, scan copy enclosed herewith and consider tax calculation to courier all necessary documents asap.
-Sent from my iPhone

To further the ruse, the email attachment was aptly named “PDF SWIFT Transfer.rar”. Though no exploit was used to deliver this malware, those hoping for a little extra cash might fall for the socially engineered messages. Further details on these spam campaigns can be found in Cisco Threat Outbreak Alerts 32940 and 32886.

The top five global spam senders in February 2014 were the United States at 16.5%, followed by the Russian Federation at 12.41%, with Spain, China, and Germany a distant 3.77%, 3.39%, and 3%, respectively. Though the Russian Federation also held the number two spot in January 2014, this was a significant volume increase from only 5.10% of global spam origin that month.


Mary Landesman

Senior Security Researcher

Cisco TRAC