Blueliv Releases Q1 2015 Global Cyber Threat Report


  • Blueliv reveals startling scale of cybercrime, pinpoints geolocations most affected
  • Dyre and Dridex, the most nefarious banking Trojans

Blueliv releases its Cyber Threat Report, revealing detailed figures on criminal online activity in the first quarter of 2015.

Through its cyber threat intelligence platform between January and March 2015, Blueliv detected and analyzed 5.5 million stolen credentials and credit cards, 225,000 targeted malware samples, and 500,000 crime servers.


“It’s important for people to understand the scope and scale of these global online threats, in order to better protect themselves and their companies,” said Blueliv Founder and CEO Daniel Solis. “Blueliv’s threat intelligence platform provides unique visibility into cyber crime—visibility we share so that cyber security experts and risk-assessment professionals across the sector are armed with better information in our fight against cyber crime.”


In the first quarter of 2015, the US has continued to be the most targeted country for theft of credit and debit card information, with US victims comprising 57% of these cases worldwide. One important reason is the lack of integrated chips in US cards. Since there is no hardware protection in US cards, it’s easier for criminals to steal credit card information while the customer is making a purchase. If one business is infected, it’s easy for information to be stolen from all cards used to make purchases there.

The second largest country affected by credit data theft is Australia, with 8% of the cases worldwide. This is up from fifth place in the previous quarter. The UK remains in third spot, with 4% of these cases globally.

Criminals are always trying to find new ways to steal credit and debit card information. One of the most common methods, however, involves tampering with ATMs. Personal information and access to accounts are stolen by means of added magnetic readers and PIN pads or hidden cameras. Another common technique is infecting chip and PIN terminals with malware; this is what we know as Point of Sale (POS) malware.

Stolen card data is then sold on the black market. Depending on the type of card, it may cost from 50 cents up to 17 US dollars. The average value for card information in Q1 of 2015 was $4.85 per card, slightly lower than the average for 2014, which was $5.86.


The theft of credentials also remains an increasingly important threat. Individuals and businesses find themselves lacking security measures capable of safeguarding them from the leak of thousands of sensitive credentials. This includes all types of sensitive information, from bank details to confidential business documents. Malware, fraudulent websites and phishing attacks are the primary culprits.

[Figure: credentials by country]

Bulgaria has suffered the largest amount of this type of theft, rising to 28% of the total, followed by France, with 25%.

[Figure: credentials by industry]

Technology & Telcos are the industries hit hardest in Q1 by credential theft, with 48%, followed by Media, Social & Advertising, with 32%. These industries have changed positions in comparison with last quarter. Retail continues to be the third worst affected, with 7% of the total cases, up from 5% in Q4 2014.


While the overall number of botnets remained very close to that of the previous quarter, their geographic targets are shifting. While the US continues to be the worst hit by these botnets, their numbers decreased from 50% to 39% this quarter. Meanwhile in the European Union, the number of botnets has risen from 22% to 28% over the same period.

Some new threats have arisen since Blueliv’s last infographic: the Dyre and Dridex banking trojans have made a strong showing, infecting almost all countries in the world. The most affected countries are the following:

[Figure: botnet map]

As far as the geolocation of crime servers is concerned, more than half of them are still located in China, and another 17% are based in the US.


The most common types of malware found in the first quarter were Pony, which made up nearly half of the samples, followed by Zeus. However, the presence that Dridex*, Gozi and Dyre* have had these months is notable. Ransomware has also increased its influence this quarter, infecting a great number of users.

[Figure: malware types]

With regard to POS malware, more than half of the samples were Dexter (55%), followed by Backoff and JackPos (with 18% and 14% respectively).


Where on earth are most of the malicious URLs based? China continues in the first position, with 38% of the URLs, followed once again by the US (21%).

“Blueliv uncovers cyber intelligence,” said Solis, “and brings it to light, to the benefit of everyone who works to lock out those who would do harm online. We need to encourage companies and sectors to better share information about threats, in order to make it harder still for cyber criminals to succeed. It is with this aim that we are releasing information about infected servers that are spreading malware and infecting end users through our free API, helping the world stop the kill-chain:

Download Blueliv’s Q1 2015 Cyber Threat Intelligence Report!

*Find out more about Dyre and Dridex in our report: Chasing the cybercrime: network insights of Dyre and Dridex Trojan bankers.
