In its role as the Australian Computer Emergency Response Team, AusCERT provides incident response services to its members, the Australian public and the wider global community.

This incident response work can be reactive; for example, in response to a request for assistance from a member or the international CERT community; or proactive, where AusCERT independently looks for evidence of attacks and host compromise in the public domain and attempts to mitigate these incidents and/or notify affected parties.

The majority of AusCERT's work as a computer security incident response team involves proactively looking for evidence of Internet attacks directed at Australian Internet users and organisations with an online presence. AusCERT uses a number of methods to locate, analyse and mitigate these attacks.

We proactively look for the following types of attack:

• phishing sites
• malware hosting sites
• compromised Australian web sites (from .au ccTLD domains) serving malware
• malware logging sites
• compromised hosts owned by home users or organisations

The action we take includes:

• in the case of phishing, malware and logging sites, contacting appropriate parties to stop the attack
• notifying owners of compromised Australian web sites when their sites are hosting malware
• notifying ISPs or affected organisations when their hosts, or their customers' computers, are compromised
• where possible, repatriating compromised data including account credentials captured by malware-infected computers to trusted third parties and/or affected domain owners.

The following graphs reflect this activity and provide an indication of the volume of attacks that have targeted or had an impact on Australian Internet users.

Malware and phishing sites monitored by AusCERT per month (2010 - 2013)

Notification by AusCERT of compromised accounts or data (2007 - 2013) Compromised accounts and compromised data repatriated from malware logging sites have declined in 2012 compared to the previous years because most attackers now use methods to protect the stolen captured data, including passwords or encryption.

Notification by AusCERT of compromised accounts or data in 2012. There were no notifications of compromises of accounts or data for January 2013.

Notification by AusCERT of compromised hosts and web sites (2007-2013)

Notification by AusCERT of compromised hosts in 2012

Notification by AusCERT of compromised hosts in 2013

Notification by AusCERT of compromised web sites in 2012. Includes notifications in Australia and overseas and multiple notifications per domain.

Notification by AusCERT of compromised web sites serving malware i n 2013. Includes notification in Australia and overseas and multiple notifications per domain.

Compromised au web sites serving malware by domain (2013)