Symantec gathers malicious code reports from over 120 million client, server, and gateway systems that have deployed its antivirus product, and also maintains one of the world's most comprehensive vulnerability databases, currently consisting of over 25,000 recorded vulnerabilities (spanning more than two decades) affecting more than 55,000 technologies from over 8,000 vendors. As security administrators and end users adapt new measures to resolve security threats, attackers must create new and innovative ways to attain their objectives. As a result, the threat landscape is constantly shifting. Based on data collected during the last six months of 2007, Symantec has observed that the current security threat landscape is predominantly characterized by the following:
• Malicious activity has become Web-based.
• Attackers are targeting end users instead of computers.
• The underground economy is consolidating and maturing.
• Attackers and attack activity adapt rapidly.
Web-Based Attacks
In the past, traditional attack activity primarily used widespread, broadcast attacks aimed at computers deployed on networks. However, as administrators and vendors fortified perimeter defenses with tools such as firewalls and intrusion detection/prevention systems (IDS/IPS), attackers responded by adopting new tactics. Instead of trying to penetrate networks with high-volume broadcast attacks, attackers have adopted stealthier, more focused techniques that target individual computers through the World Wide Web. This may be driven, in part, by the fact that compromises that affect computers on enterprise networks are increasingly likely to be discovered and shut down. On the other hand, activity that takes place on end users' computers and/or Web sites is less likely to be detected. As a result of these considerations, Symantec has observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity. Site-specific vulnerabilities are perhaps the most telling indication of this trend. These are vulnerabilities that affect custom or proprietary code for a specific Web site. During the last six months of 2007, 11,253 site-specific cross-site scripting vulnerabilities were documented. This is considerably higher than the 2,134 traditional vulnerabilities documented by Symantec during this period.
These vulnerabilities are a concern because they allow attackers to compromise specific Web sites, which they can then use to launch subsequent attacks against users. This has shown to be an effective strategy for launching multistage attacks and exploiting client-side vulnerabilities. Symantec has also observed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. This increases the likelihood that the attacks will be successful because a user is more likely to allow a trusted site to execute code on his or her computer, or to open a file downloaded from a trusted site. Attackers targeting trusted sites can also steal user credentials or launch mass attacks because they may allow attacks to propagate quickly through a victim's social network. This is one reason for the shift to site-specific vulnerabilities.
Site-specific vulnerabilities are also popular with attackers because so few of them are addressed in a timely manner. Of the 11,253 site-specific cross-site scripting vulnerabilities documented during this period, only 473 had been patched by the administrator of the affected Web site. Of the 6,961 site-specific vulnerabilities in the first six months of 2007, only 330 had been fixed at the time of writing. In the rare cases when administrators do fix these vulnerabilities, they are relatively slow to do so. In the second half of 2007, the average patch development time was 52 days, down from an average of 57 days in the first half of 2007.
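The site-specific cross-site scripting vulnerabilities counted above live in a site's own page-generation code rather than in a vendor product, which is why no vendor patch ever arrives for them. The following is an added illustration, not code from the Symantec report: a hypothetical search-results handler written both the vulnerable way (untrusted input echoed straight into HTML) and the hardened way (input HTML-encoded before it reaches the page), plus the simple check a code reviewer or scanner applies to tell the two apart. The query strings are constructed sample inputs.

```python
import html

# Constructed sample search terms: one benign, two containing markup characters
# of the kind a scanner would feed to a page to see whether they come back verbatim.
SAMPLE_QUERIES = [
    "laptops",
    "<script>alert(1)</script>",
    'x" onmouseover="alert(1)',
]


def render_results_vulnerable(query: str) -> str:
    """Hypothetical handler: interpolates the query into HTML without encoding.

    This is the shape of a site-specific XSS vulnerability: whatever the user
    (or a crafted link) supplies is parsed by the browser as markup.
    """
    return f"<p>Results for: {query}</p>"


def render_results_hardened(query: str) -> str:
    """Same handler with the fix: HTML-encode the query so it is rendered as text.

    quote=True also encodes " and ', so the value is safe inside attributes too.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_unescaped_markup(page: str, untrusted: str) -> bool:
    """Review/scan check: does the raw untrusted value appear verbatim in the
    output while containing characters that change how HTML is parsed?"""
    has_markup_chars = any(c in untrusted for c in "<>\"'")
    return has_markup_chars and untrusted in page


def audit(render) -> dict:
    """Run every sample query through a renderer and report which ones are
    reflected unencoded. Returns {query: True/False}."""
    return {q: reflects_unescaped_markup(render(q), q) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("hardened", render_results_hardened)):
        print(name, audit(render))
```

The check is deliberately crude (it only looks for the input surviving verbatim), which is exactly why encoding at the output boundary is the right fix: it removes the condition the check looks for regardless of which characters a particular payload uses.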
Phishing, creating a spoof site that mimics the legitimate Web site of banks, retailers or other organizations that gather financial and account data, is a growing and increasingly sophisticated phenomenon. In the last six months of 2007, Symantec observed 87,963 phishing hosts, which are computers that can host one or more phishing Web sites. This is an increase of 167% from the first half of 2007, when Symantec detected only 32,939 phishing Web hosts.
The majority of brands used in phishing attacks in the last six months of 2007 were in the financial services sector, accounting for 80%. However, phishing volume against these brands decreased slightly, which was likely due to a rise in phishing attempts targeting ISPs. ISP accounts can be valuable targets for phishers because people frequently use the same authentication credentials (such as usernames and passwords) for multiple accounts, including email accounts. This information may provide access to other accounts, such as online banking. Additionally, attackers could use the free Web-hosting space often included in these accounts to put up phishing sites, or use the accompanying email accounts to send spam or launch further phishing attacks.
Underground Economy Servers
Underground economy servers are black market forums used by criminals and criminal organizations to advertise and trade stolen information and services typically for use in identity theft. The distribution of goods and services advertised on underground economy servers illustrates the growing focus on end users and their financial and personal information, such as bank account credentials, credit card information and identities.
Over the last six months of 2007, Symantec observed that data related to identities, credit cards, and financial details accounted for 44% of the goods advertised on underground economy servers this period. Bank accounts were the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 22% of all items.
Underground Economy Consolidates and Matures
Symantec believes that malicious activities have evolved to the point of becoming a mature, consolidated underground economy. This economy is characterized by a number of traits that are present in more orthodox economies, including:
Specialization of production of goods and services. Specialized production of goods and services means that individuals will focus on one specific task or job, which is generally done for two reasons: because an economy has evolved enough that individuals can successfully specialize in a specific area, and to take advantage of the economic efficiencies gained when one individual or group performs only one activity. There has been a dramatic increase in malicious code threats -- almost two-thirds of all malicious code threats currently detected were created during 2007. The surge is likely due to the emergence of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.
The outsourcing of production. The specialized production of malicious goods and services is often made possible by the development of an outsourcing model of malicious activity. It is reasonable to assume that the significant increase in new malicious code threats is the result of outsourcing, in which the malicious code authors are paid to create new samples. Automated phishing toolkits are another example of outsourcing. A phishing toolkit is a set of scripts that allows an attacker to automatically set up phishing Web sites that spoof the legitimate Web sites of different brands, including the images and logos associated with those brands. Phishing toolkits are developed by groups or individuals and are sold in the underground economy. These sophisticated phishing kits are typically difficult to obtain and expensive, and are more likely to be purchased and used by well organized groups of phishers, rather than average users.
Multivariate pricing. The underground economy now appears to be characterized by pricing that is affected by a number of market forces, particularly supply and demand. Identities were available in bulk, at $100 for 50 items. Full identities were the third most common item advertised for sale on underground economy servers. The popularity of full identities may be due to their versatility, ease of use, and inclusion of additional information on individuals. Pricing in the underground economy also appears to be subject to value-added incentives. For instance, bank account information for accounts with higher balances, such as business accounts and EU accounts, was advertised for considerably more. Furthermore, in some cases, bank accounts that bundled in personal information -- such as names, addresses and dates of birth -- were advertised at higher prices than those without this extra information.
Adaptable business models. Symantec has observed that organizations and individuals currently operating within the underground economy appear willing and able to change their business models or adopt new ones in response to changes in the threat landscape. This change of business model is apparent in a decrease in the advertising of credit cards on underground economy servers and an increase in advertising for bank account credentials. With several recent high profile reports on lost credit card data, credit card companies may be more diligent in monitoring customers' credit card activities and quicker to inform customers of suspicious transactions. Because of this, attackers may be seeking different sources of financial information.
Rapid Adaptability of Attackers
Attackers have developed rapid adaptability to security measures that are continually developed to protect the computers of end users and organizations. In some cases, this adaptability takes the form of geographic mobility, particularly in the case of attackers who may relocate their operations in order to seek digital safe havens. Malicious groups are actively anticipating and planning for the need to adapt on the fly -- including the deployment of back-up servers to which they can turn when law enforcement agencies or ISPs threaten to shut down existing operations.
This summary was drawn from a longer report by Symantec.