Today’s threat environment is characterized by an increase in data theft and data leakage, and the creation of malicious code that targets specific organizations for information that can be used for financial gain.
That’s the conclusion of the latest Symantec Internet Security Threat Report, released March 19. The semi-annual report, one of the most anticipated works of research in the global IT community, also finds that increasingly refined attack methods are being supported by growing global networks of cyber criminals.
“In the more than five years that we've produced the Internet Security Threat Report, we have seen many shifts in attacker behavior, motivation, and execution,” says Dean Turner, editor of the Threat Report. “But it is safe to say that attackers are now fixated on obtaining confidential information, remaining undetected, then selling or otherwise exploiting that information for profit. Gone are the days of hobbyists or look-at-me code writers creating the majority of the problems in the connected world. Identity theft is the motivator.”
Covering the period from July to December 2006, the latest Threat Report documents high levels of malicious activity across the Internet, with increases noted in phishing, spam, bot networks, Trojans, and zero-day threats.
The report shows how “underground economy” servers are used by criminals to sell stolen information, usually for later use in identity theft. This data can include government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists. And they’re selling at bargain-basement prices.
“U.S.-based credit cards with a card verification number were available for between $1 to $6, while an identity -- including a U.S. bank account, credit card, date of birth, and government-issued identification number -- was available for between $14 and $18,” the report states.
“This is the first time we looked at the underground economy, and one of the more interesting things we found is a maturing of the [underground] marketplace,” Vincent Weafer, senior director of Symantec’s Security Response team, told Computerworld. “It’s run on a business model, where qualified data, like a qualified sales lead, is worth more.”
Among other findings:
- Symantec reported more than 6 million distinct bot-infected computers worldwide during the second half of 2006, representing a 29% increase from the previous period.
- Symantec documented 12 zero-day vulnerabilities between July and December 2006. Only one was found in the previous reporting period.
- Theft or loss of a computer or data storage medium, such as a USB memory key, made up 54% of all identity theft-related data breaches.
- Over the last six months of 2006, Symantec detected a total of 166,248 unique phishing messages, an average of 904 per day, marking a 6% increase over the first six months of the year.
- For the first time, Symantec identified the countries with the highest amount of malicious activity originating from their networks. The United States had the highest proportion of overall malicious activity, with 31%; China was second, with 10%; and Germany was third, with 7%.
- The government sector accounted for 25% of all identity theft-related data breaches, more than any other sector.
The report also documents a rise in threats to confidential information. Looking at the top 50 malicious code samples, Symantec researchers found that two-thirds of them threaten confidential data in some way. In the last Threat Report, just under half of the top 50 targeted confidential information. Within that group of confidential information threats, 62% involved some means of exporting user data, such as user names and passwords, up from 38% in the first half of 2006.
“You can see the evolution at work here,” Symantec’s Turner says. “Attackers have figured out what is working best for them and are continually refining those attacks, or enhancing the number or the quality of them, to get what they are after: personal information, which means money.”
Symantec researchers also found that spam continues to rise as a percentage of email traffic, extending a long-observed trend. But it is increasingly a part of coordinated attacks, combined with malicious code and online fraud. An example is a “pump-and-dump” scheme, in which spam messages tout a low stock, inflating its price, until the cyber criminals unload their stock for large profits, leaving the duped with worthless shares. “Pump-and-dump” spam accounted for 30% of the total spam related to the financial services industry in the second half of 2006.
The Internet Security Threat Report is based on Symantec data collected from more than 40,000 sensors deployed in more than 180 countries, in addition to a database that covers more than 20,000 vulnerabilities affecting more than 30,000 technologies from more than 4,000 vendors. Symantec also reviews more than 2 million decoy accounts that attract email messages from 20 different countries around the world.
The entire Internet Security Threat Report, which includes Symantec’s recommended “Enterprise Best Practices,” can be downloaded here