In September, Symantec released the tenth edition of the Internet Security Threat Report. A quick comparison with the first edition of the Report, released in January of 2002, shows just how dramatically the threat landscape has changed.
For example, since that first report, large Internet worms targeting everything and everyone have given way to smaller, more targeted attacks focusing on fraud, data theft, and criminal activity. Moreover, the days of Web site defacements and low-level information gathering attacks are largely behind us. Today we see encrypted bot networks, remotely initiated database breaches, sophisticated phishing scams, and customized malicious code targeting specific companies.
This article draws on the latest Threat Report to show how the new threat landscape is increasingly dominated by attacks and malicious code that are used to commit cybercrime.
The latest Threat Report, covering the first six months of 2006, documents an ongoing shift in the threat landscape. As enterprises adapt to the changing threat environment by implementing security best practices and defense-in-depth strategies, attackers have turned to new techniques. Today, researchers are seeing more targeted malicious code and targeted attacks aimed at client-side applications, such as Web browsers, email clients, and other applications. Such applications include word processors and spreadsheet programs, which open untrusted content downloaded by a network client.
Attackers are also reverting to older, non-technical means of compromise, such as social engineering, to launch successful attacks. Attack activity is thus shifting away from network infrastructures and operating system services toward attacks that focus on the end user as the weakest link in the security chain.
Consider these developments:
- In the first six months of 2006, the home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks. As home users represent a fertile resource for identity theft, it’s likely that many of the targeted attacks against them are used for fraud or other financially motivated crime.
- During this reporting period, 18% of all distinct malicious code samples detected by Symantec had not been seen before, indicating that attackers are more actively attempting to evade detection by signature-based antivirus and intrusion detection/prevention systems.
- During the first six months of 2006, 157,477 unique phishing messages were detected, marking an increase of 81% over the previous period. (Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain.)
- Bot networks (i.e., groups of compromised computers) are being used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, attack an organization, and harvest confidential information. Symantec identified more than 4.6 million active bot network computers during this period.
- Symantec documented a higher volume of vulnerabilities in this reporting period (2,249) than in any other previous six-month period.
Previous editions of the Internet Security Threat Report have speculated that malicious code would eventually become a more prominent security issue. The latest Threat Report appears to bear out that speculation.
Increasingly, financially motivated attacks use modular malicious code to expose sensitive information. Modular malicious code is malware that, once it has established a foothold on the victim host, updates itself or downloads a more aggressive threat. Threats to confidential information can be used by attackers for financial gain. By using modular malicious code, attackers may be able to download and simultaneously install a confidential information threat on a large number of compromised computers.
While the increase in phishing activity was noted above, it is also worth observing that phishers today are going to greater lengths than ever to evade detection. For example, phishers attempt to bypass filtering technologies by creating multiple randomized messages and distributing them in a broad, uncontrolled fashion. These variations often consist of minor changes or differences in the URLs included in the email messages. By spreading a campaign across a large number of domains in a short period, attackers extend the useful life of each one: tracking and taking down every domain used takes so much effort that authorities find it harder to shut them down.
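The randomized-URL tactic described above is easier to see through on the filtering side once the URLs are masked out of each message. The following example, added here and not taken from the Threat Report or from any Symantec tool, clusters a constructed batch of messages by their URL-stripped template and flags templates that recur with links to many different registered domains. The message texts, domains and thresholds are all constructed for illustration; the registered-domain extraction is a deliberate simplification (last two host labels) that real tooling would replace with the Public Suffix List.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

# Constructed sample messages (not real phishing mail): one lure template mailed
# with randomized links across several domains, plus one unrelated legitimate message.
SAMPLE_MESSAGES = [
    "Dear customer, your account is on hold. Verify at http://secure-login.example-bank-a.net/u/7f3a2 today.",
    "Dear customer, your account is on hold. Verify at http://x91.example-bank-b.org/verify?id=zz81 today.",
    "Dear customer, your account is on hold. Verify at http://example-bank-c.info/k/Q2b9 today.",
    "Dear customer, your account is on hold. Verify at http://secure-login.example-bank-a.net/u/9ab1 today.",
    "Hi team, the weekly report is at http://intranet.example.com/reports/week36",
]


def registered_domain(url: str) -> str:
    """Crude registered-domain extraction: the last two labels of the host.
    Adequate for the constructed samples; production code should use the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def template_of(message: str) -> str:
    """Replace every URL with a fixed token so randomized links collapse to one template."""
    return URL_RE.sub("<URL>", message).strip()


def cluster_by_template(messages):
    """Group messages by URL-masked template, tracking how many messages and how many
    distinct registered domains each template was seen with."""
    clusters = defaultdict(lambda: {"count": 0, "domains": set()})
    for msg in messages:
        tpl = template_of(msg)
        clusters[tpl]["count"] += 1
        for url in URL_RE.findall(msg):
            clusters[tpl]["domains"].add(registered_domain(url))
    return clusters


def suspicious_templates(messages, min_messages=3, min_domains=2):
    """A template reused across many messages AND pointing at many registered domains
    matches the randomized-variant pattern; return such templates in sorted order."""
    return sorted(
        tpl
        for tpl, info in cluster_by_template(messages).items()
        if info["count"] >= min_messages and len(info["domains"]) >= min_domains
    )


if __name__ == "__main__":
    for tpl, info in cluster_by_template(SAMPLE_MESSAGES).items():
        print(f"{info['count']} message(s), {len(info['domains'])} domain(s): {tpl}")
    print("flagged templates:", suspicious_templates(SAMPLE_MESSAGES))
```

Grouping on the template rather than on the URL is the point: the four lure messages differ only in their links, so a URL or domain blocklist sees four unrelated items, while the masked template sees one campaign spread over three registered domains.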
Further evidence that financial gain is the motivation behind many of today’s threats: nine of the top 10 "phished" brands in the first half of 2006 were in the financial services sector.
Like recent phishing attacks, which are changing to evade detection, bot networks are evolving too. Bot network owners are increasingly discreet about the number of machines they bring online at any one time. This is due primarily to the increased awareness among end users and organizations of bots and bot networks. Large numbers of bot network machines acting in a coordinated fashion are often easily identifiable, making it easier for ISPs to detect and shut down these networks. Also, some bots and bot networks are reportedly using encrypted channels to communicate, which can make them much more difficult to detect.
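The observation above that coordinated bot activity is easy to identify, while encrypted channels hide the payload, suggests a detection that relies on connection metadata alone. The following example is added here and is not from the Threat Report or from any Symantec product: it scans constructed flow records (timestamp, internal source, external destination, port) and reports destinations that receive connections from many distinct internal hosts inside a short window, a fan-in pattern that an encrypted channel does not conceal. All addresses, ports, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst, dport); not captured from a real network.
# 203.0.113.5:6667 receives a burst from five internal hosts within seconds.
FLOWS = [
    ("2006-06-01T10:00:00", "10.0.0.11", "203.0.113.5", 6667),
    ("2006-06-01T10:00:01", "10.0.0.12", "203.0.113.5", 6667),
    ("2006-06-01T10:00:02", "10.0.0.13", "203.0.113.5", 6667),
    ("2006-06-01T10:00:03", "10.0.0.14", "203.0.113.5", 6667),
    ("2006-06-01T10:00:04", "10.0.0.15", "203.0.113.5", 6667),
    ("2006-06-01T10:00:05", "10.0.0.11", "203.0.113.5", 6667),  # repeat from the same host
    ("2006-06-01T10:00:10", "10.0.0.21", "198.51.100.7", 443),
    ("2006-06-01T10:05:00", "10.0.0.22", "198.51.100.7", 443),
    ("2006-06-01T10:45:00", "10.0.0.31", "203.0.113.9", 443),
    ("2006-06-01T11:30:00", "10.0.0.32", "203.0.113.9", 443),
]


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def coordinated_destinations(flows, window=timedelta(seconds=60), min_hosts=5):
    """For each (dst, dport), find the largest number of DISTINCT internal sources that
    contacted it within any `window`-long span. Destinations reaching `min_hosts` are
    returned with that peak count. Payload is never inspected, so an encrypted control
    channel is still visible through this fan-in pattern."""
    by_dest = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_dest[(dst, dport)].append((parse_ts(ts), src))

    hits = {}
    for dest, events in by_dest.items():
        events.sort()
        peak, start = 0, 0
        # Two-pointer sliding window: advance `start` until the span fits in `window`,
        # then count distinct sources between start and end inclusive.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({src for _, src in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_hosts:
            hits[dest] = peak
    return hits


if __name__ == "__main__":
    for (dst, dport), hosts in coordinated_destinations(FLOWS).items():
        print(f"{dst}:{dport} contacted by {hosts} distinct internal hosts within 60s")
```

The threshold is exactly what the operators described above are working around: a bot network that brings only a handful of machines online at a time stays under `min_hosts`, so this check catches the noisy case and should be paired with longer-window baselining of destinations that few hosts ever contact.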
Understanding the current threat landscape is critical in helping to protect enterprise users’ online interactions and ensure the availability of critical systems. Increasingly, attackers see end users as the weakest link in the security chain and are constantly targeting them in an effort to profit. As a result, they are now using a variety of techniques to escape detection and prolong their presence on systems in order to gain more time to steal information, hijack the computer for marketing purposes, or compromise confidential information.
The current threat intelligence contained in the Internet Security Threat Report, combined with Symantec Best Practices, can help enterprises ensure the highest degree of security for their users.