ISTR XIII: Attack Trends Continue to Move towards Profit
Volume XIII of the Symantec Internet Security Threat Report shows that, on a global scale, overall malicious activity seems to be relatively static, with the countries listed in the top 20 unchanged from the first half of 2007. It appears that once an attack infrastructure is established in a country, it becomes entrenched and is difficult to remove. Although malicious tools and methods may change, the proportion of malicious activity that originates within a country tends not to change dramatically. And, as was again observed in the second half of 2007, these types of activities continued the trend towards big money, with attackers switching their tactics to more effective profit-generating schemes.
This trend is further highlighted by the distribution of goods and services advertised on underground economy servers. Underground economy servers are black market forums used by criminals to trade stolen information and advertise services that are typically used to commit identity fraud. Information that can be used for financial gain continues to be the focus of the servers—bank account credentials, credit card information, and full identities made up the top three advertised items, representing almost half of the total. This is not surprising, since buyers want to make money from their purchases. Criminals seem to be more focused on buying goods that can make them large amounts of money quickly, rather than on exploits that require more time and resources, such as scam pages and email lists for spamming.
A noticeable result of this trend is that sellers are catering to the demand for financial information by lowering their advertised prices. For example, the price for stolen bank accounts decreased by a third, to as little as $10 USD per account, and identities were selling for a bargain-basement price of $1 USD per item, down from $10 USD. Stopping just short of “But wait, there's more!” some vendors were packaging freebies, such as social security numbers, birthdates, and bank account security answers (for example, mothers' maiden names) in order to attract buyers. Vendors were also giving additional discounts to sellers for buying in bulk. Bulk rates for credit cards were 50 credit card numbers for $40 USD ($0.80 each) and 500 credit card numbers for $200 USD ($0.40 each).
Another indicator that attackers are more motivated by profit is the increase in bot-infected computers in the last half of 2007. Attackers can use bots for a variety of illegal tasks, such as spam and phishing attacks, distributing spyware and adware, and harvesting confidential information from compromised computers, which are all highly lucrative. In "Operation Bot Roast II," the FBI arrested suspected botnet owners from across the United States who were linked to criminal activities, such as conducting multi-million dollar phishing and spamming scams and stealing personal information that could lead to identity theft. Since the investigation began in June 2007, eight people have been indicted for crimes related to botnet activity and over $20 million in economic losses have been reported.
For more information about the threat landscape, please see Volume XIII of Symantec's Internet Security Threat Report.