Security Response
Showing posts tagged with Internet Security Threat Report
David McKinney | 27 Nov 2008 13:16:30 GMT | 0 comments

The newly released Symantec Report on the Underground Economy discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services. In particular, I’d like to highlight some of the things we observed in analyzing the trade in malicious tools.

One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where...

Marika Pauls Laucht | 26 Nov 2008 10:22:03 GMT | 0 comments

The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough supply, the goods available for purchase are virtually limitless.

As stated in the Symantec Report on the Underground Economy, credit card information was the most popular category of goods and services available for sale, accounting for almost one-third of the total observed. This category included credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. (The CVV2 number is a three- or four-digit number on the credit card and is used for card-not-present transactions, such as Internet or phone purchases. This number helps to verify that...

Téo Adams | 25 Nov 2008 12:24:21 GMT | 0 comments

One topic of discussion in the recently released Symantec Report on the Underground Economy is software piracy. Software piracy occurs primarily in two basic forms: physical counterfeiting and file sharing. Counterfeiters create unauthorized physical copies of software intended for sale as legitimate products (though often the attempt to create a realistic valid copy is minimal). The motivation of counterfeiters is typically financial gain, and customers who know that the software is counterfeit are likely trying to save money. In contrast, piracy by means of file sharing—whether by copying a disc for a friend, uploading files using a peer-to-peer (P2P) application, or some other means—is not typically profitable for the people who share the files. The advent of rapid P2P file-sharing protocols has provided a readily available means for people to distribute and obtain...

M.K. Low | 24 Nov 2008 14:42:14 GMT | 0 comments

Underground economy servers are black market forums used to advertise and traffic stolen information. The information can include government-issued identification numbers such as Social Security numbers, credit card information, bank account credentials, personal identification numbers, email address lists, and email accounts. They can also provide services to facilitate these illegal activities and can include cashiers who withdraw funds from the stolen accounts, scam page hosting, and job advertisements for roles such as scam developers or phishing partners.

Symantec's Report on the Underground Economy shows that there are a wide variety of goods and services being advertised on underground economy servers, and many of these goods and services form a self-sustaining marketplace. Participants in this fraud can obtain goods by a variety of means; credit card and banking...

M.K. Low | 10 Jul 2008 15:14:29 GMT | 0 comments

The costs of most goods are so much higher than they were 30 years ago. Back then, cars were under $10,000 (I remember this because the Price is Right only had four missing digits in their Lucky Seven game). You could feed a family of four for $10 and even have change left over to buy a 25 cent candy bar. But what can you buy for $10 in 2008? I could buy just under three gallons of gas for my car, which would probably last me a couple of days. I could buy lunch at the local sushi place but only lunch since there wouldn't be enough left to buy something to drink. Or, I could buy 10 United States identities.


On underground economy servers, criminals sell a variety of illegal goods and services including bank account credentials, credit card numbers, and full identities. Typically, these goods are used for identity theft related activities. In the...

Joseph Blackbird | 11 Apr 2008 17:53:05 GMT | 0 comments

Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking (spoofing) a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts.


During the second half of 2007, the majority of brands targeted by phishing attacks were in the financial services sector, accounting for 80 percent. This is virtually unchanged from the 79 percent reported in the first half of 2007. The financial services sector also accounted for the highest volume of phishing Web sites during this period, at 66 percent, down slightly from 72 percent in the first half of 2007. Since most phishing activity pursues financial gain, successful attacks using brands in this sector are most likely to yield profitable data, such...

Marc Fossi | 10 Apr 2008 22:17:28 GMT | 0 comments

In late May 2007, the MPack attack kit was first observed in the wild. This kit relied on compromised Web pages to redirect users to an MPack server that attempted to exploit Web browser and plug-in vulnerabilities in order to install malicious code on computers. MPack experienced great success because it took advantage of the trust many users place in certain Web sites. Since the Web browser is the primary gateway to the Internet for most users, Web pages that they visit frequently—such as online forums and other Internet communities—are a useful means of compromising computers for attackers.

Because of the success of kits like MPack and Ice-Pack, it seems that malicious code authors have begun to incorporate similar features in the threats they create. In the current period, seven percent of the volume of the top 50 malicious code samples...

David McKinney | 09 Apr 2008 07:00:00 GMT | 0 comments

With the launch of volume XIII of the Symantec Internet Security Threat Report (ISTR), I’d like to discuss some of the highlights we’ve seen in vulnerability trends for the last six months of 2007.

Zero-days in regional applications

During the last six months of 2007, Symantec observed a trend towards zero-day vulnerabilities that target applications in China and Japan. Of the nine zero-day vulnerabilities tracked during this period, seven affected popular Japanese and Chinese applications, such as JustSystem Ichitaro, Lhaz, GlobalLink, SSReader Ultra Star Reader, and Xunlei Web Thunder. This is a change from previous periods, where we saw attackers concentrate on vulnerabilities in Microsoft Office. It will be interesting to see if attackers continue to focus on region-specific applications. So far this year, we’ve already seen a zero-day attack targeting the Lianzong game platform. However, we’ve also seen a zero-day targeting Microsoft Excel.


M.K. Low | 08 Apr 2008 07:00:00 GMT | 0 comments

Volume XIII of the Symantec Internet Security Threat Report shows that, on a global scale, overall malicious activity seems to be relatively static, with the countries listed in the top 20 unchanged from the first half of 2007. It appears that once an attack infrastructure is established in a country, it becomes entrenched and is difficult to remove. Although malicious tools and methods may change, the proportion of malicious activity that originates within a country tends not to change dramatically. And, as was again observed in the second half of 2007, these types of activities continued the trend towards big money, with attackers switching their tactics to more effective profit-generating schemes.

This trend is further highlighted by the distribution of goods and services advertised on underground economy servers. Underground economy servers are black market...

Marc Fossi | 17 Sep 2007 07:00:00 GMT | 0 comments

In a military operation, a beachhead is a point where an attacking force landing by sea reaches a beach and defends it until reinforcements arrive. At this point, the reinforcements will expand the attack. What can this possibly have to do with malicious code? In the last six months, we’ve seen a large shift towards multistage attacks as described in Volume XII of the Symantec Internet Security Threat Report. The first stage of a typical multistage malicious code attack consists of a small and quiet initial downloader Trojan being installed on a computer. This initial stage may disable security applications on the computer, then download other malicious code as part of a secondary stage attack (expanding the beachhead).

Of great concern is that the secondary stages usually allow the attackers to perform a wider variety of attacks against the user. The later stages are often back...