1. /
  2. Confident Insights Newsletter/
  3. Symantec Report: Attacks Increasingly Target Trusted Web Sites

Symantec Report: Attacks Increasingly Target Trusted Web Sites

May 13, 2008

Summary

The Internet has become the primary conduit of attack activity, and online users are increasingly infected simply by visiting everyday Web sites. At the same time, the number of new malicious code threats is skyrocketing.
The Internet has become the primary conduit of attack activity, and online users are increasingly infected simply by visiting everyday Web sites. At the same time, the number of new malicious code threats is skyrocketing.
Those are among the top conclusions of the latest Symantec Internet Security Threat Report (Vol. XIII, April 2008), which details trends and impending threats that were observed from July 1 to December 31, 2007. The report draws on security intelligence data gathered from an extensive range of sources, including millions of Internet sensors in over 180 countries.
Previously, users had to visit intentionally malicious sites or click on malicious email attachments to become a victim of a security threat. But today hackers are compromising legitimate Web sites and using them as a distribution medium to attack home and enterprise computers. According to the Symantec report, attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites.
"Avoiding the dark alleys of the Internet was sufficient advice in years past," said Stephen Trilling, vice president of Symantec Security Technology and Response, in a statement. "Today's criminal is focused on compromising legitimate Web sites to launch attacks on end users, which underscores the importance of maintaining a strong security posture no matter where you go and what you do on the Internet."

The rise of site-specific vulnerabilities

During the last six months of 2007, there were 11,253 site-specific cross-site scripting vulnerabilities reported on the Internet, compared to 6,961 in the first half of the year, according to the report. These refer to vulnerabilities found in individual Web sites. However, only 473 (about 4%) of these vulnerabilities were patched during the same period, representing an enormous window of opportunity for hackers looking to launch attacks.
In the words of the report: "These vulnerabilities are a concern because they allow attackers to compromise specific Web sites, which they can then use to launch subsequent attacks against users. This has shown to be an effective strategy for launching multistage attacks and exploiting client-side vulnerabilities."
Symantec also found that phishing continues to be a vexing problem. In the last six months of 2007, Symantec observed 87,963 phishing hosts (i.e., computers that can host one or more phishing Web sites). That's an increase of 167% compared with the first half of 2007. Of the brands targeted by phishing attacks during this period, 80% were in the financial sector.
In addition, the report determined that attackers are increasingly seeking confidential end-user information that can be fraudulently used for financial gain. In the last six months of 2007, 68% of the most prevalent malicious threats reported to Symantec attempted to compromise confidential information.

A maturing underground economy

In the previous Threat Report, a recurrent theme was the increased professionalization and commercialization of malicious activities. During the current reporting period, this tendency has continued to the point that Symantec believes it has evolved into a mature, consolidated underground economy. Symantec found that a full identity can be purchased in the underground economy for as little as $1.
One characteristic of this maturing underground economy involves the outsourcing of malicious activity. Automated phishing toolkits are an example of such outsourcing. A phishing toolkit is a set of scripts that allows an attacker to automatically set up phishing Web sites that spoof the legitimate Web sites of different brands, including the images and logos associated with those brands. In the words of the report: "Phishing toolkits are developed by groups or individuals and are sold in the underground economy. These sophisticated phishing kits are typically difficult to obtain and expensive, and are more likely to be purchased and used by well organized groups of phishers, rather than average users."
Symantec observed that the popularity of individual phishing toolkits changes quickly, which reflects the need for phishers to adapt in order to avoid detection by anti-phishing software. The change in phishing toolkits during the current reporting period also indicates that the number of toolkits is increasing and that attackers are using a greater number of different toolkits.

Steep rise in malicious code threats

At the same time, malicious threats that attackers had previously performed separately are now consolidating across the globe into networks of coordinated malicious activity.
In terms of sheer numbers, in the last six months of 2007, Symantec detected 499,811 new malicious code threats. That's a 136% increase over the previous period when 212,101 new threats were detected and a 571% increase over the second half of 2006. In total, Symantec detected 711,912 new threats in 2007 compared to 125,243 threats in 2006, an increase of 468%.
"This brings the overall number of malicious code threats identified by Symantec to 1,122,311 as of the end of 2007," the report observes. "This means that almost two-thirds of all malicious code threats currently detected were created during 2007."
Symantec also measured the release of both legitimate and malicious software during a portion of the current reporting period and found that 65% of the 54,609 unique applications released to the public could be categorized as malicious. This is the first time Symantec observed malicious software outpacing legitimate applications.

Spam trends

Not surprisingly, the latest Internet Security Threat Report shows that spam continues to be a problem for all users. In the last six months of 2007, spam made up 71% of all email traffic monitored at the gateway, a 16% increase over the last six months of 2006, when 61% of email was classified as spam. The report found that 80% of all spam detected during this period was composed in English, up from 60% in the previous reporting period. Also, 42% of all spam originated in the United States during the second half of 2007, a decrease from 50% in the previous period.

Conclusion

The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, and security risks.
According to the latest report, attackers have adopted stealth tactics that prey on end users on individual computers via the Web, rather than attempting high-volume broadcast attacks to penetrate networks. This may be because enterprise network attacks are now more likely to be discovered and shut down, while specifically targeted malicious activity on end-user computers and Web sites is less likely to be detected. Site-specific vulnerabilities are perhaps the most telling indication of this trend.
Click here to read Volume XIII of the Symantec Internet Security Threat Report.

Back to Newsletter