Cyber attacks are increasing, and they’re becoming more and more sophisticated.
So concludes the latest Symantec Internet Security Threat Report. Released in April, the report provides an overview and detailed analysis of the Internet threat landscape in 2009. Increasingly, that landscape is one in which attacks have evolved from simple scams to sophisticated espionage campaigns, targeting some of the world’s largest corporations and government entities.
Continue reading to learn more about the key trends in cyber crime observed by Symantec in 2009.
Based on data collected by tens of millions of Internet sensors, first-hand research, and active monitoring of hacker communications, volume XV of the Internet Security Threat Report finds that malicious code is more rampant than ever. In fact, Symantec identified more than 240 million distinct new malicious programs in 2009, a 100% increase over 2008.
The report also sheds light on the following trends:
- Targeted attacks on enterprises are increasing, with Web-based attacks continuing to be a favored attack vector. As the report explains, “this type of attack begins with some reconnaissance on the part of attackers. This can include researching publicly available information about the company and its employees, such as from social networking sites. This information is then used to create specifically crafted phishing email messages, often referred to as spear phishing, that target the company or even specific staff members.” According to the separately released Symantec State of Enterprise Security Report 2010, 75% of enterprises surveyed experienced some form of cyber attack in 2009, showing that this issue is not limited to a few larger enterprises. These attacks cost enterprise businesses an average of $2 million per year. Organizations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues, and IT compliance issues. Symantec determined that 60% of all data breaches that exposed identities were the result of hacking.
- Malicious activity continues to take root in emerging countries. A previous edition of the Symantec Internet Security Threat Report noted a shift in malicious activity to emerging countries. In 2009, this trend became even more pronounced. For the first time since Symantec began examining malicious activity by country in 2006, a country other than the United States, China, or Germany ranked in the top three. In 2009 Brazil ranked third in malicious activity, behind the United States and China, respectively. Brazil’s significant increases across all categories of malicious activity are related to the growing Internet infrastructure and broadband usage there, according to Symantec. India also experienced a surge in malicious activity in 2009, moving from 11th place for overall malicious activity in 2008 to fifth last year. India accounted for 15% of all malicious activity in the Asia-Pacific/Japan region in 2009, an increase from 10% in 2008.
- Readily available malicious code kits are making it simple for neophyte attackers to mount attacks. The report found that cyber crime attack toolkits continue to lower the bar to entry for new cyber criminals, making it easy for unskilled attackers to compromise computers and steal information. One such toolkit, called Zeus, which can be purchased for as little as $700, automates the process of creating customized malware capable of stealing personal information. Using kits such as Zeus, attackers created millions of new malicious code variants in an effort to evade detection by security software. Adds the report: “These kits have gained enough popularity among cyber criminals that competition and new business models have arisen. For example, the SpyEye kit, in addition to stealing information, also has the ability to detect if a computer already has Zeus installed and, if so, to intercept its communications. In another example, the Fragus exploit kit contains mechanisms to prevent buyers from reselling their copies of it.”
- Web-based attacks show no signs of slowing down. Attackers in 2009 (and today) typically leverage social engineering techniques to lure unsuspecting users to malicious websites. These sites then attack the victim’s Web browser and vulnerable plug-ins normally used to view video or document files. In particular, 2009 saw dramatic growth in the number of Web-based attacks targeting PDF viewers; these accounted for 49% of observed Web-based attacks. That’s a sizeable increase from the 11% reported in 2008. Mozilla Firefox had the most reported vulnerabilities in 2009, with 169, while Internet Explorer had just 45. Nevertheless, Internet Explorer was still the most attacked browser. According to the report, “this shows that attacks on software are not necessarily based on the number of vulnerabilities in a piece of software, but on its market share and the availability of exploit code as well.”
- The online underground economy is benefiting from the downturn in the global economy. As Stephen Trilling, Senior Vice President of Symantec Security Technology and Response, has put it: “While the above ground economy suffers, the underground economy has remained consistently steady.” That continued to be the case in 2009. While a number of large financial institutions around the world were severely affected by the recent global financial crisis, the downturn didn’t hinder the underground economy or cyber crime targeting financial services in any significant way. In 2009, the financial sector remained the sector most heavily targeted by phishing attacks, accounting for 74% of the brands used in phishing campaigns. The next closest sector was Internet service providers, at just 9%. In addition, Symantec estimates that the top 10 bot networks now control at least 5 million compromised computers. Throughout 2009, Symantec saw botnet-infected computers being advertised in the underground economy for as little as 3 cents per computer.
- The Conficker worm continues to be prevalent. Conficker, unleashed in the closing days of 2008, exploited flaws in Microsoft Windows to co-opt machines and link them to a virtual computer commanded remotely by its authors. It spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with an estimated 6.5 million government, business, and home computers in over 200 countries under its control by the end of 2009. So far, machines infected with Conficker have not been used for any significant criminal activity, but the threat remains viable.
As the latest Symantec Internet Security Threat Report amply demonstrates, the threat landscape continued to evolve in 2009, with significant growth in both the volume and sophistication of cyber crime attacks. Symantec encourages all enterprises to adhere to the basic security best practices outlined in the report. Above all, that means employing defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method.