The tool makers

Threats are increasing. Symantec reported that it detected 1,656,227 malicious code threats in 2008, equal to 60 percent of all threats detected since the report began in 2002. Ramzan said that the numbers in 2008 are not strictly comparable to those from 2002 because criminals now have tools to automate the modification of malicious code. "They can create a hundred variants automatically," he said. "They're part of the same family, but they're not one instance and not one hundred."

The report attributed the increase in part to a better-functioning underground market, with vendors competing to provide such products as customized malicious code and phishing kits.

Although some criminals work alone or in small groups, the report identified one large cyber crime organization: the Russian Business Network (RBN), which Ramzan said started out as hosts for online criminals.

"Traditionally, their business was renting out hosting space for people carrying out cyber crime operations," he said. "They were the landlord to the underworld. Recently, we suspect that they have crossed the line and begun participating by building attack tool kits and selling them and even by carrying out criminal operations."

"They've done a bit of everything," Ramzan added.

Another such group, Ramzan said, is the Rock Phish group, which is responsible for a significant amount of all phishing attacks.

The enterprise threat

While individual users have cause to fear that their credit card or bank account is at risk because that information is so popular in the criminal underground, enterprise users should fear items that appear in the marketplace only occasionally, Ramzan said. "We occasionally see one-offs that don't make it to the report."

In its 2007 mid-year report (available in PDF format), for example, the company conducted a study that concluded that "between January 1 and June 30, 2007, four percent of malicious activity detected by Symantec originated from the IP address space of Fortune 100 companies."

Symantec has not since repeated the study, although Ramzan said the evidence indicates that criminals occasionally rent time on a stolen machine that others can use to launch attacks.

Despite such findings, he said he worries that security awareness is actually decreasing -- because criminals are better at hiding what they do.

"The profit-driven attacker wants to get onto your system without being noticed and stay for the longest time," he said. "Attacks are more silent, so awareness has gone down. People's level of awareness must be increased."
