Security Threats Outpace Net Usage Growth
More than 6 percent of e-commerce transactions were potentially fraudulent.
Verisign, which markets digital commerce and communication products and services to enterprise clients, reported that the number of security events per device it managed increased by nearly 99 percent between May and August of 2003.
According to the company's Internet Security Intelligence Briefing report for October 2003, the 51 percent year-over-year growth in Internet usage has been outpaced security and fraud threats, which are increasing both in number and complexity. "From a geographical perspective, the United States continued to be the leading source, accounting for nearly 81 percent of security events," Verisign said.
|Top Regions for Security
Events Generated, Q2 '03
Verisign claims it processes more than 10 billion DNS queries per day, more than three times the daily volume three years ago.
But, along with the heady growth of usage comes a major security threat. Data from Verisign's fraud prevention systems indicate that 6.2 percent of e-commerce transactions were potentially fraudulent, and over 52 percent of fraud attempts against Verisign merchants now originate from outside of the U.S.
|Top Source Regions for Fraud Attempts,
"There is increasing evidence of overlap between perpetrators of Internet fraud and security attacks," the company reported, noting that the data showed extremely high correlation (47 percent) between sources of fraud and sources of security attacks. "Attackers who gain control of Internet host machines are using these compromised hosts for both security attacks and fraudulent e-commerce transactions," according to the report.
Based on the evidence, Verisign warned that attacks in the future would be "more blended, more complex, more portent and more coordinated."
"The SoBig virus provides a great example of the sophistication of these threats," the company noted, referring to the destructive mass-mailing virus that carpet-bombed the Internet in September 2003 and reduced network traffic to a crawl.
"The worm had its own domain name resolution mechanism, and it was programmed to bypass the local DNS resolvers as well as any local cache, conceivably to make it spread more easily and therefore more potent. It was programmed to lookup for a DNS name of a recipient's e-mail address directly from A or B DNS root Servers," Verisign reported.
The company, which operates the A-root server, observed a 25 times increase in e-mail related DNS lookups (MX record lookups) per-second in its A-root cluster, noting that the traffic did not abate until September 10, when the virus was programmed to self-destruct.
"We believe this is the first time DNS root servers were used to speed up the rate infection, as a study of other well-known mass-mailing viruses such as Bugbear and Klez did not reveal similar increases in MX record lookups during their infectious periods," Verisign added.
The company said its network security team found a definite correlation between fraud attacks and network security attacks, a scenario which indicates that people who are attacking enterprise network perimeters are also likely to be committing online fraud.
"Hackers tend to attack a system to gain sensitive information such as credit cards or account logins which they can sell to other hackers, or they attack a system to gain privileged access (root access) to the machine which can also be traded with other hackers, or used to launch follow on attacks," the company warned.
In addition, intruders tend to use compromised hosts or proxies to hide their tracks. Once a hacker gains access to a machine, they tend to install a specific software called 'rootkit' which gives them the privileged access to the system. "The rootkit ensures the anonymity of the hacker by automatically deleting the important logs on the system that can be used to trace the hacker's activities," Verisign added.
After a privileged access is obtained and 'rootkit' installed, Verisign reported that hackers then use the compromised machine to attack other machines without being traced.