Modernizing Authentication — What It Takes to Transform Secure Access
Symantec's just-released 12th bi-annual Internet Security Threat Report confirms some trends that have been emerging and notes some new ones, as well.
The report covers malicious activity from Jan. 1 to June 30 of this year, and includes data gathered by Symantec's Global Intelligence Network. This consists of more than 40,000 sensors monitoring network activity in over 180 countries and sample code gathered by more than 120 million client, server, and gateway systems that have deployed Symantecs antivirus products.
Also, Symantec runs what it calls the Probe Network, a system of over 2 million decoy accounts to attract e-mail messages from 20 different countries around the world, which allows Symantec to measure global spam and phishing activity.
"Viruses are dropping in favor of theft," Zulfikar Ramzan, senior principal researcher in Advanced Threat Research at Symantec, told InternetNews.com. "Of the top 20 samples we received, 65 percent could threaten confidential info, and 88 percent of those were keystroke loggers. Goes to show hackers are much more after the financial benefits of their activities as opposed to the notoriety of it."
Making things worse is the commercialization of malware thanks to development kits that allow anyone to make a Trojan or worm. The most notorious is MPACK, written by a Russian crimeware gang, that Ramzan said goes for around $1,000. MPACK comes with sample code, making it easy to jumpstart the task.
"[Malware is] getting worse because developers aren't starting from scratch; they're taking existing work and making it worse," he said. In addition, Symantec found that 42 percent of phishing attacks were from 3 specific kits, none of which have a name.
In general, Ramzan said phishing operations can be completely outsourced and require no technical skills. All one needs is a kit to develop a phishing attack relatively easily, rent time on spam and phishing servers, buy a list of e-mail addresses from the underground economy, and go trolling.
Once you have a bunch of credit cards, bank accounts or identities, you can then turn around and sell them on underground servers. Ramzan found credit cards selling for 50 cents to $5, depending on the limit, bank accounts selling for $30 to $400 and identities selling for $6 to $100.
A lot of the crooks involved in this business actually treat it like a job. "We notice more activity on weekdays then weekends. There's a supply chain from the underground, commoditization of the tools, support contracts for the toolkits. There's an incredible amount of professionalization that's gone into this world," he said.
Overwhelmingly, the targets of attacks are home users. Symantec estimates 95 of all attacks in the last six months have been aimed at the home user, an increase from the 87 percent last year.
And those attacks are not aimed at vulnerabilities. Even though Symantec found all of the operating system vendors have improved their response times to when a vulnerability pops up, with the exception of HP, that's not where the criminals are going. Symantec found that exploits of vulnerabilities only made up 18 percent of attacks. The rest were simply looking for a sucker to click on the wrong link or run a file they shouldn't.