With the emergence of new attack techniques and the reinvention of old ones, 2008 has been a year of cybercriminal innovation.
That's the word according to the "MessageLabs Intelligence: 2008 Annual Security Report," released by Symantec on Thursday.
The report summarized the evolutions in spam, botnets, web-based attacks, the use of social engineering and targeted attacks that took place this year.
Among the findings: Malware distribution via social networking sites became more widespread and cybercriminals developed more sophisticated botnets, new ways to launch spam and launched more targeted enterprise attacks.
In a win for the security world this year, disruption of botnets caused spam levels to decrease, with the average global proportion of spam in email traffic down from 84.7 percent in 2007 to 81.2 percent this year.
“Certainly we don't take any comfort that spam is down overall from last year,” Paul Wood, senior analyst at MessageLabs, told SCMagazineUS.com Thursday. “I think it's a constantly shifting battleground, where the lines are shifted all the time.”
One of the shifts this year has been in the capabilities of botnets, he said. Having become more functional and agile, they are not just for sending out spam anymore. Botnets can launch distributed denial-of-service (DDoS) attacks, host malicious websites and are a lucrative business for bad guys who make their money charging for these services, Wood said.
Cybercriminals have put a lot of effort into botnet technology, making them more resilient and harder to disrupt, Wood said.
The report noted that 90 percent of spam this year was distributed by botnets, but cybercriminals also developed a new method to dole out the unwanted mail. Defeating CAPTCHA challenges enabled cybercriminals to generate, in large numbers, accounts from reputable web-based email and application services, using them to distribute 12 percent of the spam this year.
“This year there has been a lot of innovation on the part of the bad guys to take advantage of web-based services in ways they haven't been able to before,” Wood said.
For enterprises, the threat of web-based attacks overshadowed email threats this year, Doug Camplejohn, CEO of Mi5 Networks, told SCMagazineUS.com Thursday.
Companies have web security gaps — most organizations today are only doing light URL filtering, only stopping employees from going to bad websites, he said. That's not enough to protect them from botnets or other web-based threats.
“Companies invested a lot of energy into protecting their email channel and now need to put that protection in place for their web channel,” Camplejohn said.
Targeted trojans are an increasing threat to enterprises, the Symantec report showed. These aim to infect certain key individuals within an organization by utilizing social engineering techniques to appear legitimate. The number of such attacks increased from 10 per day last year to 53 per day this year. In 2006, MessageLabs reported one to two per day and in 2005, only one to two per week.
Wood said that though the number of targeted attacks is small, that doesn't mean companies should think they are immune.
“The concern you can have is it leads into a false sense of security...when it's in fact something like that that can be very damaging to your business,” Wood said.
It's relatively easy to build a trojan or malicious website that goes under the radar of current security tools, which are tuned to detect mass attacks and widespread viruses and trojans, Mickey Boodaei, CEO of web security firm Trusteer, told SCMagazineUS.com Thursday.
Targeted trojan attacks are usually carefully constructed, aimed at C-level executives, or others that have high-level access to the organization's systems, he said. And once a victim has downloaded and installed malware, the attacker may access everything the executive has access to, including sensitive emails, files, login credentials, customer and employee data.