Cybercrime was alive and well last year according to MarkMonitor, Symantec, Trend Micro and ZapThink. The worse news is that 2011 is expected to be another banner year for cybercriminals as they get more creative with their capers, hatching botnets, malware, phishing scams and other manner of pestilence.
2011 will also see the advancement of attacks against the cloud and, even worse, the proliferation of cyberwarfare that began in earnest in 2010. Witness the battle between the WikiLeaks supporters and credit card companies. The cybercrime underworld will see more consolidation as increased global and public attention is focused on their misdeeds.
Experts interviewed agree that in years past it used to be about hacking the big corporations, but now enterprises and even small and medium-sized businesses are under attack, and the attacks are all more sophisticated. The consensus is that cybercrime is about money, and it’s going to get uglier.
Botnets and spam and malware, oh my!
Symantec’s annual MessageLabs Intelligence Report was released by the company’s Hosted Services group. It showed that cybercriminals are thriving and have diversified their tactics to sustain spam and malware at high levels throughout the year. As detection and prevention technology made advancements to thwart the attacks, the criminals’ technology became stealthier.
According to the report, chief among the offenders are botnets that proved resilient for another year, creating fluctuations in spam levels. E-mail-borne malware also increased a hundredfold.
In August, spam rates peaked at 92.2% of all e-mail received by accounts monitored by Symantec when the Rustock botnet was put to use with new malware variants, delivering an overall increase of 1.4% compared to 2009. Average spam levels for 2010 reached 89.1%, and for most of the year, spam from botnets accounted for 88.2% of all spam. According to the report, the closure of the Spamit spam affiliate in early October resulted in a reduction of spam to 77%. The top three botnets this year were Rustock, Grum and Cutwail, according to the Symantec report.
Despite organizations’ best efforts, resilient botnet tactics such as leveraging high-profile events and using popular URL-shortening services and social networks to bypass spam filters have enabled cybercriminals to keep spam campaigns alive.
The outlook is no brighter, because the perpetrators are turning to still newer technologies for attacking businesses. The report predicts that, in 2011, botnet controllers will employ steganography to control compromised computers: hiding their commands in plain view in image or music files distributed through file-sharing or social-networking websites. This approach would let criminals surreptitiously issue instructions to their botnets without relying on an ISP to host command infrastructure, reducing the chances of discovery.
As for malware, 2010’s standout security threat was the “Here you Have” virus. On Sept. 9, the virus used old mass-mailer techniques to send malicious e-mails, peaking at 2,000 blocked e-mails per minute. In total, MessageLabs’ Anti Virus service alone blocked more than 100,000 copies of the virus before it reached any client networks. The report also said there were more than 339,600 different malware strains identified in malicious e-mails blocked, representing a more than hundredfold increase since 2009.
Paul Wood, MessageLabs’ Intelligence senior analyst, said: “With the rise of targeted attacks come variations in the execution and attack complexity. Typically, between 200 and 300 organizations are targeted each month, but the industry sector varies and high-seniority job roles are most frequently targeted, often by way of a general or assistant’s mailbox.
“While, five years ago, large and well-known organizations were often targeted, today the scope of targeted organizations has expanded, and now no organization is safe from attack.”
Cybercrime goes mobile
The proliferation of mobile devices creates new opportunities for nefarious activity. New scams specific to mobile devices, like “smishing” and “vishing,” steal personal information like PINs, bank account and credit card numbers. Smishing combines SMS texting with phishing. The criminal sends out text messages duping the user into calling a phone number or logging into a fake site where they are asked to give out personal information. Vishing is the same scam, except via voicemail.
In addition to infiltration into the mobile space, Trend Micro’s 2011 Threat Prediction report warns that while cloud computing and virtualization offer several benefits, they are at increased risk because servers are moved outside the traditional security perimeter. This exposure expands the playing field for cybercriminals and increases security demands on cloud service providers.
Trend Micro expects increased proof-of-concept attacks (some of which will be successful) against cloud infrastructure and virtualized systems in 2011. According to the report, cybercriminals will test how to successfully infiltrate and misuse a monoculture in the cloud, knowing that the desktop monoculture will disappear. Trend Micro also expects that the growing number of operating systems, programs and browsers, coupled with explosive growth in vulnerable applications, will provide fertile ground for cybercriminals to put a new spin on social engineering via “malware campaigns.” Campaigns against already targeted, unpatchable and widely used legacy systems like many of the Windows OSes will continue.
Trend Micro also believes that in addition to adding enterprises and small-to-medium businesses to their big-business targets, cybercriminals will take aim at security vendors’ brands in order to cause confusion and insecurity among their customers. The company predicts that some security vendors will run into trouble with their inability to store all the threat information with local signatures. They will retire old signatures, which will lead to infections from old malware. In addition, it expects to see increased use of stolen legitimate digital certificates to avoid detection in malware attacks.
The availability of easy-to-use underground toolkits hit highs in 2010 and will contribute to attacks against mid-sized companies going into 2011. These toolkits make it particularly easy to take aim at specific types of organizations. Using ZeuS, which targeted small businesses, as an example, Trend Micro believes that the number of localized, targeted attacks will continue to increase in sophistication.
Phishing in new waters
Among other subjects, MarkMonitor puts out quarterly fraud intelligence reports that include data for emerging phishing sectors, quarterly phish attack trends grouped by sectors, and geographical phishing data for targeted brands by regions and countries within each region.
A high percentage of phishing attacks are directed at financial services such as banks or payment centers. In 2010, the payment services sector accounted for 38% of phishing attacks in the second quarter, and the financial sector, usually most favored by phishers, accounted for 33%. In the third quarter, the financial sector accounted for 41% and the payment services sector accounted for 29%.
The good news was that the third quarter saw no major spikes in phishing attacks. This is unusual, since historically they spike during this timeframe. The bad news was that the second quarter saw a 14% increase in volume over the previous quarter, to 111,552 attacks; phishing attack volume then declined 5% in the third quarter, to 105,446 attacks.
MarkMonitor saw classified advertising as the emerging target for phishers. The company said that in the second quarter, the online classifieds sector became the third largest phishing target, growing 142% from the first quarter, and grew another 80% in the third quarter.
The most heavily targeted brands by location were North American brands and Western European brands. By a wide margin, North American brands attracted the most phishing attacks, accounting for 78% of total attacks in the second quarter and 80% in the third quarter. Western European brands were in second place, with 15% in the second quarter and 13% in the third quarter.
North America took first in hosted attacks at 64% in the second quarter and 60% in the third quarter, with Western Europe placing second, hosting 17% of attacks in the second quarter and 20% in the third quarter.
Frederick Felman, CMO of MarkMonitor, predicted that in 2011 phishers will have richer waters to work in due to the growing domain name population. “The domain name space is expanding greatly due to international character sets being allowed in domain names; this expansion will propel even greater growth in Internet usage by folks all over the globe, some of whom will be using the Internet for the first time,” he said.
“In 2011, we believe that phishers will target this new set of less-experienced users who may be more easily fooled using tried-and-true phishing techniques hosted on these new local language domain names.”
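The domain-name expansion Felman describes is also what makes look-alike (homograph) domains possible: a label built from Cyrillic or Greek letters can render exactly like a Latin brand name, and a first-time user has no way to tell them apart. The Python below is an added example, not MarkMonitor's code. It decodes punycode (`xn--`) labels with the standard library, flags labels that mix scripts, and maps a small constructed subset of look-alike letters to their Latin counterparts so the result can be compared against a watch list of brand labels. The watch list, the sample domains and the confusables table are all constructed for illustration; a production check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed subset of non-Latin letters that render like Latin ones in
# common fonts (a real deployment would load Unicode's confusables.txt).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed watch list of brand labels this check protects (hypothetical).
WATCHLIST = {"apple", "examplebank"}


def to_unicode(domain):
    """Decode any punycode (xn--) labels of a domain into their Unicode form."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep as-is so it still gets examined
        labels.append(label)
    return ".".join(labels)


def scripts_of(label):
    """Set of Unicode scripts used by the letters of a label (digits and '-' ignored)."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # allowed in every script, so never evidence of mixing
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """Replace known look-alike letters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_domain(domain, watchlist=WATCHLIST):
    """Return findings for one domain: decoded form, per-label scripts,
    whether a label mixes scripts, and which watch-listed brand (if any)
    a label imitates once look-alike letters are normalised."""
    unicode_form = to_unicode(domain)
    findings = {
        "unicode": unicode_form,
        "non_ascii": not unicode_form.isascii(),
        "scripts": [],
        "mixed_script": False,
        "imitates": None,
    }
    for label in unicode_form.split("."):
        used = scripts_of(label)
        findings["scripts"].append(sorted(used))
        if len(used) > 1:
            findings["mixed_script"] = True
        normalised = skeleton(label)
        # A label that only *becomes* a brand after normalisation is a look-alike;
        # the genuine brand label is unchanged by skeleton() and is not flagged.
        if normalised != label and normalised in watchlist:
            findings["imitates"] = normalised
    findings["suspicious"] = findings["mixed_script"] or findings["imitates"] is not None
    return findings


# Constructed samples: the punycode form is derived here rather than typed in.
PUNYCODE_SAMPLE = "\u0430pple.com".encode("idna").decode("ascii")  # Cyrillic 'a' + "pple"
ALL_CYRILLIC_SAMPLE = "\u0430\u0440\u0440\u04cf\u0435.com"          # every letter Cyrillic
SAMPLES = [PUNYCODE_SAMPLE, ALL_CYRILLIC_SAMPLE, "apple.com", "b\u00fccher.example"]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze_domain(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{sample:28} -> {result['unicode']:16} {verdict:10} "
              f"mixed={result['mixed_script']} imitates={result['imitates']}")
```

The two checks are complementary: the mixed-script test catches a label that swaps one Latin letter for a Cyrillic one, while the skeleton comparison catches a label written entirely in Cyrillic look-alikes, which is single-script and would pass the first test. A legitimate non-ASCII name such as the German `bücher.example` is neither mixed-script nor a brand look-alike, so it is left alone; the goal is to flag imitation, not internationalised names as such.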
Cyberwarfare: Coming to a theater near you
This scourge seems to be coming of age sooner than most experts expected. Smaller organizations not directly targeted will in many cases still be affected. Ronald Schmelzer, Managing Partner at ZapThink, gave an example in his recent newsletter.
“Your company uses Google for mail, a specialty Software-as-a-Service supplier for its B2B network that just happens to use Amazon’s cloud computing infrastructure, and processes its online payments with an Internet-based credit card gateway,” he said. Next, he laid out the destruction.
“The first thing that the company notices is that it can’t process payments because the credit card processor is under siege. Then its B2B network goes down because Amazon is under attack. Finally, you can’t even send requests for support to either the card processor or the B2B network because Gmail is down due to a distributed denial of service attack.”
He pointed out that at this point, the company is effectively knocked off the net from a business standpoint, even if its own website is up and operational.
This example isn’t pure fiction. WikiLeaks hacktivists launched attacks against the companies named in his theoretical example (except for Google) and it doesn’t bode well for MasterCard or PayPal that they could be brought down for minutes at a time. ZapThink pointed out that PostFinance, a Swiss bank that shut off WikiLeaks funding, was down for over 33 hours.
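Schmelzer's scenario is a dependency-chain failure: the company owns none of the services that went down, yet loses every customer-facing function while its own website stays up. The Python below is an added example, not ZapThink's code, that maps business functions to the third parties they depend on and computes which functions are lost for a given set of provider outages, following dependencies transitively (the B2B network fails through its SaaS supplier's cloud provider, which the company never chose directly). The service names and the map itself are hypothetical, chosen to mirror the scenario in the text.

```python
# Constructed service map mirroring the scenario: each key is a service or
# business function, each value lists what it directly depends on.
SERVICE_MAP = {
    "online_payments": ["card_gateway"],      # Internet-based card processor
    "b2b_network":     ["saas_supplier"],     # specialty SaaS supplier
    "saas_supplier":   ["amazon_cloud"],      # the supplier's own hosting
    "support_email":   ["gmail"],             # company mail
    "public_website":  ["own_hosting"],       # run by the company itself
}

# The functions the business actually cares about (hypothetical).
BUSINESS_FUNCTIONS = ["online_payments", "b2b_network", "support_email", "public_website"]


def is_down(service, outages, graph=SERVICE_MAP, _seen=None):
    """True if `service` is in `outages` or transitively depends on something that is."""
    if _seen is None:
        _seen = set()
    if service in outages:
        return True
    if service in _seen:
        return False  # already explored (or a cycle): no new evidence of failure
    _seen.add(service)
    return any(is_down(dep, outages, graph, _seen) for dep in graph.get(service, []))


def impacted_functions(outages, graph=SERVICE_MAP, functions=BUSINESS_FUNCTIONS):
    """Sorted list of business functions lost when the given providers are down."""
    down = set(outages)
    return sorted(f for f in functions if is_down(f, down, graph))


def blast_radius(provider, graph=SERVICE_MAP, functions=BUSINESS_FUNCTIONS):
    """Business functions that a single provider outage would take with it."""
    return impacted_functions([provider], graph, functions)


def hidden_dependencies(graph=SERVICE_MAP, functions=BUSINESS_FUNCTIONS):
    """Providers a function relies on only indirectly, i.e. through another supplier.
    These are the ones a contract or risk review is most likely to have missed."""
    hidden = {}
    for f in functions:
        direct = set(graph.get(f, []))
        stack, seen = list(direct), set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(graph.get(node, []))
        indirect = sorted(seen - direct)
        if indirect:
            hidden[f] = indirect
    return hidden


if __name__ == "__main__":
    # The scenario from the text: card processor, Amazon and Gmail under DDoS.
    scenario = ["card_gateway", "amazon_cloud", "gmail"]
    print("Lost functions:", impacted_functions(scenario))      # website survives
    print("Amazon alone:  ", blast_radius("amazon_cloud"))       # reaches b2b_network
    print("Hidden deps:   ", hidden_dependencies())
```

Running the scenario shows three of four functions lost even though the company's own hosting is untouched, which is the point the example makes. `hidden_dependencies()` is the part worth keeping in practice: it lists the providers a function reaches only through another supplier, so that an availability review covers the cloud behind the SaaS vendor and not just the vendor itself.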
Ralph Langner, President of Langner Communications of Hamburg, Germany, is a cyber-security expert and leading researcher in SCADA security. In an interview for the International Analyst Network, he detailed his research on the Stuxnet malware.
Stuxnet was first discovered in July 2010 by the Belarus-based security firm VirusBlokAda. It is a Windows-specific worm, and it is not the first time that hackers have targeted industrial systems, but it is the first discovered worm that spies on and reprograms industrial systems, and the first that has a programmable logic controller rootkit. It was written to attack Supervisory Control And Data Acquisition (SCADA) systems that control industrial processes. It has the capability to reprogram programmable logic controllers and hide its changes.
According to Langner, a new era in cyberwarfare has begun, and it must be taken with the utmost seriousness by security and military specialists around the world.
“Stuxnet marks the starting point for a new era of real cyberwarfare, meaning physical destruction. Follow-up attacks are possible. All the militaries across the world should learn from this experience and build their security systems,” he said.
“This is a type of cyberwarfare weapon that can inflict great physical damage to industrial systems. All should analyze what happened here in order to prepare for the future because it is going to be formed by these kinds of technological advances. In contrast to the past, Stuxnet destroys the physical infrastructure and can paralyze the capabilities of an industry and even a state.”