Trust me, I'm in your social network
- By Craig Scroggie
- Published 05/1/2008
Online security threats increasingly target individuals
Con artists have been exploiting trust to part us from our cash for at least 500 years. The scam used to be called The Spanish Prisoner; nowadays we know it as the Nigerian “419” Advance Fee Fraud. So is there anything new under the sun when it comes to threats on the Internet?
Twice a year Symantec puts together a report on online threat activity over a six-month period. The latest Internet Security Threat Report makes for some interesting reading.
There are a couple of developments that really stood out for me. One is the trend for hackers to compromise legitimate websites and use them to distribute their malicious code.
Hackers are particularly targeting sites that people trust, like social networking sites, by exploiting site-specific vulnerabilities: those that affect the custom or proprietary web-application code of a specific website.
This means that the old rules of surfing the web – staying away from dodgy sites and not clicking on suspect email attachments – aren’t enough to keep you protected.
There’s been a shift in the way attackers operate. The primary conduit for their attacks is not the network anymore. It’s the web itself. In the second half of 2007, with the aid of the XSSed Project, we documented 11,253 site-specific cross-site scripting vulnerabilities – five times as many as the 2,134 software/hardware vulnerabilities.
Another number that struck me is the total of malicious threats detected. Online threats now top one million. Not exactly a magic milestone. And – get this – almost two thirds of these (711,912 of 1,122,311) were detected in 2007 alone.
These numbers tell a story. Malicious activity is becoming more targeted and specific as attackers go after confidential information that they can use fraudulently for financial gain. And they also show that attackers are adapting rapidly in response to additional security measures – tweaking their code, their approach and their technique.
In the second half of 2007, 65 percent of 54,609 unique applications deployed on Microsoft Windows PCs were malicious. As the volume of malicious code threats increases, overtaking legitimate applications, we anticipate that whitelisting – identifying the ‘good’ applications rather than blacklisting the ‘bad’ – will become more prevalent.
So once some shady character offshore somewhere has your personal details – what then?
They’re trading your details in a mature underground economy where the market forces of supply and demand determine prices. Just 40c US will pick you up US credit card information; one from a small European country will typically go for twice as much. The cost of a full identity depends on the location – EU identities are advertised at prices 50 percent higher than US identities. Maybe it’s the added attraction of a foreign accent, or rather that EU identities are harder to come by and can be used across multiple countries...
You can even get a discount rate for bulk orders – 50 US identities for US$100 anyone? – as well as value added incentives – bank account information for a business account or one with a nice healthy balance is advertised at a much higher price than a low balance personal account. These increasingly sophisticated attackers are after information, not computers or the devices containing the data, and they know the value of that information.
Phishing continues to plague internet users. Symantec saw more than five times as many phishing sites during the second half of 2007 as at the same time in 2006.
One of the factors contributing to this continued growth is the increasing availability of phishing toolkits on the underground economy, which make it easy for phishers to mount a campaign.
A trend that I think we’re going to see more of in the near future is attacks targeting portable media devices: USB flash drives, MP3 players and the like. As well as being a target for attack, like the floppy disks of old, these devices are a potential distribution system for malicious code. There have already been examples of malicious code being introduced during the manufacturing process. Would you like a complimentary Trojan with that?
I predict these devices will increasingly pose a threat to businesses in particular as companies struggle to control the gateway to their information.
It used to be enough to stick to the brightly-lit trusted areas of the internet to keep yourself safe online. Nowadays you have to maintain a strong security posture, be smart and use your common sense no matter what you do and where you go on the internet. I reckon that’s a small price to pay to enjoy the wonders of the world wide web.
You can read the full Symantec Internet Security Threat Report XIII here.
About the author Craig Scroggie
Craig Scroggie is Symantec’s Vice President for the Pacific region, encompassing Australia, New Zealand and the Pacific Islands, responsible for driving Symantec’s sales and business development. Scroggie serves as senior leader for the overall Symantec business in the Pacific region.