Trend Micro 2010 Future Threat Report
Virtualization, Cloud-Computing and a Shifting Internet Infrastructure Will Widen the Scope of Cybercrime
Using news headlines and the latest technological trends, cybercriminals are brilliantly agile at exploiting whatever is trendy for cash and profit. Now, the growing popularity of cloud computing and virtualization among companies is likely to catch the attention of criminals scheming for the next hot cyber-swindle.
According to the Trend Micro 2010 Future Threat Report, cloud computing and virtualization — while offering significant benefits and cost-savings — move servers outside the traditional security perimeter and expand the playing field for cybercriminals. The industry already witnessed Danger/Sidekick’s cloud-based server failure that caused major data outages in November 2009, highlighting cloud-computing risks that cybercriminals will likely abuse. Trend Micro believes cybercriminals will either be manipulating the connection to the cloud, or attacking the data center and cloud itself.
The Internet infrastructure is changing, opening more opportunities for cybercrime
The “next-generation” protocol designed by the Internet Engineering Task Force, Internet Protocol v. 6, is still in the experimentation stages of replacing the current IPv4, now 20 years old. As users start to explore IPv6, so will cybercriminals, and we can expect to see proof-of-concept elements in IPv6 start to materialize in the upcoming new year. Possible avenues for abuse include new covert channels or C&C. But don’t expect active targeting of IPv6 address space–at least not in the very immediate future.
Domain names are becoming more internationalized and the introduction of regional top-level domains (Russian, Chinese, and Arabic characters) will create new opportunities to launch age-old attacks through look-alike domains for phishing – using Cyrillic characters in place of similar looking Latin characters. Trend Micro predicts this will lead to reputation problems and abuse that will challenge security companies.
Social media and social networks will be used by cybercriminals to enter the users’ “circle of trust”
Social engineering will continue to play a big role in the propagation of threats. But given the increasing saturation of social media with content intended to be shared via online social interactions, cybercriminals will definitely try to penetrate and compromise popular communities more than ever in 2010.
Social networks are also ripe venues for stealing personally identifiable information (PII). The quality and quantity of data posted openly by most trusting users on their profile pages, combined with interaction clues, are more than enough for cybercriminals to stage identity thefts and targeted social engineering attacks. The situation will worsen in 2010, with high-profile personalities suffering from online impersonators or stolen bank accounts.
The extinction of global outbreaks, and the growth of localized, targeted attacks
The threat landscape has shifted and we are no longer seeing global outbreaks like Slammer or CodeRed. Even the much covered Conficker incident of 2008 and early 2009 was not a global outbreak by its true definition; rather it was a carefully orchestrated and architected attack. Moving forward, localized and targeted attacks are expected to grow in their number and sophistication.
More key forecasts for 2010 and beyond:
– It’s all about money, so cybercrime will not go away.
– Windows 7 will have an impact since it is less secure than Vista in the default configuration.
– Risk mitigation is not as viable an option anymore-even with alternative Browsers /alternative operating systems.
– Malware is changing its shape – every few hours.
– Drive-by infections are the norm – one Web visit is enough to get infected.
– New attack vectors will arise for virtualized/cloud environments.
– Bots can’t be stopped anymore, and will be around forever.
– Company/Social networks will continue to be shaken by data breaches.
Source: Trend Micro Incorporated
Security Trends to Watch in 2010 – Symantec
Symantec 2010 Security Predictions
Antivirus is Not Enough – With the rise of polymorphic threats and the explosion of unique malware variants in 2009, the industry is quickly realizing that traditional approaches to antivirus, both file signatures and heuristic/behavioural capabilities, are not enough to protect against today’s threats. We have reached an inflection point where new malicious programs are actually being created at a higher rate than good programs. As such, we have also reached a point where it no longer makes sense to focus solely on analyzing malware. Instead, approaches to security that look to ways to include all software files, such as reputation-based security, will become key in 2010.
Social Engineering as the Primary Attack Vector – More and more, attackers are going directly after the end user and attempting to trick them into downloading malware or divulging sensitive information under the auspice that they are doing something perfectly innocent. Social engineering’s popularity is at least in part spurred by the fact that what operating system and Web browser rests on a user’s computer is largely irrelevant, as it is the actual user being targeted, not necessarily vulnerabilities on the machine. Social engineering is already one of the primary attack vectors being used today, and Symantec estimates that the number of attempted attacks using social engineering techniques is sure to increase in 2010.
Rogue Security Software Vendors Escalate Their Efforts – In 2010, expect to see the propagators of rogue security software scams take their efforts to the next level, even by hijacking users’ computers, rendering them useless and holding them for ransom. A less drastic next step, however, would be software that is not explicitly malicious, but dubious at best. For example, Symantec has already observed some rogue antivirus vendors selling rebranded copies of free third-party antivirus software as their own offerings. In these cases, users are technically getting the antivirus software that they pay for, but the reality is that this same software can actually be downloaded for free elsewhere.
Social Networking Third-Party Applications Will be the Target of Fraud – With the popularity of social networking sites poised for another year of unprecedented growth, expect to see fraud being leveraged against site users to grow. In the same vein, expect owners of these sites to create more proactive measures to address these threats. As this occurs, and as these sites more readily provide third-party developer access to their APIs, attackers will likely turn to vulnerabilities in third-party applications for users’ social networking accounts, just as we have seen attackers leverage browser plug-ins more as Web browsers themselves become more secure.
Windows 7 Will Come into the Cross-Hairs of Attackers - Microsoft has already released the first security patches for the new operating system. As long as humans are programming computer code, flaws will be introduced, no matter how thorough pre-release testing is, and the more complex the code, the more likely that undiscovered vulnerabilities exist. Microsoft’s new operating system is no exception, and as Windows 7 hits the pavement and gains traction in 2010, attackers will undoubtedly find ways to exploit its users.
Fast Flux Botnets Increase – Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious Web sites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection, it makes it difficult to trace the botnets’ original geo-location. As industry counter measures continue to reduce the effectiveness of traditional botnets, expect to see more using this technique being used to carry out attacks.
URL Shortening Services Become the Phisher’s Best Friend - Because users often have no idea where a shortened URL is actually sending them, phishers are able to disguise links that the average security conscious user might think twice about clicking on. Symantec is already seeing a trend toward using this tactic to distribute misleading applications and we expect much more to come. Also, in an attempt to evade antispam filters through obfuscation, expect spammers to leverage shortened URLs shorteners to carry out their own evil deeds.
Mac and Mobile Malware Will Increase – The number of attacks designed to exploit a certain operating system or platform is directly related to that platform’s market share, as malware authors are out to make money and always want the biggest bang for their buck. In 2009, we saw Macs and smartphones targeted more by malware authors, for example the Sexy Space botnet aimed at the Symbian mobile device operating system and the OSX. Iservice Trojan targeting Mac users. As Mac and smartphones continue to increase in popularity in 2010, more attackers will devote time to creating malware to exploit these devices.
Spammers Breaking the Rules – As the economy continues to suffer and more people seek to take advantage of the loose restrictions of the CAN SPAM Act, we’ll see more organizations selling unauthorized e-mail address lists and more less-than-legitimate marketers spamming those lists.
As Spammers Adapt, Spam Volumes Will Continue to Fluctuate – Since 2007, spam has increased on average by 15 percent. While this significant growth in spam e-mail may not be sustainable in the long term, it is clear that spammers are not yet willing to give up as long an economic motive is present. Spam volumes will continue to fluctuate in 2010 as spammers continue to adapt to the sophistication of security software, the intervention of responsible ISPs and government agencies across the globe.
Specialized Malware – Highly specialized malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited. Expect this trend to continue in 2010, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting, such as that connected with reality television shows and competitions.
CAPTCHA Technology Will Improve – As this happens and spammers have a more difficult time breaking CAPTCHA codes through automated processes, spammers in emerging economies will devise a means to use real people to manually generate new accounts for spamming, thereby attempting to bypass the improved technology. Symantec estimates that the individuals employed to manually create these accounts will be paid less than 10 percent of the cost to the spammers, with the account-farmers charging $30-40 per 1,000 accounts.
Instant Messaging Spam - As cybercriminals exploit new ways to bypass CAPTCHA technologies, instant messenger (IM) attacks will grow in popularity. IM threats will largely be comprised of unsolicited spam messages containing malicious links, especially attacks aimed at compromising legitimate IM accounts. By the end of 2010, Symantec predicts that one in 300 IM messages will contain a URL. Also, in 2010, Symantec predicts that overall, one in 12 hyperlinks will be linked to a domain known to be used for hosting malware. Thus, one in 12 hyperlinks appearing in IM messages will contain a domain that has been considered suspicious or malicious. In mid 2009, that level was 1 in 78 hyperlinks.
Non-English Spam Will Increase – As broadband connection penetration continues to grow across the globe, particularly in developing economies, spam in non-English speaking countries will increase. In some parts of Europe, Symantec estimates the levels of localized spam will exceed 50 percent of all spam.
Source: Symantec Corp
WatchGuard announces Top Threats to education
Education-related Threats Expected to Rise – According to the U.S. Department of Homeland Security, 25 percent of all cyber-security breaches involve schools, and although a majority of educators believe that their campus networks are more secure now than last year, WatchGuard predicts that significant breaches, vulnerabilities and threats will continue to plague schools and universities. WatchGuard deems the following to be the leading network, application and data threats to education:
– Malware & Spyware - As students and faculty utilize the Web for education as well as entertainment purposes, many unwittingly expose themselves to drive-by downloads, or corrupted websites, which injects malicious forms of software on their computers. Once infected, they risk becoming victims of identity theft or loss of personal information via spyware and keyloggers.
– Viruses – Today, e-mail remains to be one of the primary vectors for delivering viruses. Unfortunately, a recent survey showed that 27 percent of users fail to keep their antivirus signatures up to date. With viruses taking on innovative polymorphic properties, antivirus signatures alone may not be enough to stop the next wave of new viruses to come.
– Botnets – It has been estimated that 15 to 20 percent of all school and university computers connected to the Internet may be part of a botnet. As part of a botnet, school and university systems may be used in a variety of unknown exploits, including spam delivery, denial of service attacks, click-fraud, identity theft and more.
– Phishing – Phishing scams continue to get more sophisticated and selective, with students being specifically targeted. A recent report states that phishing attacks via social networks achieve a success rate of over 70 percent, which indicates that a majority of students are vulnerable to phishing scams.
– Hacking - In a recent survey of education IT professionals, 23 percent ranked student hackers as one of their greatest threats to their network security. Whether the hacks are designed to alter grades or for more sinister purposes, student hackers continue to push the envelope for network and data protection.
– Access Control – Usage of mobile devices and wireless access continues to plague network administrators. Concerns of thwarting unauthorized user access to education IT resources is top of mind with many administrators. As use of mobile devices escalates, schools will face
increasing challenges in managing authorized network access.
– Social Networks – The number one threat to school and university networks is social networks, such as Facebook and MySpace. Unfortunately, social networks act as an ideal platform to launch a myriad of attacks against students and faculty, including spam, viruses, malware, phishing and more. Adding to this, socially engineered attacks are often extremely successful due to the “trusted” environment that social networks create.
– Because of the sensitive nature of student and faculty information, such as social security numbers, credit card information, and other personal identifying data at risk, WatchGuard recommends that schools and universities review their security controls and IT policies regularly to ensure they have the most effective, up-to-date security solutions in place.
Source: WatchGuard Technologies
U.S. ranks 9th in Global PC Infection Report, according to PandaLabs
Average number of worldwide infections grew 15 percent over last month – Global infection ratio hits all time high this year at nearly 60 percent
PandaLabs, Panda Security’s malware analysis and detection laboratory, announced that it has detected a 15 percent increase in the total number of malware-infected computers in September in comparison to the previous month of August. According to data gathered from users that scanned and disinfected their computers with the free Panda ActiveScan online antivirus, the average infection ratio rose to 59 percent, the highest rate this year.
In comparison to the infection rates of 29 countries, the U.S. ranks ninth with an infection ratio of 58.25 percent, just below the worldwide average. Taiwan has the most infected PCs, with a 69.10 percent corruption, followed by Russia and China at 67.99 percent and 61.97 percent, respectively. The country with the least infections is Norway at 39.60 percent. To view a table that outlines the percentage of infected computers by country, please visit: http://www.flickr.com/photos/panda_security/3963144168/.
According to Luis Corrons, Technical Director of PandaLabs, “There is a false sense of security, as users perceive there to be no real danger at the moment. When their computers get infected, they rarely notice any symptoms.”
Panda’s study revealed that U.S. computers are infected by the most dangerous malware strains: Trojans, followed by adware, worms and viruses. To see the number and types of malware on infected computers in the U.S., please visit: http://www.flickr.com/photos/lithium-/3963437003/sizes/o/.
“This is a clear sign that hackers are becoming more and more sophisticated,” explains Corrons. “Cybercriminals have found news ways to spread their creations, frequently exploiting the latest news stories to launch attacks through social networks, videos, and email. The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data.”
PandaLabs uncovers online Facebook password hacking service
According to its Ukraine-based creators, hacking an account costs $100, payable through Western Union
PandaLabs, Panda Security’s malware analysis and detection laboratory, today announced the discovery of an online service that promises to hack into any Facebook account for $100. The creators claim, “Any Facebook account can be hacked,” promising to provide clients with the login and password credentials to access any account on the popular social networking site.
According to Luis Corrons, Technical Director of PandaLabs, “The service’s real purpose may be hacking Facebook accounts as they say, or profiting from those that want to try the service. In any case, the Web page is very well designed. It is easy to contract the service and become either the victim of an online fraud, or a cyber-criminal and accomplice in identity theft. Once an intruder hacks into a Facebook account, all personal data published on the site can be stolen. Similarly, those accounts can also be used to send malware, spam or other threats to the victim’s contacts. In the case of celebrities of other well-known entities, they can be used to defame the account holder, spread information in their name, etc. In any event, this is criminal activity.”
In addition to extorting money and obtaining access to clients’ bank account information, the service also has characteristics in line with hacker affiliate programs. Common among cybercriminals, hacker affiliate programs offer other cybercriminals money to spread malware. This strategy is now being used with everyday Internet users through this Facebook hacking site, by offering extra dollar-credits to spend on the service when users hack more accounts. They can become affiliates to help hackers reach a broader audience, receiving 20 percent of what they sell in credits for hacking more accounts.
It is likely that the cybercriminals behind this operation are members of an Eastern European Internet mafia because payments are conducted online through Western Union wire transfers to a payee in Ukraine. The domain that hosts the service is registered in Moscow, providing further evidence of this theory.
The company claims to have been offering this service for four years with only one percent of accounts hack-proof. In these cases, they offer clients a money-back guarantee. However, the domain is just a few days old.
A series of images illustrating the sales flow can be found on the PandaLabs blog: http://www.pandalabs.com/.