Phishers were also able to use real https: links to convince visitors to believe that the site was secure by compromising the Web sites of legitimate businesses that supported Secure Sockets Layer (SSL) encryption, which meant that browsers would present a “secure” padlock symbol.
The HTML below shows an https: link that used a valid SSL certificate belonging to a hosting company. A client of that hosting company had been compromised and was being used to host the “secure” phishing site.
<a href="https://my.secure-ssl.net/[redux].net.mx/[bank].co.uk/1.php jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovqIDV_URL=[redux].My[redux]_pib">https://www.[bank].co.uk</a>

An example of a phishing attack using a compromised SSL Web site

Another botnet, ASPROX, was almost exclusively designed for conducting phishing attacks. When ASPROX first appeared it was principally a phishing Trojan; however, subsequent advances have transformed it into a botnet capable of infecting vulnerable Web sites using SQL injection attacks. It is written in ASP (Active Server Pages) and automatically generates the HTTP GET requests used to reach vulnerable Web sites’ database servers.
The content injected into those sites includes a number of different browser exploits, each tried against the visitor in an attempt to compromise them.
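The padlock in the anchor above proves only that the browser is talking to my.secure-ssl.net over an encrypted connection; it says nothing about whether that host is the bank. What misleads the visitor is the visible link text. The following Python check, added here as an illustration and not code from the report, flags anchors whose visible text names a different registrable domain than the one the href actually points to. The sample HTML is constructed: the hosting company's hostname is the one quoted in the report, while the bank hostname and the redacted path are stand-ins, and the second-level-label rule is a small heuristic rather than a full public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the anchor quoted in the report: the hosting
# company's hostname is the quoted one, the bank and the path are stand-ins.
SAMPLE_HTML = """
<p>Please confirm your details:
<a href="https://my.secure-ssl.net/redacted.net.mx/examplebank.co.uk/1.php">https://www.examplebank.co.uk</a></p>
<p><a href="https://www.examplebank.co.uk/login">https://www.examplebank.co.uk</a></p>
<p><a href="https://www.examplebank.co.uk/help">Click here</a></p>
"""

# Short generic second-level labels under which the registrable name sits one
# label deeper (assumption: a small heuristic, not the full public-suffix list).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Heuristic registrable domain: last two labels, or three under co/com/org/..."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_in_text(text: str):
    """Hostname the visible link text appears to name, if any."""
    m = URL_IN_TEXT.search(text)
    return m.group(1).lower() if m else None


def find_deceptive_links(html: str) -> list:
    """Anchors whose visible text names a different domain than the href leads to."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = urlsplit(href.strip()).hostname
        text_host = host_in_text(text)
        if href_host and text_host and registrable(href_host) != registrable(text_host):
            findings.append({
                "href_host": href_host,
                "text_host": text_host,
                # True means the browser would still show a padlock for this link
                "tls_padlock": href.strip().lower().startswith("https://"),
            })
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"link text claims {f['text_host']} but points at {f['href_host']} "
              f"(https: {f['tls_padlock']})")
```

Only the first anchor is reported: its text names the bank while the href host is the hosting company, and the https: scheme means the padlock would still appear. The second anchor agrees with its text and the third has no hostname in its text, so neither is flagged.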
5.3 Phishing predictions for

Reputation Hijacking Flourishes

In July 2008, a vulnerability emerged in the fundamental design of the DNS (Domain Name Service) protocol. An attacker could, in theory, poison a server’s local store (or “cache”) of hostnames and associated IP addresses, causing someone sending an email or requesting a Web site via a polluted server to be given the wrong IP address. In the case of email, this might mean a message is routed to a rogue mail server and then read or copied, before being forwarded to its intended recipient. Both the original sender and final recipient would remain blissfully unaware that the information contained in the email may have been intercepted and harvested for valuable data.
In the case of the Web, it might mean the victim is taken to a counterfeit Web site designed to mimic a genuine Web site that the victim regularly uses. The attack would involve persuading the unsuspecting victim to voluntarily divulge personal information, credit card details and passwords that can be deployed as part of a financial fraud or identity theft scam. This differs from traditional phishing attacks in a key way – the attacker doesn’t need to fool the victim into trusting a hostname that looks plausibly similar to the expected one. Instead, they actually masquerade as the legitimate server itself, which the victim may have bookmarked or stored in their address book.
Bearing in mind the enormous amount of resources habitually deployed by the organized gangs that are responsible for almost all online crime, as well as the number of vulnerable systems and the existence of publicly available exploit code, exploiting this DNS vulnerability may not be very technically demanding. Even after patches were deployed in August 2008 to protect vulnerable servers from attack, it became clear that the vulnerability had not been eliminated – it had merely been slowed down.
The greatest concern is that, as more toolkits are created to make the attacks easier to conduct, botnets (armies of zombie computers controlled remotely by criminals unknown to the computers’ owners) could be used to bang on a server’s door with thousands of attempts, enabling an attacker to poison a DNS server in a matter of days, if not hours.
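Why the 2008 patches slowed the attack down rather than eliminating it comes down to how many values a forged reply has to match. Two details not stated on the page are assumed here as background: a DNS transaction ID is 16 bits, and the August 2008 patches added a random UDP source port to every query. The Python below, an added illustration and not code from the report, models each forged reply as an independent guess and compares the number of guesses (and hours at an assumed forged-reply rate, a constructed figure) needed for an even chance of a poisoned entry on an unpatched resolver versus a port-randomizing one.

```python
import math

# Background assumed here, not stated on the page: 16-bit transaction ID (RFC 1035)
# and, after the August 2008 patches, a random UDP source port per query.
TXID_BITS = 16
EPHEMERAL_PORTS = 64511          # assumed usable range 1024..65535 after randomization


def guess_space(port_randomized: bool) -> int:
    """Number of equally likely (transaction ID, source port) pairs a spoofed
    reply must match before the genuine answer arrives."""
    return (2 ** TXID_BITS) * (EPHEMERAL_PORTS if port_randomized else 1)


def success_probability(space: int, attempts: int) -> float:
    """P(at least one of `attempts` independent forged replies matches)
    = 1 - (1 - 1/space)^attempts, computed via log1p for precision."""
    return 1.0 - math.exp(attempts * math.log1p(-1.0 / space))


def attempts_for(space: int, target_prob: float) -> int:
    """Smallest number of forged replies giving at least `target_prob`
    chance of a poisoned cache entry."""
    return math.ceil(math.log(1.0 - target_prob) / math.log1p(-1.0 / space))


def poisoning_outlook(packets_per_second: float = 10_000.0,
                      target_prob: float = 0.5) -> dict:
    """Compare an unpatched resolver with a port-randomizing one at an assumed
    forged-reply rate (the rate is a constructed figure, not one from the report)."""
    outlook = {}
    for label, randomized in (("unpatched", False), ("port-randomized", True)):
        space = guess_space(randomized)
        n = attempts_for(space, target_prob)
        outlook[label] = {
            "guess_space": space,
            "attempts": n,
            "hours_at_rate": n / packets_per_second / 3600.0,
        }
    return outlook


if __name__ == "__main__":
    for label, row in poisoning_outlook().items():
        print(f"{label:16s} space={row['guess_space']:>13,d} "
              f"attempts={row['attempts']:>13,d} time={row['hours_at_rate']:.2f} h")
```

At the assumed rate the unpatched case needs tens of thousands of forged replies and falls in seconds, while source-port randomization multiplies the search space by roughly 64,000 and pushes the same even chance into days. That is exactly the gap a botnet sending from many hosts at once can close, which is why DNSSEC, rather than more entropy in the query, is the measure the text goes on to recommend.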
Businesses that rely on DNS name servers hosted by their Network Service Provider (NSP) or Internet Service Provider (ISP) need to reassure themselves that their provider has taken the threat very seriously and put in place measures to deal with it effectively. Such measures include comprehensive patching and assurances that the threat has been effectively mitigated. Businesses should also consider future adoption of DNSSEC – security extensions to the DNS protocol that provide support for digital signing of domain records and their validation.
However, rollout of DNSSEC is not straightforward, and it relies on the root and top-level domains, such as .com, being digitally signed. In August 2008, the U.S. .gov domain published plans to mandate DNSSEC on domains belonging to major agencies by December 2009. Currently only a few domains do this; although there are workarounds that enable DNSSEC-aware domains to validate each other, it is certainly important for businesses to consider DNSSEC deployment during 2009.
Following on from the vulnerability in the fundamental design of the DNS (Domain Name Service) protocol that emerged in mid-2008 and afforded the opportunity to corrupt the cache of a DNS server, MessageLabs Intelligence predicts that phishing attacks will focus on exploiting vulnerable DNS domains and Web sites, and less on the traditional approach of hosting the easier-to-spot typo-like domains, where a cursory glance may not spot the fallible Web address. Businesses will be expected to examine wider adoption of DNSSEC (DNS Security Extensions) as a means to mitigate potential DNS attacks.
419 Scams Lose Their Elaborate Prose

In 2009, Nigerian-style 419, or advance fee fraud, scams may become harder to recognize at first glance as the messages will contain only one or two sentences, rather than the rambling prose that has typically identified such scams. The true nature of the scam will likely be revealed slowly, as the target is invited to reply to find out more about the “unique business opportunity” offered. Additionally, scammers are expected to also make greater use of email attachments to convey their messages with more detail, enabling the scam to bypass traditional anti-spam filters.
6 Global and Business: Top Threats of

6.1 Geographic breakdown: top-5 countries and industries targeted

6.1.1 Spam

Email spam intercepted: top 5 countries
  Hong Kong        81.3%
  Switzerland      79.8%
  France           78.3%
  Austria          78.2%
  Israel           76.9%

6.1.2 Email Malware

Email viruses intercepted: top 5 countries
  Switzerland      1.45%   (1 in 69)
  France           1.34%   (1 in 74)
  Hong Kong        1.10%   (1 in 91)
  India            1.09%   (1 in 91)
  United Kingdom   1.00%   (1 in 99)

6.2 Malware: top-5 threats

6.2.1 Email

Email viruses intercepted: top 5
  Exploit/Link-aliaspostcard       13.8%
  Link/HackedPacker-pe              9.9%
  Exploit/Link.gen                  9.8%
  Link/HackedPacker Malprotector    5.9%
  Exploit/SuspiciousLink            5.2%

6.2.2 Web

Web viruses intercepted: top 5
  W32/Winko.worm!cfg      27.6%
  Iframe                  22.7%
  New Malware.f            7.0%
  Generic Downloader.bk    4.2%
  JS/ForcePopup.A          4.0%

Web access blocked by policy: top 5
  Advertisements & Popups  49.7%
  Chat                     21.3%
  Streaming Media           5.1%
  Games                     2.6%
  Personals & Dating        1.9%

Web potentially unwanted programs intercepted: top 5
  PUP:Server FTP.Win32.Tftpd   57.3%
  PUP:SaveNow                  10.5%
  PUP:WhenU                     6.5%
  PUP:MyWeb Search              3.6%
  PUP:Remote Admin.Win          3.4%

(Web figures cover the period 28 Oct - 10 Nov.)

7 Conclusions

7.1 Cloud-based threats: Cloud-based solution

The botnet threat is growing and increasing in technical sophistication, requiring a depth of defense to safeguard businesses against the risks they present with the attacks they deliver.
The collective capacity of botnets already surpasses many of the world’s supercomputers. Botnets are becoming increasingly flexible in their functionality, simultaneously sharing resources across many criminal operations. In effect, botnets are a manifestation of “virtualized” cyber-crime.
Cloud-based computing environments, in which data and information are stored or processed on servers within the fabric of the Internet, will become increasingly targeted in 2009, according to MessageLabs Intelligence experts. Especially vulnerable are those that have the ability to host a native Windows platform.
7.2 Key Emerging Markets – BRIC (Brazil, Russia, India and China)

As discussed previously in this report, the BRIC countries are among the most populous in the world and offer enormous potential for expansion in the future.
Internet use in China grew significantly throughout 2008. Chinese Internet users accessed more information online like breaking news stories and used the Internet for online shopping and banking. Broadband adoption in China reached 19.1% by the end of June 2008 and reportedly overtook the U.S. with more than 71.6 million subscribers, compared with 70.2 million in the U.S., 21 million in Germany and 16.4 million in the UK (according to Dittberner).
By the latter half of 2008, more spam targeting Chinese domains was being created in the local Chinese language, rather than English, the ubiquitous language of spam. Typical examples of Chinese spam include offers for sales invoices, bespoke transportation services and specialized advertising services; i.e. more business related spam.
By mid-2008, China had more than 253 million Internet users, more Web surfers than in the U.S. according to China Internet Network Information Centre (CNNIC). There were also about 12.2 million ‘.cn’ domain names in circulation, which allows China to boast the largest top-level country code domain, next to Germany (.de).
With China’s dominant Internet growth and broadband adoption, the increased demand for .cn domains puts the country at risk for cybercrime. It’s interesting to note that there are 1.92 million Web sites hosted in China (according to CNNIC), with 71.3% actually hosted under the .cn top-level country code domain.
Top level domains of blocked web viruses
  com     53.9%
  cn      17.4%
  ru      12.2%
  no       3.9%
  net      3.1%
  org      2.3%
  info     2.1%
  uk       1.6%
  au       0.8%
  kr       0.3%
  other    2.3%

Table showing proportion of malicious Web content hosted by top-level domains

In November, 53.9% of malicious domains blocked were registered with the .com top-level domain. Malicious sites registered under the .cn top-level country code accounted for 17.4% of blocks, compared with 12.2% for .ru.
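A breakdown like the one in the table above is produced by reducing each blocked URL to the last label of its host, so that a .co.uk site counts under "uk" just as the table shows. The Python below is an added example, not the report's own tooling, and runs over a constructed list of block-log URLs; it handles the cases that routinely skew such counts: hosts with ports, entries logged without a scheme, trailing-dot hostnames, and bare IP addresses that have no top-level domain at all.

```python
from collections import Counter
from ipaddress import ip_address
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample of blocked-URL log entries (not data from the report).
BLOCKED_URLS = [
    "http://cdn-files.example.com/update.exe",
    "http://promo.example.com/click?id=7",
    "https://secure-login.example.com/bank/",
    "http://download.example.com:8080/setup.exe",   # explicit port
    "http://mail.example.com/../a.js",
    "http://news.example.cn/iframe.html",
    "www.shop.example.cn/new.php",                   # scheme missing, as often logged
    "http://static.example.ru/load.js",
    "http://198.51.100.7/x.exe",                     # IP literal, no TLD
    "http://www.example.co.uk./js/pop.js",           # trailing dot (FQDN form)
]


def top_level_domain(url: str) -> Optional[str]:
    """Last DNS label of the URL's host, 'ip-literal' for bare addresses,
    or None when no usable host is present."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to locate the host
    host = urlsplit(url).hostname      # strips userinfo and port, lower-cases
    if not host:
        return None
    host = host.rstrip(".")
    try:
        ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    if "." not in host:
        return None                    # e.g. 'localhost' or an unqualified name
    return host.rsplit(".", 1)[1]


def tld_breakdown(urls) -> Dict[str, float]:
    """Percentage share of each top-level domain among the URLs, largest first."""
    counts = Counter(t for t in map(top_level_domain, urls) if t)
    total = sum(counts.values())
    return {tld: round(100.0 * n / total, 1) for tld, n in counts.most_common()}


if __name__ == "__main__":
    for tld, share in tld_breakdown(BLOCKED_URLS).items():
        print(f"{tld:12s} {share:5.1f}%")
```

On the constructed sample the share is com 50.0%, cn 20.0% and 10.0% each for ru, uk and IP literals; keeping IP literals as their own bucket rather than dropping them matters, since hosting on bare addresses is itself a signal worth reporting.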
In 2009, registrations of.cn domains will most likely continue to rise since they are often inexpensive and attractive to the criminals because they are harder to shut down due to language and time zone differences.
Exposure to Cyber Threats – Global Risk Levels

MessageLabs Intelligence continually tracks the IP addresses of active malicious content, and the following table shows how these addresses are identified with their country of origin. Furthermore, the table shows the percentage of Internet users[18] worldwide based in each country. The index given indicates the relative level of exposure to cyber threats in each country (higher values indicate a greater level of risk).
Global risk profile (% share users vs. % share tracked bots)

[Figure: bar chart comparing, for each country, its % share of global internet users with its % share of global tracked bots. The risk index is % bots per % users; higher values equal a greater chance of exposure. Countries shown, with the risk index as far as it survives extraction (decimal digits lost): Brazil 2., Turkey 4., China 0., Russia 3., India 1., United States 0., Germany 1., Italy 1., United Kingdom 1., Poland 2., Argentina 2., Spain 1., France 0., Japan 0., Australia 0., Canada 0., Netherlands 0.]

Table showing how internet users are exposed to botnet threats

[18] Based on the latest publicly available sources in 2008, including OECD and ITU

About MessageLabs Intelligence & Symantec

About MessageLabs Intelligence

MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence publishes a range of information on global security threats based on live data feeds from more than 14 data centers around the world scanning billions of messages and web pages each week.
MessageLabs Team Skeptic™ comprises many world-renowned malware and spam experts, who have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day on behalf of 19,000 clients in more than 86 countries.
About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.