When 2009 came to a close, Symantec made a few predictions about which online security trends to expect in 2010. They have just released this mid-year status check, which is pretty interesting. Check it out:
Antivirus is Not Enough – With the rise of polymorphic threats and the explosion of unique malware variants in 2009, the industry is quickly realizing that traditional approaches to antivirus, both file signatures and heuristic/behavioral capabilities, are not enough to protect against today’s threats. We have reached an inflection point where new malicious programs are created at a higher rate than good programs. As such, we have also reached a point where it no longer makes sense to focus solely on analyzing malware. Instead, approaches to security that look to ways to include all software files, such as Reputation-Based Security, will become key in 2010.
Status: On track
Unfortunately, the bad guys have proven us correct here. Symantec created 2,895,802 new malicious code signatures last year alone. This was a 71 percent increase over 2008 and a number representing more than half of all malicious code signatures ever created by Symantec. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008. We are on track to continue this upward trend in 2010. In just the first half of the year, we have created 1.8 million new malicious code signatures and identified more than 124 million distinct new malicious programs.
This means it is becoming less likely that traditional security technologies will catch every new threat out there; there are simply too many of them, even with automated systems in place. Technology that does not rely on capturing and analyzing a threat in order to protect against it, like Symantec’s Reputation-Based Security, is indeed becoming imperative. Other methods that are also playing a key role in combating today’s most pervasive threats are heuristic, behavioral and intrusion prevention technologies.
Social Engineering as the Primary Attack Vector – More and more, attackers are going directly after the end user and attempting to trick them into downloading malware or divulging sensitive information under the impression that they are doing something perfectly innocent. Social engineering’s popularity is, at least in part, spurred by the fact that what operating system and Web browser rests on a user’s computer is largely irrelevant, as it is the actual user being targeted, not necessarily the vulnerabilities on the machine. Social engineering is already one of the primary attack vectors used today, and Symantec estimates that the number of attempted attacks using social engineering techniques is sure to increase in 2010.
Status: On track
Reasoning: OK, so we didn’t exactly go out on a limb here. Social engineering is likely the world’s second oldest profession and its exploitation in the digital world was nothing unexpected. However, we have seen its effectiveness improve even further thanks to Web 2.0. With so many computer users enraptured in a love affair with social networking, we have become accustomed to receiving emails announcing so-and-so would like to be our “friend” or is now “following” us. Attackers are taking advantage of this and are devising ever-more creative and convincing tricks to get users to download malware or divulge sensitive information.
Phishing attacks are a prime example of a socially engineered threat. Through the first half of 2010, an average of approximately one in every 476 emails included some form of phishing attack. What makes these attacks even more dangerous is that they are completely operating-system agnostic. In a world that is becoming less centralized around the PC, phishing allows cybercriminals to take advantage of computer users regardless of what platform they are operating on. For example, in July 2010 Symantec observed a phishing website that spoofed an Internet Service Provider popular in Australia. Users received an email stating the ISP was unable to verify their account due to a recent change in their contact details. It linked to the spoofed site and requested that users visit it in order to confirm crucial customer information, including billing details such as credit card numbers. In a case such as this, Windows, Macintosh and even mobile phone users are all vulnerable to online fraud.
We have also seen social engineering play a large role in some recent, very high-profile attacks. For example, earlier this year the infamous Hydraq attacks against a number of large organizations used, at least in part, socially engineered emails sent to an individual or a small group of individuals within the affected organizations. Once the user was tricked into either clicking a malicious link or opening an attachment, the Hydraq Trojan was installed on their machine.
Rogue Security Software Vendors Escalate Their Efforts – In 2010, expect to see the propagators of rogue security software scams take their efforts to the next level, even by hijacking users’ computers, rendering them useless and holding them for ransom. A less drastic next step, however, would be software that is not explicitly malicious, but dubious at best. For example, Symantec has already observed some rogue antivirus vendors selling rebranded copies of free third-party antivirus software as their own offerings. In these cases, users are technically getting the antivirus software that they pay for, but in reality the software can be downloaded for free elsewhere.
Status: Mostly on track
Reasoning: Rogue security software is still one of the biggest issues facing the security industry and consumers alike, but we have not yet seen peddlers of such nefarious applications go as far as making ransom requests to free locked down computers a regular practice. That does not mean, however, that we have not seen the bad guys expand their repertoire. For example, Symantec recently investigated a company, Online PC Doctors, which is cold calling computer users with a live telephone agent in an attempt to persuade them that their computer is “infected.”
Once the agent has convinced a user that their computer is infected, he or she offers to remotely connect to the machine to take a closer look. Naturally, the agent reports finding a severe malware infection—whether there is one or not. No fear, however, as the agent explains that Online PC Doctors can “fix” the problems, for a fee of course. All the user has to do is send an email to Online PC Doctors with all the pertinent payment information, including full credit card details.
Social Networking Third-Party Applications Will be the Target of Fraud – With the popularity of social networking sites poised for another year of unprecedented growth, expect to see fraud being leveraged against site users to grow. In the same vein, expect owners of these sites to create more proactive measures to address these threats. As this occurs, and as these sites more readily provide third-party developer access to their APIs, attackers will likely turn to vulnerabilities in third-party applications for users’ social networking accounts just as we have seen attackers leverage browser plug-ins more as Web browsers themselves become more secure.
Status: Mostly on track
Reasoning: This is difficult to track directly, but anecdotal feedback and analysis of URLs from Symantec Hosted Services’ Web Security Service both suggest that social networking sites are triggering more blocks in 2010 for malicious content than they did in 2009. On average in 2009, one in 451 Web Security Service blocks related to a social networking site. However, in 2010 this number rose to one in just 301.
There are also many recent anecdotal reports of rogue applications being created for a variety of purposes, some to spread malware, others for financial fraud or taking advantage of users to send spam. For example, an app was recently discovered to be part of an IQ testing scam which aimed at covertly signing users up for a premium mobile service that costs $10 per month.
As further validation that this trend is indeed developing, Facebook recently updated their application authorization system in an effort to reduce the number of these scams and misleading applications being propagated via their network. Now a user is informed when an application seeks permission to access the user’s basic information or to post on their wall.
Windows 7 Will Come into the Cross-Hairs of Attackers – Microsoft has already released the first security patches for the new operating system. As long as humans are programming computer code, flaws will be introduced, no matter how thorough pre-release testing is, and the more complex the code, the more likely that undiscovered vulnerabilities exist. Microsoft’s new operating system is no exception, and as Windows 7 hits the pavement and gains traction in 2010, attackers will undoubtedly find ways to exploit its users.
Status: Still possible
Reasoning: Thus far, we’ve been pleasantly surprised to have seen only one major attack leveraging a vulnerability in Windows 7, though it should be noted that this vulnerability was also present in all of Microsoft’s supported operating systems. The attack involved a piece of malware known as Stuxnet. It exploited a vulnerability in the way Windows handles shortcut links. Stuxnet was limited in distribution, but it was high-profile because it was the first known piece of malware specifically targeting SCADA systems.
A big reason why we think we have yet to see a major increase in attacks targeting Windows 7, one of Microsoft’s best-selling operating systems ever, is that attackers are always looking for the path of least resistance. With so many bugs in Web browsers and Web-facing third-party applications and plug-ins that are easier nuts to crack, hacking the new operating system has simply not been the preferred method of gaining access to these systems, with the rare exception already mentioned.
Fast Flux Botnets Increase – Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious websites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of peer-to-peer networking, distributed command and control, Web-based load balancing and proxy redirection, it makes it difficult to trace the botnets’ original geo-location. As industry countermeasures continue to reduce the effectiveness of traditional botnets, expect to see more using this technique to carry out attacks.
Status: Still possible
Reasoning: Thus far this year, we haven’t seen any major new threats using the fast flux technique. We hope it stays that way, but the reality is that the year is only half over. We have, however, seen the resurgence of an old foe which leverages the fast flux technique. The Storm botnet has recently re-emerged as a top botnet and it continues to use the fast flux technique to hide the website domains behind the hyperlinks it spams out.
We have also seen an increase in threats like Spakrab, a back door Trojan that is typically used to send out spam. This threat uses techniques that result in similar camouflaging effects to fast flux, such as masking command and control server geo-locations by exploiting Dynamic DNS providers. Dynamic DNS is free, easy to set up and allows attackers to use compromised hosts that do not have a static IP address, making their physical location harder to pinpoint.
Regardless of whether a threat uses fast flux or other similar techniques, if the geographical location of a threat cannot be pinpointed, it becomes much more difficult to stop the attack stream. Thus, it is easy to see why these methods are all the rage among cybercriminals, and why we think they will continue to grow in popularity.
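The defining signal of a fast-flux domain, as described above, is a short DNS TTL combined with A records that rotate constantly and are scattered across unrelated networks. The following is an added example, not Symantec's code, of how a defender can score a series of DNS answers for one domain on those features. It assumes a /16 prefix count as a stand-in for the ASN lookup a production detector would use, and its thresholds are illustrative; the two sample answer series are constructed, one mimicking a flux network and one mimicking an ordinary CDN that also uses short TTLs.

```python
"""Heuristic fast-flux scoring over a series of DNS lookups for one domain.

Added example, not Symantec's code. A fast-flux domain answers with a short
TTL and a constantly rotating set of A records spread over many unrelated
networks (the compromised hosts acting as proxies). A CDN also uses short
TTLs and several addresses, but they sit in a handful of provider-owned
prefixes. The /16 prefix count below stands in for the ASN lookup a
production detector would use (an assumption made so the example runs
offline); the thresholds are illustrative, not Symantec's.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass
class Lookup:
    ttl: int              # TTL (seconds) returned with the answer
    a_records: List[str]  # A records returned in that answer


def flux_features(lookups: List[Lookup]) -> Dict[str, float]:
    """Summarise how volatile and how widely spread the answers are."""
    seen = set()
    prev = set()
    churn = 0          # addresses not present in the previous answer
    later_records = 0  # record count over every answer after the first
    for i, lk in enumerate(lookups):
        ips = set(lk.a_records)
        if i > 0:
            churn += len(ips - prev)
            later_records += len(ips)
        seen |= ips
        prev = ips
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in seen}
    return {
        "distinct_ips": len(seen),
        "prefixes": len(prefixes),
        "avg_ttl": sum(lk.ttl for lk in lookups) / len(lookups),
        "churn_ratio": churn / later_records if later_records else 0.0,
    }


def is_fast_flux(lookups: List[Lookup]) -> bool:
    """Illustrative rule: short TTL, many addresses, many networks, high churn."""
    f = flux_features(lookups)
    return (f["avg_ttl"] <= 300 and f["distinct_ips"] >= 10
            and f["prefixes"] >= 5 and f["churn_ratio"] >= 0.5)


def constructed_flux_lookups() -> List[Lookup]:
    """Constructed sample: five answers, TTL 180 s, five never-before-seen
    proxies each time, every address in a different /16."""
    return [
        Lookup(ttl=180, a_records=[
            f"{100 + 5 * i + j}.{(7 * i + 13 * j) % 256}.{i}.{j + 1}" for j in range(5)
        ])
        for i in range(5)
    ]


def constructed_cdn_lookups() -> List[Lookup]:
    """Constructed sample: short TTL too, but a pool of four addresses in two
    documentation-range prefixes, rotated a pair at a time."""
    pool = ["198.51.100.10", "198.51.100.11", "192.0.2.10", "192.0.2.11"]
    return [Lookup(ttl=60, a_records=[pool[i % 4], pool[(i + 1) % 4]])
            for i in range(5)]


if __name__ == "__main__":
    for name, sample in (("flux-like", constructed_flux_lookups()),
                         ("cdn-like", constructed_cdn_lookups())):
        print(name, flux_features(sample), "->", is_fast_flux(sample))
```

The CDN sample is the important negative case: it has a shorter TTL than the flux sample, yet its small address pool in two prefixes keeps it below the thresholds. In practice the prefix feature should be replaced with ASN or registrant data, since a flux network drawn from many residential ISPs is what makes the geo-location untraceable in the first place.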
URL Shortening Services Become the Phisher’s Best Friend – Because users often have no idea where a shortened URL is actually sending them, phishers are able to disguise links that the average security conscious user might think twice about clicking. Symantec is already seeing a trend toward using this tactic to distribute misleading applications and we expect much more to come. Also, in an attempt to evade antispam filters through obfuscation, expect spammers to leverage shortened URLs to carry out their own evil deeds.
Status: On track
Reasoning: As predicted, spammers’ use of URLs from link shortening services has become increasingly popular. At its peak in July 2009, 9.3 percent of spam included some form of shortened hyperlink provided by one of the many free online shortening services; this is equivalent to more than 10 billion spam emails each day worldwide. In April of 2010, however, this peak figure nearly doubled to 18.0 percent of spam, the current historical peak.
Not only are phishers and malware authors using shortened URLs to set traps for unsuspecting computer users, but we have seen shortened URLs used as a means to spark life into some older threats. As already mentioned, in late April and early May 2010, Symantec observed the Storm botnet reappear in the wild. Most of the spam messages sent from the new Storm, which peaked at around 1.4 percent of all spam on May 8, 2010, contained links to online pharmacy sites. The majority of these links were in the form of shortened URLs.
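Because a shortened link hides its destination until it is followed, a mail gateway or link-scanning proxy has to resolve the redirect chain itself, without rendering anything, and judge the landing host. The following is an added example, not Symantec's code, of that procedure: it walks the chain hop by hop with a hop budget and loop detection, handles relative Location headers and shorteners chained to other shorteners, and treats a chain it cannot resolve as suspicious rather than clean. Every host, URL and blocklist entry is constructed, and the hop function is a lookup into a constructed table so the example runs offline.

```python
"""Expand shortened URLs without rendering them, then judge the landing host.

Added example, not Symantec's code. The redirect chain is walked one hop at
a time through a caller-supplied function that returns the Location header
for a URL (or None when the URL is the final page), so the sample runs
offline against a constructed table; in production that function would
issue a request with redirects disabled and read the header. Every host,
URL and blocklist entry here is constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed: hosts treated as public URL-shortening services.
SHORTENER_HOSTS = {"short.example", "tiny.example"}
# Constructed: landing hosts already known to serve phishing pages.
BLOCKED_HOSTS = {"isp-account-verify.example"}

FetchLocation = Callable[[str], Optional[str]]


class RedirectError(Exception):
    """Raised when a chain loops or exceeds the hop budget."""


def expand_url(url: str, fetch_location: FetchLocation,
               max_hops: int = 10) -> Tuple[str, List[str]]:
    """Follow redirects manually; return (final_url, full_chain)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch_location(url)
        if location is None:
            return url, chain
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in seen:
            raise RedirectError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    raise RedirectError(f"more than {max_hops} hops")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def classify_link(url: str, fetch_location: FetchLocation) -> Dict[str, object]:
    """Return verdict 'clean', 'blocked' or 'unresolved' plus the evidence."""
    if _host(url) not in SHORTENER_HOSTS:
        return {"shortened": False, "final": url, "hops": 0,
                "verdict": "blocked" if _host(url) in BLOCKED_HOSTS else "clean"}
    try:
        final, chain = expand_url(url, fetch_location)
    except RedirectError as exc:
        # A chain that cannot be resolved gets no benefit of the doubt.
        return {"shortened": True, "final": None, "hops": None,
                "verdict": "unresolved", "reason": str(exc)}
    return {"shortened": True, "final": final, "hops": len(chain) - 1,
            "verdict": "blocked" if _host(final) in BLOCKED_HOSTS else "clean"}


# Constructed redirect table standing in for the shorteners' HTTP responses.
CONSTRUCTED_REDIRECTS = {
    "http://short.example/a1": "http://tiny.example/b2",  # shortener chained to shortener
    "http://tiny.example/b2": "https://isp-account-verify.example/login",
    "http://short.example/ok": "https://vendor.example/whitepaper.pdf",
    "http://short.example/loop": "/loop2",                 # relative Location
    "http://short.example/loop2": "http://short.example/loop",
}


def constructed_fetch(url: str) -> Optional[str]:
    """Offline stand-in for a HEAD request with redirects disabled."""
    return CONSTRUCTED_REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("http://short.example/a1", "http://short.example/ok",
                 "http://short.example/loop", "https://vendor.example/page"):
        print(link, "->", classify_link(link, constructed_fetch))
```

To use this against live shorteners, `fetch_location` would make a single request with automatic redirects disabled (for example `requests.head(url, allow_redirects=False)`) and return the `Location` header, which keeps the scanner from ever loading the landing page. The blocklist check on the final host is where a reputation feed plugs in; the shortener itself carries no signal either way, which is exactly why spammers favour it.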
Mac and Mobile Malware Will Increase – The number of attacks designed to exploit a certain operating system or platform is directly related to that platform’s market share, as malware authors are out to make money and always want the biggest bang for their buck. In 2009, we saw Macs and smartphones targeted more by malware authors, for example the Sexy Space botnet aimed at the Symbian mobile device operating system and the OSX.Iservice Trojan targeting Mac users. As Mac and smartphones continue to increase in popularity in 2010, more attackers will devote time to creating malware to exploit these devices.
Status: Still possible
Reasoning: We have seen a few new pieces of malware for Mac OS X, but so far, nothing earth-shattering; though we may never see “earth-shattering,” especially as we enter the post-PC era. iOS devices, such as the iPad, iPhone and iPod Touch, continue to be mostly secure from a client perspective. However, we did see the App Store sell several applications that exhibited malicious behavior, though Apple insists only 400 users were impacted. So, the platform did get attacked, just not in the way most anticipated.
On the mobile front, there have been more than 300 iPhone vulnerabilities to date and around a dozen on the Android platform, but beyond that, we have not seen a massive surge in mobile security threats. That said, as more apps flood the market, some of which are created by novice programmers using tools such as Google’s new App Inventor for Android, we think the security integrity of mobile devices could be impacted. In fact, we think the rapidly expanding app market for popular mobile platforms will be the key driver behind mobile security threats in the future. We hope not, but the second half of the year might still see this trend come into its own.
Spammers Breaking the Rules – As the economy continues to suffer and more people seek to take advantage of the loose restrictions of the CAN-SPAM Act, we’ll see more organizations selling unauthorized email address lists and more less-than-legitimate marketers spamming those lists.
Status: Mostly on track
Reasoning: Though there hasn’t been an explosion yet, we are seeing more “gray” mail this year. One example of such gray mail is unsolicited, but legitimate-looking newsletters. These emails generally carry an opt-out message to comply with the CAN-SPAM Act; however, users most likely never subscribed to corresponding distribution lists in the first place, indicating the senders are getting their mailing lists from less-than-legitimate sources. Common examples of such unsolicited gray mail are offers for complimentary subscriptions to online newsletters. Symantec recently analyzed one such sample which indeed did include an opt-out message, thus complying with the CAN-SPAM Act, but the promptness of the sending organization honoring opt-out requests was another story.
As Spammers Adapt, Spam Volumes Will Continue to Fluctuate – Since 2007, spam has increased on average by 15 percent. While this significant growth in spam email may not be sustainable in the long term, it is clear that spammers are not yet willing to give up as long as an economic motive is present. Spam volumes will continue to fluctuate in 2010 as spammers continue to adapt to the sophistication of security software and the intervention of responsible ISPs and government agencies across the globe.
Status: On track
Reasoning: The arms race between spammers and antispammers has indeed continued. Such antispam victories as the shutdown of the Mariposa botnet have been countered by spammers with actions like the explosive use of disposable and hijacked URLs. While the percentage of messages identified as spam has stayed in a relatively tight range, spam volume has shown much more movement.
Specialized Malware – Highly specialized malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited. Expect this trend to continue in 2010, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting such as the systems connected with reality television shows and competitions.
Status: Still possible
Reasoning: We haven’t seen a widespread outbreak of specialized malware, but we have seen glimpses of activity that lead us to believe we could still see this trend develop. For example, in late 2009, after we published our original predictions, The Gouverneur Times in New York reported that computerized voting machines used by “many voters” in Hamilton County, New York were found to be infected with a computer virus aimed at tainting the voting results. In addition, the previously mentioned Stuxnet threat, discovered in July 2010, was specifically designed to steal SCADA-related documents, including industrial automation layout design and control files.
As a side note in relation to our original prediction, in April 2010 Rodney Reed Caverly was charged with computer fraud for allegedly creating malware that infected bank computers and ATMs. The use of inside knowledge of the computer systems and cash machines enabled him to carry out the crime and steal an estimated $200,000 or more before being caught.
CAPTCHA Technology Will Improve – As this happens and spammers have a more difficult time breaking CAPTCHA codes through automated processes, spammers in emerging economies will devise a means to use real people to manually generate new accounts for spamming, thereby attempting to bypass the improved technology. Symantec estimates that the individuals employed to manually create these accounts will be paid less than 10 percent of the cost to the spammers, with the account-farmers charging $30-40 per 1,000 accounts.
Status: On track
Reasoning: In late April 2010, The New York Times reported that spammers are paying workers in developing countries to manually enter CAPTCHA codes in order to generate new accounts for spamming. According to the report, the going rate for the work ranges from 80 cents to $1.20 for each 1,000 deciphered CAPTCHAs. So, we were admittedly a bit off in terms of how much individuals would be getting paid to do this work—the situation is worse than we assumed it would be—but in terms of the overall trend, we were unfortunately dead on.
Instant Messaging Spam – As cybercriminals exploit new ways to bypass CAPTCHA technologies, instant messenger (IM) attacks will grow in popularity. IM threats will largely consist of unsolicited spam messages containing malicious links, especially attacks aimed at compromising legitimate IM accounts. By the end of 2010, Symantec predicts that one in 300 IM messages will contain a URL. Also, in 2010, Symantec predicts that overall, one in 12 hyperlinks will be linked to a domain known to be used for hosting malware. Thus, one in 12 hyperlinks appearing in IM messages will contain a domain that has been considered suspicious or malicious. In mid-2009, that level was one in 78 hyperlinks.
Status: On track
Reasoning: As of June 2010, Symantec data indicates that one in 387 IMs contain some form of hyperlink and that one in eight hyperlinks are to a malicious website, i.e. the website harbored some form of malware designed to perform a drive-by attack on a vulnerable Web browser or browser plug-in.
Non-English Spam Will Increase – As broadband connection penetration continues to grow across the globe, particularly in developing economies, spam in non-English speaking countries will increase. In some parts of Europe, Symantec estimates the levels of localized spam will exceed 50 percent of all spam.
Status: More likely next year
Reasoning: Further analysis shows that some domains experience higher than 50 percent spam rates in their local language, but the average isn’t as clear. Certain domains, such as .com, still attract more English-language spam than country-code top-level domains. Although we expected this number to increase, the opposite has been the case in many non-English speaking countries. For example, Brazil has consistently had the highest percentage of spam in the local language, but rather than seeing this percentage increase from the high value we were seeing at the end of 2009—roughly 41 percent—the percentage of spam in Portuguese has fallen to about 29 percent.