Creative cybercriminals will thrive in 2011

Published: February 23rd, 2011

Cybercrime was alive and well last year according to MarkMonitor, Symantec, Trend Micro and ZapThink. The worse news is that 2011 is expected to be another banner year for cybercriminals as they get more creative with their capers, hatching botnets, malware, phishing scams and other manner of pestilence.

2011 will also see the advancement of attacks against the cloud and, even worse, the proliferation of cyberwarfare that began in earnest in 2010. Witness the battle between the WikiLeaks supporters and credit card companies. The cybercrime underworld will see more consolidation as increased global and public attention is focused on their misdeeds.

Experts interviewed agree that in years past it used to be about hacking the big corporations, but now enterprises and even small and medium-sized businesses are under attack, and the attacks are all more sophisticated. The consensus is that cybercrime is about money, and it’s going to get uglier.

Botnets and spam and malware, oh my!
Symantec’s annual MessageLabs Intelligence Report was released by the company’s Hosted Services group. It showed that cybercriminals are thriving and have diversified their tactics to sustain spam and malware at high levels throughout the year. As detection and prevention technology made advancements to thwart the attacks, the criminals’ technology became stealthier.

According to the report, chief among the offenders are botnets that proved resilient for another year, creating fluctuations in spam levels. E-mail-borne malware also increased a hundredfold.

In August, spam rates peaked at 92.2% of all e-mail received by accounts monitored by Symantec when the Rustock botnet was put to use with new malware variants, delivering an overall increase of 1.4% compared to 2009. Average spam levels for 2010 reached 89.1%, and for most of the year, spam from botnets accounted for 88.2% of all spam. According to the report, the closure of the Spamit spam affiliate in early October resulted in a reduction of spam to 77%. The top three botnets this year were Rustock, Grum and Cutwail, according to the Symantec report.

Despite organizations’ best efforts, successful and resilient botnet operations such as leveraging high-profile events and making use of popular URL shortening services and social networks to bypass spam filters have enabled cybercriminals to keep spam campaigns alive.

The future doesn’t look any brighter because the perpetrators are looking at even more new technologies to attack businesses with. The report predicts that, in 2011, botnet controllers will employ steganography techniques to control computers. This means hiding their commands in plain view in images or music files distributed through file-sharing or social-networking websites. This approach will allow criminals to surreptitiously issue instructions to their botnets without relying on an ISP to host their infrastructure, which will reduce the chances of discovery.

As for malware, 2010’s standout security threat was the “Here you Have” virus. On Sept. 9, the virus used old mass-mailer techniques to send malicious e-mails, peaking at 2,000 blocked e-mails per minute. In total, MessageLabs’ Anti Virus service alone blocked more than 100,000 copies of the virus before it reached any client networks. The report also said there were more than 339,600 different malware strains identified in malicious e-mails blocked, representing a more than hundredfold increase since 2009.

Paul Wood, MessageLabs’ Intelligence senior analyst, said: “With the rise of targeted attacks come variations in the execution and attack complexity. Typically, between 200 and 300 organizations are targeted each month, but the industry sector varies and high-seniority job roles are most frequently targeted, often by way of a general or assistant’s mailbox.

“While, five years ago, large and well-known organizations were often targeted, today the scope of targeted organizations has expanded, and now no organization is safe from attack.”

Cybercrime goes mobile
The proliferation of mobile devices creates new opportunities for nefarious activity. New scams specific to mobile devices, like “smishing” and “vishing,” steal personal information like PINs, bank account and credit card numbers. Smishing combines SMS texting with phishing. The criminal sends out text messages duping the user into calling a phone number or logging into a fake site where they are asked to give out personal information. Vishing is the same scam, except via voicemail.

In addition to infiltration into the mobile space, Trend Micro’s 2011 Threat Prediction report warns that while cloud computing and virtualization offer several benefits, they are at increased risk because servers are moved outside the traditional security perimeter. This exposure expands the playing field for cybercriminals and increases security demands on cloud service providers.

Trend Micro expects increased proof-of-concept attacks (some of which will be successful) against cloud infrastructure and virtualized systems in 2011. According to the report, cybercriminals will test how to successfully infiltrate and misuse a monoculture in the cloud, knowing that the desktop monoculture will disappear. Trend Micro also expects that the growing number of operating systems, programs and browsers, coupled with explosive growth in vulnerable applications, will provide fertile ground for cybercriminals to put a new spin on social engineering via “malware campaigns.” Campaigns against already targeted, unpatchable and widely used legacy systems like many of the Windows OSes will continue.

Trend Micro also believes that in addition to adding enterprises and small-to-medium businesses to their big-business targets, cybercriminals will take aim at security vendors’ brands in order to cause confusion and insecurity among their customers. The company predicts that some security vendors will run into trouble with their inability to store all the threat information with local signatures. They will retire old signatures, which will lead to infections from old malware. In addition, it expects to see increased use of stolen legitimate digital certificates to avoid detection in malware attacks.

The availability of easy-to-use underground toolkits hit highs in 2010 and will contribute to attacks against mid-sized companies going into 2011. These toolkits make it particularly easy to take aim at specific types of organizations. Using ZeuS, which targeted small businesses, as an example, Trend Micro believes that the number of localized, targeted attacks will continue to increase in sophistication.

Phishing in new waters
Among other subjects, MarkMonitor puts out quarterly fraud intelligence reports that include data for emerging phishing sectors, quarterly phish attack trends grouped by sectors, and geographical phishing data for targeted brands by regions and countries within each region.

A high percentage of phishing attacks are directed at financial services such as banks or payment centers. In 2010, the payment services sector accounted for 38% of phishing attacks in the second quarter, and the financial sector, usually most favored by phishers, accounted for 33%. In the third quarter, the financial sector accounted for 41% and the payment services sector accounted for 29%.

The good news was that the third quarter saw no major spikes in phishing attacks. This is unusual since historically they spike during this timeframe. The bad news was that the second quarter saw a 14% increase in volume from the previous quarter to 111,552 attacks, but phishing attack volume declined 5% in the third quarter to 105,446 attacks.

MarkMonitor saw classified advertising as the emerging target for phishers. The company said that in the second quarter, the online classifieds sector became the third largest phishing target, growing 142% from the first quarter, and grew another 80% in the third quarter.

The most heavily targeted brands by location were North American brands and Western European brands. By a wide margin, North American brands attracted the most phishing attacks, accounting for 78% of total attacks in the second quarter and 80% in the third quarter. Western European brands were in second place, with 15% in the second quarter and 13% in the third quarter.

North America took first in hosted attacks at 64% in the second quarter and 60% in the third quarter, with Western Europe placing second, hosting 17% of attacks in the second quarter and 20% in the third quarter.

Frederick Felman, CMO of MarkMonitor, predicted that in 2011 phishers will have richer waters to work in due to the growing domain name population. “The domain name space is expanding greatly due to international character sets being allowed in domain names; this expansion will propel even greater growth in Internet usage by folks all over the globe, some of whom will be using the Internet for the first time,” he said.

“In 2011, we believe that phishers will target this new set of less-experienced users who may be more easily fooled using tried-and-true phishing techniques hosted on these new local language domain names.”

Cyberwarfare: Coming to a theater near you
This scourge seems to be coming of age sooner than most experts expected. Smaller organizations not directly targeted will in many cases still be affected. Ronald Schmelzer, Managing Partner at ZapThink, gave an example in his recent newsletter.

“Your company uses Google for mail, a specialty Software-as-a-Service supplier for its B2B network that just happens to use Amazon’s cloud computing infrastructure, and processes its online payments with an Internet-based credit card gateway,” he said. Next, he laid out the destruction.

“The first thing that the company notices is that it can’t process payments because the credit card processor is under siege. Then its B2B network goes down because Amazon is under attack. Finally, you can’t even send requests for support to either the card processor or the B2B network because Gmail is down due to a distributed denial of service attack.”

He pointed out that at this point, the company is effectively knocked off the net from a business standpoint, even if its own website is up and operational.

This example isn’t pure fiction. WikiLeaks hacktivists launched attacks against the companies named in his theoretical example (except for Google) and it doesn’t bode well for MasterCard or PayPal that they could be brought down for minutes at a time. ZapThink pointed out that PostFinance, a Swiss bank that shut off WikiLeaks funding, was down for over 33 hours.

Ralph Langner, President of Langner Communications of Hamburg, Germany, is a cyber-security expert and leading researcher in SCADA security. In an interview for the International Analyst Network, he detailed his research on the Stuxnet malware.

Stuxnet was first discovered in July 2010 by the Belarus-based security firm VirusBlokAda. It is a Windows-specific worm, and it is not the first time that hackers have targeted industrial systems, but it is the first discovered worm that spies on and reprograms industrial systems, and the first that has a programmable logic controller rootkit. It was written to attack Supervisory Control And Data Acquisition (SCADA) systems that control industrial processes. It has the capability to reprogram programmable logic controllers and hide its changes.

According to Langner, a new era in cyberwarfare has begun, and it must be taken with the utmost seriousness by security and military specialists around the world.

“Stuxnet marks the starting point for a new era of real cyberwarfare, meaning physical destruction. Follow-up attacks are possible. All the militaries across the world should learn from this experience and build their security systems,” he said.

“This is a type of cyberwarfare weapon that can inflict great physical damage to industrial systems. All should analyze what happened here in order to prepare for the future because it is going to be formed by these kinds of technological advances. In contrast to the past, the Stuxnet destroys the physical infrastructure and can paralyze the capabilities of an industry and even a state.”

Article Tags

security

About Alyson Behr

View all posts by Alyson Behr

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

Creative cybercriminals will thrive in 2011

Article Tags

Subscribe to SDTimes

About Alyson Behr

Related Articles

Red Hat Trusted Software Supply Chain gets updated with three new offerings

Report: Java is the language that’s most prone to third-party vulnerabilities

Implement a good secrets management practice to reduce your security risk

Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool