2006 Security Trends
Symantec Security Response
Following are key trends that have been observed throughout 2006 by Symantec experts at Security Response.
Online Fraud
Throughout 2006, Symantec observed that online fraud has steadily increased and become more sophisticated. Much of this activity arrived in the form of phishing.
- Symantec observes more than 7 million total phishing attempts each day.
- In the first half of 2006, Symantec detected close to 900 unique phishing messages a day, an increase from nearly 500 per day over the previous six-month period.
- Phishing e-mails dip on the weekends and rebound on Tuesdays, suggesting that phishers operate during standard work days.
- Nine of the top 10 phished brands were financial institutions. Attacks against this sector are most likely to produce the greatest monetary gain for attackers.
- More than seven out of 10 spoofed brands that Symantec observed are based in the U.S. Florida had the most spoofed local brands.
- Phishers are innovating and embracing new techniques, such as vishing and SMishing.
- You can take action and help fight online fraud by submitting phishing sites to the Symantec Phish Report Network.
Zero-day exploits
In 2006, Symantec observed an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and exploitation of software vulnerabilities.
- In late 2005, the Windows WMF vulnerability (a high-impact zero-day exploit) was reportedly sold on the black market to an organization called Iframecash.biz. Active use of the vulnerability was first detected during the 2005 holiday season.
- Beginning in May 2006, Symantec discovered a series of targeted attacks that made use of previously unpublicized flaws in Microsoft Office.
- The trend expands beyond Office; Symantec also identified two zero-day exploits for Ichitaro, a Japanese word processing program.
- While vendors are steadily improving the development and release of software fixes to patch these vulnerabilities, the reality is that attackers, on average, develop exploits faster than vendors develop patches. This leaves affected systems at risk.
- From January to June 2006, the average time to develop a patch was 31 days. However, the average time to develop exploit code was three days. This leaves a 28-day window of exposure.
Rootkits
Rootkit technology saw more mainstream adoption by attackers in 2006.
- The use of rootkits by attackers is increasingly common, whereas it was rare only 12 months ago.
- User-mode rootkit tactics are now commonplace, and kernel-mode rootkits are not unusual among the new threats seen in 2006.
© Copyright 2007 Auerbach Publications