The Internet Security Landscape: A Look Back at 2009 and Predictions for 2010
It's been said we should learn from the past, live in the present and plan for the future. Within Symantec Security Response, that's what we do. Our top researchers analyzed the data we researched over the past year and compiled a list of the top security trends we saw from 2009. In our quest to stay ahead of the bad guys and anticipate security protection needs for our customers, we also theorized on what we expect to see in 2010. One thing is for certain, Internet security threats are not diminishing or going away-we expect to continue to see an increase in sophistication of security threats and social engineering tactics in an attempt to victimize computer users.
2009 in Review
While spam isn't ever thought of by the average computer user as good, it seems to be getting worse and worse, with more spam containing some sort of malware than ever before. Between September and October of 2009, Symantec observed dangerous spam increased by nine fold, resulting in 2 percent of all spam containing some sort of malicious code.
The Death of Carefree Social Networking
Remember the good old days when you could hop on your favorite social networking site and not worry about being infected by malware? Those days are gone. 2009 was the year attacks against both social networking sites themselves and the users of those sites became standard practice for criminals. The latter half of 2009 saw attacks utilizing social networking sites increase in both frequency and sophistication. Such sites combine two factors that make for an ideal target for online criminal activity: a massive number of users and a high-level of trust among those users.
Rogue Security Software
Symantec has identified 250 different rogue security applications, but the number of attempted installations-43 million between just July 1, 2008 and June 30, 2009-is what makes this problem so pervasive.
Malware Made Easy
Sources of malware used to be limited to those with expertise in programming and scamming. Now, almost anyone can do it. The ability to take a ready-made malware toolkit, such as the Zeus toolkit, and contribute to this global headache has resulted in more attackers making more money off innocent Internet bystanders than ever.
The Rise of the Botnet
OK, so botnets have been around for a while, but 2009 saw bot networks become the basis for almost all cybercrime. Symantec researchers have observed that most of today's malware contains a bot command and a control channel. In 2009, we even saw botnet designers expand their forte by using social networking sites as communication channels.
All for One and One for All: Intra- and Cross-Industry Cooperation
With the anniversary of the first variant of the Downadup/Conficker threat upon us, we're reminded of how the increasing organization and sophistication of cybercrime has led to greater cooperation among security vendors, law enforcement and Internet service providers. In 2009, some big steps were taken toward greater cooperation. For example, the Conficker Working Group (CWG), the FBI's "Operation Phish Phry" bust and the Digital Crimes Consortium. Conficker brought back memories to the security community of the old-school, large-scale threats from years past. And while Symantec customers were protected and benefitted from Symantec's breadth of experience in dealing with mass-distributed threats, Conficker served as a reminder that while threats of this nature are rare these days, they are not extinct.
Malware, Spam and the News
Cybercriminals are up on current events, that's for sure. Valentine's Day, NCAA March Madness, H1N1 Flu, the crash of Air France Flight 447, Serena Williams, balloon boy and the deaths of Michael Jackson and Patrick Swayze. The list could go on and on. Malware authors and spammers in 2009 more than ever leveraged these current events to try and lure unsuspecting Internet users into downloading malware, buying products and falling for scams.
When an Internet user goes to a Web site, they usually assume what they see is what they get. Unfortunately, that's increasingly not always the case. Cybercriminals have adopted the practice of secretly compromising legitimate Web sites so they serve up malware to unsuspecting visitors. In 2008, Symantec observed a total of 18 million drive-by download infection attempts; however, from just August to October of 2009 alone, Symantec observed 17.4 million.
Pre-McColo Spam Levels
In 2008, the McColo shutdown resulted in a 65 percent decrease in the overall level of spam. In 2009, it's come back strong. Whereas spam was cut to 69.8 percent of all e-mail after the McColo shutdown, spam has returned to an average of 87.4 percent. Spam levels hit an all-time high, accounting for 95 percent of all messages at the end of May.
Polymorphism denotes the ability to mutate. Therefore, polymorphic threats are those in which every instance of the malware is ever so slightly different from the one before it. The automated changes in code made to each instance do not alter what the malware does, but virtually render traditional antivirus detection technologies all but useless against them. Symantec has observed polymorphic threats, such as Waladac, Virut and Sality, become more common as online criminals seek to expand their repertoire of ways to circumvent conventional antivirus technology.
Demonstrating their disrespect for, well anything and everything, spammers hijacking the names and reputations of legitimate sites in an effort to fool users has become the norm. Geocities was a common brand name hijacked by spammers in an attempt to dupe computer users, but with Yahoo's late October shutdown of the Web hosting service, Symantec has witnessed a vast increase in the number of smaller free Web services, such as URL shortening sites, whose names, and legitimate reputations, are being dragged through the mud by spammers.
Data Breaches Continue
As of October 13, 2009, 403 data breaches have been reported for the year, exposing more than 220 million records, according to the Identity Theft Resource Center. Well-meaning insiders continue to represent the bulk of data loss incidents with 88 percent of all data loss incidents caused by insiders like employees and partners, according to The Ponemon Institute. There are rising concerns, however, about malicious data loss. Fifty-nine percent of ex-employees admitted that they took company data when they left their jobs, according to another study by Ponemon.
Antivirus' Inadequacies Exposed
With the continued explosion of unique malware variants in 2009, the industry is quickly realizing that traditional approaches to antivirus are not enough to protect against today's threats. It no longer makes sense to focus solely on analyzing malware. Instead, approaches to security that look to ways to include all software files, such as reputation-based security, will become key in 2010.
Social Engineering as the Primary Attack Vector
More and more, attackers are going directly after the end user and attempting to trick them into downloading malware or divulging sensitive information under the auspice that they are doing something perfectly innocent. Social engineering's popularity is at least in part spurred by the fact that what operating system and Web browser rests on a user's computer is largely irrelevant, as it is the actual user being targeted, not necessarily vulnerabilities on the machine. Social engineering is already one of the primary attack vectors being used today, and Symantec estimates that the number of attempted attacks using social engineering techniques is sure to increase in 2010.
Social Networking Third-Party Application Fraud
Social networking shows no signs of slowing down, and its growth will be accompanied by an increased amount of fraud. Expect owners of these sites to create more proactive measures to address these threats. As this occurs, and as these sites more readily provide third-party developer access to their APIs, attackers will likely turn to vulnerabilities in third-party applications for users' social networking accounts, just as we have seen attackers leverage browser plug-ins more as Web browsers themselves become more secure.
Rogue Security Vendors Spice Things Up
Makers of rogue security software are a nuisance, but they have yet to reach their peak. These vendors are expected to significantly increase their efforts in 2010, and they will get more creative, too. As users wise up to their schemes, tactics such as hijacking computers and holding them for ransom is not unfathomable. Symantec has also already observed vendors rebranding and selling free third-party software, meaning users get the product, but paid money when they didn't have to. This trend will expand in 2010.
Windows 7 Targeted
Microsoft made a lot of noise when they released Windows 7, but no matter the benefits, it is a brand new shiny target for malware authors. Microsoft has already issued its first security patches and as more users adopt the new OS, hackers will certainly find ways to exploit a new batch of vulnerabilities sure to arise.
More Fast Flux Botnets
Fast flux is a technique used by some botnets, such as the Storm botnet, to hide phishing and malicious Web sites behind an ever-changing network of compromised hosts acting as proxies. Using a combination of techniques to accomplish this, it makes it difficult to trace botnets' original geo-locations. As industry counter measures continue to reduce the effectiveness of traditional botnets, expect to see more cybercriminals using this technique to carry out attacks.
Shortened URLs: Gone Phishing
Services that shorten URLs essentially offer blank travel tickets-they'll take you somewhere, but you can't tell where. Symantec has already noticed phishers using this ambiguity to dupe users. They offer a link that purports to take you somewhere nice, and instead you end up in trouble. Spammers can also use shortened URLs to avoid antispam filters. Expect 2010 to see cybercriminals working more with shortened URLs.
Increased Malware for Macs and Mobiles
The security industry has known it's only a matter of time before mobile phones and Mac computers lose their reputation as being essentially threat-free. As their market share increases, so does cybercriminals' determination to make money off of them. In 2009, we saw Macs and smartphones targeted more by malware authors, for example the Sexy Space botnet aimed at the Symbian mobile device operating system and the OSX.Iservice Trojan targeting Mac users. And don't forget about iPhoneOS.Ikee, which sought to score a double-whammy by targeting the iPhone. 2010 will see this trend grow.
Highly specialized malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be taken advantage of. Expect this trend to continue in 2010, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting, such as that connected with reality television shows and competitions.
Cheap Shots from Spammers
The economic recession has caused people to do some drastic things. For some, the temptation of making money by illegally selling lists of e-mail addresses will be too great to withstand. Disreputable marketers will jump at the opportunity to spam those addresses and take advantage of the loose restrictions of the CAN SPAM Act.
As Spammers Adapt, Spam Volumes Will Continue to Fluctuate - Since 2007, spam has increased on average by 15 percent. While this significant growth in spam e-mail may not be sustainable in the long term, it is clear that spammers are not yet willing to give up as long an economic motive is present. Spam volumes will continue to fluctuate in 2010 as spammers continue to adapt to the sophistication of security software, the intervention of responsible ISPs and government agencies across the globe.
Improved CAPTCHA Technology
As this happens and spammers have a more difficult time breaking CAPTCHA codes through automated processes, spammers in emerging economies will devise a means to use real people to manually generate new accounts for spamming, thereby attempting to bypass the improved technology. Symantec estimates that the individuals employed to manually create these accounts will be paid less than 10 percent of the cost to the spammers.
IM Sick of Spam
Instant messaging is another avenue spammers will try to exploit as traditional channels are better protected by improved technology. IM threats will largely be comprised of unsolicited spam messages containing malicious links, especially attacks aimed at compromising legitimate IM accounts. In mid 2009, approximately one in 78 IM messages had hyperlinks that linked to domains known to host malware. Symantec expects 2010 to feature roughly one in 12 IMs with such hyperlinks.
As broadband connection penetration continues to grow across the globe, particularly in developing economies, spam in non-English speaking countries will increase. In some parts of Europe, Symantec estimates the levels of localized spam will exceed 50 percent of all spam.
The good, the bad and the ugly, it's all here. Now, we must learn from these trends and prepare for what's to come. After all, the Internet is a community, and while we may not all know each other, we are all connected. Just like in a physical community, if citizens take the time to be educated about the issues, to learn from the past and look towards the future, the community as a whole will be safer.
The Booming Criminal Underground Economy.
About the Authors
Zulfikar Ramzan is Technical Director for Symantec Security Response.