Corporate IT managers should re-double efforts to guard against targeted attacks, which will increase in scope and subtlety this year, according to security experts.
Attacks aimed at stealing vital personal and financial information are on the rise, according to a report from software firm CA Inc., based in Islandia, New York.
Phishing attacks are largely directed at consumers, but scam artistes are also infiltrating machines of enterprise employees. A common channel for such attacks are online porn or gambling sites workers may visit using their office computer, according to the report titled CA 2007 Internet Threat Outlook.
The report predicted we will witness the following trends:
• An increase in targeted attacks
• Continued evolution of blended threats and multi-component malware
• The rise of rootkits
• Exploitation of Web browser vulnerabilities;
• Greater Mac malware
• Increasing game password theft
Once inside a company’s network, malware can “harvest” intellectual property data or client information such as credit card numbers. The attackers can also implant “ransomware” that encrypts a firm’s data and renders it inaccessible until the business pays to get the information back.
The report said phishing e-mails directing users to verify their account number have by now become obvious, and will be replaced by smarter methods.
E-mail worms can be disguised as mail failure notices or seemingly credible notices from your bank notiyfing you of a breach in your account, the report said.
“People creating the threats have become much more subtle,” according to Sam Curry, vice-president of product management, CA. He said, since virus distribution has grown into a multi-million dollar “black market industry”, and malware designers now even have development and life-cycle groups that guide a malware’s evolution. While “run-of-the-mill” viruses that spread spam and disrupt companies’ systems get a lot of media attention, targeted attacks carry a more potent punch, according to James Quinn, senior research analyst at IT consultancy firm Info-Tech Research Group Inc. in London, Ont.
“Attacks such as the “I Love You” virus of yesteryears tend to stay in the public’s mind. However, targeted attacks can have a bigger impact on consumers and companies.”
Quinn said the loss or theft of client personal information or other negative consequences stemming from this could tarnish a company’s reputation.
In addition to using spam to distribute trojans, attackers will also increasingly resort to multi-phased exploits to control computers and steal private information.
“Malware writers continue to blur the line between trojans, worms, viruses and spyware,” according to Brian Grayek, vice-president, malicious content research for CA.
He said attackers will start to use a combination of techniques, or create software that combines the traits of several viruses to avoid detection, or to prolong a virus’ life.
E-mail, until now, has been the primary source of malware. But that’s about to change, according to Sophos PLC a global anti-spam and anti-virus software developer.
“E-mail will no longer be the main vector for downloading viruses,” said Ron O-Brian, senior security analyst for Sophos’ Boston office. He said a year ago Sophos estimated that one in every 41 e-mails contained a virus. In 2007, that number changed to one in every 337 e-mails.
O’Brien said attackers are finding other methods of disseminating viruses such as through links to spoofed Web sites. “Sometimes by simply clicking a link or visiting a site, users will open up their machines to malware.” The consensus among experts is that attacks are going to get more subtle and surreptitious. For instance, according to the CA report, attackers will also step up use of kernel-level rootkits that add code or replace a portion of a kernel code to control systems. CA said this method is especially attractive as it is very hard to detect.
As businesses embrace Web applications, criminal elements will be further motivated to identify browser vulnerabilities and find ways to exploit them.
Browsers such as Microsoft Internet Explorer Version 7 “may create [an] opportunity for abuse”, the report says, because it allows for easy installation of plug-ins.
According to the report, the surfeit of security features in Microsoft Vista might actually backfire. It may tempt some users to turn off the software’s security features and open their system up for exploitation. Quinn, said even so-called safe browsers such as Firefox are not safe. “The moment a browser is touted as safe, more people use it. When it gains a sizeable market share, the browser becomes an attractive target [for hackers].”
The recent release of Intel-based Apple computers has dramatically increased the number of systems using Mac OS X, but it has also opened up new systems for potential attacks said CA. The software company cited the instance of the Macarena parasitic file infector that was active in late 2006. The malware was initially created for Intel-based machines, but later used against OS X.
“Malware that uses a universal binary format that is capable of running on both PowerPC and Intel applications may be a harbinger of what to expect,” the report said.
Quinn, however, doubts Mac users have much to worry about. “The threat is there, but Mac users are simply too few to attract attackers. Perhaps, when the price of Macs comes down, and users increase, we’ll see more Mac attacks.”
The growing popularity of online games that involve money, such as online poker will spawn an increase in game password theft, said CA.
As the amount of money involved in online gaming increases, the sector will become a very enticing target. CA also expects to see a growth in underground distribution of executable protectors that secure malware from reverse engineering and detection.
Last year saw the extensive use of executable protectors guard legitimate software. In 2007, the report says, malware developers will use the same methods to protect their own interest.
How do companies and consumers protect themselves?
Security experts believe the best methods are still awareness and caution.
Curry said companies should institute realistic and well-thought out security policies that clearly inform all employees about the threats and what they should to avoid them. “Policies are useless if people are not aware of them, or think they are exempt and don’t comply.”
O’Brian cautioned against opening unsolicited e-mail, notices or links. He advises users to contact their IT administrator when in doubt about a particular message or link.
Quinn also said IT administrators or users must always keep up to date with the latest security alerts and patches. “Some patches are left un-acted on for days.”
