Phishing has come of age, Web application vulnerabilities are still a serious threat and viruses are a continual and growing network annoyance. These are just a few findings of the semi-annual Symantec Corp. Internet Security Threat Report released today. It covers the period of July 1 to December 31, 2004.
During the documented period the volume of phishing messages (e-mails designed to get individuals to log on to a fake version of a legitimate corporate site and enter their user name and password) grew substantially. Symantec’s own Brightmail anti-spam technology filtered an average of 4.5 million such messages a day at the end of the year, versus one million a day in July 2004.
“Attackers are always looking for the path of least resistance…with maximum benefit,” said the report’s executive editor Dean Turner, in Calgary. “Phishers use [e-mail] because it is an excellent medium.”
What concerns Symantec is the reason for the increase. “I think what probably disturbs us…most is the continued shift to financial gain away from…hacking for fame,” he said. The previous report (Jan 1 to June 30, 2004) pointed to an increased focus on financial gain. “It is certainly confirmed in this report,” he said. “I think it is a continuation of a trend that we have been seeing for some time. Attacks are getting increasingly sophisticated [and] attackers are looking for…novel ways.”
Scott Crawford, senior analyst with Enterprise Management Associates in Boulder, Colo., agrees. According to him, the most important story from the report is that “attackers are becoming more focused…around ways to gain tangible assets.” This leads them to practice identity theft or to gain access to information that can be sold, such as accounts at financial institutions.
Also of note was the increase in viruses and worms as the year progressed. For instance, in the last six months of the year there were 7,360 new viruses and worms, as opposed to 4,496 documented cases in the first six months. Regardless, 2004 was a bad year. The total — 11,856 — dwarfs the previous two years combined, when there were fewer than 4,000 in all.
If there is a silver lining in the numbers, it is that there are fewer families of new viruses and worms, Turner said. New versions tend to be reworks of a particular virus. The Bagle/Netsky war became a veritable alphabet soup of versions, with only a few bits changed from one to the next. Also, the six-month period did not see the release of a major worm of the Slammer or Code Red variety.
Crawford admits he was a little surprised that worms and viruses were not more destructive (actually erasing or changing data), but he says this is because “there hasn’t been a whole lot of innovation” in the field recently.
Another area of concern for Symantec was the increase in the number of Web application vulnerabilities. Though the increase was not as dramatic as for viruses and worms, it was still substantial.
Web application vulnerabilities almost doubled from the previous year’s same six-month period (from 369 to 670). Also, nearly half of all vulnerabilities documented from July to December were for Web applications. Turner said it is clear that the Web application vector “is a method…attackers have picked up.” Since Web apps allow users to bypass many firewall setups (after all, the idea of a Web app is to let you enter the system to carry out a transaction), the security ramifications of these vulnerabilities are substantial, Turner said.
“I think Web application security is going to be the story of 2005-2006,” Crawford said. Because attackers are focusing on areas with tangible benefits, Web applications are of particular concern since they often bypass security, he said. Crawford figures the number of vulnerabilities is higher than reported because many custom applications were not covered in the report.
Internet browsers also took a hit in the last six months of 2004. While none had more than four documented vulnerabilities in the first half of 2004, all (save Apple Safari, which had none) had more than five in the latter half of the year. The big losers were Microsoft Corp.’s Internet Explorer with 13 and Mozilla’s browsers with 21. Nine of IE’s 13 were considered high severity, as were 11 of Mozilla’s.
The data was gathered from more than 20,000 network-monitoring sensors in over 180 countries. Malicious code, spyware and adware data was gathered from more than 120 million client, server and gateway systems.