Computer crime for financial gain has taken a new course as vulnerability disclosures have become another profit-making exploit, according to a recently released security threat report.
In addition to more focused attacks on desktops and Web applications aimed at stealing identities and confidential information, vulnerability research seems to be taking a bite of the lucrative security market, according to Michael Murphy, vice-president and general manager, Symantec Canada in Toronto. Symantec released its ninth Internet Security Threat Report covering a six-month period from July to December 2005.
“We see a trend of vulnerability withholding, meaning there is now profit in discovering vulnerabilities [by] withholding them and trying to sell them to the highest bidder,” said Murphy.
Vulnerability research has created a black market where disclosures are being sold mostly to organized cyber criminals, a trend which only surfaced over the last 18 months, the Symantec executive said. Symantec expects this trend to increase even further as more criminals see greater financial gains from it.
“If [a cyber criminal] pays $1,000 for a vulnerability, yet I can exploit it and make $10,000, is that not a good business to be in?” said Murphy, adding this development is in line with a shift in attack motivation from bragging rights to financial gain.
Vulnerability research also seems to have become a “fashion” among security researchers at the expense of software companies that are working hard to improve security, commented Howard Schmidt, CEO of R&H Security Consulting in Issaquah, Wash. “It’s almost becoming fashionable for researchers to go after (software) companies in order to get a job in security,” he said. “It almost sounds like extortion to me.”
The Symantec report also indicated that attacks for profit are still increasing and the new targets are desktops, Web applications and Web browsers. Most perimeter defences generally allow Web traffic to pass through the network, because it is needed to conduct business online or access Web applications. By targeting desktops, hackers are able to capture users' personal and financial information and use it for financial gain, explained Murphy.
“There’s no money to be made in perimeter defense attacks; attacking a firewall or a router in the past was [aimed at bringing] down an organization’s network or computing infrastructure,” he said. “More personalized attacks allow perpetrators to make money off of them.”
Of the top 50 malicious code samples, threats that could potentially expose confidential information rose from 74 per cent to 80 per cent during the last six months of 2005.