Check out our previous article

Symantec Report: Attacks Increasingly Target Trusted Web Sites

Summary: The Internet has become the primary conduit of attack activity, and online users are increasingly infected simply by visiting everyday Web sites. At the same time, the number of new malicious code threats is skyrocketing.

Those are among the top conclusions of the latest Symantec Internet Security Threat Report (Vol. XIII, April 2008), which details trends and impending threats that were observed from July 1 to December 31, 2007. The report draws on security intelligence data gathered from an extensive range of sources, including millions of Internet sensors in over 180 countries.

Previously, users had to visit intentionally malicious sites or click on malicious email attachments to become a victim of a security threat. But today hackers are compromising legitimate Web sites and using them as a distribution medium to attack home and enterprise computers. According to the Symantec report, attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. "Avoiding the dark alleys of the Internet was sufficient advice in years past," said Stephen Trilling, vice president of Symantec Security Technology and Response, in a statement. "Today's criminal is focused on compromising legitimate Web sites to launch attacks on end users, which underscores the importance of maintaining a strong security posture no matter where you go and what you do on the Internet."

The rise of site-specific vulnerabilities

During the last six months of 2007, there were 11,253 site-specific cross-site scripting vulnerabilities reported on the Internet, compared to 6,961 in the first half of the year, according to the report. These refer to vulnerabilities found in individual Web sites. However, only 473 (about 4%) of these vulnerabilities were patched during the same period, representing an enormous window of opportunity for hackers looking to launch attacks.

In the words of the report: "These vulnerabilities are a concern because they allow attackers to compromise specific Web sites, which they can then use to launch subsequent attacks against users. This has shown to be an effective strategy for launching multistage attacks and exploiting client-side vulnerabilities."

Symantec also found that phishing continues to be a vexing problem. In the last six months of 2007, Symantec observed 87,963 phishing hosts (i.e., computers that can host one or more phishing Web sites). That's an increase of 167% compared with the first half of 2007. Of the brands targeted by phishing attacks during this period, 80% were in the financial sector.

In addition, the report determined that attackers are increasingly seeking confidential end-user information that can be fraudulently used for financial gain. In the last six months of 2007, 68% of the most prevalent malicious threats reported to Symantec attempted to compromise confidential information.

A maturing underground economy

In the previous Threat Report, a recurrent theme was the increased professionalization and commercialization of malicious activities. During the current reporting period, this tendency has continued to the point that Symantec believes it has evolved into a mature, consolidated underground economy. Symantec found that a full identity can be purchased in the underground economy for as little as $1. One characteristic of this maturing underground economy involves the outsourcing of malicious activity.

Automated phishing toolkits are an example of such outsourcing. A phishing toolkit is a set of scripts that allows an attacker to automatically set up phishing Web sites that spoof the legitimate Web sites of different brands, including the images and logos associated with those brands. In the words of the report: "Phishing toolkits are developed by groups or individuals and are sold in the underground economy. These sophisticated phishing kits are typically difficult to obtain and expensive, and are more likely to be purchased and used by well organized groups of phishers, rather than average users."

Symantec observed that the popularity of individual phishing toolkits changes quickly, which reflects the need for phishers to adapt in order to avoid detection by anti-phishing software. The change in phishing toolkits during the current reporting period also indicates that the number of toolkits is increasing and that attackers are using a greater number of different toolkits.

View our previous issues

• Ongoing Evolution of Online Fraud

• Striking Back at Identity Thieves

• Managing the Remote and Mobile Workforce

• Security 2.0 and the Challenge of Managing User Identities

• Making Compliance Part of the 'IT DNA'

• Under Pressure: Outsourcing IT

• A Comprehensive Approach to Securing and Managing Endpoints

• A Closer Look at Endpoint Security

• How Compliance Controls Can Minimize Data Loss

• The Evolution of Malicious Code

• Symantec Report Takes Aim at Persistent Myths About IT Risk