Beware of blended threats and phishing zombies in 2008

“Blended threats” – online security attacks that combine several techniques – are likely to become more pervasive in 2008, security industry insiders say.

Such threats are already “gaining momentum”, according to managed security services provider MX Logic Inc. in Englewood, Colo.

Blended threats reveal how malware distribution has become a “business model in the underground community,” says the security firm in its ‘2008 Cyber Threats Predictions’ document.

These threats are particularly insidious because they use multiple strategies to exploit known vulnerabilities – for instance, combining facets of hacking, computer-worm and denial-of-service attacks.

This “combo” approach lets an attack spread quickly and cause extensive damage in a short time.

MX Logic cites an example of how this could work in practice.

“A cyber criminal using a blended threat [could] install a key logger onto a PC that captures personal information while he or she simultaneously turns the machine into a spam zombie that pumps out thousands of unsolicited messages claiming to be from brands like Viagra and Rolex.”

In this scenario personal information can be sold for a profit, while the hacker also makes money selling time on a captured PC to spammers.

Another security expert, though, takes a different view on the issue.  

“By our definition, almost every threat is a blended threat,” said Marc Fossi, manager of security response at Cupertino, Calif.-based security products vendor Symantec Corp. “It’s like when Trojans from a malicious Web site install themselves on a user’s PC.”

He said this phenomenon is not new but it would continue. “And we’ll see greater numbers of this.”

Zombies go phishing

Increased sophistication among hacker gangs is likely to manifest itself in other ways as well.

For instance, Symantec Corp. in a document titled ‘Trends to Watch in 2008’ has predicted a “bot evolution”, where we’re likely to see phishing sites hosted by bot zombies.  

“It’s basically about automating [the process of] setting up phishing sites,” said Symantec’s Fossi.

In this scenario, he said, a bot master would use the bot to host the actual phishing Web pages and relay phishing e-mail messages out because of the automated nature of bots.  “They could easily have several phishing sites set up simultaneously.”

He said today, typically, many cyber crooks would compromise a computer or find free Web hosting to set up their phishing site. “When the site is taken down they would compromise another computer or a new Web host to set up an account on.”

But Fossi said if scamsters use a bot-compromised computer, it’s very easy for them to set up multiple sites at once, or to set up one site, and as soon as that gets taken down, to automatically set up a new one on another bot.  “It’s the redundancy factor for them. It’s almost like a failover mechanism.”
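The failover Fossi describes leaves a footprint a defender can look for: the phishing hostname keeps resolving, but to a different compromised machine each time, usually with a short TTL so the switch takes effect quickly. The script below is an added example written for this article, not code from Symantec or MX Logic. It runs a simple rotation heuristic over constructed passive-DNS style log lines (timestamp, domain, answer IP, TTL; all addresses are documentation ranges, not real infrastructure) and flags domains whose answers spread across several distinct IPs in several distinct networks at low TTL. The /16 prefix is used here as a stand-in for an ASN lookup so the example runs offline; that substitution, the thresholds and the log format are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records ("timestamp domain ip ttl"), invented
# for this example. Domains and addresses are documentation/test values only.
SAMPLE_LOG = """\
2008-01-10T09:00:00 secure-login.example.net 203.0.113.10 300
2008-01-10T09:06:00 secure-login.example.net 198.51.100.77 300
2008-01-10T09:12:00 secure-login.example.net 192.0.2.45 300
2008-01-10T09:18:00 secure-login.example.net 203.0.113.201 300
2008-01-10T09:24:00 secure-login.example.net 198.51.100.12 300
2008-01-10T09:00:00 www.example.org 203.0.113.5 86400
2008-01-10T09:30:00 www.example.org 203.0.113.5 86400
2008-01-10T10:00:00 www.example.org 203.0.113.5 86400
2008-01-10T09:00:00 static.cdn-example.com 203.0.113.30 60
2008-01-10T09:01:00 static.cdn-example.com 203.0.113.31 60
2008-01-10T09:02:00 static.cdn-example.com 203.0.113.32 60
2008-01-10T09:03:00 static.cdn-example.com 203.0.113.33 60
"""


def parse_log(text):
    """Yield (timestamp, domain, IPv4Address, ttl) tuples.

    Blank, malformed and non-IPv4 lines are skipped rather than raising,
    since real resolver logs are rarely clean.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, domain, ip_text, ttl_text = parts
        try:
            ip = ipaddress.ip_address(ip_text)
            ttl = int(ttl_text)
        except ValueError:
            continue
        if ip.version != 4:
            continue
        yield ts, domain.lower().rstrip("."), ip, ttl


def summarize(records):
    """Per-domain view: distinct answer IPs, distinct /16 networks, lowest TTL.

    The /16 prefix is an assumption standing in for an ASN lookup. A CDN
    typically hands out many addresses from one provider's space (one or a
    few networks); a site hopping between compromised bots lands on
    unrelated networks, which is what the failover described above looks like.
    """
    summary = defaultdict(
        lambda: {"ips": set(), "nets": set(), "min_ttl": None, "answers": 0}
    )
    for _ts, domain, ip, ttl in records:
        entry = summary[domain]
        entry["ips"].add(ip)
        entry["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        entry["answers"] += 1
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return summary


def flag_rotating_hosts(text, min_ips=3, min_nets=2, max_ttl=3600):
    """Return the sorted list of domains whose hosting appears to rotate
    across unrelated networks with a short TTL. Thresholds are assumptions
    for this example; tune them against your own resolver traffic."""
    flagged = []
    for domain, entry in summarize(parse_log(text)).items():
        if (
            len(entry["ips"]) >= min_ips
            and len(entry["nets"]) >= min_nets
            and entry["min_ttl"] <= max_ttl
        ):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, entry in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: {len(entry['ips'])} IPs, {len(entry['nets'])} networks, "
              f"min TTL {entry['min_ttl']}s over {entry['answers']} answers")
    print("suspected rotating hosts:", flag_rotating_hosts(SAMPLE_LOG))
```

On the sample data only secure-login.example.net is flagged: the single-address site fails the IP count, and the CDN-like name, despite four addresses and a 60-second TTL, stays within one network. That second case is the important one; a heuristic that looks only at address count and TTL will page you for every content delivery network your users touch.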

Both MX Logic and Symantec have predicted that the growth of Web services will pave the way for more advanced cyber attacks delivered through the Web browser.

“The Web browser is an appealing alternative for cyber crooks to push malware through email because it prompts the user to pull malware from a Web site,” the MX Logic Cyber Threat predictions report notes.

It says the social engineering possibilities are countless, as vulnerabilities within Internet Explorer and Firefox continue to be exploited. “This year,” it says, “the MX Logic Threat Operations Centre has recorded dramatic spikes in the number of Web-based threats.”

Symantec too expects the number of new Web-based threats to increase, as browsers continue to converge on a uniform interpretation standard for scripting languages, such as Java.

Fossi explains why.

Browser blast

“Say every Web browser is using the same Web code to interpret Java off a range of Web sites. Then a single vulnerability in that interpreter would affect all the browsers. The attacker would then be able to compromise a wide variety of hosts with a single exploit.”

He contrasted that with the infamous MPack attack from earlier this year, involving a kit of professionally written PHP software components (dubbed MPack) designed to be hosted and run from a PHP server with a database backend.
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html

MPack, Fossi recalled, implemented different exploit modules. “When users would go to the Web site it would try them one by one. The idea was really to affect the most users that it could.”

But with greater convergence, Fossi said, such a site would need only a single exploit, used against every visitor.

2.0 jeopardy

While the media spotlight today is on new and compelling Web 2.0 applications, security insiders say that in 2008 social networking sites will continue to serve as a breeding ground for a range of security threats.

MX Logic predicts cyber criminals will “seek new and more sophisticated ways to exploit social networking sites such as Facebook and MySpace.”

The company’s threat research team is already seeing instances of this new direction via blog spam and phishing.  It predicts “information looting through interactive communities” will become a common practice next year.

“In 2007, cyber criminals firmly established their intentions to focus on Web 2.0 applications,” noted Sam Masiello, director of threat management at MX Logic. “This trend, coupled with combined threats distributed through botnets, will reach critical mass in 2008.”

Security – a balancing act

At least one Canadian analyst, however, questions the relevance of such prognostications.

“How meaningful is it to say the threat landscape is changing this way or that when many Canadian organizations still need to take care of the fundamentals?” asked David Senf, director of Canadian security and software research at IDC Canada in Toronto.

He said there are basic things companies here need to do first. “For instance, if you have USB keys left around your company with all sorts of unencrypted and unprotected data, that’s one gaping hole that needs to be closed.”

He said organizations need to look at the internal threats first, while also exercising vigilance against external threats.

Part of the problem, Senf said, is that security is not a high priority overall among Canadian firms.

“Ask senior business execs and they would tell you their priority is reaching out to that next customer, getting the product features right.” CIOs too are attempting to balance a bunch of different priorities.

While it wouldn’t be realistic to say organizations should focus entirely on security,  it’s clear that they should devote more attention to it, at least from a risk-assessment perspective, the IDC Canada analyst said.

Senf said, of necessity, there would be huge differences in the security policies, practices and priorities of companies.

He said companies need to first identify which assets they are defending and where those assets sit; that would tell them what they need to be concerned about.

“Just because you learn about the latest attack vector doesn’t mean your organization needs to change its security policies, and strategy,” he said.

“The number one should be around employee training – and effective policy riding on how data is handled by employees. That’s certainly where a lot of the problems come from.”
