If there’s one big lesson Internet users should learn from 2008’s security threats it is to trust no one – not a message on your Facebook wall, or even a video acceptance speech by the American President-elect.
Security experts say Canadians have become much more web-savvy and are no longer falling for conventional cyber scams.
But 2008’s threats were far more innovative than those of previous years.
As 2008 draws to a close here are this year’s top five security threats – as identified by security vendors Sophos and Zerospam and a preview of what they expect to be battling in 2009.
1. A surge in Web-based attacks
As e-mail users became more cautious of messages sent to their Inbox, criminals have moved malware to the Web.
There is a Web-based attack every four and a half seconds, according to U.K.-based Sophos’ security threat report for 2009. The report says Web-based attacks were three times more popular in 2008 than 2007.
When user input on a Web form is incorrectly filled out – the code “peppers the database with malicious instructions,” according to the Sophos security threat report for 2009.
In September of 2008, BusinessWeek Magazine was infected with a SQL injection attack, which attempted to download malware from a Russian-based server. The video blogger support page on the Adobe Web site was similarly attacked in October.
“This new development is very dangerous,” said Graham Cluley, senior technology consultant at Sophos.
“We used to tell people to be careful of gambling or pornography sites, but now they can be infected on any Web page – places they typically feel safe.”
2. Resurgence of e-mail attachment malware
Sending malicious e-mail attachments has become five times more popular than last year, Cluley said.
The trend became more pronounced this July and continued to rise until the year end.
One common instance of this scam was messages sent to users’ Inboxes purporting to come from a well-known company, such as UPS.
The message would say a courier tried to deliver a parcel and the user owed a fee, or had been charged for a service.
Upset at being wrongly billed, many users would instinctively click on the provided link and input their credit card information to try and correct the mistake.
“The new e-mail attachment malware works by exploiting the bug in people’s brains. Human vulnerability is the real challenge,” Cluley said, “and this trend will continue into 2009.”
3. Rise of scareware
Scareware, or phony security warnings, have increased tremendously over the last year.
The scam works by sending users a pop-up message saying the computer needs to complete a virus scan. The user would then run the fake scan, ultimately discovering a virus that needs to be fixed for $50.
“The user was never infected,” Clueley said, “it is a complete scam. They prey on user’s vulnerability by sending other messages saying you have child porn on your computer (even though you don’t) and you think, oh crumbs, I just want to repair it as quickly as possible.”
On average, there are five new scareware Web sites created every day, he said. On a peak day, as many as 20 new scareware companies are started.
When Web pages are removed they are put up again the next day under a new name. And they are very professionally designed with an “About Us” section and “Product Reviews.”
4. Spam becomes more professional
Spam is increasingly being sent on social networks such as Twitter, Facebook or MySpace, Cluley said.
Most Facebook users, for instance, put a lot of trust in their “friends” and are more willing to click on a link posted on their “wall” rather than an e-mail.
“Web 2.0 will be a big area of growth as spammers find it more difficult to fool people in real e-mail.”
But spam is increasingly malicious.
Most spam today usually aims to steal the users’ identity, rather than peddle products such as Viagara, he said. According to ZeroSpam, approximately 95 per cent of all e-mails sent are spam.
The U.S. is the biggest host of malware, the Sophos report found, and more spam is relayed from that country than any other country worldwide.
When one ISP was accused of working with the spammers this year and was disconnected, there was a 75 per cent reduction in spam on the Web, according to the Sophos report.
In Canada, efforts to battle rogue ISPs have paid off. Canada used to be number two in the world for relaying spam, but was not on the top 10 list this year.
However Canada is still unable to prosecute individuals who send malicious spam as it still doesn’t have a valid anti-spam law, notes ZeroSpam presisent David Poellhuber.
The private member’s bill on spam currently before the legislature could reduce the number of threats for 2009. But it is unclear whether the bill will be passed, especially in a minority government.
The other problem is Canada does not have anyone to enforce the law – it would require a lot of new resources, Poellhuber said.
Botnets or networks of infected machines controlled by scamsters, also rose significantly in 2008, Poellhuber said.
Cybercriminals use botnets as a weapon to steal information, block a service, or increasingly to send spam to users who come in contact with the botnet and their contact books.
Botnets have been on the rise since 2006 but this year, ZeroSpam found huge botnets with 200,000 machines connected.
Users are unlikely to notice if they are infected as bots usually act surreptitiously. They often have a legitimate name. Sixty per cent of victims don’t know they have one on their computer, Poellhuber said.
Shutting down big control and send centres, such as McColo helped cut the number of botnets in half and also drastically reduced the percentage of spam.
But both numbers are starting to pick up, he said, and will reach similar volumes by 2009.
5. Phishing becomes sophisticated
Phishing techniques in spam have become far more advanced than in the past, Poellhuber said. For instance, Royal Bank phishing scams are sent to .ca addresses and Desjardins Bank scams are written in French.
Phishing scams are also targeting Facebook users in new ways by looking at personal credentials and tailoring e-mails to personal tastes.
Cybercriminals are also using the most popular news events to maximize their reach when sending out e-mails.
Phishing campaigns using the presidential election, the Beijing Olympics and even the terrorist attacks on Mumbai were some of the more successful initiatives carried out this year.
What to expect for 2009
There won’t be a lot of new threats in 2009, Cluely said, as crooks concentrate on what works well. So users should be learning about current threats and purchasing the appropriate anti-virus tools to protect themselves.
According to Sophos, there will be more attacks on non-executable files, such as Microsoft Word and Adobe PDF.
Cybercriminals will increasingly exploit vulnerabilities in Word and booby-trap files rather than direct users to an infected Web page, Cluley said.
“People are more prepared to open and surf a PDF file than they are to download a file. They don’t view it as dangerous.”
There will also be an increased risk of data theft in 2009, he said.
With more companies letting staff go and getting rid of old equipment, there is a greater chance of companies losing data due to staff theft.
This has a potential to really embarrass or even financially devastate an organization.
The Duchess of York is one high-profile individual who had her laptop stolen recently, Clueley recalled, noting how this created panic in the Royal Family about the effect her personal photographs and files could have on their reputation.
“Imagine if this happened to a CEO who was about to close a deal,” he said. “The credit crunch could really exaggerate these types of accidents.”
The increased use of mobile phones and falling laptop prices could also prove to be a problem for many companies, according to the Sophos report.
Cybercriminals are increasingly turning their attention to Apple devices and vulnerable cross-platform software, especially with the popularity of the iPhone.