Monday, March 19, 2007

We're Number One! ... For Malicious Internet Activity

By Lisa Vaas
March 19, 2007

Romanian hackers, eat your hearts out: The United States has far and away the most malicious code, spam, phishing, attack and bot network activity on the planet, according to Symantec's most recent semi-annual Internet Security Threat Report.

In this, the 11th edition of the report, Symantec has for the first time ranked countries by their share of Internet malfeasance. Tapping into its global intelligence network, Symantec found that the United States was the source of 31 percent of all malicious activity worldwide. China came in second with 10 percent, and Germany came in third with 7 percent.

But bear in mind that not all of the bad U.S. apples necessarily originate within the United States, said Dave Cole, a director in Symantec's Security Response division. "Inside U.S. borders can be a playground for international hackers," he said in an interview with eWEEK. "How much is U.S.-based and how much is driven from outside is anyone's guess."

Because raw counts are skewed toward industrialized countries with large Internet populations, Symantec also broke the numbers down by the percentage of a country's Internet users that are up to no good. "The more [Internet users] you have, the more likely more will be bad apples and that more people will be targeted," Cole said. "Though [owners of zombie PCs] are innocent except for maybe not cleaning their machines when they're hacked."

Dividing each country's malicious activity by its number of Internet users, Symantec found that Israel has the highest rate of malicious activity per Internet user, at 9 percent. Taiwan came in second, with 8 percent, and the United States came in third, with 6 percent.

Between July 1 and Dec. 31, 2006, Symantec also found that 51 percent of all underground economy servers known to the company were located in the United States, the highest total of any country. In that underground economy, your credit card, with its card verification number, will fetch between $1 and $6. Your identity is pricier, going for $14 to $18 for a bundle including your U.S. bank account, credit card, date of birth and government-issued identification number.

Symantec also notes that your credit card and identity are more attractive to e-thieves nowadays than financial services institutions themselves, which drew the bulk of attacks in previous periods. "The attackers here are just playing the numbers," Cole said. "The biggest attack for many, many years has always been financial services. They'd go where the money's at, sneak in the back door, get in and steal the customer database and quickly get in and out before anybody notices."

Unfortunately for online thieves, banks got smart and beefed up their security. With bank security so much harder to crack, hackers have decided to pick customers' pockets instead of sticking up the bank itself, Cole said. "Why do 'Ocean's Eleven' [a film featuring painstakingly elaborate thievery] when you can just hold up 7-11?" Cole asked.

Cole emphasized that these observations pertain to loosely organized online criminals, not organized crime. Of non-organized criminals, 93 percent are targeting home users, Symantec estimates.

Preferred methods of online scams differ from region to region. According to Symantec's research, banking Trojans are popular in South America. In China and elsewhere in Asia, where online gaming is popular and a market for virtual possessions is thriving, gaming Trojans are common, Cole said. "We're seeing threats getting more regionalized, and the threat depends on what region you're interested in," he said.

Malicious activity on the Internet has obviously changed considerably since the Slammer worm, Cole said. "[Slammer] pretty much crashed through the Internet and knocked things over," he said. "Guys were pounding their chests and slapping their buddies' hands when they wreaked havoc. Nowadays, they'd rather drive across town in a Ferrari with their pals and their ill-gotten goods."

Malicious code sniffing out confidential information such as credit card numbers increased from 48 percent of Symantec's Top 50 malicious code reports in the first half of 2006 to 66 percent in the second half. Threats that log keystrokes and export sensitive user and system data increased, with keystroke loggers now making up 79 percent of threats to confidential information.

This report is the first in which Symantec assessed data breaches that exposed information that could result in identity theft. The company found that during this time period, the government sector accounted for most of the data breaches that could lead to identity theft, with 25 percent of the total.

The most common way for organizations to lose our data was theft or loss of a computer or other data storage or transmittal medium, such as a USB key or a backup disk. Fifty-four percent of all identity theft-related data breaches in the second half of 2006 were made up of such losses. The second most common cause of data breaches that could lead to identity theft was insecure policy, which accounted for 28 percent of incidents.

Zombies thrived in this time period, as well. Symantec detected 11 percent more active bot-infected computers than in the previous period, with an average of 63,912 spotted daily. The worldwide total of distinct bot-infected systems rose to about 6,049,594, a 29 percent increase. The number of command-and-control servers decreased by 25 percent to 4,746; Symantec theorizes that this is due to bot network owners consolidating and expanding their networks rather than to any decline in botnet activity.

Zero-day vulnerabilities also rose during this period. Symantec documented 12 zero-day vulnerabilities being exploited by Trojans, a significant increase over the first half of 2006 and the second half of 2005, when only one zero-day vulnerability was documented in each reporting period. Most of the zero-days in late 2006 were client-side vulnerabilities affecting Office applications, Internet Explorer and ActiveX controls. Attackers are "increasingly using zero-day vulnerabilities as the first step in establishing coordinated networks of malicious activity," Symantec said in a release.

Trojans increased significantly in late 2006 as well. They made up 45 percent of the volume of malicious code reports, compared with 23 percent in early 2006. While Trojans made up 45 percent of malicious code reports, they made up 60 percent of attempted infections.

"Symantec has observed high levels of coordinated activity between threats, including spam and phishing," Symantec said in its release. "Often, Trojans are used to install spam zombies or phishing Web sites on compromised computers in order to facilitate fraud or other criminal activities."

In late 2006, spam made up 59 percent of all monitored e-mail traffic, Symantec found—an increase over early 2006, when 54 percent of e-mail was classified as spam.

Symantec found that the rise in spam was primarily due to pump-and-dump stock scams. The top detected spam category, at 30 percent, was related to financial products and services.

Unique phishing messages also increased in late 2006, with 166,248 unique messages, or an average of 904 unique phishing messages per day. Phishing attacks primarily used financial services as bait, with that sector accounting for 84 percent of the unique brands used in phishing attacks. Financial services also made up 64 percent of phishing Web sites. Forty-six percent of all known phishing sites were hosted in the U.S.

Here's what Symantec forecasts for future threats:

More Vista threats will appear, with vulnerabilities, malicious code and attacks focused against Vista's Teredo platform. Teredo is a tunneling mechanism that carries IPv6 traffic over IPv4 networks, including through NAT devices, and can expose IPv6-reachable services on hosts that administrators believe are reachable only over IPv4.

Attackers will focus on third-party applications that run on Vista.

New phishing economies will develop in which phishers expand their targets to include new industry sectors, such as massively multiplayer online games.

Phishers will develop new techniques, such as ready-made phishing kits, to evade antiphishing solutions such as block lists.

Spam and phishing will increasingly target SMS and MMS on mobile platforms.

New attacks will be developed to hit virtual environments as a way of compromising host systems.
