2013 ISTR Shows Changing Cybercriminal Tactics

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, an increasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, bringing the average number up to 116 per day, with a corresponding increase in data theft and incidents of industrial espionage. Attackers appear to be changing their targets as well. Small businesses make up a larger percentage of those targeted for attack than in 2011—a threefold increase—with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are evidently finding valuable data to steal from such small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks.

One of the most significant innovations in targeted attacks is the emergence of watering hole attacks. The attackers compromise the security of a website that an intended target is likely to visit and once the target visits the website, their computer becomes infected with malware. This successful tactic, popularized by a group known as the Elderwood Gang, has infected up to 500 companies in a single day.

Data breaches declined in 2012, but the number of identities stolen increased, totaling nearly 240 million. Healthcare, education, and government accounted for the majority of these identities stolen, and while most reported breaches were due to outside attacks, the risk of insider-caused attacks remains high.

Vulnerabilities, exploits, and toolkits

Zero-day vulnerabilities increased to 14 in 2012, and overall vulnerabilities rose to 5,291. Also increasing are mobile vulnerabilities, up to 416 discovered last year. Cybercriminals use these vulnerabilities to compromise the security of their targets, which are particularly vulnerable when they fail to frequently apply patches and updates. This failure on the part of IT is largely responsible for an increase of 30 percent in attacks while new vulnerabilities are increasing at a much slower pace.

Even those without technical skill can become cybercriminals through the use of toolkits, which use previously discovered vulnerabilities in browsers and plugins to perpetrate attacks. The toolkit called Blackhole made up 41 percent of all Web-based attacks in 2012.

Social networking, mobile, and the cloud

Social networks are the new source of spam, with fake offerings making up 56 percent of social media attacks. These are made easier by the personal information made publicly available and the propensity of people on these sites to share links and data with others. Other tactics include creating fake “like” buttons that install malware, or tricking users into downloading fake browser extensions.

Mobile vulnerabilities are rising, with 387 reported for Apple iOS alone. By contrast, the Android platform only showed 13 vulnerabilities, yet its large market share, open platform, and multiple distribution methods for applications, likely accounts for the fact that the majority of mobile threats are directed at Android devices (158 of 163 unique threats). Overall, mobile malware increased by 58 percent in 2012.

As more businesses take advantage of cloud computing, they enjoy overall greater security and lower costs. But there are security concerns with the cloud as well. Retrieving data from a disreputable cloud provider can be a challenge, and attackers are discovering that attacking these providers can yield large amounts of data. In the future, attackers may also begin to attack virtual machines that are used to support the cloud infrastructure.

Spam, phishing, and malware

As social media spam picks up and authorities crack down on botnets, traditional spam has been declining slightly from 75 percent of all email in 2011 to 69 percent in 2012. Pharmaceutical spam has been replaced by adult/sex/dating spam as the most common form, accounting for 55 percent of spam. Despite the decline, 30 billion spam emails are still sent each day. The shift in cybercriminals’ tactics is also evident in the decline of email as a phishing vector. Overall, one in 414 emails is now a phishing attempt, down from one in 299 in 2011.

Malware is found in one out of every 291 emails, and among those emails 23 percent contain URLs linking to websites with malicious code. Every day, approximately 247,350 Web-based attacks were blocked, an increase of 30 percent over 2011. 2012 also represented the first wide-spread case of malware specifically targeting Macs, with the Flashback attack exploiting a Java threat to infect over 600,000 Mac computers. The number of Mac-specific threats is now on a general upward trend. Other new malware attacks include ransomware, which locks the computer until the user pays a fee to the cybercriminal.

For more details on the current threat landscape, see the full ISTR.