The unprecedented barrage of Web-borne malware in 2008 is falling in very unexpected patterns, striking users in select -- and somewhat surprising -- verticals in far greater numbers than others.
A study, The Vertical Risk: Web-Delivered Malware Impact by Industry by ScanSafe Inc., analyzed how many times its Web security service blocked malware when users browsed compromised Web pages. The result showed the highest incidence in four startling verticals: energy and oil, pharmaceutical and chemical, engineering and construction, and transportation.
At the other extreme with the lowest incidence of blocking Web malware, were aviation and automotive, healthcare and insurance.
The question the research leaves unanswered is: "Why?"
"I was really surprised; these are not the verticals I would have anticipated," said Mary Landesman, senior security researcher at ScanSafe. The results were sorted into 21 verticals.
The report said the researchers expected that malware exposure would reflect surfing habits and that high-risk verticals would be things like travel and entertainment, which was fifth highest, and media and publishing, which was well below the median. Certainly, they did not expect to see the four sectors that were far and away at highest risk.
The numbers are unassailable, based on an average of 17 billion Web requests and 170 million malware blocks per month from Jan. 1 through Sept. 30. Assuming the employees in these organizations are not, on the whole, stupider than their peers in other industries or more prone to dangerous Web surfing habits, the results are very confounding. The natural speculation is that there is a good deal of social engineering taking place in these verticals, and, by inference, targeted attacks. There's some evidence to suggest that may be the case.
"That's my hunch," said Landesman. "The number of unique variants and the higher number of outbound attempts point to social engineering."
The malicious outbound requests were overwhelmingly higher in the three worst sectors. This reflected requests that did not come from typical user behavior -- clicking on a link from Google, or typing in a URL from another Web page. Rather, they went directly to the compromised website, pointing to a user who was somehow manipulated, or a request from an already compromised PC.
The number of unique malware variants found in the hardest-hit sectors also suggests some deliberate focus on them.
"When you look at the individual number of variants and they still come out so much ahead, it's very concerning," said Landesman. "It indicates they're getting more than their fair share of socially engineered attacks."
This disturbing pattern comes in a year when the growth of Web-delivered malware has gone off the charts, actually starting late last year, Landesman said. ScanSafe's July Global Threat Report showed more Web-borne malware that month than in all of 2007. October was up another 21%. She points to a convergence of three factors fueling the fire:
- The maturity of Web 2.0 and the "sheer number of websites and inexperienced people who are able to put up websites."
- Automated tools that allowed for discovery of vulnerable Web servers and sites. Attackers no longer have to manually probe for vulnerable targets that are slow, inefficient and exposed the attacker to discovery.
- Exploit frameworks available in the public sector. These are prebuilt with exploits that make it easy and cost effective to push out and deliver payloads.
That's discouraging enough, Landesman said, but the possibility of a strong focus on targeted verticals makes the huge numbers even more disturbing.
"I was looking for people that did heavy, heavy research so they were of necessity visiting lots of different and diverse Web sites, based on my expectations of what I believed was leading to much of this," she said. "In fact, there appears to be a great deal of social engineering involved. And I have to question that there is some sort of targeting."