Attackers proved in 2009 that social networks could be used to spread malware and trick users into giving up their data, but in 2010, according to two senior Symantec researchers, cybercriminals will turn to more sophisticated methods, including using social network architectures for the backbone of their attacks.
To get security news and tips delivered to your inbox,
In an effort to sustain growth and pick up new users, more social networks are opening up their architecture to allow third-party applications. Cybercriminals can take advantage of this by developing applications out of the social network environment to target users. In addition, access to social network APIs gives attackers a roadmap to vulnerabilities in legitimate third-party applications and a way to tap into user accounts.
"The bad guys can implant malicious code into the social network application and gain access to personal information and other data," said Paul Wood, senior analyst at MessageLabs Intelligence at Cupertino, Calif.-based Symantec Corp. "As the applications themselves become quite enticing and they may in turn be generated with some other purpose in mind … there may be less reputable motives behind some of these applications."
Wood and Zulfikar Ramzan, technical director of Symantec Security Response, presented their predictions for 2010 during a presentation this week. Many of the data security risks will be more of the same, the two researchers said. Drive-by downloads will continue to target people who fail to fully patch Web browsers and third-party plug-ins; rogue antivirus programs will continue to trick victims into buying software they don't need, and botnet operators will continue to control hordes of zombie machines to spread spam and harvest personal information.
2009 security threat predictions:
Encryption, DLP, disaster recovery topped 2009 priorities: Information Security magazine's annual Priorities 2009 survey identified data protection and disaster recovery among the top priorities for security managers.
Ramzon said that while attackers will use much of the same tactics, they will learn to sharpen their methods to evade security technologies and enable cybercriminal gangs to pull in more money. Rogue security software, which was successful in 2009 with the spread of the Bredolab downloader could move into instances of computer hijacking, rendering them useless, he said.
Researchers have seen changes in malware in 2009 with cybercriminals producing multiple variants to trick antivirus signatures. While 2010 malware will be similar, targeted or specialized malware will aim at embedded devices, predicts Wood. Attackers will target ATM vulnerabilities, errors in electronic voting systems and even holes in systems that provide premium pay-per-view content to get access to streaming movies.
"It requires a significant degree of insider knowledge about the way these systems work and the ways they can be exploited," Wood said. "Seeing attacks against vulnerabilities in systems like computer-aided designed tools are not going to be mass marketed, but they're very useful for a targeted attack if you want to gain access to an organization."
Both researchers said instant messaging could represent a new way for attackers to spread malicious links. Many social networks are incorporating instant messaging features, and when combined with the high level of trust users have on social networks, they could create a lucrative environment for cybercriminals. Some attackers may combine URL shortening with spam techniques and instant messaging giving them a greater chance of success.
"There's a level of trust built up on these sites that if a user gets a message from someone on their buddy list, they're more likely to click on a link," Wood said.
Wood said currently 1 in 400 instant messages contain some form of hyperlink and 1 in 78 of those hyperlinks are associated with a malicious website. That number is expected to increase to 1 in 12 as the adoption of instant messaging within trusted frameworks increases.
Mac users are no longer immune
As in any business, cybercriminals need a large audience to generate enough successful attacks to make the effort worth it. Until now, Mac users have been relatively immune to the onslaught of attacks targeting operating system flaws. Apple users can become a victim of the company's success. As its marketshare increases in both Apple computer and smartphone sales, the opportunity for attack increases, Ramzon said.
"In 2009 we saw Macs and smartphones targeted more than in the past, and we expect that trend to continue," he said.
Smartphone popularity is also resulting in renewed interest from hackers, Ramzon said. The Sexy Space botnet was aimed at the Symbian mobile device operating system and the OSX.Iservice Trojan targeted Mac users in 2009. Malware authors will see more money making opportunities as a result of Apple's increased marketshare and the growth of smartphones in 2010, he said.
An interest in Mac users doesn't mean Windows users can breathe any easier. Windows 7 adoption is sure to increase next year and with that, hackers will be probing the new OS for vulnerabilities to give them a way in, Ramzon said.
"We're dealing with large and fairly complex systems with literally many, many millions of lines of code, so to me it's not a matter of if the vulnerabilities crop up, it's a matter of when they are going to crop up," he said. "Microsoft's new operating system is no exception to this rule, and as Windows 7 hits the pavement and gains traction in 2010, attackers without a doubt are going to find a way to exploit the people who use it."
So far, Microsoft has had two known vulnerabilities in its latest OS. While many enterprises have gotten a handle on patching systems for OS vulnerabilities, third-party plug-ins in browsers and Internet-facing applications such as PDF readers and Flash players, have remained a pesky problem for IT security pros, he said.
"We will probably expect to see attackers look for vulnerabilities in both the applications that run on top of these platforms as well as the human psychological vulnerabilities of the person who operates the applications," Ramzon said.