Spam declines, Web-based attacks rise, says MessageLabs

By Robert Westervelt, News Editor
04 Dec 2008 | SearchSecurity.com

Spam levels are down slightly in 2008, but Web-based attacks are skyrocketing, fueled by attackers defeating websites and tricking users of social networks, according to an annual report released by Symantec's MessageLabs.

MessageLabs, a managed messaging security services provider that tracks spam, phishing and Web-based attacks, said the annual average spam rate was 81.2% in 2008, a decline of 3.4% from a year ago.

Nearly all the spam is being distributed by botnets. Paul Wood, a senior analyst for MessageLabs, said the spam decline can be attributed to two events: the de-accreditation of EstDomains, an ISP suspected by many to be hosting the command and control channels for botnets, and the shutdown of McColo Corp., which was known to be a hosting provider for spammers and malware pushers. The Srizbi botnet, which was responsible for 50% of all spam globally, was affected immediately, Wood said.

"Although Srizbi still existed, it was unable to connect to its command and control channel," he said. "Rival botnets have been taking up the slack but they haven't reached the same level they were at before."

Although Srizbi hasn't returned to its normal level of activity, Wood said it was designed to stay active and will likely find alternative hosting, bringing the volume of spam back to previous levels.

"The operations that were disrupted really as a result of community action, but it's a lot of work," Wood said.

More alarming is the use of complex Web-based malware to infiltrate social networks and target flaws in legitimate websites. The daily number of new websites containing malware rose from 1,068 in January to its peak at 5,424 in November, MessageLabs noted in its report. Attackers are turning to social networks to design extremely targeted social engineering attacks, Wood said. Spammers and phishers set up fake profiles to try to draw fake friend requests and then begin harvesting information they can use before making their move, he said.

"If they know your background and the contacts you have they could take advantage of that in their communications and so far it's been extremely successful for them," he said.

A Canadian man was recently ordered to pay $873 million in damages to Facebook for hacking into the profiles of its members and using his companies to spam them with sexually explicit messages.

SQL injection attacks also fueled the increase. The average number of new malicious websites blocked each day rose to 2,290 in 2008 compared with 1,253 for 2007, an increase of nearly 83%, MessageLabs said. The increase can at least be partially attributed to the strength of the Asprox botnet.

The Asprox botnet was designed for phishing scams, but its owners tweaked it, adding code that makes it target vulnerable websites, Wood said. Asprox tries to exploit a flaw in the website and then injects malicious code into the database behind the website. When a victim lands on a compromised website, they don't realize malicious code is being loaded via their browser, spreading the botnet.

"These are not necessarily dodgy websites," Wood said. "It's usually JavaScript that tries to target a vulnerable browser in various ways, the computer gets compromised, they become part of the botnet and the trend continues."

MessageLabs, which has been tracking spam volumes and noting phishing and malware trends since 2005, said it will continue to release reports on the threat landscape. Symantec acquired MessageLabs in October. The acquisition was completed on Nov. 14.


