Antivirus vendor Symantec detected more than 286 million malware threats last year, signaling a big jump in the volume of automated cyber threats.
The Mountain View, Calif.-based company said in its 16th annual Internet Security Threat Report that threats are not only more numerous, but they’re also more sophisticated. In the cat-and-mouse game between authorities and cybercriminals, it looks like the good guys are being overwhelmed.
The year was full of targeted attacks, social networking threats, mobile device attacks, and automated attack toolkits.
“We’ve seen seismic shifts in things like the mobile landscape,” said Gerry Egan, director of Symantec Research Labs. “The attacks are more sophisticated. There’s still a lot of education that has to happen to reduce the behavior that cybercriminals exploit.”
Targeted attacks included Hydraq, a Trojan horse attack that compromised Google and many other companies, and Stuxnet, a sophisticated virus that went after Iran’s nuclear centrifuges. Stuxnet in particular was so sophisticated it gave hackers a new arsenal of weapons. Stuxnet tapped four previously unknown vulnerabilities to break into computer systems.
The targeted attacks were also effective because they first allowed hackers to break into enterprises and then allowed them to study the habits of individuals within those organizations. That allowed them to tailor social engineering techniques — or trickery — to fool those individuals into falling for malware schemes. These kinds of attacks had higher success rates.
Social networks also grew as an attack distribution platform because people give more trust to social networking messages or chat requests from their friends — a kind of trust they once reserved for email but now no longer do given the volume of email spam. Sharing short URLs (web links) was an effective trick to get people to go to malware sites. Attackers posted millions of these short links on social networking sites. Those short links were usually placed on news feed features where people update their status. About 65 percent of the malicious links in news feeds used short URLs. Of these 73 percent were clicked 11 times or more.
Attackers have also changed their infection tactics, increasingly targeting vulnerabilities in the Java programming environment to break into traditional computer systems. Java accounted for 17 percent of all vulnerabilities affecting browser plug-ins in 2010. Automated attack kits targeting web sites were responsible for two thirds of all web-based threats. And the number of web-based attacks per day increased 93 percent in 2010 compared to 2009.
And attackers are targeting mobile devices as more people use them for mobile computing and web surfing. Users aren’t as suspicious about encountering malware on mobile devices since the threats are relatively new. Symantec expects attacks on mobile platforms to increase over time. In 2010, most malware attacks were Trojan Horse programs posing as legitimate apps, distributed via public app stores. Symantec found 163 vulnerabilities in mobile phones during 2010 that could be used by attackers. That number was up 42 percent from 115 in 2009. In the first few months of 2011, these weaknesses have been used to infect hundreds of thousands of phones.
On average, more than 260,000 identities were exposed per data breach in 2010. Symantec found that the 286 million malware threats exploited 6,253 new vulnerabilities. (One vulnerability can be used to launch many attacks). Those threats were used in 3 billion attacks.
Botnets, or networks of compromised machines that are controlled by hackers, were still a huge problem. Rustock, the largest botnet, had more than 1 million bots under its control during the year. Hackers put those bots up for rent, and it cost as little as $15 to rent 10,000 bots. The price for a stolen credit card number ranged from 7 cents to $100 per card on the cyber underground.
Symantec gathers data from 240,000 points on the web in more than 200 countries and it gets intelligence from more than 133 million systems that use its antivirus products.
Calling all mobile executives: This April 25-26, VentureBeat is hosting its inaugural VentureBeat Mobile Summit, where we’ll debate the five key business and policy challenges facing the mobile industry today. Participants will develop concrete, actionable solutions that will shape the future of the mobile industry. The invitation-only event, located at the scenic and relaxing Cavallo Point Resort in Sausalito, Calif., is limited to 180 mobile executives, investors and policymakers. We’ve pretty much finalized the invite list, but have a few spots left. Request an invitation.