Second half of 2011 reflects shifting trends in cyber crime business, M86 reports

By | February 08, 2012


The percentage of email messages containing malicious links or attachments is high, even as the volume of spam has dropped sharply in the last year, according to a report by web security company M86. The report provides some good insight into the techniques and, if you will, the shifting business trends in the cyber criminal community.

Those trends are manifested in several ways. For example, the M86 Security Labs report for the second half of 2011 notes a remarkable spike in email with malicious attachments in August and September, which fell off precipitously later in the fall. The exploit kit business was shown to be highly volatile, as the Blackhole kit accounted for 95% of all malicious URLs, while Neosploit, the leader in the first half of 2011, all but disappeared.

It’s a matter of having an effective product and support, says Bradley Anstis, M86 VP of technical strategy. Cyber criminals, like any other customers, look for competitive pricing, high infection rates, an easy user interface, excellent customer support and regular updates with the latest exploits.

“Blackhole has taken off because it has a good user interface, very good support and is the quickest out to exploit vulnerabilities, issuing regular updates all the time,” says Anstis.

Ease of use and support are not trivial.

“The computer expertise of the average cyber criminal is a lot lower than it used to be,” Anstis notes. “The barrier of entry has been getting lower.”

The short-term spike in malicious email attachments may be something akin to a successful marketing campaign. While most enterprises are justifiably on the alert for web-based threats, a couple of bad actors may have tried an attachment-based campaign, gotten good response and infection results, and ridden it until it petered out. Overall, the proportion of malicious spam in the second half of 2011 rose from 1% to 5%. By December, between 5% and 10% of all spam contained malicious links, redirecting unsuspecting users to malicious or compromised sites hosting the Blackhole kit.

Criminals are increasingly playing on the explosive popularity of, and implicit trust in, social media, luring users with fake notification messages to “Friend Me” on Facebook or invitations to “join my LinkedIn network.”

While a lot of the FUD (fear, uncertainty and doubt) around security in the last couple of years has been around targeted attacks using spear phishing and zero-day exploits, the vast majority of attacks are automated, massive botnet campaigns exploiting well-known vulnerabilities, some of which have been around for years. In fact, the most prevalently exploited vulnerability, Microsoft Internet Explorer RDS ActiveX, which accounted for 17.7% of exploits, was identified in 2006. Interestingly, the third most-exploited vulnerability (4.7%), Microsoft Internet Explorer user Data Behavior, is far and away the most exploited vulnerability in China.

The likely reason, Anstis says, is the prevalence of older versions of Internet Explorer (IE 6 is, remarkably, still in wide use). The exploits for older software versions are often the cheapest by a significant margin, so criminals in China can take advantage of a mass, low-end market.

Infuriatingly, patches for all of the most widely exploited vulnerabilities have been available almost since each was identified. This reflects poor updating practices among personal users and probably a number of businesses. It almost certainly also reflects software piracy: the huge number of illegally installed software programs, particularly in countries such as China, typically cannot subscribe to update services.
