Twenty years after the release of the Morris Worm, one of the first worms discovered on the Internet, the Web has proven to be the primary place where bad guys lurk, looking for poorly secured websites to plant malicious code. And, they find plenty.
According to the 2009 Security Threat Report [PDF] from Sophos, one new infected Web page is discovered every 4.5 seconds. With that in mind, we thought we’d take a look at the top security threats you should be looking out for in 2009.
SQL Injection Attacks
The Sophos research showed that over the past year the number of SQL injection attacks against innocent websites increased, a trend Sophos expects will continue next year.
Web insecurity, notably weakness against automated remote attacks such as SQL injections, will continue to be the primary way of distributing web-borne malware.
A recent report from the Internet Crime Complaint Center also points to an increase in SQL injection attacks in 2008, specifically relating to financial services and the online retail industry. Unfortunately, cyber criminals prey on the needs of Web users at any given time, and this time the economic crisis is their meal ticket.
The article is well worth reading if you’re interested in how attackers compromise websites by SQL Injection or if you want ideas on how to reduce the likelihood of intruders gaining access to your private data.
Third Party Advertising Agencies and Scareware
In February 2008, Sophos confirmed a ‘poisoned Web advertising campaign‘ on BBC competitor ITV‘s website that affected both Windows and Mac machines. While we’ve all seen Scareware, the pop ups designed to scare people into buying anti-virus software, this is the first time it has been seen for the Mac.
According to Sohpos, a Flash file was injected into traffic served up by ITV.com via third party advertising agencies. Designed to promote a program called Cleanator (Windows) or MacSweeper (Macs), the programs claimed to detect “compromising files” and encouraged users to purchase a full version of the package.
As websites often use third parties to serve up their advertising, Graham Cluley, senior technology consultant at Sophos suggests taking care when selecting agencies. “Website owners should ask the third party agencies they use what procedures they have implemented to positively vet the adverts that they deliver for malicious content or unsavory links.
With social networking on the rise, the bad guys have found yet another playground on the Web. The Sophos report reveals 1800 Facebook users had their profiles defaced in August by an attack that installed a Trojan while displaying an animated graphic of a court jester.
Gated sites appeal to the bad guys because they form a “launching pad” for mass distributing malware attacks and spam, like the recent Koobface Trojan which attacked both MySpace and Facebook and transformed victim machines into zombie computers to form botnets.
Twitter too has become a tool for cyber criminals to distribute malware and marketing messages. In many cases, the bad guys steal members’ usernames and passwords and bombard the victims’ friends with marketing messages or direct them to third party websites. With Twitter especially, it is difficult to discern where links are going due to the 140 character limit and the use of services that shorten URLs.
On the flip side however, Chris Boyd of FaceTime Security Labs at this years RSA Conference explained that social networking sites are incredibly useful for security researchers. “The people that create these things have been on social networking sites since the beginning; they need to be on them a lot to understand them intimately enough to exploit them. But many times they leave a trail online that we can use to track them, to find out things like their names, ages and friends.”
Apple Macs Becoming “Soft Targets”
While Mac malware is miniscule compared to Windows malware, Sophos recommends Mac users follow safe computing best practices and avoid complacency even though cyber criminals are more likely to stick to attacking Windows computers in the foreseeable future due to the higher financial incentive.
With so many Windows home users seemingly incapable of properly defending themselves against malware and spyware, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This is not because Mac OS X is superior, but simply because there is significantly less malware currently being written for it.
Along with the scareware attack mentioned earlier, there have been other attempts to infect Mac computers in 2008: the OSX/Hovdy-A Trojan, the Troj/RKOSX-A Trojan, and the OSX/Jahlav-A Trojan.
Smartphones: A New Toy for Cyber Criminals
While most malware and spam is produced as a result of financial incentive, with smartphones, Sophos believes malware will more likely be written by those wanting to make headlines. As neither the iPhone or the G1 has yet been the target of a significant attack, someone will want to be the first and claim the title.
Apple iPhone
According to Sohpos, iPhone users are more vulnerable to phishing attacks than their desktop counterparts for three reasons:
- They may be more willing to click on links because entering URLs on a touch screen is more difficult
- The iPhone version of Safari doesn’t display URLs embedded in emails before they are clicked on making it more difficult to tell whether a link leads to a phishing site
- The iPhone browser doesn’t display full URLs making it easier for the bad guys to trick users
Google Android
Hackers are only just getting a real look at the Android OS so there is not much to report however, one security flaw was revealed only days after the G1 went on sale. The flaw, discovered by Charles Miller, a principal security analyst at Independent Security Evaluators, was in the browser partition of the phone. According to the New York Times, the flaw enabled keystroke logging software to be installed, making it an easy trick to steal identity information and passwords.
Additionally, while many are impressed with Google’s open attitude to applications, others are concerned about the ease in which malicious software could be distributed and caution when it comes to downloading third party apps is advised.
Sophos predicts as more people purchase smartphones, creating threats will become increasingly attractive to cyber criminals: Imagine a generic Mac OS X attack made for the iPhone that could also cripple the Mac computer.
Other Interesting Stats from the Sophos Report
- There were five times as many malicious e-mail attachments at the end of 2008 than at the beginning of 2008
- The United States hosts the most malware on the Web at 37 percent
- Computers in the United States relay the most spam at 17.5 percent
Cyber criminals will always be ahead of security experts simply because most of what the anti-malware providers discover is generally published for the public; the bad guys aren’t as open with what they do. But, being aware of trends, keeping security patches up to date, and installing firewalls will do much to thwart the majority of attacks.
What security threats do you think we should be thinking about in 2009?
Photo Credit: Flickr tsevis