The number of targeted e-mail attacks rose in 2010 compared to the previous year, as cyber criminals increasingly target corporations in search of specific sensitive information and intellectual property, according to Symantec Corp.’s (NASDAQ: SYMC) MessageLabs Intelligence 2010 security report.
Otherwise known as advanced persistent threats, targeted attacks were identified and blocked by MessageLabs at the rate of 77 per day, and remain one of the most damaging security threats to a business. (In 2009, the number was 48 per day.)
Paul Wood, MessageLabs Intelligence senior analyst, explained that targeted attacks are sent out in low volumes by cyber criminals who often use zero-day exploits for which there are no patches. They fly beneath the radar of most anti-virus software because the low frequency of attacks doesn’t allow for a signature to be produced identifying that particular attack, said Wood.
“You may have protection but it’s not going to help you in those kinds of circumstances,” said Wood.
The rate of targeted attacks has grown enormously. Five years ago, it might have been one or two blocked and identified per week, said Wood.
Today, three to four hundred organizations are targeted monthly by cyber criminals, but the type of organization targeted has changed over time. While traditional targets were large multi-national and well-recognized corporations in the banking, pharmaceutical and defense sectors, Wood said that the threat today extends to small to medium-sized businesses.
“If you’re trying to penetrate defenses of a large enterprise-type organization, it becomes more difficult … the more probing you try to do, the more likely you are to draw attention to yourself,” said Wood.
Cyber criminals will sometimes attempt to penetrate a target organization indirectly by taking a “piggy back” on an attachment in an existing e-mail correspondence from a supplier. “It’s not executable and it comes from someone you already know on a subject you’ve had a conversation about,” said Wood.
According to Brian O’Higgins, an Ottawa-based independent security consultant, Symantec’s report of an increase in targeted malware is no surprise because the attack vector’s proven track record only serves as encouragement to cyber criminals.
O’Higgins also pointed out that cyber criminals are encouraged by organizations’ unorganized security that takes the form of unpatched systems and vulnerable configurations.
“These are damaging attacks and enterprises need to plan for them,” said O’Higgins. “In practice this means making an investment to reduce the vulnerability.”
Moreover, hacker tools have improved, which means “more complex attacks are more accessible to the dumber hackers, therefore increasing the number of attackers,” added O’Higgins.
The Symantec MessageLabs Intelligence 2010 report also found 88.2 per cent of spam originated from botnets. The top botnets in 2010 were Rustock, Grum and Cutwail. This number has increased annually but tends to fluctuate throughout the year as cyber criminals adjust their attack strategies to avoid being shut down, said Wood.
Corporations are vulnerable to botnet spam because, while they are good at safeguarding what is behind the firewall, they are only just getting used to managing an increasingly mobile workforce, said Wood.
There is a particular group of employees who pose a greater risk to businesses. It’s not those who are always onsite or always on the road, because they understand their working environment. Rather, Wood explained, it’s the group of workers who straddle working onsite and on the road who are most susceptible to botnet spam.
“About a third of people in both environments seem to have this sudden sense of freedom,” said Wood.
Overall, the Symantec MessageLabs Intelligence 2010 report found a hundred-fold increase in identified malware strains compared to 2009. Specifically, 339,600 strains were identified.
Wood said the enormous increase is due to polymorphic malware or “toolkits being used to generate what appear to be genuinely new versions of a new malware when in fact, when it runs the code, it does the same thing.” The result is that each visitor to an infected site will be hit with a unique version of the strain.
Follow Kathleen Lau on Twitter: @KathleenLau.