Since 2002 Symantec has been publishing its Internet Security Threat Report, which provides an overview and analysis of the year in global threat activity. The report is based on data from the Symantec Global Intelligence Network, which Symantec's analysts use to identify, analyse, and provide commentary on emerging trends in the dynamic threat landscape.
Threats to online security grew considerably in 2012. From the threats of cyberespionage and industrial espionage to the widespread and chronic problems of malware and phishing, we have seen constant innovation from malware authors.
We have also seen an expansion of traditional threats into new forums. In particular, social media and mobile devices have come under increasing attack in 2012, even as spam and phishing attacks via traditional routes have fallen. Online criminals are following users onto these new platforms.
The most important trends in 2012 were:
Small businesses are the path of least resistance for attackers
Last year’s data made it clear that any business, no matter its size, was a potential target for attackers. This was not a fluke. In 2012, 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees – 31% of all attacks targeted them.
This is especially bad news because, based on surveys conducted by Symantec, small businesses believe they are immune to attacks targeted at them. But money stolen from a small business is as easy to spend as money stolen from a large business. And while small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank. While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated for by the fact that many small companies are typically less careful in their cyberdefences.
Even worse, the lack of adequate security practices by small businesses threatens all of us. Attackers deterred by a large company’s defences often choose to breach the lesser defences of a small business that has a business relationship with the attacker’s ultimate target, using the smaller company to leapfrog into the larger one.
Additionally, small businesses and organizations can become pawns in more sophisticated attacks. Driven by attack toolkits, in 2012 the number of Web-based attacks increased by one third and many of these attacks originated from the compromised websites of small businesses. These massive attacks increase the risk of infection for all of us.
Malware authors act as Big Brother
If you think someone is violating your privacy online, you are probably right. Half the mobile malware created in 2012 attempted to steal our information or track our movements. Whether they are attacking our computers, mobile phones or social networks, cyber-criminals are looking to profit by spying on us.
Their ultimate goal is to make money. Their method is to learn our banking information, the phone numbers and email addresses of our friends and business associates, our personal information, and even how to become us by stealing our identity.
Creating successful targeted attacks requires attackers to learn about us. They will research our email addresses, our job, our professional interests, and even the conferences we attend and the websites we frequent. All of this information is compiled to launch a successful targeted attack. Once on our devices, the attacker’s tools are designed to pull as much data as possible.
Undiscovered targeted attacks can collect years of our email, files, and contact information. These tools also contain the ability to log our keystrokes, view our computer screens, and turn on our computers’ microphones and cameras.
Those jobs most targeted for attack in 2012 were knowledge workers who create the intellectual property that attackers want (27% of all targets in 2012) and those in sales (24% in 2012). Interest in targeting the CEO of an organisation waned in 2012; those attacks decreased by 8%.
For the remaining highlights, read on:
With mobile, it’s not the vulnerability that will get you
As expected, the amount of mobile malware in 2012 continues to rise. 2012 saw a 58% increase in mobile malware families compared to 2011. The year’s total now accounts for 59% of all malware to date. With a 32% increase in the number of vulnerabilities reported in mobile operating systems, it might be tempting to blame them for the increase.
But this would be wrong. In the PC space, a vulnerability drives attacks as new vulnerabilities are incorporated into commonly available toolkits. The more they’re used, the faster they spread. This is not occurring in the mobile space.
Mobile vulnerabilities have little correlation with mobile malware. In fact, while Apple’s iOS had the most documented vulnerabilities in 2012, there was only one threat created for the platform. Compare this to Android – although only 13 vulnerabilities were reported, it led all mobile operating systems in the amount of malware written for the platform.
Vulnerabilities likely will become a factor in mobile malware, but today Android’s market share, the openness of the platform, and the multiple distribution methods available to applications embedded with malware make it the go-to platform of malware authors.
Zero-day vulnerabilities available when attackers need them
Zero-day vulnerabilities continue to trend upward; 14 were reported in 2012. In the last three years much of the growth in zero-day vulnerabilities used in attacks can be attributed to two groups: the authors of Stuxnet and the Elderwood Gang. In 2010, Stuxnet was responsible for 4 of the 14 discovered zero-day vulnerabilities.
The Elderwood Gang was responsible for 4 of the 14 discovered in 2012. The Elderwood Gang also used zero-day threats in 2010 and 2011, and they’ve used at least one so far in 2013.
Attackers use as many zero-day vulnerabilities as they need, not as many as they have. And Stuxnet and Elderwood make for an interesting contrast in the strategy of their use. Stuxnet remains the aberration, using multiple zero-day exploits in one attack.
From what we know today, it was a single attack that was directed at a single target. Multiple zero-day exploits were used to ensure success so they would not need to attack a second time.
By contrast the Elderwood Gang has used one zero-day exploit in each attack, using it continually until that exploit becomes public. Once that occurs they move on to a new exploit. This makes it seem that the Elderwood Gang has a limitless supply of zero-day vulnerabilities and is able to move to a new exploit as soon as one is needed. It is our hope that this is not the case.
Attribution is never easy
Some targeted attacks make no attempt to stay undetected. A piece of malware named Shamoon was discovered in August. Its purpose was to wipe computer hard drives of energy companies in the Middle East. A group calling itself the “Cutting Sword of Justice” claimed responsibility.
Throughout 2012, DDoS attacks were launched against financial institutions. A group called Izz ad-Din al-Qassam Cyber Fighters claimed responsibility. These attacks and others appear to be classic cases of hacktivism. But proving attribution and motive is not easy, even when someone claims responsibility.
There has been much speculation, some reportedly from the intelligence community, that the Cutting Sword of Justice and the Qassam Cyber Fighters are fronts for a nation state. Complicating what appeared to be simple hacktivism even further is the FBI’s warning to financial institutions that some DDoS attacks are actually being used as a “distraction.”