With the alarming increase in cyberattacks, criminals are literally turning businesses against their own customers in order to steal consumer's personal data, warns the latest annual X-Force Trend and Risk report from IBM. "The security industry puts a lot of effort into the technical evaluation of security threats, examining, sometimes at great length, the potential threat that each issue might present to corporations and consumers. Criminal attackers out for profit, however, have considerations that the security industry does not always take into account, such as monetization cost and overall profitability."

The report notes that while 2008 brought a substantial number of security related headlines to the forefront, much of the warnings did not amount to mass exploitation. Hence the report starts off by examining what did and didn't happen in 2008 — and why.

The following are the key 2008 highlights exploring vulnerabilities, web-related security threats, spam, phishing, and malware:

Vulnerabilities

• 2008 proved to be the busiest year in X-Force history chronicling vulnerabilities — a 13.5 percent increase compared to 2007.
• The overall severity of vulnerabilities increased, with high and critical severity vulnerabilities up 15.3 percent and medium severity vulnerabilities up 67.5 percent.
• Similar to 2007, nearly 92 percent of 2008 vulnerabilities can be exploited remotely.
• Of all the vulnerabilities disclosed in 2008, only 47 percent can be corrected through vendor patches. Vendors do not always go back to patch previous year's vulnerabilities. 46 percent of vulnerabilities from 2006 and 44 percent from 2007 were still left with no available patch at the end of 2008.
• The two largest categories of vulnerabilities in 2008 are Web application at 55 percent and vulnerabilities affecting PC software at roughly 20 percent.
• For vulnerable operating systems, operating systems from Apple and the base Linux kernel have dominated the top spots for vulnerability disclosures over the past three years.

Web-Related Security Threats

• The number of new malicious Web sites in the fourth quarter of 2008 alone surpassed the number seen in the entirety of 2007 by 50 percent. Last year, China replaced the US as the most prolific host of malicious Web sites.
• Even good Web sites are facing more issues. Web applications, in particular, are increasingly vulnerable and highly profitable targets for helping the criminal underground build botnet armies
• Spammers are turning to the Web. URL spam (a spam email with little more than a link to a Web page that delivers the spam message) took the lead as the main type of Spam this year, and Spammers more and more are using familiar domain names like news and blogging Web sites to host their content.
• Web applications in general have become the Achilles heel of Corporate IT Security. Nearly 55% of all vulnerability disclosures in 2008 affect Web applications, and this number does not include custom-developed Web applications (only off-the-shelf packages). 74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of 2008.
• Last year, SQL injection jumped 134 percent and replaced cross-site scripting as the predominant type of Web application vulnerability.
• Exploitation of Websites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008.
• In addition to these vulnerabilities, many Web sites request the use of known vulnerable ActiveX controls, which leave Web site visitors who do not have updated browsers in a compromised position.
• Although the number of vulnerabilities affecting Web browsers went down in comparison to 2007, they continue to be the main target of exploitation. New categories of threats affecting clients are on the rise, specifically in the areas of malicious documents, multimedia applications, and potentially Java applications which are easy to host on the Web.

Spam, Phishing and Malware

• The McColo shutdown had the most impact on spam activity in 2008, not only affecting quantity but also affecting the type of spam sent and the countries that most frequently sent it.
• Although the volume of spam dropped after the shutdown, X-Force expects it to return to normal by the first quarter of 2009.
• Simple spam (text or URL-based) replaced complex (PDF, image, etc.) spam in 2008, with a focus on URL spam near the end of the year. Spammers increasingly use familiar URL domains, like blogging Websites and news Websites, to host spam messages.
• Although most of the spam URLs use the .com TLD (top level domain), a steady increase in the use of .cn is evident, and, when it comes to malicious URLs, the number of malicious URLs hosted in China surpassed that of the US this year.
• More than 97 percent of Spam URLs are up for one week or less.
• In terms of the servers sending spam, Russia surpassed the US in 2008, and was accountable for 12 percent of all spam sent last year.
• The most popular subject lines of phishing and spam are not so popular anymore. The top ten subject lines of 2008 took up a much smaller percentage in comparison to 2007. Spammers and phishers alike are becoming more granular and targeted, working harder in essence, to reach more targets. In 2007, the most popular phishing subject lines represented about 40% of all phishing emails. In 2008, the most popular subject lines made up only 6.23% of all phishing subject lines.
• Another trend that developed in 2008 is the focus on user action. Rather than having a generic subject like "security alert," phishers attempt to engage the user into doing something, like fixing an account that has been suspended or updating their account information.
• The majority of phishing — nearly 90 percent — was targeted at financial institutions. Over 99% of all financial phishing targets are in North America or Europe, with the majority of targets in North America (58.4 percent).
• 46 percent of all malware collected over 2008 were Trojans. Trojans targeting users of online games (Onlinegames, Magania) and online banking (Banker and Banload) remain prevalent for the whole year; which indicates that these specific user groups are highly targeted in 2008.

Related Links:
IBM Internet Security Systems X-Force 2008 Trend & Risk Report Full Report [PDF - 106 pages]
Corporations Inadvertently Becoming No. 1 Security Threat to Their Own Customers IBM Press Release
Preview of the 2008 X-Force Trend and Risk Report X-Force Blog

Related topics: Cyberattack, Cybercrime, Data Center, DNS, DNSSEC, Security, Spam, Web