Vendors, VARs Try To Stay One Step Ahead Of Cybercriminals

While in the past attackers sought to destroy data, they now aim to silently steal data for profit without being noticed, according to a recent report from Symantec.

Attackers are transitioning from simply looking to make headlines to making money, said Dean Turner, executive editor of Symantec’s Internet Threat Report and senior manager of Symantec Threat Response. “We really are moving away from hacking for fame; it’s really about hacking for fortune,” he said.

During the second half of 2005, 80 percent of the top 50 threats that Symantec tracked were capable of stealing some sort of confidential information, which attackers can turn into profit, Turner said.

Security experts also are reporting an increase in the use of BOT networks, in which hackers take control of thousands of vulnerable PCs and are paid by third parties to use the PCs to send out spam or spyware.

“BOTs are lucrative and completely anonymous. It’s something that once you set it up, it gives you recurring income,” said Nick Bilogorskiy, manager of malicious-code research for security vendor Fortinet, Sunnyvale, Calif.

In addition, attackers are increasingly focusing on desktops and Web applications instead of more traditional security devices such as firewalls and routers as they seek to steal corporate, personal, financial or confidential data that they can use for profit or additional criminal activity, according to Symantec’s report.

Phishing threats also increased in the second half of 2005 to 7.92 million attempts daily, up from 5.70 million daily in the first half, Symantec found.

“Hackers are getting far more creative,” said Christopher Labatt-Simon, president and CEO of infrastructure and security solution provider D&D Consulting, Albany, N.Y. “It’s incredible some of the things that hackers are doing these days to try and bypass the security that all the vendors are throwing out there.”

Hackers also are selling malicious code that exploits vulnerabilities, which can be particularly damaging if the vulnerability hasn’t been reported, Turner said.

On average, there is a seven-day window between the announcement of a vulnerability and the appearance of its exploitation. Since manufacturers take about 49 days to issue a patch, that leaves an average 42-day window of exposure, he said.

“There are companies that are paying for vulnerabilities, and with the commercial acquisition of vulnerability information, nobody knows how long [the attackers] are holding that information,” Turner said.

Keeping in line with hackers’ motivation to make money instead of headlines, cybercriminals are staging a larger number of small-scale attacks to avoid attracting attention, and more importantly, to avoid getting caught, said Fortinet’s Bilogorskiy.

“I’ve been seeing a transition to smaller-scale, targeted threats so they can stay under the radar of law enforcement agencies,” Bilogorskiy said.

These attacks are even more damaging if they aren’t reported, said Kurtis Kreh, vice president of sales at security solution provider iSmart Connect, Irvine, Calif. “Ninety percent of these attacks go unnoticed or unreported. A financial institution may not even know it occurred. So the problem is that the hacker community is always one step ahead—and always will be,” Kreh said.

The best security defense is multilayered protection, but even still, attackers are always looking for new ways to penetrate secure networks, Bilogorskiy said.

VARs said it requires vigilance to keep up with the bad guys.

“Our guys are constantly researching and looking for what new threats we’re seeing and how different vendors are reacting to that within their product lines to ensure that our customers have control over the threat actually occurring, “ Labatt-Simon said.