2008 Security Threats Will Follow The Money

Phishing scams, malware, data loss -- many security professionals dispute exactly what constitutes the most serious security threat. But almost all sources agree that over the past two to three years, cyber criminals have become incredibly professional. What was once about bragging rights is now about high-stake payoffs illegitimately gained by large-scale Internet fraud and infiltration.

"It's become a business now," said Kevin Simzer, senior vice president of Entrust, specializing in digital identities and information security. "It's about money now. That's just the reality."

Across the board, attacks are becoming more individualized, acutely honing in on individuals with specific and personal demographic information. Experts say that instead of just credit cards and bank account information, they're going for everything -- any and all information that can be used to create an identity. From there, attackers will either use the data, or sell it blackmarket to someone who will.

"You're starting to see a broader base of attacks. We're really seeing broad-based fraud activities," said Vincent Weaser, senior director of development for Symantec. "Their ability to turn (information) into cold hard cash -- they're after a lot more than simply your bank account."

Something's Phishy

It's no secret that the phishers' nets are getting bigger and more advanced. Continuing a trend of increasingly sophisticated phishing attacks, cyber criminals will target their victims more precisely with personal information. "What we're seeing is more and more is phishing. It's just continued to run totally unabated," said Simzer. "The consumer's data is totally exposed, and low and behold, someone is accessing their account."

Masked as legitimate sites from Ebay, Amazon and others, phishing sites will typically ask individuals to submit financial or identifying information such as credit card, bank and social security numbers. Security professionals expect that phishers will increasingly target smaller, less-popular sites as the big companies beef up security and users become savvy to the large-scale scams.

In addition, the availability of phishing toolkits will make these kinds of scams much easier for cyber predators. In fact, 42 percent of phishing Websites observed in the first half of the year were associated with just three phishing toolkits, according to Symantec's Top 10 Internet Security Trends for 2007,

Also, as individuals become savvy to widespread attacks, phishers will target their victims more precisely with highly researched, personal information, in schemes known as spearphishing, luring victims into attacks by using highly focused individual-specific information. Or whaling, targeting high level executives for sensitive company information.

"All the attacks we've seen in the past aren't going to go away, they never do," said Richard Stiennon, chief marketing officer for Fortinet. "We'll see an increase in the level of targeting. It's a pretty scary concept to think someone picks you out of the fold."

Plus, with the upcoming presidential election, security personnel expect to see more political phishes in 2008. Scams will likely come in the form of political organizations or campaigns asking for "campaign donations."

"There's some social reconnaissance being done," said Peter Bybee, President and CEO of Network Vigilance based in San Diego. "We're definitely seeing more sophisticated, socially engineered attacks. At least they have a more authentic message for coaxing you into doing something."

Next: Web's Wealth Of Data Awaits Thieves Web 2.0 And Mining For Data

The wealth of information stored on the Web often translates to wealth for attackers. Recent security breaches at Salesforce.com and Monster.com represent a growing trend in attacks of online applications, which can be a veritable goldmine of credit card, social security numbers and other valuable identifying information. With hundreds of thousands of database servers accessible on the Internet, experts say that they expect to see attackers continue to use sites like these to distribute malware and acquire sensitive data.

On social networking sites you might get more than just 64,000 new "friends." Attackers are increasingly using sites such as Facebook and MySpace to distribute malware. They're also mining data, looking for information that people share in order to "authenticate" their attacks. Attacks could be installed with a simple click-on "comparison tool," or a favorites list. And Google's recently announced social networking capabilities will give attackers even more "new friends" to target.

"Applications security is really in its infancy," said Bybee. "There're way too many problems with applications that are too easily exploited."

Threats with keystroke logging capacity made up 88 percent of confidential information threats during the first half of 2007, according to a 2007 Symantec semi-annual security threats report. But data loss is often as simple as the theft of a laptop. In fact, theft or loss of a computer or other data-storage medium comprised 46 percent of all data breaches that could lead to identity theft, the report said.

"When laptops get lost or stolen, suddenly desktop encryption becomes a big deal," said Bill Calderwood, President of The Root Group, based in Boulder, Colo.

Stormy Days Ahead

There is no peace in the wake of the Storm Worm.

Also known as Nuwar, the Storm Worm is the most versatile malware in history. Storm's authors released thousands of variants and code-changing techniques, creating the largest peer-to-peer botnet on record.

"It constantly moves," said Craig Schmugar, threat research manager at McAfee Avert Labs. "The thing with Storm is that it radically changes its methods over time. In some regards, it's a trendsetter."

In its path, security researchers expect to see a number of PC-turned-bots in the upcoming year. Bots, or computer programs that give cyber criminals complete control over PCs, are typically installed surreptitiously on the machines, and have almost unlimited potential to wreak havoc on their unsuspecting users.

Not Just A Game

Where there is money, there are those who try to scam it away from others. Increased gold farming and in-game spam, tricking people into giving away financial information indicate a trend that more security threats will likely come in the virtual world for 2008. Security personnel say that threats to virtual economies are catching up to threats to real economies, in part because they are not as regulated as established businesses or financial institutions and subsequently don't provide the same kind of protections or failsafes.

"They have the ability to convert cyber activities into cash," said Weaser. "That's what attracts them into those worlds."

According to the McAfee report, the number of password-stealing Trojans that targeted online games grew faster than the number of Trojans that targeted banks.

"Virtual economies are growing. There's money to be made here," said Schmugar. "And it's lower risk than targeting a bank."

"We're starting to see longer term, more patient and more damaging types of hacks," said Calderwood. "It's almost an organized approachWill the commercial world keep pace with the hacker world? It's a tug of war."