Top 10 Security Threat Predictions For 2008

Voice over Internet Protocol (VoIP) attacks accounted for more than double the number of security vulnerabilities compared with all of 2006, according to the McAfee Avert Labs Top 10 Security Threats of 2008 report. While VoIP threats seem to be here to stay, the defensive technology is still playing catch-up. McAfee expects a 50 percent increase in VoIP-related threats in 2008.

According to Symantec's Top 10 Internet Security Trends for 2007, 42 percent of phishing Websites observed in the first half of the year were associated with just three phishing toolkits. Security professionals say this trend will continue to increase throughout the next year.

It made big headlines when some of the big players went public. While many threats can thus far be deflected, professional hackers and malware authors will begin to look at new ways to get around its defenses.

Where there is money, there are those who try to scam it from others. Online games are increasingly attractive for cyber criminals. Security threats to virtual economies are catching up to threats to real economies, in part because they are not as regulated as established businesses or financial institutions and consequently don't provide the same kind of protections or failsafes. According to a McAfee Avert Labs report, the number of password-stealing Trojans that targeted online games grew faster than the number of Trojans that targeted banks.

"Virtual economies are growing. There's money to be made here," said Craig Schmugar, threat research manager at McAfee Avert Labs. "And it's lower risk than targeting a bank."

Windows Vista is set to gain additional market share in 2008, which will put it past the 10 percent share threshold. As Vista becomes more of a household name, attackers will explore new ways of circumventing its security defenses and exploiting its vulnerabilities. McAfee reported that at least 16 vulnerabilities have been discovered since Vista's introduction early last year, and even more are anticipated next year.

There is no peace in the eye of the Storm Worm. Bots, or computer programs that give cyber criminals complete control over PCs, are typically installed surreptitiously on the PCs of unsuspecting users.

Also known as Nuwar, the Storm is the most versatile malware on record. According to McAfee Avert Labs' top 10 security threats report for 2008, the Storm's authors released thousands of variants and code-changing techniques, creating the largest peer-to-peer botnet in history. "It constantly moves," said Schmugar. "The thing with Storm is that it radically changes its methods over time. In some regards, it's a trendsetter."

We can expect to see attackers target financial markets with highly sophisticated schemes -- pump and dump combined with DDoS, for example -- as they continue to locate vulnerabilities in databases and exploit them, according to Fortinet's Top 10 Security Threat report for 2008.

Even when a database vulnerability is discovered, security professionals maintain that it takes at least six months before it can be repaired.

You might get more than just 64,000 new "friends." Attackers are increasingly using social networking sites such as Facebook and MySpace to distribute malware. They're also mining data, looking for information that people share in order to "authenticate" their attacks. It could be as simple as a click-on "comparison tool," or a favorites list. And Google's recently announced social networking capabilities will give attackers even more "new friends" to target.

Security breaches at Salesforce.com and Monster.com represent a continually growing trend in attacks on online applications, which can be a veritable goldmine of credit card numbers, Social Security numbers and other valuable identifying information. Experts say that we can expect to see attackers continue to use sites like these to distribute malware and acquire sensitive data.

It's no secret that the phishers' nets are getting bigger and more advanced. Cyber criminals have found that, yep, they can target their victims more precisely with personal information.

"What we're seeing more and more is phishing. It's just continued to run totally unabated," said Kevin Simzer, senior vice president of Entrust, specializing in digital identities and information security. "The consumer's data is totally exposed, and lo and behold, someone is accessing their account."

Masked as legitimate sites from eBay, Amazon and others, phishing sites will typically ask you to submit personal financial or identifying information such as credit card, bank and Social Security numbers. Security professionals expect that phishers will increasingly target smaller, less-popular sites as the big companies beef up security and users become savvy to the large-scale scams.