BANGALORE, INDIA: The latest Internet Security Threat Report (ISTR), Volume XIII released today by Symantec Corp. in India concludes that the Web is now the primary conduit of attack activity, as opposed to network attacks, and that online users can increasingly be infected simply by visiting everyday Web sites. The report is derived from data collected by millions of Internet sensors, first-hand research and active monitoring of hacker communications and provides a global view of the state of Internet security.

In the past, users had to visit intentionally malicious sites or click on malicious email attachments to become a victim of a security threat. Today, hackers are compromising legitimate Web sites and using them as a distribution medium to attack home and enterprise computers.  Symantec noticed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites.

"Users are often the weakest link in Internet security. Attackers can compromise the end user to steal confidential data from them.  This can include personal information, corporate information stored insecurely on the end user's computer, or account credentials the attacker can use to launch additional attacks," said Prabhat Singh, director, Symantec Security Response and Managed Security Services. "The use of social networking Web sites in phishing attacks is symptomatic of the trend toward targeting people rather than computers."

Attackers are leveraging site-specific vulnerabilities that can then be used as a means for launching other attacks.  During the last six months of 2007, there were 11,253 site specific cross-site scripting vulnerabilities reported on the Internet; these represent vulnerabilities in individual Web sites. However, only 473 (about 4 percent) of them had been patched by the administrator of the affected Web site during the same period, representing an enormous window of opportunity for hackers looking to launch attacks.

Specific to India, Symantec has observed that malicious activity in the form of worms, viruses and Trojans is on the rise. More than 65 percent of malicious attacks in India were through worms as compared to the global average of 22 percent. This is a clear indication that basic security patch updates are not being installed by users. Malicious code propagation vectors like file sharing/executables were behind the high proliferation of viruses in India. Symantec also observed that rampant software piracy in India aided the spread of malware by the file sharing/executables mechanism.

Particularly of concern to Indian enterprises and consumers were the increasing botnet activities in India. India had 38,502 bot-infected computers and more than 60 command and control servers, a 50 percent increase from the last reporting period.  A majority of bot-infected computers were tracked in Mumbai (56 percent), Chennai (16 percent) and New Delhi (14 percent). The increase in botnet activities have led to a high number of distributed denial-of-service attacks (DDOS) on Indian enterprises.

Phishing was another major cause of concern in the Indian security threat landscape. In the last six months of 2007, Symantec observed 345 unique phishing URLs with IP addresses hosted in India. Symantec also observed more than 400 unique phishing attacks on reputable Indian banks. Out of these, some of the attacks involved the use of compromised '.gov' servers to launch phishing attacks on other brands.

According to the report, majority of phished Web sites that were detected globally during this reporting period spoofed social networking sites. This is a sign of caution for India too, since according to a recent industry report nearly 5-6 million Indians are actively involved in social networking and spend approximately 25-75 percent of their time online in social networking activities. They can become easy preys to 'abuse of trust' tactics.  According to the Symantec report 

–        Social networking sites are easy for criminals to spoof and because social networking pages are generally trusted by users, phishing attacks mimicking them may be more successful.

–        Profiles on social networking sites often contain a significant amount of personal information about the user.

–        Spoofed social networking pages can include links to false download that require users to enter confidential information such as authentication information or credit card information that can subsequently be used for fraudulent purposes.

The report also found that attackers are seeking confidential end-user information that can be fraudulently used for financial gain and are less focused on the computer or device containing the information.  In the last six months of 2007, 68 percent of the most prevalent malicious threats reported to Symantec attempt to compromise confidential information.

Finally, attackers are leveraging a maturing underground economy to buy, sell and trade stolen information. This economy is now characterized by a number of traits common in traditional economies.  For example, market forces of supply and demand have a direct impact on pricing.  Credit card information, which has become plentiful in this environment, accounted for 13 percent of all advertised goods—down from 22 percent in the previous period and sold for as low as $0.40. 

The price of a credit card in this underground market is determined by factors such as the location of the issuing bank.  Credit cards from the European Union, for example, cost more than those from the United States; this is most likely due to the smaller supply of cards circulating in the E.U which makes the card more valuable to a criminal.  Bank account credentials have become the most frequently advertised item making up 22 percent of all goods and selling for as little as $10.   

"The sale of malicious services, outsourcing of resources such as phishing hosts and spambots, and bulk pricing are signs of a robust economy. These factors in the underground economy indicate that "business is booming," said Vishal Dhupar, managing director, Symantec India.  "So lucrative is the underground economy that organizations and individuals operating within it appear willing and able to change their business models or adopt new ones in response to changes in the threat landscape."

Additional key global findings from the report

In 2007, Symantec detected 711,912 new threats compared to 125,243 in 2006 – an increase of 468 percent; this brings the total number of malicious code threats detected by Symantec to 1,122,311 as of the end of 2007.
Symantec measured the release of both legitimate and malicious software during a portion of the reporting period and found that 65 percent of the 54,609 unique applications released to the public were categorized as malicious.  This is the first time Symantec observed malicious software outpacing legitimate applications.

Theft or loss of a computer or other device made up 57 percent of all data breaches during the last half of 2007 and accounted for 46 percent of all reported breaches in the previous reporting period.

Government was the top industry sector for identities exposed, accounting for 60 percent of the total, an increase from 12 percent in the previous reporting period.

A full identity can be purchased in the underground economy for as little as $1.