Trojan attacks up, phishing attacks down this year, IBM finds

IBM security report finds 55% of new malware is Trojans, an increase of 9% over last year

By Ellen Messmer, Network World
August 25, 2009 05:46 PM ET

Spam-based phishing attacks declined noticeably during the first half of the year, but cyber-criminals may simply be shifting to other technologies found to be more effective in stealing personal data, according to IBM in its semi-annual security threat report .

“The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved,” is the explanation offered in the “IBM Internet Security Systems 2009 Mid-Year Trend & Risk Report.” It says Russia is the top country of origin for phishing e-mails, with 7.2% share, while China is the top hosting country for spam URLs.

10 of the Worst Moments in Network Security History
11 security companies to watch

IBM’s semi-annual security report presents a broad view of trends based on its own analysis of volumes of sensor data, Web crawling technologies and other resources used to gather information through its Internet Security Systems division .

Related Content

In the first half of 2009, 55% of the new malware seen was Trojans, an increase of 9% over last year, the report says. Trojan malware, which includes components called downloaders and info-stealers, are mainly being used in the form of “public-available toolkits” that are “easy to use” by criminals, the report points out.

Phishing attacks may be down because criminals “are likely getting better results with Trojans,” says Dan Holden, X-Force product manager at IBM’s ISS division. “It’s a return on investment issue for them.”

The big picture is that the Web is a “dangerous place,” Holden notes. Criminals are exploiting software vulnerabilities to compromise sites with malicious code or simply taking advantage of the openness of public social-networking forums to place malicious code to go after victims.

In a look at the Internet’s Web sites in general, IBM believes that currently that about 8% of the Internet can be classified as “unwanted content, such as pornographic or criminal Web sites,” which includes those for hacking, illegal drugs, malware, or selling counterfeit goods and the like.

The number of malicious Web links used to trick users into downloading malware or visiting dangerous sites has increased, up 508% in the first half of 2009 in comparison to the number discovered in the first half of 2008, says the report. The U.S. is the top country where such malicious Web links can be found, accounting for 36% of known malicious links, with China holding the second spot.

Malicious Web links are often embedded in Web sites which are trusted by users as attackers take advantage of Web site vulnerabilities or simply placing malicious code in public Web pages and forums they are allowed to use like anyone else.
“Attackers are focusing more and more on using the good name of trusted Web sites to lessen the guard of end users,” IBM noted.

These Web sites, whether for social networking, news, search engines or Web catalogs, will end up hosting at least one link which will typically point back to a known malicious site. Gambling and pornography sites sometimes seem to have malicious links placed systematically throughout them, leading IBM to comment that there may ties to profit-sharing with criminals.
When it comes to spam, the bulk of it today is still classified as URL spam in which a person clicks to view the spam content and China accounts for 41.4% of all spam URLs, according to the report.