Malicious Code is More Covert, Less Recognisable
Websense Report Shows Malicious Code is More Covert, Less Recognisable and More Targeted Toward Financial Gain
Report reveals increase in malicious sites using code from easy-to-use toolkits designed for criminals with no hacking experience; 100% increase in websites designed to install keyloggers, screen scrapers and other forms of crimeware
Auckland, 5 October, 2006—Websense, Inc. (NASDAQ: WBSN), a global leader in web security and web filtering productivity software, today announced the release of the Websense® Security Labs™ 2006 Semi-Annual Web Security Trends Report, which summarises findings for the first half of 2006 and presents projections for the remainder of 2006. The report shows that the volume of attacks increased and malicious code became more covert, less recognisable and more targeted toward financial gain.
Not only has malicious code become more sophisticated, but the infrastructure supporting its creation and spread has also become more complex. Of the sites designed to steal credentials, almost 15% are derived from toolkits, an emerging tactic from the hacker community. These kits, made by professional malicious code writers, are often for sale on the internet and allow non-sophisticated users to launch sophisticated attacks against operating system exploits and vulnerabilities.
The criminal motive of attacks has also become more apparent as traditional hacking for fun has been replaced with activities designed to steal confidential data to reap financial rewards. The report notes a 100% increase in sites designed to install keyloggers, screen scrapers and other forms of crimeware. Conversely, Websense has seen more than a 60% drop in websites designed merely to change user preferences, such as browser settings.
In the first half of 2006, Websense successfully identified and mitigated several new high-profile exploits and widespread web attacks including the continued assault on the Microsoft Windows Metafile (WMF) vulnerability and the Internet Explorer "zero-day" create text vulnerability.
“Websense Security Labs continues to be on the forefront of discovering advanced web-based attacks and techniques. The growth of toolkits is allowing criminals, who may not be versed in writing malicious code, the ability to launch highly sophisticated attacks with minimal effort or expertise,” said Joel Camissar, country manager, New Zealand for Websense. “In addition to protecting against web-based threats such as keyloggers or spyware, Websense profiles these attacker toolkits to proactively protect organisations from these kits before a wave of attacks is triggered.”
According to the report, Websense Security Labs has seen increased exploitation of both web servers and web browser/client technologies. Automated vulnerability scanning for server and client exploits is getting more intelligent, and attackers are taking full advantage of these exploits. During the first half of 2006, 35% of all malicious websites were hosted on web servers that had been compromised.
“As new threats are discovered, Websense web security software quickly protects an organisation’s network infrastructure and employees via real-time security updates of malicious URLs and applications. This advanced level of protection closes a critical window of exposure left open by deployed security solutions such as host and network based signature anti-virus and firewalls while protecting organisations against potential attacks before they even happen,” added Camissar.
Websense Security Labs was introduced in August 2004 with the primary objective of discovering and investigating today’s advanced internet threats and publishing those findings to the security community and customers. Websense Security Labs research delivers precise depictions of current web outbreaks as well as insight into new malicious threats before attacks are launched. Using patent-pending processes and technology, including a worldwide network of computers, data mining processes, customer feedback loops and malicious code categorisation expertise, Websense Security Labs scans more than 85 million websites daily to proactively discover and immediately defend customers against web-based threats.
Additional Highlights from the First Half 2006 Security Trends Report
- Websense Security Labs has seen a 100% increase in sites designed to install keyloggers, screen scrapers and other forms of crimeware. Conversely, the organisation has seen more than a 60% drop in websites designed merely to change user preferences, such as browser settings.
- Websense Security Labs saw a significant increase in the number of phishing targets. In fact, as many as 8–10 new targets are being discovered every day. The Labs also notes that phishing toolkits are now being used to enable easy phishing. For example, one fraudulent website may target as many as 50 different banks under individual subdirectories.
- During the first six months of 2006, Websense Security Labs saw more cases – and more sophisticated use – of cyber-extortion. This form of cyber-extortion allows malicious hackers to keep data hostage on an end-user's machine while demanding a monetary sum to unlock the data. Along with the higher numbers, the Labs noted better encryption, making it harder to recover the data and to reverse engineer and develop effective countermeasures.
- Websense Security Labs discovered more botnets (collections of compromised machines) using peer-to-peer (P2P) technologies to gain control, making it more difficult to disable them. The use of the web to control botnets has also increased, allowing botnet owners to more easily control the machines via a web page.
Findings by Websense Security Labs during the first half of
- January 5, 2006 - Websense Security Labs was the first to discover more than 1,100 URLs that were attempting to exploit users who had not installed the patch for the Microsoft Windows Metafile (WMF) vulnerability, which was discovered by Websense Security Labs in mid-December 2005. Most attacks were Trojan horse downloaders which updated over HTTP and installed and ran other pieces of malicious code.
- March 24, 2006 - Websense Security Labs was the first to discover 200 unique URLs that were attacking a revealed Internet Explorer "zero-day" vulnerability that could allow code to launch without end-user consent. The most common attack was the use of shellcode to run a Trojan horse downloader that downloaded additional payload code over HTTP. The additional payload was various forms of bots, spyware, backdoors, and other Trojan downloaders.
- June 21, 2006 - Websense Security Labs reported on end-users being lured to install malicious code via Short Message Service (SMS) messages (also known as text messages). Victims received an SMS message on their mobile phone, thanking them for subscribing to a fictitious dating service. The message stated that the subscription fee of $2.00 per day will be automatically charged to their cell phone bill until their subscription is cancelled at the online site.
- June 21, 2006 - Websense Security Labs reported a new type of attack that used email and voice over telephone, otherwise known as Vishing. The Vishing attack targeted customers of Santa Barbara Bank & Trust. Like traditional phishing attacks, users received a spoofed email message. However, unlike the most popular forms of phishing, where users are lured to a fraudulent website, this lure directed users to a telephone number.
Websense, Inc. (NASDAQ:WBSN), a global leader in web security and web filtering software, is trusted to protect 24 million employees worldwide. Websense proactively discovers and immediately protects customers against web-based threats such as spyware, phishing attacks, viruses and crimeware with maximum protection and minimal effort. With diverse partnerships and integrations, Websense enhances our customers' network and security environments. For more information, visit www.websense.com.au.