Evolving Threat Landscape Web Spam Bot

The Evolving Threat Landscape: Web, Spam and Phishing Attacks John Harrison, Group Product Manager, Security Technology and Response Paul Wood, Senior Analyst, Symantec .cloudThe Evolving Threat Landscape: Web, Spam and Phishing Attacks 1

Agenda Introduction Threat Landscape 2010 – Anatomy of a Web Attack Latest in Malware and Phishing Attacks Spam Innovations Summary - What Can You Do?The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 2

>LOVEBUGIntroductionThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 The Evolving Threat Landscape: 3 Web, Spam

GloucesterAmsterdam Calgary Toronto London Frankfurt Denver New York Courbevoie MunichCupertino Diegem Tokyo Mesa Tucson Virginia Osaka Oman Hong Kong Pune Singapore Office Network Operation Center South Africa Sydney Data Center• 32,000 businesses with 10 million users in 100 countries• 5 billion email connections per day on average in 2010• 1 billion web connections per day• 15 data centers spanning 5 continentsThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 4

Global Intelligence Network Identifies more threats, takes action faster & prevents impact Calgary, Alberta Dublin, Ireland Tokyo, Japan San Francisco, CA Mountain View, CA Austin, TX Chengdu, China Culver City, CA Taipei, Taiwan Chennai, India Pune, India Worldwide Coverage Global Scope and Scale 24x7 Event Logging Rapid DetectionAttack Activity Malware Intelligence Vulnerabilities Spam/Phishing• 240,000 sensors • 133M client, server, • 40,000+ vulnerabilities • 5M decoy accounts• 200+ countries gateways monitored • 14,000 vendors • 8B+ email messages/day • Global coverage • 105,000 technologies • 1B+ web requests/dayPreemptive Security Alerts Information Protection Threat Triggered Actions The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 5

>CUTWAILThreat Landscape 2010 – Anatomy of a Web AttackThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 6

Threat Landscape2010 Trends  Targeted Attacks continued to evolve Social Networking  + social engineering = compromise Hide and Seek  (zero-day vulnerabilities and rootkits) Attack Kits  get a caffeine boost  Mobile Threats increaseThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 7

Anatomy of a Web Based Attack• Enterprise and Consumer users are infected today from Web based attacks: – Web Attack Toolkits -Drive-by downloads – Social Engineering Attacks  Website attacks user’s browser by targeting vulnerabilities  Hacker compromises legitimate Web site URL (drive-by-download) Legitimate  User isowned Web Site machine now User is infected using  Social Engineering techniques (fake AV/fake codec) The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011

Threat Landscape Social Networking + Social Engineering = Compromise More Info: Detailed review of Social Media threats available in The Risks of Social Networking• Hackers have adopted social networking – Use profile information to create targeted social engineering – Impersonate friends to launch attacks – Leverage news feeds to spread spam, scams and massive attacksThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 9

Threat LandscapeSocial Networking leads to….• An attacker’s goldmine to conduct; – Externalizing confidential / sensitive information, Personal/Professional Separation, Account Hijacking, Privacy Issues and Identify Theft, Harassment and Cyber-bullying, Information Obsolescence, Information Harvesting• Protection is often not effective until compromise or infection takes place• Exploits trust between friends. Viral by natureThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 10

Facebook Likejacking Attacks = Like Hijacking Likejacking Attack: • Clicking ANYWHERE on the page results in “Liking” this page • It gets posted to all of your friends without you actually clicking on the LIKE button! • How does it work? An invisible Like button follows the mouse around Do you know what is happening?! The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 11

Threat LandscapeSocial Engineering• Also called Scareware or Rogueware• Multitude of propagation methods• Most infections are from Intermediate files (e.g., Zlob, FakeAVAlert) rather than Misleading Applications• All components change quickly including domains and EXEs. Average domain life time < 4 hours.The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 12

For more on Cybercrime, Social Networking Attacksand Stuxnet• The Threat Landscape in the Age of CyberCrime and Stuxnet• Wednesday from 5:00 – 6:00pm. SR B30, Kevin HaleyThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 13

Threat Landscape More Info: Web Attack Toolkits Detailed information available in ISTR Mid- Term: Attack Toolkits and Malicious WebsitesThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 14

Web Attack Toolkits are Easy to ConfigureThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 15

Effectiveness of the Web Attack ToolkitsThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 16

Threat Landscape Web-based threats: Any website can infect you …just by browsing to it• In the past – you had to visit dangerous sites to get infected … but today they’re on legitimate sites attacking you• Exploits leverage software vulnerabilities without user interaction.• Which Web sites can infect you? Your favorite: – News, travel, online games, real estate, government, others • 37.0% of domains hosting web malware were new in March 2011 • 24.5% of web malware was new in March 2011 • In 2010, over 42,926 domains were used to host web malware Source: Symantec.cloud 87.5% of malicious websites blocked in 2010 were legitimate, but compromised The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 17

Threat Landscape – Web-based ThreatsAttack kits lead to intensified threats• The number of daily Web-based attacks observed was 93% higher in 2010 than in 2009• Spikes in activity related to specific activities and campaignsThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 18

Malvertising• “Malicious Advertisement”• The main website isn’t infected – one of the advertisements is• Webpages pull content from ANYWHERE on the web• 1 out of 100, 1000 or 10,000 ads could be infected• Difficult to detect and reproduce * This is a fake websiteThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 19

Threat Landscape  Vulnerabilities Attacked by Web Attack Toolkits• Java exploits added to many existing kits• Up to 25 different vulnerabilities can be exploited• 0-Day Vulnerabilities being targeted more aggressively More Info: Detailed information available in ISTR Mid- Term: Attack Toolkits and Malicious WebsitesThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 20

Vulnerability TrendsWeb Browser Plug-In Vulnerabilities• The number of Flash and Reader vulnerabilities continued to grow.The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 21

Demo of Web AttacksThe Evolving Threat Landscape: Web, Spam and Phishing Attacks 22

>PSYMELatest in Malware and Phishing Attacks SYMANTEC VISION 2011 The Evolving Threat Landscape:23 Web, Spam

Threat Landscape - ConvergenceEvolving Threat landscape: From email and IM to web • Threats now span multiple protocols Spoofed Email with Fraudulent IM with Compromised Website Web Link Web Link Hosting Malware Comprehensive Protection Needed Across Email, Web, and IM The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 24

Threat Landscape - MalwareGreater pressure on traditional antivirus defenses In 2010 ~13,300 Signatures per day Or 1 every 6.5 seconds! In 2000 ~5 Signatures per day The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 25

Threat Landscape - MalwareCase Study: W32.Imsolk.B@mm (aka “Here you have”)• Many business users likely saw something like this in their inboxes on 9 September 2010The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 26

Case Study: W32.Imsolk.B@mm (aka “Here you have”)Window of vulnerability from non-targeted attacksThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 27

Threat Landscape - MalwareTargeted Attacks and Industrial Espionage • 1 or 2 per week in 2005 • 2 per day in 2006 • 10 per day in 2007 • 50+ per day in 2008 • 60+ per day in 2009 • 77 per day in 2010The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 28

Case Study: Targeted Attacks and Industrial EspionageExample of a Targeted Attack in March 2011• Exploit CVE-2011-0609The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 29

Case Study: Targeted Attacks and Industrial EspionageCVE-2011-0609: One Client, One Day: One Hour, 55 EmailsThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 30

Case Study: Targeted Attacks and Industrial EspionageCVE-2011-0609: Anatomy of a Targeted Attack Shellcode drops embedded executable and runs it… SWF-1 decodes SWF-2 and provides heap-spray for shellcode SWF-2 SWF-2 exploits CVE- 2011-0609The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 31

Threat Landscape – Financial Fraud and Identity TheftTypical profile of a phishing attack Malicious URLs appear in emails designed to appear legitimate Spoofed or compromised website is used to capture account information or install malwareThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 32

Threat Landscape – Financial Fraud and Identity TheftClassification of organizations targeted by phishing• Banks were spoofed by 56% of phishing attacks in 2010• Many email-based fraud attempts referred to major events in 2010The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 33

Threat Landscape – Financial Fraud and Identity TheftUnderground economy: Impact on Cybercrime• Credit card information and bank account credentials continue to be the top two advertised items by a large margin• Bulk rates for credit cards range from 10 cards for $17 to 1000 cards for $300• Location affects credit card prices but not bank credentialsThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 34

Threat Landscape - SpamTrends in spam: A decade of evolution and techniques INCREASED COMPLEXITY AND SOPHISTICATION IN GREATER VOLUMES Symantec MessageLabs Intelligence Reports 80% 2000 2011The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 35

Threat Landscape - Botnets What are spam-sending botnets? • Approx. USD $15 for 10,000 bots Command & ControlBotnet Controller The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 36

Threat Landscape - BotnetsWhere does most of the spam come from? BAGLE RUSTOCK 17.2% Spam 28.5% Spam 8.3bn/day 13.8bn/day LETHIC 4.1% Spam UK & USA: 1 in 200 2.0bn/day Spain: 1 in 100 Japan: 1 in 1000 India: 1 in 30 CUTWAIL Vietnam: 1 in 10 4.5% Spam 2.2bn/day FESTI GRUM 8.7% Spam 3.4% Spam 4.2bn/day 1.6bn/day Brazil: 1 in 20The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 37

Threat Landscape - Innovations in SpamAutomated translation: Maximizing potential impact • Automation: Non-English Spam Increasing • When it goes wrong, artifacts help the good guys!The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 38

Threat Landscape - Innovations in Spam Social networking: Shortcuts for spammers• Each shortened URL received an average of 44.2 visits• Approximately 93.5% of responses were received within 3 days of the spam sent• Approximately 2-3% of all email spam now contains a shortened URL The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 39

Threat Landscape - Innovations in SpamSocial networking: Shortcuts for spammersThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 40

>PSYMESummary – What Can You Do? SYMANTEC VISION 2011 The Evolving Threat Landscape:41 Web, Spam

Common Issues and Solutions Found during MalwareInvestigations• Antivirus on endpoints is not enough• Review Security Software settings• Be aggressive on your updating and patching.• Implement a removable media policy.• Turn off Auto-run!• Update your security content frequently and rapidly.• Investigate and use different security solutions for servers.The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 42

Common Issues and Solutions Found during MalwareInvestigations (cont)• Restrict email attachments• Maintain an ongoing blacklist of malicious domains.• Ensure that you have infection and incident response procedures in place• Educate users on the changed threat landscapeThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 43

Symantec Protection Model Defense in Depth File17b053e6352ad23385c59efcbac2490b Website/ Network Domain/ IP address Network File Reputation Behavioral  Network-based Protection  File-based Protection  Reputation-based Protection  Behavioral-based Protection Stops malware as it Looks for and Establishes information Looks at processes as travels over the network eradicates malware about entities e.g. they execute and uses and tries to take up that has already taken websites, files, IP malicious behaviors to residence on a system up residence on a addresses to be used in indicate the presence system effective security of malware  Protocol aware IPS  Antivirus Engine  Domain Reputation  SONAR  Browser Protection  Auto Protect  File Reputation  Behavioral Signatures  Malheur The Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 44

Threat Activity TrendsAttacks Blocked/Technology - Endpoint Protection 2009 33% 2010 50% AV Detections AV Detection IPS Dections IPS DetectionsThe Evolving Threat Landscape: Web, Spam and Phishing Attacks SYMANTEC VISION 2011 45

SummaryWhere to go next? symantec.com/threatreport symanteccloud.com/intelligence On the symantec.com and symanteccloud.com: • Email and web stats on homepage • Analysis on MessageLabs Intelligence site • Register to receive latest reports and information • Podcasts, Blog, YouTube, Facebook and Twitter… Podcasts SYMANTEC VISION 2011 46 The Evolving Threat Landscape: Web, Spam and Phishin 46

Thank you! John Harrison (john_harrison@symantec.com) Paul Wood (paul_wood@symantec.com) Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.The Evolving Threat Landscape: Web, Spam and Phishing Attacks 47

Evolving Threat Landscape Web Spam Bot

by Symantec

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Evolving Threat Landscape Web Spam Bot Presentation Transcript