Symantec Vision 2011 Presentation on the Evolving Threat Landscape, including Web, Spam and Phishing Attacks, given by John Harrison, Group Product Manager, Security Technology and Response and Paul Wood, Senior Analyst, Symantec .cloud
1. The Evolving Threat Landscape:
Web, Spam and Phishing Attacks
John Harrison, Group Product Manager,
Security Technology and Response
Paul Wood, Senior Analyst, Symantec .cloud
The Evolving Threat Landscape: Web, Spam and Phishing Attacks 1
2. Agenda
Introduction
Threat Landscape 2010 – Anatomy of a Web Attack
Latest in Malware and Phishing Attacks
Spam Innovations
Summary - What Can You Do?
4. [Map: Symantec .cloud offices, network operation centers and data centers in Gloucester, Amsterdam, Calgary, Toronto, London, Frankfurt, Denver, New York, Courbevoie, Munich, Cupertino, Diegem, Tokyo, Mesa, Tucson, Virginia, Osaka, Oman, Hong Kong, Pune, Singapore, South Africa and Sydney]
• 32,000 businesses with 10 million users in 100 countries
• 5 billion email connections per day on average in 2010
• 1 billion web connections per day
• 15 data centers spanning 5 continents
5. Global Intelligence Network
Identifies more threats, takes action faster & prevents impact
[Map of Global Intelligence Network locations: Calgary, Alberta; Dublin, Ireland; Tokyo, Japan; San Francisco, CA; Mountain View, CA; Austin, TX; Chengdu, China; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India]
Worldwide coverage, global scope and scale, 24x7 event logging, rapid detection:
• Attack Activity: 240,000 sensors; 200+ countries
• Malware Intelligence: 133M client, server and gateway systems monitored; global coverage
• Vulnerabilities: 40,000+ vulnerabilities; 14,000 vendors; 105,000 technologies
• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Outputs: preemptive security alerts, information protection, threat triggered actions
6. >CUTWAIL
Threat Landscape 2010 – Anatomy of a Web Attack
7. Threat Landscape
2010 Trends
• Targeted Attacks continued to evolve
• Social Networking + social engineering = compromise
• Hide and Seek (zero-day vulnerabilities and rootkits)
• Attack Kits get a caffeine boost
• Mobile Threats increase
8. Anatomy of a Web Based Attack
• Enterprise and consumer users are infected today from Web based attacks:
– Web Attack Toolkits / drive-by downloads
– Social Engineering Attacks
[Diagram: a hacker compromises a legitimate Web site URL (drive-by download); the Web site attacks the user’s browser by targeting vulnerabilities, or the user is infected using social engineering techniques (fake AV / fake codec); the user’s machine is now owned]
9. Threat Landscape
Social Networking + Social Engineering = Compromise
More Info: a detailed review of social media threats is available in The Risks of Social Networking
• Hackers have adopted social networking
– Use profile information to create targeted social engineering
– Impersonate friends to launch attacks
– Leverage news feeds to spread spam, scams and massive attacks
10. Threat Landscape
Social Networking leads to….
• An attacker’s goldmine for: externalizing confidential / sensitive information, personal/professional separation, account hijacking, privacy issues and identity theft, harassment and cyber-bullying, information obsolescence, information harvesting
• Protection is often not effective until compromise or infection takes place
• Exploits trust between friends; viral by nature
11. Facebook Likejacking Attacks = Like Hijacking
Likejacking Attack:
• Clicking ANYWHERE on the page results in “Liking” this page
• It gets posted to all of your friends without you actually clicking on the LIKE button!
• How does it work? An invisible Like button (the real one, loaded in a transparent frame) follows the mouse around, so whatever you click on, the click lands on it
Do you know what is happening?!
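An added example (not code from the Symantec deck) showing both halves of the mechanism in plain JavaScript: the geometry that keeps an invisible framed Like button under the cursor, and a model of the browser’s framing check, which is why the framed site sending X-Frame-Options or a CSP frame-ancestors directive is what defeats the attack. The Like plug-in URL, the page origins and the button box are assumptions.

```javascript
// Added example (not from the Symantec deck): likejacking as two plain
// functions, runnable under Node.js. The attacker page, the Like plug-in URL
// and the origins below are assumptions for illustration.

// Attacker side. The hidden frame holds the real Like button; given the
// cursor position on the attacker's page and the button's box inside the
// framed document, return the frame offsets that put the button's centre
// exactly under the cursor. Whatever the victim clicks, the click lands on
// the Like button.
function positionDecoyFrame(cursor, likeButton) {
  return {
    left: cursor.x - (likeButton.x + likeButton.width / 2),
    top: cursor.y - (likeButton.y + likeButton.height / 2),
  };
}

// Browser wiring for the above (not executed here): the frame is fully
// transparent and re-positioned on every mouse move.
//
//   <iframe id="decoy" src="https://www.facebook.com/plugins/like.php?href=..."
//           style="position:absolute;opacity:0;border:0"></iframe>
//   document.addEventListener('mousemove', (e) => {
//     const pos = positionDecoyFrame({ x: e.pageX, y: e.pageY }, LIKE_BUTTON_BOX);
//     decoy.style.left = pos.left + 'px';
//     decoy.style.top = pos.top + 'px';
//   });

// Defender side: may a response with these headers be rendered inside a
// frame whose top-level document has origin `embedder`? `self` is the framed
// resource's own origin. Mirrors the browser rules that stop likejacking:
// a CSP frame-ancestors directive wins when present, otherwise
// X-Frame-Options DENY / SAMEORIGIN applies, and with neither header the
// page can be framed by anyone.
function framingAllowed(headers, embedder, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors\b/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1)
      .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    if (sources.includes('none')) return false;
    if (sources.includes('self') && embedder === self) return true;
    return sources.some((src) => sourceMatches(src, embedder));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === self;
  return true; // no restriction: the page is likejackable
}

// Match one CSP host-source (e.g. https://*.example.com or example.com)
// against an origin. Scheme-less sources match any scheme; a leading "*."
// matches subdomains only. Simplified relative to the full CSP grammar.
function sourceMatches(src, origin) {
  if (src === '*') return true;
  const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([^/:*]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const o = new URL(origin);
  if (scheme && scheme + ':' !== o.protocol) return false;
  return wildcard ? o.hostname.endsWith('.' + host) : o.hostname === host;
}

// The headers a page that must never be framed should send (both, so that
// browsers without CSP frame-ancestors support are covered too).
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}
```

The check models X-Frame-Options DENY and SAMEORIGIN and CSP frame-ancestors, with CSP taking precedence when both headers are present, as browsers do; the old ALLOW-FROM form is deliberately not modelled. The practical point for a site owner is the last function: a page that should only ever be seen top-level, such as a social plug-in or a transaction confirmation, is protected against likejacking by its own response headers, not by anything the victim can do.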
12. Threat Landscape
Social Engineering
• Also called Scareware or Rogueware
• Multitude of propagation methods
• Most infections are from intermediate files (e.g., Zlob, FakeAVAlert) rather than misleading applications
• All components change quickly, including domains and EXEs. Average domain lifetime < 4 hours.
13. For more on Cybercrime, Social Networking Attacks
and Stuxnet
• The Threat Landscape in the Age of CyberCrime and Stuxnet
• Wednesday from 5:00 – 6:00pm. SR B30, Kevin Haley
14. Threat Landscape
Web Attack Toolkits
More Info: detailed information available in ISTR Mid-Term: Attack Toolkits and Malicious Websites
15. Web Attack Toolkits are Easy to Configure
16. Effectiveness of the Web Attack Toolkits
17. Threat Landscape
Web-based threats: Any website can infect you …just by browsing to it
• In the past you had to visit dangerous sites to get infected … but today they’re on legitimate sites attacking you
• Exploits leverage software vulnerabilities without user interaction.
• Which Web sites can infect you? Your favorite: news, travel, online games, real estate, government, others
• 37.0% of domains hosting web malware were new in March 2011
• 24.5% of web malware was new in March 2011
• In 2010, over 42,926 domains were used to host web malware
• 87.5% of malicious websites blocked in 2010 were legitimate, but compromised
Source: Symantec.cloud
18. Threat Landscape – Web-based Threats
Attack kits lead to intensified threats
• The number of daily Web-based attacks observed was 93% higher in 2010 than in 2009
• Spikes in activity related to specific activities and campaigns
19. Malvertising
• “Malicious Advertisement”
• The main website isn’t infected, one of the advertisements is
• Webpages pull content from ANYWHERE on the web
• 1 out of 100, 1,000 or 10,000 ads could be infected
• Difficult to detect and reproduce
[Screenshot caption: This is a fake website]
20. Threat Landscape
Vulnerabilities Attacked by Web Attack Toolkits
• Java exploits added to many existing kits
• Up to 25 different vulnerabilities can be exploited
• 0-Day Vulnerabilities being targeted more aggressively
More Info: detailed information available in ISTR Mid-Term: Attack Toolkits and Malicious Websites
21. Vulnerability Trends
Web Browser Plug-In Vulnerabilities
• The number of Flash and Reader vulnerabilities continued to grow.
22. Demo of Web Attacks
23. >PSYME
Latest in Malware and Phishing Attacks
24. Threat Landscape - Convergence
Evolving Threat landscape: From email and IM to web
• Threats now span multiple protocols
[Diagram: Spoofed Email with Web Link → Fraudulent IM with Web Link → Compromised Website Hosting Malware]
Comprehensive Protection Needed Across Email, Web, and IM
25. Threat Landscape - Malware
Greater pressure on traditional antivirus defenses
• In 2000: ~5 signatures per day
• In 2010: ~13,300 signatures per day, or 1 every 6.5 seconds!
26. Threat Landscape - Malware
Case Study: W32.Imsolk.B@mm (aka “Here you have”)
• Many business users likely saw something like this in their inboxes on 9 September 2010
27. Case Study: W32.Imsolk.B@mm (aka “Here you have”)
Window of vulnerability from non-targeted attacks
28. Threat Landscape - Malware
Targeted Attacks and Industrial Espionage
• 1 or 2 per week in 2005
• 2 per day in 2006
• 10 per day in 2007
• 50+ per day in 2008
• 60+ per day in 2009
• 77 per day in 2010
29. Case Study: Targeted Attacks and Industrial Espionage
Example of a Targeted Attack in March 2011
• Exploit CVE-2011-0609
30. Case Study: Targeted Attacks and Industrial Espionage
CVE-2011-0609: One Client, One Day: One Hour, 55 Emails
31. Case Study: Targeted Attacks and Industrial Espionage
CVE-2011-0609: Anatomy of a Targeted Attack
[Diagram of the exploit chain:]
• SWF-1 decodes SWF-2 and provides the heap spray for the shellcode
• SWF-2 exploits CVE-2011-0609
• The shellcode drops the embedded executable and runs it
32. Threat Landscape – Financial Fraud and Identity Theft
Typical profile of a phishing attack
• Malicious URLs appear in emails designed to appear legitimate
• A spoofed or compromised website is used to capture account information or install malware
33. Threat Landscape – Financial Fraud and Identity Theft
Classification of organizations targeted by phishing
• Banks were spoofed by 56% of phishing attacks in 2010
• Many email-based fraud attempts referred to major events in 2010
34. Threat Landscape – Financial Fraud and Identity Theft
Underground economy: Impact on Cybercrime
• Credit card information and bank account credentials continue to be the top two advertised items by a large margin
• Bulk rates for credit cards range from 10 cards for $17 to 1,000 cards for $300
• Location affects credit card prices but not bank credentials
35. Threat Landscape - Spam
Trends in spam: A decade of evolution and techniques
INCREASED COMPLEXITY AND SOPHISTICATION IN GREATER VOLUMES
[Chart: spam volume and sophistication from 2000 to 2011, highest label 80%. Source: Symantec MessageLabs Intelligence Reports]
36. Threat Landscape - Botnets
What are spam-sending botnets?
• Approx. USD $15 for 10,000 bots
[Diagram: Botnet Controller issuing Command & Control to the infected machines]
37. Threat Landscape - Botnets
Where does most of the spam come from?
Spam-sending botnets by share of global spam and daily volume:
• RUSTOCK: 28.5% of spam, 13.8bn/day
• BAGLE: 17.2% of spam, 8.3bn/day
• FESTI: 8.7% of spam, 4.2bn/day
• CUTWAIL: 4.5% of spam, 2.2bn/day
• LETHIC: 4.1% of spam, 2.0bn/day
• GRUM: 3.4% of spam, 1.6bn/day
Per-country ratios shown on the map: Vietnam 1 in 10; Brazil 1 in 20; India 1 in 30; Spain 1 in 100; UK & USA 1 in 200; Japan 1 in 1000
38. Threat Landscape - Innovations in Spam
Automated translation: Maximizing potential impact
• Automation: Non-English Spam Increasing
• When it goes wrong, artifacts help the good guys!
39. Threat Landscape - Innovations in Spam
Social networking: Shortcuts for spammers
• Each shortened URL received an average of 44.2 visits
• Approximately 93.5% of responses were received within 3 days of the spam sent
• Approximately 2-3% of all email spam now contains a shortened URL
40. Threat Landscape - Innovations in Spam
Social networking: Shortcuts for spammers
41. >PSYME
Summary – What Can You Do?
42. Common Issues and Solutions Found during Malware Investigations
• Antivirus on endpoints is not enough
• Review Security Software settings
• Be aggressive on your updating and patching.
• Implement a removable media policy.
• Turn off Auto-run!
• Update your security content frequently and rapidly.
• Investigate and use different security solutions for servers.
43. Common Issues and Solutions Found during Malware Investigations (cont)
• Restrict email attachments
• Maintain an ongoing blacklist of malicious domains.
• Ensure that you have infection and incident response
procedures in place
• Educate users on the changed threat landscape
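An added example, not code from the Symantec deck, tying together three items from these two summary slides with the earlier points on shortened URLs in spam (slide 39) and legitimate-looking phishing links (slide 32): a screening pass over one inbound message that matches link hosts against a maintained domain blocklist (a listed domain covers its subdomains), flags shortened URLs that hide their destination, flags anchors whose visible host differs from the href, and restricts attachments by extension. The blocklist, shortener list, extension list and the sample message are constructed for the example.

```javascript
// Added example (not from the Symantec deck): a gateway-style screening pass
// over one inbound message. Lists and the sample message are constructed.

const BLOCKLIST = new Set(['bad-pharma.example', 'login-update.example']); // constructed blocklist
const SHORTENERS = new Set(['bit.ly', 'tinyurl.com', 'goo.gl', 't.co', 'ow.ly']); // public shorteners
const BLOCKED_EXTENSIONS = new Set(['exe', 'scr', 'pif', 'vbs', 'js', 'jar', 'bat', 'cmd', 'hta']);

const URL_RE = /https?:\/\/[^\s<>"']+/gi;
const ANCHOR_RE = /<a\b[^>]*\bhref="([^"]+)"[^>]*>([\s\S]*?)<\/a>/gi;

// Normalised hostname of a URL, or null when it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/\.$/, '');
  } catch (e) {
    return null;
  }
}

// True when host is a listed domain or any subdomain of one: attackers
// rotate hostnames under a domain they control, so the match is on the
// suffix, label by label (a lookalike such as notbad-pharma.example does
// not match).
function domainListed(host, list) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (list.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Screen one message { body, attachments }. Every finding carries a reason
// so an analyst can see why the verdict was reached.
function screenMessage(msg) {
  const findings = [];

  for (const url of msg.body.match(URL_RE) || []) {
    const host = hostOf(url);
    if (host === null) continue;
    if (domainListed(host, BLOCKLIST)) findings.push({ kind: 'blocklisted-domain', url });
    else if (domainListed(host, SHORTENERS)) findings.push({ kind: 'shortened-url', url });
  }

  // Link text that shows one host while the href goes to another: the
  // "designed to appear legitimate" phishing link.
  for (const m of msg.body.matchAll(ANCHOR_RE)) {
    const hrefHost = hostOf(m[1]);
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const looksLikeHost = /\./.test(text) && !/\s/.test(text);
    const shownHost = looksLikeHost
      ? hostOf(/^https?:\/\//i.test(text) ? text : 'http://' + text)
      : null;
    if (hrefHost && shownHost && shownHost !== hrefHost) {
      findings.push({ kind: 'display-mismatch', shown: shownHost, actual: hrefHost });
    }
  }

  for (const name of msg.attachments || []) {
    const ext = name.toLowerCase().split('.').pop();
    if (BLOCKED_EXTENSIONS.has(ext)) findings.push({ kind: 'blocked-attachment', name });
  }

  // A shortened URL on its own is suspicious rather than conclusive, so it
  // quarantines for review; everything else is a hard block.
  const hard = findings.some((f) => f.kind !== 'shortened-url');
  const verdict = hard ? 'block' : findings.length ? 'quarantine' : 'deliver';
  return { verdict, findings };
}

// Constructed sample: a shortener link, a phishing-style anchor whose text
// names one host while pointing at a blocklisted one, and a .scr attachment.
const SAMPLE = {
  body: 'Hello, see http://bit.ly/2xyzabc and ' +
        '<a href="http://secure.login-update.example/auth">www.mybank.example</a>',
  attachments: ['PDF_Document_025542010_pdf.scr'],
};
```

Run under Node.js with `screenMessage(SAMPLE)`; the sample comes back as `block` with four findings. The suffix match in `domainListed` is what makes an "ongoing blacklist" workable: the list holds the registrable domains, and the short-lived hostnames the slides describe (average lifetime under four hours) fall under them without a list update for each one.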
44. Symantec Protection Model
Defense in Depth
[Diagram: four protection layers applied to a website/domain/IP address (network), a file (hash 17b053e6352ad23385c59efcbac2490b) and running processes]
• Network-based Protection: stops malware as it travels over the network and tries to take up residence on a system. Technologies: protocol-aware IPS, browser protection
• File-based Protection: looks for and eradicates malware that has already taken up residence on a system. Technologies: antivirus engine, Auto-Protect, Malheur
• Reputation-based Protection: establishes information about entities, e.g. websites, files, IP addresses, to be used in effective security. Technologies: domain reputation, file reputation
• Behavioral-based Protection: looks at processes as they execute and uses malicious behaviors to indicate the presence of malware. Technologies: SONAR, behavioral signatures
45. Threat Activity Trends
Attacks Blocked/Technology - Endpoint Protection
[Chart: share of endpoint attacks blocked, AV detections vs IPS detections; labelled values 33% (2009) and 50% (2010)]
46. Summary
Where to go next? symantec.com/threatreport
symanteccloud.com/intelligence
On symantec.com and symanteccloud.com:
• Email and web stats on homepage
• Analysis on MessageLabs Intelligence site
• Register to receive latest reports and information
• Podcasts, Blog, YouTube, Facebook and Twitter…