InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Jan 2010
Cover Story
Top 18 Security Threats to Watch Out for in 2010

With ever-increasing threats in the cyber world, 2010 will be no different from previous years, except that there will be more online threats. Security experts predict that malicious hackers could try their hands at cloud computing attacks, Web 2.0 attacks, online attacks and so on. In this cover story, we bring you the global top 18 security threats to watch out for in 2010.

It's that time of year when vendors push their annual security predictions. Usually these are well analysed and, of course, predictable. Hackers and spammers are the biggest threat and nuisance for the world's Internet community today, and even strong security measures have been unsuccessful in controlling these unwanted cyber activities. Whatever happened last year is presumed to get worse the next year. Even though some of the new attacks are the same as in previous years, this year there is a new twist. There will be more social engineering attacks, more malware, iPhone attacks will escalate and so on.

Where in 2009 Web 2.0 websites such as Facebook and Twitter were the hackers' sweet spot, 2010 will see them looking to compromise new platforms such as smartphones and take advantage of the popularity of Windows 7. In the year ahead, hackers are also expected to compromise the integrity of search engine results and use legitimate advertisements to spread their malicious content.

As audiences are moving quickly into the social web, so are the attacks. Additionally, as emerging operating systems/platforms and mobile devices become more popular, they are targeted more. At the same time, malicious attackers are increasing the number of traditional attacks on personal computers, quickly changing tactics and adding new twists to old plots. The recent spamming and phishing attacks at popular social networking websites are proof of just how well the hackers understand the tastes of internet users. The number of malicious sites is rising day by day and it looks like it is only going to rise further.

Let's take a look at the top 18 cyber security threats for the year 2010.

1. Web 2.0 attacks will increase in sophistication and prevalence

With the rise of Web 2.0, attacks that impersonate social networking sites or spoof contacts from your "friends" list are more likely to be clicked on. It is likely we'll see a great deal more of similar scams in 2010. The year 2010 will see a greater volume of spam and attacks on the social web and on real-time search engines such as Topsy.com, Google and Bing.com, which recently added real-time search capability features.

Spammers' and hackers' use of Web 2.0 sites in 2009 proved successful because of the high level of trust users place in the platforms and the other users. The trend is likely to continue in 2010, with attackers looking to spread their wares on social websites such as Facebook, Twitter, MySpace and Google Wave.

2. Botnet gangs will fight turf wars

Botnets ruled the cyber security landscape in 2009, with the 10 major heavyweight spam-sending botnets, including Cutwail, Rustock and Mega-D, now controlling at least 5 million compromised computers. With these compromised computers issuing over 83 percent of the 107 billion spam messages distributed globally, we can expect botnets to get bigger, stronger and more intelligent in the year ahead.

More aggressive activity is expected in the year ahead from botnet gangs, who invade secretly and hide software to get access to the information on your computer, including your email program, and then use your computer to send spam. Users had better watch out for them.

In the past year, security experts have noted an increase in botnet groups following each other and using similar spam and web campaign tactics and other copy-cat behavior. This is expected to continue in 2010. In addition, more aggressive behavior between different botnet groups is anticipated, including bots with the ability to detect and actively uninstall competitor bots.

3. Cloud Computing Threats

The rise in cloud-based technologies and the increase in people relying on online services and web-based programs, rather than programs purchased from a retailer, will also become increasingly fertile ground for cyber criminals next year. To keep ahead of the computer security industry's efforts to thwart their activities, cyber-criminals are now using "in the cloud" technologies in far more sophisticated and effective ways than most legitimate businesses.

4. Assault on Authentication

The banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites. Now industry security experts warn that those traditional customer authentication methods are being challenged and defeated. Various security analysts say the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecurID), and call-forwarding that defeats phone-based authentication, as well as transaction verification using SMS or voice calls. This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts.

In 2010, we will also be seeing an increase in high-grade man-in-the-browser (MITB) trojan attacks. In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0. MITB trojans send money in real time rather than just stealing credentials for sale in the underground. In 2010, security experts expect that additional "Fraud-as-a-Service" models will make these kits available to more and more fraudsters. Solutions for these types of attacks include anti-trojan detection and countermeasure services, desktop hardening, out-of-band authentication and transaction monitoring.

Commercial banking has already seen early signs of man-in-the-browser attacks targeting two-factor authentication used to protect U.S. commercial online banking customers. In 2010, security experts project this trend to greatly intensify, requiring commercial banks to deploy additional lines of defense such as adaptive authentication, out-of-band authentication, desktop hardening and anti-trojan countermeasure services.
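The following added example (not part of the original article, and not any bank's or vendor's scheme) shows why a plain one-time password does not protect a payment whose details are altered in the browser, while a code bound to the payee and amount that the customer confirms on a separate device does. The key, payee names and the simplified HMAC truncation are constructed assumptions.

```python
import hashlib
import hmac

TOKEN_KEY = b"constructed-demo-key"  # constructed sample secret shared by token and bank


def _six_digits(key: bytes, message: bytes) -> str:
    """Truncate an HMAC-SHA256 tag to a 6-digit code (simplified, not RFC 4226)."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


def session_otp(key: bytes, counter: int) -> str:
    """Classic token OTP: proves possession of the token, says nothing about the payment."""
    return _six_digits(key, counter.to_bytes(8, "big"))


def transaction_code(key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Code bound to the payee and amount the customer reads on the out-of-band device."""
    details = f"{payee}|{amount_cents}".encode()
    return _six_digits(key, counter.to_bytes(8, "big") + b"|" + details)


def bank_accepts_otp_only(key: bytes, counter: int, submitted: dict, code: str) -> bool:
    """Bank checks the OTP only; the submitted payment details are not covered by it."""
    return hmac.compare_digest(session_otp(key, counter), code)


def bank_accepts_bound(key: bytes, counter: int, submitted: dict, code: str) -> bool:
    """Bank recomputes the code over the details it actually received."""
    expected = transaction_code(
        key, counter, submitted["payee"], submitted["amount_cents"]
    )
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    counter = 42
    # What the customer believes they are authorising.
    intended = {"payee": "ACME-SUPPLIES", "amount_cents": 10_000}
    # Constructed stand-in for what reaches the bank when the page in the
    # browser has been modified: same session, different payee and amount.
    altered = {"payee": "UNKNOWN-ACCOUNT", "amount_cents": 950_000}

    otp = session_otp(TOKEN_KEY, counter)
    bound = transaction_code(
        TOKEN_KEY, counter, intended["payee"], intended["amount_cents"]
    )
    return {
        "otp_only_accepts_altered": bank_accepts_otp_only(TOKEN_KEY, counter, altered, otp),
        "bound_accepts_intended": bank_accepts_bound(TOKEN_KEY, counter, intended, bound),
        "bound_accepts_altered": bank_accepts_bound(TOKEN_KEY, counter, altered, bound),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The binding only helps if the customer reads the payee and amount on a channel the browser cannot rewrite, which is why the article pairs out-of-band authentication with transaction monitoring.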

5. Email gains traction again as a top vector for malicious attacks

In 2010, email used as a vector for spreading malicious attacks will evolve in sophistication. During 2009, security experts saw a huge increase in emails being used to spread files and deliver Trojans as email attachments, a technique that had been nearly non-existent for several years.

Attackers are more often using timely topics to lure recipients to open mail, attachments and click on malicious links. Also, researchers have noticed an increased sophistication of blended attacks that are difficult to close down.

It is reported that more than 40 trillion spam messages were sent in the past 12 months, with some of the popular subjects including festive occasions, cheap car discounts and fake Twitter invitations. During 2010, this trend will continue and we will see more emails containing malicious data.

6. Targeted attacks on Microsoft properties

With the expected fast adoption of Windows 7, we will see more malicious attacks targeting the new operating system with specific tricks to bypass User Access Control warnings, and greater exploitation of Internet Explorer 8.

The User Access Control in Vista was originally implemented to prevent malware from making permanent changes to the system, such as start-up files. However, it allowed pop-ups every time a change was made to the system, such as a change to an IP address and time zone.

The pop-ups occurred so frequently that users ignored the warnings or turned off the feature, leaving them vulnerable. While Windows 7 tries to reduce the pop-ups by allowing four levels of User Access Control, security challenges to the interface and the operating system still exist.

7. Don't trust your search results

A malicious SEO (Search Engine Optimisation) poisoning attack, also known as a Blackhat SEO attack, is when hackers trick search engines into displaying their content ahead of other legitimate sites. As a user searches for related terms, the infected links appear near the top of the search results, generating a greater number of clicks to malicious websites.

SEO poisoning attacks are successful because as soon as a malicious campaign is recognised and removed from search results, the attackers simply redirect their botnets to a new, timely search term.

These ongoing campaigns are likely to gain steam in 2010 and may cause a trust issue in search results among consumers, unless the search providers change the way they document and present links.

8. Smartphones are hackers' next playground

With the increased use of smartphones, mobile security will be an area of concern in the new year. Smartphones such as the iPhone and Android, which are used increasingly for business purposes, are essentially miniature personal computers and in 2010 will face the same types of attacks that target traditional computing.

Additionally, poor security of applications on smartphones can put users' and organisations' data at risk. With a rapidly growing user base, business adoption and increasing use for conducting financial transactions with these devices, hackers will begin more dedicated targeting of smartphones in 2010.

9. Attacks through web advertisements

In a high-profile incident in 2009, visitors to the New York Times web site saw a pop-up box warning them of a virus that directed them to an offer for anti-virus software, which was actually rogue AV.

This attack was served up through an advertisement purchased by someone posing as a national advertiser. The successful attack was a worthwhile investment for the criminals, and so in 2010 security experts predict that more malicious advertisements will be legitimately purchased by the bad guys.

10. Shortened URLs (Uniform Resource Locator)

The popularity of social networking and micro-blogging sites has led spammers to use short URLs in their spam emails. They are another key area for security, as the links may direct people to undesirable sites filled with malware. In 2009, over 90 percent of spam contained a URL and there was an upsurge of short URLs in the second half of the year.

Short URLs hide the true website behind the link, yet are trusted by millions of people who use them to share photos and news online. New social technologies will lead to even more creativity on behalf of the bad guys.

Condensed URLs are popular on social networking sites and in particular, Twitter and Facebook, so users of these platforms should avoid clicking on URLs sent by unknown users. Such links are likely to be created by phishers peddling links to malicious sites.

11. SQL Attacks—More To Come

The biggest data breach on record - Heartland Payment Systems - was carried out using a "Sequel Injection," or SQL injection, attack. SQL attacks are a popular way to infect and take over websites, as seen in recent findings by security researchers. SQL injection attacks were one of the most common methods of breaching systems in many cases. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.

12. "Scareware"

Scareware, or fake antivirus software, is also expected to have a bigger presence in the new year. In such scenarios, users are tricked by scareware promoters into downloading the fake application, which could then lead to sensitive information being compromised. Computers may even be "hijacked" or rendered useless by cybercriminals, who control the machines until the owners pay a ransom fee.

13. Losing your Identity

The bad guys still want your money, identity and/or resources. In the new year, cyber-criminals will, with increased sophistication, continue to make money via social engineering and phishing scams that trick users into providing personal details, or that steal them.

Instead of targeting people through email, cyber criminals are now focusing on enticing people to malware-infected websites. These websites are designed to trick users into handing over credit card details, or carry malware designed to infect visitors' computers with programs that enable identity theft.

14. Return to Telephone-Based Fraud

If there is one thing criminals attacking financial institutions and customers are, it is persistent, as seen by the number of attacks hitting global banks and financial institutions in 2009. When one avenue of entry is closed, the criminals look to other ways to get what they're after. As financial institutions beef up their online security, many fraudsters have turned to more traditional telephony fraud.

Armed with data stolen via trojans and phishing attacks - including 'vishing' (voice phishing), 'smishing' (SMS phishing or text phishing) and variants of spear phishing - fraudsters around the world call customer service departments at banks, credit unions and credit card companies in order to perform a fraud called account takeover. These fraudsters often outsource the actual phone call to multi-lingual third-party service providers operating 24/7 out of Russia. Caller ID spoofing is also prevalent and is to be watched for in 2010.

15. Mobile Banking Attacks

The move to mobile banking by financial institutions that want to offer customers instantaneous access to their accounts is catching fire around the country, with hundreds of institutions now offering customers the ability to look up their account data and balances on cell phones. But security experts see trouble ahead when institutions begin allowing more than just account balance checks. The chance for fraud via the mobile phone is already here, say various experts dealing with these frauds. Exploits against the ever-growing base of smart phones are on the rise, leading to the possible building of a botnet based on iPhone or Android phones.

The mobile target will continue to grow and as smart phones become more sophisticated, the number of attacks will grow too. In many cases, these devices contain a huge amount of sensitive data, as well, and could even be a vital component of newer two-factor authentication used by banks.

16. Crack the CAPTCHA

CAPTCHA is a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart." CAPTCHA-breaking tools have allowed cybercriminals access to an unprecedented number of webmail, IM (instant messaging) and social networking websites. With a new crop of more sophisticated CAPTCHAs on the horizon - some involving images and animation - it will be increasingly difficult for the bad guys to solve these puzzles with an automatic computer program.

17. Macs are not immune either

Hackers have noticed Apple's rapid growth in market share in both the consumer and corporate segments. There is additional risk for Mac users because many assume Macs are immune to security threats and therefore employ fewer security measures and patches, so attackers have additional incentive to go after the Mac OS X platform.

During 2009, Apple released six large security updates for Macs, showing the potential for attacks. In 2010, there will be even more security updates as hackers ramp up attacks targeting the platform. There is also the potential for the first drive-by malware created to target Apple's Safari browser.

As the popularity of Apple products continues to grow, Apple should look to protect the content they place on their devices as more attackers will devote time to creating malware to exploit Macs.

18. Foreign Language SPAM attacks

Automated translation services allow cybercriminals to target their attacks in local languages. While over 95 percent of spam is in English, the last year has seen significant increases in spam in countries where English is not the primary language. After English, the most common languages for spam (in order) are French, Portuguese, Russian and German. Spam levels in Germany and The Netherlands increased by 13% since the beginning of the year, with spam now accounting for in excess of 95% of all emails.

More Attacks

There's more to watch for, including attacks on web applications, especially drive-by downloads of keylogging trojans, and man-in-the-middle attacks. The browser will become the favored attack vector, and zero-day attacks on client-side software are also on the horizon.

Fewer operating system holes are being found, but more and more in Adobe, instant messaging, MS Office and other applications. The scenario would be: A victim views content from a bad guy, and the attacker then takes over the victim's browser. This technique is used to create botnets as well as skim credit card and account information from the client machine.

Various security experts also expect to see infrastructure attacks launched via an infected browser. Here, the bad guy uses a compromised browser to access the enterprise infrastructure controlled through that browser, including the enterprise's firewalls, anti-malware solution and possibly HVAC and related systems.

Within institutions, security experts see Voice over Internet Protocol (VoIP) and other converged networking issues coming up. Security experts predict that from simple denial-of-service problems to new malware that affects voice systems, this will be a growing area that affects financial institutions.

Additional Security Threats

In addition to the top 18 threats listed above, we bring you other threats facing nations and business organisations that are no less alarming than the main threats.

Highly transient web threats: In 2010, cyber criminals will continue to improve the speed with which they are able to move their campaigns from domain to domain, server to server. In early 2009, security researchers reported that 60% of these poisoned web threats were active for less than a day and 75% for less than 30 days.

Exploitation of major events and news: In addition, events in 2009 such as the news of the H1N1 virus and the deaths of actor Patrick Swayze and pop icon Michael Jackson, as well as the inauguration of America's first African-American president Barack Obama, saw significant spikes in search queries. World events, news, and holidays always spark a bad guy's imagination. Cybercriminals, especially spammers and malware writers, latched on to these opportunities to release their spam and malware onto the web to trick unsuspecting users.

Organised Crime Targeting Financial Institutions: Over the past several years, law enforcement investigations into cyber crime have uncovered global networks of organised crime groups, including overseas criminal organizations (many based in Eastern Europe) that hire and direct hackers. Security experts say the battle between "us and them" increasingly pits the financial services industry against organised crime organisations.

Information security experts predict that 2010 will see a frightening rise in incidents attributable to organised crime. Rampant, professional cybercrime, from the Russian Business Network (RBN) to its descendants, from individual criminal 'entrepreneurs' to emerging criminal enterprises - all signs point to a dramatic rise in cybercrime. This is simply the logical consequence of today's situation with the use of information systems: insecure computers plus lots of money plus no punishment equals 'go do it!'

Emerging nations go online with poor security: Many users, especially in developing countries, who are among the growing millions getting connected to the Internet, still use pirated software that can't be kept up to date with security patches. We expect to see a big increase in threats being delivered via emerging countries in 2010.

Global economic crisis impacts security: As employment has taken a hard hit due to the economic crisis, it is likely that more people will be lured by the easy money of cyber-crime. Also, individuals desperately searching for earning opportunities are more likely to fall prey to bogus offers, and disgruntled employees may breach official data that could fall into the wrong hands.

Business still too complacent: Events in 2009 showed that many businesses simply weren't properly protected. The success of the exploits used to penetrate and establish Conficker in business and enterprise networks early in 2009 was largely because of complacency.

Conclusion

Cyber criminals have also become more “agile”, harder to track, and better at developing malware and viruses that can evade detection by security software. Some criminals are creating hundreds of thousands of websites well in advance of inserting any malware into them, enabling them to gain a good rating in the reputation-based networks being used by some security vendors. At a later stage, the bad guys change their ‘innocent web pages’ and go live with their malicious payloads. In early 2009, security researchers reported that 60% of these poisoned web threats were active for less than a day and 75% for less than 30 days.

Cyber crooks are also more diverse and are busy developing and deploying automatically generated malware programs. Cyber-criminals can now automatically create hundreds of thousands of unique pieces of malware a day, much of which has no unique signature and can bypass old-fashioned, signature-based virus detection software. Security experts predict that the security threats in 2010 are likely to be nastier, more targeted and more frequent, with malware and cyber-crime being almost exclusively driven by organised crime and motivated by money.

In order to counter the new attacks, individuals and business organisations need to remain vigilant to cope with a quickly evolving threat landscape.

—By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Computer System Security. He has an active interest in designing security algorithms for securing mission critical systems. He can be reached at infosecurity@fanaticmedia.com

