
Report: Four Percent of E-Crime From Fortune 100

Roughly four percent of all spam, malicious software attacks, phishing Web sites and other cyber crime activities detected in the first half of 2007 emanated from the networks controlled by the world's 100 highest-grossing companies, according to a new report from anti-virus company Symantec.

The finding, from Symantec's semi-annual Internet Security Threat Report, is significant because it indicates the extent to which Fortune 100 organizations have been compromised and are being used by attackers as launching pads for malicious activity, the report notes.

The report jibes with data published by Security Fix in March, which found evidence of phishing Web sites, spam and malware coming from major corporations, including Best Buy, ExxonMobil, HP, and Oracle, among others. Wired.com's Ryan Singel recently documented similar findings.

Symantec cautions, however, that this statistic is actually lower than one might expect, given that Fortune 100 companies collectively control more than seven percent of the world's Internet address space (known as "IP addresses"), and that much of that space is presently unused.

"Since the proportion of malicious activity originating from Fortune 100 IP space is lower than the proportion of the world's active and advertised IP space that is assigned to these organizations, less attack activity is originating from Fortune 100 companies than other IP spaces."

Symantec also found that the average number of bot-infected PCs -- machines seeded with software that allows attackers to remotely control them for criminal purposes -- actually decreased by 17 percent in the first six months of 2007.

This would be notable and welcome news were it not somewhat misleading. The problem is that Symantec admittedly does not have any reliable way to measure the number of bots under the thumb of the criminals who control the Storm worm, a contagion that has infected between one and 10 million PCs worldwide (depending upon which experts you ask).

That's because Storm-infected machines receive updates and instructions via a peer-to-peer system, a decentralized network that actually uses the very same communications protocol as the eDonkey network, which is currently used to trade audio and video files, as well as computer software.

Criminals who run bot networks -- more commonly called "botnets" -- typically control them by having each infected machine report to an Internet-based server to receive instructions and updates. Oftentimes, it is possible for security researchers to connect to these so-called "command and control servers" (C&C) and count the number of infected machines that are reporting for duty, or to disable the server altogether.

As a result, botnets controlled by traditional C&C servers are vulnerable to compromise or shutdown because they rely on a single point of failure: take out the C&C and you can often effectively hobble the botnet. But because it is using a peer-to-peer network, the Storm worm is proving next to impossible to shut down. The P2P aspect also makes it much more difficult to gauge its size.
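The two sizing problems described above, as an added example that is not part of the original post: over constructed flow records (not real traffic), the script counts distinct internal hosts polling a known C&C address, which is how a centralised botnet can be sized, and separately flags internal hosts with high distinct-peer fan-out on one port, the pattern a P2P bot leaves when there is no single C&C to count from. The C&C address, peer port and threshold are assumptions chosen for the sample data.

```python
"""Estimate botnet footprint from constructed flow records.

Centralised botnets (every bot polls one C&C host) can be sized by counting
distinct internal sources talking to the C&C address. A P2P bot instead talks
to many peers on a shared port, so the only signal left is fan-out.
"""
from collections import defaultdict

# Constructed sample flows: "src dst dport bytes". Addresses and the
# peer port (4672) are illustrative choices, not observed values.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.9 80 512
10.0.0.6 203.0.113.9 80 498
10.0.0.7 203.0.113.9 80 530
10.0.0.5 203.0.113.9 80 501
10.0.0.8 198.51.100.20 443 4096
10.0.0.9 192.0.2.10 4672 300
10.0.0.9 192.0.2.11 4672 310
10.0.0.9 192.0.2.12 4672 290
10.0.0.9 192.0.2.13 4672 305
10.0.0.9 192.0.2.14 4672 298
10.0.0.8 192.0.2.15 4672 301
"""


def parse_flows(text):
    """Yield (src, dst, dport) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], int(parts[2])


def count_bots_per_cnc(flows, cnc_hosts):
    """Distinct internal sources seen contacting each known C&C host."""
    seen = defaultdict(set)
    for src, dst, _ in flows:
        if dst in cnc_hosts:
            seen[dst].add(src)
    return {cnc: len(srcs) for cnc, srcs in seen.items()}


def p2p_suspects(flows, min_peers=4):
    """(src, dport) pairs whose distinct peer count reaches min_peers."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        peers[(src, dport)].add(dst)
    return {key: len(p) for key, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print(count_bots_per_cnc(flows, {"203.0.113.9"}))  # 3 bots polling the C&C
    print(p2p_suspects(flows))  # 10.0.0.9 fanning out to 5 peers on 4672
```

Repeated polls from the same bot (10.0.0.5 appears twice) are collapsed by the set, so the count is hosts, not connections.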

Symantec's report does note that the Trojan horse program used to install the Storm worm on victim PCs -- which it calls the "Peacom Trojan" -- was in fact the most widely reported family of malicious software spotted in the first half of this year.

Other interesting data from the report:

"Threats with keystroke-logging capacity made up 88 percent of confidential information threats during this period, as did threats with remote access capability, such as back doors. This is an increase from 76 percent and 87 percent respectively over the previous period."

Symantec also broke down the number of security holes found in the most popular Web browsers, including 39 vulnerabilities in Microsoft Internet Explorer, 34 in Mozilla browsers such as Firefox, 25 in Apple Safari, and seven in Opera. In the second half of 2006, 54 vulnerabilities were disclosed for Internet Explorer, 40 for Mozilla browsers, four for Apple Safari and four for Opera.

Among the browser stats, I found this one to be most compelling: Symantec documented 237 vulnerabilities in Web browser plug-ins. Nearly 90 percent of those were related to ActiveX components in IE that were found to introduce security holes that could let malicious Web sites compromise Windows PCs.

By Brian Krebs | September 17, 2007; 3:27 PM ET | Fraud, From the Bunker, Misc.

Comments

"The report jives..."

I think you mean "jibes".

Posted by: aeschylus | September 17, 2007 4:35 PM

lol. talk about a typo. fixed, thanks, aeschylus.

Posted by: Bk | September 17, 2007 4:53 PM

"... Symantec documented 237 vulnerabilities in Web browser plug-ins. Nearly 90 percent ... related to ActiveX components in IE ... introduce security holes ... "

Shhhhh. The EU will hear you.

Posted by: GTexas | September 17, 2007 4:59 PM

Your article on Fortune 100 companies being 4% of E-Crime is probably low. Research shows it is easy to identify "REAL" email addresses inside of companies, which increases your likelihood of getting a real person to read a malicious email, which may end up in a successful attack against their network. Also, using wireless tools such as "www.youtube.com/wifiwhirlwind" it is easy to identify corporate networks that have unprotected WiFi networks in place, which are easy prey for malicious activities. Combined with USB sticks being introduced into systems with outside software, plus illegal software being loaded on corporate networks (some of which has malicious code in it), all of this leads to the fact that 4% is just the tip of the iceberg. Another avenue for attack is through employees connecting to corporate VPNs via systems in the employee's home that have already been compromised. Reality tells us that the % of problems coming from big corporations is much higher, and I am sure government organizations are just as bad as the big Fortune companies. This includes foreign governments as well as large foreign corporations. Just something to think about.

Posted by: Futures, Inc. | September 17, 2007 5:00 PM

Another item that needs to be considered is the fact that open source information found on the Internet can contribute to malicious folks putting together pieces of the puzzle to gain unauthorized access into a corporate network. Then they use the network(s) for illegal activities or take information from the network for illegal purposes. I am sure there are organized crime groups that work on such efforts. I seriously don't think the TJ Maxx problem was done by teenagers. I am willing to bet organized crime has more to do with cybercrimes than anyone is willing to admit... or maybe they are just hard to catch. Most corporate networks have perimeter defenses in place, but lack any IDS solutions in the middle of the network if someone were to gain access. It's a real problem and I don't think the world is facing up to this fact.

Posted by: R1no | September 17, 2007 5:10 PM

I have Process Explorer, and a fair amount of it is beyond me. What I'd like to know is if it can tell you what program initiated the current communication. Sometimes I am running the program that initiates it, but sometimes not, and in those cases ProcEx, as far as I know, only shows the fact that it's communicating. I'd like, in short, a way to know whether the communications are legitimate.

Posted by: BarbsPoint | September 17, 2007 7:46 PM

It's hard to believe people running corporate networks are that clueless. But I believe it.

Posted by: Rick | September 17, 2007 8:04 PM

To BarbsPoint:

You may or may not be able to trust your Process Explorer on the local system on which you are trying to identify malicious activities. I say this as a professional penetration tester and network security engineer. What I highly recommend is having your company have someone come in and perform an internal network collection & analysis of traffic on your network. I highly recommend this be performed on the network with your most valued server, the network with the most user systems, and/or at the connection boundary to the Internet. If the proper company performs the work, they will collect traffic for a period of time and run analysis tools against the traffic to see what is going on. This is the best way to know what is going on inside of your network. Something similar to this should be done for the WiFi environment of your company, too. Combined, you will have a much better understanding of what is going on inside your corporate structure. This is the best manner to tell what is really going on inside of your network.

Posted by: R1no | September 17, 2007 9:34 PM

Thanks for the feedback, R1no.

Posted by: BarbsPoint | September 17, 2007 9:48 PM

No problem BarbsPoint. Anytime.

Posted by: R1no | September 18, 2007 11:58 AM
