Data breaches, web-based attacks, and malicious code took down many enterprises across the globe in 2013. Symantec identified and analyzed 14 types of threat trends that every victim organization should think over. Here we present the findings of the 2014 security report published by Symantec. All attacks were performed on a network and detected by intrusion detection systems and firewalls. Other malicious activities include phishing, malicious code, spam zombies, botnets, and attack origins. Below are the categories of malicious activity and Symantec's analysis of each.
Malicious Activities by Source:
- Malicious Code: Malicious code includes viruses, Trojans, and worms that are deliberately injected into programs. Such code can steal confidential data and compromise the security of the victim's computer.
- Spam Zombies: Compromised machines used to send bulk junk email carrying malicious code and phishing lures.
- Phishing hosts: To collect users' sensitive data, many cyber criminals run phishing hosts that pretend to be an authentic source.
- Bot-infected PCs: Attackers use bot-infected computers to control target users' systems. An attacker controls a number of compromised computers through a botnet channel.
- Network Attack Origins: Any malicious activity carried over the network is called a network attack; intrusion detection and intrusion prevention systems can detect network attacks easily.
- Web-based Attack Origins: Any attack delivered via the web or HTTP by compromising legitimate websites is called a web-based attack. Such attacks target innocent visitors.
Findings about Malicious Code:
- In 2013, the United States and China remained at the top for overall malicious activity.
- The USA remained at the top with a 20% share of botnet activity, a 4.7% growth compared to 2012.
- There was a decrease of 8.2% in web-based attacks. In 2012, the USA claimed the top position with 34.4% of web-based attacks.
- For network attacks, China remained at the top with 26.6% in 2013. China has 618 million users.
- The USA remained in the top position with 39.4% of phishing websites.
- India ranked top in spreading spam zombies, though this showed a decline of 7.4% compared to 2012.
- For all malicious code activity, the USA accounted for 16.9% while India was in second place with 15.3%.
Malicious Web-Based Attack Prevalence:
Web-based attacks were widespread and affected many enterprises in 2013. These web-based attacks targeted organizations by exploiting zero-day vulnerabilities. Such attacks shift their pattern every time, so users have to protect themselves against recently patched vulnerabilities.
Findings on Malicious Website Attack:
- A 22.5% growth was recorded in web-based attacks: 464.1K attacks in 2012 versus 568.7K in 2013.
- In July 2013, about 799.5K websites were blocked per day.
- In October 2013, about 135.45K websites were blocked per day.
Malicious Web Activity by Attack Toolkits:
Attack toolkits do not compromise the whole network; instead, they infect users who visit websites hosting the web attack toolkit. In 2013, Symantec found more than five serious toolkits, including Blackhole, Cool Exploit Kit, Sakura, STYX, and Go1 Pack Exploit Kit.
Of these, Go1 Pack Exploit Kit remained at the top with 22.7% of attacks, while Cool Exploit Kit was lowest with a 7.5% share.
Many toolkits were updated in 2013. These toolkits targeted Java Runtime Environment vulnerabilities including CVE-2013-0422, CVE-2013-2465, CVE-2013-1493 and CVE-2013-2551.
Web-Based Spyware, Adware, and Potentially Unwanted Programs:
Compromised websites play an important role in deploying spyware and adware. Adware vendors spread potentially unwanted programs such as add-in toolbars and are rewarded for each installation. However, vendors are sometimes not aware of how their code is being installed. When such an installation is done without the end user's permission, it violates the end user agreement.
- Symantec found Adware.Singaing to be the most blocked potentially unwanted program in 2013.
- Nine out of ten unwanted programs were classified as adware.
- 1.8% of unwanted programs were classified as spyware.
Web Policy Risks from Inappropriate Use:
Organizations run internet usage policies to limit access among their employees. By doing so, they prevent employees from visiting suspicious or illegal sites. Web policy also helps organizations manage performance.
- 39% of social networking traffic was blocked, which means 1 out of every 2.5 websites was blocked.
- 24% of blocked website activity concerned advertisements and pop-ups.
- Other activities such as streaming media, chat, games, and news were also blocked by organizations where appropriate.
Website Categories Exploited to Deliver Malicious Code:
Organizations maintain control policies to mitigate the potential risk of uncontrolled web servers. In 2013, many website categories were found to be malicious. The top category was Technology with 9.9%, followed by the Business, Hosting, and Blogging categories.
The top three types of threats found on infected websites were malicious site, malware, and fake AV.
- Almost 50% of art and museum related websites were affected by fake AV threats.
- Almost 73% of websites in the Anonymizer category were infected with browser exploits.
- Almost 17% of blogging websites hosted malware.
- 67% of the websites used to distribute malware were legitimate websites.
- Websites classified as Automated Web Application hosted the largest volume of threats, with an average of 3.4 threats per website. The Automated Web Application category covers websites that automatically allow a computer to open an HTTP connection for purposes such as checking the OS or updating applications.
Botnets:
Bots are a great resource for controlling targeted users remotely. A single reliable botnet channel can compromise a large number of computers. Attackers use bots in DDoS attacks, phishing, spam distribution, and spyware and adware distribution.
- In 2013, bots in Romania remained active for 20 days.
- The USA had the highest share of bot-infected computers, at 20.01%.
- Romania ranked top in botnet activity due to a lack of proper guidance, lower user awareness, and a lack of support in their own language.
- The overall average lifespan of a bot in 2013 was 6 days.
Denial of Service Attacks:
DDoS attacks are increasing rapidly compared to 2012. Looking at the last three years, 250 DDoS attacks were recorded in 2011 and 768 in 2012, while in 2013 there were 807 web attacks classified as DDoS attacks.
The average bandwidth of DDoS attacks increased up to three times compared to 2012.
Network Time Protocol (NTP) reflection attacks increased in the last year. NTP is used to synchronize time between computers on the internet, but if it is not updated, attackers can use it for DDoS attacks. In an NTP reflection attack, an attacker sends a small packet of data to an NTP server, which then sends a large volume of data to the targeted IP address.
Hackers now prefer networks of compromised servers over botnets of compromised computers. Many DDoS services are available for $5 to $1000 depending on the length and scale of the attack.
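The reflection pattern described above (small request in, large volume out toward a third party's address) is visible in ordinary flow records. The following Python script is an added example, not code from the Symantec report: it runs over constructed NetFlow-style records and flags NTP server/client pairs whose response bytes dwarf the request bytes, then collapses the alerts per victim, since many servers converging on one address is the DDoS signature. The `Flow` record shape, the sample addresses and both thresholds are assumptions for this illustration.

```python
"""Flag NTP reflection/amplification traffic in flow records.

Added illustration, not code from the Symantec report. The flow records
below are constructed in a simplified NetFlow-like form. Assumption: a
legitimate NTP exchange is roughly symmetric (one small request, one
small reply), so a large reply-to-request byte ratio flowing from UDP/123
toward one destination, from several servers at once, is the reflection
pattern described in the text.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


NTP_PORT = 123

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # Normal NTP client: one 48-byte request and one 48-byte reply (76 bytes on the wire).
    Flow("10.0.0.5", 51234, "192.0.2.1", NTP_PORT, "udp", 1, 76),
    Flow("192.0.2.1", NTP_PORT, "10.0.0.5", 51234, "udp", 1, 76),
    # Reflection: tiny spoofed "requests" appear to come from the victim 203.0.113.10 ...
    Flow("203.0.113.10", 40000, "198.51.100.7", NTP_PORT, "udp", 20, 1520),
    Flow("203.0.113.10", 40000, "198.51.100.8", NTP_PORT, "udp", 20, 1520),
    Flow("203.0.113.10", 40000, "198.51.100.9", NTP_PORT, "udp", 20, 1520),
    # ... and each server answers the victim with a flood of large responses.
    Flow("198.51.100.7", NTP_PORT, "203.0.113.10", 40000, "udp", 2000, 964000),
    Flow("198.51.100.8", NTP_PORT, "203.0.113.10", 40000, "udp", 2000, 964000),
    Flow("198.51.100.9", NTP_PORT, "203.0.113.10", 40000, "udp", 2000, 964000),
]


def pair_stats(flows):
    """Aggregate request and response bytes per (ntp_server, client) pair."""
    stats = defaultdict(lambda: {"req_octets": 0, "resp_octets": 0, "resp_packets": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == NTP_PORT:              # traffic toward an NTP server
            stats[(f.dst_ip, f.src_ip)]["req_octets"] += f.octets
        elif f.src_port == NTP_PORT:            # traffic from an NTP server
            s = stats[(f.src_ip, f.dst_ip)]
            s["resp_octets"] += f.octets
            s["resp_packets"] += f.packets
    return stats


def find_reflection(flows, min_ratio=10.0, min_resp_octets=100_000):
    """Return one alert per (server, client) pair whose responses dwarf its requests.

    Both thresholds are assumptions to tune per network: the ratio catches the
    amplification itself, the byte floor keeps a single odd reply from alerting.
    """
    alerts = []
    for (server, client), s in pair_stats(flows).items():
        ratio = s["resp_octets"] / max(s["req_octets"], 1)   # no division by zero when no request was seen
        if ratio >= min_ratio and s["resp_octets"] >= min_resp_octets:
            alerts.append({"reflector": server, "victim": client,
                           "ratio": round(ratio, 1), "resp_octets": s["resp_octets"]})
    return sorted(alerts, key=lambda a: a["reflector"])


def victims(flows, **thresholds):
    """Collapse alerts per victim: many reflectors converging on one address is the DDoS signature."""
    out = defaultdict(lambda: {"reflectors": 0, "resp_octets": 0})
    for a in find_reflection(flows, **thresholds):
        out[a["victim"]]["reflectors"] += 1
        out[a["victim"]]["resp_octets"] += a["resp_octets"]
    return dict(out)


if __name__ == "__main__":
    for alert in find_reflection(SAMPLE_FLOWS):
        print(alert)
    print(victims(SAMPLE_FLOWS))
```

On the sample data the three reflector pairs report a ratio of about 634 while the normal client exchange stays at 1.0 and is ignored. Seen from the reflector's side, the same asymmetry is the reason to stop answering unsolicited queries: on ntpd this is the `disable monitor` directive together with a `restrict default ... noquery` line in ntp.conf, which keeps an up-to-date server from being usable as an amplifier at all.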
Mobile Threats:
Mobile threats are evolving day by day; Symantec identified the primary threats as information theft, user tracking, traditional threats, sending content, and changing settings. Symantec found 132 vulnerabilities in mobile operating systems in 2013, compared to 416 in 2012 and 315 in 2011, a 68% decrease in mobile vulnerabilities.
97% of threats were found on the Android OS, while other operating systems such as Symbian (2%), Windows (2%), and iOS (2%) followed.
- 57 new Android families were detected in 2013.
- The average number of malware variants was 57 in 2013.
- 127 mobile vulnerabilities were found in 2013, compared with 416 in 2012, a 69% decrease.
- The most common activity, classified as spying on the user, accounted for 28% compared to 12% in 2012.
- 17% of malicious mobile activity was intended for data theft in 2013.
QS (Quantified Self):
The ongoing task in the cyber world called Quantified Self collects and analyzes data about a person's activities and status. The QS data recorded in 2013 was 165% higher than in 2012. The types of data generated by QS applications are:
- GPS location
- Heart rate
- Calorie/alcohol intake
- Sleep times/patterns
- Body temperature
Businesses involved in QS track every activity of a person and collect a bunch of data, with or without the user's consent. The person installs the app, signs up, and approves the app to collect data about them.
Data Breaches and Identity Theft:
Identity theft is a serious and growing concern for many organizations. In 2013, there were eight data breaches that each exposed more than 10 million identities. In 2013, the overall number of identities exposed reached 2,181,891, from 604,826 in 2012.
- The Norton Cybercrime Index recorded 256 data breach incidents in 2013 with 552,018,539 exposed identities.
- The average number of identities exposed was 2.6 times higher than in 2012.
- The median number of identities exposed was lower than in 2012: 6,777 in 2013 compared to 8,350 in 2012.
- Healthcare, education, and the public sector remained at the top for data breaches; these three sectors accounted for 58% of all data breaches.
- The computer software, finance, and retail sectors accounted for 77% of all identities exposed in 2013.
- An average of 16 million identities were exposed in social networking websites, while an average of 12 million were exposed in the computer software category.
- Hackers were responsible for 34% of data breach incidents and almost 74% of the identities exposed in 2013.
- The most common information exposed in 2013 data breaches was the real name.
- Birth dates and government ID numbers were in second and third position respectively.
- The average number of identities exposed per hacking-related data breach was 4.7 million.
In 2013, 28% of data breach incidents happened due to accidentally publicized records, the second biggest cause of data breaches.
Insider Threats:
Insiders such as employees know login credentials, which is why the insider threat is a serious concern for every organization. Employees have in-depth knowledge of the inner workings of an organization, which makes an insider attack easy to carry out.
51% of employees believe that their companies are not strict about transferring official data to their personal computers. Such companies lack a strict data security policy and may become victims of insider threats.
Gaming Attacks:
Gaming attacks revealed usernames and passwords to hackers. In 2013, three major online game vendors faced data breaches that revealed millions of account details. Attackers also reuse information retrieved from breached data on other services.
Due to weak or easy password patterns, an attacker took 160 password guesses to breach a user's account.
In 2013, attackers used an NTP amplification DDoS attack during the holiday season in the USA and took down popular online games.
Experts also believe that online games have a bunch of vulnerabilities that could lead to the compromise of gaming servers.
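A service that let an account fall to 160 guesses had no detection in its login path. The script below is an added example, not code from the report or from any game vendor: it runs a sliding-window count of failed logins per account over constructed authentication log lines, reports accounts that cross a failure threshold, and marks the case a defender cares about most, a successful login that follows such a burst. The log format, the user names, the addresses and the threshold are assumptions for this illustration.

```python
"""Detect password-guessing bursts in authentication logs.

Added illustration, not code from the Symantec report. The log lines and
their "<timestamp>Z login <ok|fail> user=<name> src=<ip>" format are
constructed for this example; adapt the regex to your own auth log.
The report's figure of 160 guesses motivates the threshold: a real user
does not fail 20 times in five minutes, an automated guesser does.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

_BASE = datetime(2013, 11, 30, 2, 0, 0)


def _line(offset_s, result, user, src):
    """Build one constructed log line `offset_s` seconds after _BASE."""
    return f"{(_BASE + timedelta(seconds=offset_s)).isoformat()}Z login {result} user={user} src={src}"


# Constructed sample: one account is hammered with 25 wrong passwords and
# then logged into; another user mistypes once and succeeds.
SAMPLE_LOG = (
    [_line(i, "fail", "gamer42", "203.0.113.44") for i in range(25)]
    + [_line(25, "ok", "gamer42", "203.0.113.44"),
       _line(30, "fail", "alice", "198.51.100.5"),
       _line(40, "ok", "alice", "198.51.100.5")]
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_guessing(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {user: details} for accounts with >= threshold failures inside `window`.

    `success_after_burst` is set when a successful login follows such a burst,
    the case that needs an immediate credential reset rather than just a log entry.
    """
    recent = defaultdict(deque)     # user -> (timestamp, source) of failures still inside the window
    report = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0][0] > window:     # slide the window forward
            q.popleft()
        if rec["result"] == "fail":
            q.append((rec["ts"], rec["src"]))
            if len(q) >= threshold:
                entry = report.setdefault(
                    rec["user"], {"failures": 0, "sources": set(), "success_after_burst": False})
                entry["failures"] = len(q)
                entry["sources"] = {src for _, src in q}
        elif rec["user"] in report and len(q) >= threshold:
            report[rec["user"]]["success_after_burst"] = True
    return report


if __name__ == "__main__":
    for user, info in detect_guessing(SAMPLE_LOG).items():
        print(user, info)
```

Counting per account rather than per source address is deliberate: a guesser that rotates through a botnet changes its source on every attempt, and the per-account view still sees the burst. The same counter is the natural place to enforce the control, by delaying or rejecting further attempts for that account once the threshold is reached.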
New Black Market:
The evolution of the new black market opened the door for illegal goods and drugs, like the old underground market Silk Road, which adopts the model of legitimate e-commerce marketplaces and incorporates their features. Such websites use the TOR network, which provides anonymous internet access to users. Most transactions are executed in virtual currency such as Bitcoin.
The new black market also resembles online video and music piracy. In October 2013, the FBI arrested a man who ran such a website, and $28 million in Bitcoin was seized from him. Law enforcement agencies need to prevent online narcotics completely. After the FBI's move, attackers moved to copycat services like Black Market Reloaded and Sheep.
The new black market does not represent a security threat in itself, but it provides additional income for cyber crime gangs and a platform for fraud.
TOR and other networks like I2P and Freenet were also in the limelight in 2013, as these networks keep users anonymous on the internet. The number of users directly connected to the TOR network rose to 5 million in October 2013.
From the above information, it is clear that the overall picture of prevailing threats needs attention from every user and organization. The time has come to follow security parameters for both insiders and outsiders in organizations.