In-Depth

IM Security Exploits Explode in 2007

It's time to finally get serious about locking down IM

• By Stephen Swoyer
• 01/08/2008

If you're looking for the next killer vector in security vulnerabilities, look no further than the instant messaging (IM) client software that—sanctioned, unsanctioned, or only quasi-sanctioned—your users are running on their desktop PCs.

According to policy and compliance specialist Akonix Systems Inc., 18 new malicious IM attacks surfaced during the month of December, bringing the year's total to 346. That translates into almost one new vulnerability a day, and outstrips the number of reported vulnerabilities for major operating systems platforms such as Windows XP, Windows Server 2003, or even Mac OS.

The stakes are high, says Akonix, which notes that crackers are already exploiting IM-related security vulnerabilities for profit—in addition to de rigueur technological mayhem. Last year, for example, a security consultant was sentenced to nearly 60 years in prison and fined $1.75 million for using IM botnets to hijack PayPal accounts. In all likelihood, he'll be the first of many.

All in all, 2007 was an especially busy year for IM worms. Last month, for example, three prominent IM worms surfaced, while existing attacks—including Mytob and Sohana—were highly active, too. As if that wasn't enough, Akonix reports, attacks on P2P networks (e.g., Kazaa and eDonkey) increased by 125 percent last month, amounting to 27 incidents.

"[Last year] marked an increase in the complexity and harmful design of IMTrojans and viruses," said Don Montgomery, VP of marketing at Akonix, in a statement. "We are continuing to see hackers use this popular medium to stealprivate data from which they can profit."

It's a trend that Montgomery and Akonix expect will continue. "[T]he increasing adoption of unified communications in 2008 will introduce new corporate vulnerabilities and liabilities, including the number of entry pointsthat can be compromised," he indicates.

The upshot, Montgomery argues, is that companies need to get serious—or more serious, at any rate—about securing IM. "Businesses need to make sure they put instant messaging on their management, compliance and security checklists in 2008."

Akonix has a dog in the race: the company markets a policy, compliance, and risk management suite that addresses IM security (Akonix IM Security Center), as well as a passel of other policy, risk, and compliance management offerings. Given the regulatory and potential financial implications, however, companies need to prioritize IM security in the coming year, Montgomery argues—irrespective of which technology or vendor partner they tap to do it.