Protecting Your Enterprise from the Thriving Cyber Underground

Multiple, overlapping, and mutually supportive defensive systems and patched, up-to-date systems can help consumers and businesses take advantage of the Internet while avoiding its dangers.

The Internet has become a vital component of the global economy. Companies across continents rely on the Internet to transact business, while more consumers around the world now consider the Web an essential part of life at work and at home. According to Internet World Stats (, there are more than 1.2 billion Internet users worldwide today. As broadband availability continues to grow across world regions, Internet usage will likely expand in parallel to create an even larger digitally connected global community.

At the same time, however, Internet hackers and cybercriminals are devising, using, and making available increasingly sophisticated methods and tools aimed ultimately at fleecing consumers and businesses alike. An in-depth observation of global Internet activity over the first six months of 2007 reveals that malicious activities have become more professionalized and commercialized than ever before, and that attackers are rapidly adapting new techniques and strategies to circumvent security measures.

Indeed, the latest Internet Security Threat Report from Symantec Corp. exposes a thriving underground economy that is now a multi-billion dollar criminal industry.

The Professional Hacker

As attack activity has become increasingly profit-driven, many aspects of it have become more professional and commercial. The development, distribution, and implementation of threats, malicious code, and malicious services mirror the business practices used in traditional software development.

High-priced black market attack and phishing toolkits, for example, are now commercially available over the Internet. One of the most popular during the first half of this year was malware that came ready to install on a server, included a collection of exploit modules to be used right out of the box, and sold for $1,000 US. This tool made it easy to launch exploits for a variety of browser and client-side vulnerabilities and included functionality to serve malicious payloads through legitimate Web sites that were compromised.

This toolkit was also representative of the current threat trend towards launching attacks in stages. In such a scenario, the initial compromise is used simply to establish a protective beachhead from which subsequent attacks can be launched. And it worked. During the first six months of 2007, this toolkit was used to install malicious code on thousands of computers.

Phishing toolkits have also reached new levels of sophistication and are significantly more robust and automated than their predecessors. Also available on the underground market at a relatively high price, phishing toolkits include a set a scripts that allow someone to set up phishing Websites that spoof legitimate sites and generate corresponding phishing e-mail messages.

An Issue of Trust

One of the most worrisome threat trends is a shift in how attackers acquire victims. In the past, hackers sought out certain victims and broke into their computers. That's no longer the case in today’s world of Web applications and Web 2.0 technologies. Now hackers lure victims into coming to them. They do this by compromising trusted sites or applications so that when a user visits that site or uses that application, the attacker redirects the user to a malicious site or downloads a Trojan onto the user’s computer.

Indeed, as Web applications have become more widely deployed, attackers are using them as a means to circumvent network security measures such as firewalls and intrusion detection systems. Social networking sites, based on Web 2.0 technologies, have proven fruitful for attackers by providing them access to large communities of people who trust the site and its content. Attacks against such trusted sites are valued by attackers because they can expose confidential user information which, in turn, can be used for identity theft and fraud or to access more sites from which to propagate further attacks.

In fact, many security experts expect to see an increase in attacks on trusted environments such as persistent virtual worlds (PVWs) and massively multiplayer online games (MMOGs) such as Second Life, World of Warcraft, and the like. Not only are these trusted environments, but some of their characteristics could allow criminals to use them for illegal activities, including money laundering. For example, many PVWs and MMOGs allow players to conduct real money transactions (RMTs) in virtual worlds, using real credit cards and other payment methods to purchase and then exchange virtual credits with other players in other countries.

Furthermore, attackers are likely to begin to use PVWs and MMOGs to trick victims into installing malicious software under the pretense that it improves functionality in the virtual world. Also, hackers may use the automated tools used in many virtual environments to incorporate keystroke loggers, password stealers, and other malicious code into them and, in turn, onto unsuspecting players’ systems.

Cyber Smart

Given these developments, how can consumers and businesses protect themselves in such a dynamic, sophisticated threat environment? While online risk cannot be eliminated, users and organizations can take several steps to develop a more proactive security posture.

It starts with a defense-in-depth approach to security. For consumers, this means implementing a variety of proven protective technologies, including antivirus, firewall, intrusion detection, antiphishing, and vulnerability management. Integrated Internet security suites provide maximum protection with minimal hassle. For organizations, defense-in-depth includes the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection on client systems.

Consumers and organizations should also be aware that security risks may be automatically installed on computers when file-sharing programs, free downloads, and freeware and shareware versions of software are installed. In fact, malicious code propagated using peer-to-peer (P2P) protocols accounted for 22 percent of all potential infections during the first half of 2007.

Consequently, consumers should exercise caution when considering using file-sharing programs on computers for personal use; users who download files from P2P networks should scan all such files with a regularly updated antivirus product. Organizations should take measures to prevent P2P clients from being installed on any computers on their network. They should also block any ports used by such applications at the network boundary.

Finally, both consumers and organizations should keep patch levels as up-to-date as possible. For organizations, patching is especially critical for computers that host public services and are accessible through the firewall, including HTTP, FTP, mail, and DNS services.

With the World Wide Web looking increasingly like the Wild, Wild West, it is more important than ever for users and organizations to be vigilant and proactive in protecting their information and systems. By employing multiple, overlapping, and mutually supportive defensive systems, applying discretion when considering file-sharing, and keeping systems patched and up-to-date, consumers and businesses can continue to take advantage of the opportunities the Internet offers while avoiding many of its dangers.

- - -

Author: Dean Turner is director, Global Intelligence Network, for Symantec Corp. You can reach the author at .

Must Read Articles