Websense has just released its 2013 Threat Report, an interesting analysis of cyber threats based on data collected by the Websense ThreatSeeker Network. The study confirms the growth of cyber threats that are able to elude traditional defense mechanisms and that mainly target mobile platforms and social media.
The Internet is confirmed as the primary vector for cyber menaces: web threats increased significantly compared with 2012, both as an attack vector and as the primary support element of other attack trajectories (e.g., social, mobile, email).
The number of malicious websites grew nearly 600%, and 85% of them were legitimate web hosts that had been compromised by attackers. It is interesting to note that the growth was on a global scale, with a peak registered in North America.
The attackers mainly targeted legitimate websites belonging to the following categories:
Last year's cyber offensives mainly targeted businesses and government organizations: about 70% of Websense customers experienced a weekly average of 1,719 attacks per 1,000 users, initiated through social media, mobile devices, email and other attack vectors.
As anticipated, social media represents a privileged channel for cyber threats due to its large audience: shortened web links hid malicious content 32 percent of the time, and the majority of cyber attacks also took advantage of the confusion related to the introduction of new features and changing services.
High concern is related to the use of social media in the workplace, which could expose company information and sensitive data managed by employees.
Mobile threats are considered one of the principal concerns for security experts; the rapid diffusion of malicious apps and the bad habits of users (e.g. jailbreaking and the absence of defense systems) expose them to serious risks.
The report states:
“Legitimate apps were also a cause for concern; many proved less secure than expected. Consider a study by Philipps University and Leibniz University in Germany involving 13,500 free apps downloaded from Google Play. Researchers found that 8 percent of these apps were vulnerable to man-in-the-middle attacks, and approximately 40 percent enabled the researchers to “capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.””
Websense reported that malicious apps mainly need three permissions that are worth pointing out:
Another privileged vector for cyber attacks is email: only 20% of the emails sent were legitimate, with phishing messages and spam making up the rest of the email traffic.
Email represents an essential component for the success of a cyber attack: it is used to infect victims by carrying malware or by proposing a link to a compromised website. Attacks such as Flame, Stuxnet and the recent Red October benefited from highly targeted spear-phishing messages sent to a circumscribed group of individuals.
Email-based threats are becoming significantly more sophisticated and are able to circumvent traditional defenses; the report refers to the introduction of a “time delay” in some targeted attacks, “in which embedded web links are kept benign until after traditional email security defenses are bypassed”.
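The time-delay technique works because the gateway checks a link only once, at delivery. The natural countermeasure is to rewrite links so that the check is repeated at the moment of the click. The following is an added example, not code from the Websense report or a Websense product: it assumes a mail gateway that rewrites every URL to its own click endpoint (`https://gateway.example/click`, a constructed name), an HMAC secret shared between the rewriting and click-handling components, and an in-memory reputation store standing in for a real URL-reputation service.

```python
"""Click-time re-evaluation of email links (added example, not from the report).

Assumptions (constructed for this example): a gateway click endpoint, an HMAC
secret shared by the rewriter and the click handler, and an in-memory
reputation store that stands in for a real URL-reputation feed.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, urlsplit

GATEWAY_SECRET = b"constructed-example-secret"        # assumption: shared secret
GATEWAY_CLICK_URL = "https://gateway.example/click"  # assumption: click endpoint

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class Reputation:
    """Stand-in for a URL reputation feed whose verdicts change over time."""

    def __init__(self):
        self._verdicts = {}

    def mark(self, url, verdict):
        self._verdicts[url] = verdict

    def lookup(self, url):
        return self._verdicts.get(url, "clean")


def _sign(url):
    return hmac.new(GATEWAY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def scan_at_delivery(body, lookup):
    """Delivery-time scan: the only check a traditional gateway performs.
    Returns 'clean' when every link is clean *at this moment*."""
    for url in URL_RE.findall(body):
        if lookup(url) != "clean":
            return "blocked"
    return "clean"


def rewrite_url(url):
    return f"{GATEWAY_CLICK_URL}?u={quote(url, safe='')}&sig={_sign(url)}"


def rewrite_body(body):
    """Replace each link so that the user's click passes through the gateway."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def resolve_click(gateway_url, lookup):
    """Click-time handler: verify the signature (so the wrapped URL cannot be
    swapped), then re-check reputation now, after any delay the attacker used."""
    params = dict(parse_qsl(urlsplit(gateway_url).query))
    url, sig = params.get("u", ""), params.get("sig", "")
    if not hmac.compare_digest(_sign(url), sig):
        return ("block", "tampered")
    verdict = lookup(url)
    if verdict != "clean":
        return ("block", verdict)
    return ("allow", url)


if __name__ == "__main__":
    rep = Reputation()
    body = "Your invoice: http://files.example/invoice.pdf"  # constructed message
    print("delivery:", scan_at_delivery(body, rep.lookup))   # clean -> delivered
    rewritten = rewrite_body(body)
    rep.mark("http://files.example/invoice.pdf", "malicious")  # armed after delivery
    link = URL_RE.search(rewritten).group(0)
    print("click:", resolve_click(link, rep.lookup))         # blocked at click time
```

The delivery-time scan passes because the link is still benign when the message arrives; the same link, re-evaluated when the user clicks, is blocked once the reputation has changed. The signature also prevents anyone from reusing the click endpoint as an open redirector by substituting a different `u` parameter.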
The principal categories of malicious web links in spam email found by Websense are:
Malware could not be missing from the list of the main threats; also in this case, sophisticated malicious code has been designed to hit specific targets and platforms while circumventing defensive countermeasures.
The report's key findings are:
From the analysis of CnC communication protocols it emerged that HTTP is the most used protocol; however, social media and other popular websites increasingly use HTTPS to encrypt traffic between their services and their customers, which allows the “safe passage” of malicious code and complicates detection activities.
“The type of CnC communications represented in the table happen only after infection. To avoid detection, such communications are typically short and contain no obviously malicious content. When something significant needs to be transmitted, such as a malware update or stolen data, these communications often use simple but proven data encryption, then send it through HTTP or another channel.”
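The quoted passage explains why content inspection alone misses CnC traffic: the messages are short and look harmless, and over HTTPS the payload is not visible at all. What remains observable is the traffic's shape, and post-infection check-ins tend to recur at a fixed period with tiny request and response sizes. The following added example (not code from the report; the proxy log lines and their field layout are constructed for this illustration, and the thresholds are assumptions) scores each client/destination pair on the regularity of its request intervals and the size of its exchanges, and reports the pairs that look like beacons while leaving ordinary browsing alone.

```python
"""Flagging short, regular post-infection beacons in HTTP proxy logs.

Added example, not from the Websense report. LOG_LINES are constructed; the
field layout (timestamp, client, destination host, method, path, bytes sent,
bytes received) is an assumption about the proxy's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

LOG_LINES = """\
2013-02-05T09:00:00 10.1.1.7 cdn.example.org GET /img/a.png 312 48211
2013-02-05T09:00:00 10.1.1.7 update-check.example.net GET /ping 198 24
2013-02-05T09:00:04 10.1.1.7 cdn.example.org GET /js/app.js 290 120544
2013-02-05T09:00:05 10.1.1.7 cdn.example.org GET /css/site.css 288 9031
2013-02-05T09:01:01 10.1.1.7 update-check.example.net GET /ping 198 24
2013-02-05T09:01:59 10.1.1.7 update-check.example.net GET /ping 198 24
2013-02-05T09:02:40 10.1.1.7 cdn.example.org GET /img/b.png 312 77102
2013-02-05T09:02:41 10.1.1.7 cdn.example.org GET /img/c.png 312 51998
2013-02-05T09:03:00 10.1.1.7 update-check.example.net GET /ping 198 24
2013-02-05T09:04:02 10.1.1.7 update-check.example.net GET /ping 198 24
2013-02-05T09:04:59 10.1.1.7 update-check.example.net GET /ping 198 24
2013-02-05T09:07:13 10.1.1.7 cdn.example.org GET /img/d.png 312 64420
"""


def parse(lines):
    """Turn log lines into (timestamp, src, dst, bytes_out, bytes_in) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, src, dst, _method, _path, out_b, in_b = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1, max_bytes=1024):
    """Return client/destination pairs whose requests recur at a steady
    interval (low relative jitter) and carry little data (small median size).
    Thresholds are assumptions chosen for this example, not from the report."""
    by_pair = defaultdict(list)
    for ts, src, dst, out_b, in_b in events:
        by_pair[(src, dst)].append((ts, out_b, in_b))

    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue                      # too few requests to judge a period
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = mean(gaps)
        if period == 0:
            continue                      # burst, not a schedule
        jitter = pstdev(gaps) / period    # coefficient of variation of the gaps
        small = median(o + i for _, o, i in hits) <= max_bytes
        if jitter <= max_jitter and small:
            findings.append({
                "src": src, "dst": dst, "hits": len(hits),
                "period_s": round(period, 1), "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse(LOG_LINES)):
        print(f)
```

The browsing session to the content host is not reported: its intervals are erratic and its responses are large. The check-in host is reported because six tiny requests arrive roughly every minute. The same logic applies to HTTPS traffic, where a proxy or NetFlow sensor still sees timestamps, byte counts and the destination, even though the request content is encrypted; that is precisely the metadata the "safe passage" of encrypted CnC traffic leaves behind.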
The last part of the report covers the incidence of data theft/data loss incidents, which mainly aim to gain access to intellectual property (IP), payment credentials, credit card numbers and other Personally Identifiable Information (PII). To reach this goal, the principal attack methods are malware and hacking techniques.
The cyber threat landscape described by Websense depicts a reality in constant growth: cyber menaces are increasing in number and in sophistication, mainly targeting new platforms such as social media and mobile.
“Solutions that focus solely on mobile, email, web or otherwise can no longer be trusted to defend against complex, multistage attacks that can move between attack vectors.”
Pierluigi Paganini
(Security Affairs – WebSense)