A recently revealed image-rendering vulnerability related to Windows Meta Files made it easier for phishers to spread software designed for a criminal enterprise, such as identity theft.
The number of sites distributing "crimeware" -- or software engineered for criminal activity like identity theft -- nearly doubled in December, rising from 4,630 in November to 7,197 the following month, according to a report issued today by the Anti-Phishing Working Group (APWG).
APWG Chairman David Jevans said in a statement, "The speed, precision and massive scale by which the phishers were able to identify and exploit this vulnerability for criminal enterprise highlights the fact that the eCrime industry has reached a level of efficiency that has the potential to threaten the larger online economy."
Crimeware refers to a subset of malicious software, or malware, that has been specifically engineered for criminal activity like information theft and identity fraud. It can be thought of as an automated form of phishing, which relies on social engineering to dupe users into revealing sensitive information. Key logging software that secretly records online banking passwords and sends them to a cyber criminal represents an example of crimeware. The goal of phishing attacks is often to plant crimeware so that compromised systems become ongoing sources of valuable data.
According to the APWG, a recently revealed image-rendering vulnerability related to Windows Meta Files made it easier for phishers to spread their crimeware. Microsoft published a security bulletin (MS06-001) on this "critical" vulnerability on January 5th, 2006, and recommended that customers apply an update immediately.
During the month of December, more brand-spoofing subterfuges were recorded than any other month on record. The vast majority of those attacks, 89.3%, targeted the financial industry, most of which involved just seven major brands.
Malware overall continues to rise, despite a number of high-profile cyber crime arrests last year. As Eugene Kaspersky, head of virus research for Kaspersky Lab, Inc., observed in a Monday interview with InformationWeek, the number of samples of malicious code tracked his company doubled in the past year.
"The message is that the environment is getting more and more aggressive, because the hackers, they have a big money by writing malicious code," Kaspersky says. "And there are more and more hackers coming."
However, apocalyptic assessments from those in the security industry should be viewed with some skepticism. A study released in December by identity risk management firm ID Analytics, Inc., found that among consumers whose personal data was compromised in large data breaches, only 0.098 percent--less than one in 1,000 identities--were actually defrauded.
The reason, the firm speculates, is that identity theft takes too much work. It doesn't scale, which is to say it can't be done quickly. Assuming that it takes five minutes to fill out a credit application using stolen information, ID Analytics notes it would take an identity thief working full time -- 6.5 hours a day, five days a week, 50 weeks a year -- over 50 years to rob everyone in a stolen file of one million consumer identities. If the work were outsourced, for $10 an hour, it would cost about $830,000 -- a lot of money for even an accomplished criminal to risk.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.