Highlights: Spam Proportions, New Phishing Tactic
MessageLabs has released its November 2006 Intelligence Report detailing specifics of security and threat activity for the month. Among the highlights of the report: Small businesses (one to 500 employees) are targeted with nearly twice as much spam per user, per month as medium-sized companies (501 to 2,500 employees) and three times more spam than large companies (more than 2,500 employees). These findings are based on a client survey conducted by MessageLabs.
“The problem smaller organizations face is focusing their resources and making sure they have the right systems in place,” said Paul Wood, MessageLabs senior analyst. “When they try and do security themselves in-house, they struggle because having somebody inside your organization who is going to be there to manage your spam or virus problems or generally just manage your e-mails, that’s a very specialist task. In order for them to not only manage the system but also to be on top of the latest trends, technologies and threats that are out there, it’s actually very difficult.”
He also said that while over-the-counter virus protection is simple to install, such a solution accomplishes little.
“Unfortunately, the cybercriminals are one step ahead of that game,” Wood said. “They already have access to that technology, and that’s the technology they’re aggressively trying to defeat.”
So small businesses end up being what Wood terms “soft targets,” which also explains why they’re targeted with 60 percent more viruses per month than large companies, although this might also stem from small businesses’ association with a more desirable target.
“The smaller businesses in that respect are often more susceptible because they could be considered the weakest link in a wider supply chain,” Wood said. “So the real target may be a larger organization, but because the smaller company has some business relationship with them, if they can penetrate the small business, it makes it easier for them to attack the larger business, if they’re looking to commit intellectual property theft using the virus.”
MessageLabs also identified a new piece of bait used by phishing spammers: sending text messages to targets’ mobile phones.
These messages seem to arrive from online dating sites or similar services, stating that the target will be charged a small fee each day if he or she doesn’t unsubscribe via a URL provided in the message. The Web site to which the user is then directed is infested with malware, which can be used to manipulate the victim’s computer.
Wood said this illustrates the continuing adeptness of spammers and hackers.
“Very seldom now do you hear of a big virus outbreak,” he said. “The reason for that is not only have people become wise to not opening attachments, but also the security on people’s computers and in ISP and throughout different levels make it very difficult for cybercriminals to send out those viruses.”
So spammers and hackers largely have moved from e-mails containing viruses to Web sites containing viruses, where all they need to do to infect a computer is somehow direct the target to a URL.
“Shifting the vector from one medium to another, from e-mail to the Web, it’s the same approach in this case,” Wood said. “It’s just using mobile technology because now that seems to be the weakest link in terms of protecting the desktop.”