2005 was a busy year in the virtual underworld, as cybercriminals continued to make headlines with an ever-widening variety of exploits and attacks. The dominant trend of 2005 was large-scale identity theft. According to the Privacy Rights Clearinghouse, more than 53 million personal records were exposed in dozens of incidents since February 2005. One example of this trend is the massive breach of CardSystems Solutions that exposed roughly 40 million credit card numbers.
Identity theft was carried out through a variety of means in 2005 such as phishing attacks and through the exploitation of known vulnerabilities in popular software. While identity theft and all other forms of cybercrime will likely continue into 2006, the tactics used by cybercriminals will almost certainly evolve as they seek to stay one step ahead of the defense. Large-scale attacks will likely be discarded in favor of more focused, less visible, and more diversified attacks.
For example, broad-based phishing attacks will likely evolve into directed and focused "spear phishing" attacks that incorporate social engineering tactics (WAR Report). Social engineering is the practice of obtaining information through manipulation and deception. Evidence of this emerging trend can be found in a spear phishing attack that took advantage of a flaw on a US government website. Victims were notified via email that they were eligible for a $571.94 income tax refund and were directed to www.govbenefits.gov to register for their purported refund. However, the phishers had exploited a flaw in the website and were able to redirect the victims to an illegitimate one that stole the victims' personal information once they attempted to register for their IRS refund. This attack was successful because it capitalized on the official nature of the email and the air of legitimacy offered by the www.govbenefits.gov website. Future attacks will likely incorporate these focused social engineering tactics to ensnare more victims.
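The page says only that the phishers "exploited a flaw in the website" to send victims elsewhere; the example below assumes that flaw was an open redirect (a page that forwards the browser to whatever URL arrives in a request parameter), which is the usual way a legitimate domain ends up bouncing users to an attacker's site. This is added illustration, not code from the original article or from the govbenefits.gov site: the host names, the `next_url` parameter, and the sample inputs are constructed. It shows the weak pattern beside a hardened version that resolves the requested target against the site's own base URL and only honours it when the result is an https URL on a trusted host, falling back to a safe landing page otherwise.

```python
from urllib.parse import urljoin, urlparse

# Constructed values for this example (assumption): the site's own host,
# the base used to resolve relative targets, and a safe fallback page.
TRUSTED_HOSTS = {"www.govbenefits.gov"}
BASE_URL = "https://www.govbenefits.gov/"
DEFAULT_LANDING = "https://www.govbenefits.gov/"


def redirect_target_unchecked(next_url: str) -> str:
    """The weak pattern: whatever arrived in the request becomes the Location header."""
    return next_url


def redirect_target_checked(next_url: str) -> str:
    """Hardened pattern: resolve the requested target, then allow it only if it is
    an https URL whose host is on the allow list; otherwise use the default page."""
    # Reject empty targets, embedded whitespace/control characters, and backslashes
    # (some browsers treat "/\" like "//", which would change the host).
    if not next_url or any(ch.isspace() for ch in next_url) or "\\" in next_url:
        return DEFAULT_LANDING
    # Resolve relative targets ("/register?id=5") against our own base URL.
    # Absolute targets ("https://...", "//host/...", "javascript:...") survive as-is.
    resolved = urljoin(BASE_URL, next_url)
    parts = urlparse(resolved)
    # .hostname strips any "user@" prefix and lowercases, so
    # "https://www.govbenefits.gov@evil.example/" is judged by its real host.
    if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
        return DEFAULT_LANDING
    return resolved


def classify(samples):
    """Return (input, unchecked result, checked result) for a list of targets."""
    return [(s, redirect_target_unchecked(s), redirect_target_checked(s)) for s in samples]


if __name__ == "__main__":
    # Constructed sample request parameters: one legitimate, the rest hostile.
    samples = [
        "/register?id=5",
        "//evil.example/register",
        "https://www.govbenefits.gov@evil.example/",
        "https://www.govbenefits.gov.evil.example/",
        "javascript:alert(1)",
        "http://www.govbenefits.gov/register",
    ]
    for requested, unchecked, checked in classify(samples):
        print(f"{requested!r:48} unchecked -> {unchecked!r:48} checked -> {checked!r}")
```

Only the first sample reaches the page the user asked for; every other one is redirected to the default landing page by the checked version, while the unchecked version would have forwarded each of them verbatim.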
Additionally, it is likely that attacks will be less visible and, thereby, more difficult for systems administrators to detect. It is likely that attackers will rely heavily on rootkits (WAR Report) as well as a variety of other tactics to conceal their malware (malicious software) in an effort to prolong their attack and increase their bounty. Rootkits conceal running processes, files, and data in an attempt to hide themselves from systems administrators. Therefore, rootkits are able to run in the background and steal data without being detected by automated tools or systems administrators. Sony BMG inadvertently highlighted the power of rootkits when they surreptitiously packaged a rootkit with their music CDs (WAR Report). Sony was using rootkits to detect illegal music file swapping. Unfortunately for Sony, their use of rootkits drew a storm of unwanted publicity and lawsuits. While Sony's use of a rootkit was ultimately discovered, it is important to note that the tainted CDs had been on the market for months before it was discovered. According to Princeton Computer Science Professor Ed Felten, "as of mid-September, this malware had been on the market for months and presumably had been installed on hundreds of thousands of computers, but still none of the anti-malware vendors had discovered it. It's not a good sign that all of the major anti-malware vendors missed it for so long." Attackers will find this ability to hide attractive, as they seek to increase the profits from their exploits by exploiting vulnerabilities for longer periods of time.
Additionally, it is likely that the use of botnets as an avenue for attack will evolve throughout 2006. In the past, bot herders attempted to amass the largest network possible and use the botnet for large-scale spam relays, denial of service attacks, and identity theft via phishing attacks. However, attackers soon realized that large-scale botnets, such as the 1.5 million machine network disrupted by Dutch police earlier this year (WAR Report), were too high profile and quickly drew the attention of authorities. As a result, over the past two years the average size of a botnet has decreased from over 100,000 to roughly 20,000. This trend will likely continue as attackers seek to establish low profile botnets that maximize profits by evading discovery. In addition to shrinking in size, botnets will likely take advantage of encryption in an attempt to hide each bot’s communication to its controller. According to Adam Meyers, an information assurance engineer at SRA International, bots will use encryption to conceal their presence from security tools used to detect them.
Finally, it is likely that 2006 will witness an increased diversity in avenues of attack. The recent past has conditioned systems administrators to focus their attention on securing the operating system. However, as operating system vendors have taken steps, like automatic patching, to address vulnerabilities in their products, attackers have begun to turn their attention elsewhere, to less secure Internet-based applications. According to the SANS Institute, ten of the top 20 Internet security vulnerabilities were found in cross-platform applications. Specifically, the report states that "during the past year, there has been a shift in focus to exploit security products used by a large number of end users." Therefore, attackers in 2006 and beyond will continue to seek out Internet-based cross-platform applications with a large installation base as an avenue of attack.
In light of this, it is widely believed that applications for mobile devices, such as cell phones and PDAs, will become an attractive target in 2006. According to McAfee, the anti-virus software vendor, malware created to attack mobile devices will grow from a reported 226 incidents in 2005 to more than 700 in 2006. Examples of this emerging trend include the Cardtrap.A virus that attacked the operating system of Symbian mobile phones. If the unsuspecting user synced his infected Symbian mobile phone with his personal computer, the Cardtrap.A virus attempted to jump from the phone to the PC. Mikko Hypponen, F-Secure chief research officer, believes this type of cross-device attack could continue. According to Hypponen, "we may begin to see Windows viruses spreading to PDAs that are synched up to computers, or go from PCs to mobile phones with the memory card."
While the method of attack might evolve in 2006, it is important to note that the motivation for attack will remain the same. The preeminent motivation for cybercriminals will remain money. It should, therefore, come as no surprise that each of the above predictions is centered around the goal of profit maximization. According to US Treasury advisor Valerie McNevin, proceeds from cybercrime amounted to more than $105 billion in 2004. While the source of this dollar amount may be in question, the importance that cybercriminals place on securing these profits is not. As long as there is money to be made from illicit on-line activities, it should be expected that cybercriminals will continue to innovate their tactics in an attempt to seize a piece of the cybercrime pie.