David F Carr
Commentary
Social Phishing Spikes As Spam Declines, IBM Finds

Improved Web application security leads attackers to be creative, reports IBM's X-Force Internet security team.

IBM's X-Force team reports positive Internet security trends, although an apparent improvement in Web application security has only prompted evildoers and mischief makers to get craftier.

The X-Force Trend and Risk Report for 2011, released Thursday, revealed a 50% decline in spam email compared to 2010, more diligent vendor patching of security vulnerabilities, and fewer Web application vulnerabilities, with half the incidence of cross-site scripting vulnerabilities compared with four years ago.

One attack trend is an increased use of phishing emails that impersonate notifications from social media sites. "The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven't been seen since 2008," according to the report. "Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites."

The social media phishing trend caught my attention because I had just embarrassed myself by stumbling across one of those attacks when I met with Tom Cross, X-Force Threat Intelligence Manager, at the South by Southwest conference in Austin earlier this month--more on that after the news.


Cross said the decline in spam detected by IBM's global spam monitoring network reflects takedowns of several large spam botnets. It may or may not last, but, for the time being, that action has made a significant dent in spam volumes, he said.

Overall, Internet security seems to be improving, due to an industry focus on improving the quality of software. IBM saw a 30% decline in new exploit code--widely distributed hacking kits to exploit common software vulnerabilities--presumably because there are fewer new vulnerabilities popping up. Vendors are doing a better job of patching their software promptly when vulnerabilities are discovered. By IBM's count, the percentage of unpatched vulnerabilities declined to 36%, compared with 43% in 2010.

IBM found cross-site scripting (XSS) vulnerabilities--errors that make it possible to redirect user input from one site to another--are half as likely to exist in customers' software as they were four years ago. However, IBM says its security scans still find XSS vulnerabilities in about 40% of applications, "still high for something well understood and able to be addressed," according to the report.

Meanwhile, one variety of code-injection attack is on the wane, but attackers have shifted their attention to another. For years, many attacks on Web applications focused on SQL injection--tricking database-driven websites into executing queries of the attacker's design. For example, a dynamic page for displaying a single user's private account information by ID number might be tricked into substituting a wildcard in the query and displaying everyone's private account information.

The good news is the incidence of SQL injection vulnerabilities in public websites dropped by 46% in 2011. The bad news is that the number of shell command injection attacks rose by two to three times in 2011, according to IBM. A shell command vulnerability exists when a Web application passes a command to the Unix shell or other operating system command line in a way that an attacker can manipulate to execute his own commands.
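The two injection classes the report contrasts are easiest to see side by side. The following is an added example, not code from the article or from IBM's report: a constructed in-memory accounts table, a lookup that concatenates the request parameter into SQL next to a parameterized version, and a command that splices a hostname into a shell line next to an argv-list version with an allow-list check in front of it. All names, the table layout and the sample inputs are assumptions made for illustration.

```python
"""Added example (not from the article or IBM's report): SQL injection and
shell command injection, each shown as the vulnerable pattern next to the fix.
Table layout, function names and sample inputs are constructed for illustration."""
import re
import sqlite3
import subprocess

# Constructed sample data standing in for a site's accounts table.
ACCOUNT_ROWS = [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNT_ROWS)
    return conn


def owners_vulnerable(conn, account_id):
    """Concatenates the request parameter into the SQL text (the flaw).

    An ID of "2 OR 1=1" turns a single-row lookup into a query that matches
    every row, which is the wildcard substitution the article describes.
    """
    sql = "SELECT owner FROM accounts WHERE id = " + account_id
    return [row[0] for row in conn.execute(sql)]


def owners_safe(conn, account_id):
    """Parameterized query: the value is bound as data and never parsed as SQL.

    The same "2 OR 1=1" string is compared against the id column as a literal
    and matches nothing.
    """
    rows = conn.execute("SELECT owner FROM accounts WHERE id = ?", (account_id,))
    return [row[0] for row in rows]


def echo_vulnerable(host):
    """Splices user input into a shell command line (the flaw).

    Because /bin/sh parses the string, a ';' in the input ends the intended
    command and starts a second one.
    """
    completed = subprocess.run("echo " + host, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def echo_safe(host):
    """Pass an argv list with no shell: the whole string is one argument."""
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


# Allow-list for hostnames: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_hostname(value):
    """Reject anything outside the allow-list before it reaches any command."""
    return HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    tampered = "2 OR 1=1"            # constructed hostile parameter
    print(owners_vulnerable(db, tampered))   # every owner is returned
    print(owners_safe(db, tampered))         # nothing matches
    injected = "example.org; echo INJECTED"  # constructed hostile hostname
    print(repr(echo_vulnerable(injected)))   # two lines of output
    print(repr(echo_safe(injected)))         # one line, input echoed verbatim
    print(is_valid_hostname(injected))       # False: rejected up front
```

The parameterized query and the argv list fix the two bugs the same way: user input is handed to the database or the operating system as data, never as something to be parsed. The allow-list is a second layer; it keeps a hostname from ever carrying shell syntax even if some other code path later builds a command line.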

Something Phishy This Way Comes

I mentioned experiencing my own social media pratfall, just prior to a meeting with IBM's Cross. The morning I was to meet him and some of his coworkers for breakfast in Austin, I received a Twitter direct message that appeared to come from one of my social media contacts who works at an IT services firm. Just: "Did you see this tweet about you?"--and then a link.

Half-awake and viewing this on my iPhone, I clicked through and was prompted for my Twitter password, which I entered. The Twitter look-alike site I had just visited--at twitterlogin312707.20m.us--then dumped me back out at Twitter.com, which asked me for my password for real. Okay, I was dumb, but not so dumb that I didn't realize what had just happened. Within a few minutes, I had logged in from my laptop and changed my Twitter password. I did the same on a few other social media websites where I used the same password--also a bad habit, I know, but like most people I can only remember so many passwords.

When I confessed all over breakfast, Cross said I had probably acted quickly enough to avoid problems. As long as I didn't find anything odd in my feed or direct messages (as far as I know, no one has been getting appeals to buy herbal Viagra from me), I was probably all right. I'm just lucky whoever designed this attack didn't have a script ready to log into my account and change my password to some random value before I could get to it.

As for sharing a password between accounts, he thought it was good that I at least limited the practice to a class of accounts (for social media sites) rather than also using it for things like Internet banking.

In recent weeks, I've also been on the receiving end of some odd social media spam on Facebook. A woman I know through local politics started tagging me in photos--photos of women's shoes. At first, I thought she was caught up in some odd social media marketing scheme, abusing the photo tagging notification system (in a way I've seen some other folks do) to draw attention to an image and associated message, regardless of whether I was actually in the photo. But as I saw the complaints piling up on her Facebook wall, and still nothing changed, it dawned on me that her account had been taken over by a bot (or something). She later confirmed to me that she had lost control over her account and had been unable to navigate Facebook's self-service processes for resetting her password.

Comments
dadler60601,
User Rank: Apprentice
4/11/2012 | 2:00:56 AM
re: Social Phishing Spikes As Spam Declines, IBM Finds
Very timely piece. People need to be aware of the risk of accepting connections using social media. Given the high degree of personal information disclosed, one needs to be even more skeptical of proposed connections. For example, if someone is trying to connect through LinkedIn, and you are not absolutely certain you know this person, check their "connections." Do they have 5 or 500? Can you verify the work history? When in doubt, do without. For more about me see adlerlaw.wordpress.com
Deb Donston-Miller,
User Rank: Apprentice
4/17/2012 | 2:18:01 AM
re: Social Phishing Spikes As Spam Declines, IBM Finds
The scary thing about social is how much info can be gleaned with absolutely no end user action at all. No longer do the bad guys have to convince people to click through a link; there is a wealth of information available on users' social media presence, especially if it is not locked down well. But when it does come to email spam, this info can be used to craft emails even the most suspicious of security pros would be hard-pressed to ignore.

Deb Donston-Miller
Contributing Editor, The BrainYard