The X-Force Trend and Risk Report for 2011, released Thursday, revealed a 50% decline in spam email compared to 2010, more diligent vendor patching of security vulnerabilities, and fewer Web application vulnerabilities, with half the incidence of cross-site scripting vulnerabilities compared with four years ago.
One attack trend is an increased use of phishing emails that impersonate notifications from social media sites. "The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven't been seen since 2008," according to the report. "Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites."
The social media phishing trend caught my attention because I had just embarrassed myself by stumbling across one of those attacks when I met with Tom Cross, X-Force Threat Intelligence Manager, at the South by Southwest conference in Austin earlier this month--more on that after the news.
Cross said the decline in spam detected by IBM's global spam monitoring network reflects takedowns of several large spam botnets. It may or may not last, but, for the time being, that action has made a significant dent in spam volumes, he said.
Overall, Internet security seems to be improving, due to an industry focus on improving the quality of software. IBM saw a 30% decline in new exploit code--widely distributed hacking kits to exploit common software vulnerabilities--presumably because there are fewer new vulnerabilities popping up. Vendors are doing a better job of patching their software promptly when vulnerabilities are discovered. By IBM's count, the percentage of unpatched vulnerabilities declined to 36%, compared with 43% in 2010.
IBM found cross-site scripting (XSS) vulnerabilities--errors that make it possible to redirect user input from one site to another--are half as likely to exist in customers' software as they were four years ago. However, IBM says its security scans still find XSS vulnerabilities in about 40% of applications, "still high for something well understood and able to be addressed," according to the report.
Meanwhile, one variety of code-injection attack is on the wane, but attackers have shifted their attention to another. For years, many attacks on Web applications focused on SQL injection--tricking database-driven websites into executing queries of the attacker's design. For example, a dynamic page for displaying a single user's private account information by ID number might be tricked into substituting a wildcard in the query and displaying everyone's private account information.
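The account-lookup scenario just described, as an added illustration that is not part of the original article or of the IBM report: a Python function that builds its query by string concatenation returns every row once the supplied "ID" carries an always-true condition (the effect the text calls substituting a wildcard), while the hardened version rejects anything that is not an integer and binds the value as a query parameter. The table, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data: three users' private account records.
SAMPLE_USERS = [
    (1, "alice", "alice-balance-9000"),
    (2, "bob", "bob-balance-120"),
    (3, "carol", "carol-balance-45"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def account_by_id_vulnerable(conn, user_id):
    """Vulnerable form: the request value is pasted straight into the SQL text.

    A value such as "2 OR 1=1" turns the WHERE clause into one that matches
    every row, so the page that should show one account shows all of them.
    """
    sql = "SELECT id, name, secret FROM accounts WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def account_by_id_safe(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    int() refuses anything that is not a whole number, and the "?" placeholder
    hands the value to the database driver as data, never as SQL syntax.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("account id must be an integer") from None
    return conn.execute(
        "SELECT id, name, secret FROM accounts WHERE id = ?", (uid,)
    ).fetchall()


def is_rejected(conn, user_id):
    """True when the hardened lookup refuses the supplied value."""
    try:
        account_by_id_safe(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legitimate id:", account_by_id_vulnerable(db, "2"))
    print("injected id:  ", account_by_id_vulnerable(db, "2 OR 1=1"))
    print("safe lookup:  ", account_by_id_safe(db, "2"))
    print("safe rejects: ", is_rejected(db, "2 OR 1=1"))
```

Parameter binding is the primary control; the integer check on top of it is defence in depth and also gives the application a clean place to log and count malformed identifiers, which is the kind of signal the scanners mentioned in the report look for.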
The good news is the incidence of SQL injection vulnerabilities in public websites dropped by 46% in 2011. The bad news is that the number of shell command injection attacks rose by two to three times in 2011, according to IBM. A shell command vulnerability exists when a Web application passes a command to the Unix shell or other operating system command line in a way that an attacker can manipulate to execute his own commands.
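The shell command vulnerability described above, as an added example that is not part of the original article or of the IBM report. It uses a harmless echo command to stand in for the system utility a Web application might call, and compares three ways of running it: a command string handed to the shell (where a semicolon in the input starts a second command), the same call made with an argument list so no shell ever parses the input, and the argument-list form behind an allow-list check. The function names, the regular expression and the sample input are constructed for this example.

```python
import re
import subprocess

# Allow-list for the value the application accepts: letters, digits, dot and
# hyphen only, which is enough for a username or hostname and excludes every
# shell metacharacter.
NAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,64}$")

# Constructed attacker-style input: the ';' ends one shell command and starts
# another. "echo INJECTED" stands in for whatever an attacker would run.
SAMPLE_INPUT = "bob; echo INJECTED"


def greet_vulnerable(name):
    """Vulnerable form: the input is spliced into a string run by /bin/sh.

    shell=True means the shell splits the string on ';', so the second
    command executes with the privileges of the Web application.
    """
    result = subprocess.run(
        f"echo Hello {name}", shell=True, capture_output=True, text=True
    )
    return result.stdout.splitlines()


def greet_argv(name):
    """Safer form: argv list, no shell.

    The whole input becomes a single argument to echo; the ';' is just a
    character in that argument and nothing else is executed.
    """
    result = subprocess.run(
        ["echo", "Hello", name], capture_output=True, text=True
    )
    return result.stdout.splitlines()


def validate_name(name):
    """True when the value matches the allow-list pattern."""
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def greet_safe(name):
    """Hardened form: allow-list the value, then call without a shell."""
    if not validate_name(name):
        raise ValueError("name contains characters outside the allow-list")
    return greet_argv(name)


if __name__ == "__main__":
    print("shell string:", greet_vulnerable(SAMPLE_INPUT))
    print("argv list:   ", greet_argv(SAMPLE_INPUT))
    print("allow-list:  ", validate_name(SAMPLE_INPUT), validate_name("bob"))
    print("safe call:   ", greet_safe("bob"))
```

Dropping the shell removes the class of bug entirely; the allow-list is there because the called program may itself interpret unusual arguments (a leading hyphen, for instance), and because rejected values are worth logging.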
Something Phishy This Way Comes
I mentioned experiencing my own social media pratfall, just prior to a meeting with IBM's Cross. The morning I was to meet him and some of his coworkers for breakfast in Austin, I received a Twitter direct message that appeared to come from one of my social media contacts who works at an IT services firm. Just: "Did you see this tweet about you?"--and then a link.
Half-awake and viewing this on my iPhone, I clicked through and was prompted for my Twitter password, which I entered. The Twitter look-alike site I had just visited--at twitterlogin312707.20m.us--then dumped me back out at Twitter.com, which then asked me for my password for real. Okay, I was dumb, but not so dumb that I didn't realize what had just happened. Within a few minutes, I had logged in from my laptop and changed my Twitter password. I did the same on a few other social media websites where I used the same password--also a bad habit, I know, but like most people I can only remember so many passwords.
When I confessed all over breakfast, Cross said I had probably acted quickly enough to avoid problems. As long as I didn't find anything odd in my feed or direct messages (as far as I know, no one has been getting appeals to buy herbal Viagra from me), I was probably all right. I'm just lucky whoever designed this attack didn't have a script ready to log into my account and change my password to some random value before I could get to it.
As for sharing a password between accounts, he thought it was good that I at least limited the practice to a class of accounts (for social media sites) rather than also using it for things like Internet banking.
In recent weeks, I've also been on the receiving end of some odd social media spam on Facebook. A woman I know through local politics started tagging me in photos--photos of women's shoes. At first, I thought she was caught up in some odd social media marketing scheme, abusing the photo tagging notification system (in a way I've seen some other folks do) to draw attention to an image and associated message, regardless of whether I was actually in the photo. But as I saw the complaints piling up on her Facebook wall, and still nothing changed, it dawned on me that her account had been taken over by a bot (or something). She later confirmed to me that she had lost control over her account and had been unable to navigate Facebook's self-service processes for resetting her password.