1:15 PM -- Think you can guess when the biggest spike in phishing occurred during the second half of 2006 -- 40 percent higher than any other time during that period? You're thinking the holiday shopping season, right? Wrong: It was during the World Cup last summer, says David Cole, director of Symantec Security Response.
That's of course a testament to the global scope of the problem, as well as to the global popularity of "the beautiful game." This was just one of the tidbits in Symantec's new six-month Internet threat report for June through December 2006, which the company officially released today.
The big themes and findings were not surprising: phishing was up; sophisticated criminals are hooking up with hackers; stolen credit card numbers and SSNs are going for a pittance online, so it's a bulk business; one third of all attacks came from within the U.S.; and the U.S. leads in botnet activity.
But there were a few less-splashy yet provocative findings I spoke with Cole about last week:
Home users were the target of 93 percent of targeted attacks, and Americans are the biggest targets for computer crime -- 86 percent of the stolen debit and credit card accounts were issued by U.S. banks. The U.S. is also ranked number one as the main origin of worldwide attacks, with 33 percent of attack activity, according to the report. And Symantec found that 51 percent of underground "economy servers" (servers used by bad guys to sell stolen info) were located in the U.S.
But that doesn't mean U.S.-based criminals are behind these servers. "It simply means they're being hosted here, not necessarily that the U.S. people know that they are run on these machines," says Cole, who adds that Symantec has seen a mishmash of languages here, not just English.
Another interesting but deceptive statistic that Symantec found is that the number of botnet command and control servers went down by 25 percent in the second half of last year. Does that mean botnets are getting larger? Yes and no. It's more than likely a reflection of their movement away from conspicuous IRC channels to more stealthy peer-to-peer or encrypted channels that are tougher to detect.
"We're not seeing the command and control traffic as much anymore," Cole notes. "We're seeing some exotic stuff, like their using eDonkey/OverNet, HTTP, and we even saw one over ICMP, if you want to get really wacky."
Cole says eDonkey/OverNet and peer-to-peer have been instrumental in helping keep the Storm trojan pCOM -- which he considers the biggest threat of this year -- alive and well and reinventing itself.
And look out for Web 2.0 and "community"-based threats on social networking and multiplayer/gaming sites like Second Life to rise in the next six months, he says. "They may not be outright malicious malware, but could be playful and destructive."
Kelly Jackson Higgins, Senior Editor, Dark Reading
Symantec Corp. (Nasdaq: SYMC)