It seems, sometimes, that a new phishing scam crops up every day, no matter how much security is improved.
That's not just your imagination.
IBM today released its annual IBM X-Force 2009 Trend and Risk Report, which
showed threats that include phishing and document format
vulnerabilities, among others, are on the rise.
The areas of most concern, the report showed, are:
- Malicious Web links, which result in malware or viruses being downloaded onto the clicker's computer
- Phishing scams, where messages from a seemingly legit organization or company fool users into turning over sensitive information
- Vulnerabilities in document readers and editors, particularly in PDFs
In 2009, the report showed, more than 6,600 new document format
vulnerabilities were discovered, which was actually an 11 percent
decrease over 2008. It appears the worst vulnerabilities have been
eliminated in ActiveX, an Internet Explorer plug-in, and relating to
SQL Injection, where malicious code is injected into legit websites.
The good news is that software vendors appear to have become much more
responsive to security problems and issue patches quickly. There are
far fewer vulnerabilities categorized as critical or high that have no
patch made available with Web browsers and document readers/editors. On
the flip side, there were 50 percent more vulnerability disclosures for
document readers/editors and multimedia applications - which means the
vendors are letting their customers know quickly when vulnerabilities
"Despite the ever-changing threat landscape,
this report indicates that overall, vendors are doing a better job
responding to security vulnerabilities," Tom Cross, manager of IBM
X-Force Research, said in a prepared statement. "However, attackers
have clearly not been deterred, as the use of malicious exploit code in
Web sites is expanding at a dramatic rate."
In fact, problems
with Web apps have increased exponentially - now accounting for 49
percent of all vulnerabilities. Of those, 67 percent had no patch
available by year's end. In addition, obfuscation, where malicious
attacks are hidden in documents and web pages, increased by three to
four times over 2008.
And the news isn't so good when it comes to malicious web links and phishing, either.
The number of malicious web links globally increased a whopping 345 percent
over 2008. What that means, the report explains, is that the bad guys
are probably making a pretty penny from these attacks. Otherwise,
they'd probably try something else.
Phishing attacks had
declined by mid-year, but in the latter half of 2009 surged ahead. In
2008, the countries where most phishing scams originated were Spain,
Italy and South Korea. In 2009? Brazil, the U.S. and Russia. And the
phishers are using people's trust of their banks and governments to
steal their money. The vast majority - 61 percent - of phishing e-mails
appear to originate from financial institutions including banks and
credit unions. Another 20 percent appear to be coming from government
organizations and agencies.
IBM's X-Force is a research and
development team that has "been cataloguing, analyzing and
researching vulnerability disclosures since 1997." It has catalogued
more than 48,000 security vulnerabilities in that time.