Computer Attacks Via Phishing, Malicious Links & Vulnerabilities Keep Rising

It seems, sometimes, that a new phishing scam crops up every day, no matter how much security is improved.

That's not just your imagination.

IBM today released its annual IBM X-Force 2009 Trend and Risk Report, which showed threats that include phishing and document format vulnerabilities, among others, are on the rise.

The areas of most concern, the report showed:
  • Malicious Web links, which result in malware or viruses being downloaded onto the clicker's computer
  • Phishing scams, where messages from a seemingly legit organization or company fool users into turning over sensitive information
  • Vulnerabilities in document readers and editors, particularly in PDFs

In 2009, the report showed, more than 6,600 new document format vulnerabilities were discovered, which was actually an 11 percent decrease from 2008. It appears the worst vulnerabilities have been eliminated in ActiveX, an Internet Explorer plug-in, and in relation to SQL injection, where malicious code is injected into legit websites.

Other good news is that software vendors appear to have become much more responsive to security problems and issue patches quickly. Among Web browsers and document readers/editors, there are far fewer vulnerabilities categorized as critical or high that have no patch available. On the flip side, there were 50 percent more vulnerability disclosures for document readers/editors and multimedia applications - which means the vendors are letting their customers know quickly when vulnerabilities are discovered.

"Despite the ever-changing threat landscape, this report indicates that overall, vendors are doing a better job responding to security vulnerabilities," Tom Cross, manager of IBM X-Force Research, said in a prepared statement. "However, attackers have clearly not been deterred, as the use of malicious exploit code in Web sites is expanding at a dramatic rate."

In fact, problems with Web apps have increased exponentially - now accounting for 49 percent of all vulnerabilities. Of those, 67 percent had no patch available by year's end. In addition, obfuscation, where malicious attacks are hidden in documents and web pages, increased by three to four times over 2008.

And the news isn't so good when it comes to malicious web links and phishing, either.

The number of malicious web links globally increased a whopping 345 percent over 2008. What that means, the report explains, is that the bad guys are probably making a pretty penny from these attacks. Otherwise, they'd probably try something else.

Phishing attacks had declined by mid-year, but surged ahead in the latter half of 2009. In 2008, the countries where most phishing scams originated were Spain, Italy and South Korea. In 2009? Brazil, the U.S. and Russia. And the phishers are using people's trust in their banks and governments to steal their money. The vast majority - 61 percent - of phishing e-mails appear to originate from financial institutions including banks and credit unions. Another 20 percent appear to be coming from government organizations and agencies.

IBM's X-Force is a research and development team that has "been cataloguing, analyzing and researching vulnerability disclosures since 1997." It has catalogued more than 48,000 security vulnerabilities in that time.