The figures, compiled by Sophos's global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.
Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies and pop music videos. People visiting these sites are running the risk of having their PCs infected by malicious code, which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties.
The total number of infected webpages continues to grow, although at a slightly slower rate than the month before. During August, Sophos detected an average of 5,000 new infected webpages each day, compared to 6,000 in July.
There was also a sharp spike in spam activity in the middle of August due to one of the world's largest ever single spam campaigns, which was designed to manipulate stock prices.
The top 10 list of web-based malware threats in August 2007 includes:
- Mal/Iframe 47.8%
- Mal/ObfJS 17.7%
- Troj/Decdec 14.0%
- Troj/Fujif 4.3%
- Mal/EncPk 2.5%
- Troj/Psyme 2.2%
- Mal/Packer 1.1%
- Troj/Pintadd 1.0%
- VBS/Redlof 0.7%
- Mal/Behav 0.5%
Mal/Iframe and ObfJS have retained their positions at the top of the chart, while Decdec has crept up to third place, accounting for 14 percent of this month's web-based malware, which is up 11 percent from July.
"Whether operating a computer for personal use or business use, people must be aware that cybercriminals are on the prowl using a one-two punch system that combines regular email scams with sophisticated web-based malware attacks, said Ron OBrien, senior security analyst at Boston-based Sophos. IT managers, web hosts and ISPs alone cannot defend against malicious attacks entirely. Users must become better educated about the types of threats out there, as well as the tools available to protect themselves from such attacks.