Security experts say that while large enterprises are getting hit hard by bot infections and related attacks, it's the SMBs that are getting hurt the worst. Home machines are obviously the easiest targets, but SMBs are relatively defenseless, as well, given their lack of IT resources and budgets to build out layered security like the big boys do.
SMBs are also potentially more lucrative targets for botnets and attackers than consumers because getting a foothold into a business' network -- small or midsize -- translates into a potentially better yield than "owning" a couple of home machines, says Randy Abrams, director of technical education for Eset. "It makes a targeted attack a profitable investment," Abrams says.
SMBs can also provide botnet herders with easy-to-grab business-class machines for their armies. "The key reason SMBs might be more attractive to botnets is they have business-class machines, but limited resources in IT to protect them," says Phillip Lin, director of marketing for FireEye. And their all-in-one security approaches can be easy to bypass, he says.
Spammers use their botnets not only for sending unwanted email to SMBs, but also for gathering new email addresses and bot recruits. "They are after sensitive data, as well," says David Setzer, CEO of Mailprotector, an email security service provider. They want to recruit a new spam relay/bot, but they also throw in a keylogger to sniff for usernames and passwords, and try to grab as much lucrative sensitive data as possible, he says.
"It's kind of a Swiss Army knife of malware...[they figure] they might as well get all the goodies they can out of [the SMB]," Setzer adds.
While Setzer says he can't pinpoint any specific botnets that focus on hitting SMBs, more SMBs tend to get hit because they don't have the horsepower to handle the threats. A DSL line or DS3 connection can be no match for a botnet spamming and waging a directory attack, he says.
While the big botnets and spammers stick with the widespread attack strategy rather than targeting companies, some SMBs are getting hit with targeted phishing attacks in order for the attacker to gain a foothold in their networks.
"What we see more often is a whaling-type attack where you have somebody targeting someone at a small- to medium-size business for a specific reason -- maybe a smaller brokerage," he says. "It's some human making a cognitive decision to go after [a firm]."
One of Mailprotector's small-business customers was once hit by a massive spam run and directory attack delivering more than 100,000 messages from more than 10,000 distinct IP addresses. "It was a spam and a directory-harvesting attack where they were going through and trying to harvest names and email addresses from the directory," Setzer says. "[The customer] didn't know about the attack until their regular log review because our systems had shut it down...it would have crashed their email."
Many SMBs run multiple services on their servers, and an email server may run other applications, as well. "So when a big denial-of-service or wave comes in, the server can't handle the load or bandwidth," he says.
Symantec's MessageLabs has watched spam levels rise as botnet operators rebuild their spamming infrastructures in the wake of the McColo takedown. "Much of the spam coming from botnets is destined for email addresses at domains where the recipient's address has been created randomly using dictionaries for first and last names," says Paul Wood, MessageLabs intelligence senior analyst for Symantec. "This is a big problem, especially for SMBs, because spam can be a silent killer for these businesses. Even though the incoming mail is spam, SMBs are wasting valuable and limited resources because the email server still has to receive and process these messages in order to reject them."
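As an added, defender-side illustration of the directory-harvest pattern Setzer and Wood describe above (many source IPs, dictionary-shaped first.last recipient names, and a high share of rejected recipients), here is a small Python analyzer that is not part of the article; it parses a constructed, simplified Postfix-like log format (an assumption, not a real log) and flags per-minute windows that fit the pattern:

```python
import re
from collections import defaultdict

# Constructed sample of a mail-server log in a simplified Postfix-like format (assumed,
# not from the article). Rejected recipients carry "550 User unknown"; accepted "250 queued".
SAMPLE_LOG = """\
10:00:01 RCPT from [198.51.100.7] <john.smith@example.com>: 550 User unknown
10:00:01 RCPT from [198.51.100.8] <mary.jones@example.com>: 550 User unknown
10:00:02 RCPT from [203.0.113.9] <robert.brown@example.com>: 550 User unknown
10:00:02 RCPT from [203.0.113.10] <linda.davis@example.com>: 550 User unknown
10:00:03 RCPT from [203.0.113.11] <james.wilson@example.com>: 550 User unknown
10:00:03 RCPT from [192.0.2.5] <sales@example.com>: 250 queued
10:01:10 RCPT from [192.0.2.5] <info@example.com>: 250 queued
10:01:40 RCPT from [192.0.2.6] <ceo@example.com>: 550 User unknown
"""

LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d RCPT from \[(?P<ip>[\d.]+)\] "
    r"<(?P<local>[^@>]+)@[^>]+>: (?P<code>\d{3}) "
)
NAME_RE = re.compile(r"^[a-z]+\.[a-z]+$")  # first.last shape a name dictionary produces

def analyze(log_text, min_rejects=5, min_ips=3, reject_ratio=0.8):
    """Per-minute stats; 'harvest' is True when a window looks like a directory-harvest run."""
    windows = defaultdict(lambda: {"total": 0, "rejects": 0, "ips": set(), "namelike": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not recipient attempts
        w = windows[f"{m['hh']}:{m['mm']}"]
        w["total"] += 1
        if m["code"] == "550":
            w["rejects"] += 1
            w["ips"].add(m["ip"])  # distinct senders behind the unknown-recipient rejects
            if NAME_RE.match(m["local"]):
                w["namelike"] += 1
    report = {}
    for key, w in windows.items():
        ratio = w["rejects"] / w["total"]
        report[key] = {
            "total": w["total"], "rejects": w["rejects"],
            "distinct_ips": len(w["ips"]), "namelike_rejects": w["namelike"],
            "harvest": (w["rejects"] >= min_rejects and len(w["ips"]) >= min_ips
                        and ratio >= reject_ratio),
        }
    return report
```

On the sample, the 10:00 window (five unknown-recipient rejects from five IPs, all first.last names) is flagged while the 10:01 window, with one reject from a known partner host, is not.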
Sam Masiello, vice president of information security at MX Logic, says his company has seen an increase in targeted, malicious botnet activity against all sizes of enterprises, using available information from social networks and search engines to craft spear-phishing attacks that use the victim's first name, company name, or phone number in the email to appear authentic.
"These highly targeted emails are frequently looking for network authentication credentials so that a hacker could get into a company's network and steal proprietary information, but we have also seen instances of 'whaling,' where affluent people like CEOs are targeted in an effort to install malware keyloggers that activate when the victim logs into their bank or brokerage Website," Masiello says. "SMBs are particularly vulnerable to these types of attacks because many of them do not employ a full-time IT staff and budget to educate their users about these types of threats."
Meanwhile, AT&T sees more SMBs looking for managed security services options to help them protect their data, says Brian Perry, executive director of managed security services for AT&T. "The bot issue is pervasive -- it's not just a consumer issue," Perry says.