Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:57 PM
Connect Directly

SMBs Often Hit Hardest By Botnets

Bot infections, spam can be 'silent killer' for SMBs due to drain on email servers, network resources

A small or midsize business (SMB) is ultimately a more attractive target for spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.

Security experts say that while large enterprises are getting hit hard by bot infections and related attacks, it's the SMBs that are getting hurt the worst. Home machines are obviously the easiest targets, but SMBs are relatively defenseless, as well, given their lack of IT resources and budgets to build out layered security like the big boys do.

SMBs are also potentially more lucrative targets for botnets and attackers than consumers because getting a foothold into a business' network -- small or midsize -- translates into a potentially better yield than "owning" a couple of home machines, says Randy Abrams, director of technical education for Eset. "It makes a targeted attack a profitable investment," Abrams says.

SMBs can also provide botnet herders with easy-to-grab business-class machines for their armies. "The key reason SMBs might be more attractive to botnets is they have business-class machines, but limited resources in IT to protect them," says Phillip Lin, director of marketing for FireEye. And their all-in-one security approaches can be easy to bypass, he says.

Spammers use their botnets not only for sending unwanted email to SMBs, but also for gathering new email addresses and bot recruits. "They are after sensitive data, as well," says David Setzer, CEO of Mailprotector, an email security service provider. They want to recruit a new spam relay/bot, but they also throw in a keylogger to sniff for usernames and passwords, and try to grab as much lucrative sensitive data as possible, he says.

"It's kind of a Swiss Army knife of malware...[they figure] they might as well get all the goodies they can out of [the SMB]," Setzer adds.

While Setzer says he can't pinpoint any specific botnets that focus on hitting SMBs, more SMBs tend to get hit because they don't have the horsepower to handle the threats. A DSL line or DS3 connection can be no match for a botnet spamming and waging a directory attack, he says.

While the big botnets and spammers stick with the widespread attack strategy rather than targeting companies, some SMBs are getting hit with targeted phishing attacks in order for the attacker to gain a foothold in their networks.

"What we see more often is a whaling-type attack where you have somebody targeting someone at a small- to medium-size business for a specific reason --maybe a smaller brokerage," he says. "It's some human making a cognitive decision to go after [a firm]."

One of Mailprotector's small-business customers was once hit by a massive spam run and directory attack delivering more than 100,000 messages from more than 10,000 distinct IP addresses. "It was a spam and a directory-harvesting attack where they were going through and trying to harvest names and email addresses from the directory," Setzer says. "[The customer] didn't know about the attack until their regular log review because our systems had shut it down...it would have crashed their email."

Many SMBs run multiple services on their servers, and an email server may run other applications, as well. "So when a big denial-of-service or wave comes in, the server can't handle the load or bandwidth," he says.

Symantec's MessageLabs has watched spam levels rise as botnet operators rebuild their spamming infrastructures in the wake of the McColo takedown. "Much of the spam coming from botnets is destined for email addresses at domains where the recipient's address has been created randomly using dictionaries for first and last names," says Paul Wood, MessageLabs intelligence senior analyst for Symantec. "This is a big problem, especially for SMBs, because spam can be a silent killer for these businesses. Even though the incoming mail is spam, SMBs are wasting valuable and limited resources because the email server still has to receive and process these messages in order to reject them."

Sam Masiello, vice president of information security at MX Logic, says his company has seen an increase in targeted, malicious botnet activity against all sizes of enterprises, using available information from social networks and search engines to craft spear-phishing attacks that use the victim's first name, company name, or phone number in the email to appear authentic.

"These highly targeted emails are frequently looking for network authentication credentials so that a hacker could get into a company's network and steal proprietary information, but we have also seen instances of 'whaling,' where affluent people like CEOs are targeted in an effort to install malware keyloggers that activate when the victim logs into their bank or brokerage Website," Masiello says. "SMBs are particularly vulnerable to these types of attacks because many of them do not employ a full-time IT staff and budget to educate their users about these types of threats."

Meanwhile, AT&T sees more SMBs looking for managed security services options to help them protect their data, says Brian Perry, executive director of managed security services for AT&T. "The bot issue is pervasive -- it's not just a consumer issue," he Perry says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the implementation of the RPMB command status, in which an attacker can write to the Write Protect Configuration Block, which may lead to denial of service or escalation of privileges.
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVDEC component, in which an attacker can read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or escalation of privileges.
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVHost function, which may lead to abnormal reboot due to a null pointer reference, causing data loss.
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...
PUBLISHED: 2021-01-20
Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is suppli...