Endpoint

5/6/2009
02:57 PM
SMBs Often Hit Hardest By Botnets

Bot infections, spam can be 'silent killer' for SMBs due to drain on email servers, network resources

A small or midsize business (SMB) is ultimately a more attractive target for spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.

Security experts say that while large enterprises are getting hit hard by bot infections and related attacks, it's the SMBs that are getting hurt the worst. Home machines are obviously the easiest targets, but SMBs are relatively defenseless, as well, given their lack of IT resources and budgets to build out layered security like the big boys do.

SMBs are also potentially more lucrative targets for botnets and attackers than consumers because getting a foothold into a business' network -- small or midsize -- translates into a potentially better yield than "owning" a couple of home machines, says Randy Abrams, director of technical education for Eset. "It makes a targeted attack a profitable investment," Abrams says.

SMBs can also provide botnet herders with easy-to-grab business-class machines for their armies. "The key reason SMBs might be more attractive to botnets is they have business-class machines, but limited resources in IT to protect them," says Phillip Lin, director of marketing for FireEye. And their all-in-one security approaches can be easy to bypass, he says.

Spammers use their botnets not only for sending unwanted email to SMBs, but also for gathering new email addresses and bot recruits. "They are after sensitive data, as well," says David Setzer, CEO of Mailprotector, an email security service provider. They want to recruit a new spam relay/bot, but they also throw in a keylogger to sniff for usernames and passwords, and try to grab as much lucrative sensitive data as possible, he says.

"It's kind of a Swiss Army knife of malware...[they figure] they might as well get all the goodies they can out of [the SMB]," Setzer adds.

While Setzer says he can't pinpoint any specific botnets that focus on hitting SMBs, more SMBs tend to get hit because they don't have the horsepower to handle the threats. A DSL line or DS3 connection can be no match for a botnet spamming and waging a directory attack, he says.

While the big botnets and spammers stick with the widespread attack strategy rather than targeting companies, some SMBs are getting hit with targeted phishing attacks in order for the attacker to gain a foothold in their networks.

"What we see more often is a whaling-type attack where you have somebody targeting someone at a small- to medium-size business for a specific reason -- maybe a smaller brokerage," he says. "It's some human making a cognitive decision to go after [a firm]."

One of Mailprotector's small-business customers was once hit by a massive spam run and directory attack delivering more than 100,000 messages from more than 10,000 distinct IP addresses. "It was a spam and a directory-harvesting attack where they were going through and trying to harvest names and email addresses from the directory," Setzer says. "[The customer] didn't know about the attack until their regular log review because our systems had shut it down...it would have crashed their email."

Many SMBs run multiple services on their servers, and an email server may run other applications, as well. "So when a big denial-of-service or wave comes in, the server can't handle the load or bandwidth," he says.

Symantec's MessageLabs has watched spam levels rise as botnet operators rebuild their spamming infrastructures in the wake of the McColo takedown. "Much of the spam coming from botnets is destined for email addresses at domains where the recipient's address has been created randomly using dictionaries for first and last names," says Paul Wood, MessageLabs intelligence senior analyst for Symantec. "This is a big problem, especially for SMBs, because spam can be a silent killer for these businesses. Even though the incoming mail is spam, SMBs are wasting valuable and limited resources because the email server still has to receive and process these messages in order to reject them."
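The directory-harvesting attack described above shows up in mail logs as one source trying many nonexistent, dictionary-built recipients. As an added example (not Mailprotector's or MessageLabs' code), this Python detector runs over constructed SMTP log lines in an assumed format and flags sources that pile up unknown-recipient rejections inside a short window, which is the signal an SMB could alert on before its mail server is swamped.

```python
"""Detect a directory-harvest attack (DHA) in constructed SMTP log lines.

A DHA appears in mail logs as one source IP trying many recipients that do
not exist, typically names built from first/last-name dictionaries. The
detector counts unknown-recipient rejections per sending IP inside a
sliding time window and flags sources crossing a threshold. The log
format, threshold, window and addresses are assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> <status> from=<ip> rcpt=<address>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<status>ok|reject_unknown) from=(?P<ip>[\d.]+) rcpt=(?P<rcpt>\S+)$"
)

def find_harvesters(lines, max_unknown=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for IPs with more than max_unknown
    unknown-recipient rejections inside `window`; older events slide out."""
    recent = defaultdict(deque)   # ip -> timestamps of unknown-rcpt rejects
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "reject_unknown":
            continue                # accepted mail and unparsable lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop rejections older than the window
        if len(q) > max_unknown:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample: one ordinary sender with a typo, one dictionary-walking harvester
SAMPLE_LOG = [
    "2009-05-06T14:00:01 ok from=198.51.100.7 rcpt=sales@example-smb.test",
    "2009-05-06T14:00:02 reject_unknown from=198.51.100.7 rcpt=sale@example-smb.test",
] + [
    f"2009-05-06T14:01:{i:02d} reject_unknown from=203.0.113.9 "
    f"rcpt={first}.{last}@example-smb.test"
    for i, (first, last) in enumerate(
        [("aaron", "adams"), ("aaron", "allen"), ("abby", "adams"), ("abby", "allen"),
         ("adam", "baker"), ("adam", "brown"), ("alan", "brown"), ("alan", "clark")])
]

if __name__ == "__main__":
    for ip, n in find_harvesters(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {n} unknown recipients in window")
```

A real deployment would feed the flagged IPs to a rate limiter or temporary block at the mail gateway rather than only printing them.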

Sam Masiello, vice president of information security at MX Logic, says his company has seen an increase in targeted, malicious botnet activity against all sizes of enterprises, using available information from social networks and search engines to craft spear-phishing attacks that use the victim's first name, company name, or phone number in the email to appear authentic.

"These highly targeted emails are frequently looking for network authentication credentials so that a hacker could get into a company's network and steal proprietary information, but we have also seen instances of 'whaling,' where affluent people like CEOs are targeted in an effort to install malware keyloggers that activate when the victim logs into their bank or brokerage Website," Masiello says. "SMBs are particularly vulnerable to these types of attacks because many of them do not employ a full-time IT staff and budget to educate their users about these types of threats."

Meanwhile, AT&T sees more SMBs looking for managed security services options to help them protect their data, says Brian Perry, executive director of managed security services for AT&T. "The bot issue is pervasive -- it's not just a consumer issue," Perry says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
