Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:01 PM
Connect Directly

Cisco: Cybercriminals Hiding Behind Legitimate Websites, Email Accounts

New annual security threat report from Cisco highlights a 'rough year' for computing in 2008

It's getting harder to tell the good guys from the bad: Sophisticated cybercriminals are increasingly taking cover behind legitimate Websites and email domains to lure their victims, according to Cisco Systems' annual security report, released today.

Among the key findings of The 2008 Cisco Annual Security Report is a 90 percent increase this year in threats originating on legitimate Websites that were unknowingly infected by cybercriminals. And nearly 8 percent of email providers' traffic was generated from hijacked legitimate email domains.

It all starts with malware and botnets, according to Cisco, and botnets are the "nexus" of cybercrime.

"What's fascinating to me are the criminal ecosystems -- the ability for criminals to no longer just use their own resources or know-how, but a broad network of criminals all working together to commit large, profitable, and successful crimes," says Patrick Peterson, Cisco fellow and chief security researcher for the networking giant, in a video blog. "Many of these begin with malware and botnets."

iFrame infections via SQL injection attacks on legit Websites were rampant in 2008, as the bad guys tried to infect users with bots and other malware when they visited these trusted Websites. The iFrames were injected onto the sites via botnets, and the infected links sent victims to malware-downloading sites, according to the Cisco report.

And as security vendors became savvier in protecting users from bot infections, cybercriminals started hiding their bots to do their dirty work, according to Cisco, using a technique the vendor calls "reputation hijacking." That's where bad guys use real email accounts and Web mail providers to send their spam email to evade detection by spam filters.

According to the Cisco report, while spam from reputation hijacking of the top three Web mail providers was about 1 percent of all spam worldwide, it made up 7.6 percent of the email providers' overall traffic this year.

"Cybercriminals are ceasing to use their botnets to perform the crimes directly...rather, using botnets to attack intermediary servers and then have those intermediary servers attack the victims so that the victim can't see the reputation of the botnet that was behind it," Cisco's Peterson says. "This is a way to repurpose their botnets."

The bad guys have their botnets log into Webmail accounts and search for weak passwords. "Then they create a ton of email messages [with those hijacked accounts] and send it to everyone in that address book," he says. "The free Webmail provider sends it and the recipient thinks it came from that ISP."

According to the Cisco report, 200 billion spam messages are sent each day, accounting for 90 percent of all email traffic. The U.S. accounts for 17.2 percent of spam traffic, followed by Turkey (9.2 percent), Russia (8 percent), Canada (4.7 percent), Brazil (4.1 percent), India (3.5 percent), Poland (3.4 percent), South Korea (3.3 percent), Germany (2.9 percent), and the United Kingdom (2.9 percent).

The number of malware infections from malicious email attachments has dropped by 50 percent over the last two years as attackers turned to other techniques, Cisco says in its report. In addition, the number of disclosed security vulnerabilities jumped nearly 12 percent this year, the report says. There were 103 vulnerabilities reported in virtualization software, up from only 35 in 2007.

Cisco expects spear phishing -- which currently accounts for only 1 percent of all phishing attacks -- to grow next year as cybercriminals create more convincing spam. Social engineering and the expansion of mobile computing, virtualization, and cloud computing will also pose more risks in the coming year.

Attackers are blending email and Web-borne attacks to better hit their targets. "Today's attacks are clearly multiprotocol," said Tom Gillis, vice president of product management and product marketing for Cisco's security group in a Webcast on the report today. "If you're only looking at email traffic, you're missing what's happening.

"The threats we're seeing today are odorless, invisible gases that are noxious," he said. "'08 was a rough year for computing."

The Cisco report also provides recommendations for organizations to protect themselves from malware infections, data loss, and other risks in the coming year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.