Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:01 PM
Connect Directly

Cisco: Cybercriminals Hiding Behind Legitimate Websites, Email Accounts

New annual security threat report from Cisco highlights a 'rough year' for computing in 2008

It's getting harder to tell the good guys from the bad: Sophisticated cybercriminals are increasingly taking cover behind legitimate Websites and email domains to lure their victims, according to Cisco Systems' annual security report, released today.

Among the key findings of The 2008 Cisco Annual Security Report is a 90 percent increase this year in threats originating on legitimate Websites that were unknowingly infected by cybercriminals. And nearly 8 percent of email providers' traffic was generated from hijacked legitimate email domains.

It all starts with malware and botnets, according to Cisco, and botnets are the "nexus" of cybercrime.

"What's fascinating to me are the criminal ecosystems -- the ability for criminals to no longer just use their own resources or know-how, but a broad network of criminals all working together to commit large, profitable, and successful crimes," says Patrick Peterson, Cisco fellow and chief security researcher for the networking giant, in a video blog. "Many of these begin with malware and botnets."

iFrame infections via SQL injection attacks on legit Websites were rampant in 2008, as the bad guys tried to infect users with bots and other malware when they visited these trusted Websites. The iFrames were injected onto the sites via botnets, and the infected links sent victims to malware-downloading sites, according to the Cisco report.

And as security vendors became savvier in protecting users from bot infections, cybercriminals started hiding their bots to do their dirty work, according to Cisco, using a technique the vendor calls "reputation hijacking." That's where bad guys use real email accounts and Web mail providers to send their spam email to evade detection by spam filters.

According to the Cisco report, while spam from reputation hijacking of the top three Web mail providers was about 1 percent of all spam worldwide, it made up 7.6 percent of the email providers' overall traffic this year.

"Cybercriminals are ceasing to use their botnets to perform the crimes directly...rather, using botnets to attack intermediary servers and then have those intermediary servers attack the victims so that the victim can't see the reputation of the botnet that was behind it," Cisco's Peterson says. "This is a way to repurpose their botnets."

The bad guys have their botnets log into Webmail accounts and search for weak passwords. "Then they create a ton of email messages [with those hijacked accounts] and send it to everyone in that address book," he says. "The free Webmail provider sends it and the recipient thinks it came from that ISP."

According to the Cisco report, 200 billion spam messages are sent each day, accounting for 90 percent of all email traffic. The U.S. accounts for 17.2 percent of spam traffic, followed by Turkey (9.2 percent), Russia (8 percent), Canada (4.7 percent), Brazil (4.1 percent), India (3.5 percent), Poland (3.4 percent), South Korea (3.3 percent), Germany (2.9 percent), and the United Kingdom (2.9 percent).

The number of malware infections from malicious email attachments has dropped by 50 percent over the last two years as attackers turned to other techniques, Cisco says in its report. In addition, the number of disclosed security vulnerabilities jumped nearly 12 percent this year, the report says. There were 103 vulnerabilities reported in virtualization software, up from only 35 in 2007.

Cisco expects spear phishing -- which currently accounts for only 1 percent of all phishing attacks -- to grow next year as cybercriminals create more convincing spam. Social engineering and the expansion of mobile computing, virtualization, and cloud computing will also pose more risks in the coming year.

Attackers are blending email and Web-borne attacks to better hit their targets. "Today's attacks are clearly multiprotocol," said Tom Gillis, vice president of product management and product marketing for Cisco's security group in a Webcast on the report today. "If you're only looking at email traffic, you're missing what's happening.

"The threats we're seeing today are odorless, invisible gases that are noxious," he said. "'08 was a rough year for computing."

The Cisco report also provides recommendations for organizations to protect themselves from malware infections, data loss, and other risks in the coming year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.
PUBLISHED: 2020-07-13
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...