It's getting harder to tell the good guys from the bad: Sophisticated cybercriminals are increasingly taking cover behind legitimate Websites and email domains to lure their victims, according to Cisco Systems' annual security report, released today.

Among the key findings of The 2008 Cisco Annual Security Report is a 90 percent increase this year in threats originating on legitimate Websites that were unknowingly infected by cybercriminals. And nearly 8 percent of email providers' traffic was generated from hijacked legitimate email domains.

It all starts with malware and botnets, according to Cisco, and botnets are the "nexus" of cybercrime.

"What's fascinating to me are the criminal ecosystems -- the ability for criminals to no longer just use their own resources or know-how, but a broad network of criminals all working together to commit large, profitable, and successful crimes," says Patrick Peterson, Cisco fellow and chief security researcher for the networking giant, in a video blog. "Many of these begin with malware and botnets."

iFrame infections via SQL injection attacks on legit Websites were rampant in 2008, as the bad guys tried to infect users with bots and other malware when they visited these trusted Websites. The iFrames were injected onto the sites via botnets, and the infected links sent victims to malware-downloading sites, according to the Cisco report.

And as security vendors became savvier in protecting users from bot infections, cybercriminals started hiding their bots to do their dirty work, according to Cisco, using a technique the vendor calls "reputation hijacking." That's where bad guys use real email accounts and Web mail providers to send their spam email to evade detection by spam filters.

According to the Cisco report, while spam from reputation hijacking of the top three Web mail providers was about 1 percent of all spam worldwide, it made up 7.6 percent of the email providers' overall traffic this year.

"Cybercriminals are ceasing to use their botnets to perform the crimes directly...rather, using botnets to attack intermediary servers and then have those intermediary servers attack the victims so that the victim can't see the reputation of the botnet that was behind it," Cisco's Peterson says. "This is a way to repurpose their botnets."

The bad guys have their botnets log into Webmail accounts and search for weak passwords. "Then they create a ton of email messages [with those hijacked accounts] and send it to everyone in that address book," he says. "The free Webmail provider sends it and the recipient thinks it came from that ISP."

According to the Cisco report, 200 billion spam messages are sent each day, accounting for 90 percent of all email traffic. The U.S. accounts for 17.2 percent of spam traffic, followed by Turkey (9.2 percent), Russia (8 percent), Canada (4.7 percent), Brazil (4.1 percent), India (3.5 percent), Poland (3.4 percent), South Korea (3.3 percent), Germany (2.9 percent), and the United Kingdom (2.9 percent).

The number of malware infections from malicious email attachments has dropped by 50 percent over the last two years as attackers turned to other techniques, Cisco says in its report. In addition, the number of disclosed security vulnerabilities jumped nearly 12 percent this year, the report says. There were 103 vulnerabilities reported in virtualization software, up from only 35 in 2007.

Cisco expects spear phishing -- which currently accounts for only 1 percent of all phishing attacks -- to grow next year as cybercriminals create more convincing spam. Social engineering and the expansion of mobile computing, virtualization, and cloud computing will also pose more risks in the coming year.

Attackers are blending email and Web-borne attacks to better hit their targets. "Today's attacks are clearly multiprotocol," said Tom Gillis, vice president of product management and product marketing for Cisco's security group in a Webcast on the report today. "If you're only looking at email traffic, you're missing what's happening.

"The threats we're seeing today are odorless, invisible gases that are noxious," he said. "'08 was a rough year for computing."

The Cisco report also provides recommendations for organizations to protect themselves from malware infections, data loss, and other risks in the coming year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message