Email Attacks Get Personal – Messagelabs Publishes 2004 Email Security Report

London, 6 December 2004. – Phishing attacks or online identity theft has established itself as the principal threat of 2004, and may signal the beginning of a wave of email security attacks targeted specifically at individual or small groups of companies. This puts business firmly on the front line in the fight against online attacks, according to the annual MessageLabs Intelligence Email Security Report for 2004 (*) released today by MessageLabs, the leading provider of managed email security services to business worldwide.

In September 2003 the company intercepted 279 phishing emails (containing a URL to a fraudulent website), by September 2004 that figure had significantly risen to over two million. During the course of 2004, MessageLabs intercepted over 18 million phishing-related emails.

The perpetrators of phishing attacks have also developed new techniques in order to increase their chances of success. Recently, phishing emails have been designed to capture online banking details automatically when a user opens the email, rather than when the user clicks on the URL link. Phishers have also attempted to dupe unsuspecting users into becoming middlemen for money laundering operations, by offering employment opportunities with legitimate organisations.

Spam and virus ratios have also risen since the end of 2003. In 2004 the virus infection ratio was 1 in 16, in comparison to 2003 when it was 1 in 33. The most widespread outbreak of the year was W32/MyDoom.A, which occurred in January. In addition, the percentage of email identified as spam in 2004 is 73 percent whereas in 2003 it was 40 percent.

As well as the rise in phishing, virus and spam volumes, MessageLabs also witnessed tailored malicious activity ranging from Denial of Service (DoS) attacks targeted at blackmailing online gaming sites through to threats that send out child pornography in the name of a particular reputable organisation.

There is also evidence to suggest that Trojans and other malicious code have been developed during 2004 specifically to compromise particular organisations. MessageLabs expects this trend to continue.

Mark Sunner, Chief Technology Officer at MessageLabs, commented: “Email security attacks remain unabated in their persistence and ferocity. The major development of the year has undoubtedly been the emergence of phishing – in just twelve months it has firmly established itself as a threat to any organisation or individual conducting business online.

“We believe that the singling out of certain companies to be the victim of phishing attacks could signal the beginning of a wider trend. Already particular businesses are threatened and blackmailed, indicating a shift from the random, scattergun approach, to customised attacks designed to take advantage of the perceived weaknesses of some businesses.”

As well as threats from targeted fraud, MessageLabs believes that the other key issue facing companies in the coming months will be pressure to comply with regulation. Already in place in a number of countries, laws surrounding financial reporting and disclosure of information require companies to have policies for monitoring, securing and storing all business transactions: including email and instant messaging.

Mr Sunner added: “Compliance is already a big issue, and many firms have yet to grasp the impact it will have on the administration, management and security of email. Failure to comply could not only result in potential legal problems, but threaten a company’s credibility and reputation as well.

“It is vital to ruthlessly evaluate email management solutions, and consider current and potential future regulatory requirements when deciding how best to ensure compliance.” The MessageLabs Intelligence Annual Email Management and Security Report 2004. For a copy, visit www.messagelabs.com/intelligence/2004report