Spear-phishing and crimeware assembling marked second half of 2010

The Anti-Phishing Working Group (APWG) reports that the development of crimeware surged in the half-year period ending in December 2010, with one data contributor registering more than 10 million new malware samples in the period, while other analysts describe important shifts in approaches to crimeware deployment by cybercrime gangs.

Cybercriminals repurpose the base code of existing crimeware, using polymorphic techniques to craft new variations that evade detection by filters reliant on fingerprints of known crimeware.

In H2 2010, however, cybercriminals’ crimeware development efforts more than redoubled, with PandaLabs reporting 10,425,663 new malware samples registered in that period – some 17 percent of all samples the company has recorded since 1990.

Luis Corrons, PandaLabs Technical Director, says that fifty-five percent of the new samples created in the 2nd half of 2010 were Trojans, the favorite weapon used by cybercriminals to infect consumers’ computers.

Patrik Runald, Senior Manager, Security Research for Websense, says that his laboratory noticed a shift toward a binary weapons approach to infecting PCs with crimeware, assembling the final crimeware code from several components that arrive through different mechanisms and at different times.

“During the second half of 2010 we saw a small drop, percentage-wise, in malware aimed specifically at stealing data but an increase in the total amount of samples compared to the first half of 2010,” says Runald. “Downloaders are used in many of these cases and the end goal is still to steal data – but using several components instead of including this functionality in the main component.”

“The second half of 2010 saw a 6 percent drop in total phishing attacks from the first half. However, the number of brands targeted went up by over 7 percent and there was an increase of almost 6 percent in unique Brand-Domain pairs,” says Ihab Shraim, chief security officer and vice president, network and systems engineering at MarkMonitor. “This data suggests that phishers are utilizing more targeted tactics in order to achieve a better ROI on their phishing campaigns.”

Indeed, while measurements for conventional social engineering-based phishing show some slowing of growth during the half, reports of hyper-focused phishing attacks on key personnel have been increasing since H2 2010, and have continued growing through early 2011, indicating a larger shift in tactics by established cybercrime gangs. Though difficult to count automatically, reports of these so-called “spear-phishing” schemes have been increasing in frequency over the past year – and continue to grow.

“There are an increasing number of reports where spear-phishing is used as part of a sophisticated attack to gain access into a corporation’s network by infecting a targeted employee’s computer. This trend is accelerating in 2011, and is responsible for many high profile corporate data breaches,” says APWG chairman Dave Jevans.

Other highlights of the report include:

  • Unique phishing reports submitted to APWG in H2, 2010 steadily decreased over the half, after reaching a previous high for 2010 in June with 33,617
  • Unique phishing websites detected by APWG during H2, 2010 saw a fluctuation of more than 5,000 sites month to month within the half-year period
  • The high number of unique brand-domain pairs, 16,767 in November, was down nearly 32 percent from the record of 24,438 in August, 2009
  • The number of phished brands reached a high of 335 in September during the half, a decrease of 6 percent from the all-time high of 356 in October, 2009
  • Financial Services returned to being the most targeted industry sector in the 3rd and 4th quarters of 2010
  • Sweden jumped to the top of countries hosting phishing sites reported during Q3, 2010 with 83.12% of all hosting sites reported in August
  • The top 10 most prevalent families of fake anti-virus software are responsible for more than 59 percent of rogueware infections

