The increased level of maliciousness is being led by explosive growth of web-based malware infections, which are up 400% since 2011. That translates to a staggering average of 643 successful infections per week per company.
“Attackers are getting smarter, and can evade typical perimeter defenses pretty easily,” explained Ali Mesdaq, a FireEye researcher, in an interview. “Attacks through the web vector are hard to catch via standard signatures, because just on sheer volume companies can’t keep up with updating signatures, so attacks are slipping through.”
He noted that there has also been growth in obfuscation techniques, and many of the attackers’ tools are getting more advanced. “Also, while the community was made up of only a few people a few years ago, now a lot of people are putting energy and money into this,” he said.
Hand in hand with the web results is an intensified danger of e-mail-based attacks. There was a 56% growth rate in email-based attacks in the second quarter of 2012 versus the first quarter. These consisted of emails sent with malicious links as well as those with malicious attachments. In some months, attachment-based efforts were more prevalent, but in May link-based attacks were almost twice as frequent as attachment-based ones.
“These guys are always moving between the two, seeing what’s effective now, what’s effective later – there’s overall more organization,” Mesdaq said.
When it comes to the links themselves, FireEye has found that limited-use domains are on the rise. In 2011, it was common for a link to a malicious domain to be sent out en masse, 10,000 e-mails at a time in some cases. But so far in 2012, cybercriminals are sending a mail with a link to a site tailored for just one organization, or a small group, say three people.
The use of dynamic, throw-away domains has grown from 38% in the second half of 2011 to 46% in the first half of 2012.
“You can research one organization, and be more effective,” explained Mesdaq. “Rather than taking a shotgun approach, these people are looking for specific data from a specific company. It’s a higher reward undertaking.”
Also, the limited-use approach means that an email would not be recognized as carrying a widespread threat. It would also be much more likely to bypass blacklists and other types of filters.
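The blacklist problem described above is easy to see in a mail-gateway log. The following is an added illustration, not FireEye’s code or anything from the research itself: it runs a plain blacklist lookup and a simple organisation-wide prevalence heuristic over a small set of constructed link records (all addresses, domains and the blacklist entry are invented). A domain that is sent to only a handful of recipients and has never been seen elsewhere never reaches a blacklist, so the lookup misses it, while a “how many messages in this organisation link to this domain?” check still surfaces it.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed gateway records: (message id, recipient, URL found in body).
# All domains are invented; ".example" is reserved for documentation.
SAMPLE_LOG = [
    # mass campaign: the same link to many recipients, already blacklisted
    ("m1", "alice@corp.example", "http://known-bad.example/login"),
    ("m2", "bob@corp.example", "http://known-bad.example/login"),
    ("m3", "carol@corp.example", "http://known-bad.example/login"),
    # limited-use domain: three recipients, never seen elsewhere, not on any list
    ("m4", "dave@corp.example", "http://q7x-report.example/whitepaper.pdf"),
    ("m5", "erin@corp.example", "http://q7x-report.example/whitepaper.pdf"),
    ("m6", "frank@corp.example", "http://q7x-report.example/whitepaper.pdf"),
    # legitimate newsletter seen widely across the organisation
    ("m7", "alice@corp.example", "https://www.partner-news.example/q2"),
    ("m8", "bob@corp.example", "https://www.partner-news.example/q2"),
    ("m9", "carol@corp.example", "https://www.partner-news.example/q2"),
    ("m10", "dave@corp.example", "https://www.partner-news.example/q2"),
    ("m11", "erin@corp.example", "https://www.partner-news.example/q2"),
    ("m12", "frank@corp.example", "https://www.partner-news.example/q2"),
    # one-off but benign link: shows the false-positive cost of the heuristic
    ("m13", "grace@corp.example", "https://docs.vendor.example/manual"),
]

# Constructed blacklist: only the mass-campaign domain ever made it onto a list.
BLACKLIST = {"known-bad.example"}


def domain_of(url):
    """Lower-cased host part of a URL ('' if the URL has no host)."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def blacklist_hits(records, blacklist):
    """Message ids whose link domain is on the blacklist (the signature-style check)."""
    return {mid for mid, _rcpt, url in records if domain_of(url) in blacklist}


def domain_prevalence(records):
    """Number of distinct messages per link domain across the whole organisation."""
    msgs = defaultdict(set)
    for mid, _rcpt, url in records:
        msgs[domain_of(url)].add(mid)
    return {d: len(m) for d, m in msgs.items()}


def low_prevalence_misses(records, blacklist, max_messages=3):
    """Message ids the blacklist does NOT catch but whose link domain appears
    in at most `max_messages` messages organisation-wide (the prevalence check)."""
    rare = {d for d, n in domain_prevalence(records).items() if n <= max_messages}
    return {mid for mid, _rcpt, url in records
            if domain_of(url) in rare and domain_of(url) not in blacklist}


if __name__ == "__main__":
    print("blacklist caught:", sorted(blacklist_hits(SAMPLE_LOG, BLACKLIST)))
    print("blacklist missed, prevalence flagged:",
          sorted(low_prevalence_misses(SAMPLE_LOG, BLACKLIST)))
```

The blacklist catches only the mass campaign (m1 to m3); the targeted domain in m4 to m6 passes straight through. The prevalence check flags those three, but it also flags the benign one-off link in m13, which is why a check like this is a triage signal to combine with others (domain registration age, link-to-attachment behaviour, sender reputation) rather than a block rule on its own.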
For perpetrators, the tools available now allow a point-and-click building of a customized PDF. “It’s almost run like a marketing firm would run its business,” explained Phil Lin, another FireEye researcher. “They can source the template from something legitimate, like a white paper, glue the tracking cookies or add malware, then do a targeted e-mail blast through legitimate means – buying lists, for instance.”
FireEye’s research also shows that patterns of attack vary by industry. Technology is the No. 1 most-targeted industry by far. But healthcare attacks were up 100% from the second half of 2011. That segment has seen steady growth, without spikes.
Financial services, on the other hand, saw a dramatic increase in April and May – which coincides with a spike last year around the same time. This season, the spike originated in Latvia.
Energy and utilities, meanwhile, have seen a 60% increase over the last six months, the highest growth of any sector. These industries experienced 300% growth in attacks in one year, primarily via malware.
“This is one of the scarier industries that is being targeted because it affects all of our lives,” Mesdaq said. “There’s the potential to take down the grid.”
Utilities, he said, are just starting to catch up on security, modernizing within the last five years. That’s because the dynamics have changed – utilities are now much more dependent on communications networks, including for smart meters and automation. “They are now connected to networks that need to be secured,” Mesdaq explained.