Report says cybercrime is big and personal

On the statistical side, 142 million threats were blocked from infecting small businesses as of the second quarter of 2012 – an increase of 27% quarter on quarter. Overall, the report states that Trend protected its users against a total of 15.8bn spam messages, 448.8m malware samples, and 1.3bn malicious URLs. And, it adds, there are now 25,000 identified Android malware apps – up 317% on Q1 2012. The latter is an example of criminals ‘following the numbers’. “With more than 400 million active Android-based devices and more than 600,000 apps available on Google Play, the number of attacks has nowhere to go but up,” says the report, adding that only one in five Android devices has any security apps installed.

Police-based ransomware is cited as an example of an increasingly sophisticated and targeted attack. The latest ransomware tracks “victims’ geographic locations, holds their systems captive, and scares them using their respective countries’ police forces.” Ransomware encrypts parts of the users’ data and threatens not to release it until a fee or fine is paid. Early samples used simple encryption that companies such as Trend could easily break – but more recent versions are using increasingly professional encryption algorithms.

Trend’s earlier prediction that botnets will become smaller but more common also seems accurate. It’s an example of criminals not keeping all of their eggs in a single basket. Botnets are notoriously difficult to take down – but taking down five smaller botnets is more or less five times harder than taking down one large botnet. Earlier this month Trend showed that these multiple botnets are still used in single co-ordinated spam campaigns: Single massive spam campaigns replace high volume spam runs.

But needless to say, the Blackhole exploit kit retains center stage. Spam campaigns are used to lure victims to infected sites that redirect to a malicious Blackhole site. “In one particular attack,” says the report, “Trend Micro identified more than 2,000 distinct URLs, distributed over 374 domains. Each compromised domain hosted an average of 5 unique malicious landing pages.” The intention is almost always to deliver Zeus-like financial malware capable of stealing victims’ bank credentials and syphoning money out of their accounts. But what is particularly disturbing is the increasing use of hidden JavaScript and iFrame redirects within the spam emails. Not all email clients block iFrames and JavaScript, which means that merely looking at the email can redirect the user to a Blackhole site. If the user can and does set the client to ‘text only’, there is no threat – but many users prefer the attractive appearance of rich text displays.
