“Targeted attacks destined for Small Business (1 to 250 employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percentage points,” says Symantec’s Internet Security Threat Report 2013 (ISTR). The report suggests state-sponsored attacks gain more notoriety than ‘regular cybercrime’, but remain rare.
“The greatest risk,” it says, “comes from the more prevalent targeted attacks that are created for the purposes of industrial espionage. Increasingly, small to medium-sized businesses (SMB) are finding themselves on the frontline of these targeted attacks as they have fewer resources to combat the threat and a successful attack here may subsequently be used as the springboard to further attacks against a larger organization to which they may be a supplier.”
Targeted attacks in general are increasing. Symantec saw an increase of 42% during 2012. However, attacks aimed specifically at small businesses (fewer than 250 employees) grew from 18% of all targeted attacks in 2011 to 31% in 2012.
Attackers “might use personal information, emails, and files from an individual in such a smaller company to create a well-crafted email aimed at someone in a [larger] target company.” Social engineering remains the key. “For example, messages impersonating EU officials, messages that appear to come from security agencies in the United States and target other government officials, or messages that piggyback announcements about new procurement plans from potential government clients such as the U.S. Air Force.”
However, Symantec also notes the emergence of the watering hole as the “biggest innovation in targeted attacks.” It gives an example that it pins on the Elderwood Gang – believed to be the criminals, possibly state-sponsored, behind the ‘original’ APT, the Aurora attack on Google. A human rights organization’s website was compromised with a single line of code that exploited a zero-day Internet Explorer flaw. “Our data showed that within 24 hours, people in 500 different large companies and government organizations visited the site and ran the risk of infection.”
Extrapolating from this year’s data, Symantec makes a number of predictions for the future. At the high end, state-sponsored attacks will increase – “an outlet where tensions between countries are played out.” The sophistication employed by states will trickle down into mainstream criminality: the “know-how used for industrial espionage or cyberwarfare will be reverse-engineered by criminal hackers for commercial gain.” Legitimate websites will become more dangerous as criminals use drive-by and water hole attacks to compromise visitors. Social media will become a ‘major security battleground.’ “As they go mobile and add payment mechanisms, they will attract even more attention from online criminals with malware, phishing, spam, and scams.” Attacks against cloud providers will increase, and mobile malware and phishing attacks will get more sophisticated.
Worryingly, however, Symantec sees malware becoming ‘increasingly vicious.’ The danger is in criminals combining the high success rate they currently get from ransomware with the destructiveness of something like Shamoon. “Essentially, if it is possible, someone will try it; if it is profitable, many people will do it.”