Cyber Criminals Turn to Home Users

WASHINGTON –- Phishing and spam are on a dramatic rise as home users become the prime targets of online criminals.

According to a new report by Symantec, phishing attacks were up 81 percent over the last six months and spam jumped 50 percent over the same period.

Between January and June of this year, Symantec detected 157,477 unique phishing messages. Spam made up 54 percent of all monitored e-mail.

“Attackers are focusing on the low-hanging fruit,” Dean Turner, the executive editor of Symantec’s semiannual Internet Security Threat Report, said at a Capitol Hill briefing.

As businesses increase their network security, Turner said consumers are a logical next target.

“The motivation is the same: money,” he said. “What has changed is that they are going after the client side, particularly browsers.”

Due to its market dominance, Microsoft’s Internet Explorer (IE) was the most targeted browser during the reporting period, accounting for 47 percent of browser-based attacks.

Mozilla browsers, though, had the highest number of reported vulnerabilities with 47, almost three times the 17 reported from the last six months of 2005. IE came in second with 38 reported vulnerabilities, a 52 percent increase from the last six months of last year.

“All browsers are vulnerable,” Turner said. “In their minds, some people think [Mozilla’s] Firefox is a more secure browser than IE, but we don’t have any evidence to indicate that.”

Turner also noted, “Just because a browser has a vulnerability doesn’t necessarily mean it is exploitable.”

The good news for browsers, according to the report, is the shortening of the window of exposure (WOE) for those vulnerabilities. In general, Turner said, the patch development time for browsers is shorter than WOE metrics.

In the first six months of this year, Mozilla issued patches for vulnerabilities in one day while Microsoft took nine days, down from 25 days last year. Apple took an average of five days to patch its Safari browser.

As for patch development time for operating systems, Microsoft and Red Hat posted the best marks during the reporting period, taking an average of 13 days. Apple took 53 days, followed by Hewlett-Packard’s HP-UX (53 days) and Sun Solaris (89 days).

Over the last three reporting periods, Microsoft has had the shortest patch development time of all operating system vendors.

“Microsoft is beginning to challenge the ‘open source is quicker’ school of thought,” the Symantec report states.

According to Turner, bots containing malicious code also continued unabated in the first six months of 2006, accounting for 22 percent of the volume of top 50 malicious code reports.

Combined with vulnerable browsers, Turner said bots are “perfect for distributing spam and phishing attacks.”

Symantec’s numbers show an average daily total of 57,717 active bot networks controlling approximately 4.6 million computers. China had the highest percentage of known bot networks at 20 percent.

The United States followed at 19 percent with the U.K. coming in third at 7 percent.

The report also states 58 percent of all spam detected worldwide originated in the United States.

News Around the Web