What’s a New Identity Cost? Less Than a CD.

Data and identity theft are far and away the growth sectors among the criminal underground, according to Symantec’s 11th Internet Security Threat Report. The U.S. rates as the most popular target for theft.

Every day, Symantec scans the Internet, taking in several terabytes of data, to find “wild” viruses. But it also monitors the underground economy where identity “packages” are sold. According to the report, which covered malware activity for the last six months of 2006, hundreds of clandestine servers are selling identities, either in single units or in bulk.

“It was surprising how brazen they are,” Alfred Huger, vice president of engineering at the Symantec Security Response team, told internetnews.com. “We got the impression there were bulk buyers, while others bought singly. And we saw the same people on multiple servers, so the community is big enough that they know to shop around for a deal.”

Symantec monitored 330 servers, the bulk of which were in the U.S. The report stated that 51 percent of all known underground economy servers were located within the U.S., with Sweden coming in second at 15 percent.

The identity bundles consisted of a name, address, Social Security number, and at least one bank or credit card account. Prices ranged from $14 to $18 per identity.

Other goodies for sale included Skype accounts, accounts to the online game World of Warcraft, online banking accounts with a guaranteed $9,900 balance, and PayPal accounts with balances. In all, Huger said Symantec watched more than 5,000 transactions.

The report clearly shows the U.S. has a bull’s eye painted on it. A whopping 86 percent of stolen credit cards were from U.S. banks, with U.K. credit cards coming in second at seven percent.

Other statistics from the report:

  • Symantec recorded an average of 5,213 denial of service (DoS) attacks per day, down from 6,110 in the first half of the year.
  • The United States was the target of most DoS attacks, accounting for 52 percent of the worldwide total.
  • The government sector was the sector most frequently targeted by DoS attacks, accounting for 30 percent of all detected attacks.
  • Microsoft Internet Explorer was targeted by 77 percent of all attacks specifically targeting Web browsers.
  • Symantec observed an average of 63,912 active bot-infected computers per day, an 11 percent increase from the previous period.
  • China had 26 percent of the world’s bot-infected computers, more than any other country.
  • The United States had the highest number of bot command-and-control computers, accounting for 40 percent of the worldwide total.
  • Beijing was the city with the most bot-infected computers in the world, accounting for just over five percent of the worldwide total.
  • The United States accounted for 31 percent of all malicious activity during this period, more than any other country.
  • The number of zero-day attacks, where a threat is in the wild but there is no fix for it, went from an average of one per period to 12.

The Web remains the single biggest point of weakness, with 66 percent of all vulnerabilities related to Web technologies, such as e-commerce and Web forums.

“It’s pretty safe to say that the most insecure software we see today is Web software, and I think it’s because of ease of use,” said Huger. “These new languages like Ruby and Perl and PHP are great, they’re easy to use, and it makes them accessible. But it also brings people to the game who don’t know how to program securely.”

Far more interesting, though, was the turnaround rate when vulnerabilities were found. Microsoft has the reputation for having an operating system that’s about as secure as a kiddie gate, but Sun Microsystems actually was worse in both the number of problems and rate of repair.

Microsoft had 39 OS-related vulnerabilities in the second half of 2006 and issued a fix on average within 21 days. Sun, by contrast, had 63 issues and took 122 days. Apple had 43 problems and took on average 66 days to issue a fix.

But before we go on thinking every server is being hacked, Huger points out that only 13 percent of all data loss last year was due to hacking, while 54 percent was due to physical theft or loss of hardware, like the increasing number of laptops that are performing a vanishing act. Another 28 percent was due to sloppy or poor policy, like AOL releasing subscriber search records.

Still, Huger is optimistic. “Ten years ago, virus writers existed in very succinct privacy. It was very difficult to get access to them. In this game we’re watching what they are doing, how they are doing business. The stakes are higher but we are certainly better prepared to deal with it,” he said.
