Internet security breaches and fraud attempts have outpaced the
“impressive” growth of Internet usage, with the U.S. being the biggest target
of attackers, according to statistics released by Verisign.
Verisign, which markets digital commerce and communication products and
services to enterprise clients, reported that the number of security events
per device it managed increased by nearly 99 percent between May and August
of 2003.
According to the company’s Internet Security Intelligence Briefing report
for October, the 51 percent year-over-year growth in Internet usage has been
outpaced by security and fraud threats, which are increasing both in number and
in complexity. “From a geographical perspective, the United States continued to
be the leading source, accounting for nearly 81 percent of security events,”
Verisign said.
The Mountain View, Calif.-based firm painted a glowing picture of Web
usage, reporting that DNS resolutions grew by more than 50 percent between
August 2002 and August 2003. Verisign said DNS resolutions for e-mail
jumped a whopping 245 percent in the same period.
Verisign claims it processes more than 10 billion DNS
queries per day, more than three times the daily volume three years ago.
But, along with the heady growth of usage comes a major security threat.
Data from Verisign’s fraud prevention systems indicate that 6.2 percent of
e-commerce transactions in the U.S. were potential fraud attempts, and over
52 percent of fraud attempts against Verisign merchants now originate from
outside of the U.S.
“There is increasing evidence of overlap between perpetrators of Internet
fraud and security attacks,” the company reported, noting that the data
showed extremely high correlation (47 percent) between sources of fraud and
sources of security attacks. “Attackers who gain control of Internet host
machines are using these compromised hosts for both security attacks and
fraudulent e-commerce transactions,” according to the report (PDF format).
Based on the evidence, Verisign warned that attacks in the future would
be “more blended, more complex, more potent and more coordinated.”
“The SoBig virus provides a great example of the sophistication of these
threats,” the company noted, referring to the destructive mass-mailing virus
that carpet-bombed the Internet in September and reduced network traffic to
a crawl.
“The worm had its own domain name resolution mechanism, and it was
programmed to bypass the local DNS resolvers as well as any local cache,
conceivably to make it spread more easily and therefore more
potent. It was programmed to look up the DNS name of a recipient’s e-mail
address directly from the A or B DNS root servers,” Verisign reported.
The company, which operates the A-root server, observed a 25-fold
increase in e-mail-related DNS lookups (MX record lookups) per second in its A-root cluster, noting that the traffic did not abate until Sept. 10, when the virus was programmed to self-destruct.
“We believe this is the first time DNS root servers were used to speed up the rate of infection, as a study of other well-known mass-mailing viruses such as Bugbear and Klez did not reveal similar increases in MX record lookups during their infectious periods,” Verisign added.
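The two signals the report describes, hosts that bypass the site's own resolvers to send MX queries straight to root servers, and a sudden jump in MX query rate, are easy to check for in DNS query logs. The following detection script is an added example and is not code from Verisign or from the report; the log format, the resolver and root-server address sets (only 198.41.0.4, the A-root, is a real address; the rest are placeholders) and the sample log lines are all constructed for illustration.

```python
"""Flag SoBig-style DNS behaviour in a query log: MX lookups sent directly to
root servers by ordinary hosts, and per-second MX volume spiking far above a
baseline. Everything below (log format, addresses, sample data) is constructed."""
from collections import Counter
from dataclasses import dataclass

# Assumed site configuration (hypothetical addresses, except the A-root).
LOCAL_RESOLVERS = {"10.0.0.53"}                 # the site's own recursive resolver
ROOT_SERVERS = {"198.41.0.4", "192.0.2.10"}     # A-root plus a placeholder root address


@dataclass
class DnsQuery:
    ts: int      # epoch seconds
    src: str     # client address
    dst: str     # server the query was sent to
    qtype: str   # record type, e.g. "A" or "MX"
    qname: str   # name queried


def parse_line(line: str) -> DnsQuery:
    """Parse one constructed log line: '<epoch> <src_ip> <dst_ip> <qtype> <qname>'."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed log line: {line!r}")
    ts, src, dst, qtype, qname = parts
    return DnsQuery(int(ts), src, dst, qtype.upper(), qname.lower())


def resolver_bypass_hosts(queries) -> dict:
    """Count MX queries that ordinary hosts (not our resolvers) sent directly
    to a root server. A healthy client never talks to a root server itself."""
    hits = Counter()
    for q in queries:
        if q.qtype == "MX" and q.dst in ROOT_SERVERS and q.src not in LOCAL_RESOLVERS:
            hits[q.src] += 1
    return dict(hits)


def mx_rate_spikes(queries, baseline_per_sec: float, factor: float = 25) -> list:
    """Return the seconds in which MX query volume reached factor * baseline.
    The default factor mirrors the 25-fold increase cited in the report."""
    per_sec = Counter(q.ts for q in queries if q.qtype == "MX")
    return sorted(ts for ts, n in per_sec.items() if n >= factor * baseline_per_sec)


def analyze(lines, baseline_per_sec: float = 1.0) -> dict:
    """Run both checks over raw log lines and return the findings."""
    queries = [parse_line(line) for line in lines]
    return {
        "bypass_hosts": resolver_bypass_hosts(queries),
        "spike_seconds": mx_rate_spikes(queries, baseline_per_sec),
    }


# Constructed sample log: one normal client, the resolver doing legitimate root
# work (an NS query), and one host firing 30 MX queries at the A-root in a second.
SAMPLE_LOG = [
    "1063152000 10.0.0.17 10.0.0.53 A www.example.com",
    "1063152000 10.0.0.17 10.0.0.53 MX example.com",
    "1063152000 10.0.0.53 198.41.0.4 NS example.com",
] + [f"1063152001 10.0.0.99 198.41.0.4 MX mail{i}.example.net" for i in range(30)]


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for host, n in findings["bypass_hosts"].items():
        print(f"host {host} sent {n} MX queries directly to root servers")
    for ts in findings["spike_seconds"]:
        print(f"MX query spike at t={ts}")
```

In a real deployment the baseline would come from a rolling window of the previous days rather than a constant, and the resolver-bypass check is the more robust of the two: a client that needs to reach a root server at all is already outside normal policy, so the finding stands regardless of volume.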
The company said its network security team found a definite correlation between fraud attacks and
network security attacks, a scenario which indicates that people who are attacking enterprise network perimeters are also likely to be committing online fraud.
“Hackers tend to attack a system to gain sensitive information such as
credit cards or account logins which they can sell to other hackers, or they
attack a system to gain privileged access (root access) to the machine which
can also be traded with other hackers, or used to launch follow on attacks,”
the company warned.
In addition, intruders tend to use compromised hosts or proxies to hide
their tracks. Once a hacker gains access to a machine, they tend to install
a specific piece of software called a ‘rootkit’, which gives them privileged access
to the system. “The rootkit ensures the anonymity of the hacker by
automatically deleting the important logs on the system that can be used to
trace the hacker’s activities,” Verisign added.
After privileged access is obtained and a rootkit installed, Verisign
reported, hackers then use the compromised machine to attack other
machines without being traced.