Spammers’ URL shortening sites highlight weakness of old security

A recent Web threat report warned that spammers are now using their own URL shortening servicesto lure spam recipients into clicking on malicious web links. These use the “.info” top level domain and are open to the public to use for shortening Web links.

Eighty seven URL shortening sites have been identified.

Symantec, which highlighted the issue in its October intelligence report, pointed to the fact that shortened links make it more difficult for traditional anti-spam technology to identify and block malicious messages.

A lot of the traditional anti-spam engines were developed before URLs were widely used in email, so they are not geared up to analyze embedded URLs, as seen in blended email threats, let alone the shortened URLs that got popular with Twitter. Often these URLs link to malicious, or compromised webpages.

The evidence that spammers have developed their own URL shortening service is yet another example of cybercriminals adopting new technology and using this to bypass traditional security measures and catch out unsuspecting users. This is precisely why organizations need to consider technology that looks at the intent of code embedded within email and Web content, rather than relying solely on updates of signature-based databases.

Cybercriminals exploit gaps in existing IT defenses in order to propagate malware. Last year consumers and businesses lost an estimated one hundred billion dollars to cybercrime.

So, if we’re all paying for antivirus, firewall technology and other IT defenses, what has changed and why are these losses growing? As the URL shortening example shows, cybercriminals are adept at harnessing new technology to increase their success rates. The information security industry as a whole has not been quick enough to respond to these changes. The majority of consumers and businesses are using malware and perimeter protection that is based on technology that was developed twenty years ago.

Up until four years ago, the security industry used to be able to block 97 to 99 per cent of all malicious attacks and malware. Today, antivirus, URL filtering and reputation databases combined are only able to block 40 per cent of malware. The reason for this is that the traditional security technologies are reactive-based technologies, relying on continuously refreshed databases of updated threat information such as malware signatures, or URL reputations. However, if a brand new sample of malware is circulated, this opens a window of vulnerability until the vendors update their databases and send out the required patches. As a result of this growing “malware gap”, more attacks are successful at compromising networks to yield lucrative information and cybercrime has exploded.

In the past four years cybercrime has escalated by 400 per cent. In the same period the information security industry has grown at a rate of 40 per cent a year.

Part of the reason for this exponential growth in cybercrime is that the barrier to entry has been lowered for ordinary criminals to move their activities online. It costs very little to buy into a spamming botnet to push out malware, or to compromise a legitimate site with malware. There are even criminal exploit kits available to buy and “crimeware as a service” offerings with service level agreements that guarantee a certain infection rate.

How can they guarantee infections? In the exploit kKits that we have studied in our Security Labs, we have seen new detection features that alert the cybercriminal when their malware is being detected by the leading antivirus companies, in the same way that VirusTotal is used, allowing the criminal coders to stay one step ahead.

Cybercriminals have the competitive advantage: their technology and methods are newer and creative, their costs are lower, they don’t pay any taxes and rarely get caught – it is a highly lucrative business.

Our Security Labs have been tracking spam and malware in the wild for many years. At present we see banking Trojans, social media exploits, mobile malware and advanced persistent threats posing the greatest threats. We have observed the rapid evolution of banking Trojans, from the ZeuS attack on a UK bank, uncovered in August 2010, to the latest developments with SpyEye.

At first, these Trojans simply captured keystrokes, as a means of stealing account login details. Now, these have evolved to full “man in the browser’ attacks and are also compromising mobile devices. Every time the banking industry implements a new security method, cybercriminals reinvent their code to circumvent the latest defense.

Financial institutions and their customers are targeted hard because cybercriminals have the most to gain from cracking their defenses. Other vertical markets with valuable intellectual property; large customer databases; defense contracts and pharmaceutical information are also routinely targeted by cybercriminals.

Except for a few organizations that are charged with safeguarding the most sensitive data, companies have not updated their defenses to cater for the growing malware gap. The net result is epidemic vulnerability.

The malware gap that used to be 3 per cent is now at least 60 per cent. That means that you and your company have a 60 per cent chance of being infected by the latest malware attacks.

People clicking on shortened URL links that lead them to infected websites is just one more way for that malware to find its way into your organization, mobile device, or home computer.

So with more and more sophisticated threats being released each year, what can companies do to protect the information that they store? Firstly, they must continually review new threats to update and enforce security policies to manage the risk to their data and systems. Most new malware is distributed over the Web. Therefore, organizations that are entrusted with the most sensitive data should review and benchmark their existing Web security to test whether it can narrow the malware gap and keep up with the latest threats.

We have talked about security technology lagging behind new cyberthreats, but education of employees is always going to be a key factor in minimizing your risk from cybercrime. It should be recognized that most employees are not technical and are using the Internet for perfectly legitimate reasons at work and home. Web use policies should be clearly outlined and new threats simply explained, so that ordinary users can understand what a cybercrime attack may look like, what messages should make them suspicious and how they can safely check the legitimacy of messages. Additionally, social media privacy settings and acceptable use should be explained and de-mystified.

Social media sites provide a rich source of information for cybercriminals, who can use them to profile individuals that hold particular positions within target organizations. This profiling allows spammers to tailor their malicious messages and increase the likelihood that the recipient will click on links or attachments contained within spam.

What we advocate is using technology that looks at the intent of code within webpages, webmail, email and social media sites, without slowing down the page load. Using this method, if a URL is shortened and allowed through traditional anti-spam defences, but it leads to a site that attempts to download code, or start executable files, then the webpage will be blocked, or the offending code stripped out, to prevent malware entering your system. By coupling this proactive protection with user education and ongoing evaluation of Web defences as new threats arise, organizations can start to close the malware gap.