The study finds that a complex and sophisticated criminal economy has developed to capitalise on Web vulnerabilities. Underground brokers are delivering tools to aid in obfuscation, or camouflaging attacks on browsers, so cybercriminals can avoid detection by security software. In 2006, only a small percentage of attackers employed camouflaging techniques, but this number soared to 80 percent during the first half of 2007, and reached nearly 100 percent by the end of the year. The X-Force believes the criminal element will contribute to a proliferation of attacks in 2008.
Using these techniques, cybercriminals can infiltrate a user's system and steal their IDs and passwords or obtain personal information like National Identification numbers, Social Security numbers and credit card information. When attackers invade an enterprise machine, they could steal sensitive company information or use the compromised machine to gain access to other corporate assets behind the firewall.
The Storm Worm, the most pervasive Internet attack last year, continues to infect computers around the world through a culmination of the threats the X-Force tracks, including malicious software (malware), spam and phishing. Last year, delivery of malware was at an all time high, as X-Force reported a 30 percent rise in the number of malcode samples identified. The Storm Worm comprised around 13 percent of the entire malcode set collected in 2007.
In other findings, for the first time ever, the size of spam emails decreased sharply to pre-2005 levels. X-Force believes the decrease is linked to the drop off of image-based spam. This decrease can be counted as a win for the security industry - as anti-spam technologies became more efficient at detecting image-based spam, spammers were forced to turn to new techniques.
The X-Force has been cataloguing, analysing and researching vulnerability disclosures since 1997. With more than 33,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure.
The new X-Force report from IBM also reveals that:
- The number of critical computer security vulnerabilities disclosed increased by 28 percent, a substantial upswing from years past.
- The overall number of vulnerabilities reported for the year went down for the first time in 10 years.
- Out of all the vulnerabilities disclosed last year, only 50 percent can be corrected through vendor patches.
- Nearly 90 percent of 2007 disclosed vulnerabilities are remotely exploitable.