Hackers are increasingly targeting Java vulnerabilities and Adobe vulnerabilities in Flash and Shockwave because the platforms are widely used and tend to remain unpatched for longer.
The latest biannual report from email and Web security company M86 Security Inc., which covers the first half of 2011, reveals that six of the top 10 most-exploited vulnerabilities were in Adobe products – twice as many as in the previous report for the second half of 2010.
Concurrently, the Java WebStart vulnerability moved up from number 15 on the list of most exploited vulnerabilities six months ago to number 10. “As with Flash and Acrobat, Java-based vulnerabilities are of concern due to the universal use of this technology and the lack of updating or patching for many Java installations,” the report noted.
The report’s authors concluded it suits cybercriminals to focus on platforms that operate on multiple browsers. “This process will further push cybercriminals to find vulnerabilities in Adobe products like Flash and Acrobat along with Oracle’s Java. Targeting a single software application that is used with all browsers requires less effort,” the report said.
Many of the Adobe attacks are also becoming more sophisticated, the report noted. While spam dropped by about a third, it still accounts for 77% of all email on the Internet, but the proportion of spam containing malicious attachments has risen from 1% to 3%. “Spammers are getting cleverer and nastier, and they spend more time on targeted attacks,” said Ed Rowley, a product manager for Orange, Calif.-based M86. “We are seeing a lot more handcrafted attacks embedding Shockwave into Office documents, which makes it harder for gateway AV scanners to detect.”
The report says the technique was used in March in the high-profile attack against RSA. An email message was sent to specific staff members claiming to be about the 2011 recruitment plan, and contained an Excel file as an attachment. The file contained an embedded Shockwave file that was used to exploit a zero-day vulnerability (CVE-2011-0609) in Adobe Flash on the victim’s system.
“Many security solutions (such as antivirus scanners) aren’t fully capable of separating the malicious Flash component embedded in the Office files, making them difficult to analyze,” the report concluded. “We believe this trend of combining malicious Shockwave files into Microsoft Office files will continue. We expect more vulnerabilities to be found and exploited in both Office and Flash platforms.”
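A defender-side check for the embedding technique the report describes, added here as an example and not code from the M86 report or from any named product: it looks for SWF file headers inside an Office document, scanning a legacy OLE2 file as raw bytes and an OOXML package part by part. All sample inputs are constructed; the Flash version range and the 8-byte minimum length used as sanity checks are this example's own assumptions.

```python
"""Detect Flash (SWF) objects embedded in Office documents (added example,
not code from the M86 report). Scans legacy OLE2 files as raw bytes and
OOXML packages part by part; all sample inputs are constructed."""
import io
import struct
import zipfile

# A SWF starts with a 3-byte signature (FWS uncompressed, CWS zlib, ZWS LZMA),
# a one-byte version and a 4-byte little-endian uncompressed file length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def find_swf_headers(data: bytes) -> list:
    """Return (offset, signature, version) for each plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                # Reject chance "CWS" text: require a sane Flash version and a
                # declared length that at least covers the 8-byte header (assumed).
                if 1 <= version <= 50 and length >= 8:
                    hits.append((pos, sig.decode(), version))
            pos = data.find(sig, pos + 1)
    return hits


def scan_office_file(blob: bytes) -> list:
    """Scan an Office document (OLE2 or OOXML zip) for embedded SWF content."""
    if not blob.startswith(b"PK\x03\x04"):
        # Legacy OLE2 (.xls/.doc) or unknown container: scan the raw bytes.
        return [(str(off), sig, ver) for off, sig, ver in find_swf_headers(blob)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():  # embedded objects sit in parts such as xl/embeddings/
            for off, sig, ver in find_swf_headers(zf.read(name)):
                findings.append((f"{name}@{off}", sig, ver))
    return findings


def build_samples() -> dict:
    """Constructed inputs: a fake CWS header wrapped as OLE2-like bytes and as OOXML."""
    fake_swf = b"CWS\x0a" + struct.pack("<I", 4096) + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", fake_swf)
    return {"ole": b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + fake_swf,
            "ooxml": buf.getvalue(), "clean": b"\xd0\xcf\x11\xe0 no flash here"}
```

A gateway that flags any hit here can quarantine the document for deeper analysis even when the AV engine never unpacks the embedded object.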
The report also recorded a sharp rise in social networking scams, such as clickjacking and Likejacking in Facebook, which are designed to drive traffic to certain fake sites and earn commissions for the scammers while also spreading malware.
“The thing about social networking is that people tend to trust the messages coming through,” Rowley said. “They think the messages are from friends and so they lower their guard and they are less suspicious.”
Although most of the scams tend to use Facebook, the report provides an example of a blended email attack that masqueraded as a notification from LinkedIn. The message asked the recipient if he or she would like to join the sender’s professional network. Users who clicked on the “confirmation” button were led to a server hosting the BlackHole Exploit Kit, which then attempted to exploit vulnerabilities in Java, PDF reader and other client-side software applications.
In order to combat the attacks, Rowley recommended regular patching of all software to keep it up to date, educating users about the various scams, and using the new security settings available in social networking sites. “Facebook and Twitter have added the option to use HTTPS for their services. We strongly recommend you enable this setting on both services,” he said.
But another new survey shows small companies in the UK have failed to grasp the dangers fully. The research, commissioned by communications equipment manufacturer Netgear, quizzed 300 companies across the country, all of which employed between 50 and 250 people.
The survey found that, while 47% of the organisations are now using social media to stay in touch with customers, only 29% had given their employees any training about the risks involved, and only 34% of businesses have any form of content filtering to stop malware or prevent the loss of confidential information. Furthermore, fewer than half of them had updated their security policies in the past six months to reflect changing patterns of Internet usage.