What's in The PhAT Report?
The most recent Phishing Activity Trends Report (or as I prefer to call it, “The PhAT Report”) contains some accepted wisdom and some startling surprises. It may influence your choice of security software and the focus of your security awareness. Read on...
250,000 New Threats Per Day?
The quarterly report is published by the nonprofit Anti-Phishing Working Group, with contributions of data and analysis from security firms such as PandaLabs, WebSense, Internet Identity, and Illumintel. Over 2,000 global corporations, government agencies, and organizations are members of APWG.
The first surprise in the PhAT Report confirmed my assumption about the trend while blowing my sense of its scale out of the water. I assumed the number of different malware species was growing, but not at the rate of “an average of 255,000 new threats per day.” That’s nearly 23,500,000 new threats in just the last three months of 2014!
No, there aren’t that many black-hat programmers in the world. The vast majority of the new threats are minor variations on old malware. Automated “code tweakers” rapidly re-write malware so that its bytes (and therefore its hash, the “signature” an anti-malware engine looks up) are slightly different while its functionality is unchanged. The altered bytes are intended to fool signature-based malware detection engines, which match files against patterns taken from malware seen before. By cranking out so many variants per day, the bad guys hope to stay ahead of anti-malware programs’ signature database updates.
Signature-based detection is still included in virtually all anti-malware programs, so the bad guys need to keep up this bombardment of variants. But other malware detection techniques that aren’t fooled by code tweaks are commonly used, too.
“Behavioral analysis” examines what software does rather than what it looks like. If, for example, a program tries to update files it didn't create, modify the Windows registry, or replace an operating system file, it may trigger an anti-malware alert.
Of course, many legitimate programs can be caught by behavioral analysis, so “whitelists” of programs generally recognized as safe are included in anti-malware software. Generally, users can add programs to such whitelists so they will stop generating false alerts.
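To make the three ideas above concrete, here is an added example in Python. It is my own illustration, not code from the PhAT Report or from any product named on this page. It models an exact-hash signature that a “tweaked” variant slips past, behavioral rules over the three actions the text names (writing files the program did not create, modifying the registry, replacing an operating-system file), and a whitelist that silences a false alert on a legitimate installer. The sample byte strings, the recorded “events,” and the file and registry paths are all constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass


# Constructed sample: a fake "binary" plus the actions observed when it runs.
# Each event is (action, target, program_created_target).
@dataclass
class Sample:
    name: str
    body: bytes
    events: list


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical credential stealer: the bytes and the behaviour are made up.
STEALER_BODY = b"MZ\x90\x00" + b"\xcc" * 16 + b"steal-creds-and-phone-home"
STEALER_EVENTS = [
    ("file_write", r"C:\Users\alice\Documents\notes.docx", False),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", False),
    ("file_replace", r"C:\Windows\System32\sethc.exe", False),
]

# Hypothetical legitimate installer that also touches the registry (constructed).
INSTALLER_BODY = b"MZ\x90\x00" + b"setup-for-a-real-product"
INSTALLER_EVENTS = [
    ("file_write", r"C:\Program Files\Product\app.exe", True),
    ("registry_set", r"HKLM\Software\Product\Version", False),
]


def tweak(body: bytes, seed: int) -> bytes:
    """Imitate an automated 'code tweaker': append junk bytes that change the
    file hash (defeating an exact-match signature) without changing what the
    program does when it runs."""
    return body + b"\x90" * (seed % 7 + 1) + seed.to_bytes(4, "big")


SYSTEM_DIRS = (r"C:\Windows\System32",)


def suspicious_actions(events) -> list:
    """Behavioral rules matching the three examples given in the text."""
    hits = []
    for action, target, created_by_program in events:
        if action == "file_write" and not created_by_program:
            hits.append(("writes a file it did not create", target))
        elif action == "registry_set":
            hits.append(("modifies the Windows registry", target))
        elif action == "file_replace" and target.startswith(SYSTEM_DIRS):
            hits.append(("replaces an operating-system file", target))
    return hits


class Scanner:
    """Whitelist first, then exact-hash signature, then behavioral rules."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)
        self.whitelist = set()  # hashes of programs the user has approved

    def whitelist_program(self, sample: Sample) -> None:
        self.whitelist.add(sha256(sample.body))

    def verdict(self, sample: Sample) -> str:
        h = sha256(sample.body)
        if h in self.whitelist:
            return "allowed (whitelisted)"
        if h in self.known_bad:
            return "blocked (signature)"
        if suspicious_actions(sample.events):
            return "blocked (behavior)"
        return "allowed"


def demo() -> dict:
    original = Sample("stealer-v1", STEALER_BODY, STEALER_EVENTS)
    # The tweaker yields a new hash but exactly the same behaviour.
    variant = Sample("stealer-v1-tweaked", tweak(STEALER_BODY, 42), STEALER_EVENTS)
    installer = Sample("product-setup", INSTALLER_BODY, INSTALLER_EVENTS)

    scanner = Scanner(known_bad_hashes=[sha256(STEALER_BODY)])
    results = {
        "hashes_differ": sha256(original.body) != sha256(variant.body),
        "original": scanner.verdict(original),
        "variant": scanner.verdict(variant),
        "installer_before_whitelist": scanner.verdict(installer),
    }
    scanner.whitelist_program(installer)  # user marks the false alert as safe
    results["installer_after_whitelist"] = scanner.verdict(installer)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the original sample caught by its hash, the tweaked variant missed by the signature but caught by the same behavioral rules, and the installer flagged for its registry write until the user whitelists it. Note the ordering in `verdict`: a whitelist keyed on the file hash only protects the exact build the user approved, so a tweaked copy of a whitelisted program falls back to the signature and behavior checks.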
The Crowd and The Cloud
Crowd-sourcing of new threats harnesses the power of an anti-malware program’s user base to identify new threats and add them to all users’ signature databases within moments. This type of anti-malware defense is often cloud-based, with threat reports from all over the globe being delivered to a central site that provides detection service to all users via the Internet. Malware eradication may be handled via the cloud or by local software on each user’s machine.
Another surprise in the PhAT Report concerns the issue of phishing exploits that impersonate financial institutions and trick victims into giving up their login credentials. Data from Websense, which tracks this sort of thing for its living, says such exploits account for only 0.17% of all the malware it detected in Q4 2014.
Roughly 38% of malware detected by Websense in Q4 was “generic data stealing” software that resided on users’ machines. This category includes malware designed to transmit sensitive information from the infected machine to its masters; provide remote control of an “enslaved” machine; and open backdoors into its operating system.
Over 62% of the malware that Websense detected was classified as “other,” a category that includes self-replicating worms, dialers for telephone chargeback scams, and other “oldies but goodies” in the malware family.
This doesn’t mean that phishing sites imitating financial institutions’ login pages are a negligible problem: the financial sector was the target of 20% of phishing attacks in Q4, second only to the retail/consumer services sector. Websense’s point is that the danger of “drive-by” malware infections, which need no phishing lure at all, is still enormous.
Globally, One Third are Infected
Indeed, the PhAT Report cites a global infection rate of 33.21%; one out of every three computers suffered a malware infection in Q4 2014. The USA was about average. Higher infection rates were found in Russia and in Asian and Latin American countries, while Europe tended to have the lowest rates.
Phishing sites are seldom stand-alone affairs. Most are inserted into legitimate Web servers, which host the parasitic phish unknowingly. Since most Web servers are in the USA, it’s no surprise that most phishing sites are found on USA servers. A pleasant surprise is the USA’s share of phishing sites dropped from 67% to 40% during Q4 2014. The Czech Republic zoomed to No. 2, with 16%.
It should be obvious that anti-malware protection is essential in this threat environment; ideally, your protection should include signature, behavioral, and crowd-sourced lines of defense. Extra vigilance is advisable when dealing with any unsolicited communication that urges you to click a link to a retailer’s or bank’s Web site.
This article was posted by Bob Rankin on 8 May 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- What's in The PhAT Report? (Posted: 8 May 2015)