Symantec Global Internet Security Threat Report
Phishing, Underground Economy Servers, and Spam Trends
Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking (or spoofing) a specific brand, usually one that is well known, often for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts.
Phishing generally requires end users to enter their credentials into an online data entry field. This is one of the characteristics that distinguishes phishing from spam-based scams (such as the widely disseminated “419 scam” and other social engineering scams).[177] The data that end users enter can then be used for fraudulent purposes.
Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly an annoyance to users and administrators, spam is also a serious security concern because it can be used to deliver Trojans, viruses, and phishing attempts.[178] Spam can also be used to deliver drive-by downloaders, which require no end user interaction other than navigation to the URLs contained in the spam messages. Large volumes of spam could also cause a loss of service or degradation in the performance of network resources and email gateways.
This section will assess phishing and spam trends that Symantec observed in 2009. It will also discuss items that were offered for sale on underground economy servers during this time, since this is where much of the profit is made from phishing and spam attacks. Underground economy servers are black market forums for advertising and trading stolen information and services. This discussion will assess underground economy servers according to the different types of goods and services advertised. It should be noted that this discussion might not necessarily be representative of Internet-wide activity; rather, it is intended as a snapshot of the activity that Symantec monitored during this period.
The results used in this analysis are based on data returned from the Symantec Probe Network, as well as the Symantec Brightmail AntiSpam™ customer base and MessageLabs Intelligence. Specifically, statistics are only gathered from enterprise customers’ Symantec Brightmail AntiSpam servers that each receive more than 1,000 email messages per day. This ensures that smaller data samples (that is, smaller customers and test servers) are excluded, thereby allowing for a more accurate representation of data. Statistics obtained on underground economy servers are gathered by proprietary Symantec technologies that monitor communications on those servers.
The Symantec Probe Network consists of millions of decoy email addresses that are configured to attract a large stream of spam attacks. An attack can consist of one or more messages. The goal of the Symantec Probe Network is to simulate a wide variety of Internet email users, thereby attracting a stream of traffic that is representative of spam activity across the Internet as a whole. For this reason, this network is continuously optimized in order to attract new varieties of spam attacks.
[177] The scam is referred to as such because 419 is the section of Nigerian criminal code that deals with fraud; Nigeria has become notorious as the source for this sort of scam.
http://nortontoday.symantec.com/features/security_at_30.php
http://news.bbc.co.uk/2/hi/technology/6676819.stm