Phishing, Zero-Days Top Symantec's Security List

Published: December 6, 2006

by Alex Woodie

Symantec last week issued an end-of-the-year report on the state of IT security, and the findings may surprise you--or they may not, depending on how closely you've followed the security goings-on during the last 12 months. In any case, if one had to pick the two most important security trends for 2006, it would be tough to beat the meteoric rise of phishing and zero-day exploits.

Phishing, an activity engaged in by criminals to perpetrate identity theft and the financial misdeeds that inevitably follow, increased dramatically in the first half of 2006, when Symantec detected close to 900 unique phishing messages a day, an increase from nearly 500 per day over the previous six month period, the security software giant says.

A closer analysis of phishing trends reveals that phishing e-mails dip on the weekends and rebound on--of all days--Tuesdays, which Symantec took to suggest that phishers operate during standard work days (although it would be a stretch to consider them working Joes like you and me).

A quick glance at your unprotected inbox will also confirm Symantec's finding that nine of the top 10 phished brands were financial institutions. (News bulletin: if you don't have a Washington Mutual checking account, don't follow the links to change your password.) What's more, seven out of 10 spoofed brands that Symantec observed are based in the U.S., while the great state of Florida led the way among the most spoofed local brands, Symantec says.

The other major security trend involves zero-day exploits, the phenomenon you get when black hat hackers and other techno ne'er-do-wells blindside the computer-using community by launching attacks or releasing attack code blueprints on the Web on the same day on which that vulnerability is first publicly revealed to the owner of the vulnerable product (usually Microsoft), and suckers like you and me.

Symantec noted several high-profile zero-day attacks, including the Windows WMF vulnerability in late 2005 and early 2006, and several other attacks on Office products in May 2006. But Microsoft isn't the only target; a Japanese word processing product called Ichitaro was hit with two zero-day exploits, Symantec notes.

The prognosis for zero-day attacks is not good, and the situation will likely get worse before it gets better. According to Symantec, the average time it took developers to come up with a patch for a security hole was 31 days for the first half of this year. However, the average time for hackers to develop exploit code was three days, leaving, on average, a 28-day window of exposure, Symantec says.

Also included in Symantec's report was rootkit technology, a hard-to-detect way of comprising a computer system, which quickly emerged in 2005, but hasn't made many headlines in 2006. Despite the lack of press, Symantec says the use of rootkits--in particular user-mode rootkits, but also kernel-mode rootkits--has grown over the last 12 months, to the point where it is now common.