2008 Spam/Malware Predictions

As we near the end of another year I can say with surety that 2007 will be remembered among spam and malware filtering companies as the year of the Storm Worm. In 2005 it was the year of the Sober worm, but 2007 has most definitely been owned by Storm and its many variants.

So, as we close out 2007 we start to look forward to 2008. What are some of the 2007 trends that we expect to continue in 2008? What will be new? How will current trends evolve?

Here are some of my random thoughts:

-- We will see an increased prevalence of Web 2.0 attacks.

When we talk about "Web 2.0" we are talking mostly about interactive communities like blogs, wikis, and social networking sites like MySpace and Facebook. Web 2.0 sites provide a richer, more interactive internet experience for its users which extends the internet beyond just your typical "download content and view pages" approach and puts users in more control over the content.

From a user experience perspective, this is a great idea, but typically what makes things easier for the user carries along with it some level of security implication.

As part of the Web 2.0 experience, more code execution is being pushed to the client browser. This doesn't necessarily change the types of attacks that exist in Web 2.0 applications versus Web 1.0 applications (attacks like XSS, SQL Injection, and CSRF still exist just as they did before), but now will manifest themselves in different ways. As such it will be the responsibility of the application developer to be more aware of client side input validation and make sure that potentially malicious code never makes it from the "untrusted" user environment to a site's "trusted" backend infrastructure. Cyber criminals will try to exploit these potential vulnerabilities in code validation as much as possible.

-- We will see an increase in "blended threats" in 2008.

If you are not familiar with the term "blended threat" it is a combination type of threat which will mix the data stealing capabilities of malware with backdoor botnet capabilities. What this means is that if you are infected with one of these hybrid types of malware you could have a keylogger installed on your machine which is logging your keystrokes and sending your potentially confidential and personally identifiable information to a cyber crook for sale in the underground community, but your machine is also available as a spam zombie such that botnet herders can rent time on your computer to send out spam/viruses/etc.

The holiday season is a particularly interesting time to potentially see these types of threats also because of the amount of online shopping that takes place in the 5 weeks between Thanksgiving and Christmas. comScore recently released their Cyber Monday 2007 Statistics which showed that $733 million dollars was spent online on Cyber Monday (the Monday after the Thanksgiving weekend) alone. This is obviously a target that is too large for criminals to ignore.

-- Abuse will continue to move into other forms of communication

We've already seen some of this in 2007, but is something that we expect to continue not only into 2008 but beyond.

Mobile phone and PDA abuse is already a big problem in places like Europe and Japan. It isn't so much so yet in the United States, but as smartphones make more of a movement into the space where they allow the development and installation of third party applications users will need to be continually wary of the security implications of these new conveniences. The line between the PC and the phone is becoming blurrier every day and as such mobile computing devices will soon need to deploy the same types of security suites that should be installed on every desktop and laptop PC.

We also expect to see more tele-spam (spam sent via VoIP technologies) and voicemail injection (the compromising of vulnerable VoIP systems to inject spam voicemail directly into a user's voicemail inbox.

In the vein of "targets too large for criminals to ignore" the smartphone industry is expected to be a $250B industry by 2011. You can be sure that cyber criminals will do whatever they can to get a piece of that pie!

-- Continued movement of malware away from email as a primary distribution vector.

This is another one of those trends that we have seen shift over the past year or two. Malware authors have already begun the movement from the "push" based method of infection that we have talked about previously (where static malware content is pushed to the user via an email attachment) to a "pull" based model where users pull the content from a web site, typically lured to by a link in either an email or an instant message.

The Storm Worm is actually a great example of this transition in action. Early versions of the Storm Worm pushed executable file attachments to unsuspecting users when opened would infect the user's PC with Storm. Later variants used social engineering tactics like fake, malicious e-cards to lure people to web sites to download more dynamic pieces of malware.

More and more viruses have been following this trend over the last year or two and we expect this trend to continue. By 2009 or 2010 we expect malware distribution by internet pull based methods to surpass email as a distribution vector making it the primary method of infection. The email virus is likely to never completely go away, but the dynamic nature of the web as a way to distribute malware carries many advantages that email's static nature does not.

-- More targetted phishing/malware attacks

What discussion about social engineering would be complete without a mention of the evolution of tactics by cyber criminals in an effort to establish legitimacy with their targets?

Social engineering has always been the key ingredient to the success or failure of any cyber crime campaign. If you can do it well, you will have a significant greater chance of success than if you don't. The Storm and Sober worms (the last two really successful email-borne malware campaigns) were successful because of the social engineering tactics they used (Paris Hilton videos, free World Cup tickets, and e-cards as a few examples). As cyber criminals continue to launch new campaigns, you can be certain that they will refine their social engineering tactics to the point where even the trained eye will have trouble quickly determining the (il)legitimacy of an email.

These attacks will also become more targeted similar to the government agency scams from earlier this year that were sent primarily to high C-level executives. Effective social engineering combined with good targeting methods virtually ensure that there will always be people who will fall for these scams which will always leave spam as a virtually 100% profitable venture.