Sophos's 2013 threat report points to US as Blackhole capital

Sophos has published its Security Threat Report 2013 and identifies the Blackhole exploit kit as the market leader of malware. The Blackhole exploit kit is a package of software which attempts to break into a system via a browser by analysing the system for available vulnerabilities and serving up an appropriate exploit; it then allows the purchaser to deploy other malware through the hole it has opened up.

Drive-bys redirects and exploit sites make up the attack landscape on the net
Source: SophosLabs Blackhole has been particularly successful in this area, but what is more surprising is that, according to Sophos, 30.81% of sites hosting it are in the United States, which is followed by Russia at 17.88% and Chile at 10.77%. Sophos says that between October 2011 and March 2012, almost 30% of detected threats were either directly from Blackhole or diversions to Blackhole kits that had been rigged on formerly reputable sites. Blackhole's real innovation in malware is its business model, as it is delivered as "Software as a service" where customers rent it for as long as they need it. The Blackhole developers launched version 2.0 of the crimeware in September.

Sophos says that in 2012 the biggest problems were cloud services, the Bring Your Own Device (BYOD) movement, hacking of SQL databases, improving social engineering methods, and an increasing number of attacks on the Android mobile operating system. The latter has seen everything from SMS fraud, apparent botnets on phones, banking malware, and bogus or rogue applications from application stores. Sophos expects a new generation of attacks to start appearing on Android devices as the Near Field Communication (NFC) capabilities of a number of Android phones allow them to act as credit or cash cards, making them a potentially valuable target.

One type of attack that has been out of fashion for many years, but is now making a return, is ransomware. Back in the late 80s early ransomware was distributed by floppy disk and locked up users' systems, demanding that $189 be sent to a Panamanian address to unlock the system. That attack is back now, albeit using far more modern techniques. Ransomware such as the BKA Trojan has been locking up machines around the world and claiming the user has been downloading illegal pornography or similar. Claiming to be from local law enforcement it demands some form of payment, usually through a cash payment network like Ukash or Paysafe. Sophos predicts that there will be increasing incidents of ransomware which will be encrypting users' hard drives as part of the scam.

Sophos detects many different forms of Mac malware but doesn't discuss how many machines this is sampled from Mac users are advised to be more on the lookout – 2012 saw what was the largest Mac malware outbreak when 600,000 users were infected via Flashback, malware which first appeared as a fake Flash installer and mutated to exploit a Java vulnerability. Flashback has since been beaten back, but Sophos feels the Mac malware authors are becoming more agile.

Looking forward into 2013, Sophos sees a number of trends: more SQL injection hacks and other attacks aimed at exploiting basic web server mistakes, more "irreversible" malware such as ransomware that encrypts drives, and attack toolkits with premium features, building on the Blackhole business model. On the positive side though, it does see 2013 having better exploit mitigation including better restricted mobile platforms and trusted boot mechanisms. That said, there could be a whole new class of challenges as social media, GPS location, and NFC create new soft spots for cybercriminals "to compromise our security or privacy".

(djwm)