After learning to cope with the carpet-bombing of spam and massed armies of zombie computers assaulting websites, the computer security industry has identified a startling new threat from an increasingly criminalised and sophisticated breed of hacker.
Much more subtle, “laser-focused” strikes are now taking place that can slip under most radar, with stealth attacks on a single company, “inside jobs” and selective stings finding favour.
“What we’re seeing and what we see as happening over the next 24 months is more of a targeted attack against organisations,” says Patrick Hinojosa, chief technology officer of security company Panda Software.
“This could be an attack on a governmental organisation, on a corporation to obtain confidential product information, or against financial companies to obtain large amounts of information that can be converted into money.”
Targeted attacks reported over the past six months by an Israeli company and by a credit card transaction service are seen as the tip of the iceberg, with many organisations preferring to keep security breaches confidential.
One point of entry is through e-mail. MessageLabs screens 100m e-mails a day and sees among them millions of spam and botnet items – where senders can dupe users into unwittingly allowing their computers to become part of a network of machines used to attack websites.
“But the scary thing we are seeing at the moment is the targeted Trojan attack and that can be in just 10 to 100 of the e-mails we’re seeing daily,” says Alex Shipp, senior anti-virus technologist.
The e-mail will commonly contain a Microsoft Word document that delivers the payload.
“Once it gets into your organisation, it sits there for a long time just gathering data and sending it back.”
The intention is industrial espionage and victims have told MessageLabs that the targets of the e-mails were specific and well chosen.
“In one attack, it was people in the R&D department and in another it was executives. So the guys had done their homework beforehand,” says Mr Shipp.
“There was another attack sent to companies in the aerospace industry where the Trojan only activated if you had CAD [computer-aided design] software on your machine – so that’s like saying ‘You have some drawings on your machine I want to steal’.”
The e-mails have been traced to Asian gangs and some American internet addresses have been identified as sources of the Trojans.
Steven Martinez, deputy assistant director of the FBI, told the annual RSA security conference in San José last month: “We’ve got a perfect storm brewing now where we’re seeing a convergence of the hacker community and cybercriminals, with hackers building products for organised gangs.”
Stratton Sclavos, chief executive of Verisign, which monitors traffic as it is relayed across the internet, told the same conference that hacking had moved from being a mischievous hobby to a job.
He showed a Russian website where botnets were being offered for $500 and another where $100, $500 or $1,000 was offered respectively for Visa, Mastercard Platinum and American Express card details.
In spite of the threat from hackers and criminal gangs, security experts say risks to the enterprise are still more likely from the inside than the outside.
A recent FBI survey indicated that 56 per cent of organisations report some level of security breach from within, whether through the carelessness or criminal intent of employees.
IBM last month launched its Identity Risk and Investigation product for monitoring the behaviour of employees on company networks. It uses mathematical modelling to compare the online access patterns of a user with their previous behaviour and that of peer groups. Deviations from norms send alerts to administrators.
Mark Ramsey, global data analytics leader at IBM Business Consulting Services, says: “[Security breaches] impact the brand in tens if not hundreds of millions of dollars so there’s going to have to be a balance between the concept of Big Brother and the impact if they are not able to stop this kind of threat.”
The threat from outside attacks will also require more sophisticated solutions from security vendors, says Panda Software’s Mr Hinojosa.
“It is going to take an AI [artificial intelligence] based approach because the human element is not going to be able to handle the sheer number of possibilities of a real-time attack on a node to figure out what is going on.
“AI will have to be able to detect something that’s never been seen before and eradicate it.”