Phishing Down as Cyber Criminals Launch Targeted Attacks: IBM
Cyber-criminals shifted focus in 2010 to launch more sophisticated targeted attacks, IBM said in a new report. In short, 2010 was the year cyber-attacks became more about quality rather than quantity.
While there was an increase in new vulnerabilities, exploits and types of attacks in 2010, more vulnerabilities were being identified before they could be attacked, according to IBM's X-Force 2010 Trend and Risk Report, released March 31. The increase in vulnerability reports were partly the result of organizations proactively trying to identify bugs in software, the researchers said in the report.
Overall, 2010 was a more dangerous year, with more vulnerabilities and exploits than in 2009. As computing environments increased in complexity, so did the threat landscape, as the number of sophisticated attacks being launched expanded. More than 8,000 new vulnerabilities--or 27 percent more than 2009--were found in 2010, and exploit releases increased 21 percent, the report said.
"From Stuxnet to Zeus Botnets to mobile exploits, a widening variety of attack methodologies is popping up each day," said Tom Cross, a threat intelligence manager at IBM X-Force.
The high-profile targeted attacks in 2010 were launched by highly sophisticated cyber-criminals who were likely well-funded and well-aware of hidden vulnerabilities, according to the report.
However, phishing attacks have declined significantly, according to the report. While there is still a fair amount of them, there is less than a quarter of the volume compared to 2009 and 2008, the IBM X-Force researchers found. However, current phishing attempts are more likely to be spear phishing, or very targeted attacks, the report said. Cyber-criminals put in the effort to create complicated and targeted attacks on specific types of victims in 2010, according to the report.
While the researchers viewed the rise in the number of vulnerabilities found and reported as a fairly positive development, they were concerned that 44 percent of those reported vulnerabilities did not have a vendor-supplied patch by the end of 2010.