State of Internet Security Report

Websense recently released their State of Internet Security report for the first half of 2009. They have some very interesting findings, which I have summarized below.

  • In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball which aimed at compromising trusted Web properties with massive injection campaigns.
  • Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. Websense Security Labs found that 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • The “Dirty” Web is getting dirtier: 69 percent of all Web pages with content classified as objectionable (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link. This is becoming even more pervasive, as 78 percent of new Web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.
  • Websense Security Labs found that 37 percent of malicious Web attacks included data-stealing code, demonstrating that attackers are after essential information and data.
  • The Web continues to be the most popular vector for data-stealing attacks. In the second half of 2008 the Websense Security Labs found that 57 percent of data-stealing attacks are conducted over the Web.
  • The convergence of blended Web and email threats continues to increase. Websense Security Labs reports that 85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites or malicious Web sites.
  • In June alone, the total number of emails detected as containing viruses increased 600 percent over the previous month.

This information confirms that the Web is a dangerous place and becoming more so. The reason is simple: money. Criminals have figured out that the benefit from online crime is high and the cost is low. Moreover, the chances of getting caught are slim. Compare the crime of identity theft or credit card fraud committed via the Internet with a physical crime such as a bank robbery. The cost of committing a crime on the Internet is low. One can obtain ready-made software on the Internet that helps obtain credit card and other personal information with which it is possible to commit fraud. The risk associated with this crime is very low compared to the expected payoff. Robbing a bank, however, has very high costs and risks. One could get shot or get caught and sent to prison. And the likely payoff isn’t that great either. The average amount of money stolen during a bank robbery is less than $5000. This isn’t much compared with the risks.

Internet crime is a huge business. To protect yourself, follow best practices for using the Web safely. Even legitimate and well-known Web sites can get compromised and be used to commit fraud against you. And don’t think that because you use a Mac you are immune to these attacks. You aren’t. More on that in a future article.
