Blue Coat 2011 Web Security Report Reveals that a Single Click Can Open Door to Cybercrime
March 2011 by Blue Coat Systems
Blue Coat Systems, Inc. unveiled the 2011 Blue Coat Web Security Report that examines Web behavior and the malware to which users are most frequently exposed. The report analyzes Web requests from the Blue Coat® WebPulse™ service, which weekly rates nearly three billion requests in real-time, to provide a comprehensive overview of the changing ways in which people are using the Internet and the new methods cybercrime is using to target their attacks.
“Today, dynamic Web links are the most powerful tool cybercrime has, and static Web ratings that require update cycles are too slow when the bad guys can harvest users within minutes,” said Steve Daheb, chief marketing officer and senior vice president at Blue Coat Systems. “Only a real-time defense, like the Blue Coat WebPulse service, that can dynamically rate content and follow multi-staged malware attacks from beginning to end will be able to protect users.”
Some of the most surprising Web usage trends from the report include:
Social Networking As the New Communication Platform: Personal Pages/Blogs, Chat/Instant Messaging and Email are the second, third and fourth most requested subcategories of Social Networking, respectively. At the same time, Webmail was the 17th most requested Web category for 2010, falling from ninth in 2009, and fifth in 2008. This ongoing decline in popularity is driven by an overwhelming shift to social networking as the communication platform of choice for Internet users.
Web Behavior Is More Business Focused: As users around the world faced high unemployment and ongoing financial challenges, personal lust as a driving force of Web behavior shifted to a more business-oriented focus. Blue Coat saw a significant decline in requests for Web content in the Dating/Personals, Pornography and Adult/Mature Content categories in 2010. While these categories were fourth, fifth and eighth, on the list of the top 10 most requested categories in 2009, Audio/Video Clips, New/Media, and Reference dominated the top 10 in 2010.
The Web-based threat landscape continues to become more sophisticated, utilizing a combination of techniques and multiple stages to launch attacks.
Among the biggest shifts for 2010 were the following:
Social Networking Becomes Malware Vector: In 2010, cybercrime successfully exploited trusted relationships between friends to quickly infect and harvest new users. Social network phishing and click-jacking attacks were the two most common types of attacks through social networks in 2010. The shift of phishing attacks to social networks is particularly driven by the attempt to obtain user credentials that can also provide access to banking, financial and other online accounts that use shared passwords.
Legitimate Sites Become Part of Attack Infrastructure: One of the most noticeable shifts in the threat landscape in 2010 was the migration of attack infrastructures from free domains to known sites with trusted reputations and acceptable use category ratings. By hacking into trusted sites, cyber criminals can host attack infrastructures on sites that have good reputations.
Malware Hides In Acceptable Web Categories: Historically, malware has been hidden in categories that would traditionally be blocked by acceptable use policies. However, Online Storage and Open/Mixed Content, which ranked second and sixth, respectively, on the list of sites hosting malware, saw the fastest growth in 2010. The number of new Online Storage sites hosting malware increased 13 percent while the number of new Open/Mixed Content sites hosting malware increased 29 percent. Both of these categories typically fall within acceptable use policies for most companies.
Based on the findings, the report offers lessons that organizations can take away to better protect their employees and their confidential data, including:
Dynamic Defense Is Key for Malware Protection: Using dynamic links, cybercrime can build attack infrastructures, changing only the location of the malware deliverable. Blocking malware delivery, call home attempts, scams and phishing requires a defense that can respond dynamically to rate new and unknown content and analyze the dynamic links that increasingly are part of malware attacks.
Real-time Ratings Are Crucial to a Successful Web Defense: Defenses that don’t analyze Web requests in real time and provide immediate ratings leave their users exposed to attacks that may only last for a few hours.
Rely Less on Reputation Ratings: To avoid detection, cybercrime is increasingly hacking legitimate sites with good reputation ratings and using those sites to host attack infrastructures. A defense that only utilizes reputation ratings will leave its users exposed to those attacks.
Protect Remote Users: Web access is ubiquitous, so Web security needs to be 24/7 regardless of location.
Data Loss Driven by Malware: No amount of data governance or automated prevention will stop data loss through malware, so organizations need to move to a dynamic Web defense that can identify command and control servers and block requests for and attempts to send data to those servers.
This report utilizes information from the Blue Coat WebPulse service and the Blue Coat Security Lab. The WebPulse service receives real-time Web requests from more than 70 million diverse users worldwide and analyzes new, unknown or evolving Web content in real time, immediately sharing the intelligence with the entire community. The WebPulse service utilizes advanced technologies that help the Blue Coat Security Lab map the Web ecosystem and follow multi-staged attacks from beginning to end. This ability allows Blue Coat to more fully visualize new attacks and understand how cyber crime is changing its tactics.