By Jeremy Reimer | Published: September 17, 2007 – 11:34PM CT
Prior to this decrease, Symantec had reported a rise in the proportion of Web application vulnerabilities, starting in the first half of 2004 and ending in the first half of 2006. This period roughly corresponds to the surge in popularity of social networking sites and “Web 2.0” in general. The exuberance over these then-new technologies left security considerations little more than an afterthought, not only for web site designers but for their users as well. Security attacks such as the WMF exploit on MySpace brought the issue to public attention, as did third-party security audits such as the Month of MySpace Bugs.
Social networking sites are attractive to hackers not only because of potential security holes in the applications themselves, but also because the very nature of such a site works as a way to spread attacks to more people. “In such a scenario, the attacker may use the legitimacy of the Web site to attract victims of subsequent attacks,” the Symantec report said. “Sites with large user bases, such as MySpace, have already been abused in this manner.”
Because the site is known and trusted, users are more likely to fall victim to unsolicited e-mails or invites and be tempted to download unknown attachments. Once a user is compromised by a trojan, attackers gain access to personal information about the victim, including passwords to other sites, and can easily find other victims to attack via the user’s own friend lists.
The malware problem in general continues to grow. According to the latest report from security firm PandaLabs, more malware was detected in the most recent quarter than was found in all of 2000-2004, putting a strain on traditional signature-based methods of malware identification. The number of virus-laden e-mails and phishing attacks is trending slightly downwards according to the latest data from MessageLabs, but this is more a function of attacks being targeted at specific people than of a decrease in the number of attacks in general—the bad guys have had a busy harvest season collecting e-mail addresses and are trying to reap what they sowed as quickly as possible.