Blue Coat Systems has published its annual Web Security Report for 2009, providing analysis of user behavior in relation to Web-based threats. It specifically examines where users encountered malware on the Internet. The report concludes that the overwhelming popularity of social networking services and changes in online user behavior are driving broader attack strategies, including complex blended threats, faster malware lifecycles and search engine manipulation.
- Malware adapts with rapid lifecycles: The average lifespan of malware dropped from 7 hours in 2007 to 2 hours in 2009, as criminals respond to the increasing use and effectiveness of URL filtering at blocking malware sources.
- As a result of this faster malware lifecycle, defenses that require patches and downloads are unable to keep pace.
- Social networking led Internet access activity in 2009, accounting for 25% of activity among the top 10 URL categories for the year.
- Increased reliance on social networking for communication also means less reliance on Web-based email.
- Exploiting user trust drives most common threats: The two most common Web-based threats in 2009 – the fake antivirus software and the fake video codec – both exploited user trust in the Internet, search engines and social networks. These were not the “drive-by” attacks of recent years, nor did they require a vulnerability to exploit other than human behavior.
- Malware lurks on unexpected sites: Online storage and software download sites were the most frequent hiding places in 2009. The number of online storage sites grew 200% over the prior year, and this growth, coupled with the nature of the service, makes them an ideal and easily accessible malware storage location.
- Advanced spyware drives increase in malware and phone-home sites: The number of malware sites (sites that store malware for download on victims’ computers) nearly doubled in 2009, but more surprising is the 500% increase in the number of malware effects sites (phone-home sites that collect data from an infected computer). This is largely attributable to the emergence of advanced spyware that generates multiple URLs for possible activity, increasing the likelihood that one or more of the URLs will remain undiscovered long enough for cybercriminals to retrieve stolen information.
- Real-time analysis needed: The changing threat landscape is driving the evolution to a hybrid defense that unites traditional Web gateways with cloud-based intelligence to provide real-time analysis and ratings and that can be extended to remote users.
The information in the report is based on an analysis of data collected from the Blue Coat WebPulse service, a cloud-based collaborative defense that unites 62 million users to provide on-demand security intelligence and real-time ratings for 17 languages. WebPulse complements Blue Coat WebFilter and Blue Coat ProxySG appliances in a hybrid design to provide a first line of defense against malicious attacks for any user, on any network, in any location.