App market 'fertile ground' for cybercrime

Web and smartphone apps, a market which is emerging and largely unregulated, are ideal guises for criminal activity, new Blue Coat report warns.
Written by Vivian Yeo, Contributor

Web, social networking and smartphone applications are the "fertile ground" for cybercrime, not helped by the fact that the app market is still emerging and largely unregulated, a new study has warned.

Released Tuesday, the Blue Coat Web Security Report for 2009 indicated that Web-based business services from Google as well as social networking and smartphone apps have all been targets for attack during the past year. Malicious apps disguised as games have already begun troubling users, the security vendor added.

"What's worse, many companies sell untested apps in their online stores, leading customers to believe these products are reliable and legitimate," Blue Coat said in the report.

For 2009, the top Web threat was fake antivirus, the company said. This was followed by the fake video codec scam which tried to convince users they had a problem with their video player. According to Blue Coat, two-thirds of all malware disguised as a video codec offered pornography videos.

Also highlighted in the report were the most commonly compromised Web sites. Online storage sites took the top spot due to a 200 percent spike in the number of URLs, while sites offering software downloads and pornography took second and third spots, respectively.

Complex nature, quicker deaths
The past year also saw blended threats grow at a faster rate than in any other year, noted Blue Coat. Dozens or even hundreds of Web sites would be created in a single attack, comprising different threat components to thwart various security measures.

To increase the odds of a successful infection, malware has become more agile, looking for new places to house the attack code, the report noted. Last year, the average lifespan of malware dropped to 2 hours, from 5 hours in 2008.

According to Blue Coat, the number of malware sites in 2009 nearly doubled over the previous year. Effects sites, which typically refer to the IRC or e-mail server collecting stolen information, jumped by over 500 percent. The vendor said the disparity was due to the need for cybercriminals to create more sites to tap user data, to make up for sites that would be detected and disabled by security tools.

In its report, Blue Coat also listed predictions for 2010. These include:

Unabated growth of Web threats
Web-based threats have been the primary way of stealing confidential data and infecting computers since 2007, the company noted. In the first six months of 2009, new malware exceeded all malware detected in 2008. Phishing also increased 585 percent during the same period.

The explosion in Web threats is expected to continue, given the increasing acceptance of Web-based and consumer apps in the enterprise.

Web 2.0 services increasingly vulnerable to attack
In 2009, accessing social-networking sites accounted for 25 percent of all Web activity, with Web advertisements and search engines also among the most accessed URLs last year, said Blue Coat.

While social-networking providers are stepping up security efforts, consumer demand is pushing them to introduce new services that have vulnerabilities yet to be discovered. The gap between services and security, the company noted, will continue to grow this year.

Search engine manipulation to continue to drive malware
Search engine manipulation or SEO (search engine optimization) poisoning, where cybercriminals exploit search engine algorithms to position hacked sites higher in search results, is an easy way to drive users to malicious sites.

The vendor said it expects malware spread via search engines to increase in 2010 due to the high degree of trust users place in these services, as well as the relative ease with which results can be manipulated.

Blue Coat's report was based on statistics gathered from the company's WebPulse network which supports 62 million users globally, as well as intelligence gathered from the industry.
