Rise of the blended attacks
As users have become savvier about traditional threats like email attachments, cybercriminals are attempting to integrate multiple forms of attacks. Research indicates that criminals are more frequently converging their attacks across multiple communications channels, such as email, instant messaging, websites, mobile computing and VoIP.
They are also using several different malware components at once, such as worms, Trojans, spyware, keyloggers, spam and phishing schemes. This blending of attacks is making malware more complex, and personal information is increasingly at risk.
Watch out for the fake security messages
The most common type of blended attack uses spam email messages, instant messages or legitimate websites to distribute links to websites where malware or spyware is secretly downloaded to computers. In April 2011, attackers launched a large-scale SQL injection attack that compromised several thousand legitimate websites, including a few catalogue pages from Apple's iTunes music store.
A 25 March 2011 report showed that Spotify, a Luxembourg-based digital-music service, was hit by malware distributed through a third-party ad network. Malicious advertisements being displayed on the free version of Spotify, which is ad-supported, were dropping Trojans and other types of malware onto users’ computers.
Another common blended attack combines Distributed Denial of Service (DDoS) attacks with phishing emails. For example, a bank's website is taken down by a DDoS attack, and shortly afterward the bank's customers receive emails apologising for the inconvenience and directing them to an "emergency site" that is, of course, fake and malicious.
Blended attacks rising in the mobile environment
One example of such blended attacks was Zeus MitMo, a virus discovered in October 2010. This malware was developed to defraud online banking customers, specifically those who had begun using a second channel (the mobile phone) to receive a one-time authentication code for increased internet security in online banking transactions. Developed to run on Symbian and BlackBerry platforms, the malware tricked the mobile user into installing it on his or her mobile phone, and then forwarded any authentication code sent by the bank to the attackers, who then had all the information they needed to empty the account.
At the beginning of 2011, one mobile phone service operator lost $10 million in just a few days. Thousands of its subscribers received messages that looked like genuine missed call alerts, and many of them called the number and received a voice message saying the number was busy and to call back later. What they did not know was that they were calling an international satellite phone service at $4 per minute.
By the time the customers received their bills and started to complain, the operator had, as standard procedure, already paid the satellite company on behalf of its customers. It therefore had to issue customer refunds out of its own coffers, leaving it with a huge loss.