Attackers favor social-networking sites, shortened URLs

Social-networking sites and shortened URLs have become the favored technologies for scam artists to lure victims to websites that attempt to push malware or launch an attack, says a Symantec report released today.

“A favorite method used to distribute an attack from a compromised profile is to post links to malicious websites from that profile so that the links appear in the news feeds of the victim’s friends. In addition, attackers are increasingly using shortened URLs for this because the actual destination of the link is obscured from the user,” says the “Symantec Internet Security Threat Report: Trends for 2010.”

MORE ON SECURITY: 20 hot IT security issues

The report is Symantec’s annual summary of trends in types of online attacks seen during the course of the last year. While blockbuster events such as the Stuxnet worm that attacked industrial control systems in Iran made headlines in 2010, there were also incremental shifts in attack methods affecting millions online.

Compromising social-networking profiles and using shortened URLs has emerged as a main attack vector, Symantec says. The shortened URL, not bad in and of itself, has become favored by attackers as “one more tool to hide or obfuscate themselves,” says Gerry Egan, director of product management at Symantec Security Response.

While the Symantec report doesn’t name specific social-networking sites, such as Facebook, it claims that the majority of attempts to trick people into visiting so-called drive-by download sites loaded with malware are now perpetrated through social networking.

The Symantec analysis is based on Symantec’s malicious code intelligence gathered from more than 133 million client server and gateway systems, among other sources.

In 2010, there was a 93% increase in Web-based attacks compared with the year before, and in one three-month observation period last year, “65% of the malicious URLs observed on social networks were shortened URLs,” the report says.

In a summary of other trends, Symantec notes it recorded 6,253 new software-related vulnerabilities in products, more than noted in previous years. Symantec also says the rise of certain rootkits is again causing concern, with three frontrunners — called Tidserv, Mebratix and Mebroot — causing the most concern. These three rootkits, says Symantec, “can all modify the master boot record on Windows computers in order to gain control of the computer before the operating system is loaded.”

Tidserv is a “nasty rootkit that affects the master boot record” says Egan. “It intercepts API calls,” and can be part of an entire Tidserv botnet used for criminal purposes. The rootkit can be hard to detect, Egan acknowledges. “It’s a challenge and we have new standard tools going into our products for this.”

Read more about wide area network in Network World’s Wide Area Network section.