IBM X-Force report: Corporations are own worst security threat

Posted on February 2, 2009 - 18:46 by Rick C. Hodgin


Armonk (NY) - Today, IBM announced the results of its 2008 X-Force Trend and Risk report, which found corporations put their own customers at risk for "cybercriminal activities" by failing to properly defend their servers against identified exploits.





Two main trends were reported in the X-Force report. First, today's websites are the "Achilles' heel" of IT security. Attackers want to compromise a website's software so that their own code can infect the machines of end users who visit it, and they are helped by corporations running standard, off-the-shelf web applications with known exploits. According to the report, 74% of deployed web applications have had no patches applied. Trends also show that the volume of attacks seen at the end of 2008 was 30x greater than the number seen in the early summer months.



The second major trend is a shift away from attacks that primarily exploit browser defects and ActiveX controls toward attacks that exploit Flash and PDF files. The research recorded a 50% increase in Q4 2008 in the number of URLs hosting exploits compared to the total for all of 2007. Spammers are also adopting these compromised-website tactics to expand their reach.



The X-Force report also records that the disclosed critical vulnerabilities did not see widespread exploitation. IBM believes the Common Vulnerability Scoring System (CVSS), used today as the industry-standard rating system for vulnerabilities, needs to be overhauled.



Taken from the press release:


"The CVSS focuses on the technical aspects of a vulnerability, such as severity and ease-of-exploitation. While these factors are extremely important, they do not fully capture the primary motivator of computer crime: the economic opportunity. The CVSS provides an essential base that the security industry desperately needs to measure security threats. But we also realize that cybercriminals are motivated by money, and we need to fully consider how attackers balance the economic opportunity of a vulnerability against the costs of exploitation. If the security industry can better understand the motivations of computer criminals, it can do a better job of determining when emergency patching is most needed in the face of immediate threats."



Some additional data reported:

o 2008 was the busiest year for discovering vulnerabilities with a 13.5 percent increase over 2007.

o At the end of 2008, 53 percent of all vulnerabilities disclosed during the year had no vendor-supplied patches. Further, 46 percent of vulnerabilities from 2006 and 44 percent from 2007 were still left with no available patch at the end of 2008.

o The McColo shutdown had the most impact on spam activity in 2008, not only affecting quantity but also affecting the type of spam sent and countries that frequently sent it.

o China emerged as top spam sender directly after the McColo shutdown, but was replaced by Brazil by the end of the year. For many years before the shutdown, the US had claimed the number one spot.

o The main countries of origin of spam throughout 2008 were Russia with 12 percent, the United States with 9.6 percent and Turkey with 7.8 percent, although the origins of spam do not necessarily correlate with where spammers reside.

o China surpassed the US as the number one country of hosted malicious Web sites for the first time in 2008.

o Phishers continue to attack financial institutions. Nearly 90 percent of phishing attacks were targeted to financial institutions, with the majority targeting those in North America.

o 46 percent of all malware in 2008 were Trojans targeting users of online games and online banking. The X-Force report predicts that these specific user groups will likely remain targets in 2009.




See IBM's press release.