Despite topping the list, the number of complaints actually went down 5% from the 2008 figures and going down in absolute figures for the first time since 2000. Of the other complaints, Third Party and Creditor Debt Collection ranked second on the list of complaints and Internet Services ranked third.

Looking more closely into the identity theft complaints, 17% of those complaints were credit card fraud. The next most common complaints were government documents/benefits fraud and phone or utilities fraud. Florida had the highest per capita rate of identity theft in the US.

This data indicates all of the complaints received by the FTC but does not indicate absolute crime figures. None of the complaints were verified by the FTC.

Via wired ; Image: Clipart

As we’ve seen highlighted in many other reports throughout the year, 2009 was known for the prominence of cybercrime through social media platforms such as Facebook and Twitter. The report indicates that social networks became one of the most significant vectors for data loss and identity theft.

Interesting data from the report:

- Firms reporting spam and malware attacks via social networks was up by 70%
- 72% of firms believe that employees’ behaviour on social networking sites could endanger their business’s security
- Social networking spam, phishing and malware reports all increased over the year. For example, spam reports were up 33% in April and 57% by December
- Legitimate sites compromised to host malware now rival sites specifically set up for malware distribution
- The US continues to lead as the top malware-hosting country (37.4%)

Businesses perceive Facebook and Twitter as the biggest risks to security (of all social networks). This perception is not only due to the highly publicized risks (particularly malware) but also due to the difficulties to control such sites.

Companies find it impractical to blanket block these sites, particularly as their use in corporate communications becomes more widespread. Therefore, methods to watch for data loss via these vectors becomes more difficult. Training takes the forefront in terms of prevention. Does your security policy state what information is safe to share online, and what not? Do you have data monitoring in effect to know where your sensitive data is and who is accessing it?

Download the report here [PDF].

The report indicates that more than 40,000 unique phishing reports were submitted in the quarter, the highest level in history. Unique phishing websites were also record-setting. Phishing, as defined in the report, considered both social engineering as well as technical subterfuge in order to steal personal data.

Some interesting data from the report:

• 341 brands were hijacked in August, the highest month on record
• Financial services was the most targeted industry sector
• Data-stealing malware was on the rise
• Total number of infected computers was down, though at 48.35% of the records, that’s over 11 million infected computers
• USA, China and Russia hosted the most malware

The report contains quite a lot of very specific data about phishing and malware, it’s a good read.

Via lockergnome

Highlights from the report:

- 69% of organizations suffering breaches were retailers. Finance was second most common.
- 66% of organizations had <100 employees
- Payment card data was compromised in 85% of cases (in all, they were not PCI DSS compliant at the time)
- 80% of attacks on data came from sources external to the organization (SQL injection the most common attack)
- 86% of compromises came from attacks on applications, with just 14% on the IT infrastructure
- Intellectual property was stolen in only 3% of organizations

You can see, from looking at the above data, that basic security requirements, like those of PCI DSS, do prevent data loss. In all the breach cases that payment card data was compromised, companies had no more than half the base requirements of the standard.

“Cybercriminals have figured out that they can saturate anti-virus labs by creating millions of samples,” Correll [PandaLabs researcher] said to SC Magazine. “By doing that they can slow down the response times and their infection ratio would be more successful.”

Details from the study:

• Banker trojans and fake anti-virus messages were the most prolific types of malware
• Cybercriminals favored social networking sites to spread malicious code
• Politically-motivated cyber-attacks increased in 2009 (interesting!)
• 92% of email traffic was spam
• Viruses were only third in terms of malware (6.61%)
• The countries with the most infections were Taiwan, Russia and Poland

View the rest of the report here [PDF]. The company predicts that the malware trend will only grow for 2010 – will be interesting to see how far above the 25 million new malware threats that the year will see. A great reminder to keep your software up-to-date so you always have the latest security patches! (Computrace and our new IT asset management acquired from LANrev can help with this)

Via SC Magazine

Cyber attacks are a growing issue to organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software is remaining un-patched and websites are not being scanned for common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations who want to ensure their defenses are up to date. The report shows some interesting patterns to data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

The data, compiled from application-related security incidents that are publicly reported, indicates that 19% of the hacks in the first half of 2009 were targeting social networking sites like Twitter and Facebook. This is the first year when social networks became an attack sector. In 2008, government was the leading sector being targeted. The data also indicates a 30% increase in overall web attacks compared to the first half of 2008.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

Download a copy of the report here.

Also making major news right now is the indictment of Albert Gonzalez on charges of hacking into the Heartland Payment Systems. Gonzalez is already awaiting trial over his involvement in the TJX hack, putting him as part of the hacking team behind two of the largest hacker-based breaches in history. Read more here.

The report indicates that cybercriminals are both exploiting social networks to identify potential victims and then using these networks to attack them. The report encourages Web 2.0 companies to defend their existing users, rather than focusing on growing their userbase at the expense of security standards.

In terms of business data, the survey indicates that two thirds of businesses are worried that information shared by employees online may put their corporate infrastructure at risk. Right now, a quarter of organizations have been exposed to spam, phishing or malware via social networking sites like Facebook, Twitter and MySpace.

Read more about, and download, the report here.

This information was reportedly made available online as the result of several initiatives. From what the report indicates, at least 250,000 bank / credit accounts were hacked into. Other information was the result of phishing, a process that dupes individuals to give over their details (such as log in details or credit card details). The information was intercepted over a four-year period by a British company, Lucid Intelligence, and collated into a single database, allowing these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The report from The Times indicates that other sensitive information, such as corporate email access details, is being sold in online forums or hacking websites. This puts companies at risk for data breach issues.

Individuals can search the database for free, for now, to see if their information has been sold online. It will specify what information about you is known – whether it’s just your email address, your mailing address, or more high risk information such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?

Symantec put together this list by looking at malicious code, spam zombies, number of websites hosting phishing sites, number of bot-infected computers controlled by criminals, and country of attack initiation. The study investigated data for 2008 to come up with this list.

Top 10 Countries with Most Cybercrime

1. United States - 23% share of malicious computer activity
2. China - 9% share of malicious computer activity
3. Germany - 6% share of malicious computer activity
4. Britain - 5% share of malicious computer activity
5.  Brazil – 4% share of malicious computer activity
6. Spain - 4% share of malicious computer activity
7. Italy - 3% share of malicious computer activity
8. France - 3% share of malicious computer activity
9. Turkey - 3% share of malicious computer activity
10. Poland – 3% share of malicious computer activity

As you can see, the US accounts for some 23% of the world’s malicious computer activity. That’s a big jump from those countries ranked lower on the list, with the US leading the way on nearly all of the malicious activities tracked by Symantec.

If you download the latest Spam Intelligence report, which looks at spam in the second quarter of 2009, you’ll see that overall levels of spam are on the rise. Malicious websites are also on the rise, with 67% more malicious websites blocked per day in June vs May of this year.

Via businessweek / Image: ppdigital @morguefile