Cybercrime gangs are targeting corporate networks through unsuspecting company executives, while global brands have been put at risk through website infection.
These are some of the findings of the Sophos Security Threat Report, which examines existing and emerging security trends and has identified that criminals have honed their attacks to take advantage of weaknesses in the corporate workplace.
At the same time, 2008 has seen unprecedented numbers of attacks against company websites, designed to infect visiting customers.
Corporate executives have been put at risk during the first six months of 2008 with targeted attacks, known as spear-phishing, designed to steal information from individuals at specific corporations rather than the internet community at large.
In April there was a specifically targeted malware campaign e-mailed to chief executive officers of various companies, all pretending to be subpoenas from US federal courts, trying to frighten the hand-picked recipients into opening the dangerous attachment.
In the report, Sophos experts note that with the continuing popularity of social networking sites, including Facebook and LinkedIn, among business users, cybercriminals who have already gained access to user profiles, may begin to use these as corporate directories, noting new employees and launching spear-phishing attacks specifically aimed at stealing information from new and unsuspecting members of staff.
"To guard against this risk, all organisations should ensure employees are fully educated about the dangers of posting too much information on these sites, and of accepting unsolicited friend requests," says Brett Myroff, CEO of regional Sophos distributor, Sophos South Africa.
Meanwhile, the first half of 2008 has seen total amount of malware samples in existence to exceed 11-million, with Sophos currently receiving approximately 20,000 new samples of suspicious software every single day – one every four seconds.
The greatest explosion has been in malware spread via the web, the preferred vector of attack for financially-motivated cybercriminals.
On average, Sophos detects 16 173 malicious webpages every day – or one every five seconds. This is three times faster than the rate seen during 2007. 90% of the infections are on legitimate websites that have been successfully attacked by hackers.
Thousand of websites belonging to Fortune 500 companies, government agencies and schools have been infected, putting visiting surfers at risk of infection and identity theft. High profile entertainment websites such as those belonging to Sony PlayStation, Euro 2008 ticket sales companies, and UK broadcaster ITV are amongst the many to have suffered from the problem.
"Businesses need to take better care of securing their computers, networks and websites. They not only risking having their networks broken into, but are also putting their customers in peril by passing on infections," says Myroff. "But office workers must also realise that visiting an infected website from your work PC, or sharing too much personal or corporate information on sites like Facebook, could lead to you being the criminal's route into your company."
Although most attacks are now taking place via infected websites, email continues to present a danger. It is common for cybercriminals to spam out links to compromised websites, often using a subject line and message to tempt computer users into clicking through the promise of a breaking news story or a sensationalist topic.
Malicious email attachments, although less frequently used than in previous years by hackers, still pose a threat. The Pushdo Trojan dominated the chart of most widespread malware spreading via email, accounting for 31% of all reports. Pushdo has been spammed out during the year with a variety of disguises, including claiming to contain nude photographs of Hollywood stars Nicole Kidman and Angelina Jolie.
"Can any company honestly say that none of its staff would click on an email claiming to contain nude photos of a Hollywood celebrity? Workers often put an organisation at risk, and that's why companies must protect themselves with a solid multi-tier defence against the latest net threats," he adds.