"2004 has been the year of phishing"
Those were the words of Steve Purdham, chief executive of SurfControl. And in the mind of many within the security industry they succinctly sum up the year for security vendors and consumers alike. All major vendors appear to agree. For once.
Of course if it really was that simple then security during 2004 wouldn't have been the story it was and wouldn't have continued to drive the levels of spending which it inspires. But as summaries go it's pretty much 'on the money'.
And money was a huge issue this year. It was the reason why we saw many of the threats we did and a portentous coming together of the usual suspects.
Graham Cluley, senior technology consultant at Sophos, said: "During the course of the year we have seen a real shift in the reasons why people write viruses. Two or three years ago, and even up until last year, there was this frat-boy mentality - the kids in their mums' basements trying to cause mischief or impress their mates."
It wasn't just viruses, according to Kevin Hogan, senior manager for Symantec security response EMEA, "mischief and gaining kudos among their peers" has been replaced by the realisation that there is serious money to be made from phishing, spam, spyware, viruses and worms. This is the reason why many of those threats and their perpetrators are joining forces.
The earlier singling out of phishing is not to say it posed any more of a threat than anything else per se, but it was largely a new phenomenon and represented the dawn of a new age of identity theft, supported by growth in the threat of spyware.
A spokesman for CyberTrust said phishing scams have existed for years, but attributed the sudden rise over the past 12 months to the fact that enough people now shop and bank online to make blanket email campaigns financially viable for the phishers.
But crime relies upon three things - motive, opportunity and ability.
The number of people banking online has certainly created the opportunity and their money is the motivation, but the ability owes everything to 'botnets' which became ever-present in security conversations this year.
A botnet is the end product of spam, virus and Trojan activity. It represents a network of compromised machines whose processing power and bandwidth can be abused by spammers and scammers to pump out vast volumes of email. This potential saw the virus writers and spammers buddy up in 2004, apparently under the influence of organised crime.
Often users whose machines are infected with remote access Trojans will be unaware of the part they are playing in perpetuating the problem of spam and phishing - and nothing creates the ability to build botnets better than already having access to a botnet. It is a cycle which gives vendors reason to predict a bleak outlook for 2005.
Sophos' Cluley said: "This is now big business and when business gets involved it all gets a lot nastier."
The creation of a botnet can prove a great money spinner, with capacity being rented out for around $10 per hour, according to MessageLabs.
Mark Sunner, chief technology officer of MessageLabs, said: "Botnets are the primary delivery mechanism for around 70 per cent of spam and almost all phishing scams. The reasons why are fairly obvious - the sender gains the ability to massively amplify the volume being sent whilst at the same time gaining almost total anonymity."
"That's obviously pretty alluring stuff for the bad guys and because of this we can expect this trend to continue unabated," he added.
Because of this unholy alliance, spam and viruses continued to be a problem - more so than ever before. MyDoom and Bagle both appeared bent on creating botnets while the all-conquering Netsky appeared a throw-back to the days of mischief - apparently the work of a German teenager who found himself in the middle of a virus-writing war before getting caught and controversially offered employment with a security company - much to the derision of the rest of the industry.
An increase in people's online activity and expectations of widespread, multi-device connectivity also increased the security threat exponentially.
"If you stay in your home there is always a chance an attacker will come through the window and assault you, but it is a pretty slight risk," explained SurfControl's Purdham.
"But if you go outside and walk the streets that risk increases."
The same is true of IT security. Within the four walls of the office, security is pretty refined but the clamour for increased mobility and the expansion of the perimeter during 2004 mean nothing can be taken for granted.
Mark Murtagh, technical director of Websense, agreed that the push for mobility in 2004 has stretched many defences to their limits and said it has done much to undermine all the hard work companies have done securing the perimeter in previous years.
Over the course of the year human behaviour became an ever more important 'infection vector'. Of course social engineering and general fallibility mean the 'people factor' has always been integral to any attack, but now people were becoming the driver rather than the enabler. The desire for wireless access, the need for multi-device mobility and the emergence of the security industry's current bête noire - the USB data key as the en vogue branded giveaway of choice - meant the perimeter really was a thing of the past.
And that's not even to say companies had an effective handle on security within the perimeter. This was perhaps most clearly evidenced by the threat posed by applications such as instant messaging and peer-to-peer networks. The former has certainly hit the radar screens in 2004.
Compliance was a major factor in driving that awareness. Companies had lost control of what data was flowing in and out of their network and how their employees were communicating. Tighter regulation such as Sarbanes-Oxley section 404, which came into effect on 15 November, told them that could no longer be the case. Common sense should arguably have tipped them off long ago.
The issue of companies not knowing what was happening on their networks was seen most clearly with the emergence of spyware as a major issue. Applications which betray corporate data, such as usernames, passwords or personal data such as banking details, reside on hundreds of thousands of computers - often unknown to the user. Spyware has seen innovation as well. Keyloggers, which record every stroke on the keyboard and decipher strings such as passwords, are being replaced by applications which actually record a screenshot with every click of the mouse or keystroke, according to Websense's Murtagh.
Kailash Ambwani, chief executive of FaceTime, said: "Users will go to a Web site and unbeknownst to them they may be downloading all this spyware. It happens on peer-to-peer networks such as Kazaa as well and while some of it is fairly benign adware there is some real nasty stuff out there."
There is also a growing fear that even "benign" data, in the wrong hands, could be used to tailor ever more effective phishing attacks. MessageLabs' Sunner believes it is "a certainty" that cookies and adware placed by reputable retailers and banks will be a target for malicious spyware that will infect a machine and 'have a look around' to learn more about the user.
But not all activity was so covert. Some of the criminals even had a vested interest in putting their heads above the parapets and making themselves known.
One of the newest trends was the continued emergence of 'hackmailing' - extortion with a threat to bring down a website if certain funds aren't paid. Online bookmakers were the most commonly targeted with threats appearing in the run up to major sporting events, such as the Grand National in April, when revenues were greatest and concerns of downtime highest.
In July one such gang were arrested, drawing praise from the betting industry, but the problem has not gone away.
And then there was the old 'favourite' - spam. The fact that 2003 was definitely the year of spam sadly didn't render the menace 'so last year'. The amount being sent continued to increase through 2004 as did its share of total global email traffic.
One of the strangest stories of the year saw Lycos fly in the face of overwhelming conventional wisdom and combine the problems of spam and denial of service attacks in an attempt to create a force for good.
The scheme failed very publicly and potentially only worsened the problems facing users.
Again growing sophistication was a trend with spam. The spammers appeared to be putting greater planning into campaigns and were tailoring their bulk mailings to reflect trends within society. The US election was a popular subject as was an apparent 'bling bling' subculture which fuelled a massive explosion in emails selling counterfeit Rolex watches.
Spam will of course continue to be a problem into 2005. Other 'ones to watch' are the increase in threats posed to mobile devices such as smart phones. Proof of concept was as bad as this got in 2004 - with many more buying such devices in the 3G age it's likely proof of concept will become a very real threat.
But it is the new threats of phishing and spyware which are causing the greatest concern - as does the potential for the alliance of spammers, virus writers and organised criminals to 'up the ante'. Typically, as seen with viruses and spam, these threats take time to reach maturity. Although that development time is decreasing with the arrival of each new threat it's likely 2004 saw just the tip of the iceberg of its greatest threats.










