Predicting the future of abuse, part 2

Following on from my previous post, what does the future of Internet abuse look like?  Here’s what I think:

  1. The proliferation of smaller devices will shift malware away from PCs to phones and tablets

    Crime will not go away.  The reason criminals started writing botnets for mobile applications is because they are popular with users.  That’s where the money is.  Thus, even though Google says that its malware detection is getting better, the more Android becomes popular, the more of a target it will become.

    Tablets are in the same boat.  The Samsung Galaxy, iPad, Android tablet, Kindle Fire and Nook, if they remain open platforms or become more open, will become popular targets in proportion to their popularity.

    Furthermore, as these devices start to enable consumers to do more financial transactions, more malware will appear that will siphon off funds from those transactions, or redirect funds (e.g., rogue apps that send money back to spammer when you click on an ad, rather than the app’s original author).

  2. Some (many?) modern filtering techniques will become obsolete

    IPv6 is fantastic from a network management perspective, but it’s a headache for Internet security specialists because it drops the efficacy of filtering techniques.

    For example, IP blocklists are the most important line of defense in spam filters.  But if we allowed unauthenticated mail from IPv6 address space, it would render blocklists useless because each new spam could be sent from a different IP.  Luckily, the email world knows this and is not about to permit email suicide.

    Even URL filters are affected.  One thing that spam filters do is URL host resolution.  You take a spammy domain, find out its A-record (the IP that it points to) and use that for reputation analysis.  If spammers have tens of thousands more IP addresses to flux through, this doesn’t work.

    But it’s not just email filtering.  Some portals like Windows Live, or Google, or Facebook, allow users to sign up and create accounts which they can use to log in to various services like Blogspot.  These services use signup IP addresses as a method of performing fraud detection (e.g., 1000 signups out of 1100 from one IP were malicious).  With IPv6, a spammer can rotate through a lot more IP space which makes this anti-fraud detection less effective.
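    As an added illustration of the blocklist point above (my example, not the author's code): per-address reputation never accumulates when a sender rotates through fresh addresses, whereas keying the reputation on the IPv6 /64 (assumed here to be the usual allocation unit, an assumption the post does not make) still sees the rotation as one sender.  All addresses are constructed from the RFC 3849 documentation prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations: (sender address, was_spam) as a mail filter
# would record them. The spammer rotates through never-reused addresses inside
# one /64; the legitimate sender always uses the same address.
TRAINING = [(f"2001:db8:1:2::{i:x}", True) for i in range(1, 21)] + \
           [("2001:db8:ffff::25", False)] * 20
NEW_SPAMMER = "2001:db8:1:2::abcd"   # fresh address, same /64 as the rotation
GOOD_SENDER = "2001:db8:ffff::25"


def per_address(addr: str) -> str:
    """Reputation key used by a classic per-IP blocklist."""
    return str(ipaddress.ip_address(addr))


def per_prefix(addr: str, v6_bits: int = 64, v4_bits: int = 32) -> str:
    """Aggregate IPv6 senders to their /64 (assumed allocation unit);
    IPv4 keeps per-host granularity so existing behaviour is unchanged."""
    ip = ipaddress.ip_address(addr)
    bits = v6_bits if ip.version == 6 else v4_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def build_reputation(events, key):
    """Count spam and ham observations per reputation key."""
    rep = defaultdict(lambda: {"spam": 0, "ham": 0})
    for addr, is_spam in events:
        rep[key(addr)]["spam" if is_spam else "ham"] += 1
    return rep


def should_block(rep, addr, key, min_spam=5, max_ham_ratio=0.1):
    """Block only a key with an established spam history; unseen keys pass."""
    r = rep.get(key(addr))
    if r is None:
        return False
    total = r["spam"] + r["ham"]
    return r["spam"] >= min_spam and r["ham"] / total <= max_ham_ratio


def blocked_under(key):
    """Return (new spammer address blocked?, legitimate sender blocked?)."""
    rep = build_reputation(TRAINING, key)
    return should_block(rep, NEW_SPAMMER, key), should_block(rep, GOOD_SENDER, key)


if __name__ == "__main__":
    print("per-address:", blocked_under(per_address))  # (False, False)
    print("per-/64:    ", blocked_under(per_prefix))   # (True, False)
```

The per-address blocklist lets the fresh address through every time, which is exactly the failure the paragraph describes; the /64 key blocks it without touching the legitimate sender in another prefix.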

  3. Do-it-yourself malware will become more prevalent

    One of the malware families that is notorious for customizing its target payload is Zeus.  Let’s say that a phisher wants to target Wells Fargo customers and Bank of America customers.  But, he wants to do this in two separate spam runs.  If both of these banks have two-factor authentication, a Zeus malware would customize its payload so that when it spammed one set of users, it spoofed Wells Fargo’s security mechanisms, but when it targeted the other users, it spoofed Bank of America’s.

    Right now, a spammer has to go to a great deal of time and effort to customize his malware, but it’s worth it in the end.  In the future, the cost of doing this customization will drop and other authors will write more defined modules where less-skilled users can select pre-written targets for their next campaign.  This will decouple the author of the malware from the user of it even more.

    In other words, just as we have rapid deployment of user-friendly legitimate software today, in the future we will have more user-friendly malicious software.

I thought about including hacking in this, but decided to exclude emerging social trends and instead focus on the technical ones.

Thus, these are the top level predictions that I see.
