The great crimeware boom of 2008, plus happy blowback

Looking for a recession-proof career that's booming? No one's recommending that you actually go into the malware business, of course, but the numbers for 2008 are perversely upbeat. There's even some genuinely good news for you.

The Anti-Phishing Working Group reports, for instance, that phishing-related malware (or "crimeware," as they call the stuff) had an absolute boom in the second quarter of 2008 (PDF available here). The group's analysis found a remarkable 9,529 URLs spreading phishing warez by the end of June; that's 258% higher than the number recorded during the same period last year.

The apps that power such sites were burgeoning too, hitting a record high of 442 in May '08. Dan Hubbard, CTO of Websense, says that's largely attributable to an upsurge of code used in SQL injection attacks, which have made a big splash in '08.

Phishers often target very specific brands, and AWPG evidence suggests that phisher R&D on how best to do that is reaping fine returns. The number of brands targeted, according to AWPG researchers, continued to rise through the period examined. Meanwhile, the number of "brand-domain pairs" -- a legit URL and the fake URL used to scam the real business' would-be customers -- has dropped.

That sounds like good news, but a closer look suggests that the phishers have simply gotten better at their work. (Bait the hook better and you need fewer hooks.) 294 brands experienced hijacking during the quarter, also a new record.

Dave Jevans, chair of the AWPG, says that the state of the rest of the economy's only helping the bad guys.

"The current financial crisis has also been used by phishers to create new scams that try to scare consumers into entering their usernames and passwords into sites that mimic those of well-known distressed financial institutions," Jevans wrote. "As the economy degrades, we are seeing a continual increase in malicious and criminal activity on the Internet." Phishing attacks were 13% over the course of the quarter.

Still, it's the wild rise in crimeware that's got him really worried. Noting that he hasn't seen activity levels like this at any point in the AWPG's five-year history, Jevans says that "While phishing continues unabated, the most concerning trend is the dramatic rise in crimeware and the Web sites that distribute it."

A bit of good news, though, for those who have made it through the article to this point: Sometimes things stay fixed longer than you'd dared hope. Last month we reported on the takedown of McColo and the ensuing pandemonium among the botnet crowd. Since then, the biggest botnets -- Srizbi, Mega-D, and such -- have been making their way back online, and experts widely predicted that the break everybody got from the junk-mail flood might be a short-lived respite.

But guess what? Four full weeks later, things are still looking pretty good in the average inbox. We checked in with Matt Sergeant, senior anti-spam technologist for MessageLabs (now part of Symantec), and he confirms that our eyes do not deceive us: "Although volumes have increased slightly since the early days of the McColo downfall, they are not yet back in anywhere near the same volumes. Some botnets such as Cutwail and Mega-D have increased output since the McColo incident, presumably as customers switch to these botnets from the larger Srizbi botnet. But we are yet to see a full rise back to the days before McColo was taken down."