McAfee Labs discovered 200 new malware applications a minute last year, three times the number from 2012. The volume of mobile malware alone grew 197% year over year.
As e-commerce has grown, software-as-a-service—or technology available over the Internet that typically requires less I.T. know-how to use—has become more available for e-retailers to simply download and start using from any computer.
Unfortunately mirroring that trend, the shadow industry that feeds on online retail has also seen a rise in available malicious software—or malware—for even non-technically inclined criminals to buy online and use to steal consumer credit card data.
In 2013, Intel Corp.’s cyber security firm McAfee Inc. discovered three times as many new malware applications on the web than in 2012, with a 52% increase in the number of new applications measured from Q3 to Q4. It published these findings in the last quarterly McAfee Labs Threat Report.
The gross numbers are not small. McAfee detected 200 new malware applications every minute—or three per second—last year, it says. At the end of 2013, there were more than 7.5 million malware applications at large on the web, up from just under 2 million at the end of 2012, McAfee says. Those numbers all represent “signed” malware, or vicious software disguised as legitimate applications using stolen security certificates—the kind that pop up when an application requests that a user install an update, for example.
As a first step in addressing the changing characteristics of cyber threats, Vincent Weafer, senior vice president of McAfee Labs, says, “We will need to learn to place more trust in the reputation of the vendor that signed the file, and less trust in the simple presence of a certificate.”
Malware for mobile devices is proliferating fastest. McAfee found 197% more mobile-specific malware applications in 2013 than in 2012, with 744,000 of them discovered in Q4 alone, it says. Mobile malware can infect a device via an app download or in an SMS message, as well as by visiting malicious web sites or opening malware-infected spam e-mails or tapping on infected ads.
The statistics are sobering for retailers facing newly heightened security concerns after e-retailers including Target and Neiman Marcus recently incurred some of the largest data breaches in retail history. Criminals likely purchased “off the shelf” malware to steal credit card data in Q4 and made a few customizations for it to penetrate the target retailer’s systems, McAfee says, based on its extensive analysis of the security breaches, which included studying the malware used in Target’s data breach. In Target’s case, the malware was based on one such “off-the-shelf” code known as BlackPOS, which has been leaked several times and “can be easily be modified and redistributed with little programming skill or knowledge of malware functionality,” the report’s authors write. “We must recognize that this class of attack is far from ‘advanced.”
Since the thefts, McAfee has tracked batches of 1 million to 4 million stolen credit card numbers for sale in Internet black markets, it says. Thieves can purchase the data with anonymous virtual currencies, such as Bitcoin.
“We believe these breaches will have long-lasting repercussions,” the report’s authors write. “We expect to see changes to security approaches and compliance mandates and, of course, lawsuits. But the big lesson is that we face a healthy and growing cybercrime industry which played a key role in enabling and monetizing the results of these attacks.”