For years, the scourge of the Internet has been ever increasing volumes of spam that clog inboxes around the world. According to a new report from Cisco (NASDAQ:CSCO), 2010 was the first year on record that spam volumes actually declined.
Cisco’s report also points out some counter-intuitive data about which types of technologies are being attacked. As opposed to Adobe PDF which had been a top target, Cisco said that Java vulnerabilities are now more exploited than those in Adobe Acrobat and Reader. Overall, Cisco is rating the status of cybersecurity threats at the end of 2010 at a level lower than they were in 2009, though there is still cause for concern.
The decline in spam volumes varies by geography according to Cisco. In the U.S., spam volume decline by 1.6 percent in 2010 in comparison to 2009. That said the U.S. still continues to lead globally in terms of spam with 11.1 trillion spam messages sent in 2010, down from 11.3 trillion sent in 2009. Among the other countries that experienced spam declines were Brazil with a 47.5 percent drop and Turkey which declined by 87 percent.
Mary Landesman, senior security researcher at Cisco, told InternetNews.com that the decline in spam volumes in 2010 was due to 8 major takedowns of spam senders. She noted that one of the biggest spam farms that was removed in 2010 was an affiliate marketing facilitator that was linked to pharma spam. Landesman said that by taking down the affiliate engine, the revenue stream for the pharma spam was cut off, which reduced the volume of spam.
The decline in spam, however, should not be confused with a decline in risk.
“Spam volumes are not really tied to risk exposure,” Landesman said. “Spam filters do an excellent job of keeping the stuff out people’s inboxes.”
She added that as a result of good spam filters, spam isn’t as much of a risk as it once was. On the other hand, the Cisco report points to a number of new trends in 2010 that due put users at risk.
Over the course of 2010, Adobe’s PDF products were attacked and updated multiple times. However according to Cisco’s data gathered from its ScanSafe cloud security division, Adobe PDF vulnerabilities were not the most exploited vulnerabilities during 2010.
“In 2010, exploited Java vulnerabilities outpaced the exploit of Adobe Reader and Acrobat,” Landesman said. “Java was 3.5 times more frequently exploited than were malicious PDFs. That really spells out the need for paying attention to what’s making the headlines but also paying attention to the types of things that aren’t making the headlines.”
The shift in attacks away from PDF toward Java occurred over a 12-month period. According to Cisco, in January of 2010 Java exploits represented 1.5 percent of web malware while PDF exploits accounted for 6 percent. By November of 2010 the tables had turned with Java coming in at 7 percent and PDF malware at only 2 percent.
As to why attackers shifted from PDF to Java, it all has to do with opportunity.
“There were some Java vulnerabilities along with exploit code that were disclosed in the first quarter,” Landesman said. “Attackers found that the attacks were working and the reason why it continued to be successful is because people were not focused on the need to patch Java.”
Oracle updated Java at multiple points throughout 2010. What’s not clear is whether or not all users properly updated to the lastest patched Java updates.
“The Java patch cycle is not as finely honed as perhaps it could be,” Landesman said. “There have been complaints for users that check for an update, the system says they’re updated, but they’re not actually updated.”
Another Java update issue cited by Landesman is when Java is updated but it still leaves an older version installed as well, which then is still exploitable. She noted that the Java update issues could just be user error, though they are still valid concerns.
“They lead to continued exposure even if the user has attempted to patch,” Landesman said. “The thing is, you really have to question how many users have really tried to patch Java.”
Landesman noted that there was so much attention focused on vulnerabilities in Adobe PDF in 2009 that by 2010 everyone was looking for them and making sure they were patched. In contrast there was no such focus on Java.
“Users still weren’t looking at Java and it just left this open potential for attackers to come and take advantage of the situation,” Landesman said.