Malware authors and hackers have to eat like the rest of us, but security data from 2008 suggests many engage in their illegal activities for other reasons besides a desire to get money. Twenty-four percent of all the attacks the Web Hacking Incidents Database logged for 2008 were related to website defacement.
The commercialization of the malware industry is a major trend we at Ars have followed, but the Web Hacking Incidents Database (WHID)'s 2008 annual report indicates that economics remains but one factor among many. Unlike most security reports, WHID samples a very small group of real-world, nonrandom attacks. There were 57 such incidents in 2008, 49 in 2007, and a total of 294 from 1999-2008. The organization changed its inclusion criteria in 2006; the current report only includes data from 2007 as reference material.
Of the 57 incidents the WHID analyzed in 2008, 24 percent of them—the largest single percentage—were aimed at defacing websites for the purpose of taking an ideological stand or conveying a specific political message. Other, more "traditional" activities were well represented—19 percent of attacks were aimed at stealing information, 16 percent planted malware, and 13 percent were meant to cause monetary loss. These last three categories are the ones that dominate security reporting—people tend to care the most when their wallets or personally identifiable information (PII) are at risk. Website defacement, however, should not be ignored.
"Web defacements are a serious problem and are a critical barometer for estimating exploitable vulnerabilities in web sites," according to the report. "Traditionally, defacements are labeled as a low severity issue as the focus is on the impact or outcome of these attacks...we found that the majority [of defacement attacks] were of a political nature, targeting political parties, candidates, and government departments...Others have a cultural aspect, mainly Islamic hackers defacing western web sites."
The WHID report specifically mentions Islam, but we saw other occurrences of the same behavior in 2008. When Russia invaded Georgia to "rescue" the region of South Ossetia last August, Georgian president Mikheil Saakashvili claimed that the country was under formal, organized Russian attack both online and in cyberspace. The attacks themselves were real—there's no doubt about that—but later, more thoughtful analysis indicated there was little reason to suspect the assault was formally approved by the Russian government rather than the work of politically motivated "hacktivists."
Go back a few more months in 2008, and it was India accusing China of hacking its online resources; step back into early 2007 and Estonian-Russian relations were temporarily impaired by an Estonian student who defaced his country's websites with pro-Russian propaganda. Hacktivism often rears its head when relations between two countries are at a relative low point and the situation is tense.
Security researchers have responded to the increasingly economically minded malware market by beginning to track attack vectors by how easily they can be monetized and spread, a trend we approve of. If WHID's results are valid and accurately map to the actual total number of online attacks, firms may also want to consider sociopolitical tensions between various nation-states when evaluating where hot spots are likely to erupt. Hackers may be motivated by financial reasons just as much as anyone, but there's clearly more than dollar signs motivating a large section of the community.
By Joel Hruska