Symantec itself hires workers in all of those areas of the globe, and there are often well-salaried positions available for developers with the level of coding skill that the security company is observing in the attacks coming out of the regions, Huger said.
However, the biggest catalyst to the advancement of the underground economy remains the ubiquitous nature of software vulnerabilities, allowing hackers to take over legitimate Web sites and online applications to deliver their attacks to unsuspecting users, Huger said.
Symantec is increasingly seeing those types of threats -- most notably cross-site scripting attacks -- outpace the creation of more traditional e-mail based exploits. During the last six months of 2007, Symantec tracked a total of 11,253 site-specific cross-site scripting vulnerabilities, far more than the than the 2,134 traditional vulnerabilities documented by the company during the same timeframe.
And of those cross-site scripting vulnerabilities, only 473 had been patched by administrators of the affected Web sites before the end of the year. Of the 6,961 site-specific vulnerabilities reported by Symantec for the first six months of 2007, only 330 have been fixed thus far.
Even in the cases where site administrators are able to fix the vulnerabilities, Huger said, they are typically slow to do so. However, during the second half of 2007, the average patch development time was 52 days, down from an average of 57 days in the first half of 2007.
Among the most commonly-exploited Web-oriented technologies were browser plug-ins, particularly those using ActiveX. Over the second half of 2007, Symantec documented 239 browser plug-in vulnerabilities, compared to 237 during the first six months of the year. During the second half of 2007, 79 percent of those vulnerabilities affected ActiveX components, compared to 89 percent in the first half.
As long as such vulnerabilities continue to make it possible for legitimate sites to get hacked, the only solution for the problem will be technological means by which sites themselves and their users can somehow authenticate each other, Huger said.
"At the end of the day, we'll never be able to drive out all vulnerabilities, so we need software that tells us that the site we're visiting is the site we really want, or that the e-mail we receive is from a trusted source," said the expert. "The criminals have elevated their work to the level where it's nearly impossible to discern something like a targeted phishing attack merely using the human eye, and they are only going to become even more creative is using social engineering to trick people into falling for their attacks."