The world wide web presents a wealth of opportunities for abuse. Data leakage, fraud, identity theft, compromised confidentiality, impaired computing capabilities, financial loss, legal action and damaged reputation can all result from an inadvertent visit to a malware-infected website, and all have the potential to seriously undermine a business.
‘Bad guys’ no longer rely primarily on email to pursue their nefarious objectives. The number of malware-infected sites polluting the web has grown significantly. MessageLabs Intelligence estimates that Internet users now make more than 100 million visits to malicious URLs every month.
Protecting your business is no longer simply a question of avoiding ‘dodgy’ or unknown websites. Mainstream sites are also being deliberately infected by cyber-criminals with spyware, trojans and other business-compromising malware.
The rise and rise of web threats
Cyber criminals’ underlying aim in concealing malware within a website is to take control of visitors’ computers. Once achieved, the scope to exploit the infected computer is almost limitless.
Fundamentally, any web-based attack comprises three components – the set-up, the hit and the aftermath.
In the set-up, the attacker decides why they want to gain access to someone’s computer. For example, they may want to steal sensitive data. They may want to track browsing habits or keystrokes, which could provide access to vital bank account passwords. Or they may want to recruit the machine to a botnet – a ‘robot network’ of computers that, unknown to their owners, can be used by remote controllers to fire out spam or malware-propagating emails. The relevant malware is then obtained and placed on the web.
In the hit, the attacker gets potential victims to download the malware. For this to happen, the victim first needs to visit the infected website.
They might arrive at the site in the course of their normal browsing behaviour. Alternatively, they might be led there by adverts, links in spam emails, instant messages, social networking sites or blogs, ‘sponsored links’ on internet search engines or malicious links designed to appear high up on search engine results. If a machine is already infected, a further possibility is that results generated by major search engines will lead not to the website indicated but to a malware-infected site.
In some cases, the victim then has to be lured into taking a particular action for the malware to be downloaded. Examples include:
- A ‘click here to install’ button that purports to let the victim download important software updates.
- A ‘you’re infected – click here to remove the virus’ pop-up alert.
- Malicious files placed in areas where the victim expects to download music, software, movies etc.
In other cases, however, no action on the part of the victim is required for the malware to download itself.
Obviously, techniques that require no action from the user, which are being deployed with increasing frequency, present an acute danger to web users.
In the aftermath, once the malware has installed itself on the victim’s machine, it performs the tasks it was designed to do.
The downloaded program may collect personal data, open ports to let the attacker further access the infected computer, change registry values, start or stop services/processes, edit and move files, or modify email, web browser and other software settings.
Such actions will, in turn, open up a range of options for the attacker. They could:
- Hold the victim to ransom by locking them out from their computer and demanding cash in return for a password to unlock it.
- Recruit the computer to a botnet and use it to send spam, steal credit card data, perform distributed denial-of-service (DDoS) attacks etc.
- Tell the victim their computer is infected (via ‘scareware’) and then charge for downloading useless remedial software, or download more malware to the victim’s machine.
- Steal personal information, monitor activity and collect data (passwords, email addresses, bank details etc.).
- Edit files so that visiting frequently browsed web pages results in the victim being redirected to malicious websites.
- Hijack the clipboard and alter material which, when pasted later (e.g. onto a site with user-generated content), contains different information such as a malicious weblink.
No safe haven
When web threats first started to appear, there were simple actions web users could take to reduce the likelihood of malware infection. For example, they could avoid dubious corners of the internet, such as pornography sites and sites offering illicit software, music and movie downloads.
Today, there are still many websites set up purely with malicious intent. These are commonly advertised to potential victims in spam, spIM (spam over Instant Messenger), blogs and social networking pages.
Attackers can place malicious files on perfectly legitimate sites. Visitors to a legitimate site can also be redirected to another site where malware is embedded. Another option is for the attacker to add scripts to a legitimate site that then automatically download malicious files from elsewhere. An even bolder technique is known as ‘clickjacking’. Here, the attacker alters what happens when a button or link is clicked, so that malicious code is executed instead of the proper function.
So why is it now comparatively easy for the bad guys to subvert reputable websites in this way?
Many websites harness multiple media types. Scripts, plugins, databases and other sites or servers may all contribute to a website’s overall content, and not all of them are necessarily under the control of the site’s owners.
A website can consist of up to 200 components. It only takes one of these to be compromised for a visitor to download malware onto their machine, and a compromised component can go unnoticed for some time. It’s usually the Internet security community that spots them first and alerts legitimate websites that they’re serving up malware.
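One defensive check that follows from the two paragraphs above is to list every remotely loaded component in a page the business serves and flag any origin the site owner never approved. The following is an added example, not code from the article or from MessageLabs; the allowlist, the sample HTML and the host names in it are constructed for illustration.

```python
"""Flag externally loaded page components whose origin is not on the site's allowlist.

Assumption (not from the article): the site owner keeps a list of hosts they
knowingly load scripts and frames from; anything else embedded in the served
HTML deserves a look. The sample HTML below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute pairs that make the browser fetch and run/render remote content.
LOADING_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ComponentCollector(HTMLParser):
    """Collect (tag, url) pairs for every remotely loaded component in a page."""

    def __init__(self):
        super().__init__()
        self.components = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.components.append((tag, value.strip()))


def unexpected_origins(html, page_url, allowed_hosts):
    """Return [(tag, url, host)] for components served from hosts not in allowed_hosts.

    Relative and protocol-relative URLs ("//cdn.example/x.js") are resolved
    against page_url first, so each component is judged by the host it really hits.
    """
    collector = ComponentCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, url in collector.components:
        host = (urlsplit(urljoin(page_url, url)).hostname or "").lower()
        if host not in allowed:
            findings.append((tag, url, host))
    return findings


# Constructed sample: one script from the site itself, one from its known CDN,
# one injected from a host the owner never approved (placeholder domain).
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//static.example-cdn.test/lib.js"></script>
<script src="http://unapproved-host.invalid/loader.js"></script>
</head><body><iframe src="https://example-shop.test/frame"></iframe></body></html>"""
```

Running `unexpected_origins(SAMPLE_HTML, "https://example-shop.test/", ["example-shop.test", "static.example-cdn.test"])` reports only the loader from the unapproved host; run against a copy of each page as it is actually served, the same check catches a script tag an attacker has appended to otherwise legitimate content.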
Attackers prey on the all-too-widespread belief that legitimate sites are ‘safe to surf’. They also exploit this belief by registering domains that look very similar to, but are not identical to, those of legitimate sites – a technique known as ‘typo-squatting’. In doing so, they hope users won’t notice that the URL they’re following is not quite what it seems and leads to an infected website.
Defending your business
For any business, the web represents a potential minefield. Nothing can be assumed to be ‘safe’. Without effective security in place, any organisation could find its operations fundamentally – and perhaps even critically – compromised. Indeed, it could unknowingly find its machines not just become infected but also play a role in espionage, extortion and other serious criminal activities.
What are you doing to make sure your company isn’t at risk?
– Andrew Gordon is the MessageLabs senior manager for enterprise and partner services (www.messagelabs.com.au)