Among the most vulnerable -- and the most lucrative for cybercriminals due to their enormous reach -- are trusted, popular sites with unpatched vulnerabilities. In mid-2007, iFrame and SQL injections of malware began infecting legitimate websites, and the public started to heed the warnings of IT security analysts and pundits. The tone of their battle-cry was calm but unequivocal: Web 2.0 -- and its defining features of social networking, RSS feeds, user-generated content and mash-up applications -- would open up new opportunities for cybercriminals.
Basic classification of websites is fine and necessary. But the approach doesn’t address the reality that good sites can turn bad in a matter of hours, or even minutes. Nor does it address the fact that criminals are using the entire internet as a computing grid for attacks, which raises the question: “Shouldn’t we be doing the same to protect ourselves?”
Across the internet, ever-growing botnets of hijacked systems are continuously scanning legitimate websites for vulnerabilities. When a weakness is identified, an injection attack follows; often it is nothing more than an invisible 1x1 white pixel at the bottom of a web page with an active script behind it that downloads malware from an obscure host. A user visits the infected page and the injected code dynamically calls the malware host to infect the user’s computer.
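The injection just described leaves a recognisable trace in the page source: an iFrame that is sized to one pixel or hidden by CSS and whose source is a host other than the site itself. The following detector, an added example that is not code from the original article, scans fetched HTML for exactly that pattern; the two sample pages and the hostnames in them are constructed for illustration.

```python
"""Flag hidden or 1x1 iframes that point off-site, the tell-tale sign of
the iFrame injections described above.  Added example; the sample pages
and hostnames below are constructed, not taken from a real incident."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (with or without units)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _is_hidden(attrs):
    """True if the frame is invisible to the user by size or by CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or re.search(r"(width|height):[01]px", style) is not None
        or _is_tiny(attrs.get("width"))
        or _is_tiny(attrs.get("height"))
    )


def find_suspicious_iframes(html_text, page_url):
    """Return [(src, reasons)] for each iframe that is both hidden and loads
    content from a host other than the page's own host.  Hidden same-host
    frames are left alone here because they are a common legitimate pattern
    (analytics, pre-loading); tighten the rule if your site never uses them."""
    parser = _IframeCollector()
    parser.feed(html_text)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden-or-tiny")
        if src_host and src_host != page_host:
            reasons.append("off-site:" + src_host)
        if len(reasons) == 2:
            findings.append((src, reasons))
    return findings


# Constructed sample pages: one clean, one carrying an injected 1x1 frame.
CLEAN_PAGE = """<html><body><h1>News</h1>
<iframe src="https://www.example.com/widgets/weather" width="300" height="200"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>News</h1>
<p>story text</p>
<iframe src="http://bad.example.net/x.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_suspicious_iframes(page, "https://www.example.com/news"))
```

Run against a crawler's copy of your own pages at regular intervals and alert on any new finding; because the injected frame is usually appended at the end of the document, diffing today's findings against yesterday's catches a compromise within one crawl cycle rather than waiting for a visitor to be infected.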
In March of this year, a malware campaign relying on iFrame injections wrought havoc on high-profile sites — among them USAToday.com, Target.com and Walmart.com.
Instead of the more common approach in which criminals create botnets to do their dirty work around the clock, the campaign leveraged the sites' own internal search engines: malicious code injected into search terms ended up in the search result pages, which “poisoned” the search engine cache feature (sites often store internal searches to augment their Google rankings).
On Google, when a user searched for a popular keyword, the poisoned cached page popped up. An HTML command tacked onto the end of popular keywords then opened an invisible iFrame in the user’s browser that redirected the user to a malicious host, which tried to install bogus anti-spyware or a malware Trojan on the user’s PC. More than a million web pages were infected, according to Dancho Danchev, a security analyst and blogger. With Google the point of entry, hackers were virtually guaranteed massive distribution. And in the cybercrime world, the more computers infected, the better they can collect information for profit.
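The cache poisoning works only because the search term is written into the cached page as raw HTML. The following example, added here and not part of the original article, shows the two controls that close that gap on an internal search feature: escape the term on output, and only store pages for terms that look like ordinary search text. The page template, the `SearchCache` class and the sample queries are constructed for illustration.

```python
"""Harden an internal-search cache against the poisoning described above.
Added example; the template, SearchCache and sample queries are constructed."""
import html
import re

# Only searches made of ordinary words and light punctuation are worth
# caching for ranking purposes; anything else is rendered but never stored.
CACHEABLE_QUERY = re.compile(r"^[\w\s\-'.,]{1,80}$")


def render_search_page(query, titles):
    """Build the result page.  Every user-controlled value (the query and the
    result titles) is HTML-escaped, so a term containing markup is shown as
    text rather than interpreted by the browser of a later visitor."""
    safe_query = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in titles)
    return f'<h1>Results for "{safe_query}"</h1><ul>{items}</ul>'


class SearchCache:
    """In-memory stand-in for the 'store internal searches' feature."""

    def __init__(self):
        self._pages = {}

    @staticmethod
    def key(query):
        # Normalise case and whitespace so variants share one cache entry.
        return " ".join(query.lower().split())

    def get_or_render(self, query, titles):
        """Return (page_html, cache_hit).  Pages for non-cacheable terms are
        rendered for the requester but never enter the cache."""
        k = self.key(query)
        if k in self._pages:
            return self._pages[k], True
        page = render_search_page(query, titles)
        if CACHEABLE_QUERY.match(query):
            self._pages[k] = page
        return page, False

    def size(self):
        return len(self._pages)


if __name__ == "__main__":
    cache = SearchCache()
    print(cache.get_or_render("cheap flights", ["Fares this week"]))
    print(cache.get_or_render('flights<iframe src="//x.test">', ["Fares this week"]))
    print("cached pages:", cache.size())
```

Escaping on output is the control that actually neutralises injected markup; the allow-list on what gets cached is a second layer that keeps junk terms from ever becoming indexable pages, which also limits the ranking side-effect the attackers were exploiting.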
According to a July 2008 threat report from Sophos Labs, 90 percent of web-based malware shows up on trusted and popular sites. The vast majority of these sites are categorised as trusted by security solutions, meaning static web gateway defenses allow users access to them. But good sites can go bad in a matter of minutes, and against such dynamic evolution the traditional 'one against the web' security defenses do not work. Instead, enterprises also need a similarly dynamic protection system that unites users in a community where the discovery of malware by one is shared with all, providing protection in numbers.