In February, web security firm Finjan said it uncovered an illegal database containing more than 8,700 stolen FTP server credentials.
“You basically own their website,” Landesman says. “You can make any modification you want. The attacker can even change security settings to allow future attacks to take place.”
She also warned sites that rely on third-party offerings, such as a web server (open-source Apache is hugely popular) or blog software, to ensure those programs are updated with the latest patches and deployed with their security settings turned on.
Other threats
Meanwhile, Grossman – who says he successfully predicted a few years ago the rise of SQL and XSS attacks – thinks another major wave of web-based ambushes is on the way.
Business logic flaws, as they are known, include insufficient authentication and information leakage. They are simple glitches that have the ability to financially cripple a company, Grossman says. Yet, unlike poorly written code, these design flaws cannot be scanned for.
One prominent example: a North Carolina woman was found guilty of wire fraud last October after discovering a way to order items on QVC.com, cancel them without being charged, yet still have the merchandise delivered. She then sold the items on eBay, profiting more than US$400,000.
“They are very easy to exploit and very hard to see,” says Grossman, who presented on the topic last month at the Black Hat conference in Las Vegas.
Of course, when discussing website security, it would be a vast oversight not to mention phishing – the age-old scheme in which cybercrooks trick users into giving up their personal information.
Phishing attacks are more sophisticated than ever, says Avivah Litan, vice president and distinguished analyst at Stamford, Conn.-based Gartner. A December study of 4,500 U.S. adults shows a 118 percent rise in the number of phishing emails received over the past three years (3.3 percent of respondents lost money as a result).
The seriousness of the phishing threat was underscored in July when researchers at Indiana University reported that of some 2.5 million pages they examined, 128,000 contained open redirects. This meant phishers could add some quick code to a web address and redirect users to the website of their choice.
“The query string part of the URL allows you to provide parameters of where you want things to go,” says Craig Shue, a Ph.D. student and one of the lead researchers.
To the victim, he says, the URL for the phishing site would appear just like the legitimate domain name, just with some added characters that allowed the page to redirect somewhere else.
“It's really just routing through the legitimate site to the bad site,” Shue says. “It's taking advantage of the user's familiarity with the brand and using it against them.”
As was the case with SQL or XSS, poor coding by developers is to blame, he says.
As a way to combat phishing, the CA/Browser Forum, a group of certification authorities and web browser software manufacturers, created an extended-validation SSL certificate, first released last year.
The new certificates differ from their predecessors in that they are represented by a green shade in the address bar, while the name of the site and its company location are displayed on the browser chrome, says Tim Callan, vice president of SSL marketing at VeriSign. So far, roughly 6,000 companies – each vetted by a certificate provider – have deployed the new technology.
The goal is to increase consumer confidence by making website visitors more informed and more aware of what to look for in a trusted site – in this case, green, Callan says.
“The name of the site appears on the chrome of the browser,” he says. “It can't be changed or manipulated. A person who runs a false site can make their HTML look like Bank of America. What they can't do is put Bank of America in the green spot in the chrome of the browser to the right of the address bar in Internet Explorer 7.” (In Firefox 3, the chrome appears to the right of the address bar).
But Litan questions the effectiveness of such seals of approval. “It will tell you if a company is registered with a legal authority, but that doesn't mean they're not a crook,” she says.