Hackers are changing their habits and using new methods which are web-based, dynamic in their nature and hidden in otherwise legitimate sites. The end-user remains the weakest link in web security as malware authors exploit this weakness to launch their attacks, preying on human interest, curiosity and behavior. Social networks are “trusted” and users rely on their IT administrator to provide protection, thereby lulling everybody into a false sense of security.
1. Exploiting news events – hackers use headline stories to trick users
Barely 24 hours had passed following the announcement of Gaddafi’s death before we started to see targeted malware being released to exploit the public’s curiosity about this big news story. Cyber-criminals will take advantage of human interest – and big world news stories – as these generate a huge amount of coverage and internet activity. The same occurred when Bin Laden died and when the Royal Wedding was held – and the trend will continue. This same trick is used for Halloween and other seasonal stories; we’ve seen many of these emerge on social networking sites and elsewhere. Socially engineered attacks convince users to download content supposedly related to the event that is in fact infected with new strains of malware. Any event which is highly newsworthy and generates interest will be used to propagate malware, scams and other fraud.
2. Insecure browsers and plug-ins – using only Windows Update is not enough
Although your favorite web browser and operating system may be secured and patched, the reality is that most people do not update browser plugins. Java, Adobe Flash and Adobe Reader browser plugins are often outdated and there are many web exploits which use this weakness to infect networks. Web exploits which target these vulnerabilities specifically (such as the Blackhole exploit kit) are becoming increasingly popular in the cyber-criminal community.
3. Compromised high-profile websites and “drive-by downloads”
So how do these exploits spread? The first method is “fast-flux” sites: websites which are created solely for the purpose of distributing malware for a short time. The second way is by compromising a high-profile website and injecting a “drive-by download” – a piece of code which infects a user as soon as they visit the website (there’s no need to click anything – simply visiting the website will infect the user’s machine, hence “drive-by”). The usps.gov website and the mysql.org website were both subjected to these kinds of attacks.
There is a third method of spreading these infections. Rather than exploiting a specific website, malware authors submit infected content to web advertising companies. This content is then passed on to thousands of websites affiliated with these advertising companies, and any website hosting these adverts will distribute malware until the code is detected. The London Stock Exchange was one website exposed to this kind of attack this year, though it was by no means the only one.
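As an added defender-side example (not code from the original article): a small Python scanner, run over a constructed HTML page, that flags invisible iframes, a common way injected drive-by code is hidden on an otherwise legitimate compromised site. The article does not name the injection technique, so the hidden-iframe pattern and the `malicious.invalid` host are assumptions made for the example.

```python
import html.parser


class HiddenFrameScanner(html.parser.HTMLParser):
    """Collect <iframe> tags that are effectively invisible to the visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        # 0x0 or 1x1 frames render nothing but still load their src
        dims = [a.get("width", ""), a.get("height", "")]
        if any(d.strip().lower().rstrip("px") in ("0", "1") for d in dims):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def scan_html(page):
    """Return the hidden iframes found in an HTML document."""
    scanner = HiddenFrameScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with a normal embedded video frame,
# plus one injected line of the kind a compromised site might carry.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
<p>Read our latest press release.</p>
<iframe src="http://malicious.invalid/x.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in scan_html(SAMPLE_PAGE):
        print(f"hidden iframe -> {src} ({', '.join(why)})")
```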
4. Search engine poisoning
End-users have grown accustomed to trusting search engines. They (wrongly) believe that a renowned search engine, such as Google or Bing, would never direct them to a website which is infected with malware. But search engines do not really make a distinction between websites; they display search results according to their ranking algorithms. As a result, malware authors inundate search results with links to baited pages that take users to malicious websites which will download malware onto their computer. Since users were becoming suspicious of clicking certain types of links, this kind of poisoning has now shifted towards image searches, which are much harder to prevent.
As web threats continue to evolve, it becomes harder and harder to ignore the threat posed by user web browsing, and as attacks continue to evolve, you need to make sure that your web browsing activity is not giving you more than you bargained for.