Criminals are compromising websites more often, not only to steal data directly, but also because a compromised site provides an ideal conduit for distributing malware (malicious software) and crimeware.
While traditional phishing strategies are still used by online criminals, compromising a real website is an even better attack vector: the cyber criminal does not have to dupe the user into unusual behaviour by masking invalid URLs, creating fraudulent web pages, and so on.
This trend has been identified in a large number of recent studies:
The August ScanSafe analysis of SQL injections revealed that the attacks have been used to distribute a ‘trojan cocktail’ including a keystroke-logging trojan and a backdoor that attempts to connect to a remote website.
IBM’s August X-Force 2009 Mid-Year Trend and Risk Report revealed a 508% increase in the number of new malicious web links in the first half of 2009. These malicious links were not limited to malicious domains or untrusted websites. Instead, the malicious code was discovered on a large number of trusted sites such as search engines, blogs, bulletin boards, online magazines and mainstream news sites. For instance, in September the New York Times and Public Broadcasting Service websites both served malicious advertisements.
The Websense report ‘State of Internet Security, Q1 – Q2, 2009’ identified similar trends:
- the number of malicious websites increased by 233% over the six months of the study and 671% over the previous year
- 77% of websites with malicious code were shown to be legitimate sites that had been compromised
- 61% of the ‘top 100 websites’ either hosted malicious content or contained a masked redirect to lure users from legitimate to malicious sites
The SANS report also highlighted the emerging trend of trusted websites becoming an unwitting distribution vector for malicious code.
“These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits… Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.”
In a 9 September article called 7 Reasons Websites Are No Longer Safe, Bill Brenner identified the following seven critical issues for websites that the ordinary user may think are trustworthy:
- polluted ads (advertisements containing malicious code served through the target website but drawn from another, compromised, file server)
- SQL injections
- user-provided content (e.g. corrupted videos, links laden with malicious code, etc.)
- stolen site credentials (allowing hackers to upload malicious code to the web server)
- compromised hosting service
- local malware (which is activated only in specific circumstances, e.g. when visiting Internet Banking)
- hacker-engineered fakes (phony security software, or scareware).