Don’t be a drive-by victim

Tens of millions of websites may be infected by malware but often it’s only when the victims complain that the crime comes to light

It’s called “drive-by downloading”: poisoning a computer with malware when the unsuspecting owner visits an infected website.

All the victim has to do is download a file, install a codec, click an ad or follow a link, and suddenly they’ve handed control of their computer to a gang of crooks who can trawl it for confidential information, hoodwink the owner into buying snake-oil anti-virus software, or turn the machine into a zombie warrior to send out spam or attack other websites.

It’s estimated that tens of millions of sites may be infected at any one time; security firm Sophos finds an infected web page every 4.3 seconds.

But the scariest thing is that in most cases – 84 per cent according to web security specialist M86 Security – the website owner is completely unaware of what’s going on. Often the first they know is when the victims complain.

The more reputable the site owner, the better for the criminals, says Bradley Anstis, M86 Security’s vice-president of technical strategy. Then users are all the more ready to trust the site if it wants to download something on to their computer. Broadcasters, newspapers, retailers, political parties, even stock exchanges, have all been infected – sometimes for just a few hours before the criminals move on to avoid detection.

Instead of dishing out malware the crooks may prefer to loiter for weeks or months, silently reading customers’ credit card numbers entered on to a retail website or personal information typed into an online dating agency.

Sites commonly become compromised in one of two ways, says John Stock, senior consultant at information security firm Outpost24. The advertisements that scream for our attention on almost every commercial website are often supplied by third parties, some of whom are none too fussy about where they get the ads from; it’s easy for crooks to slip in some that are contaminated with malware.

Alternatively, criminals use automated software that sniffs out unprotected back doors in poorly coded or badly maintained websites – of which there are many, says Stock. Sometimes hackers can alter the website code from the outside, or they “inject” a piece of SQL code that can induce errors in the site or steal information; SQL injection is the most serious threat to web applications, according to the Open Web Application Security Project (OWASP).

Another favourite tactic (and OWASP’s number two threat) is cross-site scripting, where a piece of JavaScript code is insinuated into a website – for example, via a comment on a forum – which may steal the victim’s identity cookie or record everything they type, such as credit card numbers or log-in details.
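How a site can defend against the forum-comment scenario described above, as an added example that is not part of the original article: the comment is encoded before it is written into the page, and the identity cookie is marked so page scripts cannot read it. The function names, the cookie name `sid` and the sample comment are assumptions made for illustration.

```javascript
// Added example (not from the article). All names here are illustrative.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the comment body is pasted into the page as markup,
// so any script it contains runs in every visitor's browser.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened: both fields are encoded, so the browser displays them as text.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Identity cookie that page scripts cannot read (HttpOnly) and that is
// only sent over HTTPS (Secure).
function sessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Second layer: a Content-Security-Policy without 'unsafe-inline' tells the
// browser to refuse inline script even if an encoding step is missed.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': sessionCookie(sessionId),
  };
}

// Constructed sample comment containing markup, as a forum visitor might submit it.
const sampleComment = '<script>document.title = "injected"</script> nice post & thanks';

console.log(renderCommentUnsafe('mallory', sampleComment)); // script tag survives
console.log(renderComment('mallory', sampleComment));       // script tag is inert text
console.log(securityHeaders('constructed-session-id'));
```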

Older websites tend to be the most vulnerable, says Stock, especially if they haven’t been updated with the latest software patches. But an obsession with keeping sites running around the clock may allow insufficient downtime for patching and preventive maintenance, and the commercial imperative to get web pages up quickly makes it very tempting to cut corners in security and testing, so even the newest website may be at risk. Often security logs aren’t monitored carefully enough, Stock adds.

It’s not just visitors to the site who may become victims, but its owners too. Sometimes a website is visibly defaced by pranksters or “hacktivists” intent on damaging the owner’s reputation or making a socio-political point. Or the attackers may penetrate the systems behind the website to steal commercial information or intellectual property.

Anstis says it’s highly advisable to equip websites with a web application firewall – software that can protect against a range of unauthorised activity. But no security software is foolproof, and good coding, thorough testing, log monitoring and regular maintenance are all vital.

The price of safety is eternal vigilance.

www.owasp.org
