If you compromise it, they will come. So say today's cybercriminals and hackers, that is.
This latest approach to hacking is a trend that's gaining momentum, according to the most recent Internet Security Threat Report from Symantec Corp. It used to be that attackers actively sought out their intended victims by trying to break into their computers.
Not anymore. Today's attackers entice their victims to come to them. Hackers and cybercriminals compromise trusted
websites or applications; then, when a user visits that site or uses that application, the attacker is able to
compromise the user's computer. This is typically accomplished by directing the user to a malicious Web site or by
downloading a Trojan onto the user's computer.
It's a worrisome development with serious implications for end users. After all, if they can no longer place their trust in a well-known site, they may forgo participating in online interactions altogether. Yet, individuals and organizations can mitigate their susceptibility to this new type of threat by implementing a combination of security technologies and best practices.
A Web 2.0 World
While financial gain continues to be the motivation behind new and increasingly sophisticated attack tools and
tactics, the increased deployment of Web application and Web 2.0 technologies has also enabled many of these new
attack methods. Examples of Web-based applications include content management systems, e-commerce sites such as
shopping carts, Weblogs, and Web-based e-mail.
As with all software, web applications include vulnerabilities. In fact, during the first six months of 2007, 61 percent of all vulnerabilities disclosed were web application vulnerabilities. Attackers can easily exploit these vulnerabilities to launch attacks from sites that users are likely to trust. In fact, as web applications continue to be deployed, attackers are targeting them as a simple means to circumvent network security measures such as intrusion detection systems and firewalls.
Among attackers' most fruitful targets are social networking sites. While web users have become wary of unsolicited
e-mail attachments and other enticements, they generally trust that their social networking site and its content are
secure. Social networking and other popular sites give attackers access to large numbers of people who may expose
confidential information that can, in turn, be used for identity theft and fraud or to access other sites from which
to propagate more attacks. During the first half of 2007, a prominent social networking site was one of the top ten brands targeted by phishing.
Attackers are also compromising trusted sites in order to lie in wait for unsuspecting users. Hackers are now installing Trojans on web pages; these Trojans exploit vulnerabilities in web browsers and web browser plug-ins. After all, web browsers are not only ubiquitous but also complex and feature-rich-traits that can expose them to vulnerabilities in newly implemented features.
Web browser plug-ins have also become a popular target of attackers. These technologies run inside the web browser and extend its features. Some plug-ins allow additional multimedia content from web pages to be rendered in the browser, while others include execution environments that enable applications to be run inside the browser. What's more, many browsers include plug-ins in their default installation and provide a framework to make it easy to install additional plug-ins. Some plug-ins may even be required to use public websites or an organization's internal site.
Among the most common browser plug-ins are those for Microsoft ActiveX, Apple QuickTime, and Adobe Acrobat. And, like web applications, browser plug-ins also include vulnerabilities. In fact, during the first half of 2007, 237 vulnerabilities affecting browser plug-ins were documented, with 210 of them impacting ActiveX components.
Vulnerabilities in Web browsers and their components have compelled hackers to change the way they distribute some of their malicious code samples. Malicious code used to be delivered to an intended target as mass-mailer email attachments. Now, however, malicious code samples such as Trojans are installed by attackers who lure users into visiting web pages that exploit vulnerabilities in the visiting user's browser or its components.
This is an interesting shift in strategy; the malicious code itself does not directly exploit any vulnerabilities but instead is installed on a computer through the exploitation of a vulnerability. During the first six months of 2007, 18 percent of the 1,509 documented malicious code instances were installed on computers using this method.
A Strong Defense
Clearly, today's threat landscape calls for increased vigilance and protective measures. Attacks are now likely to originate from websites that are trusted as well as those that are not. However, web browser security features can help reduce exposure to browser plug-in exploits. Specifically, end users and IT administrators can activity maintain a so-called "white list" of trusted websites and disable individual plug-ins and scripting capabilities for all other sites. While this will not prevent exploitation attempts from white-listed sites, it may help in preventing exploits from all other sites.
In addition, intrusion prevention technologies can help prevent exploitation of some browser plug-in vulnerabilities through signature- or behavior-based detection capabilities. Antivirus software may also help protect against browser plug-in exploits through heuristic signatures.
End users and organizations are also advised to patch all operating systems and applications, including browsers and browser plug-ins, in a timely manner. Browsers should also be upgraded to the latest, patched versions. Organizations can increase security further by deploying web proxies in order to block potentially malicious script code. And, of course, end users should be extremely cautious about visiting unknown or untrusted websites as well as about viewing or following links in unsolicited emails.
Finally, end users and organizations should employ defense-in-depth strategies. This includes the deployment of antivirus software, firewall, and intrusion detection and prevention technologies.
As security measures are developed and implemented to protect the computers of end users and organizations,
attackers will likely continue to adapt innovative, new techniques and strategies to circumvent them. However, by
using a combination of advanced protective technologies and best practices, individuals and enterprises can avoid
many of the Web's perils and enjoy more of its benefits.
About the Author
Dean Turner is director, Global Intelligence Network, for Symantec Corp.