The high-profile Web site infection, in terms of the huge traffic volume that was logically hijacked during the campaign, raises an important question--can you really trust those "Trusted Web Sites" that average and corporate users often think are secure by default? The truth is that you can't afford to "wait and see," and always need to assume the worst, for the sake of your data/host/network's CIA (Confidentiality, Integrity, Availability).
Over the years, cybercriminals have learned that it's easier and more efficient to inject malicious scripts into hundreds of thousands of Web pages than to target a few high-profile Web sites. It's not that they don't want to target those sites. Exploiting the "Long Tail" concept is simply easier and more efficient. Naturally, that depends entirely on the attackers in question.
For instance, this isn't the first time that pages within MSN's domain were serving malware to visitors. Back in 2008, MSN Norway fell victim to a malvertising campaign, followed by a series of direct/indirect compromises of highly trafficked Web sites throughout the entirety of 2009, affecting FoxNews.com, Cleveland.com, the New York Times, as well as many other high-profile Web sites such as CNN, BBC, Washington Post, GameSpot, World Of Warcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget, and Chip.de, proving that no one is safe. And although the media constantly emphasizes the emergence of targeted attacks and cyber espionage campaigns, noisy mass SQL injection campaigns and traffic acquisition tactics relying on malvertising are definitely not a thing of the past.
Do you think the time has come for the industry to admit that there's no such thing as a trusted Web site, and that users should always assume the worst by default? Do you maintain a list of trusted Web sites, and what makes you think they're trusted enough to be allowed to run active content?
Find out more about Dancho Danchev at his LinkedIn profile.