Tackling the threat from compromised Web sites

perspective Recently, I was talking to a group of people about the surge in Web site compromises that has occurred in 2008.

At one point in the discussion, an attendee asked: "But what do those compromises have to do with me?" Unfortunately, that ignorance is typical.

Despite media coverage and widespread publicity, many users remain oblivious to the threat of compromised sites. They erroneously believe the risk is to the owner of the Web site, rather than to their own system.

Unfortunately, their ignorance is often matched by that of site owners, who are either unaware their pages have been compromised or ill-equipped to resolve the underlying security issues.

The situation is exacerbated by the sheer number of compromised Web sites. It's impossible to alert each site owner, and attempts to contact even the most trafficked sites often reach a dead end, due to anonymous Whois data and a lack of valid contact details.

So the Web is proving to be an extremely hospitable host for attackers. Criminals need no longer rely on social engineering to entice users to visit a malicious site. They simply have to compromise a well-trafficked site and take advantage of the stream of visitors.

Ironically, many of the exploits and tools used by the attackers to carry out attacks are unwitting provided by security researchers who publish discoveries in an attempt to warn the innocent.

While this risk has always existed, two factors have converged to lead to the current enormity of the problem: malware being used for criminal profit and the adoption of the Web as the preferred malware conveyor.

Surge in Web-based malware
ScanSafe analysis reveals Web-based malware increased by 553 percent in the third quarter of 2008 compared with the fourth quarter of 2007, with 74 percent of that malware a direct result of Web site compromises.

Most malware intended for download by the compromised sites contained backdoors or were custom-configurable password stealers. These backdoors and password-stealers typically communicate via HTTP port 80, so traditional firewall measures may fail.

Thirty-one percent of the malware blocks in September 2008 were for zero-day threats that weren't detectable by traditional signature-based antivirus at the time of encounter, further hampering localized discovery efforts.

To gauge specific levels of risk, we analyzed malware blocks from a selection of companies between May 2007 and September 2008. Among companies in this group, the risk of exposure to Web-delivered backdoors and password-stealers increased by 499 percent between January 2008 and September 2008.

Certain vertical industries emerged as being at significantly greater risk than others. The energy and oil sector has the highest rate of exposure to Web-based malware, followed by pharmaceutical and chemical, construction and engineering, transport and shipping, and companies in the travel and leisure sector. Many of these industries are already adversely affected by the global economic crisis, and several play a critical role in infrastructure.

There's also a less easily measurable but no less serious risk that the ongoing Web site compromises present. As the attacks continue, security-conscious Web surfers are becoming increasingly reluctant to allow third-party scripts.

The unintended side effect could eventually wreak havoc on the Internet advertising economy, estimated at US$21.2 billion in the Interactive Advertising Bureau's May 2008 Internet Advertising Revenue Report (PDF).

With so many affected and so much at stake, we shouldn't be asking: "What do these Web site compromises have to do with me?" The question we should really be asking is: "What can we do to stop these attacks?"

Mary Landesman is the senior security researcher for ScanSafe.