RealTime IT News

Legit Web Sites Heavily Compromised

Instead of putting up their own Web sites, malicious hackers are now focusing their efforts on corrupting legitimate sites. A survey released today, and conducted between January and June by messaging- and data-protection firm Websense, found that hackers compromised 50 percent more legitimate Web sites during this period than between July and December 2007.

According to the Websense study, more than 75 percent of Web sites containing malicious code are legitimate sites that have been infected. The survey found that 60 of the 100 most popular Web sites either hosted, or were involved in, malicious activity between January and June 2008.

These sites are overwhelmingly social networking sites and search engines. They let users upload third-party applications, and many malware writers take advantage of this.

The hackers aren't launching attacks for fun – Web site hacking has become a business where the profit motive rules. When the business is no longer profitable, it's closed down, just as in the real world.

According to the Websense survey, hackers are mainly targeting the top 100 Web sites, especially the Web 2.0 elements of these sites. "Web 2.0 sites are completely dynamic sites that change on a day to day basis, allowing user-uploadable content and tool uploads from third-party sites," Stephan Chenette, manager of Websense Security Labs, told InternetNews.com.

"That's cool, but it opens them up to attacks," he said. More than 45 percent of the top 100 sites support user generated content.

That's going to be a problem for enterprises that want to set up social networks within their firewalls. "I can put up the latest interesting movie in Adobe Flash on my social page with malware embedded in it, and if you access the movie but don't have the latest software patches, I'll be able to exploit you," Chenette said.

While the use of Web 2.0 technologies in corporations typically happens behind the firewall and involves the posting of, and collaboration on, company data, enterprises should keep a close eye on matters, Charles King, an analyst at research firm Pund-It, told InternetNews.com. "There probably should be regulations about the type of personal data that individuals could or should upload to sites like that," he added.

The trend towards working from home and having a mobile workforce could cause security problems, King said. "Presumably employees who work from home or at remote locations are transferring data behind the firewall from external sources," he explained.

"Exactly how much scanning of data goes on, and what type of security policies are created to deal with that data, are issues companies need to keep an eye on," King said. "The exchange of information is much freer and easier on social networking sites, but it doesn't take a large hole to let a lot of bad code into any environment."

Sixty percent of compromised sites either hosted malicious content or contained a masked redirect to lure people to malicious sites, the Websense report said. Often, the page still appeared to be the legitimate site while the content it served was actually being hosted elsewhere.

Other new technologies are also laying businesses open to danger. Service-oriented architecture, or SOA, is one such technology. It lets companies use gadgets, widgets and mashups on their sites to create new applications, and to use Web applications to conduct their business.

This increases their vulnerability. "Often some of the Web applications come from components that shouldn't be trusted, whose origins can't be tracked," Chenette said. "The content on these sites should be scanned in real time."

Without constant scanning, enterprises wouldn't even know when their sites were hijacked. Several accounts on Yahoo Mail, Excite and even Perl.com, the Web site for Perl programmers, were hijacked earlier this year through their banners.
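The kind of check Chenette describes can be automated on the site owner's side. The following is an added example, not code from Websense or from the article: a small scanner, written against Python's standard library only, that inspects a page's HTML for the symptoms the report describes (hidden or off-site iframes, meta-refresh redirects to another domain, script tags pulled from another domain, and inline scripts that unescape long percent-encoded blobs). The site hostname, the `attacker.invalid` domain and both sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings that suggest injected redirect content."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def _is_external(self, url):
        # Relative URLs have no host and belong to the site itself.
        host = urlparse(url or "").netloc.lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden or self._is_external(a.get("src")):
                self.findings.append(("hidden or external iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            target = m.group(1) if m else ""
            if self._is_external(target):
                self.findings.append(("meta refresh redirect", target))
        elif tag == "script":
            self._in_script = True
            if self._is_external(a.get("src")):
                self.findings.append(("external script", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; flag the classic unescape/eval-of-a-blob pattern.
        if self._in_script and re.search(r"\b(unescape|eval|document\.write)\s*\(", data):
            if len(re.findall(r"%[0-9a-fA-F]{2}", data)) >= 8:
                self.findings.append(("obfuscated inline script", data.strip()[:60]))


def scan_page(html, site_host):
    """Return the list of (kind, detail) findings for one page of the given site."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a page on example.com carrying injected content (attacker.invalid is a placeholder).
INFECTED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker.invalid/landing">
<script src="https://static.example.com/app.js"></script>
<script src="http://cdn.attacker.invalid/ads.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://attacker.invalid/x.html" width="1" height="1" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%74%74%61%63%6B%65%72%2E%69%6E%76%61%6C%69%64%2F%22%3E'))</script>
</body></html>"""

# Constructed sample: the same site's page with only its own, same-origin content.
CLEAN_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><h1>Welcome</h1><iframe src="/embed/video" width="640" height="360"></iframe>
<script>var page = "home";</script></body></html>"""


if __name__ == "__main__":
    for kind, detail in scan_page(INFECTED_PAGE, "example.com"):
        print(f"{kind}: {detail}")
    print("clean page findings:", scan_page(CLEAN_PAGE, "example.com"))
```

Run against a copy of each page fetched on a schedule, the scanner turns "constant scanning" into a concrete baseline: any finding on a page that was clean yesterday is a change someone has to explain. Allowed third-party hosts (an approved ad network, a CDN) would go on an allowlist rather than being treated as external.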

The banners were supposed to have been paid for, and the purchasers should have paid with their credit cards, Chenette said, adding that the payments were supposed to be traceable back to their origin. "Enterprises have to remember that, even when components come from places you think you have complete control over, in most cases you don't have that control," he warned.

Seizing control of a site is worth a lot of money. "Malicious groups get paid for installing malware on computers, and they get paid for every victim computer they seize," Chenette explained.

Groups who create malware have created business models for their attacks, and sell malware toolkits. These toolkits are collections of exploits, or malicious code.

Like legitimate businesses, malware creators shut down their businesses when they are no longer profitable. Earlier this week, the group in charge of making the Neosploit Web malware toolkit, one of the better known kits, announced on its site that it's going out of business, Chenette said. "They said that not enough people are buying their toolkit and that it's no longer worth it to keep up their business," he added.