Legit Sites Riskier Than Web’s Back Alleys

Malware and scareware

Avoiding sleazy-looking Web sites may not be enough to protect users from malware infection. Instead, experts warn that it’s the sites you like and trust that can hurt your PC.

Just this month, users have been assaulted by infections from targeted and sophisticated attacks on sites like Facebook and Twitter.

Two new studies now charge that legitimate Web sites can pose high risks for surfers. Web site security specialist WhiteHat Security said it found that 63 percent of Web sites currently have at least one pending high security, critical, or urgent issue.

Meanwhile, MessageLabs, the cloud e-mail security subsidiary of Symantec (NASDAQ: SYMC), conducted a study of the sources of infection of its customers and found that legitimate Web sites are far more dangerous than fly-by-night malware sites.

“Users are in a tough predicament,” Jeremiah Grossman, WhiteHat’s founder and CTO, told InternetNews.com. “They have a tough time protecting themselves, especially from brand name Web sites. Most infected Web sites are legitimate Web sites.”

MessageLabs agrees. “We found that about 85 percent of the domains we were blocking were Web sites that were well-established,” Paul Wood, MessageLabs’ intelligence senior analyst, told InternetNews.com.

MessageLabs studied the domains it blocked during the week of May 5 and found that the majority were “well-established,” meaning that their domains had been registered over a year ago.

“The prejudice was that the majority of drive-by downloads would be from domains registered for precisely that purpose, such as in the .cn domain, where it is cheaper to register a large number of disposable domains,” Wood said.

The results were therefore a surprise. “We found that the attack vectors for the moment favor well-established domains,” Wood said.

He added that part of the problem is that spammers have created CAPTCHA-breaking tools that allow them to create hundreds of spam accounts on legitimate e-mail and social networking sites, bypassing security efforts that had been set up to prevent such activity.

But spammers may not need to establish dummy accounts on Web sites, since the sites themselves often have at least one security flaw, researchers noted.

According to the data from WhiteHat security, collected from January 2006 through March 2009, social networking sites are indeed the most vulnerable at the moment. The study, which covered 1,031 Web sites that subscribe to WhiteHat Security’s threat assessment service, found that 82 percent of social networking sites had at least one vulnerability.

Companies aren’t fixing the flaws, but WhiteHat’s Grossman didn’t blame them. “Companies can spend developer resources to fix a flaw, but there’s always the opportunity cost. They sacrifice a revenue-generating feature.”

Fixing flaws is not easy. WhiteHat’s report found that it takes an average of 38 days to fix a SQL Injection flaw, and that’s the fastest time to fix the vulnerabilities it uncovered. The toughest to fix is “insufficient authentication,” which takes an average of 125 days to fix.

These flaws won’t be fixed soon as new flaws are added regularly. In addition to those already present, Grossman noted that sites are adding flaws as they upgrade their software, and that social networking sites are on a particularly aggressive upgrade path.

He called for a two-pronged strategy to address the problem — one set of recommendations for sites already built and a second set for those that have not been built yet. Perhaps if this generation of Web sites is too flawed to fix, the next generation of Web sites need not be.

News Around the Web