The Web’s already got its share of threats, but in many cases, savvy users can steer clear of dangers. But that may be changing as cyber criminals’ attacks continue growing in sophistication — with even legitimate sites becoming less trustworthy.
Social networking sites and other prominent online destinations, like search engines, will be some of the major targets, according to Web and e-mail security vendor Marshal8e6. The company predicts an upswing in attacks on sites such as Facebook, LinkedIn and Google (NASDAQ: GOOG) that will severely impact the notion of trusted sites on which the Internet depends.
“In many cases, we won’t be able to automatically trust legitimate Web sites,” Adrian Duigan, Marshal8e6’s product marketing manager, told InternetNews.com.
Duigan said the most dramatic change he’s seen during the past year is cyber criminals’ move to host their malware to legitimate Web sites, rather than on their own sites. Between 50 and 60 percent of the malware Marshal8e6 encountered over the past 12 months was hosted on legitimate Web sites — and it expects that figure to go up to 70 to 80 percent, he said.
The warnings signals the latest sign that even after major setbacks, malware authors, botnet owners and other online troublemakers aren’t out of the fight for long.
And as a result of their new tactics, security vendors must scramble to cope with the changes.
“In the past, we could recognize sites that are harmful, but now a site could be legitimate
one day and be hijacked the next day by malware,” Duigan said. “What makes it more difficult is the hijacked pages are then abandoned by hackers in 48 hours.”
About 60 percent of new sites linked to malware were put up for less than one day, antivirus vendor AVG Research has found. The rest were all active for up to 14 days at the most.
These new modes of attack could destroy the model of trust used throughout the Internet, which relies heavily on sites and message sources’ reputation. For instance, a trusted site such as Google or Facebook has a good reputation, so messages from it are not blocked by spam filters when they come in.
With malware authors corrupting that trust model by using trusted sites to distribute or host spam, security vendors will have to change the way they classify Web sites and how they assume whether sites are inherently safe or unsafe, Duigan said.
Social networking sites in particular are emerging as a source of security threats, with easily set-up profiles and lax user safeguards. That was why the Koobface worm, which targeted Facebook and MySpace, spread so easily.
“The major issues we’re seeing is spammers setting up setting up Facebook or YouTube or Hotmail accounts or accounts on other free Web services, and it’s going to come down to the vendors running those sites and how they’re going to secure them,” Duigan said.
Facebook and similar sites also are increasingly encouraging developers to create new applications and post these on their sites. While the trend is seen as a way for social networking sites to monetize their infrastructure, the capabilities could constitute a real threat in the wrong hands.
“Facebook will have to tighten up their controls on what uses you can create for those applications,” Duigan said.
The bigger danger posed by social networking sites is that they could impact enterprises, which are increasingly linking up to them. Salesforce (NYSE: CRM) is tied in to Facebook and Google to help customers leverage the cloud, for example. And IBM (NYSE: IBM) has partnered with both Salesforce and LinkedIn, a social networking site geared toward professionals.
Security vendors aren’t alone in worrying about security. Facebook, along with its peers, have vowed to work to contain security threats.
“We have been dealing with attacks for years and have built a team of security professionals and a series of sophisticated tools and systems to limit the impact of security issues on our users,” Barry Schnitt, a Facebook spokesperson, told InternetNews.com by e-mail. “We will continue to invest resources in staying ahead of any and all security threats.”
To thwart threats to enterprises that are using Facebook, Schnitt said companies should ensure employees have up-to-date browsers with phishing blacklists and antivirus software.
“Also, the enterprise has a captive audience and an opportunity, and perhaps even an obligation, to educate employees on security best practices,” he added.
Other trends Marshal8e6 noted include an increase in the use of blended attacks — which use multiple attack techniques to compromise security, like e-mails carrying viruses paired with a worm — and the possible emergence of attacks on the virtualized environment.
“We’ll see new types of attacks we haven’t encountered before, and vendors will have to be very agile in the way they address some of these emerging threats,” he said.