Hijacked Web sites attack visitors

The issue can go unnoticed until it's exposed publicly

Here's the scenario: Attackers compromise a major brand's Web site. But instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site. The issue goes unnoticed until it's exposed publicly.

Such attacks are a common occurrence, but most fly under the radar because the users never know that a trusted Web site infected them, says Brian Dye, senior director of product management at Symantec Corp. When his company tracks down the source of such infections, it often quietly notifies the Web site owner. But word can get out, leaving the Web site's customers feeling betrayed, and seriously damaging a brand's reputation.

Attackers, often organized crime rings, gain entry using techniques such as cross-site scripting, SQL injection and remote file-inclusion attacks, then install malicious code on the Web server that lets them get access to the end users doing business with the site.

"They're co-opting machines that can be part of botnets that send phishing e-mail, that are landing sites for traffic diversion and that host malware," says Frederick Felman, chief marketing officer at MarkMonitor. But because the business's Web site isn't directly affected, the administrators of most infected Web sites don't even know it's happening.

That possibility is one of Lynn Goodendorf's biggest worries as global head of data privacy at InterContinental Hotels Group. "I worry about attacks that use a combination of malware and botnets," she says, adding that she has watched this type of activity increase steadily over the past two years. "That's very scary," says Goodendorf.

Most victims haven't associated such attacks with the Web sites that inadvertently infected them. But that may be changing.

The latest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected with malware, issue a warning and block access to the site. "To me, this is serious online brand damage," says Garter analyst John Pescatore, and it can be disastrous for small and midsize businesses that totally depend on search engine traffic. The next frontier, says Dye, may be attackers who use these types of exploits against the Web sites of high-profile brands and then publicize -- or threaten to publicize -- what happened.

Preventing attacks like SQL injections requires using enterprise-class security tools, such as intrusion-prevention and -detection systems, with a focus on behavioral analysis to spot attacks, Dye says. But Pescatore sees a more fundamental problem: rushing through Web site updates and ignoring development best practices designed promote security.

Most organizations follow formal processes for major upgrades, but not for the constant "tinkering" that takes place. The result: Vulnerabilities creep into the code. "Security groups often are forced to put Web application firewalls in front of Web servers to shield [these] vulnerabilities from attack," says Pescatore.

Tags securityIntercontinental

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert L. Mitchell

Computerworld (US)

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?