Epidemic of malware on legitimate sites


9 Jun 2008

Over two thirds of web-based malware is now found on legitimate websites, a growth of more than 400pc over a year ago, an IT security firm has found.

ScanSafe, which specialises in software-as-a-service (SaaS) web security, reported that 68pc of all web-based malware it blocked on behalf of its corporate customers in May was found on legitimate websites. This was up 407pc on May 2007.

ScanSafe said the increase was the result of an unprecedented series of attacks that have outfitted hundreds of thousands of legitimate sites with malicious scripts and iframes designed to silently deliver password stealers and backdoors to visitors’ computers.

“The compromise techniques being used now allow hackers to quickly ‘colonise’ thousands of legitimate sites, from big brandname sites like Wal-Mart, to smaller but equally legitimate sites,” explained Mary Landesman, senior security researcher at ScanSafe.

The company reported a 220pc increase in the amount of web-based malware such as viruses, Trojans and password stealers. The fastest growing category of threats is backdoor and password-stealing malware, which grew 855pc from May 2007 to May 2008.

The web was riddled with compromised sites in May 2008, largely as a result of ongoing SQL injection attacks that began in late October 2007 affecting hundreds of thousands of websites. In parallel, another highly prolific series of attacks has been rendered through the use of stolen FTP credentials.

“Over the past year malware authors have moved away from direct attacks – attacks in which they directly interact with victims, via social engineering, for example – to indirect attacks accomplished through compromised websites,” said Landesman.

“These indirect attacks not only leverage stealthier techniques, like the insertion of an invisible iframe, but they leverage legitimate, brandname sites that web surfers implicitly trust. The net result is that you absolutely cannot assume that because you are on a brandname or well-known site that it is a safe one.

“Currently, thousands of legitimate sites are being compromised daily.”
By Niall Byrne