Not long ago, if you kept your web surfing to “reputable” sites (i.e., stayed away from pornography and gambling sites), you could be fairly certain that your machine would not be attacked by the site you visited. But times have changed. Just prior to the 2007 Super Bowl, the official web site of the Miami Dolphins, whose stadium was hosting the event, was hacked. Attackers placed malicious software on the web server that in turn attempted to compromise any client that accessed the web site. The malicious software took advantage of several vulnerabilities in Microsoft Windows and installed a trojan downloader on vulnerable computers without the user being aware that anything had occurred. The trojan would then steal passwords and allow the attackers to install additional programs that could be used for a variety of nefarious purposes.
Since that time the floodgates have opened. This type of attack, called drive-by downloading, has become the favorite method for attacking computers and spreading malware. In fact, these attacks have even surpassed email as the primary vector for the spread of viruses and trojans. What makes this trend even more troubling is the number of legitimate web sites that have been compromised and used to attack the computers of the people who visit them. The list of organizations that have had their web sites compromised numbers in the tens of thousands and includes such names as the University of California, MySpace, the United Nations, Sony, Cambridge University Press, and even US governmental agencies. Frequently these web site hacks coincide with major sporting events such as the Euro 2008 soccer event and the Wimbledon tennis tournament. In both cases, web sites related to these events were compromised, putting visitors to those sites at risk of infection.
“In 2007, SophosLabs discovered one new infected webpage every 14 seconds. In the first six months of 2008 that figure rose to one every five seconds, or an average of 16,173 malicious webpages every day – and 90 percent of these webpages are on legitimate sites which have been hacked.”
Clearly, you cannot assume any web site is safe to surf, no matter whose name is on it. So how do you protect yourself? First and foremost, ensure that the latest browser patches are installed. This applies whether you use Internet Explorer, Firefox, Safari or something else, because most of these hacks take advantage of vulnerabilities in browsers. While you are at it, make sure you have all recommended Microsoft security patches installed, as well as patches for third-party applications that tie into the browser, such as Java, Adobe Flash and Adobe Acrobat Reader. And just because you use a Mac doesn’t mean you are immune; the same advice applies. Enterprises can and should take advantage of web content filtering tools that can detect and block access to infected web sites. Finally, awareness may be the best defense as we surf the increasingly murky waters of the World Wide Web.