Johannesburg, 07 May 2013
Our Web sites are being used against us, as Web-based attacks have increased by a third from 2011 to 2012.
This was the word from Gordon Love, Symantec's regional director for Africa, who was addressing the ITWeb Security Summit at the Sandton Convention Centre, in Johannesburg, on Tuesday.
Quoting the findings from the recently published 2013 Symantec Internet Security Threat Report, Love pointed out that Symantec blocked 250 000 Web attacks on a daily basis. He also pointed out that one in 532 Web sites were infected, while 1.6 million new malware variants were discovered every day.
"The rate of Web-based attacks blocked per day increased by 30%, while the rate of discovery of vulnerabilities has only increased by 6%. In a nutshell, it's older, non-patched vulnerabilities that cause most systems to get compromised," he explained.
Love also pointed out that approximately 53% of Web sites scanned were found to have unpatched, potentially exploitable vulnerabilities (36% in 2011), of which 24% were deemed to be critical (25% in 2011). The most common vulnerability found was for cross-site scripting vulnerabilities, he said.
"With all these unpatched vulnerabilities in legitimate Web sites, there is no need for malware authors to set up their own. In fact, 61% of all malicious Web sites are legitimate sites."
According to Love, Web attacks silently infect enterprise and consumer users when they visit a compromised Web site.
"In other words, you can be infected simply by visiting a legitimate Web site. Typically, attackers infiltrate the Web site to install their attack toolkits and malware payloads, unbeknown to the site owner or the potential victims," he explained.
Describing how a hacker adds code to a legitimate Web site, Love said toolkits are available that make it easy.
For example, he explained, in May 2012, the LizaMoon toolkit used an SQL injection technique to affect at least a million Web sites.
Other approaches include exploiting a known vulnerability in the Web site hosting or content management software, and using phishing, spyware or social engineering to get the Web master's password.
The other method is hacking through the Web server backend infrastructure, such as control panels or databases, and paying to host an advertisement that contains the infection, Love said.
"In the case of LizaMoon, these sites were being used to deliver Fake AV. The next massive compromise of Web sites will be used to deliver ransomware. Ransomware started in Russia; what makes it so effective is it can customise itself to language and won't allow you to access your computer until you pay a fine."
According to Love, while this threat started in Russia and then spread across Europe, today almost all countries are at risk.
"Unlike scareware, which encouraged you to buy fake anti-virus protection, ransomware just locks your computer and demands a release fee. The malware is often quite sophisticated, difficult to remove, and in some cases, it persists in safe mode, blocking attempts at remote support."
He also noted that victims usually end up with ransomware from drive-by downloads when they are silently infected while visiting Web sites that host Web attack toolkits. This ransomware is often from legitimate sites that have been compromised by hackers who insert the malicious download code, he added.
"The perpetrators use social engineering to increase the chances of payment. The locked screen often contains a fake warning from local law enforcement and the ransom is presented as a fine for criminal activity online."
In some cases, Love described, ransomware also takes a photo of the victim using a Web cam and displays this image in the locking screen, which can be unnerving for victims.
"Criminals use anonymous money transfer systems or prepaid credit cards to receive the payments. The ransom typically ranges between $50 and $400. In many cases, payment doesn't unlock the computer."
Share