Thanks, Michael,
This was a disturbing report. If I understand the message clearly, Web sites that have been considered "trustworthy" by (a sort of) default mentality can be hacked (perhaps that is not the right word) to deliver malware. Who can we trust?
Do you know of any major industries, banks for example, that may have been affected?
Ed
The bad guys try hard to keep their malcode as inconspicuous as possible, so it is hard to say which sites are affected. The best thing you can do is make sure your computer's operating system and application software are up-to-date. There are other options, but they sacrifice convenience.
I wrote about banks and malware a few years ago, but some of it is still relevant:
http://www.techrepublic.com/blog/security/on-line-banking-how-safe-is-it/2409
I've been saying this for the last couple of years.
Malware from advertising networks was the initial attack vehicle, as website developers had no control over what ads were being shown.
I was just accosted by a popup that insisted I click a box to confirm my membership! I tried reloading the page, but was kicked off TR, and had to navigate back to this article from a Bing search! Maybe TR is the new watering hole for malware writers? Good thing I have EMET configured!
Anyway - I just wanted to add that lately it has become very difficult to acquire zero day exploits from the usual resources. When fellow honeypot testers started getting no bites from the usual web sites, they had to change tactics, because the old way of doing it resulted in dead links or failed to extract truly zero day bugs.
Now the best source is to get a junk email account and simply open as many spam attachments as you can, to throw at the VM environment for testing. This has just been in the last two months - so Michael, your Cisco guys are right - the threatscape is constantly changing - and trying to keep up with it is like bobbing around in a storm on a piece of wooden flotsam from the last shipwreck I was on!
I couldn't agree more with their assessment.
I believe it might be just a check of your log in information.
That's par for the course. I see that periodically, usually in conjunction with a variety of other site misbehaviors.
Michael, I don't think it's any kind of scheduled account check. I usually log on to TR on a Monday and don't log off until Friday. Sometimes I'll go for several weeks without seeing this problem; when it happens, I'll see it several times in an afternoon.
I was making an assumption as it seemed that way to me. I should know better.
The news kept reporting increasing numbers of legitimate websites being infected with drive-by malware; it went from the tens of thousands to hundreds of thousands within just two years. So this news is not quite as shocking - to me anyway.
Advertising networks hit the New York Times and other big name sites, but I did not realize the extent portrayed by the Cisco report.
I'm waiting for -1 votes to require a comment, or at least the voter's member name.
The thing about the figures in this graphic is I don't see a granular breakdown of what Dynamic Content and Content Delivery Networks comprise.
I'm thinking that Dynamic Content and Content Delivery are probably drivers in the Pr0n industry, being that it seems unlikely that delivery vectors like Games and Health and Nutrition would show up as individual categories and porn would be entirely absent.
It is my understanding those two entities are related to the ad networks that push adverts to websites. The problem being the website developer is not aware of malware being served, as the content is independent of his server and code. The most talked-about case of this was the New York Times.
Not that I have any familiarity with the industry, but I think that a lot of porn outlets actually pioneered this method of affiliate and referral content linking.
I think you're right, it is an inherent risk in the fact that these are supposed to be trusted networks of partner sites sharing content with one another and so mainstream sites you wouldn't expect deliver malware and viruses through this vector as well. I just think this segment of the infographic folds legitimate sites with the NSFW ones.
I'll give you another example somewhere between porn sites and respectable mainstream sites...
You ever get sidetracked by those "Trending on the Web" sidebars that deliver external content that is usually sensational, tabloid-style stories? Things like a red circle around a portion of a frame from a movie like Harry Potter, or a story like, "10 things girls don't know they're doing wrong in bed"... Those are the same basic methodology of delivering content that we're talking about here - and those will quickly get you into networks of affiliates that are rife with malware. Those don't really show up as an individual category here, either... but I think it is because they're all included in the two categories you define.
I linked my article about malvertising from 2011 in the post and that was when this type of attack began to appear on the radar.
http://www.techrepublic.com/blog/security/malvertising-adverts-that-bite/5694
That I must apologize, although I have enough wiggle in the title's word choice to technically be the one to blame. How's that for trying to escape.
The other night I was checking some news sites and SodaHead and Avast started popping up these malware warnings.
It looked like whatever was getting Avast upset was in one of the advertising links and it was being picked up even though I hadn't clicked on the links.
Last night everything seemed to be back to normal.
There is some malware that will activate just by being open on a web page, and then there is some that will activate if the arrow happens to be in the vicinity.
So that, at least, the vector isn't as likely a malvertisement.
It would be interesting to see how ad blockers distinguish website traffic from ad network traffic.
I know that, as well as a hosts file, MBAM will block IP addresses it deems malicious. This could be why things get boring when doing work on honeypots. But you have to test the defenses, and give them a chance to work. Testers sometimes have to turn off the protections that the Internet Explorer browser already supplies to get a reaction to the particular solution they are testing. I would say IE 9 blocks about 85% of the zero day exploits right off the bat, using already known built-in protections.
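The two posts above ask how an ad blocker tells a site's own traffic from ad-network traffic, and mention hosts-file blocking. The following is an added example, not code from the thread or from any blocker or MBAM: it classifies each sub-request of a page as first-party or third-party by comparing registrable domains, and flags hosts listed in a hosts-style sinkhole file. The blocklist entries and URLs are constructed sample values, and the tiny multi-label suffix table is a stand-in for the real Public Suffix List that production blockers use.

```python
from urllib.parse import urlsplit

# Constructed sample hosts-file entries (not real malicious domains).
SAMPLE_HOSTS_BLOCKLIST = """
# sinkhole entries map unwanted hosts to a non-routable address
0.0.0.0 ads.example-adnetwork.test
0.0.0.0 tracker.example-cdn.test
127.0.0.1 localhost
"""

# Minimal stand-in for the Public Suffix List (assumption: enough for the demo).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the eTLD+1 of a hostname, e.g. 'static.example.test' -> 'example.test'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_hosts_blocklist(text):
    """Parse hosts-file syntax; keep only names sinkholed to 0.0.0.0 or 127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in parts[1:]:
            if name.lower() != "localhost":       # the loopback entry is not a block
                blocked.add(name.lower())
    return blocked


def classify_request(page_url, request_url, blocked_hosts):
    """Label a sub-request as 'blocked', 'third-party' or 'first-party'."""
    page_host = urlsplit(page_url).hostname or ""
    req_host = (urlsplit(request_url).hostname or "").lower()
    if req_host in blocked_hosts:                 # hosts-file semantics: exact host match
        return "blocked"
    if registrable_domain(page_host) != registrable_domain(req_host):
        return "third-party"                      # served from another site's domain
    return "first-party"


def audit_page(page_url, request_urls, blocked_hosts):
    """Count how a page's sub-requests split between the three labels."""
    counts = {"first-party": 0, "third-party": 0, "blocked": 0}
    for url in request_urls:
        counts[classify_request(page_url, url, blocked_hosts)] += 1
    return counts


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS_BLOCKLIST)
    page = "https://news.example.test/story"
    requests = [                                  # constructed sub-requests for the page
        "https://news.example.test/img/logo.png",
        "https://static.example.test/app.js",
        "https://ads.example-adnetwork.test/banner.js",
        "https://cdn.other-site.test/lib.js",
    ]
    for url in requests:
        print(classify_request(page, url, blocked), url)
    print(audit_page(page, requests, blocked))
```

Real blockers go further than this: they match URL patterns and resource types from filter lists, and treat subdomains of a listed name as covered, whereas a hosts file only matches the exact name. The first-party/third-party split is still the basic signal that separates a site's own assets from ad-network content.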
It can be real work getting a hit sometimes. I'd say that happens to me occasionally, as well, running under my normal work load. Of course my email clients block most threats in my inbox, so I rarely get a hit that way, just by accident.
Krebs would be a good source to watch for TR member Edward DeRosier; he could get a pretty good picture of how to assess a bank site's (or other vendor's) trustworthiness.
I bookmarked. I'm gonna share this with my friends. Thanks for your advice. I learned some new things to protect my website.