Websense Security Labs provides twice-yearly reports assessing Web-based malware. Their latest report is not encouraging. Here’s why:

  • 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth during the last year.
  • 77 percent of Web sites with malicious code are legitimate sites that have been compromised.
  • 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • 57 percent of data-stealing attacks are conducted over the Web.
  • 85 percent of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

Data acquisition

Websense uses their ThreatSeeker Network to collect data about compromised Web sites. The network consists of 50 million real-time data-collection points, each capable of monitoring Web and e-mail content for malicious code. The system is powerful enough to scan 40 million Web sites and 10 million e-mail messages per hour.

Threat Webscape

In order to understand what Web sites would be most appealing to cybercriminals, Websense created Threat Webscape. It is their way of classifying Web sites with regards to malware threats. They group Web sites into one of three classifications:

  • The 100 most-visited Web sites, usually “Social Networking” or “Search” sites.
  • The next million most-visited sites, primarily current event and news sites.
  • The remaining Web sites, typically business sites, blogs, and personal Web sites.

The focus needs to be on the 100 most-visited Web sites. They get the traffic, which catches the attention of the bad guys. Also of interest is what these popular Web sites have in common:

  • More than 47 percent of the top 100 sites support user-generated content.
  • 61 percent of the top 100 sites either host malicious content or contain a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.

Prominent examples

Websense could not have timed the release of their report better. There have been several examples of high-profile Web sites being compromised this past week. Here is a quote from the New York Times:

“Over the weekend, some visitors to the Web site of The New York Times received a nasty surprise. An unknown person or group sneaked a rogue advertisement onto the site’s pages.”

As I am writing, Ryan Naraine of ZDNet reported that PBS.org is also similarly compromised:

“Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits.”

Because both are trusted Web sites, they raise little suspicion in visitors. This makes the two Web sites very effective malware delivery tools.

Web 2.0: the cure and the curse

From the above information, we can see that Web sites using Web 2.0 applications comprise almost 50 percent of the top 100 sites. The reason they are popular is the ability for anyone to create content that can be viewed by the public. Web sites like Facebook and Twitter are prime examples and we know how successful they are.

Web 2.0 capabilities also increase the chance of abuse. The dynamic nature of Web 2.0 sites creates opportunities for cybercriminals to carry out a variety of attacks.

For example, security researcher Ronen Zilberman found a serious vulnerability on the Facebook Web site. If exploited, the vulnerability would allow hackers to steal personal information, pictures, and friend lists from unsuspecting members. Zilberman explains on his blog that attackers use Cross-Site Request Forgery (CSRF) to trick the visitor’s browser into performing actions on the site without the member’s knowledge.
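To make the CSRF mechanism concrete, here is an added example (not code from the article, from Zilberman, or from Facebook) that models a state-changing endpoint on a social site. The site origin, session store, request object and endpoint names are constructed for the illustration. The vulnerable handler trusts the session cookie alone, which the browser attaches to any request aimed at the site, including one auto-submitted by a page on another domain; the hardened handler additionally requires a per-session synchronizer token that a cross-site page cannot read, and refuses requests whose Origin header names another site.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example values (assumptions, not from the report): the site's own
# origin and an in-memory session store keyed by the session cookie value.
SITE_ORIGIN = "https://social.example"
SESSIONS: dict = {}


def create_session(user: dict) -> str:
    """Log a user in: mint an unguessable session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds in its own forms as a hidden field (synchronizer token)."""
    return SESSIONS[sid]["csrf_token"]


def current_email(sid: str) -> str:
    return SESSIONS[sid]["user"]["email"]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would present it."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def _session(request: Request):
    return SESSIONS.get(request.cookies.get("session", ""))


def vulnerable_change_email(request: Request) -> tuple:
    """Vulnerable: authorises the change on the session cookie alone.

    Any page the victim visits can submit a form to this URL; the browser adds
    the cookie, so the account is changed without the member's knowledge.
    """
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    sess["user"]["email"] = request.form.get("email", "")
    return 200, "email updated"


def hardened_change_email(request: Request) -> tuple:
    """Hardened: requires a per-session token that a cross-site page cannot read."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    if request.method != "POST":
        return 405, "state changes must be POSTed"
    # Defence in depth: a browser-supplied Origin header naming another site is refused.
    origin = request.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    # Synchronizer token check, compared in constant time to avoid timing leaks.
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    sess["user"]["email"] = request.form.get("email", "")
    return 200, "email updated"


if __name__ == "__main__":
    # Victim logs in; the browser now holds the session cookie.
    sid = create_session({"name": "victim", "email": "victim@social.example"})
    # Constructed cross-site request: cookie present, token absent, foreign Origin.
    forged = Request("POST", {"session": sid}, {"email": "attacker@evil.example"},
                     {"Origin": "https://evil.example"})
    print("vulnerable:", vulnerable_change_email(forged), current_email(sid))
    sid = create_session({"name": "victim", "email": "victim@social.example"})
    forged.cookies["session"] = sid
    print("hardened:  ", hardened_change_email(forged), current_email(sid))
    legit = Request("POST", {"session": sid},
                    {"email": "new@social.example", "csrf_token": csrf_token_for(sid)},
                    {"Origin": SITE_ORIGIN})
    print("legitimate:", hardened_change_email(legit), current_email(sid))
```

The token check is what actually closes the hole: the forged form can carry the cookie but cannot know the token, because the same-origin policy stops the attacker's page from reading the site's own HTML. The Origin check is a second, independent layer for browsers that send that header.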

On the rise

Luring people to malicious Web sites, whether by accident or through links in e-mail messages, is still a useful technique for attackers. But compromising legitimate Web sites is a win-win situation for cybercriminals: they don’t have to worry about suspicious-looking URLs or pages giving the game away.

Experts are concerned about the number of compromised legitimate Web sites. Nine-ball had infiltrated over 40,000 sites as of June 2009. Gumblar, another exploit, has compromised 70,000 Web sites. The following slide (courtesy of Websense) shows how prolific Nine-ball is:

Final thoughts

It stands to reason: compromising the real thing will always give better results. As users, our only option is to keep our operating system and application software up to date; doing so will prevent malware delivered by compromised Web sites from gaining a foothold.