Surfing the Web has become a dangerous pastime, with Web-based attacks now the primary vehicle for malicious activity over the Internet.
According to Symantec's latest Internet Security Threat Report, most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content.
Some of the techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields) or exploiting some vulnerability present in the underlying host operating system.
In 2008 alone, there were 12 885 site-specific vulnerabilities identified, and 63% of vulnerabilities documented by Symantec affected Web applications.
Attackers can either directly serve malicious content from a compromised site itself, or embed a malicious iframe on pages that can redirect a user’s browser to another Web server that is under the attacker’s control. In this way, the compromise of a single website can cause attacks to be launched against every visitor to that site.
Attackers are using increasingly complex methods to launch successful Web-based attacks, says the report, and attackers are now frequently stringing together multiple exploits for medium-severity vulnerabilities – eight of the top 10 vulnerabilities exploited in 2008 were rated as medium severity.
This helps them slip under the radar as many companies make patching high-severity vulnerabilities a top priority, while medium- and low-severity vulnerabilities may be ignored.
However, a single high-severity vulnerability was the top attacked flaw in 2008, with the Downadup (Conficker) worm exploiting a zero-day vulnerability in the Microsoft Windows Server Service RPC Handling component.
The Symantec report indicates that, more than ever before, attackers are concentrating on compromising end users for financial gain.
It says that, in 2008, 78% of confidential information threats exported user data while 76% used a keystroke-logging component to steal information such as online banking account credentials.
In addition, 76% of phishing lures targeted brands in the financial services sector, and this sector also had the most identities exposed due to data breaches, while 12% of all data breaches that occurred in 2008 exposed credit card information.
Symantec reports that, in 2008, the average cost per incident of a data breach in the US was $6,7-million, an increase of 5% from 2007, and lost business amounted to an average of $4,6-million.
Once this information has been stolen, it generally comes up for sale in the underground economy, with credit cards costing as little as 6 cents each when bought in bulk.
This commercialisation of the underground economy has led to the co-ordination of specialised and even competitive groups for the production and distribution of items such as customised malicious code and phishing kits – in turn, this has led to a proliferation of malicious code. In 2008, Symantec detected 1,65-million code threats.
Symantec expects malicious activity to continue to be pushed to regions with emerging infrastructures that may still lack the resources to combat the growing involvement of organised crime in the online underground economy.
It also expects that overt attack activities will either be abandoned or pushed further underground, a move that has already been seen with the use of HTTP and P2P communication channels in threats such as Downadup.