Malicious Web Sites
In the second half of 2004, the lab saw a number of high-level outbreaks that used the web as an attack vector in order to propagate malicious code. Several cases were reported where users were infected with malicious code when they simply visited a Web site; these infections occurred transparently without the user's knowledge or any action on their part such as running an application or opening an attachment. Although some sites rely on social engineering to download and install code, most use browser vulnerabilities or susceptibilities within scripting languages' security enforcement, such as JavaScript, Active X, VB Scripts, and Java Applets.
During the year, dozens of web browser vulnerabilities were reported. In many cases, proof-of-concept (POC) code and hacking examples were available on the Internet for download. This, combined with the fact that patches did not exist for most of the vulnerabilities, led to many web-based exploits.
As more and more companies are blocking receipt of attachments via e-mail to protect their networks from malicious code-laden attachments, the web will continue to rise as a popular attack method. Several vulnerabilities in the most popular browsers in the market remain unpatched. Users will continue to see flaws on both the browser side and on the server side as well, with web server technologies moving forward and POC code easily available to exploit those vulnerabilities.
In 2004, there were zero-day exploits where users could be infected by simply visiting a web site. In 2005, the report predicts that there will be more of this type of exploit. Also, research predicts that there will be an increase in the use of compromised broadband connected PCs, with the risk of higher profile sites and advertising networks being used to spread malicious code.
Furthermore, Websense Security Labs believe that an increase in "poisoning" search results and DNS servers from the most popular search engines is also possible. In this scenario, attackers ensure that their sites appear high in the return lists of queries; when users visit those sites, they are infected. For example, in the BOT phenomenons where attackers are starting to use the web along with other technologies such as Internet relay chat to keep track of infected users and even control networks of infected machines.
Phishing and Fraud-Based Web Sites
According to the report, the second half of 2004 saw a dramatic rise in the quickly mounting and emerging threat of phishing. Phishing has grown in number, frequency, and sophistication like no other security threat in the past. Although most phishing attacks target users of financial institution, ISP and online ecommerce sites, Websense Security Labs has seen attacks that seek out network username and password credentials, a potential sign that targeted attacks at specific end-users and organizations are being developed and on the horizon.
Attacks have also become more widespread geographically. In July 2004, only 35 registered countries hosted phishing sites; in the fourth quarter of 2004, Websense Security Labs saw that number nearly double to 66 countries, with the U.S. still being the top country for hosting phishing sites. At any time, there are currently more than 800 sites online, established with the sole objective of stealing information from users. However, phishing sites are difficult to track because attacks typically move from location to location, server to server and are therefore available online for an average of less than three days.
To further amplify the advancement of phishing attacks, phishing techniques are morphing. According to the report, moving forward into 2005, Websense Security Labs anticipates an increasing number of phishing attacks that capitalize on vulnerabilities in browser technologies. Examples include ploys that use Dynamic Hypertext Markup Language (DHTML) to display fake toolbars, and those that use several other vulnerabilities to run code on users' machines such as replacing fraudulent task bars and address location bars with what appears to be authentic sites, as well as replacing domain names with falsified information. Phishing methods that use malicious code to run a keylogger on users' machines will also become more prevalent.
Along with the continuation of phishing attacks, the report also predicts that there will be a marked increase in the number of fake/fraudulent merchants in new areas in addition to the familiar pharmaceuticals, online gaming/lottery, and loan mortgage scams. The report expects that search engines will be used as a ruse to trick users into connecting to phishing and fraud-based Web sites.
The Websense Security Labs' Web Security Trend Report also discusses the growing use of peer-to-peer (P2P) and instant messaging (IM) and how these technologies are being used to attack organizations. In addition, the report analyzes the spread of malicious code propagating on the Internet, including Trojan horses, keyloggers, spyware, and BOTs. Furthermore, the findings discuss the advancement and development of hacking Web sites and hacking tools and what to expect in 2005.
Websense Security Labs researches today's advanced Internet threats, focusing on malicious Web sites, phishing, and other emerging threats associated with spyware, keylogging, and instant messaging (IM) and peer-to-peer (P2P) use. It delivers timely product and information updates to the security community and Websense customers to support them in making their infrastructure more secure.
