In-Depth

Why Web Attacks Are Rising

A new report shines light on Web-based attacks, concluding that -- in terms of both volume and variety -- they pose a significant, and significantly expanding, threat.

• By Stephen Swoyer
• 04/14/2009

The conficker worm has nabbed the lion’s share of recent security ink, but according to a new study from Symantec Corp.’s Security Response arm there are plenty of other problems lurking. Symantec Security Response recently took a look at Web-based attacks, concluding that -- in terms of sheer variety -- they pose a significant, and significantly expanding, threat.

Unlike Conficker, which exploits NetBIOS vulnerability to spread itself over a network -- or (in at least three variants) by means of infected removable media -- Web-based attacks would seem to be easier to protect against. IT must do its due diligence, of course, but so long as users observe certain best practices -- always a dicey proposition -- avoid certain kinds of Web sites, and ensure that their Web browsers are patched against recent vulnerabilities, Web-based attacks would seem to be easier to protect against, right?

Not necessarily. For one thing, Symantec researchers conclude, attackers are increasingly hiding in plain sight -- er, site.

“It used to be that attempts to install malware on a user’s computer via the Web typically came from the darker corners of the Internet. By targeting Web sites that promote illicit activity such as adult material or pirated software, malware authors knew they could find a plentiful supply of users more focused on their short term needs than on cautiously evaluating what they were downloading to their computer,” the report indicates. “Today, malware authors are looking for wider targets. Few Web sites are immune from being compromised and used as a host to deliver malware to their unsuspecting visitors,” the report continues.

“Mainstream Web sites provide a large base of users for malware authors to target. Perhaps more significantly, they provide a set of users who are less likely to be concerned about being the victim of a malware attack because they hold the belief that if they only surf to mainstream Web sites, they will be safe.”

Last year, Symantec says, its Security Response team recorded Web attacks from more than 800,000 distinct domains, a significant number of which originated from mainstream Web sites. The obvious and disconcerting upshot, the report asserts, is that “the notion of being safe if one only visits good sites no longer holds true.”

Why are Web attacks -- even attacks against mainstream (and notionally hardened) sites -- on the rise? In part, Symantec claims, because they’re ripe for the attacking.

“It seems that each new year brings with it a new media type to be served up to users via the Web. This, along with the ever increasing complexity of computing functions that now happen on the Web, means that today’s Web servers have evolved into very complex pieces of code,” the report says. “When you visit a Web site, you are not going to a single static page, but a combination of many different Web content sources, dynamically constructed using many different scripting technologies, plug-in components, and databases.” In this model, communication is the obvious weak link.

“These pieces must all communicate with each other, typically over a network which potentially exposes weaknesses that can be probed and attacked,” the report indicates, going on to cite the highly convoluted schemes many sites used to serve up advertisements (e.g., ads are frequently sourced from third-party sites). “It is not uncommon for a Web site to have ten … or twenty … different domains from which Web site content is pulled to make up one single Web page that a user views!” the report observes.

“The task of keeping such Web servers secure has not kept up with the growth and the complexity of building out a Web site. As a result, more and more Web sites are vulnerable to attack.”

Similarly, attackers are exploiting the complexity of Internet advertising arrangements, leading to a rise in what Symantec calls “maladvertisements.”

“[This is an] effective method for attacking users of legitimate Web sites by delivering the attack through one of the many ad content providers supplying content to the legitimate Web site -- not directly from the Web site itself. Many Web sites today display advertisements hosted by third-party advertising sites,” according to the report. “[D]ue to both the sheer volume of online ads published every day and the automated nature of the publishing mechanisms, it is inevitable that some malicious ad content slips through and is inadvertently hosted on entirely legitimate Web sites.”

Maladvertisements can be difficult to detect, Symantec researchers conclude: “a single malicious advertisement may only appear once every 1,000 page views or only to viewers from a certain geographic region, thus making it more challenging to detect and eradicate.”