It's no secret that legitimate sites infected with malware or redirections to malware-laden copycat URLs have become one of the biggest problems in the world of cyber-security - but the sheer ubiquity of the issue has become pretty staggering.
In a report published by filtering specialists Websense earlier this week, based on the company's sensor network - which claims to scan over 40 million URLs per hour - a whopping 70 percent of the Web's top 100 most popular sites were compromised by attackers of some kind during the second half of 2008.
Even to my FUD-filled eyes, that number is just a huge jaw-dropper.
While Websense doesn't name many names, you have to consider who some of the affected sites were, namely, many of the largest and most successful Web properties in the world. This means that even those companies that are likely spending the most time, effort and money on defending their online assets are still getting owned on a pretty regular basis.
Websense did highlight the fact that a number of high-profile media outlets were among those victimized, including CNET Networks, BusinessWeek.com, BillOreilly.com, and the New York Times.
Overall, a thunderous 77 percent of the malware-bearing sites that Websesnse detected in Q3 and Q4 '08 were legitimate properties, and the sheer volume of infected sites tracked by the company's labs group increased by 46 percent over the course of 2008, compared to the previous year. And it's not like there wasn't plenty of this activity going on in 2007!
This is pretty scary stuff. In the old days, you could fairly confidently assume that if you steered clear of mom-and-pop sites, or porn sites, you could likely avoid most of the truly bad malware being floated out online. Now we have to assume that even the most trusted sites... can't really be trusted.
This re-emphasizes the fact that you have to do whatever you can to protect your endpoint, no matter how safe you think your surfing habits to be. The embedded malware issue is just so hard to deal with when popular sites are involved, because it's not like you can test them using SiteAdvisor or Stopbadware.org or something similar. At least with redirections, you might have a clue that something is going on if you keep your eyes on your browser's URL display to look for fishy domain changes.
For businesses, the report highlights the need to stay on top of security patches as aggressively as possible, because most of the attacks launched by the infected sites obviously go after flaws in popular desktop programs, like Microsoft Office products.
Among the other ominous observations posted by Websense:
-84.5 percent of all e-mail messages were spam, a 3 percent decrease over the first half of '08.
-90.4 percent of all unwanted e-mails in circulation linked to spam sites or malicious sites, a 6 percent increase.
-6 percent of spam messages were phishing attacks, representing a 33 percent decrease over the previous six months.
-39 percent of malicious Web attacks included data-stealing programs.
-57 percent of the data-stealing attacks were conducted over the Web, a 24 percent increase.
So, it would seem that now more than ever before the Web is a dangerous place to be, no matter how mainstream the sites you visit may be.
Better keep those AV sigs updated people.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.