Cross-Linking Opening Doors to Malware

By Matthew Hines  |  Posted 2008-06-21 Print this article Print

The entire foundation of our trust in the Internet has been eroded in recent years by the growing popularity of malware attacks propagated via hacked Web sites, and there's evidence that the problem only continues to intensify.

Several years ago, users were thought to be largely insulated from the problem if they merely policed their browsing activities fairly loosely, with the emphasis placed on avoiding porn sites, random download offers of free games and celebrity screensavers, and mom-and-pop URLs that likely had not been developed by experienced coders.

However, the issue has slowly crept its way into the domain of well-known sites, in many cases those run by very large, reputable businesses. Examples in this vein range from purely online concerns such as eBay -- which for a time struggled to stave off cross-site scripting attacks -- to the largest brick-and-mortar businesses in the world, such as Wal-Mart, which recently saw some of its pages subverted by attacks.

And now a new angle on the issue of infected URLs is emerging as online media outlets become more open to the idea of pointing away from their own pages and toward the sites of those concerns that they desire to cover -- in particular, hot online phenomena.

Certainly the blogosphere has been ripe for this type of activity for years as varying levels of professionalism in terms of Web site security have been exposed by the layers of linking that writers typically engage in -- for instance, the practice of including hotlinks to the URLs of independent sources of information and citizen journalists.

But more recently, as the mainstream media has lowered its tolerance for associating itself with lesser-known commodities, including bloggers, but more specifically sites that become overnight Web sensations and can draw large volumes of clicks, the problem of hacked sites has grown even more loaded.

For example, on June 18 the New York Times, which prides itself on being one of the world's most reliable sources of news and information, and is widely regarded as just that, found itself in a precarious position. In an online story about a kitschy NYC consignment shop, the Times offered a link to the store's own URL, which, guess what, had been secretly infected with dangerous spyware.

Much like the site's proprietor, the Times had no reason to suspect that the URL had been hacked, and thus the problem of subverted legitimate Web pages was delivered upon any reader of the story who decided to click on the link and didn't have adequate anti-virus protection in place.

After being apprised of the situation by security researchers, the Times did indeed remove the link from its story.

Another common method being adopted among malware distributors for duping people into stumbling across their work is to attempt to infect URLs linked from user-driven content sites such as Wikipedia and MySpace, with many recent examples of dirty pages being made available over both of those properties.

Projects including McAfee-owned SiteAdvisor and Harvard Law School's are helping out quite a bit with the issue, for those who use the tools -- Stopbadware has conveniently partnered with Google to warn users who attempt to visit infected sites, and SiteAdvisor is provided free by McAfee via download -- but even those well-backed efforts struggle to keep tabs on every site online, especially legitimate URLs that get subverted.

To add metrics to the discussion, researchers with filtering specialist ScanSafe report that they have tracked a staggering 407 percent increase in the risk of malware exposure via compromised Web sites in the last year alone, and the company proposes that the majority of infections coming via this delivery model are arriving through cross-linking practices.

"The New York Times and Wikipedia examples are just that: examples. They by no means are the exception," ScanSafe Senior Researcher Mary Landesman wrote in a recent blog on the topic. "Whether through a media article, an online encyclopedia, a search engine, or other link from an entirely respectable site, the problem of trusting crosslinks will only get worse. And as that trust erodes, it threatens to tear the very fabric of the Web."

Here's hoping that by including a link to that piece of content I'm not propagating the issue myself!

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel