Web Attacks Grow Fast, Wal-Mart Absorbs a Blast
Security researchers are finding no shortage of evidence that Web-based attacks are only getting worse, accelerating at an even greater pace over the last 12 months.
According to a report issued the week of June 9 by malware filtering specialist company ScanSafe, the emergence of new Web attacks increased dramatically between May 2007 and May 2008, including a number of threats that infected popular legitimate sites maintained by large companies, one being retail giant Wal-Mart.
At the core of the leap were an "unprecedented" series of compromises that planted hundreds of thousands of malware samples on legitimate sites using malicious scripts and iframes, the company said. Most of the attacks were designed to secretly plant keyword loggers on the machines of unsuspecting site visitors.
During May 2008 alone, users were faced with a threefold increase in the volume of Web-based malware exposure compared with one year ago, ScanSafe researchers estimate.
Overall, the sheer volume of Web-based threats increased 220 percent, with the average risk of exposure to such exploits and infected sites jumping by 407 percent over the past year. Even scarier, the company reported that backdoor and password-stealing malware attacks increased 855 percent, with 68 percent of all Web-based malware residing on legitimate sites that have been somehow subverted during May '08.
All those figures are based on the numbers of attacks that ScanSafe filtered out for its customers over the last year.
In another interesting twist, ScanSafe observed a move away from some malware tactics that have been seen as cutting-edge in recent times, such as the use of social networking sites and blogs to pass along threats. Far more attacks are being passed along directly from hacked, legitimate Web sites themselves, in a return to more time-honored models, ScanSafe said.
That trend is likely being pushed along by the wide availability of free exploit frameworks and vulnerability assessment tools that allow for "mass compromise" of Web sites by even amateur attackers, according to the vendor. ScanSafe contends that the "point and click" model is garnering greater ROI for malware producers, thus leading to broader adoption.
And it's not just poorly designed celebrity sites and screensaver retailers that are getting worked over anymore, but an increasing number of well-known Web properties.
As an example, ScanSafe pointed to the May 2008 subversion of Nature.com, a popular science and medicine portal that is one of the 500 most popular sites linked from Wikipedia and that tracks some 877,000 unique visitors per month. Through their attack, criminals predictably attempted to load a Trojan password stealer onto users' machines via the site.
And the biggest fish of all to get taken over may have been Walmart.com. According to ScanSafe, some pages on the Wal-Mart site were compromised in a fresh round of SQL injection attacks.
Mary Landesman, senior security researcher at ScanSafe, observed that in the case of Wal-Mart, it was more of the same in terms of SQL attacks, but with a slightly different twist.
"Instead of just referencing a single malware host, these attacks may embed references to multiple different malware domains," Landesman said. "[This] seems a bit kludgy and out of character with the previous SQL injection attacks we've observed. Looks like either the attacker has changed tactics, or we've got a copycat on our hands."
The message we're hearing from the malware crowd? If it ain't broke, don't fix it.
Or more accurately, if the site ain't fixed, break it.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.