Kapersky Lab's Blog, Threat Post reports that more and more (1/150 vs. 1/20,000) legitimate websites are becoming infected by Malware.
While one in every 150 doesn't sound like a "huge" number, that level of penetration still represents unprecedented levels.
"In 2006 the rate was about one infected site in every 20,000 otherwise clean sites. By 2009 that number had skyrocketed to one in every 150 sites" - Kapersky Labs
I would predict that those numbers would become worse, except for the fact that the latest trend shows that hackers are becoming more savvy and targeting "Big Phish."
After all, why bother targeting 150 small credit unions when the bad guys could focus on one big net/catch? (a Top 10 bank)
Therefore, I would expect to see a shift in the bad guys behavior. Rather than taking a mass distribution approach, as they have, they will also put together well prepared and specifically targeted attacks at higher traffic sites. (for example search engines which lead to malware infected sites)
The motivation is clear - target a smaller number of websites that have more traffic and gain more in less time.
Speaking of "less time", that's how much we have before the web becomes SO dangerous, it's untenable. For that reason, I'm not alone when I say that it is only a matter of (less) time before there is a PCI certified PED in every home, just as there is one at every point of sale in the world. (except the most dangerous place of all...the Internet) To continue on the path we are on, is insanity. (doing the same thing over and over again and expecting a different result)
Simply put, we have but two choices.
1. We can continue with the insane "type" of behavior that allows the bad guys to "SWIPE" our credit and debit card details in order to use them to steal from us in the "card not present" web environment or
2. We can take protect our sensitive data and start "SWIPING" our own credit and debit card details in the privacy of our own home, thus preventing our cardholder data from entering the dangerous browser space. At the same time, we would eliminate "card not present" fraud by performing transactions in a securely encrypted "card present" environment. We would also eliminate the threat posed by phishing, by eliminating the practice of typing.
Finally, if malware is designed to look for online banking credentials as we "type" them into boxes at genuine or cloned online banking websites, what would the bad guys find if we stopped typing those same username and passwords and instead, started swiping our bank issued card and entering our bank issued PIN? (replicating the same trusted process used to withdraw cash at an ATM)
Suffice it to say that that the 73% of consumers who use their online banking credentials to log-in to non-banking websites would be taken right out of harm's way.
While one in 150 websites represent a mere .0066 infection rate, consider that almost one in six, or 13.7 percent of searches for trending news/buzz words lead to malware and 71% of Web sites with malicious code are legitimate sites.
Websense, in their recently released "State of Internet (IN)Security, Q3-Q4 2009: Over the six month period, Search Engine Optimization (SEO) poisoning attacks featured heavily, and Websense Security Labs research identified that 13.7 percent of searches for trending news/buzz words lead to malware."Attackers continued to capitalize on Web site reputation and exploiting user trust: " 71 percent of Web sites with malicious code were revealed to be legitimate sites that had been compromised. - Websense Security Labs Report - State of Internet Security, Q3-Q4 2009
It's obvious to me that it's time to stop typing and start swiping. Here's an excerpt from Threat Post:
One in Every 150 Legitimate Sites Infected by Malware by Dennis Fisher
MOSCOW--The problem of attackers infecting legitimate Web sites with malware that then silently exploits vulnerabilities in users' browsers reached unprecedented levels in 2009, with 1 in every 150 legitimate sites serving up malware, experts say.
Analysts at Kaspersky Lab have been monitoring a pool of about 300,000 legitimate Web sites for the last several years, looking to see how many become infected with malware and how long the infections last. In 2006 the rate was about one infected site in every 20,000 otherwise clean sites. By 2009 that number had skyrocketed to one in every 150 sites, a massive increase driven by the continued success of mass SQL injections campaigns by malware such as Gumblar, Asprox and others.
Many of the infections also are using stolen FTP credentials to perpetuate a vicious cycle of user compromise, credential theft, site infection and malware storage. Once a user's machine is infected with a particular type of malware, the program searches the user's PC for FTP user names and passwords, which it then sends off to a remote server. The attacker behind these campaigns then use the FTP credentials to gain access to remote FTP servers, where they will store attack tools and exploit kits that later can be used for other infections.
It's a frighteningly efficient and simple infection method that shows little evidence of slowing down. As long as it's still effective, there's no reason for the attackers to move on to other more complicated tactics.
Continue Reading