Sunday, March 29, 2009

Hackers Refocus on Users

A warning to owners and operators of high-traffic web sites - you're under attack.

While that isn't really a revelation, this might be - attackers are after your users.

Having followed the compromises of thousands of web sites over the past several months, it has become clear to me that hackers are refocusing their attack strategy on the user.  The attack itself may be the same (SQL Injection is still the most popular way in), but rather than simply ripping off your database, defacing your site, or shutting you down, the recent shift in strategy has attackers injecting scripts and links to malware-infection sites they control, focusing ever more keenly on infecting the user with some sort of malware.  The bolder attackers simply inject the malware directly into poorly written sites and infect the users straight off.

Recent disclosures of 0-day... scratch that... unpatched root-level defects in Internet Explorer 8 and Firefox [with rumored 0-days in other browsers] could be aiding attackers in silently planting nasty little bugs in the browsers of average-Joe users.  This then acts as a lasting attack against the user, likely stealing information such as usernames and passwords as well as commonly used links, credit cards and other valuable information.

The worrisome shift becomes glaringly evident when one does a quick Google search and discovers over 57,000 hits in the last month alone!  That's an incredible number of articles written about these types of compromises, with many high-profile sites being "hacked" in this manner.

High-profile sites like Peugeot, various overseas embassies, the USAID website, BusinessWeek and many, many others have recently been turned into malware-distribution engines via some sort of script-injection attack - most often injecting a hidden iframe into the page and delivering the malicious payload through it.
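As an added example (not code from the original post), here is the kind of check a site owner could run over their own pages after a suspected compromise: it flags iframes that are both hidden (zero-size or styled invisible) and loading from a host other than the site's own. The sample HTML and the malware hostname are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus one injected,
# invisible iframe of the kind described in the post (host is a placeholder).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<p>Latest news...</p>
<iframe src="http://malware.example.invalid/x.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_hidden(attrs):
    """True if the iframe's size or style makes it invisible to the user."""
    dims = []
    for name in ("width", "height"):
        digits = re.sub(r"\D", "", attrs.get(name) or "")
        dims.append(int(digits) if digits else None)
    if any(d is not None and d <= 1 for d in dims):
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style") or ""))


class IframeFinder(HTMLParser):
    # Collects the src of hidden iframes whose host is not the site's own.
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # Report only iframes that are both hidden and point off-site.
        if _is_hidden(a) and host and host != self.site_host:
            self.findings.append(src)


def find_hidden_offsite_iframes(html, site_host):
    """Return src URLs of hidden iframes loading from another host."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    return parser.findings
```

Running `find_hidden_offsite_iframes(SAMPLE_HTML, "www.example.com")` returns only the injected off-site frame; relative or same-host iframes are left alone, so the output is a short list worth a human look rather than a cleanup script.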

A perfect example of a timely, Easter-based attack uncovered by targeting search-engine results for Easter... 

This trend has focused, I believe, on the users for at least two reasons.  First off, effective end-user protection mechanisms simply don't exist to combat custom-written malware that mutates and adapts quickly.  Second, and perhaps more importantly, the value of attacking an end-user is growing.  As computers are used for more and more tasks they will continue to house more and more highly sensitive information about their users... and attackers will continue to target that information and harvest it for their own malicious gain.

The lesson to take away here is two-fold.  Protecting your site is more important than ever; but you already knew that.  The second, and perhaps discouraging, thing is that there is no foreseeable solution to this issue if you're an end-user.  While most of these delivery mechanisms rely on attacking your browser or on injected JavaScript (the most common case), that functionality is typically needed to make the site usable.

What's a user to do?  Here's a checklist for end-users.  It won't guarantee your safety but it'll help.
  1. Never install anything off the web that you don't know for a fact is benign
  2. Your best bet for browsers is still Firefox 3
  3. While it's not simple, using NoScript for Firefox is a *must* on sites you don't trust...
  4. Never click buttons on pop-ups... use ALT+F4 to close windows

Good luck, users - it's up to you to pressure site owners to adopt better security practices by telling them you take your security seriously.

Stay tuned... I'm putting together a collaborative list of "How to Spot Evil on the Web"...
