Growth of the Underground Cybercrime Economy 94
AC50 writes "According to research from Trend Micro's TrendLabs compromised Web sites are gaining in importance on malicious sites created specifically by cyber-criminals. The research debunks the conventional wisdom about not visiting questionable sites, because even trusted Web sites such as those belonging to Fortune 500 companies, schools, and government organizations can serve forth malware."
Any site (Score:5, Informative)
it's called No Script (Score:5, Informative)
Re:it's called No Script (Score:3, Informative)
Re:it's called No Script (Score:3, Informative)
It's a problem, but the size is limited. (Score:5, Informative)
We have a list of major sites being exploited by active phishing scams, [sitetruth.com] which we update every three hours. There are 56 sites on the list right now. Most sites don't stay on the list too long, but we still have 14 that have been on the list since last year. Most of them are DSL service providers with compromised machines they haven't kicked off. Some providers are proactive about this, and some aren't. Then there are a few compromised sites that just have no clue about how to fix their problem. One such site is the teacher web space for a school district.
By, well, nagging, we've been able to get the big players to fix their problems. Google, Yahoo, MSN, and Dell were all on the list at one point, but they've all tightened up their systems.
The points we make with this list are that 1) the number of major sites involved is small, and 2) blacklisting at the second level domain level causes acceptable levels of collateral damage. So go ahead, blacklist the whole second level domain in your phishing filters. Think of it as a way to encourage sites to clean up their act. Or as a way to find out where to apply the clue stick.
This list is about "major" sites, ones in Open Directory (1.7 million sites.) The issue there is with attackers trying to steal the credibility of the major site. At the other end of the scale, any domain less than a few weeks old probably isn't worth connecting to. Or at least it should be read with all executable content disabled, including HTML email. Also, any link with more than one redirect probably shouldn't be followed.
It's easier to filter out the attackers if you're willing to filter out the bottom-feeders as well. But that's another story.
Re:it's called No Script (Score:5, Informative)
Firefox 3 does this. If you start to load a site that's in Google's database of malicious (and compromised) pages, Firefox 3 will show a big red "Suspected attack site!" thing instead of parsing the page.
Mozilla and Google put a lot of effort into making it possible to do this without slowing down page loads. Firefox downloads a list of 32-bit hash prefixes for compromised sites. If a hash prefix matches (which will happen on any malicious page load and perhaps 0.1% of other page loads), Firefox asks Google for the rest of the hash. Both the local database lookup (which can require disk access) and the possible request to Google happen in parallel with Firefox resolving the DNS entry and connecting to the site.
Last week, the site of Firebug author Joe Hewitt was compromised, and Firefox 3 Beta 3 users saw this [mozilla.com].
Re:it's called No Script (Score:2, Informative)
Re:it's called No Script (Score:5, Informative)
The problem is not lack of virtualization. Everything is virtualized already. The problem is excessive permissions given to the programs running in each virtual address space. For example, the web browser should not have any rights to save files outside a designated 'downloads' directory.
Re:it's called No Script (Score:3, Informative)
I read about it in the comments of some
All changes are written to a sandbox directory, convienently called "sandbox"
And you can launch more than just your web browser in it.
Re:This doesn't defy conventional wisdom (Score:3, Informative)
Most of the hosts are not aware their site has been "infected" half of the time. I used a site regularly until one day it tried to download some malware in an iframe and an flv file. Not aware at all their site had got a problem.
Not helped by some people who use a certain "site advisor" program giving it a green tick because it was "full of pretty, cool and amazing things" instead of looking at what their anticrapware app was singing / doing and warning people accordingly.
For that fact alone I refuse to bank online, I just feel safer. Call me old fashioned....
Too many words... (Score:3, Informative)
Surely you mean think twice before [...] you browse with internet exploder..
I can vouche for this story. (Score:1, Informative)
Re:Questionable company (Score:2, Informative)
Nonsense (Score:1, Informative)
The OP is quite correct. It's a heck of a lot easier to clean up an attack that has compromised a VMWare image than one which has compromised the PC.