Anti-social

Thursday, 31 July 2008

Hidden dangers of Web 2.0 sites highlighted…
Some 60% of the top 100 most popular Web sites - many of which are social networking, Web 2.0 and search sites - either host malicious content or contain a masked redirect to lure unsuspecting visitors from legitimate sites to malicious sites. This is one of the less-than-cheerful findings of research released this week by Websense Security Labs™. With their large user base, good reputations and support for Web 2.0 applications, says Websense, these sorts of sites provide malicious code authors with abundant opportunity.

Other findings include:

· in the first half of 2008 more than 75% of the Web sites Websense® classified as malicious were actually sites with seemingly ‘good’ reputations that had been compromised by attackers: this represents a 50% increase from the second half of 2007
· more than 45% of the top 100 most popular Web sites support user-generated content
· 29% of malicious Web attacks included data-stealing code, demonstrating that attackers are targeting essential information and data
· the convergence of blended Web and e-mail threats continues to increase. Websense reports that now more than 76.5% of all e-mails in circulation in the past six months contained links to spam sites and/or malicious Web sites: this represents an 18% increase since December 2007

The Websense findings are echoed in part by the ‘Sophos Security Threat Report’ published this month by IT security and control firm Sophos. Looking at the first six months of cybercrime in 2008, Sophos found, inter alia, an explosion in threats spread via the Web with, on average, the company detecting 16,173 malicious Webpages every day; this is three times faster than the rate seen during 2007. And over 90% of the Webpages that are spreading Trojan horses and spyware are legitimate Websites (some belonging to household brands and Fortune 500 companies) that have been hacked through SQL injection.

Sophos experts also note that with the continuing popularity of Web 2.0 social networking sites, including Facebook and LinkedIn, among business users, cybercriminals who have already gained access to user profiles may begin to use these as corporate directories, noting new employees and launching spear-phishing attacks specifically aimed at stealing information from new and unsuspecting members of staff.

“Businesses need to bite the bullet and take better care of securing their computers, networks and websites. They are not only risking having their networks broken into, but are also putting their customers in peril by passing on infections,” comments Graham Cluley, senior technology consultant at Sophos. “But office workers must realise it's not just the business fat cats who need to worry about this. Visiting an infected website from your work PC, or sharing too much personal or corporate information on sites like Facebook, could lead to you being the criminal's route into your company.”

Hats in the ring

Meantime, here’s something new this week from Itzik Kotler, Security Operation Center (SOC) team leader at integrated application delivery and security solutions provider Radware. “Web 2.0 is pushing the boundaries of what today’s interactive Web sites can do; however in the rush to add features, security often becomes an afterthought.”

Kotler and his colleague, Radware security researcher Jonathan Rom, are participating in next week’s technical information security conference ‘Black Hat USA 2008 Briefings’ in

“During our presentation at Black Hat, we will demonstrate and share the source code of Jinx, a fully implemented JavaScript malware, which is the creation of our research that unlocks a number of interesting vulnerabilities within many Web 2.0 operating environments, including the popular Mozilla product line,” reports Kotler.

John Williamson