Dan Bleaken, MessageLabs Intelligence Data Analyst from Symantec, takes an in-depth look at online attacks.

The internet offers an incredible array of benefits. However, it also presents a wealth of opportunities for abuse, including data leakage, fraud and identity theft, to name a few. All have the potential to seriously undermine a business, and all can result from an inadvertent visit to a malware-infected website.

The number of malware-infected websites polluting the web has grown at a startling pace. MessageLabs Intelligence estimates that internet users around the world now make over 100 million visits to malicious URLs every single month. It’s a genuine web security pandemic.

Protecting your business is no longer simply a question of avoiding 'dodgy' or unknown websites. Many mainstream websites are also being deliberately infected by cyber-criminals - with spyware, Trojans and other business-compromising malware just waiting for the chance to download itself on visitors' machines.  

The rise and rise of web threats

The bad guys’ underlying aim in concealing malware within a website is to take control of visitors’ computers. Once this has been achieved, the scope to exploit both the infected computer and its owner is almost limitless. Here’s how a web-based attack works:


First, the attacker decides exactly why they want to gain access to someone’s computer. For example, they may want to steal sensitive data or track browsing habits or keystrokes, which could provide access to vital bank account passwords. The relevant malware is then obtained and placed on the web, often on a newly registered domain which will at first be regarded with minimal suspicion.


Next, the attacker entices or compels potential victims to download the malware. For this to happen the victim first needs to visit the infected website.

They might arrive at the website in the course of their normal browsing behaviour or they might be led there by adverts, links in spam emails, instant messages, social networking websites or blogs.

In other cases, however, no action on the part of the victim is required for the malware to download itself. There is a wide variety of ways this can be achieved, such as ‘drive-by downloads’, where a concealed malware program automatically installs itself on a computer simply as a result of the computer’s user visiting the infected website.


Once the malware has installed itself on the victim’s machine, it proceeds to perform the tasks it was specifically designed to undertake.

This may happen straightaway, or the malware may lie dormant, ready to be activated at a later date in response to commands sent by the attacker or possibly by a third party to which the attacker has sold control of the computer. Whatever the timescales involved, the downloaded program may collect personal data, open ports to allow the attacker further access to the infected computer, change registry values, start or stop services and processes, edit and move files, or modify email, web browser and other software settings.

Such actions will, in turn, open up a range of options for the attacker including holding the victim to ransom by locking them out from their computer and demanding cash, or recruiting a computer to a botnet and using it to send spam or steal credit card data.

No safe haven

When web threats first started to appear, there were some simple actions that web users could take to reduce the likelihood of malware infection. It paid to be aware that websites incorporating user-generated content were easier for users to seed with malware or ‘bad’ redirect links.

Although it wasn’t a complete guarantee of immunity, users could minimise their potential vulnerability by maintaining careful, disciplined browsing habits.  

Today, there are still a lot of websites that have been set up purely with malicious intent. These are commonly advertised to potential victims in spam, spIM (spam over instant messenger), blogs and social networking pages. But now cyber-criminals have become much more systematic in the way they compromise legitimate websites, using increasingly sophisticated techniques to do so – and stoking up the danger level for anyone visiting the web.

For instance, attackers can place malicious files on legitimate websites. Visitors to a legitimate website can also be redirected to another website where malware is embedded. Another option is for the attacker to add scripts to a legitimate website which then automatically download malicious files from elsewhere. An even bolder technique is known as ‘clickjacking’. Here, the attacker alters what happens when a button or link is clicked on, with malicious code being executed instead of the proper function.      

So why is it now comparatively easy for the bad guys to subvert reputable websites?

Today, many websites harness multiple media types, pulling, or being fed, information from many sources. In fact, a website can consist of around 100-200 components, and it may only take one of these to be compromised for a visitor to end up downloading malware onto their machine. Moreover, such a component could go unnoticed for some time. It’s usually the internet security community that spots them first and alerts legitimate websites that they are serving up malware to unsuspecting visitors.
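An added example, not part of the original article or of any MessageLabs tooling: one way a site owner could inventory the active components a page pulls in and flag any served from a host that has not been approved. The page, the host names and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch active or framed content.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ComponentAudit(HTMLParser):
    """Collect every active component a page pulls in, with its host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.components = []  # (tag, absolute URL, host)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            absolute = urljoin(self.page_url, url)
            self.components.append((tag, absolute, urlparse(absolute).hostname))


def unexpected_components(html, page_url, allowed_hosts):
    """Return (tag, url) for components served from hosts not on the allowlist."""
    audit = ComponentAudit(page_url)
    audit.feed(html)
    approved = set(allowed_hosts) | {urlparse(page_url).hostname}
    return [(t, u) for t, u, host in audit.components if host not in approved]


# Constructed sample page: the site's own script, two approved third parties,
# and one script from a host nobody approved.
SAMPLE_URL = "https://www.example.com/"
SAMPLE_ALLOWED = {"cdn.example.net", "ads.example.net"}
SAMPLE_HTML = """
<html><head><script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script></head>
<body><iframe src="https://ads.example.net/frame.html"></iframe>
<script src="//stats.example.org/x.js"></script></body></html>
"""

if __name__ == "__main__":
    for tag, url in unexpected_components(SAMPLE_HTML, SAMPLE_URL, SAMPLE_ALLOWED):
        print(f"unapproved <{tag}> from {url}")
```

Run on a schedule against the live pages, a check like this shortens the time an injected component goes unnoticed.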

There are many ways in which a cyber-criminal can compromise a legitimate website. One is structured query language (SQL) injection, in which attackers probe the databases behind websites to determine their structure or obtain login credentials, before updating the database and changing the website’s content. Using stolen file transfer protocol (FTP) credentials to access and change files on a web server is another of the many popular strategies adopted by the ‘bad guys’.

Sometimes, legitimate websites are compromised on a one-off basis, with the attacker probing several websites until they find one with potential to be compromised. However, it’s also true that legitimate websites are compromised using automated campaigns where thousands of websites are trawled.

Attackers also prey on the belief that legitimate websites are definitely ‘safe to surf’. They do this, for instance, by registering domains that look very similar but are not identical to legitimate websites, a technique known as ‘typo-squatting’. In doing so, they hope users won’t notice that the URL they’re following leads straight to an infected website.
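An added example, not part of the original article: a defensive check that flags URLs whose host is a near miss of a host the business really uses, which is the pattern typo-squatting relies on. The trusted hosts, the visited URLs and the distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def normalise(host):
    """Lower-case a hostname and drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def lookalike_of(url, trusted_hosts, max_distance=2):
    """Return (trusted_host, distance) when the URL's host is a near miss, else None."""
    host = normalise(urlparse(url).hostname or "")
    trusted = sorted(normalise(t) for t in trusted_hosts)
    # The exact host, or a subdomain of it, is the real site and not a lookalike.
    if not host or not trusted:
        return None
    if any(host == t or host.endswith("." + t) for t in trusted):
        return None
    closest = min(trusted, key=lambda t: osa_distance(host, t))
    distance = osa_distance(host, closest)
    return (closest, distance) if distance <= max_distance else None

# Constructed sample data: hosts the business uses, and URLs as seen in a proxy log.
TRUSTED = ["northbank.example", "payroll.example.org"]
VISITED = [
    "https://www.northbank.example/login",
    "http://nrothbank.example/login",
    "http://northbamk.example/",
    "https://secure.northbank.example/",
    "https://news.example.net/",
]

if __name__ == "__main__":
    for url in VISITED:
        hit = lookalike_of(url, TRUSTED)
        if hit:
            print(f"{url} resembles {hit[0]} (edit distance {hit[1]})")
```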

Dangerous domains

Examining the hosting of malicious content or redirection techniques can provide an excellent insight into how the bad guys operate.

For example, an analysis of the age of malicious domains (i.e. the amount of time between the date when a domain was registered and the date when it was first detected as having malicious content) reinforces many of the key points noted earlier. 

Around 16 per cent of blocked domains were registered less than three months before being blocked for the first time. These domains can be divided into two categories. The majority were set up to serve malware to visitors. The rest were new, legitimate domains equipped with inadequate security and so quickly compromised. 

But what about the other 84 per cent? These domains were more than a few months, and perhaps even many years, old. They’re highly likely to be legitimate websites whose owners were unaware that their website contained, or redirected to, malicious content.

Each day, MessageLabs services block approximately 2000 websites that host or redirect to malicious content, across around 240 domains. Almost half of the domains blocked are being blocked for the first time. This indicates that more and more legitimate websites are being compromised and new malicious websites are continually being established.
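An added example, not MessageLabs code or data: how the two measures described above (domain age at first detection, and the share of a day's blocked domains that are being blocked for the first time) can be computed from a block log. The domains, dates and the 90-day reading of "three months" are constructed assumptions.

```python
from datetime import date

YOUNG_DAYS = 90  # "less than three months", approximated as 90 days (assumption)


def first_block_ages(block_log, registered):
    """Map each domain to (first block date, age in days at that first block)."""
    first_seen = {}
    for day, domain in sorted(block_log):
        first_seen.setdefault(domain, day)  # keep only the earliest block
    return {d: (day, (day - registered[d]).days) for d, day in first_seen.items()}


def young_share(ages):
    """Fraction of blocked domains registered under YOUNG_DAYS before first block."""
    young = [d for d, (_, age) in ages.items() if age < YOUNG_DAYS]
    return len(young) / len(ages)


def first_time_share(block_log, ages, day):
    """Fraction of the domains blocked on `day` that had never been blocked before."""
    todays = {d for when, d in block_log if when == day}
    new = {d for d in todays if ages[d][0] == day}
    return len(new) / len(todays)


# Constructed sample data: registration dates and a two-day block log.
DAY1, DAY2 = date(2010, 3, 1), date(2010, 3, 2)
REGISTERED = {
    "old-shop.example": date(2004, 5, 1),
    "club-site.example": date(2007, 9, 12),
    "fresh-lure.example": date(2010, 1, 20),
    "new-blog.example": date(2010, 2, 1),
}
BLOCK_LOG = [
    (DAY1, "old-shop.example"),
    (DAY1, "fresh-lure.example"),
    (DAY2, "old-shop.example"),
    (DAY2, "club-site.example"),
    (DAY2, "new-blog.example"),
]

if __name__ == "__main__":
    ages = first_block_ages(BLOCK_LOG, REGISTERED)
    print(f"young at first block: {young_share(ages):.0%}")
    print(f"first-time blocks on {DAY2}: {first_time_share(BLOCK_LOG, ages, DAY2):.0%}")
```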

The US, then, hosts over 50 per cent of the legitimate domains that have been compromised, domains which are attracting an awful lot of victims. By contrast, the younger domains are much more widely scattered, with some noteworthy concentrations in Eastern Europe, Canada and the Far East.

Most interesting is China, hosting 10 per cent of these younger domains and responsible for a massive 44 per cent of blocks. Just two internet protocol (IP) addresses under one registrar account for most of the blocks, with the main threat in the last few months being a Trojan hidden in a dummy ‘help’ page. It should be remembered, though, that the location of cyber-criminals setting up a malicious website doesn’t necessarily have to match the country where the domain is hosted.

Defending your business

For any business, the internet represents a potential minefield. Nothing can be assumed to be ‘safe’. Without effective protection in place, any organisation could find its operations fundamentally, and perhaps even critically, compromised. Indeed, it could unknowingly find its machines not just becoming infected but also playing a role in espionage, extortion and other serious criminal activities.