Safe and productive web browsing: the challenge for business

Graham Cluley, Sophos

A brand new infected web page is discovered every five seconds, making the web the key vector for online hacking attacks, as well as representing a drain on productivity for many businesses. Yet the vast majority of organisations are unprotected against modern web-based malware, with few having deployed proactive protection to combat the dangers to ensure that network security and employee efficiency remain uncompromised. Graham Cluley prescribes some preventative security medicine.

Cybercriminals have, in the past, used email as their preferred vector of attack. However, as organisations have become wise to this danger and introduced measures to protect these systems, hackers have shifted their attentions to the still largely unprotected web. Through web-based malware they steal confidential information or establish botnets - networks of hijacked computers from which malware, spam and other threats can be distributed. Taking advantage of any new vulnerabilities, hackers post their malicious code on legitimate websites - by mid-2008, web pages were being infected at the rate of 16,173 a day, or one every five seconds.

Most businesses have no proactive protection against threats at their web gateway, and web browsers are often left unpatched, making it easy for hackers to infect thousands of systems every day via the web. This is extremely lucrative for criminals - a single compromised computer can give access to thousands of customer records. It is also extremely costly to businesses - estimated at $197 per compromised customer record in 2007.

In addition to the security risks, organisations must deal with the adverse impact on productivity brought about by the explosion of social networking and other non-business-critical sites. Unauthorised surfing can cause network slowdown, staff inefficiency and further security risk if sensitive data is posted online.

A new box of tricks

Hackers use a number of carefully designed tricks to gain access to corporate data and networks via the web.

Reputation hijacking
Sophos's latest research shows that 90 per cent of all malware-infected web pages are found on legitimate websites. The most cost- and time-efficient way for malware authors to infect computers over the web is to host their malware where the largest number of people will see it. This is what happens when the reputation of existing websites is hijacked, drawing in unsuspecting users by piggybacking on the popularity and credibility of these presumed-to-be-safe URLs. Although hackers do also specifically create new infected websites via free web hosting services or, usually, by using a domain name that is similar to an existing, legitimate brand, this is a much less common practice.

The IFRAME HTML tag provides a very convenient mechanism for cybercriminals to infect a website - so far this year it has accounted for more than a third of all web-based malware[1]. By targeting an insecure web server or by exploiting other new vulnerabilities before patches are available, hackers can quickly and easily inject numerous pages on multiple websites with a malicious iFrame. As this code is virtually invisible, content can be loaded without the knowledge of either the site administrator or the site visitor.

This type of threat replicates extremely quickly, with devastating effect. Hackers have had high-profile success - in 2007, infected social networking sites included MySpace, Facebook and Google's Orkut, the latter infecting more than 670,000 users. No sector is immune - those infected range from government sites, such as the US Consulate in Russia, to IT security vendor Computer Associates. Even lower-profile websites are susceptible, with infected sites ranging from Christian ministries and organic food producers to landscape gardeners and ice-cream makers.

Deep down in the database
Hackers use a technique called 'SQL injection' to exploit security vulnerabilities and insert malicious code into the database underlying a website. Companies whose websites have been struck by such an attack often clean up their database, only to be infected again a few hours later. Users visiting the affected websites risk having their computer taken over by hackers, and their personal banking information stolen by identity thieves.

This type of infection requires nothing more than users to surf the web and visit an infected webpage using an unpatched browser. They are not tricked into clicking particular links or opening particular files. Their computer becomes infected simply because they have visited a site where known browser vulnerabilities have been exploited by a malware author. The problem for administrators is that keeping up-to-date with browser and plug-in patches is not as straightforward as patching the operating system. There can be several browser and plug-in patches a month - all from different vendors. In just one example of the problem, in early 2008, vulnerable image upload ActiveX controls used by MySpace and Facebook left users open to attack.

Look-alike domains
By setting up websites using domain names that are similar to those used by legitimate sites (for example, 'Goggle' instead of 'Google'), hackers rely on common human errors to get users to land on their web pages. These pages are like traps waiting to ensnare and infect unsuspecting visitors. Because these lookalike websites generally resemble the site the user had intended to visit, users are often easily tricked into opening or downloading seemingly safe content.
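A web gateway can flag requests to near-miss domains such as the 'Goggle' case above. The following is an added example, not part of the original article: it compares requested hostnames against a list of protected domains using an edit distance that counts insertions, deletions, substitutions and adjacent swaps. The protected list, the threshold and the sample hostnames are assumptions made for illustration.

```python
# Domains to protect; this list is an assumption for the example.
PROTECTED = ["google.com", "myspace.com", "facebook.com"]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. 'googel' for 'google'.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def normalise(host):
    """Lower-case the name and drop a trailing dot and leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def lookalike_of(host, protected=PROTECTED, max_distance=1):
    """Return the protected domain that host imitates, or None."""
    name = normalise(host)
    if name in protected:
        return None  # exact match: the genuine site
    for brand in protected:
        if osa_distance(name, brand) <= max_distance:
            return brand
    return None

# Constructed hostnames, as they might appear in a proxy log.
SAMPLE_HOSTS = ["www.google.com", "goggle.com", "Googel.com",
                "facebok.com", "intranet.example.org"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        brand = lookalike_of(h)
        if brand:
            print(f"{h}: possible look-alike of {brand}")
```

A threshold of 1 keeps false positives low on short names; raising it catches more variants at the cost of flagging unrelated domains.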

Fast-flux spam attacks
Cybercriminals are turning away from sending malware as email attachments and instead are seeding their spammed email with links to infected web pages. Behind these links are botnets, acting as web hosts. The malware authors cycle through these to provide a constantly changing malware-infected landing page to anyone who follows a link. This process is known as 'fast flux' and increases the difficulty for security filters to find and block the associated spam attacks. Just as social engineering tricks have been used to encourage users to click on email attachments, the same methods are tricking them into clicking on links to web pages. The Storm (or Dorf) worm used topical news stories, e-card greetings, fake YouTube messages and sports events to make it one of the most disruptive threats during 2008.
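The constantly changing hosts behind a fast-flux link leave a recognisable trace in DNS answers. The following is an added example, not part of the original article: it flags hostnames whose A records show many addresses spread over several networks with short TTLs. The thresholds, the function name and the sample records (documentation address ranges) are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# Thresholds are assumptions for this example; tune them on your own DNS data.
MIN_DISTINCT_IPS = 5   # addresses seen for one hostname
MIN_NETWORKS = 3       # distinct /16 prefixes those addresses fall in
MAX_TTL = 300          # seconds; flux hosts keep TTLs short to rotate quickly

def fast_flux_candidates(records):
    """records: iterable of (hostname, ttl_seconds, ipv4) DNS A answers."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for host, ttl, ip in records:
        addr = IPv4Address(ip)
        ips[host].add(addr)
        nets[host].add(int(addr) >> 16)   # keep the /16 prefix only
        ttls[host].append(ttl)
    flagged = []
    for host in ips:
        if (len(ips[host]) >= MIN_DISTINCT_IPS
                and len(nets[host]) >= MIN_NETWORKS
                and max(ttls[host]) <= MAX_TTL):
            flagged.append(host)
    return sorted(flagged)

# Constructed DNS answers collected over repeated lookups.
SAMPLE_ANSWERS = [
    ("ecard.example.com", 60, "192.0.2.10"),
    ("ecard.example.com", 60, "198.51.100.5"),
    ("ecard.example.com", 60, "203.0.113.9"),
    ("ecard.example.com", 60, "192.0.2.77"),
    ("ecard.example.com", 60, "198.51.100.200"),
    ("ecard.example.com", 60, "203.0.113.150"),
    ("static.example.net", 3600, "192.0.2.20"),
    ("static.example.net", 3600, "192.0.2.21"),
    ("www.example.org", 300, "198.51.100.80"),
]

if __name__ == "__main__":
    for host in fast_flux_candidates(SAMPLE_ANSWERS):
        print(f"{host}: many addresses, several networks, short TTL")
```

Content delivery networks and round-robin DNS can show a similar profile, so treat the output as candidates to correlate with other evidence, such as the hostname appearing in spammed links.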

Beating security defences with fast updating
In stark contrast to the 'fire-and-forget' method of email-borne viruses and worms, modern web threats are constantly being adapted and modified, in an attempt to bypass defences. By repackaging threats, hackers can create numerous minor variants, some of which may not be recognised by security solutions. This process can even be automated, allowing criminals to generate multiple malware variants in a single day. This constant modification of code not only enables hackers to compromise more computers - it also means that, once infected, they stay infected longer than before. By continually changing the characteristics of their code, hackers can cheat rudimentary malware detection engines (or those with relatively poor proactive scanning capabilities) and add more malware, such as spyware or adware, to the computer. Alternatively, compromised computers can launch repeated spam campaigns or distributed denial-of-service attacks.

Safeguarding your corporate network

Today's rapidly evolving web threats and the instant exploitation of any vulnerability by cybercriminals mean that it is not enough for businesses to protect only their email and endpoint systems. Organisations need to act now to ensure that surfing the web at work poses no threat to IT security, network resources or staff productivity.

User education as a tool for defence

Many businesses have successfully educated users to spot email-borne threats, and while the fight against web-based threats relies much more heavily on sophisticated technology, users should be engaged in the fight. Many firms have procedures in place that define which websites are considered appropriate, but few have updated these to include guidance on how to avoid infection whilst surfing the net. A good policy will dictate that:

  • Employees must never open spam emails.
  • Employees must never click on links included in emails sent from unknown senders.
  • Web browsers are patched at all times by the IT department.
  • Employees should minimise non-work-related browsing for both security and productivity reasons.

Users can also be required to report unusual behaviour, such as their computer suddenly becoming slow, the homepage changing without their input or a file that opens but does nothing.

Comprehensive security solutions are key

In addition to good preventive practice, such as rigorous patching and educating users about the risks of browsing, organisations must implement a comprehensive web security solution. A good technological defence is one that is able to proactively scan and filter all web pages in real time, even those on legitimate sites, before granting access to the user.

Organisations looking to protect against the growing threat of web-based malware need a solution that above all demonstrates its security attributes and combines powerful site and content controls with low-impact, effective administration. At the same time, end-user expectations and requirements for speed and efficiency must be met. Solutions that fail to meet these demands for security, control and performance in today's cyber climate will ultimately fail the organisation.

1. Sophos Security Threat Report, July 2008

Graham Cluley is senior technology consultant at Sophos.