Know Your Enemy: Malicious Web Servers Study
Researchers from New Zealand's Honeynet Alliance report that anyone is at risk on the internet. Increasingly, attackers are part of organized crime, intent on defrauding their victims.
The attackers' goal: deploy malware on a victim's machine and start collecting sensitive data, such as online account credentials and credit card numbers. Since attackers have a tendency to take the path of least resistance and many traditional attack paths are barred by a basic set of security measures, such as firewalls or anti-virus engines, the "black hats" are turning to easier, unprotected attack paths to place their malware onto the end user's machine. They are turning to client-side attacks.
While most of us already knew this, the number of things that can go wrong out on the internet for users is growing. The researchers also found that some browsers are targeted more than others, and that several defensive methods can reduce users' risk of client-based Web infection.
All URL categories the organization reviewed in the new "Know Your Enemy: Malicious Web Servers" report -- including news, adult, music, Warez, defaced URLs, spam, and links with misspelled names -- contained some malicious URLs. Some sites are obviously still riskier than others, of course -- links on adult sites and in spam messages, for instance, are at the top of the danger list.
The researchers found users may become infected not only by following a link, but also by typing a link manually, missing a letter, and being snagged by typo-squatter URLs. Users are also going to malware-infected links served up by search engines.
The group used a client honeypot developed by the Victoria University of Wellington and the New Zealand Honeynet Project to identify malicious Web servers on the Internet. The "high-interaction" honeypot contacted infected Web servers containing malware. Malware can take over a user's computer without the user's knowledge or interaction. The researchers studied more than 300,000 URLs from approximately 150,000 hosts.
Financial institutions may also want to look into using the Capture-HPC tool, which the Honeypot organization has also released publicly at http://www.nz-honeynet.org/capture.html. This tool detects and records things like file system modifications and registry modifications.
The report examines the different kinds of client-side attacks and evaluates methods to defend against client-side attacks on web browsers. It gives an overview of client-side attacks and introduces the honeypot technology that allows security researchers to detect and examine these attacks. The report also lists a number of cases where malicious web servers on the Internet were identified with the researchers' client honeypot technology, and the researchers then evaluated different defense methods. One valuable part of the report is a set of recommendations that one can implement to make web browsing safer.
To read the entire report: Know Your Enemy: Malicious Web Servers.