
Report: 51 Percent Of Malicious Web Sites Are Hacked

The number of legitimate Web sites that have been hacked and seeded with code that tries to infect the visitor's PC with malware now exceeds the number of sites specifically created by cyber criminals, according to a report released today.

San Diego based security firm Websense says that roughly 51 percent of all the malicious sites it found in the second half of 2007 were legitimate sites that were compromised by attackers. Malicious, compromised Web sites are especially dangerous because they usually already have a steady stream of trusting visitors. Many of these visitors may not have the latest patches for their Web browser of choice.

The report, available here in PDF form, doesn't go into how the sites were hacked, but Web site hackers compromise sites pretty much the same way they do personal computers: through unpatched security holes. These can be flaws in the Web server software itself, vulnerabilities in some application that runs on top of the server, or weaknesses in a site's back-end database software.

Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will.

The report follows recent discoveries that almost 100,000 Web sites - including that of security company Computer Associates, the Commonwealth of Virginia, the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials.

All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away. This is an easy enough concept to grasp, except for the poor guy who just got his Web site working exactly the way he wants it and has seen prior server upgrades and reboots break everything.

The trouble is that many of these vulnerabilities are in software that announces its version level in the Web site code itself, giving any hacker with even the slightest Google search skills the ability to find hundreds or thousands of vulnerable Web sites with a few clicks (Web masters who inadvertently advertise their site's vulnerability this way are known as "Googledorks," and there is an entire Web site dedicated to listing these unfortunate targets).
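As an added example (not part of the article), here is a small Python check a site owner could run against a saved copy of their own site's HTTP response to find the kind of version disclosure the paragraph describes. The headers and HTML below are constructed samples, not taken from any real site; the product names in them are illustrative.

```python
import re

# Constructed sample response: what a server might hand back to any visitor.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.8 (Unix)",
    "X-Powered-By": "PHP/5.2.5",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 2.3.2" />
<script src="/wp-includes/js/jquery.js?ver=1.2.3"></script>
</head><body>Welcome</body></html>"""

# Headers that commonly carry a product/version banner.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")
VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)?)\b")
META_GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
ASSET_VER_RE = re.compile(
    r'<(?:script|link)[^>]+(?:src|href)="([^"]*[?&]ver=(\d+\.\d+(?:\.\d+)?))"', re.I)


def find_disclosures(headers, body):
    """Return a list of (where, product, version) for every version string
    exposed in response headers, the meta generator tag, or asset URLs."""
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value:
            m = VERSION_RE.search(value)
            if m:
                product = value.split("/")[0].split()[0]
                findings.append(("header:" + name, product, m.group(1)))
    for m in META_GENERATOR_RE.finditer(body):
        content = m.group(1)
        ver = VERSION_RE.search(content)
        if ver:
            findings.append(("meta:generator", content.split()[0], ver.group(1)))
    for m in ASSET_VER_RE.finditer(body):
        findings.append(("asset:" + m.group(1), "asset", m.group(2)))
    return findings


if __name__ == "__main__":
    # Typical fixes: Apache 'ServerTokens Prod' + 'ServerSignature Off',
    # PHP 'expose_php = Off', and removing the generator tag from the theme.
    for where, product, version in find_disclosures(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where}: {product} {version}")
```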

Indeed, Hubbard said, there are multiple online forums and discussion groups where members keep tabs on Web site vulnerability states and hosting providers that have known weaknesses, as well as those providers that have operational restrictions that limit their ability to respond quickly to abuse complaints.

"What bad guys do is keep lists of hosting facilities that are not good at [phishing site or malware site] takedowns," Hubbard said. "They'll keep track of which providers don't have after-hours or weekend support staff, or those who employ personnel who can't speak English."

If it were only a matter of educating a bunch of Googledorks, the situation might not be so bleak right now. The reality is that a great many compromised sites reside on shared servers run by hosting providers who are leasing the capacity from another hosting reseller, who in turn purchases the space from another reseller upstream, and so on. Figuring out whom to contact to notify the provider that it is hosting a hostile site can be a tedious task. Convincing some hosting providers that it's in their customers' best interests and the interests of the Internet as a whole to patch the applications provided to customers can be another challenge, as evidenced by an investigation Security Fix did last year into iPowerWeb, a hosting provider that has become known for hosting tens of thousands of hacked Web sites.

Hubbard said only about 30 percent of two million hostile sites drop off the list with any regularity: Infected legitimate sites with a fair number of regular visitors tend to get cleaned up pretty quickly, but others will languish on the company's blacklist for weeks or months at a time.

If you run a Web site and are looking for tools to help you test whether your site is vulnerable to known security holes, consider checking out some of these Web vulnerability scanning tools (many of them free).

By Brian Krebs  |  January 22, 2008; 9:29 AM ET


From the perspective of the lowly web user, if I keep on top of patches for Windows and my programs with Microsoft update and Secunia, turn off java, use Firefox with SiteAdvisor, and use Noscript judiciously, can I feel fairly confident surfing? What else might be advisable? The fact that these sites include "household brand names" leaves me feeling a little helpless.

I am nervous about trying to set up a limited user account.

Posted by: Rosie | January 23, 2008 3:41 PM | Report abuse

@Rosie -- You could use "Drop My Rights" to set up the browser (both IE and Firefox) to launch in limited user mode, at least. That would allow you to run those apps in limited mode while still being logged in as admin. That might help add a layer of protection for you. See this link here:

Posted by: Bk | January 23, 2008 4:45 PM | Report abuse

On the other hand, that means that 49 percent of "malicious websites" are made intentionally.
I cannot decide what irritates me more.

Posted by: Grisu | January 24, 2008 11:05 AM | Report abuse

That's true. Make sure you have a blocker on your computer to protect your privacy.

Posted by: | January 29, 2008 8:36 AM | Report abuse


Sorry to be so slow to report back with thanks. I have installed DropMyRights on the laptop and so far have had no problems. I have applied it to IE (rarely used), Firefox, Thunderbird, and Google Earth.

Should I be adding it to iTunes? What about MS Office 2003 which does online searches for images, dictionary, etc.? How do I know what other programs are potential problems... like Foxit or Quicktime -- are they not an issue because I evoke them through Firefox?

Am I correct that I will now need to rely on Secunia and regular manual checks for updates -- that this will "break" auto updating of programs?

So many questions, sorry.


Posted by: Rosie | January 29, 2008 9:45 AM | Report abuse
