Network News

X My Profile
View More Activity

Three Quarters of Malicious Web Sites Are Hacked

Three-quarters of all Web sites that try to foist malicious software on visitors are legitimate sites that have been hacked, a report released today found. Even worse, most of these compromised sites are social networking communities and some of the Internet's most popular destinations.

Those numbers come from stats (PDF) collected in the first six months of this year by Websense, an online security company that scans more than 40 million Web sites hourly for signs that they may have been compromised by hackers.

Websense found that 60 percent of the Top 100 most popular sites this year have either hosted malware or forwarded visitors to malicious sites. The company also says that nine out of 10 of those compromised sites were social networking or Web search sites.

"The majority of these attacks are using Web properties as repositories for malware, mainly because they let users upload content," said Dan Hubbard, the company's chief technology officer. Some of the most frequently targeted communities include AOL, Facebook, Geocities, Google's Blogspot and Google Pages, and Rapidshare, Hubbard said.

Most of the Web sites either hosted malicious content or silently redirected visitors from trusted pages to hostile sites. Hubbard said the redirect most favored by attackers is at DoubleClick, one of the Internet's largest online ad companies (see this post from earlier this month on the danger and pervasiveness of open redirects on the Internet).

Typically, the hacked sites are advertised through junk e-mail. According to Websense, nearly 30 percent of those links lead to sites that try to plant software which steals passwords and other sensitive data from victims. The remainder of the spam links attempt to install software that lets attackers control the systems from afar, and/or install additional software without the owner's knowledge.

The findings mirror other recent research. In May, Web site vulnerability scanning company ScanSafe found that 68 percent of Web-based malware was pushed out via compromised Web sites.

Bad guys are clearly going where the eyeballs are. But I think this snippet from the report aptly sums up the threat we're facing: "Websense has found that the content of a single Web page may be comprised from multiple locations including a variety of disparate sources. The danger is that users typically associate the content they are viewing from the URL in the address bar, not the actual content source. The URL is no longer an accurate representation of the source content from the Web page" (emphasis added).

Browser add-ons like Site Advisor and Web of Trust (WOT) can help people searching the Web determine whether the sites they are searching for have a nasty reputation. But such services do little to aid in flagging legitimate sites that were recently hacked and seeded with malicious software.

Likewise, browser add-ons like "noscript" for Firefox are essential to tame sites that try to use Javascript to load malware from third-party sites. But noscript does no good on sites that users have instructed the add-on to trust, and the types of sites being compromised now are the very ones most people are likely to add to their trusted list. And of course, anti-virus software is often ineffective against threats at newly-compromised sites.

The single most useful step a Windows user can take to be protected from threats at trusted Web sites is to run the operating system - or the Web browser - under a limited user account that does not have privileges to install software or modify key settings on the PC. This will not stop all attacks, but it will blunt the vast majority of them. If this is a foreign concept, please see my posts on running Windows under a limited user account and dropping the user rights of key Internet-facing programs.

By Brian Krebs  |  July 29, 2008; 12:41 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Critical Security Updates Available for RealPlayer
Next: Exploit Prods Software Firms to Update Their Updaters


Does your advice on limited user apply to Vista as well?

Per your recommendation, I started using a limited user account on my XP machine a few years ago and haven't had any signs of malware problems since (knock on wood). Thanks.

Posted by: Ugh | July 29, 2008 12:54 PM | Report abuse

The following is from the error counsel in Firefox 3.

When this kind of stuff comes up, the keyboard types different letters than on the keys?

Anyone recognize what it is?
Error: key is null
Source File: file:///C:/Program%20Files/Mozilla%20Firefox/components/nsUrlClassifierLib.js
Line: 1173
Error: this.keyManager_ is null
Source File: file:///C:/Program%20Files/Mozilla%20Firefox/components/nsUrlClassifierListManager.js
Line: 511
Error: [Exception... "'JavaScript component does not have a method named: "onRefreshAttempted"' when calling method: [nsIWebProgressListener2::onRefreshAttempted]" nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)" location: "" data: no]

Posted by: brucerealtor | July 29, 2008 1:00 PM | Report abuse

"Three Quarters of Malicious Web Sites Are Hacked"

Uh, no duh. :^)

Or do you mean "only three quarters"? That would be a surprise...

Posted by: antibozo | July 29, 2008 4:20 PM | Report abuse

Another good layer of protection I've used for years is a blocking hosts file. Not only does it block ads (like those of doubleclick) and web beacons to protect your privacy , but also a lot of malicious websites. The file is updated monthly, so be sure to either subscribe to the notification or visit the site often to check for updates.

On a few occasions it has no doubt saved me from further trouble by stopping malware from even getting to my system. A limited user account (and hopefully Antivirus) also helps should something get through, but I'd rather stop the malware from even getting to my system to begin with and the hosts file can help with that.

You can also add your own entries to the file if you wish.

Posted by: TJ | July 29, 2008 8:36 PM | Report abuse

Firefox has built in functionality to block known malicious sites.

Posted by: Firefox blocks a lot of em. | July 30, 2008 5:39 AM | Report abuse

@TJ: Hundreds of new malicious/compromised sites appear every day. Your host file will always be steps behind the actual threats.
And as this article says, 60% of the most popular internet sites are(were) compromised. Are you ready to block and

Posted by: Denis | August 4, 2008 3:50 PM | Report abuse

I think the problem is also that so many people assume there is nothing of significance on their computer or that they aren't surfing anywhere dangerous. This great article spells it out differently for all of the naive surfers and rightfully so! This is also a more basic article for new surfers to check out about malware:

Posted by: Greg | August 4, 2008 10:03 PM | Report abuse

Brian, as far as I know (and I've been using it for some time) noscript only allows the script for the address which you select. For example, I can allow, but that does not allow the content from, or

In one of its more recent updates, the guy(s?) from noscript -did- add an option to "temporarily allow all on this page" but until then you had to allow the content separately for each site.

Posted by: Stern | August 6, 2008 8:18 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company