Security Response

ISTR XIV: Large-Scale Web-Based Attacks

Created: 14 Apr 2009 12:58:18 GMT • Updated: 23 Jan 2014 18:36:00 GMT
M.K. Low

The prevalence of Web-based applications and the ease with which these applications can be exploited using vulnerabilities have contributed to the widespread nature of Web-based attacks. Attackers can successfully reach and compromise a massive number of targets, and this remains the motivation behind Web-based attacks. Attackers who wish to take advantage of client-side vulnerabilities no longer need to actively compromise or break into specific networks to gain access to those computers. Instead, by attacking websites, attackers can use them as a means to mount client-side attacks.

An attacker can exploit any number of Web application vulnerabilities, such as SQL injection vulnerabilities, to help mount their Web-based attack. Surprisingly, many of these vulnerabilities are not used to directly compromise enterprise data assets or gain access to sensitive information. They are used simply as a way of injecting malicious content into websites as a means of launching attacks against Web users. As detailed in Volume XIV of the Symantec Internet Security Threat Report, 63 percent of identified vulnerabilities in 2008 affected Web applications, which is an increase of 26 percent from the previous year.

Web-based attacks can be very efficient, especially on a large scale, because they allow attackers to reach a large number of targets that can be compromised. This is especially true of the profusion of dynamic sites that use Web-based applications (such as forums, photo-sharing galleries, blogging applications, and online shopping baskets), because these high-traffic sites can be exploited and used to launch Web-based attacks. In May 2008, more than half a million websites were compromised with malware that was hosted in both the United States and Russia. Web forums hosted by PHP-based bulletin board applications were exploited to inject malicious JavaScript into forum content, which would then infect visitors with variants of the Zlob Trojan disguised as a video codec installer.

Users may inherently trust legitimate websites, and attackers take advantage of this. Hence, a compromised website with a high volume of traffic can net an attacker a large number of potential victims. These large, popular websites with trusted reputations may also be more difficult to block using security tools without disrupting the legitimate traffic of those sites.

In addition, the large scale of these attacks may indicate that attacks are becoming less targeted towards specific organizations and are moving more towards obtaining sensitive information from the general population of Web users. Attackers are also using automated tools such as Neosploit to exploit client-side vulnerabilities on a massive scale. Such toolkits are widely available and prepackaged so that people with minimal technical knowledge are able to use them effectively. Once a computer is compromised, the attacker can then gain access to any connected networks and steal private information and/or system resources.

Web-based attacks are a major threat to computer networks for both enterprises and consumers. The covertness of these types of attacks makes them very difficult to mitigate, since most users are unaware that they are being attacked. Organizations are confronted with the complicated task of detecting attack traffic and filtering it from legitimate traffic. Since many organizations are reliant on Web-based tools and applications to conduct business, it is likely that the Web will continue to be the primary conduit for attack activity.

For more information about the threat landscape, please see Volume XIV of the Symantec Internet Security Threat Report.

Message Edited by Trevor Mack on 04-14-2009 06:00 AM