It’s getting harder and harder to know who to trust on the World Wide Web, according to online safety advocates StopBadware.org.
The group released its 2007 Trends in Badware report, saying the bad guys are finding new ways to place their malicious software on our computers, often by compromising Web sites that we trust.
With the help of one of its sponsor companies, Google Inc., StopBadware maintains a list of 200,000 Web sites that are known to be associated with malicious downloads.
According to Max Weinstein, a project manager with StopBadware, more than half of these sites have been hacked and don’t even realize it.
In fact, this move to delivering malicious software on legitimate sites has been a disturbing trend over the past year, he said.
“It used to be that the advice to the end-user was ‘keep your software up to date and then don’t go to bad Web sites,’” he said. “You still don’t want to go to those sites, but what we seen now is that you can be on a very legitimate site and have a problem.”
Web surfers know that visiting gambling or pornographic sites could harm their computers, but lately attack code can be downloaded from almost anywhere.
In January, for example, the Web sites of Dolphin Stadium and the Miami Dolphins, hosts to the 2007 Super Bowl, were found to have been hacked and were serving up malicious software, just days before the Super Bowl.
And the bad guys are even sneakier than you might imagine. In June and July, Web sites that had been linked on the popular Boing Boing blog were compromised, a tactic called “linkjacking.”
Weinstein says criminals don’t necessarily have to hack a site to have it serve up malicious software. Part of the problem is in the Web 2.0 world, where sites are built up of many different components pulled from different parts of the Web, it’s becoming easier to sneak badware onto a legitimate site.
StopBadware has seen this happening with Web advertising networks, which can easily be subverted by attackers to serve up maliciously encoded scripts and images, he said. “What we’re seeing is a lot of cases where a legitimate Web site has an ad network, and that ad network itself, or sometimes even a subcontractor of that ad network, contains an ad that is providing badware.”
“It’s certainly something we are seeing in increasing numbers, probably in the past several months,” Weinstein said.
eBay Inc. is looking into ways of curbing a similar problem. The online auction giant allows users to put their own images and HTML code on its site, but sometimes this leads to “bad code,” said eBay Chief Information and Security Officer Dave Cullinane, speaking at an online security symposium at Santa Clara University. The company is looking at including security ratings for users as part of its reputation system to help prevent novice users from accidentally putting malicious or unwanted code on the site. “One of the things we are looking at bundling in is your level of security. As a user goes up, we’ll allow you to do more things.”
Under the proposed system, eBay power sellers with good security ratings would be given more free rein on the types of features they could add to their stores, Cullinane said. Another growing source of concern is social networking. Users should also be wary of fake accounts set up on legitimate social networking sites, which are often designed with one thing in mind: to lure unsuspecting users to malicious Web sites, Weinstein said.
So with all this badware, is the Internet a more dangerous place to be?
It’s a tough question, Weinstein says, but he believes things are getting better, largely because people are getting smarter about what they do online. “I think the bad guys are always trying to stay a step ahead of the average users,” he said. However, “people are learning, and I think that is having an effect.”
“I’d like to think that our effort, and other efforts like ours, are actually making a substantial difference.”