Reasons trustworthy sites can no longer be trusted

Last year, malware became increasingly more common on popular and trusted domains, according to research released this week by security firm Blue Coat Systems. Migration to popular hacked sites with trusted reputations and acceptable-use category ratings was the primary theme for hosting malware delivery infrastructure, researchers claim.

Cybercriminals are hacking trusted sites using stolen access credentials in order to launch attacks that are out in the open, but also veiled from reputation filters and commonly blocked web categories. Here are three reasons researchers say you need to be wary -- even on sites you count as safe:

Cybercriminals are patient and willing to put in the work

Patience delivers payoffs, according to Blue Coat researchers, who note criminals will often wait months to establish legitimate web site infrastructure that will get past reputation-based software filtering. The most common example of this type of exploitation is malvertising (malware advertising) attacks.

"For example, a relatively new ad domain that had existed for approximately six months had been checked several times for malware with clean ratings when it picked a day in early November to selectively target and deliver its cloaked malware payload," the report states. "The next day it was gone."

See also:9 dirty tricks: Social engineer's favorite pick-up lines

In other words, the cybercriminal will wait months and allow their intended malicious site to develop a clean reputation within ad networks. It will allow the site to accept categorizations and pass multiple sweeps for malware in order to seem innocent and gain a trusted position within Web advertising. Once that is accomplished, the site will launch an attack during a particularly vulnerable time, such as the weekend when IT support staff is low, the report said.

Roughly 75 per cent of phishing attacks now reside on trusted domains that have been hacked

Cybercriminals use search engines to find domains that use vulnerable-hosting software. These domains are prime hacking candidates, according to the research. Phishing attacks are more common to reputed websites now because criminals know users often have the same credentials for several accounts, including bank accounts and social networking accounts. Chances are if a thief gets a hold of your Facebook log in or banking password, they will be able to use it in other lucrative places.

See also: Social Media Risks: The Basics

"Most people associate phishing with SPAM and email attacks; however, social networking has opened a new door for social engineering web-based phishing attacks," the report states. "While classical phishing still exists, cyber crime has moved to social networking attacks to enter the picture as a trusted link between friends, either to deliver malware or to phish for confidential and financial information."

The report also notes criminals are poisoning search results and using search engine optimization (SEO) and link-farming techniques to deliver malware.

"These efforts have shifted from free domains to hacked sites with reputable domains in an effort to be better hidden from defenses," the report said.

Criminals are increasingly targeting the most popular web destinations

Historically, malware has been hidden on sites that would traditionally be blocked by any good filtering software. But the Blue Coat research finds online storage sites, which include photo-sharing sites like Flickr, and open/mixed content sites, such istockphoto and YouTube, saw the fastest growth in malware activity in 2010.

"The number of new online storage sites hosting malware increased 13 per cent while the number of new open/mixed content sites hosting malware increased 29 per cent. Both of these categories typically fall within acceptable use policies for most companies," the report claims.

The report cites an example of a phishing attack on AOL, which hosts with tens of millions of users. The phish established with animation what appeared to be three-step secure Web login sending personal information to the AOL billing center. Once there, the user was presented with an elaborate Web page that collects personal, credit card, banking and login credential information with a warning that AOL would never send an email to collect this information.

The report also cites research from Kaspersky Lab which lists its top 10 places to watch out for phishing predators. The list includes some of the world's most popular web sites, including Paypal, Ebay, HSBC, Facebook, Google, IRS, RAPIDSHARE, Bank of America, UBI (United Bank of India), and Bradesco (one of the four leading banks in Brazil).

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about AOLBlue Coat SystemsFacebookGoogleHSBCIRSIRSKasperskyKasperskyPAM

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joan Goodchild

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place