Websites have overtaken e-mail as the main way hackers infect
business computers with malware designed to steal information for profit.
According to a
security threat report from Sophos, the first six months of
this year saw the web emerge as the biggest source of malware
threats to business.
A new malicious web page is detected every five seconds, which
is three times faster than the rate recorded in 2007, according to
the report.
Graham Cluley, senior technology consultant at Sophos, said most
companies had e-mail filtering in place, so criminals were turning
to the web and waiting for victims to come to them.
Over 90% of the web pages used to spread malware are legitimate
websites infected by injected code based on the SQL database query language.
The invisible code can then be used to steal user names and
passwords from visitors to the site or take over their computers
for sending spam or launching denial of service attacks.
Cluley said that each day hackers infected thousands of new
websites, run by every sort of organisation from small businesses
to government agencies, including some in the UK.
"The fact that those sorts of sites can be infected should be a
warning to all businesses that they had better harden their defences
on the web front," Cluley said.
According to Cluley, this means not only using web filtering to
protect corporate users when they visit infected sites, but also
ensuring that companies' own websites do not become infected.
"Websites that are not securely coded could pass on infections
to customers, and if they realise where the infection has come
from, they may not want to do business there again," Cluley
said.
The report added that it could be difficult for website owners to
recover once malicious instructions had been executed against their
databases.
Cluley advised companies using SQL on their websites to ensure
that all user inputs such as names and passwords were properly
checked to stop hackers injecting malicious code.
He said companies should also ensure their web applications are
regularly patched and updated to stop criminals exploiting known
vulnerabilities.
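The input-checking advice above, shown as an added example that is not from the Sophos report or the article: a lookup that pastes the submitted name into the query text beside one that passes it as a bound parameter. The table, rows and the sqlite3 in-memory database are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for a website's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "h1"), ("O'Brien", "h2")])


def lookup_unsafe(name):
    """Vulnerable pattern: the submitted name becomes part of the SQL text,
    so any quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        # The apostrophe in O'Brien ended the string literal early; the
        # same mechanism lets attacker-supplied text rewrite the query.
        return ("error", str(err))
    return ("ok", row[0] if row else None)


def lookup_safe(name):
    """Hardened pattern: validate the input, then bind it as a parameter so
    the database driver always treats it as data, never as SQL."""
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        return ("rejected", None)
    if not name.isprintable():
        return ("rejected", None)
    row = conn.execute("SELECT name FROM users WHERE name = ?",
                       (name,)).fetchone()
    return ("ok", row[0] if row else None)
```

The parameterized lookup finds O'Brien correctly and treats a crafted value as an ordinary (non-matching) string, while the concatenated version fails as soon as the input contains a quote.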
Although most attacks take place through infected websites,
e-mail continues to present a danger, according to the Sophos
report.
Cybercriminals commonly use spam to send out links to
compromised websites, and there has been an increase in targeted
e-mail attacks known as spear phishing.
The report also details attempts by hackers to take advantage of
Web 2.0 sites, attacks against users of non-Windows operating
systems, and the increasing use of mobile phone spam.