Hackers are increasingly using corporate websites to distribute malware and steal company information, security researchers surveyed by the Sans Institute have warned.
The US educational body's list of the 10 most dangerous cyber threats reveals growing technical expertise and professionalism among hackers acting for financially or politically motivated paymasters.
IT bosses need to respond by setting up cyber defences in depth, limiting access to information on a need-to-know basis, and educating users, said Timothy Mullen, vice-president of consulting services at UK-based NGS Software.
Alan Paller, research director at the Sans Institute, said attackers were targeting popular, trusted websites where users have an expectation of effective security.
Criminals are using insecure websites to infect the browsers of visitors with viruses, Trojans and keyloggers. These malicious programs use browser components such as Flash and QuickTime, which are seldom patched automatically, to install themselves in the browser.
"One of the latest such modules, mpack, claims a 10% to 25% success rate in exploiting browsers that visit sites it has infected. Such tools give attackers a huge advantage over the unwary public," Paller said.
As companies have improved their defences, so criminals are turning to new avenues of attack.
Security specialists have even reported malware in digital devices shrink-wrapped at the factory. These include disc drives, USB data sticks, global positioning systems and digital photo frames, said former White House security adviser and survey contributor Howard Schmidt.
Schmidt said manufacturers and suppliers of digital devices with memory might have to reassess how they treat security. "Security is now one of the top five things designers and manufacturers must address," he said.
Schmidt cited the Federal Aviation Authority's requirement last week that Boeing redesign its onboard data networks to prevent hackers accessing the avionics in its new Dreamliner aircraft. "I'll bet as soon as the story broke there wasn't one CEO not on the phone asking, 'Do we have this problem and how do we fix it?'" Schmidt said.
Sans Institute Top 10 Cyber Threats for 2008
1. Increasingly sophisticated website attacks that exploit browser vulnerabilities
2. Increasing sophistication and effectiveness in botnets
3. Cyber espionage efforts by well-resourced organisations to extract large amounts of data for economic and political purposes
4. Mobile phone threats, especially against iPhones, Google's Android phones, and voice over IP systems
5. Insider attacks
6. Advanced identity theft from persistent bots
7. Increasingly malicious spyware
8. Web application security exploits
9. Increasingly sophisticated social engineering to provoke insecure behaviour
10. Supply chain attacks that infect consumer devices