Hackers favour the website ambush

Websites have overtaken e-mail as the main way hackers infect business computers with malware designed to steal information for profit.

According to a security threat report from Sophos, the first six months of this year saw the web emerge as the biggest source of malware threats to business.

A new malicious web page is detected every five seconds, which is three times faster than the rate recorded in 2007, according to the report.

Graham Cluley, senior technology consultant at Sophos, said most companies had e-mail filtering in place, so criminals were turning to the web and waiting for victims to come to them.

Over 90% of the web pages used to spread malware are legitimate websites that have been compromised through SQL injection: attackers use the database query language to insert code of their own into the site's content.

The injected code, invisible to visitors, can then be used to steal user names and passwords from people who browse the site, or to take over their computers for sending spam or launching denial of service attacks.

Cluley said that each day hackers infected thousands of new websites, run by every sort of organisation from small businesses to government agencies, including some in the UK.

"The fact that those sorts of sites can be infected should be a warning to all businesses that they had better harden their defences on the web front," Cluley said.

According to Cluley, this means not only using web filtering to protect corporate users when they visit infected sites, but also ensuring that companies' own websites do not become infected.

"Websites that are not securely coded could pass on infections to customers, and if they realise where the infection has come from, they may not want to do business there again," Cluley said.

The report added that it could be difficult for website owners to recover once malicious instructions had been executed against their databases.

Cluley advised companies using SQL on their websites to ensure that all user inputs, such as names and passwords, were properly checked before reaching the database, to stop hackers injecting malicious code into queries.
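To make the advice concrete, the following is an added example (not code from the article or from Sophos) showing a login lookup written the unsafe way beside a hardened version that checks the input's shape and binds values as query parameters. It runs against a constructed in-memory SQLite table; the function names, the sample user record and the test input are assumptions for illustration only.

```python
"""Added example: unsafe string-built SQL beside the hardened form.
Everything here (table, user record, sample inputs) is constructed
for the demonstration and is not from the article or the report."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data. Passwords are stored in clear only to keep
    # the demo short; a real system stores a salted hash instead.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defect kept on purpose: user input is pasted into the SQL text,
    # so whoever controls the input also controls the query's structure.
    sql = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


# Allow-list for what a user name may look like (an assumption for the demo).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # 1. Reject input that does not match the expected shape at all.
    if not USERNAME_RE.fullmatch(username):
        return False
    if not 1 <= len(password) <= 128:
        return False
    # 2. Bind the values as parameters: the driver passes them to the
    #    engine as data, never as part of the SQL statement.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    # Runs both versions against a real credential and against a
    # constructed tautology input that alters the unsafe query's logic.
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "unsafe_valid": login_unsafe(conn, "alice", "s3cret"),
        "unsafe_injected": login_unsafe(conn, payload, payload),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, payload, payload),
        # Even when the name passes the allow-list, a bound password
        # value cannot change the query, so this is an ordinary failed login.
        "safe_bound_payload": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unsafe version accepts the tautology input because the concatenated text becomes a query whose WHERE clause is true for every row; the hardened version rejects it at the allow-list and, where the value does reach the database, binds it as a parameter so it is compared as a literal string. Input checking and parameter binding are complementary: the allow-list catches malformed input early and the binding guarantees that whatever gets through cannot change the statement.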

He said companies should also ensure their web applications are regularly patched and updated to stop criminals exploiting known vulnerabilities.

Although most attacks take place through infected websites, e-mail continues to present a danger, according to the Sophos report.

Cybercriminals commonly use spam to send out links to compromised websites and there has been an increase in targeted e-mail attacks known as spear phishing.

The report also details attempts by hackers to take advantage of Web 2.0 sites, attacks against users of non-Windows operating systems, and the increasing use of mobile phone spam.