3 ways websites get pwned — and threaten you

Jul 26, 2016 | 4 mins
Data and Information Security | Hacking | Mobile Security

Hackers are maliciously manipulating both sides of the web experience, but a little due diligence goes a long way to thwart them


Some days when I’m wasting time on the internet, it seems like I can’t visit three websites in a row without hitting a fake “you’re infected” scam or bogus browser extension ad. Most of the time these malicious offerings launch on otherwise legitimate websites — or secretly direct your browser to illegitimate websites.

For almost a decade now, a greater number of legitimate websites than malicious ones have been launching malware. The question is how a legitimate website gets compromised in the first place.

The answer: in a number of ways — including nearly every method a PC or mobile device can be compromised, plus a few more.

1. Exploits everywhere

Like personal computers, most websites are exploited by malware due to unpatched, buggy software. On any given day literally hundreds of thousands — perhaps millions — of web servers run software that should have been patched.

Today’s attackers use automated exploit kits that seek out vulnerable websites and look for one or more vulnerabilities. When an exploitable website is found, the kit installs itself and “dials home” to inform its owner.

The website is then modified in such a way that visitors are either silently exploited (thanks to unpatched software on their own computers) or offered a program containing a Trojan they’re told they need. The exploit kit may include anywhere from a handful to dozens of client-side exploits that are run against unsuspecting victims (check out this great summary of popular exploit kits).
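A practical counter to the step just described, where the kit installs itself and then alters the site's pages, is file-integrity monitoring of the web root. The Python script below is an added example and is not code from the original column: it hashes every file under a web root into a baseline manifest and later reports files that were added, removed or changed. The sample web root, the placeholder script host and the dropped file name are constructed for the demo, not taken from any real kit.

```python
"""Web-root integrity baseline: spot files an intruder added or modified."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: str) -> dict:
    """Map every file under web_root (relative POSIX path) to its SHA-256."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, manifest_path: str) -> None:
    """Persist the baseline as JSON (keep this file off the web server)."""
    Path(manifest_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest_path: str) -> dict:
    """Read a previously saved baseline manifest."""
    return json.loads(Path(manifest_path).read_text())


def compare_to_baseline(web_root: str, baseline: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    current = build_baseline(web_root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name, digest in current.items()
            if name in baseline and baseline[name] != digest
        ),
    }


def demo() -> dict:
    """Constructed scenario: tiny web root, baseline, then a simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")

        baseline = build_baseline(tmp)

        # Simulated compromise (constructed for the demo): the landing page gains an
        # extra script tag pointing at a placeholder host, and a new file appears.
        (root / "index.php").write_text(
            "<?php echo 'welcome'; ?>\n"
            "<script src=\"//placeholder.invalid/k.js\"></script>\n"
        )
        (root / "cache.php").write_text("<?php /* dropped file */ ?>\n")

        return compare_to_baseline(tmp, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest and run the comparison from a host the web server cannot write to; an attacker with write access to the web root could otherwise refresh the baseline as well. Rebuild the baseline after every legitimate deploy, and treat a diff that lines up with no deploy as the trigger to patch and start incident response.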

There’s even a secondary exploit market. Often, criminals who buy exploit kits will compromise websites, but rather than harvesting sensitive information themselves, they’ll sell access to exploited websites and users’ computers. These operations offer what is affectionately known as “exploit as a service.”

Anyone, including absolute novices, can rent or buy exploit kits or botnets. All it takes is a willingness to risk criminal prosecution, and that risk is fairly low, especially when the crime crosses international borders. Exploit kits are routinely updated and are rated by users so that other users can judge their exploit efficiency.

Unpatched software is the top cause, but ad networks offer an increasingly popular attack vector. Commercial websites allow ad networks to rotate banner ads in their available free space. Hackers like to compromise ad networks because they can quickly distribute malicious scripting code across the internet and hit many websites at once.

2. Fake malware

I’m slightly relieved that a lot of malware is fake: it’s scareware and adware. Not all of it is ransomware. If you have real, triggered malware on your system, I hope you have a good, unaffected backup.

Luckily, a lot of the stuff I’ve seen at companies is fake antivirus detection screens or fake ransomware. Sometimes, a user’s browser is drafted to enrich a malicious affiliate marketing scheme.

Fake antivirus detection warnings have been around for a long time, but now some malware writers are trying to ride the coattails of real ransomware writers. How dumb do you have to be to resort to fake ransomware? Also, how often does it work? I’ve had several computer-clueless friends call me with fake ransomware scare screens, and even they didn’t pay up. But some people will believe anything.

3. Malicious browser extensions

With the Windows 10 Anniversary Update giving Microsoft Edge the ability to extend browser functionality, all the major browsers now support browser extensions. I’ve seen a rash of malicious browser extensions, although most tend to be for non-Microsoft browsers.

Malicious browser extensions often seem legitimate. They appear to originate from vendor websites and come with glowing customer reviews. PerimeterX recently released a detailed look at one type of malicious browser extension, which redirects the user’s browser to send fake clicks to websites that have paid someone to drive traffic as part of “affiliated marketing” programs. Normally the user doesn’t know it’s happening, aside from the browser slowing down a bit.

Malicious affiliate marketing programs have been around for nearly as long as the internet. You would think the biggest websites would catch on, but PerimeterX said that 71 of the websites caught up in the fake affiliate program are among the world’s largest.

Big websites fall prey to such schemes because they hire marketing teams, which in turn hire web marketing teams, which outsource the requested traffic. Along the trust chain, someone ends up doing business (usually unintentionally) with a malicious hacker. The website ends up paying for traffic that never really accrued, and users accidentally participate in bogus ad schemes that slow down their computing experience.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
