Today's Web is vastly different from yesteryear's Web and today's malware is vastly different from yesteryear's virus. No longer a form of digital graffiti, modern day malware is all about money. Your money, that is. This change in intent has also led to a corresponding change in tactics. Modern day malware is made to hide. Social engineering scams are increasingly sophisticated. Man-in-the-middle attacks can forcibly redirect you to hostile websites.
The Web has also changed. No longer a static one-sided delivery method, today's websites host and push content from a variety of sources. And the notion of surfing to only "known good sites" no longer applies. Today's dynamic Web technologies lend themselves to mass compromise of perfectly legitimate websites, outfitted with malicious scripts that turn the "known good site" into a virtual conveyor belt of malware.
The same technologies that foster Web developments also enable attackers to work smarter and faster. An attacker can use virtual hosting providers that redirect (and mask) a site's true origin. Automated tools leverage search engines to ferret out sites vulnerable to compromise. Other automated tools allow attackers to continually churn out repackaged malware designed to thwart signature-based antivirus. And in the darkest recesses of the Internet, the attackers use blogs, forums, and chat to barter malware and exploit frameworks.
And all of this is designed for profit - tricking you into laundering money, stealing your credit card details, siphoning your bank accounts, and even outright identity theft. Don't look to your bank to protect you either - if you don't directly foot the bill for the stolen funds, you'll indirectly pay for it with higher fees and higher prices sometime down the road.
The threat of compromised websites
A Web page isn't just static content from one source. It supports multiple types of active content, including from third-parties. Google Adsense is a good example of that (as is any other third-party advertising included on a site). The same programming techniques used to load third party advertising can be used to load any third party content, including malicious content if so desired. And attackers use that to their advantage.
In other words, when you visit one website, you are in reality pulling content from several different sites and servers. In the past, the biggest web risk was that third party content might be booby-trapped. For example, a rogue advertiser might insert a malicious banner ad into the advertising network, which then was pulled by all participating websites.
Today, the risk has shifted dramatically. Attackers are directly compromising websites and outfitting them with malicious external calls to hostile content.
SQL Injection Attacks
One of the most common forms of Web site compromise are via SQL injection compromise. SQL is short for Standard Query Language, a scripting language used to manage databases. Many/most websites use some sort of database backend. This can be for everything from creating all or most of the site pages to storing information and generating search results pages. SQL injection attacks are malformed SQL queries that instruct the database to take some sort of unintended action beyond just returning requested data. In other words, a SQL injection attack tricks the database into responding to the query as if it were a command to take some specific action, versus just returning some type of information.
A database that is vulnerable to SQL injection can be compromised in a number of ways. Of most concern from an Internet safety standpoint are SQL injection attacks that embed malicious hidden iframes and malicious external references within the source code of the compromised Web pages.
When a Web surfer encounters one of these compromised pages, these hostile third-party references call up exploit code and malware from the attacker-owned sites. This action is invisible to the Web surfer - only a thorough examination of the website source code provides the tell-tale signs of the compromise; the page displayed by the browser looks perfectly normal.
Beginning in late October 2007, a series of SQL injection attacks began which continue to compromise millions of Web pages (past compromises include Ikea and WalMart). And because the malware is being delivered from reputable (but compromised) websites, the old advice to only surf to known reputable sites no longer helps. Worse, the malware foisted by the compromised sites typically consists of password stealers and backdoors. These password stealers and backdoors can be used to steal credit card information, bank account login credentials, and other sensitive financial or personal information.
When encountering one of these compromised sites, chances are you won't notice anything awry. The malware launches silently and once on the system it often uses rootkit technology to hide itself.
Staying Safe Online
Internet safety isn't about avoiding the unknown or untrusted. Today, Internet safety also includes guarding against threats coming from even the most staid, legitimate, and otherwise honorable websites. Or in the words of the X-Files, 'trust no one'.
To avoid being victimized by a compromised website, either use the NoScript addon for Firefox, or disable active scripting in Internet Explorer and Opera. For further details, see Web Browser Security. In addition, follow these computer safety tips to lessen your susceptibility should exposure occur.