Web threats can be divided into two primary categories, based on delivery method: push and pull.

Push-based threats use spam, phishing, or other fraudulent means to lure a user to a malicious (often spoofed) Web site, which then collects information and/or injects malware. Push attacks use phishing, DNS poisoning (or pharming), and other means to appear to originate from a trusted source. Their creators have researched their target well enough to spoof corporate logos, official Web site copy, and other convincing evidence to increase the appearance of authenticity. Precisely targeted push-based threats are often called “spear phishing” to reflect the focus of their data-gathering (“phishing”) attack. Spear phishing typically targets specific individuals and groups for financial gain.

In November 2006, a medical center fell victim to a spear phishing attack. Employees of the medical center received an email telling them they had been laid off. The email also contained a link that claimed to take the recipient to a career counseling site. Recipients who followed the link were infected by a keylogging Trojan.

In other push-based threats, malware authors use social engineering, such as enticing email subject lines that reference holidays, popular personalities, sports, pornography, world events, and other popular topics, to persuade recipients to open the email and follow links to malicious sites or open attachments carrying malware that accesses the Web.

Pull-based threats are often referred to as “drive-by” threats, since they can affect any visitor, regardless of precautions. Pull threat developers infect legitimate Web sites, which unknowingly transmit malware to visitors or alter search results to take users to malicious sites. Upon loading the page, the user’s browser passively runs a malware downloader in a hidden HTML frame (IFRAME) without any user interaction.
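Both delivery methods described above leave traces in page markup that a defender can check for: a drive-by page carries an IFRAME sized to zero or hidden with CSS, and a phishing lure shows one host name as link text while the href points somewhere else. The following Python script is an added example, not code from the original paper or from any product it describes. It assumes a constructed sample page with hypothetical hosts (news.example, ads.example, malicious.example, attacker.example, bank.example); the function and class names (scan_page, SuspiciousMarkupScanner) are the example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that hide an element while leaving it in the page.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")
# A bare host name or URL that a lure might show as visible link text.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixels, the classic hidden-frame size."""
    text = str(value).strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    try:
        return int(text) <= 1
    except ValueError:
        return False


def _same_site(host_a, host_b):
    """Treat a host and its subdomains as the same site."""
    host_a, host_b = host_a.lower(), host_b.lower()
    return host_a == host_b or host_a.endswith("." + host_b) or host_b.endswith("." + host_a)


class SuspiciousMarkupScanner(HTMLParser):
    """Collect hidden IFRAMEs and links whose visible host disagrees with their target."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_iframes = []
        self.mismatched_links = []
        self._open_link = None  # (href, [text chunks]) while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or "") for name, value in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            zero_sized = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
            styled_hidden = any(marker in style for marker in HIDDEN_STYLE_MARKERS)
            if zero_sized or styled_hidden:
                src = a.get("src", "")
                src_host = urlparse(src).hostname or self.page_host
                self.hidden_iframes.append({
                    "src": src,
                    "reason": "zero-sized" if zero_sized else "css-hidden",
                    "cross_site": not _same_site(src_host, self.page_host),
                })
        elif tag == "a":
            self._open_link = (a.get("href", ""), [])

    def handle_data(self, data):
        if self._open_link is not None:
            self._open_link[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_link is not None:
            href, chunks = self._open_link
            self._open_link = None
            shown = HOST_IN_TEXT.match("".join(chunks).strip())
            target_host = urlparse(href).hostname
            # Only flag when the text itself names a host that disagrees with the target.
            if shown and target_host and not _same_site(shown.group(1), target_host):
                self.mismatched_links.append({"text_host": shown.group(1), "href": href})


def scan_page(html, page_host):
    """Run the scanner over one page and return both indicator lists."""
    scanner = SuspiciousMarkupScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return {"hidden_iframes": scanner.hidden_iframes,
            "mismatched_links": scanner.mismatched_links}


# Constructed sample page; all hosts are hypothetical placeholders.
SAMPLE_PAGE_HOST = "news.example"
SAMPLE_HTML = """
<html><body>
<h1>Local news</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://malicious.example/loader" width="0" height="0"></iframe>
<iframe src="http://malicious.example/loader2" style="display: none"></iframe>
<p>Visit <a href="http://attacker.example/login">www.bank.example</a> to verify your account.</p>
<p><a href="http://news.example/about">About us</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML, SAMPLE_PAGE_HOST)
    for frame in report["hidden_iframes"]:
        print("hidden iframe:", frame)
    for link in report["mismatched_links"]:
        print("mismatched link:", link)
```

On the sample page the visible 300x250 ad frame passes, the two hidden frames are reported as cross-site, and the link that displays www.bank.example but targets attacker.example is reported; a plain "About us" link is ignored because its text names no host. The same check can be run over a proxy's cached pages or over rendered HTML mail to surface both delivery styles before a user's browser acts on them.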
Both push- and pull-based Web threat variants target infection at a regional or local level (for example, via local-language sites aimed at particular demographics), rather than using the mass infection technique of many earlier malware approaches. These threats typically take advantage of port 80, which is almost always open to permit access to the information, communication, and productivity that the Web affords to employees.

Case Study: “The Italian Job”

On June 15, 2007, a cyber criminal compromised nearly 6,000 Italian Web sites using three Trojans (software applications that claim to do one thing, but actually contain malicious code) that identified, stole, and uploaded personal information to a criminal network. The attack, which became known as “The Italian Job,” affected roughly 15,000 users over six days. While the damage caused by identity theft and fraud could easily reach millions of dollars, the cyber criminal who created the initial downloader used a malware kit (MPack v.86) that cost roughly $700 (USD).