Web threat delivery mechanisms

Web threats can be divided into two primary categories, based on delivery method: push and pull. Push-based
threats use spam, phishing, or other fraudulent means to lure a user to a malicious (often spoofed)
Web site, which then collects information and/or injects malware. Push attacks rely on phishing, DNS
poisoning (pharming), and similar techniques to appear to originate from a trusted source. Their creators
have researched their targets well enough to reproduce corporate logos, official Web site copy, and other
convincing details that increase the appearance of authenticity.

Precisely targeted push-based threats are often called “spear phishing” to reflect the narrow focus of the
data-gathering (“phishing”) attack. Spear phishing typically targets specific individuals and groups for financial
gain. In November 2006, a medical center fell victim to a spear phishing attack. Employees of the medical
center received an email telling them they had been laid off. The email also contained a link that claimed
to take the recipient to a career counseling site. Recipients who followed the link were infected by a
keylogging Trojan.

In other push-based threats, malware authors use social engineering such as enticing email subject lines
that reference holidays, popular personalities, sports, pornography, world events, and other popular topics
to persuade recipients to open the email and follow links to malicious sites or open attachments with
malware that accesses the Web.

Pull-based threats are often referred to as “drive-by” threats, since they can affect any visitor who merely
loads the page, with no further action on the visitor's part. Pull threat developers infect legitimate Web sites,
which unknowingly serve malware to visitors, or alter search results to steer users to malicious sites. Upon
loading the page, the user’s browser silently loads a hidden HTML frame (IFRAME) that pulls in exploit code
and a malware downloader without any user interaction; the visible page looks unchanged.
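The two lure shapes described above (a push-style link whose visible text names a trusted host while its target points elsewhere, and a pull-style hidden off-site IFRAME injected into a legitimate page) can both be picked out of HTML with one static scanner. The following is an added example, not code from the original article or from any vendor it describes; it uses only the Python standard library. The HTML it runs over is a constructed sample with placeholder hostnames, and the scanner assumes it is told the host the page legitimately belongs to (`page_host`) so that same-origin hidden frames are not reported.

```python
"""Static scanner for phishing link mismatches and hidden off-site IFRAMEs.

Added example for illustration; not from the original article. Stdlib only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder hosts): a spoofed "career counseling" lure
# plus an injected zero-size IFRAME, as in the two attack patterns above.
# The page is assumed to belong to hr.example-medical.org.
SAMPLE_HTML = """
<html><body>
<p>Your position has been eliminated. Visit
<a href="http://career-help.example.net/go">http://hr.example-medical.org/careers</a>
for counseling.</p>
<a href="http://hr.example-medical.org/benefits">http://hr.example-medical.org/benefits</a>
<iframe src="http://bad.example.org/in.cgi" width="0" height="0"></iframe>
<iframe src="/video/player" style="display:none"></iframe>
<iframe src="http://video.example.com/embed" width="640" height="360"></iframe>
</body></html>
"""

# Pulls a hostname out of link text such as "http://host/path" or "host/path".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _hidden(attrs):
    """True if the IFRAME attributes make the frame effectively invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):           # 0x0 / 1x1 pixel frames
        v = (attrs.get(dim) or "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    m = re.search(r"(?:width|height):(\d+)px", style)
    if m and int(m.group(1)) <= 1:
        return True
    # Frames positioned far off-screen are hidden just as effectively.
    return re.search(r"(?:left|top):-\d{3,}px", style) is not None


class LureScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []      # list of (kind, url) tuples
        self._href = None       # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
            self._text = []
        elif tag == "iframe":
            src = a.get("src") or ""
            # Relative src means same origin as the page itself.
            host = (urlparse(src).hostname or self.page_host).lower()
            if _hidden(a) and host != self.page_host:
                self.findings.append(("hidden_iframe", src))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown = HOST_RE.search(text)
            actual = (urlparse(self._href).hostname or "").lower()
            # Visible text names one host, the link actually goes to another.
            if shown and actual and shown.group(1).lower() != actual:
                self.findings.append(("link_mismatch", self._href))
            self._href = None


def scan(html, page_host):
    """Return the suspicious elements found in html for a page on page_host."""
    s = LureScanner(page_host)
    s.feed(html)
    return s.findings


if __name__ == "__main__":
    for kind, url in scan(SAMPLE_HTML, "hr.example-medical.org"):
        print(f"{kind}: {url}")
```

On the sample this reports the `career-help.example.net` link (its visible text claims the medical center's own host) and the zero-size frame pointing at `bad.example.org`, while the same-origin hidden player frame and the visible video embed pass. A production scanner would also resolve redirects and compare registrable domains rather than exact hostnames, since lure links rarely point straight at the final payload.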

Both push- and pull-based Web threat variants target infection at a regional or local level (for example, via
local-language sites aimed at particular demographics), rather than using the mass-infection technique of
many earlier malware approaches. These threats typically travel over TCP port 80 (HTTP), which is
almost always open on perimeter firewalls to permit the information, communication, and productivity
that the Web affords to employees; port-based filtering alone therefore does not stop them.

Case Study: “The Italian Job”

On June 15, 2007, a cyber criminal compromised nearly 6,000 Italian Web sites using
three Trojans (software applications that claim to do one thing, but actually contain
malicious code) that identified, stole, and uploaded personal information to a criminal
network. The attack, which became known as “The Italian Job,” affected roughly 15,000
users over six days. While the damage caused by identity theft and fraud could easily
reach millions of dollars, the cyber criminal who created the initial downloader used a
malware kit (MPack v.86) that cost roughly $700 (USD).
