Because many of the evildoers present themselves as businessmen from legitimate corporations, complete with corporate headquarters, business cards, and expense accounts, it's not always so easy to separate the legitimate ad sources from the bad guys, who often begin advertising a legitimate product only to switch out the link in the ad to a rogue product after the ad campaign is under way. One of the more interesting exploits involved hackers compromising a cartoon syndicate so that every newspaper republishing the affected cartoons ended up pushing malware. You can't even trust a cartoon anymore.
Another problem with hacked websites is that the computers hosting one site can often host multiple sites, sometimes numbering in the hundreds or thousands. One hacked website can quickly lead to thousands more.
No matter how the site was hacked, the innocent user, who might have visited this particular website for years without a problem, one day gets prompted to install an unexpected program. Although they're surprised, the fact that the prompt is coming from a website they know and trust is enough to get them to run the program. After that, it's game over. The end-user's computer (or mobile device) is yet another cog in someone's big botnet.
Nation-state cyber warfare programs are in a class by themselves and aren't something most IT security pros come up against in their daily routines. These covert operations create complex, professional cyber warfare programs intent on monitoring adversaries or taking out an adversary's functionality, but as Stuxnet and Duqu show, the fallout of these methods can have consequences for more than just the intended targets.
Crime and no punishment
Some victims never recover from exploitation. Their credit record is forever scarred by a hacker's fraudulent transaction; the malware uses the victim's address book list to forward itself to friends and family members; victims of intellectual property theft spend tens of millions of dollars in repair and prevention.
The worst part is that almost none of those who carry out the malicious attacks described above are successfully prosecuted. The professional criminals on the Internet are living large because the Internet isn't good at producing court-actionable evidence. It's anonymous by default, and tracks are lost and covered up in milliseconds. Right now we live in the "wild, wild West" days of the Internet. As it matures, the criminal safe havens will dry up. Until then, IT security pros have their work cut out for them.
This story, "IT's 9 biggest security threats," was originally published at InfoWorld.com.