Some days when I’m wasting time on the internet, it seems like I can’t visit three websites in a row without hitting a fake “you’re infected” scam or bogus browser extension ad. Most of the time these malicious offerings launch on otherwise legitimate websites -- or secretly direct your browser to illegitimate websites.
For almost a decade now, a greater number of legitimate websites than malicious ones have been launching malware. The question is how a legitimate website gets compromised in the first place.
The answer: in a number of ways -- including nearly every method a PC or mobile device can be compromised, plus a few more.
1. Exploits everywhere
Like personal computers, most websites are exploited by malware due to unpatched, buggy software. On any given day literally hundreds of thousands -- perhaps millions -- of web servers run software that should have been patched.
Today’s attackers use automated exploit kits that seek out vulnerable websites and look for one or more vulnerabilities. When an exploitable website is found, the kit installs itself and “dials home” to inform its owner.
The website is then modified in such a way that visitors are either silently exploited (thanks to unpatched software on their own computers) or offered a program containing a Trojan they’re told they need. The exploit kit may include a handful to dozens of client-side exploits that are run against unsuspecting victims (check out this great summary of popular exploit kits).
There’s even a secondary exploit market. Often, criminals who buy exploit kits will compromise websites, but rather than harvesting sensitive information themselves, they’ll sell access to exploited websites and users' computers. These operations offer what is affectionately known as “exploit as a service.”
Anyone, including absolute novices, can rent or buy exploit kits or botnets. All it takes is a willingness to risk criminal prosecution, which is fairly low, especially when crossing international borders. Exploit kits get routinely updated and are rated by users so that other users can judge their exploit efficiency.
Unpatched software is the top cause, but ad networks offer an increasingly popular attack vector. Commercial websites allow ad networks to rotate banner ads in their available free space. Hackers like to compromise ad networks because they can quickly distribute malicious scripting code across the internet and hit many websites at once.
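A site owner's first line of defense against the modifications described above is noticing them: a compromised page or a hijacked ad slot typically shows up as a script or iframe pulled from a host the site never agreed to load from. The following check is an added example, not code from this column; it walks a page's HTML with the standard library and flags any script or iframe source whose host is not on an allowlist. The hostnames and the sample page are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the only hosts this (hypothetical) site expects to load
# scripts or frames from are itself and one known ad network.
ALLOWED_HOSTS = {"www.example-shop.test", "ads.known-network.test"}

# Constructed sample page: two expected references, two unexpected ones
# (a third-party frame and a protocol-relative script), plus inline script.
SAMPLE_HTML = """<html><head>
<script src="https://www.example-shop.test/js/app.js"></script>
<script src="https://ads.known-network.test/rotate.js"></script>
</head><body>
<iframe src="https://cdn.unknown-party.test/frame.html" width="1" height="1"></iframe>
<script src="//static.other-host.test/t.js"></script>
<script>var inline = 1;</script>
</body></html>"""


class ExternalRefParser(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def host_of(url):
    """Return the lowercase host of a URL, or '' for same-origin (relative) paths.

    urlparse handles absolute URLs and protocol-relative ones ("//host/x");
    a path like "/js/app.js" yields an empty netloc, meaning same origin.
    """
    return urlparse(url).netloc.split(":")[0].lower()


def find_unexpected_refs(html, allowed_hosts):
    """Return (tag, host) pairs for script/iframe sources outside the allowlist."""
    parser = ExternalRefParser()
    parser.feed(html)
    unexpected = []
    for tag, url in parser.refs:
        host = host_of(url)
        if host and host not in allowed_hosts:
            unexpected.append((tag, host))
    return unexpected


if __name__ == "__main__":
    for tag, host in find_unexpected_refs(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"unexpected <{tag}> loaded from {host}")
```

Run against a snapshot of each page on a schedule (or in the deploy pipeline) and alert on any new host; a sudden appearance of an unfamiliar script or frame source is exactly the change an exploit kit or a poisoned ad slot introduces, and it is far cheaper to catch on the server than on the visitor's machine.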
2. Fake malware
I'm slightly relieved that a lot of malware is fake -- it's scareware and adware. Not all of it is ransomware. If you have real, triggered malware on your system, I hope you have a good, unaffected backup.
Luckily, a lot of the stuff I’ve seen at companies is fake antivirus detection screens or fake ransomware. Sometimes, a user’s browser is drafted to enrich a malicious affiliate marketing scheme.
Fake antivirus detection warnings have been around for a long time, but now some malware writers are trying to ride the coattails of real ransomware writers. How dumb do you have to be to resort to fake ransomware? Also, how often does it work? I’ve had several computer-clueless friends call me with fake ransomware scare screens, and even they didn’t pay up. But some people will believe anything.
3. Malicious browser extensions
With the Windows 10 Anniversary Update giving Microsoft Edge the ability to extend browser functionality, all the major browsers now support browser extensions. I’ve seen a rash of malicious browser extensions, although most tend to be for non-Microsoft browsers.
Malicious browser extensions often seem legitimate. They appear to originate from vendor websites and come with glowing customer reviews. PerimeterX recently released a detailed look at one type of malicious browser extension, which redirects the user’s browser to send fake clicks to websites that have paid someone to drive traffic as part of “affiliated marketing” programs. Normally the user doesn’t know it’s happening, aside from the browser slowing down a bit.
Malicious affiliate marketing programs have been around for nearly as long as the internet. You would think the biggest websites would catch on, but PerimeterX said that 71 of the websites caught up in the fake affiliate program are among the world’s largest.
Big websites fall prey to such schemes because they hire marketing teams, which in turn hire web marketing teams, which outsource the requested traffic. Along the trust chain, someone ends up doing business (usually unintentionally) with a malicious hacker. The website ends up paying for traffic that never really accrued, and users accidentally participate in bogus ad schemes that slow down their computing experience.