StopBadware: Trusted Web sites are being hacked and don't even know it

It's getting harder and harder to know who to trust on the World Wide Web, according to online safety advocates StopBadware.org.

On Tuesday, the group released its 2007 Trends in Badware report, saying the bad guys are finding new ways to place their malicious software on our computers -- often by compromising Web sites that we trust.

With the help of one of its sponsor companies, Google, StopBadware maintains a list of 200,000 Web sites that are known to be associated with malicious downloads. According to Max Weinstein, a project manager with StopBadware, more than half of these sites have been hacked and don't even realize it.

In fact, this move to delivering malicious software on legitimate sites has been a disturbing trend over the past year, he said.

"It used to be that the advice to the end-user was 'keep your software up to date and then don't go to bad Web sites,'" he said. "You still don't want to go to those sites, but what we seen now is that you can be on a very legitimate site and have a problem."

Web surfers know that visiting gambling or pornographic sites could harm their computers, but lately attack code can be downloaded from almost anywhere.

In January, for example, the Web sites of Dolphin Stadium and the Miami Dolphins, hosts to the 2007 Super Bowl U.S. football championship, were found to have been hacked and were serving up malicious software, just days before the Super Bowl.

And the bad guys are even sneakier than you might imagine. In June and July, Web sites that had been linked on the popular Boing Boing blog were compromised, a tactic called "linkjacking."

Weinstein says criminals don't necessarily have to hack a site to have it serve up malicious software. Part of the problem is in the Web 2.0 world, where sites are built up of many different components pulled from different parts of the Web, it's becoming easier to sneak badware onto a legitimate site.

StopBadware has seen this happening with Web advertising networks, which can easily be subverted by attackers to serve up maliciously encoded scripts and images, he said. "What we're seeing is a lot of cases where a legitimate Web site has an ad network, and that ad network itself, or sometimes even a subcontractor of that ad network, contains an ad that is providing badware.

"It's certainly something we are seeing in increasing numbers, probably in the past several months," Weinstein said.