10 Web-Based Attacks Targeting Your End Users

Cyber criminals often go after your enterprise data by preying on your end users. Here are ten of the most current exploits to watch for

8. Mobile Application Threats

As mobility extends the reach of third-party apps to users' smartphones and tablets, it also increases the risk that these Web-enabled applications will compromise corporate networks.

The use of enterprise mobile apps "blows away all the old models of enterprise security, including traditional firewalling, intrusion protection, and data loss prevention technologies," says Kevin Morgan, CTO of mobile app security vendor Arxan Technologies. The new risk comes from the "extreme variety of enterprise mobile applications being deployed."

Morgan says that mobile apps are frequently subject to direct attack by criminals who reverse engineer the applications, tamper with them and redistribute them to compromise devices. It isn't difficult for attackers to redistribute compromised applications that look legitimate on the Android marketplace, which tends not to vet or manage how code is signed. Similarly, attackers target jailbroken Apple phones through rogue marketplaces.

"This creates tremendous risk that individuals pick up applications that are tampered and repackaged versions of the original legitimate application, providing all the same functions -- but with unknown 'extras,' such as capturing and sending to a remote server login credentials, credit card numbers, or high-value and sensitive corporate information," Morgan says.

Users shouldn't be allowed to use jailbroken or rooted devices on the corporate network, and enterprises should consider some form of mobile application management to constrain application downloads, Morgan advises.

9. Malvertising

Online advertising that contains embedded malware or links to malicious websites, otherwise known as malvertising, is among the most common high-volume, Web-based attacks assaulting online machines today, according to researchers with OpenDNS.

"That's because hundreds of thousands of websites allow the same third-party network to put ads on their sites," says Ulevitch. So if one third-party network is compromised, it can affect thousands of sites.

In many cases, the malicious ads attack visitors without the site owners ever knowing there's a problem. Once attackers compromise the third-party network, they'll find a way to add malicious code to existing advertisements placed by a network provider to fill in banner ad spots. These sites could be legitimate news sites, blogs or any other ad-supported site.

When the user visits that legitimate site, the malicious code within the infected advertisement redirects the request for the ad content from the third party's queue of ads and requests content from a different Internet host that's serving up malware. Sometimes the malicious ad content can take advantage of browser vulnerabilities to automatically redirect to a malicious site or initiate a drive-by download. Other times the ad will entice users to click through some kind of lure -- perhaps a fake AV warning or a promise for a weight loss product -- and send them to a site hosting malware.

In addition to typical advice about maintaining strong endpoint security -- namely through frequent patching, updated antivirus, and effective configuration and vulnerability management -- network security precautions can help protect users as well, says Ulevitch.

"To protect against these types of attacks, enterprises need to block the DNS requests by domain name or IP address or by the subsequent IP-based connection," Ulevitch says. Security intelligence feeds may help block infection by pinpointing malicious IP addresses associated with current malvertising campaigns, he notes.

Users should be trained to avoid potential scams originating from banner ads, even from legitimate sites. They should be on guard for similar scams delivered through mobile apps. Many mobile apps are given away for free but supported by ad revenue. Most of those ads are delivered by third-party ad networks, and cyber crooks are increasingly attacking these networks, says Blue Coat's Larsen.

"As a recent example, an advertisement for a fake Angry Birds download delivered an SMS Trojan that [sent] premium SMS texts to the malware host, which then billed the unsuspecting users," Larsen reports.

10. P2P Dangers

Peer-to-peer networks have long been a hotbed of criminal activities, but as more legitimate networks such as Skype and Spotify gain mainstream acceptance, the bad guys are using them as platforms for malicious activity.

Researchers at Damballa, a provider of advanced threat protection, have seen a fivefold increase in malware using P2P for command-and-control instructions and data transfers in recent studies. P2P often gives attackers the power to bypass traditional network defenses.

"As the security industry starts to mitigate the risks from advanced malware by detecting communication 'up' to C&C, malware authors incorporate 'sideways' P2P communication so there is no one set of addresses that can be blocked," says Brian Foster, CTO for Damballa.

Even in organizations that have stamped out P2P activities on the corporate network, the threat may be introduced via mobile workers outside the network.

The less-reputable P2P networks continue to be bastions of malware distribution. Solera's Brandt recently did research on the less seemly "file indexing" directories set up for the sole purpose of delivering pirated software, many of which link to files stored in file drop services similar to the now-defunct Megaupload.

"On many attempts I found my browser endlessly loading pop-under ads while the file drop sites played countdown timers, demanded that I entered captchas and asked for other nonsense that serves no purpose other than to give the ads time to load," Brandt recalls. More than once, Brandt's test machine was infected simply by waiting for a download to begin. "Usually the culprit was a pop-under ad window, which itself contained a malicious iFrame reference to the hostile code," he says.

Protect Your Users From Web Threats

The starting point to protect against these many Web threats are basic endpoint protection measures, such as patching devices frequently, employing systematic configuration and vulnerability management practices, and keeping endpoints updated with antivirus software. Employees should be educated to understand the sophistication with which crooks design their attacks, often using familiarity, business urgency or plain curiosity as drivers.

But these recommendations are only a start. Some endpoints still fall through the cracks of even the best endpoint hygiene programs, and some employees still fall for well-crafted social engineering ploys. Criminals continue to employ attacks that take advantage of unknown, or zero-day, vulnerabilities. With so many potential points of leak or entry, additional layers of protection are essential, experts say. Some of these additional layers could be implemented by rethinking endpoint security, says Anup Ghosh, CEO of endpoint security vendor Invincea.

"Asking users to make security decisions and then blaming them when they make the wrong one isn't a solution to the problem," says Ghosh. Invincea advocates giving users the capability to browse within virtualized containers that would, in theory, buffer their actions on the Web from vulnerabilities in the browser or other applications on the device.

Other experts recommend backstopping endpoint protection with effective network intelligence to detect the kind of "sideways" movement that malware makes through the network after breaking in to a single endpoint.

"Building several different security zones, rather than one blanket solution, and monitoring them closely with daily forensic inspection and data analysis is the most effective strategy," says Vann Abernethy, senior product manager of distributed denial-of-service mitigation firm NSFocus.

Strategies may vary, but the key is to overlap them and to minimize chinks in the armor.

"Companies need to take a layered approach when dealing with these endpoint weaknesses," says Mark Lobel, principal in PricewaterhouseCoopers' security advisory practice. "It is impossible to stop an employee from ever being tricked, but companies can minimize the number of times -- through education -- and identify the impacts as quickly as possible through monitoring and alerting."

Editors' Choice
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading