10 Web-Based Attacks Targeting Your End Users

Cybercriminals often go after your enterprise data by preying on your end users. Here are ten of the most current attack techniques to watch for.

With so much of today's business conducted via the Web -- on so many types of devices -- cybercriminals smell blood in the water. Employees share more information than ever and connect to more outside networks than ever, making them subject to the threats posed by opportunistic attackers.

Every day, criminals devise new malware and social engineering attacks that target what has become an organization's weakest link: end users and their Web-connected devices. Here are the most common attack methods and social engineering techniques, and ideas on how to stop these attacks before they infect end user devices and work their way into your corporate data.

1. Drive-By Downloads

Drive-by downloads are a central part of many of the most sophisticated Web attacks that criminals perpetrate against online users. They are so dangerous because they require no user action beyond loading a page to get malicious content onto an endpoint. What's more, these attacks are often unleashed from legitimate sites that have been compromised.

Drive-by downloads are typically deployed by hackers who have taken advantage of Web vulnerabilities such as SQL injection that can be exploited to "allow attackers to change the content of a website," says Chris Wysopal, CTO at the app security testing company Veracode.

Once implanted on a site, a drive-by download typically exploits a browser vulnerability to install anything from a full malware payload to a small, less detectable downloader that later fetches the real payload. Where no exploit is available, the same injected code falls back to a fake prompt that tricks the user into installing the malware with a single button press or click.

"They can be encountered in the wild, or users could be directed to them via social engineering attacks," says Patrick Thomas, security consultant for Neohapsis, a mobile and cloud security firm. Drive-by-download attacks are commonly part of commercial exploit kits that make it easy for a nontechnical criminal to deliver an attack. These kits provide code that can automatically fingerprint a browser version and choose an exploit most likely to work against it.

More often than not, drive-by download attacks depend on vulnerabilities that browser vendors have already discovered and fixed, so patching is critical to protecting against them, Thomas says. Patch cycles of two to three months aren't fast enough to keep up with the latest threats.

Also, IT should "include browsers in patch reports and make sure that alternate browsers are considered in your enterprise patch management," he says.

2. Clickjacking

When an attack does need a click from the user, attackers often get it through a technique called "clickjacking" (also known as UI redressing).

"The purpose of this attack is to open the target website in an invisible frame and get the user to click somewhere in the frame when they don't even know they're clicking in that website," says Ari Elias-Bachrach, application security consultant and trainer for security consultancy Defensium. "In this way, you can trick the user into making a mouse click that does something [malicious] on the website."

A lure that is often grouped with clickjacking, though it relies on deception rather than a hidden frame, is a bogus pop-up window made to look like a legitimate plug-in update or antivirus alert, such as a Microsoft Security Essentials window that says you have a few viruses and should push a button to clean them. "The pop-up itself is not harmful, but if you click the button, you open the gate to infect your machine," says Rick Doten, chief information security officer for DMI, an enterprise mobility company.

Users should be educated about how an organization's antivirus upkeep works to keep them from falling for these more obvious ploys. They also should be apprised of a variation of clickjacking called likejacking, which tricks users into clicking on a predictable location on a page that sits over an invisible frame. The term was coined because the frame is often positioned so that the click lands on a Facebook "like" button, so that the user not only stumbles into something malicious but also promotes the attacker's page on his Facebook wall in the process. Another form of likejacking occurs when an attacker posts a fake video to get users to click the play button. "More advanced likejacking scams will even use JavaScript to create a dynamic link that follows the user's mouse to ensure that any click, regardless of location, hits its intended target," says Michael Sutton, VP of security research for cloud security vendor Zscaler. On the site-owner side, the attack only works against pages that allow themselves to be framed, so any site with buttons worth hijacking should send an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive that forbids framing by other origins.

3. Plug-In- And Script-Enabled Attacks

Not only do attackers look for vulnerabilities within the browser itself, they also frequently ferret out bugs in browser plug-ins and the scripting engines those plug-ins expose, and use them to carry out drive-by downloads and clickjacking attacks.

Since these attacks rely on known vulnerabilities, "make sure users keep browsers and browser plug-ins updated to the latest versions by enabling auto-update functions," says Wolfgang Kandek, CTO of vulnerability management firm Qualys.

In some cases, it may also make sense to turn off scripting within the browser and in other susceptible programs, such as JavaScript support in Adobe Reader. Similarly, uninstalling problematic plug-ins reduces the attack surface for the users who don't need them. But you'll still need to enforce those settings through policy and train users not to undo the work.


"Users often just 'allow all scripts on page' when the site doesn't load correctly," DMI's Doten says.

In particular, companies should be wary of Java. The Java browser plug-in has been one of the most heavily exploited client-side components, and Java exploits are a favorite among criminals for opening Web attacks that can get them deep within an enterprise network. Unless there's a pressing need for a business application that requires Java, IT should uninstall the plug-in altogether, recommends Andrew Brandt, director of threat research at Solera Networks, a network security intelligence company. Many attacks do spawn a pop-up message from Java asking for permission to run the malicious applet, but it's often too hard for users to tell which browser window created the pop-up.

"One accidental 'allow' click is all it takes to start the ball rolling," Brandt explains. "Once the malicious Java applet is running, it takes only seconds for the malware payload -- a Windows application -- to arrive, execute and do its dirty work."

In many of the current versions of Java-based attacks, users might see a small window labeled 'JNLP' appear in the taskbar, he says. This can be an indication of compromise, so educate users to look out for such a red flag.

[Chart: Most common attack methods]

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Page 1 of 3