Cybercriminals are a busy bunch these
days: Stealing identities by the millions, grabbing credit and
debit card account numbers, and waging a myriad other attacks on
unwitting users, businesses, and vulnerable websites. Their weapon
of choice is the malware injection; every five seconds one page is
infected, triple the infection rate in 2007. Across the Internet,
hijacked systems are continuously scanning legitimate websites with
ever-growing botnets for vulnerabilities; when a weakness is
identified, an injection attack follows; often it is nothing more than
a simple, easily overlooked 1x1 white pixel at the bottom of a web page
with an active script behind it that downloads malware from an obscure host.
In March of this year, a malware campaign relying on iFrame
injections wreaked havoc on high-profile sites—among them
USAToday.com, Target.com and Walmart.com.
The campaign leveraged the sites' internal search engines by injecting
malicious code into search engine results. This "poisoned" the
search engine cache feature (sites often store internal searches to
augment their Google rankings).
On Google, when a user searches for a popular keyword, the poisoned
cached page pops up. An HTML command tacked onto the end of the popular
keyword then opens an invisible iFrame in the user's browser that
redirects the user to a malicious host, which tries to install bogus
anti-spyware or a malware Trojan on the user's PC. According to a
July 2008 threat report from Sophos Labs, 90 percent of web-based
malware shows up on trusted and popular sites.
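The hidden-iframe injection described above is something a gateway or a site owner can scan for. The following is an added example, not code from the original article or from any vendor it mentions: a small standard-library scanner that flags iframes sized to 1x1 or smaller, hidden by style, or pointing at a host other than the site's own. The sample page and the host names in it are constructed.

```python
"""Flag hidden or off-site <iframe> tags in a page (defensive scanner).
Added example; not from the original article. Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles commonly used to keep an injected frame out of sight
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class HiddenIframeScanner(HTMLParser):
    """Collects <iframe> tags that are sized or styled to be invisible,
    or that load content from a host other than the page's own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):          # 1x1 or 0x0 frames
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        host = urlparse(a.get("src", "")).hostname
        if host and host.lower() != self.site_host:  # loads from elsewhere
            reasons.append(f"external-src:{host}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def scan_page(html, site_host):
    """Return a list of suspicious iframes found in `html`."""
    scanner = HiddenIframeScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one legitimate widget frame, one injected 1x1 frame
SAMPLE = """<html><body><h1>Store</h1>
<iframe src="https://www.example-store.test/widget" width="300" height="200"></iframe>
<iframe src="http://cdn.hidden-host.invalid/x.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE, "www.example-store.test"):
        print(finding)
```

A real deployment would run this over fetched pages and treat an external, hidden frame as a signal to inspect the host it loads, which is the kind of minute-by-minute page-element analysis the article describes.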
Good sites can go bad in a matter of minutes, and against such
dynamic, evolving attacks the traditional "one against the web"
security defenses do not work. Instead, enterprises also need a
similarly dynamic protection system that unites users in a community
in which a discovery of malware by one is shared with all, providing
protection in numbers.
Enter web-based security cloud services that draw on millions of
users' real-time web requests, which are constantly analyzed to
detect newly injected malware attacks. Community watch cloud
services see more web traffic than any one organization, and can
bring to bear more defenses, such as multiple threat detection engines,
minute-by-minute machine analysis and human reviewers to confirm
detections, than any single organization could manage. Every user
request is analyzed against these cloud defenses, offloading the web
gateway and providing faster performance. The cloud service is also
cost-effective for small and large organizations alike.
The key to a cloud service community watch is volume and
repetition: dynamic, minute-by-minute analysis of web page
elements by the cloud services. The more enterprises and home users
join the community watch these services represent, the better our
chance of curbing the spread of malware.
The rapid spread of malware and the nimbleness of cybercriminals
who set up and dismantle sites in minutes demand that we band
together as a Web community to gain the advantage of protection in
numbers often seen in nature. A hybrid security solution that
leverages the cloud service and works hand-in-glove with security
web gateways installed at the network's edge provides better
protection against today's malware attacks. The cloud service can
also be used to protect remote users, who cannot carry traditional
network defenses with them to airports, hotels and coffee shops.
For enterprise networks, the best approach combines security at
the gateway with the protection of a cloud service that acts as a
community in which all are notified when one discovers malware. We
must all add yet another layer of protection, except this time
behind a united front in the cloud.