Anatomy of a Web Attack
Many malware episodes begin innocently enough.
"Can you come over and look at my computer?"
That's how many tech-support stories start, whether you're supporting users full-time or you happen to be the person around the office who "knows computers."
Upon recently hearing these words, I walked over to my colleague Anne's computer and looked at her screen. A big window had appeared on Anne's monitor, warning her that her computer had been infected with malware and needed to be scanned.
I immediately recognized that the message was a fake. Fortunately, Anne had too. Still, I was amazed by how authentic the "malware warning" looked, and had to check twice to be sure it wasn't a legitimate Windows alert. I probably sounded slightly annoyed as I told Anne to simply close the window. However, she informed me that she'd tried that, and it hadn't worked. "Don't click the Cancel button. Instead, do this," I said, grabbing her mouse and clicking the red X in the top-right corner of the window. No luck.
What looked like a realistic scan of files and folders began. Next came an even more urgent alert telling me how important it was to click the button labeled "Protect Me" in order to download software that would remove the alleged infection. No matter what I did, I couldn't make the window go away. I finally pressed Control-Alt-Delete and used Task Manager to close Internet Explorer, which ended the episode.
Even before I could ask Anne what on earth she'd done to start the warning dialogue, she volunteered that she'd simply browsed our local newspaper's Web site. Suddenly, the urgent and un-closable window had appeared. With this information, I realized what had happened -- and that Anne wasn't to blame. Apparently, the Web page that Anne viewed contained an embedded Flash animation that filled the entire browser window and disabled the controls for closing the window.
This malware then tried to trick her into buying software that claimed to clean a non-existent infection from her computer. At best, this software would have done nothing; more likely, it would have installed malicious applications.
How Could This Happen?
When advertisers place ads, the content displayed is often hosted on another Web site. The newspaper's advertising department checks the link to make sure the content is acceptable, then embeds a link to it in the paper's Web page.
Often, advertisers pay for a certain number of views. Their ad is then displayed to the site's visitors -- along with other rotating ads -- until it reaches the agreed-upon view count.
In an attack on The New York Times, criminals claiming to represent a well-known and reputable company had duped an advertising agency into placing an ad with the Times. They included a link to a Web site holding an authentic ad for the company they claimed to represent. It looked like an everyday transaction, and the criminals even paid the invoices from the Times, the advertising agency and the site hosting the ad. But soon thereafter, the ad was replaced by the fraudsters' own nasty pitch for their fake security software. As a result, some visitors to the newspaper's Web site were served malware.
What to Do
How can you protect yourself against such an attack? Only deal with reputable and verifiable customers. The ad that led to the Times incident had been placed through an advertising agency the paper hadn't worked with before.
Such a policy can't completely protect you against this type of attack -- which can lead to negative publicity for your company -- but it's the best you can do, short of hosting all content locally.
Fortunately, protecting your clients' computers against damage from any malicious Web content can be easy. No matter what Anne would've clicked, as a user without administrative privileges, none of her actions could have seriously infected her computer, which had up-to-date malware protection and was fully patched. However, a user who experiences such an attack may use the company credit card to unwittingly purchase fake security software. Other malware may trick a user into revealing passwords. Only good common sense and frequent reminders to your users can offer protection against this type of threat. Anne may not be a security guru, but I'm glad she knows when -- and isn't afraid -- to say, "Can you come over and look at my computer?"
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.