
New viruses exploit the popularity of social networks to reproduce

17/04/2008
XPinyol

Web 2.0, with its dynamic technologies and bustling communities, has turned the once quiet territory of websites into a Wild West. As the settlers arrived, so did the criminals, setting a thousand traps to hunt down the computers of the unwary. Falling into them is as simple as visiting a site with a browser or operating system that has a security flaw.

According to the company Sophos, 6,000 infected pages are discovered every day. Their owners, in 83% of cases, don't even know it. Someone has taken advantage of a security hole to sneak in malicious code that will infect their visitors: a pop-up window will ask them if they agree to download a file to better view the page. This file will contain the virus.

And it will not be just any virus, but an intelligent virus, belonging to a new generation called Malware 2.0, capable of detecting the operating system and browser of its future victim to install the appropriate malicious code. In more and more cases, it is no longer necessary for the visitor to agree to download anything: the virus is automatically introduced to their computer through a small program hidden in the page visited.

New daily attacks

New attacks of this type come to light every day, especially on social networks. The hardest hit is MySpace, for a simple reason explained by Luis Corrons, technical director of PandaLabs: "The creators of malicious code try to ensure that the distribution of their code affects the greatest number of people and, the larger and more active a social network, the easier it will be."

The first social networks attacked were Orkut and MySpace, in 2005. Both had Cross Site Scripting errors (incorrect HTML validation), the biggest security problem of Web 2.0 along with JavaScript and ActiveX controls. The attackers introduced worms into the profiles of these networks that, when visited by people with vulnerable browsers, infected their profiles, and these in turn infected others. There were thousands of infections in minutes.

Since then, social networks have seen everything: forums and friendship invitations that ask the visitor to download a program to be able to view a photo, a movie, an anniversary postcard. Updates of well-known programs that are actually viruses. Anti-spyware programs that actually install spies. And the old crime of data theft.

In January, an anonymous person made public half a million images taken from supposedly private MySpace profiles. It was not the first time. Around the same time, The New York Times reported that Facebook does not delete from its servers the personal information of accounts that have been cancelled, exposing it to intruders.

Criminals are also beginning to take advantage of the growing popularity of videos on the web. QuickTime movies that download Trojans have already been seen on MySpace. Last year, a researcher warned of the many holes in YouTube that would allow malicious code to be injected into its pages, or videos that would infect just by watching them, although, Corrons explains, "YouTube eliminates suspicious videos."

The YouTube Hook

New tricks keep appearing along the way, says the expert: "We are observing the use of legitimate YouTube videos to make malicious code go unnoticed. Let's imagine that we receive a spam email from a girl who wants to meet people and, in order to see her, we have to execute a file. When we do so, it will redirect us to a legitimate YouTube video, so that we do not suspect anything while the code is installed."

In addition to infecting the pages people visit, criminals infect thousands of legitimate sites at once by attacking the server that hosts them. These are the so-called "mass hacks", whose prime example was the MPack tool, which between April and May infected 400,000 websites.

The objective of Web 2.0 criminals is, according to Corrons, "to expand their networks of bots and obtain access codes to bank accounts. Normally, they install a Trojan that will download more malicious code to the computer according to the needs of its creator." Profit is always present: "Sometimes directly, like banking Trojans. Others may gather information on Internet usage habits."

The cause of this problem is "the increased complexity of web applications and the lack of security awareness and training of their programmers," says Chelo Malagón, from IRIS-CERT. Corrons also blames Internet users: "In most cases, they do not have their systems updated or they are tricked into executing malicious files, and they give too much information on their social media profiles."
