Feb 3rd, 2008, 11:58 am
The IT threat landscape is ever evolving, fuelled by the exploits of financially motivated cybercriminals intent on making a quick buck.
These fraudsters are constantly innovating to find new ways of sidestepping security and duping innocent users into inadvertently handing over their hard-earned cash. Graham Cluley, senior technology consultant at Sophos, asks if the web is the new vector of attack for fraudsters.
2007 saw a major shift in fraudsters' strategy, caused by increasingly savvy computer users becoming wise to cleverly worded emails and the security industry becoming better at thwarting traditional email-based attacks. However, when one door closes, another one opens, and these criminals are now looking to the web for their ill-gotten gains. In June 2007, Sophos reported that the number of newly infected pages peaked at 29,000 a day.
Why the web?
The web has become an indispensable tool, used by millions worldwide on a daily basis, and yet it remains a relatively unprotected route to users' desktops and laptops. Once compromised, these computers give cybercriminals unchecked access to personal details, passwords and confidential data, and can also be hijacked to send out millions of spam emails.
More and more web hackers are planting spyware and other malware onto websites and then tempting users to the compromised webpages via spammed email invitations. Once web surfers are transported to an infected page, their computer may be exposed, and the fraudster is a step closer to success.
Which sites are the hackers targeting?
Any kind of website can fall victim to attack - whether it offers pornography or pottery classes. Indeed, the more innocuous the site, the better it is for fraudsters, as they're less likely to arouse surfers' suspicion.
Interestingly, Sophos research shows that only one in five infected websites is actually malicious by design. Around 80 percent of all web-based malware is instead hosted on innocent - but compromised - websites. By targeting legitimate sites, fraudsters are able to expose a potentially huge pool of victims to their malicious code.
What techniques are the hackers employing?
There are several methods open to fraudsters looking to make a mint online and the most popular of these is the 'drive-by download', which occurs once a surfer has been fraudulently directed to a web page that has been infected with malicious code.
It is easy to obtain kits that enable cybercriminals to simply and quickly create malicious code designed to launch their spyware, viruses or phishing attacks. Once they have found an unprotected web host, the fraudster injects the malicious code and attempts to entice unsuspecting users to visit the infected page.
To do this, cybercriminals deploy a number of tactics including coaxing victims with alluring content, redirecting users from other pages or even loading the content silently from another page. A further simple technique is to simply include the URL in a spam message.
The escalating threat of drive-by downloads is illustrated by a number of high profile sites that were hacked in 2007. One such incident occurred the week before the Miami Dolphins were due to host the Super Bowl, when malicious code was injected onto the team's website as hackers tried to exploit the influx of eager visitors to the site.
Mal/Iframe is an example of a drive-by download threat that targets vulnerable legitimate sites, and for the first six months of 2007, it accounted for nearly half the world's infected web pages and looks set to continue plaguing users and businesses that are not properly protected against the threat.
ISPs beware
In June 2007, a Mal/Iframe attack on multiple Italian websites occurred, making headlines around the world. More than 10,000 web pages were infected, most of which were on legitimate but compromised websites. Victim websites included city councils, employment services and tourism sites and most of the affected pages appear to be hosted by one of the country's largest ISPs.
This example shows how crucial it is that ISPs act responsibly and fully protect the sites they host. If they slip up, and a canny fraudster catches on to the vulnerability, the implications on users can be dangerously widespread and expensive. Companies with websites should make a point of checking that their ISPs are keeping up with the necessary security precautions; otherwise, they could find that they are unwittingly hosting malware.
Which servers are most at risk?
A popular tactic employed by cybercriminals is to compromise a single web server as this enables hackers to inject their code onto many webpages simultaneously - again increasing the number of potential victims.
Many threats are specifically designed to attack web-related files - such as the HTML, ASP, JS and VBS extensions - and infection on a single web server can affect thousands of web files, across hundreds of different webpages. It is this volume, together with the speed at which the code can be subtly altered and downloaded, that makes this threat vector so dangerous.
Organisations should be aware that infection is not simply a Windows problem. In the first six months of 2007, more than 50 percent of web-based threats affected Apache servers, many of which are hosted on Linux and UNIX.
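As an added example, not code from the article or from Sophos: a defender-side scan of a web document root for the kind of injected hidden iframe that Mal/Iframe-style attacks leave in HTML, ASP, JS and VBS files. The three heuristics (tiny size, hidden style, iframe appended after the last closing html tag), the function names and the sample pages are assumptions for illustration, not Sophos' detection logic.

```python
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".html", ".htm", ".asp", ".js", ".vbs"}  # file types the article names
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# An iframe the visitor is never meant to see: 0/1 pixel size or hidden by style.
TINY_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?0*[01](?:px)?\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

def suspicious_iframes(page: str) -> list:
    """Return iframe tags that are tiny, hidden, or appended after the last </html>."""
    closes = [m.start() for m in CLOSE_RE.finditer(page)]
    end_of_doc = closes[-1] if closes else -1
    hits = []
    for m in IFRAME_RE.finditer(page):
        tag = m.group(0)
        appended = end_of_doc >= 0 and m.start() > end_of_doc
        if appended or TINY_RE.search(tag) or HIDDEN_RE.search(tag):
            hits.append(tag)
    return hits

def scan_webroot(root) -> dict:
    """Walk a document root; map each affected web file name to its suspect tags."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            hits = suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                findings[path.name] = hits
    return findings

# Constructed sample pages (not real infected content): one clean, one injected.
CLEAN_PAGE = ('<html><body><h1>City council</h1>'
              '<iframe src="map.html" width="400" height="300"></iframe></body></html>')
INJECTED_PAGE = ('<html><body><h1>Tourism</h1></body></html>\n'
                 '<iframe src="http://example.invalid/in.php" width=1 height=1 '
                 'style="display:none"></iframe>')

def demo_scan() -> dict:
    """Write the samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.html").write_text(CLEAN_PAGE)
        (Path(root) / "tourism.asp").write_text(INJECTED_PAGE)
        (Path(root) / "notes.txt").write_text(INJECTED_PAGE)  # not a web file: skipped
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo_scan())
```

Run it over a real document root with `scan_webroot("/var/www/html")` (path is an example); any hit is a file to compare against a known-good copy, not proof of infection on its own.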
The threat from within
Organisations need to be realistic about employees surfing the web on the corporate network. It is imperative that users are educated about the threat posed by careless searching to encourage them to surf safely and preserve the integrity of their organisation.
As well as blocking access to malicious sites, a complementary strategy is to block access to websites by category, filtering URLs to create allow lists and block lists. This effectively enables administrators to simply pick and choose relevant websites to allow staff to access.
There is no doubt that users' preoccupation with certain social networking sites is putting ideas in the minds of crafty cybercriminals, many of whom will be aware that a large proportion of organisations are still failing to block access to them.
In a Sophos web survey conducted in May 2007, when asked, 'Why haven't you blocked MySpace in your company?' 50 percent of respondents said that employees should be allowed to access the website. Yet previously in March 2007, the SpaceStalk spyware Trojan was discovered embedded in a QuickTime movie on the MySpace page of MAMASAID, a French rock band.
What can businesses do to thwart web attacks?
Despite the growing dangers lurking on the web, they need not cause a problem if businesses and users take the necessary precautions. However, because attacks made via the web are a relatively new phenomenon, many companies are unsure about how to effectively protect their networks.
It is vital that organisations apply the same structured, routine security measures at the web as they do - or at least should be doing - at the email gateway, their desktops and servers. For example, if run frequently, on-access scanning for malware will help prevent both initial infection and already-infected files from being used, whilst simultaneously stopping users from accidentally serving up malicious content.
As well as ensuring their websites are fully protected, with no vulnerabilities, and up-to-date with patches, businesses should also consider deploying web security solutions that not only filter based on website categorisation, but that properly inspect the code of every website before granting access. By taking these precautions, businesses will be helping to shut another door on fraudsters.
This blog entry was written by Michael_Knight. It has received 610 views, 0 comments, and 1 linkback.