Traditionally, browser-based attacks originated from “bad” websites. However, due to poor security coding of web applications or vulnerabilities in the software supporting websites, attackers have recently been successful in compromising large numbers of trusted websites to deliver malicious payloads to unsuspecting visitors.
Hackers add scripts that do not change the website’s appearance. These scripts may “silently” redirect you to another website without your knowledge. This redirect may cause malicious programs to be downloaded to your computer. These programs are generally designed to allow remote control of your computer by the attacker and to capture personal information, often in order to obtain credit card and banking information and data used for identity theft.
In April 2008, Panda Labs, a computer security and anti-virus publisher, announced that more than 280,000 websites had been altered to redirect computers to malicious websites which would attack them in a variety of different ways. The SANS Institute, a computer security research and training organization, recently declared browser attacks to be the “Top Cyber Security Menace” for 2008.
It’s not just desktop or laptop computers that are vulnerable. As their popularity increases, smart phones such as Blackberries and iPhones may become targets of browser-based attacks because of their built-in browser technology and Internet access. Clearly, users must be aware of the issues and take proactive measures.
The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture. Organizations have permission--and in fact are encouraged--to brand and redistribute this newsletter for educational, non-commercial purposes.