Social engineering: meh or muh-oh?
There’s been a lot of news lately about the CanSec security conference where all the major Web browsers were “hacked”. The attack for the Safari Web browser required the user to click on a link, after which complete control of the machine was given to the attacker. Is that a real attack since it required somebody to click on a link? Aren’t viruses all about hacking into somebody’s machine without them doing anything?
Not really. The Internet landscape has changed a lot recently. Not too long ago, a virus or worm could infect your computer while it just sat there. And while those are still threats that users must be aware of, the vast majority of malware on the Internet nowadays isn’t a traditional virus, because it can’t spread on its own—it requires social engineering to spread.
So how are these attacks so successful, and why does it matter? Normally these types of attacks require users to click on a link to download some malicious program. Usually the link is in spam e-mail, a phishing Web site, or even an advertisement that promises to clean your PC.
But the latest trend is for attackers to actually modify a Web site you visit frequently, such as a blog or company Web site—thus eliminating the need for you to click on any kind of link at all. According to Symantec Security Response, the #1 malicious trend in 2008 was a “known good” Web site being compromised. By modifying a Web site you already visit, the attackers eliminate any need for you to click on a link—you will just stumble upon their attack on your own. Incidentally, if you have any reason to suspect a Web site may have been hacked, you can check its status for free by visiting the Norton SafeWeb Web site (safeweb.norton.com) and entering the suspect Web address.
Now, if hackers can’t compromise a known good Web site, they can do the next best thing—buy their way in. An attacker can buy an advertisement on a Web site, and use the ad to attack any visitors. The ad can carry an image that takes advantage of a flaw in your Web browser’s PNG image handling, or an IFRAME that has malicious HTML in it.
Once the “known good” Web site has been compromised, anybody who visits that Web site becomes a target. The attack required somebody at the conference to click a link, but now imagine if that link were embedded on your favorite Web site, and the significance of these kinds of attacks becomes apparent.
Safari is a great Web browser that is generally safe, but like all computer software it has vulnerabilities in it that attackers can take advantage of. Never click on links in e-mails or instant messages, and be cautious about which Web sites you visit. But as more “good” Web sites are compromised, we recommend users take the extra bit of precaution — regardless of whether they use a Mac or a PC — to run security software. And while firewall and anti-virus software provide a first line of defense, these attacks that originate from the Web require additional protection. Many leading security software products protect against software vulnerabilities with features that are sometimes called intrusion detection or vulnerability protection. We also encourage users to make sure their operating system and security software are up to date.