Hackers finding new ways to attack

Plugged In

May 17, 2007 | By Mike Himowitz, Sun Columnist

When it comes to security on the Web, we still may be our own worst enemies.

For years, millions of us clicked blindly on inviting but booby-trapped e-mail attachments, launching malicious programs that trashed hard drives, paralyzed networks and otherwise made lives miserable.

When we finally got wise to the dangers of unsolicited e-mail, the nature of the threats changed in form and purpose.

Some are now aimed at stealing credit-card numbers, bank account information, Social Security numbers and ultimately, our identities. Others are designed to commandeer our computers and turn them into "zombies" that send millions of spam e-mails or launch hard-to-trace denial-of-service attacks on other computers.

With e-mail attachments now suspect, an increasing number of infections reach our computers through "drive-by" Web downloads. Just landing on a booby-trapped Web site can cause your computer to install a program that takes advantage of a security flaw in your browser - or Windows itself - to turn your life upside down.

Messages containing links to these sites - often disguised as links to popular or otherwise safe Web pages - are replacing the infected e-mail attachment as the hacker's attack of choice.

Microsoft posts security patches to ward off the latest attacks on the second Tuesday of every month, and publishers of security software issue updates even more often. But the cops are always days or weeks behind the bad guys in these cases, far enough behind to make smart surfers leery of clicking on links to unfamiliar Web sites that come in unsolicited e-mails or on pages of Web sites they're not sure of.

As a result, hackers have found new avenues of attack. According to Didier Stevens, a Belgian Internet security specialist and blogger, one avenue involves tricking Google and other search engines into displaying links to booby-trapped Web pages when innocent search terms are entered.

Some crooks are taking an even more brazen approach by purchasing Google "adwords," an increasingly popular and legitimate form of advertising on the world's most popular search engine. Similar paid results show up on other search sites.

Here's how the system works: A business pays Google (or some other search engine) to look for particular words or phrases in every user search. If a Google user enters that term in a search prompt, Google will display the advertiser's ad as a paid listing on the right-hand side of the page containing the actual search results.

So if you're the president of the Handy Dandy Binocular Co., you might purchase the search word "binoculars." When someone searches for that term, Google will deliver your paid binocular link. No problem so far. In fact, this is an excellent and relatively noninvasive way to match advertisers with potential customers.

But according to Stevens, it's also relatively easy for a crook to buy an adword that produces a paid link to a booby-trapped page. If you click on one of these ads because it looks interesting, your computer could be infected before you know it.

Stevens says these pages often have addresses that use the relatively unpopulated .info domain (as opposed to the crowded .com or .net domains). So that's one clue to a suspicious site. But how many people would click on an ad even if it were suspicious?

Stevens decided to find out. He registered the domain titled "drivebydownload.info," then purchased the Google adword "drive by download." When a user typed in that term, or something close to it, Google displayed Stevens' paid link, which read: "Drive By Download. Is your PC virus-free? Get it infected here."

Over six months, Stevens reported, Google displayed his ad 259,723 times. And 409 people actually clicked on it. That's right, they clicked on an ad that said, "Get infected here."

Stevens didn't actually infect his "victims." All they got was a thank you message. And the percentage of click-throughs was relatively small. Still, Stevens noted, the entire ad campaign cost him $23, or 6 cents for each compromised computer. Not a bad deal. Imagine the return on a link that didn't give itself away.

For details, visit http://didierstevens.wordpress.com.

So now you're probably asking how to protect yourself against these sites. One way is to keep your security software up to date, so that it recognizes attempts to download malicious software.

Another is a free program from McAfee called SiteAdvisor, which does exactly what its title suggests. Installing as a plug-in to your Web browser, it displays a small icon next to every link returned by most popular search engines. A green check means the site is OK, while red signifies risky downloads and a question mark means an unrated site.

Based on its own research and reports from thousands of users, McAfee now returns ratings for most of the sites my searches turn up on Google, Yahoo and MSN.

An upgraded version of SiteAdvisor, available for $19.95, adds ratings to links in e-mails and other features. But the free version works quite well. Visit www.siteadvisor.com.

Of course, none of these programs will work if you're not alert. Pay attention to links in your e-mail and the results from search engines.

And don't click on any link that says "Get infected here."


Baltimore Sun Articles