Topic: Most Attacks Come from Legit but Hijacked Sites (fast-fluxing)

[Samker]

The number of legitimate Websites being hacked to host malware has hit startling highs in recent days, new figures from MessageLabs have revealed.

Data taken from the days between May 4 and 8 showed that 84.6 percent of Websites blocked by the company for hosting malicious content were 'well-established' domains that have been around for a year or more.

During the same period, 10.2 percent of blocked domains were less than a year old and only 3.1 percent were less than a week old.

At first glance this, this runs counter to the assumption that malicious Websites more commonly exist for only days or hours in some cases, the better to avoid detection and filtering. This is termed "fast-fluxing," cycling websites through a maze of bogus sub-domains.

However, according to MessageLabs, the likely explanation is that a move to genuine domains means that the fast-fluxing has now migrated to use a different part of the domain tree.

"The bad guys will compromise the DNS and add sub-domains," said MessageLabs' Paul Wood. The recent figure represented a high mark, admitted Wood, but still represented a gathering storm.

"People need to be extra vigilant and understand that even sites they know and trust can be compromised through attacks such as SQL injection attacks, while businesses need to ensure they take the necessary precautions to block all the latest malicious sites," said Wood.

"With the ever advancing world of cybercrime, nothing can be taken at face value."

One consequence was that the days of reputation filtering services could be numbered as a primary defense. If the domains were fraudulent sub-domains exploiting legitimate domains, this would be difficult to defend against on such a scale.

In Wood's view the only hope was to embrace hosted services, the business MessageLabs is in. "There are things you can do in the cloud that you simply can't do on your own computer."

(PCW)