Security analysts say browser-based attacks are escalating in frequency and damage. And now there are numbers to back up the warnings.
The Computing Technology Industry Association, a global trade association based in Oakbrook Terrace, Ill., reports that a new survey of 900 organizations shows that browser-based attacks are surging, and may pose the 'next significant security threat' to enterprise networks. The study reports that 36.8 percent of the companies surveyed suffered a browser-based attack in the last six months.
That number is up 25 percent from when the same study was conducted last year.
''Oh, yes. It's happening,'' says George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College. ''Everyone is using a browser and trusting the browser. I hate to bash Microsoft, but there are so many ways to extract information through a person's browser.''
These attacks, which are related to the recent spate of phishing scams, use a browser and user system permissions to allow an attacker to gain access to the computer to steal or destroy critical information. The attacks generally occur when a user visits a Web site that, on the surface, appears harmless, but contains malicious code that convinces the browser to execute commands designed to sabotage the machine or lift proprietary data or personal financial information.
''If an attacker can convince your browser to execute commands in the local zone, they could extract anything -- credit card numbers, personal information, your browsing habits. Anything of value,'' says Bakos. ''You're essentially giving them a seat at your key board.''
Bakos explains that Microsoft's ubiquitous Internet Explorer is designed with ease-of-use and maintaining a consistent interface in mind. The tools and technology available to developers to enrich content can be used by a hacker to steal information.
The malicious code exploits vulnerabilities, like the one in the Compiled Help Files in Internet Explorer. The code can be hidden in a rogue Web page. An attacker also could hack into a legitimate Web page and leave it there, or even plant the malicious code in a banner ad.
Users could stumble upon the infected page, or they could might receive a piece of spam that tricks them into visiting the site. However they get there, once they are on the site, they don't even need to click on anything to be infected. Code on that page will dynamically download executables or content onto the machine.
''That's absolutely the case,'' says Steve Sundermeier, a vice president at Central Command, an anti-virus and anti-spam company based in Medina, Ohio. ''Your browser-based attacks are what your phishing scams are made up of... You innocently go to a site and you don't know what you're getting.''
The Computing Technology Industry Association also reports that while incidents of browser-based attacks are on the rise, computer viruses and worm attacks still far outweigh them. The survey shows that 68.6 percent say viruses and worms are the most security threat they have to deal with.
Talk about this issue with other IT Managers on our Forum: http://forums.datamation.com/forumdisplay.php?s=&forumid=1