Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.




Trying to Stay Out of Trouble Online? Trouble May Still Find You

Jenny O'Connell

There are many myths on the subject of staying safe online, for example:

  1. The laptop I got last Christmas came with <insert-appropriate-antivirus-product-free-trial> so there’s no way I could have a virus now.
  2. My software is so old, I’m sure no one is bothering to exploit it anymore.
  3. There’s no way a phishing email could hit my work inbox, there must be… things, to stop that happening.

And the list goes on and on. But today we’d like to draw your attention to two particular fallacies:

  1. I only visit legitimate websites; therefore I must be safe.
  2. I never download any files; therefore I must be safe.

Wrong and wrong, I’m afraid. Unfortunately, even perfectly benign websites can be compromised and used to serve malware. We saw two high-profile examples of this very technique near the end of 2015, when the websites of UK newspapers The Independent and The Guardian both came under attack. Subsequently, certain pages were (ab)used to spread malware to unsuspecting visitors.

A hacked website can redirect a user’s web browser to any location the attacker chooses. In the cases above, traffic was redirected to an instance of the Angler exploit kit. An exploit kit will have a number of attacks at its disposal, targeting vulnerabilities in the browser itself, and any add-ons or plug-ins (such as video players or PDF readers). Angler, for example, will check which plug-ins are installed, and launch appropriate attacks.

If the exploit kit manages to successfully leverage a vulnerability, it will download malware onto the victim machine. The compromise can take only seconds, and the user may not see anything to alert them. This process is also known as a ‘drive-by download’: no clicking required, do not pass GO, do not collect £200.

Sadly, even if a would-be attacker cannot compromise a legitimate website itself, they may be able to create an advert containing malicious code. If the advert is displayed on a website, it can achieve the same effect (this is known as malvertising).

So, if you can’t avoid the threats, what can you do to mitigate them?

Fortunately, there’s quite a bit you can do to reduce your risk of infection. Here are some tips for staying safe:

  1. Whichever web browser you choose, make sure you keep it up-to-date. Browser updates contain security fixes that render particular attacks useless. But malware authors know that many people use out-of-date browsers, so it’s still worth their while to target patched vulnerabilities. Many modern browsers, such as Google Chrome, update automatically.
  2. Keep your add-ons and plug-ins up-to-date, for the same reasons outlined above. Many modern browsers, including later versions of Internet Explorer, embed some third-party software such as Flash, and update it automatically. This is useful, but always be aware of what is, and isn’t, updating behind the scenes.
  3. Got an old, unsupported add-on or plug-in? Or even one you’re just not using anymore? Uninstall it. Just because you don’t use it doesn’t mean the attackers won’t. If you have a legacy requirement, consider keeping two browsers: one for general browsing, and one specifically for the unsafe add-on (this is, at best, a temporary workaround).
  4. Install an antivirus product. Antivirus software is by no means a panacea, but it can provide a useful last line of defense. What else must you do? Keep it up-to-date, of course!
  5. Control your add-ons. As we mentioned above, third-party add-ons and plug-ins are a favorite point of entry for attackers. Fortunately, many browsers have the option to prompt you before running content using a plug-in. This may seem slightly inconvenient, but could help to avoid exposure to malicious code.

Most browsers also allow users to disable JavaScript. Alternatively, plug-ins such as NoScript can be used to achieve this. However, it is becoming increasingly difficult to browse the Internet without JavaScript enabled, so this may not be a practical option for many people.

Ad-blocking add-ons have also gained popularity recently, both as a way to avoid irritating adverts, and as a defense against malvertising attacks. However, much of the free content we enjoy online is only made possible thanks to advertising revenue; it helps the people running the websites pay their bills. Some providers are even blocking access to browsers with ad-blocking enabled. So, we’ll leave that decision up to your own moral compass.

So, there we have it: while it may be nice to think that sticking to a tried-and-trusted set of websites will keep you safe, there’s absolutely no guarantee. Like so much in life, it’s better to tackle a distressing truth than believe a comforting myth.


Photo credit Didier Baertschiger, under Creative Commons