Basic Security Skills No Longer Adequate To Prevent Malware And Malvertising Attacks

Malvertising, a method cyber criminals use to attempt to steal personal information from consumers, is on the rise and becoming a growing problem for businesses. Recently, Spotify, a music streaming service, apologized after 'malverts' were served to some of its users.
Spotify is an online music service that allows users to listen to any music they want to over the internet for free. It is only available in a limited number of European countries, but still has a sizeable user base. The service has approximately ten million users and about 1,000,000 of these are paying members. Services like Spotify and Facebook are legitimate, and derive revenue from advertisers in order to remain free. Like many free services, they also offer a premium subscription service. While the free version is ad supported, the paid version has no ads and allows use of the service while offline, on mobiles, etc.
Malware purveyors placed an advertisement with a widely distributed ad network, and then changed the code in the ad to exploit flaws in browser code to inject malware onto users' computers. Malvertising is on a significant rise, having doubled from Q3 to Q4 2010, according to Dasient. Based on Q4 estimates, three million malvertising impressions were served per day, an increase of 100% as compared to 1.5 million malvertising impressions per day in Q3 2010.
More than one million web sites were estimated to be infected in Q4 2010. As compared to data from one year prior (Q4 2009), web malware infections have nearly doubled and are a growing threat that needs to be abated. The probability that an average Internet user will hit an infected page after three months of web browsing is 95%.
Malicious software being served from legitimate sources has become a major problem. In 2010, nearly 90 percent of Web-based attacks started from a legitimate site, according to security firm MessageLabs, part of Symantec. "There used to be a time when the well-behaved and educated surfer was pretty safe," Dan Bleaken, senior malware data analyst for Symantec Hosted Services, wrote in July. "Today, this is no longer the case." The latest attack installs a variety of programs, including HDD Plus, which appears to be a disk optimization program, but in reality steals control of the user’s computer and requests payment to "fix" the problems.
A recent study by technology corporation Cisco reported even higher increases in malware. Cisco's Q4 report indicated that malware had grown by 139 percent in 2010. A government-backed website, designed to champion the UK's start-up businesses, has inadvertently linked users to malware. The slip will be embarrassing for the government, especially as Prime Minister David Cameron had helped launch the site and the Number 10 website linked prominently to it.
According to Paul Baccas, a senior threat researcher at Sophos, the link featured in an article about US investor Warren Buffett and took users to a fake banking site. In reality, the fix contained malware. Last month, the London Stock Exchange hosted booby-trapped adverts that asked visitors to download similar fake security software.
These report findings clearly point out that online attacks are very common these days. One proven way to mitigate information security risks is through technical security training that will enhance the skills proficiency of the cyber security workforce. EC-Council’s brand new TakeDownCon is a technical information security conference series that serves as a platform for IT security professionals to discuss and exchange views on the latest information security threats as well as remediation strategies. In addition to learning from some of the best security experts, TakeDownCon also offers highly sought after technical training courses, including the Certified Ethical Hacker (CEH) course, often touted as the world’s most comprehensive ethical hacking training program.
The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.
ABOUT EC-COUNCIL
EC-Council is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the world famous ethical hacking training, the Certified Ethical Hacker (CEH) course, Computer Hacking Forensics Investigator (CHFI) program, License Penetration Tester (LPT) program and various other technical security training programs offered in over 84 countries around the globe. TakeDownCon Dallas 2011 is one of the conferences of EC-Council’s Take Down information security conference series.