Hackers are maliciously manipulating both sides of the web experience, but a little due diligence goes a long way to thwart them

Some days when I’m wasting time on the internet, it seems like I can’t visit three websites in a row without hitting a fake “you’re infected” scam or bogus browser extension ad. Most of the time these malicious offerings launch on otherwise legitimate websites — or secretly direct your browser to illegitimate websites.

For almost a decade now, a greater number of legitimate websites than malicious ones have been launching malware. The question is how a legitimate website gets compromised in the first place.

The answer: in a number of ways — including nearly every method a PC or mobile device can be compromised, plus a few more.

1. Exploits everywhere

Like personal computers, most websites are exploited by malware due to unpatched, buggy software. On any given day literally hundreds of thousands — perhaps millions — of web servers run software that should have been patched. Today’s attackers use automated exploit kits that seek out vulnerable websites and look for one or more vulnerabilities. When an exploitable website is found, the kit installs itself and “dials home” to inform its owner.

The website is then modified in such a way that visitors are either silently exploited (thanks to unpatched software on their own computers) or offered a program containing a Trojan they’re told they need. The exploit kit may include a handful to dozens of client-side exploits that are run against unsuspecting victims (check out this great summary of popular exploit kits). There’s even a secondary exploit market. Often, criminals who buy exploit kits will compromise websites, but rather than harvesting sensitive information themselves, they’ll sell access to exploited websites and users’ computers.
These operations offer what is affectionately known as “exploit as a service.”

Anyone, including absolute novices, can rent or buy exploit kits or botnets. All it takes is a willingness to risk criminal prosecution, a risk that is fairly low, especially when crossing international borders. Exploit kits get routinely updated and are rated by users so that other users can judge their exploit efficiency.

Unpatched software is the top cause, but ad networks offer an increasingly popular attack vector. Commercial websites allow ad networks to rotate banner ads in their available free space. Hackers like to compromise ad networks because they can quickly distribute malicious scripting code across the internet and hit many websites at once.

2. Fake malware

I’m slightly relieved that a lot of malware is fake — they’re scareware and adware. Not all of it is ransomware. If you have real, triggered malware on your system, I hope you have a good, unaffected backup.

Luckily, a lot of the stuff I’ve seen at companies are fake antivirus detection screens or fake ransomware. Sometimes, a user’s browser is drafted to enrich a malicious affiliate marketing scheme.

Fake antivirus detection warnings have been around for a long time, but now some malware writers are trying to ride the coattails of real ransomware writers. How dumb do you have to be to resort to fake ransomware? Also, how often does it work? I’ve had several computer-clueless friends call me with fake ransomware scare screens, and even they didn’t pay up. But some people will believe anything.

3. Malicious browser extensions

With the Windows 10 Anniversary Update giving Microsoft Edge the ability to extend browser functionality, all the major browsers now support browser extensions. I’ve seen a rash of malicious browser extensions, although most tend to be for non-Microsoft browsers.

Malicious browser extensions often seem legitimate. They appear to originate from vendor websites and come with glowing customer reviews.
PerimeterX recently released a detailed look at one type of malicious browser extension, which redirects the user’s browser to send fake clicks to websites that have paid someone to drive traffic as part of “affiliated marketing” programs. Normally the user doesn’t know it’s happening, aside from the browser slowing down a bit.

Malicious affiliate marketing programs have been around for nearly as long as the internet. You would think the biggest websites would catch on, but PerimeterX said that 71 of the websites caught up in the fake affiliate program are among the world’s largest. Big websites fall prey to such schemes because they hire marketing teams, which in turn hire web marketing teams, which outsource the requested traffic. Along the trust chain, someone ends up doing business (usually unintentionally) with a malicious hacker. The website ends up paying for traffic that never really accrued, and users accidentally participate in bogus ad schemes that slow down their computing experience.
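
The "Exploits everywhere" section describes a legitimate website being modified to serve attacker content, and ad networks pushing script onto many sites at once. As an added example (not part of the original article), here is a site-owner check that lists every external script or frame a page loads and flags hosts outside an allowlist, plus frames hidden from the visitor. The host names, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site intentionally loads active content from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com",
                 "ads.example-adnetwork.test"}

# Constructed sample: a page carrying two elements the owner never added.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example.com/lib.js"></script>
<script src="//ads.example-adnetwork.test/rotate.js"></script>
<script src="https://cdn.unexpected-host.test/c.js"></script>
</head><body>
<iframe src="https://landing.unexpected-host.test/" width="0" height="0"></iframe>
</body></html>"""

def _is_hidden(attrs):
    """True for frames sized or styled so a visitor never sees them."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class ActiveContentAudit(HTMLParser):
    # Tags that pull in executable or framed content, and the URL attribute.
    TAG_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(self.TAG_ATTR.get(tag, ""))
        if not url:
            return  # not an active-content tag, or inline with no remote source
        host = urlparse(url).hostname or self.page_host  # relative URL: own host
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("unlisted-host")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden-frame")
        if reasons:
            self.findings.append((tag, host, reasons))

def audit(html, page_host):
    """Return (tag, host, reasons) for each suspicious element, in page order."""
    parser = ActiveContentAudit(page_host)
    parser.feed(html)
    return parser.findings
```

An allowlist only catches content from unexpected origins; it does not catch malicious script delivered through an ad network host that is itself on the list, which is the case the article warns about.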