The future of web threats?

We have blogged a lot over the past year or so about attackers using compromised sites in order to infect victims with malware. Once infected there are a variety of mechanisms through which the attackers then make their money. These include, but are not limited to, exploitation of resources, sending spam, hosting scammy web sites, data theft and installation of PUAs.

As it happens there are lots of other unscrupulous ways to make money (ab)using the web. One of the presentations on the agenda for next week’s Black Hat conference that caught my eye is on this very topic (Get Rich or Die Trying by Jeremiah Grossman and Arian Evans [1]).

The question is, are we likely to a shift in the techniques attackers use? In the short term, probably not. I do not see the soft targets going away any time soon – insecure web applications and poorly secured servers will continue to be widespread. The biggest single improvement to the current situation will probably be with increased client side security. Particularly integration of more security within the major browsers, which is an effective way of reaching most users. The security features we have seen in new versions of Firefox and Internet Explorer are very welcome [2].

If increased security helps to thwart current attacks, then attackers may be forced to change their tactics. Sadly they will not have to look too far. There are many other ways in which web applications and their use by innocent victims can be abused for financial gain. These include affiliate scheme abuse, something we have seen and blogged about before [3].