Trust-Hacking: Cyber Criminals are Exploiting Traditional Measures of Trust on the Web
February 2018 by Menlo Security
In its third annual State of the Web Report, released today, Menlo Security reveals that many of the supposedly safest neighborhoods of the web are in fact risky places to visit. Forty-two percent of the top 100,000 sites on the web, as ranked by Alexa, are either using software that leaves them vulnerable to attack or have already been compromised in some way. One rarely discussed problem is that the average website connects to 25 background sites for content, such as video clips and online ads.
Most enterprise security administrators don’t have tools in place to monitor these connections, leaving them vulnerable to backdoor attacks. Efforts to sort sites into “good” and “bad” categories are largely ineffectual. The “Business and Economy” category, for example, had more “known bad” sites that had been used to launch attacks or distribute malicious code than “Gambling.” And, email hackers are using trusted hosting services to set up phishing sites, giving them safe-looking URLs. The results underscore Menlo’s belief that in a world where no detection-based security technology is foolproof, it’s time for a new approach.
“This report confirms what most CISO’s already know: that a false sense of security is a dangerous thing when using the web,” says Amir Ben-Efraim, CEO of Menlo Security. “Despite website operators’ best efforts, cyber-criminals can now exploit widespread vulnerabilities to compromise even the most trusted brands on the web."
The report highlights the futility of using categorization services provided by many security vendors as a proxy for safety. For example, 49 percent of “News and Media” sites met Menlo’s criteria as “risky,” as 39 percent of “Business and Economy” sites and 38 percent of “Shopping” sites. Phishing and typosquatting also regularly occurs on sites in widely-trusted categories.