Research from Barracuda Labs has found over 10 million people were exposed to drive-by download risks during February 2012. This press release is scheduled to be distributed tomorrow, but I wanted to share it with you ahead of time.
Following analysis into the world’s top 25,000 websites, Barracuda discovered that, statistically, one popular website will serve malicious content every day. Through the below press release and accompanying infographic (link below), you’ll see that this problem occurs on a continual basis, spans 18 countries worldwide and is particularly prevalent in websites that are over five years old.
Infographic: http://www.barracudalabs.com/infographics/trusted_sites/
Over 10 Million People Exposed to Drive-by Exploits in February 2012
New Barracuda Labs Research Study Examines Top 25,000 Websites for Compromises and Risks
Basingstoke, UK: Barracuda Networks, a leading provider of security, networking and data protection solutions, recently released findings from Barracuda Labs’ most recent study, Good Websites Gone Bad. The study analyses the world’s top 25,000 websites, according to Alexa, to identify compromises and risks to consumers online. During the one-month study, February 2012, the team identified a number of exploited websites, exposing more than 10 million users to drive-by downloads and other risks.
An infographic highlighting the study is available at http://www.barracudalabs.com/infographics/trusted_sites/.
Additional highlights of the study include:
• On average, two of the top 25,000 domains serve malicious content each day. That statistically guarantees at least one popular website will serve malicious content every day.
• The top-ranked domains served malicious content 23 of the days in February. That means this problem is not isolated and occurs on a continuous, regular basis.
• The top-ranked domains that served malicious content spanned across 18 different countries. That means this problem has no geographic barrier.
• Over 97% of sites that served visitors malicious content were at least one year old; over half were more than five years old. That means attackers use well-established, long-lived websites for their drive-by download campaigns.
“Web security has shifted. If you are a popular website or company, the attackers want access to your users. Good sites gone bad is a serious problem,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “Users must be careful when visiting even long-time trusted sites and also, more than ever, legitimate websites must take steps to protect their websites from compromise.”
In another development, following the large-scale theft of credit card user data from Global Payments Inc., a major service provider of MasterCard payment processing, Barracuda Networks noted that failure to disclose a breach immediately makes a bad security incident much worse.
Wieland Alge, General Manager, Barracuda Networks EMEA, commented: “It is hardly surprising that credit card data is targeted by cyber-criminals – it’s potentially worth a truckload of money. However, if the financial sector is expected to maintain the highest possible security standards and keep their losses to a minimum, why did Global Payments Inc take so long to admit something was wrong?
The guidelines laid out in the PCI DSS standard are legally binding for companies in the financial sector. They include technological as well as procedural specifications to minimize the risk of theft.
While we must assume the company was fully compliant with standards, there is no such thing as 100% security. It’s the same on the high street - bank robberies will still happen even though physical security measures are getting tighter and tougher.
Aside from the breach itself, Global Payments Inc should face the music for taking so long to publicize the breach. Any delay increases the possibility of customers being affected. There are only two possible explanations for a delay, neither of them positive: either the theft has not been detected earlier, which would be a grave security lapse; or they chose not to communicate the breach sooner, which is simply unacceptable.
The prompt and frank disclosure of security incidents is central to containing the fallout, protecting the customers affected and defending against future attacks on potential victims.
As long as data breaches are made public promptly, then damage can be limited. Of course, having to change credit card numbers is a major irritation to those affected, but delayed disclosure is by far worse.
In this case, the bad guys have been given ample time to do their deeds and rip off even more unsuspecting customers. The time between fraud detection and taking action is crucial. If banks and financial institutions fail to move fast then everyone, aside from the bad guys of course, will lose.”