WEB THREATS: CHALLENGES AND SOLUTIONS
2
White Paper | Web Threats: Challenges and Solutions
I. EXECUTIVE SUMMARY
Motivated by the lure of profits from the sale of stolen confidential information, cyber criminals today are
shifting to the Web as their chosen attack vector, which provides an ideal environment for cyber crime.
Many Web threats can be deployed unbeknownst to the user, requiring no additional action than merely
opening a Web page. Large numbers of users, an assortment of technologies, and a complex network
structure provide criminals with the targets, exploitable weaknesses, and anonymity required for large-
scale fraud.
Web threats pose a broad range of risks, including financial damages, identity theft, loss of confidential
business information, theft of network resources, damaged brand or personal reputation, and erosion of
consumer confidence in e-commerce. These high stakes, the pervasive use of the Web, and the
complexity of protecting against Web threats combine to form perhaps the greatest challenge to protecting
personal and business information in a decade.
Web threats employ blended techniques, an explosion of variants, and targeted regional attacks often
based on social engineering to defraud users. And these threats often use multiple protocols, such as an
email that delivers a link to a dangerous Web site, using both the SMTP and HTTP protocols in the attack.
Conventional means do not provide adequate protection from these threats, and no single method or
technology will improve this situation. Instead, a multi-layered, comprehensive set of techniques must be
brought to bear. This white paper describes Web threats, how they function, and their impacts; it explains
why conventional methods fail to protect against these threats and describes the characteristics of a new
approach required to ensure security, regulatory compliance, and business continuity.
II. INTRODUCTION: AN UNWELCOME SCENARIO
Robert, a Human Resources Director at a large law firm, arrives at his office on Monday morning, logs on
to his computer, and scans his new email. He opens an email from a large employment site he uses
frequently, clicks an embedded link, then logs on to the site to view his postings and responses. Robert’s
client status entitles him to access job seekers’ personal information, which he uses to perform
background investigations and credit checks. Unbeknownst to Robert, the email was actually fraudulent,
spoofing the employment site. When his email client rendered the images in his message, malicious code
contained in the .jpg file secretly downloaded an executable file, which ran automatically on his computer.
This malware logged keystrokes on Robert’s computer, capturing his login information when he accessed
the job site and providing this information to the hacker.
In August 2007, a very similar scene played out as cyber criminals infiltrated the monster.com job site
through “Monster for Employers” accounts, compromising the personal information of 1.6 million users.
Many of these users then received official-looking emails, claiming to be from monster.com and
encouraging them to download a “helper application” that turned out to be yet more malware. These
评论0