ScanSafe Reports 35 Percent Increase in Web Threats as Websites in the ‘Long Tail’ Come under Attack

Leading Provider of SaaS Web Security Reports Thousands of Mid-Tier Websites Compromised by Malicious iFrame in Mushrooming Attack

In its Global Threat Report issued today ScanSafe, the pioneer and leading provider of SaaS Web security, reported a 35 percent increase in Web-based malware in April. The increase was driven by two separate series of attacks — an expanding iframe injection on middle tier sites that comprise the so-called ‘Long Tail’ of the Web — as well as a much higher profile SQL injection attack that affected thousands of websites — including many well known sites such as the United Nations.

“What we saw in April was a one-two punch,” says Mary Landesman, senior security researcher, ScanSafe. “In addition to the much publicized SQL injection attack, Web surfers were impacted by the mushrooming of an attack on mid-tier websites. While individually these mid-tier sites may not pack in the visitors, collectively they make up what’s often referred to as the Long Tail of the Web. Ongoing investigation by our Security Threat Alert Team indicates this is a large scale attack that is growing exponentially and is not being detected by the majority of Web crawlers.”

For example, several searches on infected sites using a newly launched security feature on Yahoo! powered by McAfee SiteAdvisor did not flag or block the sites.

“The hackers behind this attack have been employing techniques to elude detection and as a result, the only way to block the malware is if the affected Web page is scanned in real-time, which is what ScanSafe does.”

The attack on these Long Tail sites began in December 2007, but has exploded in recent weeks. In April, nearly 50 percent of ScanSafe’s corporate customer base tried to access one of these sites, but were protected from the malware. Examples of impacted sites (which have since been cleaned) include:
YeahBaby.com – which provides information for expectant parents and parents of newborns and toddlers
Flowercarole.com – a collection of fruit smoothie recipes
Soccercommercials.com – a collection of soccer commercials from around the world

There are several commonalities among the compromised sites that indicate the likelihood that this is a coordinated attack being carried out by one person or group of people. All of the affected sites in the Long Tail attack contain an identical malicious iframe and all exhibit specific behavior designed to thwart casual investigation. The iframe loads exploit code that can expose surfers to malware that can steal passwords or open backdoors to access infected PCs. The malware hosts involved in the attacks are hosted in both Turkey and China. ScanSafe believes the attackers initially gained access to the sites via a compromise in webmaster FTP credentials — allowing them to hack the sites and gain access to host servers.

A detailed threat alert on the Long Tail attacks is available at www.scansafe.com/threat_center/threat_alerts/long_tail_sites_come_ under_attack (Due to its length, this URL may need to be copied/pasted into your Internet browser’s address field. Remove the extra space if one exists.)

Earlier in April, ScanSafe reported on the latest round of SQL injection attacks, estimated to have impacted over 500,000 sites — including many brand name sites. According to ScanSafe, the April attacks are related to a series of attacks targeting Active Server Page (ASP) and Microsoft SQL Server that first appeared in October 2007. High profile victim sites have included the U.N., Ikea, the city of Cleveland and Computer Associates (all these sites have since been cleaned). While earlier waves targeted obscure pages on affected sites, the attacks in April targeted more frequently visited pages. ScanSafe believes the SQL injection attacks will continue to grow in sophistication.

“It’s unlikely we’ve seen the last of either of these attacks. Given the improved targeting and growing number of compromises, Web surfers will want to be increasingly cautious,” says Landesman.

The ScanSafe Global Threat Report is based on an analysis of more than 10 billion Web requests the company scans each month on behalf of business customers in over 60 countries. It represents the world’s largest security analysis of real-world corporate Web traffic.

For a copy of the latest monthly ScanSafe Global Threat Report, please visit http://www.scansafe.com/__data/assets/pdf_file/7584/gtr_APRIL2008.pdf

About ScanSafe

ScanSafe is the largest global provider of SaaS Web Security, ensuring a safe and productive Internet environment for businesses. ScanSafe solutions keep viruses and spyware off corporate networks and allow businesses to control and secure the use of the Web and instant messaging. As a fully managed service, ScanSafe’s solutions require no hardware, upfront capital costs or maintenance and provide unparalleled real-time threat protection. Powered by its proactive, multilayered Outbreak IntelligenceTM threat detection technology, ScanSafe scans more than 10 billion Web requests and blocks 100 million threats each month for customers in over 60 countries.

With offices in London and San Mateo, California, ScanSafe is privately owned and financed by Benchmark Capital and Scale Venture Partners. The company received a 2007 CODiE award for Best Software as a Service Solution, the 2008 and 2007 SC Magazine Europe Award for Best Content Security Solution and was named one of Red Herring’s Top 100 Technology companies. For more information, visit www.scansafe.com.

Contacts

ScanSafe
Sheila O’Neill, +1-650-294-3463 (U.S. Media)
Mobile: +1-303-324-7310
sheila.oneill {at} scansafe(.)com
Susie Bailey, +44 (0) 20 7959 0630 (EMEA Media)
Mobile: +44 (0) 7875 360 437
susie.bailey {at} scansafe(.)com
or
Schwartz Communications, Inc.
Matthew Grant, +1-415-512-0770 (U.S. Media)
scansafe {at} schwartz-pr(.)com