Phishing: Malware Infected Web Sites Experience Explosive Growth

Heh! Heh! We're not sure if we were alarmed by the content in this recent CrunchGear blog post, or captivated by the cute "malweb critter" used to give the story a little visual interest (see below). Either way, it's still worth pondering the source document, a Dasient blog from March 7, 2011, which reports that malware-infected Web sites have doubled in number (from 500K in Q4 2009 to 1M in Q4 2010). And just to help boost your queasy feelings, here's a direct quote from the next bullet in their summary: "The probability that an average Internet user will hit an infected page after three months of Web browsing is 95%."

[Image caption: It's supposed to be scary, but gosh, it's CUTE!]

Aside from wanting to know how Dasient calculated those odds (1M Web sites is a tiny fraction of the total: Netcraft's latest survey indicates nearly 300M sites were available on the World Wide Web as of March 2011, 298,002,705 as of today, in fact), it's still a threat that end users and businesses alike may want to take steps to protect themselves against. We recommend Trusteer Rapport as a Web browser add-in to protect against phishing and unwanted access to sensitive data (including from keyloggers). Nicholas DeLeon at CrunchGear recommends M86 Security's SecureBrowsing plug-in for IE and Firefox, and the NoScript Firefox extension as well.

Many organizations use URL blacklists and content filtering to try to protect their users against phishing or malware-infected sites, but new ones keep popping up with incredible frequency (an average of 41,667 new sites per month last year, assuming straight-line growth based on the afore-cited Dasient numbers). It's clear that users and organizations should take as many steps as possible, and use as much appropriate technology as they can bring to bear, to control this looming threat.

Oh yeah! It's probably a good idea to educate your users about the threats inherent in phishing, be they in e-mail messages, tweets, or social networking posts. If they don't click the link, they don't visit the site. If they don't visit the site, they can't catch the malware.

Stu Sjouwerman


Topics: Phishing, KnowBe4
