In its semi-annual threat report out today, Cisco points to an "unusual uptick" in attacks on media and publishing, putting that sector the top target for malware.
For the first half of 2014, media and publishing sites had the dubious distinction of being in first place in terms of visitors being at risk for malware, sometimes because the sites were serving up "malvertising" instead of advertising. Malvertising often works by trying to re-direct browsers through methods such as iFrame attacks to force them to links elsewhere, says Levi Gundert, technical lead for Cisco's threat research, analysis and communications group.
"Criminals like re-directing traffic from media and publishing sites because they are high volume," Gundert says. Criminals, by paying for ads, are exploiting the highly-automated advertising exchanges to accept ads that contain carefully coded elements such as iFrame attacks and JavaScript that the exchanges themselves are not detecting and may not have the means to do so. So far, the industry hasn't come to terms with the significance of the scale of these attacks, but Cisco is hoping it will adopt proactive protections.
Another trend identified in the report, which analyzes threat data through use of sensors and intelligence gathered through Cisco cloud security services, is the rise of so-called "Dynamic DNS" services by cyber-criminals to help them flexibly serve up malware.
Services such as Dyn DNS and NoIP, for example, which are operated legitimately, are being exploited by criminals to a high degree as part of their botnet operations. For the enterprise customer, this means there's clear cause to view Dynamic DNS as a suspicious event in logs and perhaps block it. "The correlation is so high," says Gundert. "Businesses are blocking handfuls of Dynamic DNS."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.