When it comes to security, the web is insecure by design. We’ve known that for a long time – what with “man in the middle” attacks like FireSheep, drive-by download attacks and more. The problem has always been how to scale web-based attacks. At the end of the day, having an attack web page is great but, like every other website owner, you still have to figure out how to get people to visit your site!
Now researchers at WhiteHat Security say they’ve found an easy way around the “scale” problem: ad networks. In a presentation at Black Hat this week, Jeremiah Grossman, the CTO of WhiteHat Security, and Matt Johansen, the Manager of Threat Research there, will show how would-be attackers can parlay a small cash outlay into a sizeable browser-based botnet that could be used to send out spam, spread malicious code or launch denial of service attacks on other web sites, IT World reports. (And a note: I wrote the IT World piece. :-))
The two didn’t cross any lines in their research. They simply included a non-malicious script with their ad that would ping a server they controlled from the system on which the ad was displayed. The two then measured the potential reach of an attack that spread over an ad network. The results were eye-opening. For an up-front investment of just $0.50, they were able to get 1,000 unique hosts to ping their test server, suggesting that a million-strong browser botnet would cost just $500 to build – chump change.
Read more on IT World’s web site here.