Malicious scripts in compromised websites and how to protect yourself


When talking about the attacks and threats users must face every day, people often highlight those that are more or less predictable, such as malicious archives sent as email attachments. Even though these threats are still very present (e.g. in the different ransomware variants), cybercriminals also use many other attack vectors. Some of the most dangerous are those that involve scripts, since they are difficult for users to detect.

How does a malicious script work?

Malicious scripts are code fragments that can be hidden in otherwise legitimate websites whose security has been compromised. They are perfect bait for victims, who tend not to be suspicious because they are visiting a trusted site. Cybercriminals can therefore execute malicious code on users’ systems by exploiting one of the many vulnerabilities in browsers, in the operating system itself, or in third-party applications.

If we take a look at recent examples, we will see that cybercriminals have been using well-known exploit kits for years to automate these infection processes. Their operation is relatively simple – they compromise the security of a legitimate website (or else create a malicious website and then redirect users to it from other locations), and install one of the existing exploit kits. From then on, detection and exploitation of vulnerabilities in the systems of users visiting that website can be automated.

This can be seen in malvertising campaigns, where ads displayed on compromised websites have malicious code embedded in them. If accessed, they would allow cybercriminals to gain control of a device and launch attacks.

At this point, the JavaScript code, which is usually obfuscated, is responsible for downloading and executing what is known as the payload. The latter is merely a piece of malicious code able to exploit these vulnerabilities and infect the user’s system with whatever malware the cybercriminal has chosen. All this goes almost unnoticed by the user, and thus poses a considerable risk when surfing the web.
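The obfuscation described above leaves recognisable traces in the page source: decoding calls such as eval, unescape or String.fromCharCode, long runs of hex or URL-encoded characters, auto-generated identifiers, and zero-size or hidden iframes used to pull in the next stage. The following scanner is an added example and not code from the original article or from ESET; it extracts script blocks from an HTML document with Python's standard library, scores each one against those indicators, and flags hidden iframes. The HTML sample embedded in it is constructed for the demonstration (the domain example.invalid is a placeholder), and the indicator set and threshold are assumptions a defender would tune against their own traffic, not a published detection rule.

```python
import math
import re
from html.parser import HTMLParser

# Constructed sample page: one benign script, one injected obfuscated script
# and a hidden iframe. The obfuscated block is inert (it only contains the
# patterns a scanner looks for); example.invalid is a placeholder domain.
SAMPLE_HTML = """<html><body>
<script>
  // benign analytics-style code
  function track(evt) { console.log("event", evt); }
  document.addEventListener("click", track);
</script>
<p>Welcome to the site.</p>
<script>var _0x4a=["\\x65\\x76\\x61\\x6c","\\x66\\x72\\x6f\\x6d\\x43\\x68\\x61\\x72\\x43\\x6f\\x64\\x65"];eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));String.fromCharCode(104,116,116,112);document.write(unescape("%3c%69%66%72%61%6d%65"));</script>
<iframe src="//example.invalid/ad" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

# Indicator regexes (assumed heuristics, tune for your own environment).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}"),   # \x65\x76...
    "url_encoded_run": re.compile(r"(?:%[0-9a-fA-F]{2}){6,}"),    # %64%6f...
    "hex_identifier": re.compile(r"\b_0x[0-9a-f]{2,}\b"),         # _0x4a style names
}
THRESHOLD = 3  # total indicator hits at which a script block is flagged


class ScriptCollector(HTMLParser):
    """Collects <script> bodies and counts iframes that are sized or styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.hidden_iframes = 0
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        elif tag == "iframe":
            a = dict(attrs)
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.hidden_iframes += 1

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data (CDATA mode).
        if self._in_script:
            self._buf.append(data)


def shannon_entropy(text):
    """Bits per character; reported for context, not used in the verdict."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_script(body):
    """Count indicator matches in one script block and decide whether to flag it."""
    hits = {name: len(rx.findall(body)) for name, rx in INDICATORS.items()}
    hits = {name: count for name, count in hits.items() if count}
    score = sum(hits.values())
    return {"score": score, "hits": hits,
            "entropy": round(shannon_entropy(body), 2),
            "suspicious": score >= THRESHOLD}


def scan_html(html):
    """Return per-script reports, the hidden-iframe count and a page-level verdict."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    reports = [score_script(body) for body in collector.scripts]
    return {"scripts": reports,
            "hidden_iframes": collector.hidden_iframes,
            "suspicious": any(r["suspicious"] for r in reports)}


if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    for i, r in enumerate(result["scripts"]):
        print(f"script {i}: score={r['score']} suspicious={r['suspicious']} hits={r['hits']}")
    print(f"hidden iframes: {result['hidden_iframes']}, page suspicious: {result['suspicious']}")
```

Run it on a saved copy of a page rather than on a live site, and treat a flagged block as a lead for manual review: minified analytics libraries also use decoding functions, which is why the verdict depends on several indicators coinciding rather than on any one of them.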

The reason why such code runs automatically and without user intervention has much to do with the permissions granted during system configuration. Even today, the number of user accounts with administrator rights on Windows systems is still overwhelming, and this is completely unnecessary for most everyday use.

This, together with the poor configuration of the security measures integrated into Windows itself, such as UAC, enables the vast majority of these malicious scripts to operate unimpeded on hundreds of thousands of computers every day.

If only users would set this security feature to a medium or high level, many of these infections could be avoided, provided that users understand the importance of reading the alert windows displayed by the system instead of making the mistake of closing them or, worse yet, clicking the “OK” button.

How to protect yourself from malicious scripts

To prevent these types of attacks, users must keep in mind that there is no 100% secure website on the internet, and consequently they need to take some measures to protect themselves. Updating the operating system and the applications most exposed to these attacks (mainly browsers, Flash Player and Java) is crucial to mitigating them. Nevertheless, sometimes this is not enough, and it is necessary to have a security solution able to detect this type of malicious script – not only those using JavaScript, but also those using PowerShell.


We know that malicious scripts have been used by cybercriminals for years to spread all kinds of threats like trojans, ransomware, or bots. However, at present there are adequate security measures available to – at least – mitigate the impact of these attacks. The only thing you need to do is set up the security measures that can protect you against these types of attacks and think before you click.

by Josep Albors, ESET We Live Security
