Scientists Take Aim at Website Hackers

Hackers are capitalizing on new chinks in Internet security as the public gains greater access to sophisticated web operations, according to cybersecurity experts.

"Websites are the next battleground in the war for computer security," said computer scientist Michalis Faloutsos, who, with collaborator and fellow computer scientist Anirban Banerjee, cofounded the company StopTheHacker.com to counter the threat.

StopTheHacker.com specifically addresses the security of websites, an issue that is often overlooked in favor of personal-computer safeguards. According to the researchers, the same concerns that users had for personal computer security 10 years ago are applicable to website safety today. "We are in the early stages of this war, and any website is vulnerable," Faloutsos added.

The Web 2.0 environment is allowing nontechnical people to start-up very technical websites, and hackers identify weak points in the websites to find various ways to harm users.

One method hackers employ involves slightly altering a site in a way that is undetectable to the naked eye. The hackers place malware within web pages, so when visitors click on a link in the site, they are brought back to the hacker's website. The hacker's site will appear to be safe but often tries to elicit personal information from the user and cause harm to site visitors' computers.

The number of unprotected sites continues to grow with the popularity of companies that offer--often for low prices--to host pages with simple directions and technical support. The website-building customers do not have the training necessary to adequately protect their pages, leaving the sites exposed to malware and infiltration.

Faloutsos and Banerjee say the burden of security should not be the concern of the customer, but is the inherent responsibility of the hosts. "Hosting sites should take it upon themselves to protect the space they offer--though many do not," said Banerjee, who added that website security is an underserved market.

A common misconception for many people building websites is that the protection on a personal computer is an adequate shield from various Internet threats. The researchers believe that this is potentially a very costly myth. "Specific solutions are required for website malware," Faloutsos said. "Antivirus, anti-spam, and firewalls are complementary services, these alone are not enough protection."

Popular antivirus software is not trained to detect website malware. Hackers make constant and slight changes in malware codes, making it difficult for antivirus software to keep up and effectively guard a website from future attack.

Hackers are also growing more clever when it comes to escaping detection and finding ways into unprotected areas, said Banerjee, adding that, "hackers are injecting malicious computer code in web pages, advertisements, PDF files, and other kinds of documents."

Advertisements in the banners above web pages are also a prime target for hackers. The website has sold that space to advertisers and no longer has direct control over banner content. A hacker could give malicious code to the advertisers, which they unknowingly post. When site visitors interested in the advertised product click on the banner, they get infected with malware, or are taken to the hacker's site.

Many large and popular websites, including major business publications, have been targeted specifically because of the heavy traffic they receive. Once infected, these sites shut down until the issue is remedied.

Many organizations crawl the web and blacklist infected sites, ultimately slashing the traffic for the site. For smaller sites, this black mark can cause more than just technical damage. "For sites that are relying on the web for sales, this blacklisting could totally ruin business," Faloutsos said.

The researchers say that a little more than two years ago, the number of websites being hacked began starting to climb noticeably, and it has become very expensive to protect them. Each day, about 6,000 of the 75 million active websites on the Internet are infected, and from 2008 to 2009, the number of attacked websites doubled.

With support from the National Science Foundation (NSF), the StopTheHacker.com team developed a two pronged approach to counter website hackers. First, the researchers play the part of a potential hacker--figuring out the weak points in the client's website and the best way to penetrate those spots. Second, they run a periodic scan, which is completed from a visitor's point of view.

"Our system 'learns' how to hunt down malicious code--unlike the approach taken by the antivirus world, where a signature for a specific sample of malware is searched for on a computer," Faloutsos said. "This allows us to identify previously unseen malicious code and analyze new emerging threats." This all culminates in a system that helps the team thoroughly protect the site from potential security threats before setting up specific software needed to safeguard each client.

Social networking sites are emerging as favorite sites for serious hacker activity, Faloutsos said.  Some hackers are actually charging customers to hack into the accounts of other users under the pretense of helping the user recover a lost password. Hackers also post spam on the pages of a user's friends. Some hackers have compromised social networking pages and sent out messages to friends of users in order to infect their computers.

People should realize that the only way to stop the damage from website attacks is to start sufficiently protecting websites now, Faloutsos said. "Five years from now, it will be commonplace for websites to have protection," he said. "This is just the beginning; this is not a problem that will just go away."

-- Veronica Raymond, National Science Foundation, veronica1.raymond@gmail.com

This Behind the Scenes article was provided to LiveScience in partnership with the National Science Foundation.