BLUF
BLUF: No safe browsing practices are a good start but even trustworthy websites can have malware.
Chances are someone at some point has told you that you don’t need an antivirus if you practice “safe browsing”. If you go to www.reddit.com/r/techsupport you’ll see this come up almost anytime someone asks a question about malware; however, this isn’t true at all. Today I’m going to discuss three different ways that legitimate websites can still infect your computer with malware.
Introduction: Term Definition
Before we begin with this let’s define some terms.
Safe Browsing
Safe browsing is the concept of only visiting websites that are considered normal legitimate websites. Under the concept of “safe browsing,” you might not visit something like www.gravitywall.net because it’s not a well-known website. While I take great efforts to mitigate the issues we’ll list here if you’re judging solely by the concept of how well known something is you wouldn’t visit this site. (For reference: I use Google Sites to avoid hosting my own code and having to deal with security patches, I use Disqus to host comments and avoid XSS, and I don’t run ads to avoid malvertising.)
Legitimacy
There’s no doubt that the word legitimacy is going to ruffle some feathers when talking about companies like Facebook, Reddit, and Google; but we’re not talking about moral legitimacy. For the concept of legitimacy, we’re talking about nonrepudiation. When you go to www.google.com you know definitively who you’re dealing with. It’s Google; there’s no questioning that. When you visit www.gravitywall.net you don’t really know who you’re visiting. I simply don’t have the history that Google does so there could be questions on the legitimacy of my site.
This concept is what most people use to “validate” a site as “safe” to visit or not. If they don’t recognize it then they don’t visit it.
Now that that’s out of the way lets discuss why “Safe browsing” is not a foolproof way to keep your computer from getting a virus.
Domain jacking/Supply Chain attacks
This is probably the most common concern people know about. A website could be high-jacked but an unsavory actor and used to serve malware. We saw this back in 2017 with CCleaner, Asus in 2019, and even some website builders. Even legitimate websites like Google aren’t necessarily immune to this as the human component plays a part. In 2015 Google forgot to pay their domain registration fees and ownership of google.com was bought by someone. Fortunately, this guy was responsible and sold it back to Google (for way less than it’s worth) but image the repercussions that could have come from this. Asides from making a boatload of money off advertising, this guy could have loaded malware on the #1 most visited website in the world. He had an instant ability to serve malware to billions of computers. If you’re verifying the safety of a domain by the legitimacy of you aren’t safe from supply chain attacks.
Now I want to clarify that these types of attacks are less frequent than the next two but they are still possible.
Cross-Site Scripting (XSS)
XSS used to be the most common vulnerability according to OWASP, but recently it’s dropped into the #2 spot. XSS is where client-side scripts are injected into elements of a webpage. A common example of an XSS comes from comment sections on web pages. If the input isn’t properly validated then when someone else visits the page their browser will read the scripting code (usually JavaScript) and load it as trusted code. Since JavaScript is a client-side code (meaning that it runs on the computer visiting the website instead of on the website itself) the web browser will read it and attempt to execute it. This can lead to your browser connecting out to a malicious domain in the background while you’re visiting a legitimate website. In 2019 security company Fortinet discovered an XSS vulnerability in WordPress. WordPress is easily the largest web hosting platform, so an XSS vulnerability in the core service could lead to a large number of “legitimate” sites being able to unintentionally serve malware.
Malvertising
I want to clarify one thing upfront. Malvertising is not the same thing as Ad malware. Another common thing that people talk about when discussing “safe browsing” is “don’t click on things”. While that’s certainly good advice it’s not what we’re talking about. We all know what ad malware is; You’re browsing your favorite hub of adult entertainment and an ad pops up telling you that your Flash is out of date worried that you won’t get your fill and will miss out on the surprise finish you quickly click the ad to download the Flash update. Except that update wasn’t really from Adobe and now you have a trojan. That’s ad malware; malvertising is something else completely.
Imperva has a pretty great article describing the different vectors of malvertising.
From my time working in a SOC, the most common one I saw was “Malware in ad Creative”. The way this works is that when you load the page your computer also downloads and runs all of the JavaScript used for the page as well. Malicious Javascript hidden in the ads loads and your computer transparently reaches out to download the malware.
The same with the other examples even “legitimate sites” have served these malicious ads. Again according to Imperva (seriously go read that article; it’s very insightful) major websites including The New York Times Online, The London Stock Exchange, Spotify, and The Atlantic have all had this issue.
The thing that separates this from other forms of compromise is that the website really has no control over it. With Domain Hijacking and Supply Chain Attacks, the website hosts can make sure their systems are patched and up to date (looking at you Equifax). With XSS the web host needs to properly sanitize input so that scripting code isn’t trusted.
With Malvertising the only thing the website host can do is to not run ads. Most web site creators need ad revenue to keep the website running. Turning off ads would kill their revenue stream. The only option these web creators have is then to trust in the ad providers to properly validate their ads; something even Google isn’t fully capable of doing (although they’re better about it.)
Conclusion
Safe browsing practices are a good first step when trying to protect your security online, but they’re not enough to truly keep you safe. You should always use an Anti-Virus in conjunction with safe browsing practices. Thankfully Windows Defender is free.
