IT security firm Sophos announced a doubling of web-based malware in the first quarter of this year over the same period last year and total spam relay 4.2% higher as well. Sophos also reports that China is a big culprit in hosting (41.1%) and infections. According to this article, Symantec reported last year that Beijing had the most malware-hijacked computers of any city in the world, with more than 5% of the world’s total.
From the first link:
Not all of the infected websites were created by the hackers themselves. Sophos has found that the majority, 70 percent, were genuine websites that were vulnerable to attack because they were unpatched, poorly coded or had not been maintained by their owners. 12.8 percent of the compromised websites were hosting malicious script while Windows malware was responsible for infecting 10.7 percent. Adware was found on 4.8 percent of these pages and porn diallers on 1.1 percent.
It’s not surprising that criminals are turning to the web instead of targeting specific operating systems because (1) they can more easily spread their misery across OS platforms, (2) people still seem to be less cautious about their behaviors online than they are about what they manually save to their hard drives, and (3) most security software is reactive than protective. This last issue is compounded by the fact that trusted websites are susceptible to hacking and hosting malware and even more so the fact that people are increasingly relying on Web 2.0 client-side applications that require full trust.
“We’re continuing to make the same mistakes by putting security last,” said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. “People are buying into this hype and throwing together ideas for Web applications, but they are not thinking about security, and they are not realizing how badly they are exposing their users.”
What’s most troubling is that so many websites are poorly coded and maintained that they’re susceptible to hacking, and that security is an afterthought rather than a paradigm for development.