Malicious Websites: After turning on the computer, you probably spend most of your time on the Internet, whether on social networks, blogs, forums, news sites or watching videos. The point of contact between a hacker and you is very often the Internet, especially via malicious websites.

The most infected websites

Logically, if you do not visit shady sites, you do not risk much, right?

As is often the case, hackers love assumptions like this one and take advantage of them to achieve their goals. Indeed, many well-known sites are regularly infected with malware.

In Symantec’s “2016 Threat Report”, we learn that 76% of scanned business sites contained vulnerabilities.

The famous vulnerabilities

These vulnerabilities are bugs or omissions (deliberate or not) made when an application or site is created, which hackers can use (“exploit”). For example, a website may contain a vulnerability that allows access to an account by supplying a specific but invalid password: passed to the database as is, it breaks the query and lets the login through. There are countless vulnerabilities of all kinds, some of which can be used to spread malicious ads; we will come back to this.

Of all the vulnerabilities, about 10% are said to be critical. By “critical” is meant a vulnerability like the password example above, one that makes it easy to compromise data.
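The password example above describes what happens when user input is pasted straight into a database query. The following Python script is an added illustration, not code from the original article: it builds a constructed in-memory SQLite table with a hypothetical user, shows a login function that concatenates the password into the SQL statement (a lone quote breaks the query, a crafted value makes it succeed) next to the parameterised version that treats whatever is typed as nothing but a password.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory user table for the demonstration.
    Passwords are stored in clear text only to keep the example short;
    a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL statement by string formatting, so quote characters in
    the submitted password become part of the statement instead of data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def vulnerable_query_errors(conn, username, password):
    """True when the vulnerable login raises a database error for this input,
    i.e. the input has broken the statement itself (the 'crash' in the text)."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        return True
    return False

def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the statement,
    so whatever the user types is compared as a password and nothing else."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # an invalid password that rewrites the WHERE clause
    print("vulnerable login, crafted password:", login_vulnerable(db, "alice", crafted))
    print("safe login, crafted password:      ", login_safe(db, "alice", crafted))
    print("vulnerable login, lone quote errors:", vulnerable_query_errors(db, "alice", "'"))
```

The fix is not input filtering but the parameterised query: the database driver never lets the password text become SQL syntax, so the same crafted value is simply a wrong password.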

Among the vulnerable sites, those in the Technology, Business and Blogging categories are the top three most exploited.

How to spot a malicious or infected site?

Here is a non-exhaustive list of the kinds of websites that spread infections, together with their malware propagation methods.

Streaming, hacking, gambling or pornographic sites

There is always a certain category of websites that comes to mind when we talk about hacking. Sometimes the websites themselves are illegal and, while they are at it, go all the way by also hacking their visitors.

The classic hacking vector is an advertisement asking you to visit such-and-such a site or download such-and-such a program. These same sites are usually not accepted by “classic” advertising agencies like Google. So they use other advertising networks, which place whatever advertisements they choose, and this is not necessarily a good sign.

So yes, you can of course use ad blockers, but more and more websites deny you access if you do not accept ads. And some of you still leave ads displayed.

You also need to know that these sites need two things to make money: traffic and clicks on ads. This is why it is not necessarily in their interest to serve discreet ads that nobody will click.

Drive-by downloads

This is a popular malware propagation method: malware is downloaded and run simply by visiting a page, without you having to click anything, by abusing another application (typically the browser or one of its plugins) to do the work.

Phishing

Since this threat works particularly well and is widely used, it has become one of the best known. Financial services and other websites now warn users against phishing attempts. Internet users themselves are becoming aware of this risk and take the time to do additional checks.

Hackers have several ploys to make you believe that their malicious site is an official site:

Typosquatting

This involves registering domain names similar to those of official sites, but with slight variations. A user who types “facebook.com” too quickly in the address bar could thus end up typing “facebok.com”. Rest assured, in this example Facebook anticipated the move and registered the domain name itself in time.
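A defender can turn the “facebok.com” observation into a check: measure how many single-character edits separate a domain from each brand on a watch list and flag the near misses. The script below is an added example and not part of the original article; the watch list is constructed for the demonstration (an organisation would put its own brand domains there), and the domain extraction assumes the last two labels form the registrable domain, which is wrong for suffixes such as `.co.uk`.

```python
from urllib.parse import urlsplit

# Constructed watch list for the demonstration; an organisation would use its
# own brand domains here (assumption).
WATCHLIST = ["facebook.com", "google.com", "paypal.com"]

def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def registrable_domain(url):
    """Crude 'last two labels' extraction (no public-suffix list, an assumption
    that is wrong for domains such as example.co.uk)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def lookalike(url, max_distance=2):
    """Return (brand, distance) when the domain is within max_distance edits of
    a watched brand without being that brand; None otherwise."""
    domain = registrable_domain(url)
    if domain in WATCHLIST:
        return None  # the genuine domain
    best = None
    for brand in WATCHLIST:
        d = levenshtein(domain, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best

if __name__ == "__main__":
    for candidate in ["https://facebok.com/login", "https://www.faceb00k.com",
                      "https://facebook.com", "https://example.org"]:
        print(candidate, "->", lookalike(candidate))
```

A distance threshold of 2 catches the dropped or swapped letters typical of typing errors; raising it produces more noise, and a production version would add a public-suffix list and checks for look-alike characters.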

Domain shadowing

This involves hacking an upstream site and then creating a subdomain or a web page that redirects to another website. The problem is more serious here because the domain name is correct … but the site has been hacked.

Exploit kits

There are vulnerabilities everywhere, even in your browser! And exploiting them is exactly what exploit kits are for. Exploit kits are hidden in malicious web pages, waiting for users who visit them with software or browser versions that are not up to date (and therefore vulnerable).

When an attacker discovers an entirely new vulnerability, it is called a “zero day”. That is to say that only the attacker knows about the vulnerability, it is not yet patched, and it is therefore exploitable in the wild. From there, the hacker builds an exploit kit and spreads it through web pages, either on sites of their own or through advertising on trusted sites (sometimes the advertising itself is exploited, allowing code propagation and pop-ups that are normally not possible).

JavaScript infections

In the same way as an exploit kit, malicious JavaScript code can spread on websites, performing a very specific action in the victim’s browser. This code can also be installed via browser extensions, which have access to all pages visited and therefore to their content.

One can also put “Self XSS” in this category: it consists of the victim running JavaScript code in their own browser, thinking it will unlock something or hack another person. In fact the code only serves to hack the person who launches it, for example by sending their personal information to a remote server.

Malvertising

We talked about exploit kits and about exploiting the advertising itself. Well, this is called “malvertising”. It is about finding vulnerabilities in an advertising network, or more precisely in the code used to display advertisements, in order to serve malicious advertisements. The classic example is an innocuous-looking advertisement that later turns into a malicious one. You may have already experienced the hard-to-close pop-up window on your smartphone announcing that you have “won an iPhone” while you were visiting a popular news site.

Malicious redirects

It is possible that a site you visit (well known or not) has been hacked. Being hacked does not necessarily mean the site goes down; sometimes it is very discreet: only the links are changed, to redirect you to other malicious sites (phishing).

How to protect against malicious or infected sites?

It is difficult. Hackers love assumptions and the traditional verification methods built on them.

For example, one might think an HTTP site is riskier than an HTTPS site. That is absolutely true as far as encrypting data on the network is concerned, but it does not stop an attacker from hosting a phishing site over HTTPS.

One could also use website scanners such as VirusTotal. Unfortunately we face the same problems as with classic antivirus products: false negatives and false positives. A false negative occurs when an antivirus believes a site or program is clean while it is malicious. Conversely, a false positive occurs when an antivirus believes a website is malicious while it is clean. This solution remains valid if VirusTotal shows a large number of antivirus engines detecting the site as malicious.

We could use an ad blocker, but our access to the site may then be blocked or put behind a paywall.

The solutions cited are valid, but it is important to note that we must take a step back and analyze the situation.

The following solutions are to be used without moderation:

  • Keep all software up to date (including browsers and extensions): this avoids vulnerabilities as much as possible (even if zero risk does not exist).
  • Use “URL un-shorteners”: shortening a URL is convenient, but seeing where a link leads without having to click it is more reassuring.
  • Keep your knowledge up to date: knowing the new threats and the ways to protect yourself is your best defense. Hopefully this article has contributed to that.
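An “un-shortener” only has to read the redirect headers a short link returns; it never needs to load the final page. The script below is an added example, not code from the original article or from any real shortening service: it walks a redirect chain one HEAD request at a time, refusing to auto-follow anything, and, so that it runs offline, starts a constructed fake shortener on a loopback port whose three hops stand in for a real service.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def next_hop(url, timeout=5.0):
    """Send a single HEAD request and return the absolute redirect target, or
    None when the response is not a redirect. No redirect is followed here,
    so nothing beyond this one hop is ever fetched."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            location = resp.getheader("Location")
            return urljoin(url, location) if location else None
        return None
    finally:
        conn.close()

def expand(url, max_hops=10):
    """Walk the redirect chain hop by hop; returns every URL seen, starting
    with the short link. Stops at the first non-redirect, on a loop, or after
    max_hops so a malicious chain cannot keep us busy forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        target = next_hop(chain[-1])
        if target is None or target in seen:
            break
        chain.append(target)
        seen.add(target)
    return chain

class FakeShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortening service, used only so the example
    runs offline. Relative Location values are resolved by next_hop()."""
    ROUTES = {"/s/abc": "/s/def", "/s/def": "/final"}

    def do_HEAD(self):
        target = self.ROUTES.get(self.path)
        if target:
            self.send_response(302)
            self.send_header("Location", target)
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output clean

def run_demo():
    """Start the fake shortener on a free loopback port, expand one short
    link through it and return the chain of URLs."""
    server = HTTPServer(("127.0.0.1", 0), FakeShortener)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return expand("http://127.0.0.1:%d/s/abc" % port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for hop in run_demo():
        print(hop)
```

Against a real short link you would call `expand()` directly on it; every intermediate host in the returned chain is worth looking at, since the suspicious domain is often a hop in the middle rather than the final destination.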

Want to learn more about web vulnerabilities?

These flaws and many others are seen in detail in my video course on web intrusion testing.

We will talk about the fundamentals: how HTTP, HTTPS, DNS and web architecture work in general.

We will also set up a test lab with virtual machines to host and scan our vulnerable sites to learn without breaking anything.

We will of course cover all the web vulnerabilities (XSS, CSRF, SQL injection, LFI, RFI, etc.) following the OWASP Top 10, but also everything that revolves around web security: denial of service, misconfigurations, personal data, reconnaissance, etc.