In spite or maybe because of stress I bring to you some information about security. Since there are many great sources that provide people who may not (yet) be security experts with what they need to know I will focus on recent events and things you may not have considered.

To start off this column I will use a fairly non-technical topic: Abusing the history and credibility of a domain to push malware to the systems of relatively security-savvy people.

The Concept

Say you own the domain amazingsite.tld. You’ve been using it extensively for years to provide quality content to users. In order to provide a nice UX you have integrated JavaScript components that use jQuery and Angular.JS into your code. This has led many users to disable script blockers like NoScript on your site as you clearly don’t intend to do harm. You have also decided to show ads on this page to cover your hosting costs and earn some money for your efforts. Because people value your content they have decided that you are worth supporting and have disabled their ad blocker on your domain.

Now, after the domain has been unused for years, you decide not to renew it or simply forget that you even own it. You may even have shut down the server already. Anyway, the domain is now up for grabs. This is where the danger lies.

Mallet, someone with malicious intent, decides to register your domain as soon as it expires. They may even have set up a script to automatically do this as it has become obvious that you are no longer interested in renewing it.

Mallet now sets up their server to serve malicious JavaScript code from any page requested from this domain. This will infect all visitors who click deadlinks (i.e. hyperlinks that have been created before your site went down) if they are running a vulnerable browser. This is also the reason why nobody should use an RSS reader that readily executes JavaScript as these tend to be particularly vulnerable since using the newest version of their respective rendering engine (you may have noticed that WebKit is really popular in software other than web browsers) is not a priority for them which often leaves them open for vulnerabilities years after they have been patched in their framework. This means that people who have such an RSS reader and have not bothered to kick you out of their feeds may soon find their PC to be infected with some nasty ransomware.

Mitigation

The problem with this attack is that while most major web browsers will soon display warnings about this site being malicious, older browsers, non-browser software like RSS readers with a possibly outdated rendering engine and the unlucky few who are hit by this attack before it is recognized have next to no way of protecting themselves.

Assessment

Difficulty of Implementation: 2/5
Difficulty of Mitigation: 4.5/5
Prevalence: 1.5/5

Final Thoughts

Even if this form of attack is not that widespread as it depends on prominent domains falling out of use, the simplicity of implementing it (on top of an existing browser-based exploit, that is) and the fact that it is next to impossible to mitigate make this attack something to keep in mind when disabling one’s ad blocker or allowing JavaScript to be run on any particular site.

Sources of Inspiration

SpiderLabs: Angler Takes Malvertising to New Heights

Security Now, Episode 552, “D.R.O.W.N.”