Malicious scripts in compromised websites - and how to protect yourself
When talking about the attacks and threats users must face every day, people often highlight those that are more or less predictable, such as malicious archives sent as email attachments. Even though these threats are still very prevalent (e.g. in the different ransomware variants), cybercriminals also use many other attack vectors. Some of the most dangerous are those that involve scripts, because they are quite difficult for the average user to detect.
How does a malicious script work?
Malicious scripts are code fragments that, among other places, can be hidden in otherwise legitimate websites whose security has been compromised. They are perfect bait for victims, who tend not to be suspicious because they are visiting a trusted site. Therefore, cybercriminals can execute malicious code on the users' systems by exploiting any of the multiple vulnerabilities in the browser, in the operating system, in third-party applications, or in the website itself that allowed them to place the exploits there in the first place.
If we take a look at recent examples, we will see that cybercriminals have been using well-known exploit kits for years to automate these infection processes. Their operation is relatively simple – they compromise the security of a legitimate website (or else create a malicious website and then redirect the users to it from other locations), and install any of the existing exploit kits. From then on, detection and exploitation of vulnerabilities in the systems of users visiting that website can be automated.
This can be seen in malvertising campaigns, where ads displayed on compromised websites have malicious code embedded in them. If accessed, they would allow cybercriminals to gain control of a device and launch attacks unless protected by a quality computer security product.
At this point, the malicious script (JavaScript, for example), which is usually obfuscated, is responsible for downloading and executing what is known as the payload. The latter is merely a piece of malicious code able to exploit these vulnerabilities and infect the user's system with the malware that the cybercriminal has chosen. If the system is not protected, and all goes as planned by the criminals, all this goes almost unnoticed by the user, and thus poses a considerable risk when surfing the web.
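Obfuscation is the first thing a defender can look for in script content pulled from a page. The following PowerShell function is an added example, not code from the original article or from any security vendor: it scores a JavaScript text for a few common obfuscation indicators (dynamic-evaluation and decoding calls, dense escape sequences, very long whitespace-stripped lines). The weights, the threshold of 5, and the two sample strings are constructed assumptions for illustration.

```powershell
# Added example (not from the original article): a simple heuristic scorer that
# flags JavaScript text showing common obfuscation indicators. Weights and the
# threshold are assumptions chosen for illustration, not a vendor's detection logic.
function Get-ScriptObfuscationScore {
    param([Parameter(Mandatory)][string]$Text)

    $score   = 0
    $reasons = New-Object System.Collections.Generic.List[string]

    # Dynamic code execution and decoding primitives typical of script loaders
    $patterns = @{
        'eval('                = 3
        'unescape('            = 2
        'String.fromCharCode(' = 2
        'atob('                = 2
        'document.write('      = 1
    }
    foreach ($p in $patterns.Keys) {
        $count = ([regex]::Matches($Text, [regex]::Escape($p))).Count
        if ($count -gt 0) {
            $score += $patterns[$p] * $count
            $reasons.Add("$p x$count")
        }
    }

    # Dense runs of hex / unicode / URL escapes (\x41, \u0041, %41)
    $escapes = ([regex]::Matches($Text, '(\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})')).Count
    if ($escapes -ge 8) { $score += 3; $reasons.Add("escape sequences x$escapes") }

    # Obfuscators often strip whitespace, producing one very long line
    $longest = ($Text -split "`n" | ForEach-Object { $_.Length } | Measure-Object -Maximum).Maximum
    if ($longest -gt 500) { $score += 2; $reasons.Add("longest line $longest chars") }

    [pscustomobject]@{
        Score      = $score
        Suspicious = ($score -ge 5)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed samples (not real malware): a plain script and an obfuscated-looking one.
# The second decodes to an empty function declaration and does nothing.
$benign     = "function greet(n) { console.log('Hello, ' + n); }`ngreet('world');"
$obfuscated = "eval(unescape('%66%75%6e%63%74%69%6f%6e%20%61%28%29%7b%7d'))"

Get-ScriptObfuscationScore -Text $benign       # Score 0, Suspicious False
Get-ScriptObfuscationScore -Text $obfuscated   # Score 8, Suspicious True
```

To run it over a saved page, pass `Get-Content -Path .\page.js -Raw` as `-Text`. A heuristic like this produces false positives on legitimately minified libraries, so it is a triage aid that tells an analyst where to look, not a verdict; the article's point that a real security solution must inspect scripts holds.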
The reason why the execution of such code is accomplished automatically and without user intervention has much to do with the permissions that are granted during system configuration. Even today, the number of user accounts with administrator rights on Windows systems is still overwhelming, and this is totally unnecessary in most situations of everyday life.
This, together with the poor configuration of any of the security measures integrated into Windows itself, such as UAC, enables the vast majority of these malicious scripts to operate unimpeded on hundreds of thousands of computers every day.
If only the users would set this security feature at a medium/high security level, many of these attacks could be avoided, provided that users are aware of the importance of reading the alert windows displayed by the system and the security suite instead of making the mistake of closing them or, worse yet, clicking on the "OK" button.
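The two configuration points raised above, whether the everyday account is an administrator and whether UAC is set to a medium/high level, can be checked from PowerShell. The script below is an added example, not code from the original article: `Get-UacPosture` reads the documented UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and checks Administrators membership, and `Set-UacAlwaysNotify` applies the "Always notify" setting. The "weak" rule (UAC off, silent elevation, or no secure desktop) is an assumption chosen to match the article's advice.

```powershell
# Added example (not from the original article): reports the local UAC
# configuration and whether the current account is in the Administrators group.
# Registry value meanings follow Microsoft's documented UAC policy settings.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin: 0 = elevate silently (weak), 1/2 = prompt on the
    # secure desktop (credentials/consent), 3/4 = prompt without secure desktop,
    # 5 = prompt only for non-Windows binaries (the Windows default)
    $level         = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop
    $enabled       = [int]$p.EnableLUA

    # Group membership rather than current elevation state, so it is meaningful
    # from a non-elevated prompt too
    $isAdminMember = $null
    try {
        $me = "$env:USERDOMAIN\$env:USERNAME"
        $isAdminMember = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Where-Object { $_.Name -ieq $me })
    } catch { }   # Get-LocalGroupMember is unavailable on older builds; leave as $null

    # Assumed "weak" rule: UAC disabled, silent elevation, or prompts off the secure desktop
    $weak = ($enabled -ne 1) -or ($level -eq 0) -or ($secureDesktop -ne 1)

    [pscustomobject]@{
        UacEnabled            = ($enabled -eq 1)
        AdminPromptBehavior   = $level
        PromptOnSecureDesktop = ($secureDesktop -eq 1)
        CurrentUserIsAdmin    = $isAdminMember
        WeakConfiguration     = $weak
    }
}

# Applies the "Always notify" slider position: UAC on, prompt for consent on the
# secure desktop for every elevation. Requires an elevated session; the change
# takes effect at the next sign-in.
function Set-UacAlwaysNotify {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacPosture
```

If `CurrentUserIsAdmin` comes back `True` for the account used for browsing, the better fix is a separate standard-user account for daily work rather than a stricter prompt, since a prompt only helps when the user reads it before clicking.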
How to protect yourself from malicious scripts
To prevent these types of attacks, users must take into account that there is no 100% secure website on the internet, and consequently, they need to take some measures to protect themselves. Updating the operating system and those applications that are most vulnerable to these attacks (mainly browsers, Flash Player and Java) is crucial to mitigate them. Nevertheless, sometimes this is not enough, and it is necessary to have a security solution that is able to detect these types of malicious scripts – not only those using JavaScript, but also those using PowerShell, etc.
Conclusion
We know that malicious scripts have been used by cybercriminals for years to spread all kinds of threats like Trojans, ransomware, and bots. However, at present there are adequate security measures available at least to mitigate the impact of these attacks. The only thing you need to do is set up the security measures that can protect you against these types of attacks and think before you click.