One of the biggest mistakes you can make on the Internet nowadays is to assume a website is safe just because it appears safe at first glance. Hackers use sophisticated methods that combine technology and psychology to attack users through websites.
Whether you land on a reputable website or a lesser-known one, you don't expect to download malicious software, also known as malware. But that's what happens on a legitimate website that has been compromised through web-borne attacks. Even the website's administrators may not know they've been attacked until months after the fact. Hackers may use exploits like SQL injections to take advantage of flaws or vulnerabilities in websites in order to carry out different attacks, such as:
- Malvertising: You may have heard of the term malvertising, a combination of the terms "advertising" and "malware." In a malvertising attack, hackers may inject malicious code into ads. When you click the ad, you may unknowingly download malware.
- Drive-by Downloads: In a drive-by download, a website delivers malicious programs to your device without you even clicking anything!
- Clickjacking: Threat actors may place hidden layers on websites to hijack your click. For example, a Facebook like button on a website may silently hijack your click to trigger a malware download or to initiate a credit card transaction.
Phishing attacks rely on deception. A typical phishing attack arrives by email or text message and carries a link leading you to a compromised or fraudulent website. A phishing website looks very similar to a legitimate one. It may have familiar graphics, text, and a similar checkout system. But hackers design phishing websites to steal your data, like your name, address, and credit card information. Here are some steps that can help you prevent phishing website attacks.
- Look for the padlock sign before the URL. It means that the website has a security certificate. However, this isn't a guarantee, as scammers can also get certificates.
- Check the URL to see if it looks correct. If it consists of random numbers or is misspelled, close the browser immediately.
- Try to enter the website address yourself instead of clicking links.
- Be careful if the website throws up regular popups and pressures you to make a fast decision.
- Spelling, grammatical, and graphical errors are rare on legitimate websites. If you see them, you might be on a phishing page.
- Research carefully if a website offers deals that appear too good to be true.
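The URL checks from the list above (random numbers in place of a name, misspelled addresses) can be automated; the following Python function is an added example, not part of the original article. The trusted-site list, the warning names, and the shortcut of treating the last two labels as the registered domain are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user actually means to visit.
TRUSTED = ("example-bank.com", "example-shop.com")

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return warning strings for a link; an empty list means no red flag found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = [] if parts.scheme == "https" else ["not-https"]
    if not host:
        return warnings + ["no-host"]
    try:
        ipaddress.ip_address(host)          # e.g. http://203.0.113.7/login
        return warnings + ["numeric-host"]
    except ValueError:
        pass                                # a name, not a raw IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")   # may render as look-alike characters
    if any(host == t or host.endswith("." + t) for t in trusted):
        return warnings                     # the real site or one of its subdomains
    # Simplification: treat the last two labels as the registered domain
    # (a real tool would consult the Public Suffix List).
    domain = ".".join(host.split(".")[-2:])
    for t in trusted:
        if host.startswith(t + ".") or "." + t + "." in host:
            warnings.append("trusted-name-inside-other-domain:" + t)
        elif 0 < edit_distance(domain, t) <= 2:
            warnings.append("misspelling-of:" + t)
    return warnings
```

An empty result only means none of these specific red flags was found; it does not show that a site outside the trusted list is safe.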
Watering Hole Attacks
Watering hole attacks are highly targeted attacks in which websites are prepared in order to hack a specific organization, like a government department, a business, or a section of an office. Usually, watering hole websites are legitimate websites that threat actors have rigged.
Before hackers use watering hole websites, though, they may gather intelligence on their targets to see what websites they use. So, a watering hole could be a website you or your team trust. The website may drop spyware, Trojans, or even ransomware strains on your system. There are very few ways to stop a dangerous watering hole attack. Here is what you can do:
- Use a cloud-based web browser instead of a local one to avoid downloading malware on your computer.
- Use top anti-malware software to protect your system.
- Only visit websites on company computers that your organization has vetted.
- Avoid saving sensitive information on websites.