Social networking is big business nowadays. According to an online Comscore report, MySpace boasts over 28 million visitors per day and Facebook 14 million. Traffic at this level entices attackers and their affiliated groups to test their skills for financial profit. They can use these platforms to embed scripts that redirect visitors to newly compromised sites hosting their malware, or to create fraudulent profiles posing as a potential love interest for social engineering. When redirection is used to distribute malware from previously allowed or legitimate sites, traditional defenses such as firewalls and proxies pose a minimal barrier. In addition, the trustworthiness of any website depends on unknown web administrators properly securing their servers and keeping exploit code off their visitors' pages. Web advertisements (Web adverts) take these exploits a step further.
Web adverts are the breath that keeps social networking and other free Web 2.0 sites alive. Because of their high traffic and capacity to attract multiple advertisers, they are increasingly targeted for attacks. Ad merchants love popular websites because they can purchase space and syndicate or sub-syndicate it to increase profits. The problem is that the constant re-selling of ad space to multiple parties can leave prominent websites not knowing the legitimacy of a posted ad. In addition, a zero-hour exploit (a previously unknown attack) against an ad network or its servers can lead to redirections to malware on thousands of sites almost instantaneously. Although most proxy appliances filter known malicious sites, these devices are still susceptible to zero-day or zero-hour exploits of legitimate websites.
Network security professionals strive to mitigate these threats, which can be done by blocking Web adverts through a proxy or other means. Proxy devices such as Blue Coat can block most Web adverts. The best way to implement this is to configure the proxy to replace ads with a blank.html file, which puts white space in their place. Otherwise, websites with ads (probably over 90% of webpages) will display errors where the ads were, which is not pleasant to see while reading content. If no proxy is available, ads can also be blocked in Firefox with the Adblock Plus plug-in, or by configuring hosts files to do the job.
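The hosts-file option above is the one most easily shown in working code. The POSIX shell script below is an added example, not part of the original article or any vendor's product: it takes a blocklist of ad-serving hostnames (the list here is a constructed sample, and all domain names in it are placeholders under the reserved `.test` TLD), normalizes and validates each entry, de-duplicates them, and emits hosts-file lines that sink those names to 0.0.0.0 between marker comments so the block can later be regenerated or removed cleanly. The function names `hosts_entries` and `write_hosts_block` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): build hosts-file entries that
# sink advertising hostnames to 0.0.0.0, i.e. the "configure host files" option.
# The blocklist below is a constructed sample; the hostnames are placeholders.

# Hypothetical blocklist: one hostname per line, '#' comments and blank lines
# allowed. It deliberately contains mixed case, a duplicate and an invalid entry.
AD_BLOCKLIST='# constructed sample list
ads.example-adnetwork.test
tracker.example-adnetwork.test
ADS.Example-AdNetwork.test
not a hostname!
static.example-cdn.test
'

# hosts_entries: read hostnames on stdin and print "0.0.0.0 <host>" lines.
# Lowercases names, strips comments and surrounding whitespace, drops anything
# that is not a dotted hostname of letters/digits/hyphens, and de-duplicates.
hosts_entries() {
  tr 'A-Z' 'a-z' \
    | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' \
    | sort -u \
    | sed 's/^/0.0.0.0 /'
}

# write_hosts_block: append the generated entries to the hosts file given as $1,
# wrapped in BEGIN/END marker comments so the block can be found and replaced
# later without touching hand-written entries in the same file.
write_hosts_block() {
  file="$1"
  {
    echo "# BEGIN adblock (generated)"
    hosts_entries
    echo "# END adblock (generated)"
  } >> "$file"
}

# Stand-alone usage: print the entries generated from the constructed list.
# To apply them for real, run as root against /etc/hosts (or the Windows
# equivalent under %SystemRoot%\System32\drivers\etc\hosts) instead.
printf '%s' "$AD_BLOCKLIST" | hosts_entries
```

The sink address is 0.0.0.0 rather than 127.0.0.1 so that a blocked request fails without ever reaching a web server on the workstation. This also illustrates the trade-off the article describes: a hosts-file block simply makes the ad request fail, so the browser shows whatever it shows for an unreachable resource, whereas the proxy approach with blank.html returns white space in the ad's place.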
One argument may be that software installations from a zero-hour/day exploit are not possible in corporate networks since users lack install permissions. True, but this not only places all trust in operating system user access control and group policy, it also underestimates an attacker's ability to innovate and escalate privileges. While those controls can prove effective, ad blocking serves as an additional layer that strengthens your enterprise security posture—especially against the determined attacker.
I think the impact of such a strategy on users' browsing habits is minute. To ease the transition, though, an awareness process should be used to help users accept why these measures are necessary. This can be achieved through an organizational newsletter, e-mail, or a memorandum posted on your company intranet. Users must understand that the goal is to balance security with convenience, and that we must change as the proliferation of attacks changes.
Marcos Christodonte II is an INFOSEC Manager working for the government. He holds a BS in Information Systems Management – Information Assurance, CISSP, CCNA, and is a Masters student. He can be reached via e-mail.
