Hacker attacks getting more personal

Hackers are personalizing intrusion techniques to net more victims

In the same way some e-commerce sites serve up customized content based on a user's profile, cybercriminals are increasingly using personalization techniques to more effectively attack those who visit their Web sites.

Over the past year or so, the number of malicious sites using personalization techniques has mushroomed and today represents a new and disturbing trend, according to IBM's Internet Security Systems X-Force threat analysis group.

Unlike older sites that simply served up the same exploit code over and over, the new ones are loaded with multiple exploits and payloads, said Gunter Ollmann, director of security strategies at IBM's ISS X-Force team. The sites are crafted to first probe a visitor's browser for specific information, which it then uses to craft a customized attack, he said.

"We're seeing a large number of malicious Web sites that make use of IP address and browser information before they start to create an attack," Ollmann said

For instance, a user who visited a malicious Web site using Internet Explorer would be targeted with exploits seeking to take advantage of specific IE flaws, while those running Firefox or Netscape would be targeted with attacks specific to their browser types. The typical payloads include spyware programs and keystroke logging software, he said.

Each Web site can host literally "dozens and dozens of exploits" targeted at old and new flaws in browsers such as IE, Firefox and Netscape, Ollmann said. "We have seen a lot of zero-day exploits being used on such sites."

Very often, the exploits are secured from organized "managed exploit providers" who, for a monthly subscription fee -- sometimes as low as US$20 per month -- provide a virtually unlimited number of exploits, he said.

According to the X-Force 2006 report on security trends, about 30 percent of malicious Web sites at the end of 2006 were using personalization techniques. That number is growing at the rate of about 1,000 new sites every week, Ollmann said. Many of the sites are live for about four or five days before disappearing, he said.

Cybercriminals typically lure users to such sites by using spam mail or by hijacking and using domains that appear to be legitimate sites, he said. Sometimes, users can also get directed to such sites when they click on shared objects within a Web page, such as a banner advertisement or a visitor counter, he said.

Often such sites use IP addresses to ensure that they deliver the malicious code just once in order to minimize the chance of being detected, Ollmann said. Some are even beginning to compile lists of IP addresses of Web sites belonging to security vendors to ensure that visitors from such sites are not targeted with malicious content at all, he said.

Many of these Web sites use sophisticated obfuscation techniques to evade detection, he said. Java scripts, for instance, are often used to "basically encrypt the contents within a page" to hide information from signature-based detection technologies, Ollmann said. A malicious program might also be sometimes truncated into two or more innocuous looking bits, which can then be later reassembled when needed.

Many sites also deliver the payload in two phases. First, a so-called dropper or a downloader program is installed on a system. This program is then later activated to download the malicious payload.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?