Assessing Risk
The Web poses unique security challenges. When legitimate websites are compromised, anyone can - theoretically - be exposed. To be meaningful, security researchers dealing with Web threats have to develop a solid risk assessment plan that includes the ability to distinguish actual risk from theoretical possibility.
ScanSafe has an advantage in this area because we deal in actual traffic and thus can take 'probable' out of the equation. We don't have to guess whether something will or won't be a problem for Web surfers because we have the actual numbers. Still, we always back up our own findings with traffic analysis and exposure numbers from verifiable sources.
We also consider the quality/popularity of the compromised sites that are acting as conduits for the malware. If the majority of compromised sites have non-existent or extremely low popularity rankings, common sense and a basic knowledge of SEO tells us that the attacks will never take off.
If we didn't incorporate risk assessment, we'd be issuing non-stop alerts. Website compromises are real, pervasive, and an ongoing threat. On average, ScanSafe analyzes over a thousand unique attacks against Web properties each month, many of which impact tens of thousands of highly trafficked websites. Mixed in with those are plenty of others that very few users will ever encounter.
Because we see so much, we take some things for granted. For example, we expect to see heavy obfuscation of embedded scripts, multiple embedded scripts on a compromised page, and multiple redirects in the chain.
While these techniques aren't new to us, we can appreciate that some researchers may be seeing them for the first time. And it's understandable that someone seeing it for the first time would be eager to blog about it.
But enthusiasm aside, as an industry we need to ensure we've done the proper risk assessment and that we report events in their proper context. At ScanSafe, we take this part of our job very seriously and work diligently to separate the theoretical from the real. Because if we didn't do that, we would mislead the many folks who are relying on us.
Nine-ball a Scratch
We received a couple of inquiries about an alleged 40,000 domain attack reported by Websense. The attacks were dubbed "Nine-ball", presumably because one of the malware hosts is named "ninetoraq.in". Get it? Nine-to-rack, i.e. nine-ball pool.
Naturally we were a bit surprised that such an allegedly massive attack could bypass our sentries. After we did take a look, it became apparent why this one didn't trip our alert sensors: this attack is almost non-existent and might be more aptly named "scratch ball". This isn't to say our customers weren't protected; they were and still are. It is, however, such a low-volume attack that it's not the type of thing we'd normally spend our time investigating.
To put this alleged "Mass Injection" into its proper context, here are the actual raw traffic numbers from June 15th onward:
Total number of requests to sites involved in the attacks: 333
Total compromised websites observed: 62
These are the totals based on actual traffic requests involving all of the following malware hosts:
rnw.kz
bro.tw
rmi.tw
ninetoraq.in
Besides just the numbers, another metric we consider is the quality/popularity of the compromised sites acting as conduits for the malware. Based on that metric and some other measurements we take, we can pretty accurately judge whether a particular attack will take off. In this case, with the exception of skyscrapercity.com (a top 10,000 domain according to Alexa), the remaining 61 observed domains all had extremely low or non-existent Alexa traffic ratings. diamond-limousine.com, for example, has an Alexa ranking of 10,658,149.
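The two raw numbers above (requests to the malware hosts, distinct compromised referrer sites) plus the popularity check can be pulled straight out of proxy logs. The script below is an added example, not ScanSafe's code: it assumes a constructed four-field log format (timestamp, client, requested URL, referer), a hypothetical popularity table in which the two ranks are made up to match the post's description (skyscrapercity.com inside the top 10,000, diamond-limousine.com at 10,658,149), and an assumed cutoff of 100,000 for what counts as a "popular" conduit site. It also handles the edge cases a real pass needs: a referer that is itself one of the malware hosts is a redirect hop, not a compromised site, and a lookalike name that merely contains a listed host must not match.

```python
"""Triage proxy log lines against a list of known malware hosts.

Added example (not ScanSafe's own code). It computes the raw exposure numbers
the post reports and then applies the popularity test the post describes.
"""
from collections import Counter
from urllib.parse import urlsplit

# Malware hosts named in the post.
MALWARE_HOSTS = frozenset({"rnw.kz", "bro.tw", "rmi.tw", "ninetoraq.in"})

# Hypothetical popularity table (site -> Alexa-style rank, lower is more popular).
# A real run would load a ranking feed; these two values are constructed to match
# the post's description of the sites.
POPULARITY_RANK = {"skyscrapercity.com": 9_500, "diamond-limousine.com": 10_658_149}

# Constructed proxy log: "timestamp client_ip requested_url referer" per line,
# "-" for no referer. example.net is a made-up compromised site; line 7 is
# deliberately malformed and line 8 is a lookalike that must not match.
SAMPLE_LOG = """\
2009-06-15T10:01:02 10.0.0.5 http://rnw.kz/in.cgi?3 http://www.skyscrapercity.com/showthread.php?t=1
2009-06-15T10:01:09 10.0.0.5 http://ninetoraq.in/x/?spl=1 http://rnw.kz/in.cgi?3
2009-06-15T11:30:44 10.0.0.9 http://diamond-limousine.com/index.html -
2009-06-15T11:30:45 10.0.0.9 http://bro.tw/in.cgi?3 http://diamond-limousine.com/index.html
2009-06-16T08:12:00 10.0.0.12 http://www.example.net/ -
2009-06-16T08:12:01 10.0.0.12 http://www.rmi.tw/in.cgi?3 http://www.example.net/page.html
this line is malformed
2009-06-16T09:00:00 10.0.0.12 http://bro.tw.example.org/ http://www.example.net/page.html
"""


def _host(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_malware_host(host, malware_hosts=MALWARE_HOSTS):
    """True if host is a listed malware host or a subdomain of one.

    A name that merely contains a listed host (bro.tw.example.org) does not match.
    """
    return any(host == m or host.endswith("." + m) for m in malware_hosts)


def _site(host):
    """Collapse www.foo.com to foo.com so one compromised site is counted once."""
    return host[4:] if host.startswith("www.") else host


def triage(log_text, malware_hosts=MALWARE_HOSTS, ranks=POPULARITY_RANK,
           popular_cutoff=100_000):
    """Compute the exposure metrics from the post for one block of log text.

    popular_cutoff is an assumed threshold: a referrer ranked worse than it
    (larger number) or not ranked at all counts as low/non-existent popularity.
    Malformed lines are skipped rather than aborting the run.
    """
    requests = 0
    sites = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, _client, url, referer = parts
        host = _host(url)
        if not host or not is_malware_host(host, malware_hosts):
            continue
        requests += 1  # a request to one of the malware hosts
        ref_host = _host(referer) if referer != "-" else None
        # A referer that is itself a malware host is a redirect hop, not a conduit site.
        if ref_host and not is_malware_host(ref_host, malware_hosts):
            sites[_site(ref_host)] += 1
    popular = sorted(s for s in sites if ranks.get(s, float("inf")) <= popular_cutoff)
    return {
        "requests": requests,
        "compromised_sites": sorted(sites),
        "popular_sites": popular,
        # The post's rule of thumb: if popular sites are a minority of the
        # conduits, the attack is unlikely to take off.
        "low_exposure": len(popular) * 2 < max(len(sites), 1),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this yields 4 requests to the malware hosts across 3 conduit sites, only one of which is popular, so the verdict is "low exposure"; swap in a real log and a real ranking feed and the same numbers are the ones the post compares against Websense's figure.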
Certainly ScanSafe is unique in its real-time scanning, the amount of traffic handled, and its ability to report about what's actually happening to Web surfers. Just in the past week, ScanSafe processed over 10 billion Web requests. I suppose when you see that much traffic, from thousands of customer companies in over 90 countries on 4 different continents, your perspective changes. Our view is also shaped by the fact that we see well over a thousand unique Web attacks every month, some that are big like Gumblar and some that are very small like "nine-ball". And from our unique perspective, 333 requests involving 62 compromised websites is certainly not something we would brand a "massive injection".
I personally question whether it was even worth the time just spent blogging about it.
Data Loss Top Enterprise Concern
Illena Armstrong, editor-in-chief of SC Magazine, writes:
"Security professionals are well aware of the dangers to a company's bottom line caused by the loss of a laptop, smart phone or other mobile device. What corporate secrets are now available to intruders? How will the leakage of corporate assets or confidential customer data affect the company's reputation, never mind the costs incurred from meeting regulatory demands committing the organization to contact everyone affected."
To address some of these questions, Armstrong interviews Craig Lucca, manager of security administration and management at Bloomberg. The article, titled "Data loss is the top concern in the enterprise" contains some solid advice - and serves as a good preview of what's to come at the SC Magazine Mobile Security eConference on June 16.
T-Mobile Data Breach Alleged
Data theft trojans have been continuing their upward trajectory and are currently the most prevalent malware binaries blocked by ScanSafe. I'm often asked what the attackers do with the data they steal. There's no single answer; what happens to the stolen data depends solely on the imagination and intent of the attackers. In some cases, the attacker may try to peddle the stolen data to the victim's competitors, and if that fails, offer it up for sale to the highest bidder.
T-Mobile may be the latest victim of that. On Sunday, attackers advertised the following on the Full Disclosure mailing list:
Hello world,
The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers.
Like Checkpoint, T-Mobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.
We already contacted their competitors and they didn't show interest in buying their data, probably because the mails got to the wrong people, so now we are offering them for the highest bidder.
Please only serious offers, don't waste our time.
The remainder of the email consists of source documentation of the alleged stolen data and can be viewed in its entirety via the Full Disclosure archive.
Gumblar Tops Google's Malware Domain List
Yesterday, Niels Provos of the Google Security Team posted a list of the top ten malware domains (based on the number of compromised websites referencing the malware domains).
Gumblar.cn topped the list with 60,000 compromised websites detected. Martuz.cn, the third stage of the Gumblar attacks, was in the number two spot with 35,000 compromised websites referencing that domain.
(It's assumed, but not known, that the 35,000 martuz.cn referencing sites are included in the 60,000 gumblar.cn referencing sites. If not, that makes the Gumblar attack numbers just that much higher).
Conversely, Beladen.net was pretty far down the list at position 124 with approximately 3,500 compromised sites, according to the Google report. This contradicts claims from Websense and others placing the number of Beladen compromised sites as high as 40,000. Beladen compromised sites accounted for only 0.03% of ScanSafe Web malware blocks in May 2009, compared to Gumblar compromised sites at 37%.
