Websites preferred means of attack for cyber-criminals

PCs are now more likely to be infected with malware from websites than by virus-spreading emails, said Sophos.

In its latest security threat report, the security company warned that cyber-criminals are increasingly burying malware in legitimate websites, as people become more aware of the problems of malicious code in emails.

The malware, such as bank detail-stealing Trojans, is hidden on these sites and tries to surreptitiously download itself to the intended victim's PC.

Graham Cluley, Sophos' senior technology consultant, said: "The real message is not where you go but what is on the site. This problem is not confined to dodgy pornographic websites anymore.

"We are seeing around 29,700 infected web pages every day, of which more than eight in ten were on legitimate websites, including big and small businesses and community sites."

By infecting a single file on a web server, cyber-criminals can easily and quickly cross-contaminate a huge number of websites, as the infected file may form part of a plethora of unrelated pages, all of which are published from the same server.

More than half of all infected web pages found are hosted on Apache servers, which Sophos said demonstrates that infection is not simply a Windows problem.

He said consumers should apply a "good dollop of common sense" in order to protect themselves. This includes keeping security software up to date and having a good firewall.

"A firewall is vital because it should try to block unwanted intrusions. If you haven't made changes or are not downloading a file and you get a message asking for permission to do these, don't give it," he said.

Mr Cluley also urged people to be more aware of the type of information they give out on web forms.

"If you are asked for your mother's maiden name, don’t give the real one. Tell them it is Xena Warrior Princess or something. It doesn't matter to the online bank or retailer because it is just used to identify you online.

"But if someone is out to steal your identity and use that name in the real world there is obviously something amiss and they can't go to Somerset House and find out more details about you."

He called on web hosts to ensure better protection for their servers and said internet service providers could do more to help by monitoring web traffic for malware.

The only good news from the report, he said, is that the security industry is finally winning the battle against spam.

"Spammers are being forced to put their junk mail in PDFs and Excel files to outwit spam filters. But these take too long for most people to download and eventually fewer will be read by consumers," he said.