Analysis

Casual surfing

Posted on 13 Aug 2008 at 11:12

We started our investigation by looking at everyday internet usage, such as you'd expect from a casual, adult PC user. These users tend to spend most of their online time at a few favourite websites - typically, big commercial sites such as Amazon or HSBC, sites that you'd expect to be safe.

Yet even if the well-respected multinationals wouldn't deliberately infect their users, there are those that would. "You can find malware even on completely legitimate sites," explains Larry Bridwell, global security strategist for AVG. "Hackers break into sites and place their own code on there to carry out 'drive-by downloads'. Any web page is vulnerable, but the popular sites are particularly attractive."

Naturally, though, the big sites work hard to make sure this doesn't happen. "Of course, the criminals think, 'it would be really cool if we could crack HSBC'," says David Emm, senior technology consultant at Kaspersky Lab. "But the HSBCs of the world have rafts of people constantly working at keeping them clean and secure. That doesn't mean they're immune, but it does make it a lot less likely they'll be compromised."

In our own visits to a wide range of popular commercial sites, we were unable to find any evidence of malware, and research shows it's a very rare occurrence. The most recent instance of malware being served from a high-profile site came in February 2007, when an official website of the American football Super Bowl was hacked and turned into a Trojan-dropping machine. Our conclusion: if you stick to big sites, there's a small risk of malware, but no call for panic.

Search engines

The larger sites may be fairly safe, but internet searches are likely to lead to smaller sites that are more susceptible to hackers. "Joe's retail store down the road doesn't have the wherewithal of the big sites," Emm warns. "They might have brought in a consultancy to deploy their software, and may not have security staff of their own. That makes them more vulnerable."

We used Google, Windows Live Search and Yahoo to carry out a series of sample web searches. We started with various computer-related phrases, and both Google and Live returned more than 500 results for "help with Vista" without a single infected site sneaking in. Yahoo's 241st result was identified as serving up "potentially dangerous downloads", but Yahoo itself warned us away from the site, thanks to its built-in McAfee SearchScan system.

We also searched for news and gossip, but here too the threat proved minimal. Names such as Boris Johnson, David Tennant, Britney Spears and Darcey Bussell produced overwhelmingly clean results, with Google listing more than 300 clean pages about the London mayor before a single infected site appeared. These impressive results partly reflect the way modern search engines work. They rank pages not only by relevance, but also by popularity. Since people prefer sites they trust, and avoid those they've found to be dodgy, the good sites bubble to the top.

Even esoteric searches, leading to pages of only niche interest, didn't yield any malware.

Web adverts

Almost all of the websites we visited hosted adverts, but they're rarely managed by the site itself; instead, they're fed in by external agencies including DoubleClick or AdBrite. As Bridwell points out, this provides another possible entrance for malware. "Criminals do find ways of getting malware into ads, which are then placed on legitimate sites by other companies."


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
