What Are Malicious Websites?

Cybercriminals work hard to exploit vulnerabilities and trick people into divulging personal information. One method they use — creating malicious websites — has become widespread. In January 2021, for example, Google counted over 2 million phishing websites.[1] Understanding how to protect your company against these websites is paramount in keeping devices, networks and data safe.

What Is a Malicious Website? 

If an employee is duped by a malicious website, it could expose your company to crimes like data theft or ransomware. Cyber criminals design malicious websites to harvest information and install malware on a visitor’s device when that person takes an action, such as clicking a link or downloading software. In some cases no action is needed, and a “drive-by” download could be planted on anyone just visiting the site. 

These fake websites often masquerade as legitimate ones and use phishing emails to lure visitors. An employee might be prompted to enter login credentials, for example, which could then be used to break into your company’s network to steal valuable information. Or a staffer might inadvertently download a file or piece of software that could launch a ransomware attack, shutting down access to your company’s systems until a ransom is paid.

Examples of Malicious Websites 

Cybercriminals have become more and more sophisticated in their abilities to make malicious websites appear benign, resulting in many successful phishing and malware campaigns. These three examples showcase the opportunistic ways in which people have been tricked into disclosing sensitive information.

• Cybercrime syndicate BAHMUT developed illegitimate news websites that copied headlines from real news sources in order to target consumers, government officials and businesses with phishing campaigns.[2] Links on these malicious websites redirected visitors to phishing sites that requested user login credentials for Google, Yahoo, Microsoft and others. 
• In 2017, a data breach at a leading credit bureau exposed the personal information of nearly 150 million people. Two years later, upon the launch of the bureau’s settlement claims website, cyber criminals began launching copycat websites in an effort to steal personally identifiable information.[3] 
• Cybercriminals have attempted to capitalize on the COVID-19 pandemic by launching fake websites that appeared to be legitimate coronavirus dashboards.[4] These websites would prompt visitors to download an application to help them stay updated on the pandemic, infecting the visitor’s computer with a malware called AZORult. This malware is used to steal browsing history, cookies, passwords, cryptocurrency and more.

How to Identify a Malicious Website 

Some fake sites can be very difficult to spot. Other malicious websites are more obvious, and they have telltale signs. For example, a malicious website might:

• Ask a visitor to download software, save a file or run a program when it seems unnecessary.
• Alert a visitor that their device is infected with malware or that their software is out of date.
• Claim that a visitor has won a prize, while requiring personal information to claim it.
• Use HTTP as the web address prefix instead of the secure protocol HTTPS. HTTPS uses encryption to increase the security of data transfers while HTTP does not.
• Contain errors, such as misspellings in the body of the website or in the URL, or graphic design that doesn’t match a legitimate brand’s.

How to Protect Against Malicious Websites 

Not only is it important for employees to know how to identify malicious websites, it’s equally important for security teams to take proactive steps to protect against them. For organizations, these steps include:

• Blocking access to malicious websites.
• Installing and maintaining antivirus software, which detects and prevents potential infections.
• Enabling pop-up blockers, to disable windows that could contain malicious code.
• Installing or enabling a firewall, which prevents some types of infections by blocking malicious traffic before it enters a device.
• Monitoring accounts for unauthorized use or activity.
• Keeping computers’ software and operating systems up to date.
• Educating employees to identify malicious websites and report them to the company’s security team.

Tools that protect against email-borne threats like URL phishing come with various degrees of security. Some email systems only inspect URLs during the initial delivery, which attackers can bypass by using a benign site that later changes into a malicious one. Similarly, endpoint-based email security controls are generally ineffective in protecting organizations from URL-based email-borne attacks.

Services like Mimecast's use proprietary threat intelligence and analysis to detect and block malicious URLs. They include such techniques as pre-click URL discovery, browser isolation, which opens suspect websites in a separate container, and other protections.

The Bottom Line 

Malicious websites can cause serious harm to the safety and security of an organization’s data and systems. Protecting against them requires a combination of education and good browsing hygiene, as well as having the right tools and technologies in place.
 

[1] “Phishing 101: How it Works and What to Look For,” Security Boulevard

[2] “BlackBerry Uncovers Massive Hack-For-Hire Group,” Blackberry 

[3] “Beware of Fake Settlement Websites,” U.S. Federal Trade Commission

[4] “COVID-19, Info Stealer and the Map of Threats,” Reason Labs