XSS accounted for 69% of blocked attacks in FireHost’s Q4 2012 web application attack statistics. And XSS attacks can be very dangerous: in a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed in the user's browser and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. XSS is employed by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks against web users; the scripts can even rewrite the content of the HTML page.
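As an added example (not part of the article or FireHost's material), the reflected XSS pattern described above in Python: a search page that echoes a query parameter unescaped lets a script carried in the link run, HTML output encoding neutralises the same link, and the HttpOnly attribute keeps a session cookie out of reach of any script that does run. The shop.example URL and the marker payload are constructed for the demonstration.

```python
from html import escape
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed inputs: a harmless marker script stands in for whatever an
# attacker would put in the link, and the shop URL is fictional.
MARKER_PAYLOAD = "<script>/* constructed marker */</script>"
CONSTRUCTED_LINK = "https://shop.example/search?" + urlencode({"q": MARKER_PAYLOAD})


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, decoded as a browser would send it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_page_vulnerable(url: str) -> str:
    """Reflects the 'q' parameter straight into HTML: the classic reflected-XSS bug."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {q}</h1>"


def render_search_page_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-encoded before it reaches the document.
    '<' becomes '&lt;', so the browser shows the text instead of running it."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {escape(q, quote=True)}</h1>"


def contains_live_script(html: str) -> bool:
    """Demonstration check: does a real <script> element survive in the rendered page?"""
    return "<script" in html.lower()


def cookie_readable_by_script(set_cookie_value: str) -> bool:
    """True when a Set-Cookie value lacks HttpOnly, i.e. document.cookie can read it.
    HttpOnly is what stops a successful XSS from lifting the session token."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print("vulnerable:", render_search_page_vulnerable(CONSTRUCTED_LINK))
    print("hardened:  ", render_search_page_hardened(CONSTRUCTED_LINK))
    print("token exposed without HttpOnly:", cookie_readable_by_script("session=t0k3n; Path=/"))
    print("token exposed with HttpOnly:   ", cookie_readable_by_script("session=t0k3n; HttpOnly; Secure"))
```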
“It's fairly obvious that, if you are a retailer or service provider dealing with private customer data or payment card details, your business will present an attractive target for hackers,” said Todd Gleason, director of technology at FireHost, in announcing the statistics. “That being said, we also see attacks that have the potential to simply deface or interfere with and disrupt websites and applications. Even though no data is lost, the reputation of a company can still be seriously damaged.”
FireHost said that it blocked 64 million cyber attacks in 2012, spread across what it calls the Superfecta – a group of four cyber attacks that pose the most serious threat to the private information hosted in databases. Those include XSS, directory traversal, SQL injection and cross-site request forgery (CSRF). The company warns that both XSS and SQL injection attacks have become even more prevalent since the third quarter of 2012.
Three out of the four Superfecta attack types rose in total count between Q3 and Q4 2012 – only CSRF attacks saw a drop in volume. However, the large increase in XSS attacks, which rose from just over one million in Q3 2012 to 2.6 million in Q4, seemingly dwarfs the other three attack types, accounting for 57% of the Superfecta. For all of 2012, XSS clocked in at 5.4 million blocked attacks.
Some point to the speed and ease of the attacks as well. “The escalating increase of XSS attacks in Q4 does not surprise me – any teenager with a web application scanner can initiate these attacks in their free time,” said security consultant Kevin Mitnick, in an email to Infosecurity. “This increase does show, however, that when your servers are plugged in they are going to be probed – likely within several minutes or so.”
As in Q3 2012, Europe is still the second most likely origin point for malicious traffic blocked by FireHost (after North America), being the source of 13% of attacks. However, other regions have seen marked increases in the number of attacks emanating from them, including Africa, Australia, and the Middle East. South and Central America were both the source of less malicious traffic between the two most recent quarters, the company found.
“The change in frequency of the types of attack between quarters gives you an idea of how cybercriminals are constantly working to identify the path of least resistance,” said Chris Hinkley, senior security engineer at FireHost. “During Q4, e-commerce sites in particular would have been very busy with Christmas sales. Hackers will rapidly go after these high-value targets with attacks that are highly automated and, if they are not yielding useful payloads, the attackers are equipped to quickly try a different type of attack.”
He added, “This is why it is important to have an understanding of the kind of traffic that is accessing your hosted infrastructure, so that you can make sure that malicious traffic is diverted and that there is less risk to sensitive data.”