Our Blog

Today’s Lesson: End Users in the Education Sector Are Twice as Likely to Visit Malicious Sites

Share

Monday, Jul 06, 2015

<p>
The threat landscape today is both dynamic and diverse. On one end of the spectrum are mass infections and threats that, while not very sophisticated, cast a wide net. On the other hand, we have very advanced targeted threats that are crafted painstakingly with a single target in mind, and executed over multiple stages possibly over a long period of time. Whatever the type of attack, it is clear that&nbsp;<a href="http://www.websense.com/content/websense-2015-threat-report.aspx" target="_blank">cybercrime is a business</a>,&nbsp;and attackers are utilizing all marketing concepts like segmentation and targeting to zone in on their victims of interest. &nbsp;</p>

<p>
Just like other aspects of the web are dynamic and targeted to you, such as your location, browser type, and browsing history, to maximize the chances of being relevant to you, malware&nbsp;targets its victims using multiple factors.&nbsp;It doesn&rsquo;t have to be custom crafted or targeted at a single entity, but can be targeted automatically at dynamic subgroups&mdash;for example, specific industries, and geographies.</p>

<p>
The industry (sector) and nature of business play a key role in the type of threats malware uses to target its victims. Using<a href="http://community.websense.com/blogs/securitylabs/archive/2015/04/27/Char... target="_blank">Threat Galaxies</a>&nbsp;to cluster a variety of indicators across diverse threat channels, we found some very interesting behavior. As we clustered our telemetry data gathered via our Websense&reg; ThreatSeeker&reg; Network and the&nbsp;<a href="https://www.websense.com/content/websense-advanced-classification-engine... target="_blank">Websense Advanced Classification Engine</a>&nbsp;&nbsp;by type of threat, we saw a thick cluster of injection in every high level Threat Galaxy. Injection is a generic term for a class of attacks that rely on injecting data into web applications in order to facilitate the execution or interpretation of malicious data in an unexpected manner. It falls into the&nbsp;<a href="http://www.websense.com/content/seven-stages-lure.aspx" target="_blank">lure</a>&nbsp;stage of the attack kill chain.</p>

<p>
To illustrate how attacks are targeted by industry (or sector), let&rsquo;s take a journey into our latest Threat Galaxy, (shown below) that encompasses all industries and threats. Specifically as a case study, the dominant green cluster represents compromised websites that have been injected with malicious elements.</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/8666.pic1.png-550x0.png" style="height:551px; width:550px" /></p>

<p>
Isolating the education sector by coloring it in the same color as injection in the second graph below, we see that the majority of the users that visited compromised websites (colored green in the first graph) are from the education sector.</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/6607.pic2.png-550x0.png" style="height:550px; width:550px" /></p>

<p>
Clearly, users in the education sector are more likely to visit compromised websites. Additionally,&nbsp;according to&nbsp;our study based on the large sample set, users in the education sector are:</p>

<ul>
<li>
20 times more likely to encounter websites impacted by BlackHat SEO than any other sector.&nbsp;</li>
<li>
Twice as likely to visit malicious websites.</li>
<li>
Twice as likely to be impacted by Spyware / Adware.</li>
</ul>

<div>
&nbsp;</div>

<p>
Another interesting point to note from the sample set study is that although users from the education sector display more risky behavior in terms of visiting compromised websites, some threats are less likely to descend further down the attack kill chain for these users. A specific case that illustrates that different threats affect different industries is highlighted in our Websense Security Labs&trade;&nbsp;<a href="http://www.websense.com/content/2015-finance-industry-drilldown.aspx" target="_blank">2015 Financial Services Drill-Down report</a>&nbsp;where we found that the Financial Services sector sees 400 percent more attacks using Geodo than other industries see. On the other hand, users in the education sector are hardly ever impacted by Geodo.</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/6758.pic3.png-550x0.png" style="height:248px; width:550px" /></p>

<p>
In terms of behavior profiling, we find that users in the education sector are three times as likely to visit websites on topics, such as cultural and religious institutions, political organizations, supplements and unregulated compounds. Clearly this behavior also affects the threats they are impacted by. All traffic is not created equal&mdash;certainly not to attack infrastructure. There are multiple factors that have a role to play in terms of which threats impact which victim, and the data shows that the company you keep does matter in how likely you are to have your valuable assets breached by a threat. The lesson for organizations is to keep a close watch on the threats affecting other organizations in the same or similar industry and to look for indicators of compromise in their environment that target such organizations.</p>

<p>
Contributors: Amy Steier, Ruchika Pandey, and Rajiv Motwani</p>

About the Author