You don't have to click on a sketchy link to end up downloading malware. A new report from Citizen Lab's Morgan Marquis-Boire shows how companies can spread targeted malware by intercepting web traffic en route, sending malicious traffic from an otherwise friendly link. A company called Hacking Team has been using the tactics on traffic from YouTube and Microsoft's login.live.com servers, seeding innocent videos with surveillance software designed to track the target's activities online.
The attacks are more targeted than traditional malware, usually targeting a single person at a time, and relying on access to government internet infrastructure to intercept the traffic. Hacking Team typically works with governments like Morocco and the United Arab Emirates, but Marquis-Boire says similar capabilities have been used by intelligence agencies in the US, Britain, Russia, China and Israel.Snowden documents released in The Washington Post have identified NSA malware injection attacks that infected more than 80,000 different devices.
Since the attacks are injected into everyday web traffic, defending against them is difficult, but many companies have already adopted HTTPS encryption as a possible defense. HTTPS would encrypt the connection between the user and the server, preventing injection attacks. At the moment, only a small fraction of web traffic is encrypted, but Google is offering incentives to sites that switch over, including a small boost in search rankings. It's unclear whether login.live or YouTube will switch to default HTTPS, but Marquis-Boire says both Microsoft and Google "have taken steps to close the vulnerability by encrypting all targeted traffic."