GDPR cybersecurity – browser exploitation and malvertising
Advice for practitioners – and your clients – on how to protect your web browsers.
In Agent Update 65 HMRC highlights the vulnerability of web browsers. It states that 'web browsers and associated software (e.g. plug-ins like Flash) enable users to enjoy a wealth of digital content, in a range of different data formats. There is a lot of complexity behind the scenes in these programs, and security researchers and criminals work hard to find mistakes made by software developers that maintain them. These mistakes often relate to how the web browser processes data within a web page; by crafting the right content, an attacker can get the browser to mistakenly run the attacker's code. When these vulnerabilities are discovered or reported, the software developers hurry to release software "patches" (updates) to plug the holes.
'Not everyone applies these updates though, or they may even use older versions of web browsers that updates are no longer provided for. This presents an opportunity for criminals, who use “exploit kits” – a collection of specially crafted code, on a website that will target a wide range of vulnerabilities. Their only challenge is to get potential victims to visit their site – once they do, criminals are able to gain entry and install or run their malicious software. This includes sending out emails with links to these websites, littering social media sites with links, or paying for online adverts, which direct victims to the malicious site.
'The latter technique is referred to as malvertising (derived from malware and advertising), and criminals use a range of techniques to sneak their adverts past the checks of online marketing companies to appear on popular websites. Many legitimate sites have unknowingly hosted malvertising, including household names.
'Applying software updates is an important part of keeping your IT systems secure, and generally keeps you safe from this method of attack.
'Applying security patches to ensure the secure configuration of systems forms part of the National Cyber Security Centre (NCSC) 10 Steps to Cyber Security.'