Certain sites act as the cornerstones of the Internet. Even though they may change, they’re established and trusted. Many people wouldn’t consider any of them potential security risks. So companies and individuals use them as integral parts of their business processes and electronic life – Google Cloud Services and download.cnet.com for instance.
For a threat actor there are few tools handier than a trusted brand or site. It’s the perfect Trojan horse. Because of this, reputation jacking is on the rise.
What’s Reputation Jacking?
Threat actors place malicious content on trusted sites to gain access to users’ devices and spread malware. Instead of attacking from outside, they wait for the victim to download software from a trusted source, or otherwise insinuate themselves into a normal operation.
While phishing methods impersonate trusted brands, reputation jacking goes one step further: the actual trusted brand or site unknowingly hosts the malware, which helps attackers avoid detection. And as quickly as these sites can neutralize uploaded malware, more arrives.
What Kind of Malware Is Hosted on These Trusted Sites?
Threat actors routinely use Remote Access Trojans (RATs) in these attacks. Because RATs allow control of an infected machine, they’re versatile and particularly dangerous. Through this backdoor, an attacker gains total access to the infected machine and connected systems. Beyond monitoring activities, the attacker can change settings, copy files, use the connection for even more criminal activity and a host of other unfortunate scenarios.
Often phishing emails work as the entry point for RATs into a system. First the attacker reaches out to potential victims through a malicious campaign that includes a link to a site. Standard computer security training warns people against such links, but if the link connects to a trusted site or the phishing email mimics acceptable communication well enough, a RAT hosted on a reputable, established site works exceedingly well.
Also bear in mind that downloaded packages can conceal RATs too. So, if one were updating existing software or adding a new app from trusted sites, this kind of Trojan could easily get in. After all, the SSL security certificate is valid and most people would click past the cursory warning to download from trusted sources, if they read it at all.
Threat actors are also Trojanizing actual apps to do their bidding. Unbeknownst to users and the site, download.cnet.com hosted a clipboard-replacing attack for years. The attack allowed malicious actors to replace a user’s bitcoin address with their own. That’s basically someone rerouting your bank deposits to their accounts. Given the fluctuating value of digital currency, it could even be a more expensive theft.
And it’s not just Trojans. Attackers embed malicious code into image metadata files on Google’s Content Delivery Network and can use other means like Flash ads and malvertising that pop up on popular sites.
Ways to Combat Reputation Jacking
Reputation jacking works because people feel safe on certain sites. But whether the threat is on the site or in its applications, reputation jacking preys upon this trust.
So if a trusted site pops up on a potential threat list, think twice before you assume it’s an error.
Companies can overcome implicit bias, even when it’s positive. Some may find that restricting access to people who are on the lookout for potential threats, and ready to handle them, puts them on a better footing. Others may need to implement a process that streamlines protocols so that everyone has simple solutions at their fingertips, such as cybersecurity team alerts or quarantining.
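The advice above about not dismissing a threat-list hit because the host is trusted, as an added example that is not part of the original article: a biased triage rule is compared with one that keeps every hit and labels trusted-host hits for quarantine. All hosts, paths, users and threat-list entries are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: every host, path and user below is invented.
TRUSTED_HOSTS = {"downloads.trusted.example", "cdn.trusted.example"}
THREAT_LIST = {  # per-URL indicators (host + path), as a threat feed might supply
    "downloads.trusted.example/tools/wallet-setup.exe",
    "cdn.trusted.example/img/banner.jpg",
    "files.unknown.example/payload.bin",
}
PROXY_LOG = """\
2024-05-01T09:14:02Z alice GET https://downloads.trusted.example/tools/wallet-setup.exe
2024-05-01T09:15:40Z bob GET https://downloads.trusted.example/tools/editor.zip
2024-05-01T09:17:11Z carol GET https://CDN.trusted.example/img/banner.jpg?w=300
2024-05-01T09:20:55Z dave GET https://files.unknown.example/payload.bin
"""

def parse(line):
    """Split one log line into (timestamp, user, host, indicator key)."""
    ts, user, _method, url = line.split()
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit lower-cases the hostname
    return ts, user, host, host + parts.path  # query string ignored for matching

def naive_triage(log):
    """Biased rule: a hit on a trusted host is assumed to be a feed error."""
    alerts = []
    for line in log.splitlines():
        _ts, user, host, key = parse(line)
        if key in THREAT_LIST and host not in TRUSTED_HOSTS:
            alerts.append((user, key))
    return alerts

def triage(log):
    """Keep every hit; label trusted-host hits so they are quarantined, not dropped."""
    alerts = []
    for line in log.splitlines():
        _ts, user, host, key = parse(line)
        if key in THREAT_LIST:
            label = "trusted-host-hit" if host in TRUSTED_HOSTS else "unknown-host-hit"
            alerts.append((user, key, label))
    return alerts

if __name__ == "__main__":
    print("naive:", naive_triage(PROXY_LOG))
    for alert in triage(PROXY_LOG):
        print("kept: ", alert)
```

The biased rule reports only the unknown host and silently discards the two downloads from trusted hosts, which is exactly the gap reputation jacking relies on.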
No one wants to slow their system or hurt productivity, but security shouldn’t be sacrificed.
Essentially, sacrificing security would just mean you encounter more problems, faster. And who wants that?
Education can help. If individuals and companies expand their definition of “potential threat” to include “potential targets”, it would more accurately reflect the cybersecurity terrain. Attackers target sites with the most traffic and best reputations because they make the most effective conduit. Knowing this is an important first step in cutting off that passage.
By Tenea D. Johnson
Founder, Progress By Design