There’s an interesting article about some research that Finjan did, in which they found that 80% of malware is served by ads. Setting aside the statistic itself, which you can either agree with or not (maybe it’s 80% of what Finjan detected), it’s still an interesting trend. However, one thing struck me in the article that they almost glossed over. They mentioned that one trend is that attackers are embedding the code so that it executes when seen through translation services. Interesting.
There are a few reasons this is interesting. Firstly, it’s kind of a slap in the face to people who think that using translation services somehow makes you safer or more private (I’ve never understood why people think that, since it still downloads all the embedded content directly from your server), and secondly it really opens up a new way to target your attack. It’s easy to tell when a user is using a translation service: either the referring URL points at the translation service, or there is no referring URL but the request was preceded by a pull from a translation service. The second case could be aided by unique IDs on images to track them back to specific pages.
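What the server side sees in that case, as an added example (not from the original post or from Finjan's research): a pass over constructed log records showing that the translator's fetcher only stands in for the HTML request, while the reader's own IP still pulls the embedded images. The hostname `translate.example`, the `ExampleTranslateFetcher` user agent, the `pv` image parameter and the record layout are all assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions: the translation service's hostname and a marker in its fetcher's User-Agent.
TRANSLATOR_HOSTS = {"translate.example"}
TRANSLATOR_UA_MARKER = "ExampleTranslateFetcher"

# Constructed records: (client_ip, request_url, referer, user_agent, token_issued).
# token_issued is the per-render ID the application appended to that page's image URLs.
LOG = [
    ("192.0.2.10", "/post/42", "", "ExampleTranslateFetcher/1.0", "t-7f3a"),
    ("203.0.113.5", "/img/banner.png?pv=t-7f3a",
     "https://translate.example/translate?u=http://site.example/post/42", "Mozilla/5.0", None),
    ("198.51.100.23", "/post/42", "https://search.example/?q=x", "Mozilla/5.0", "t-91bc"),
    ("198.51.100.23", "/img/banner.png?pv=t-91bc", "http://site.example/post/42", "Mozilla/5.0", None),
    ("192.0.2.10", "/post/7", "", "ExampleTranslateFetcher/1.0", "t-c210"),
    ("203.0.113.77", "/img/banner.png?pv=t-c210", "", "Mozilla/5.0", None),
]

def exposed_readers(log):
    """Map each reader IP that fetched embedded content of a translated page to the evidence."""
    translator_tokens = {}  # token -> page path that the translator's fetcher pulled
    found = {}
    for ip, url, referer, ua, token in log:
        parts = urlsplit(url)
        # Page pulled by the translation service itself: remember which token it was given.
        if token and TRANSLATOR_UA_MARKER in ua:
            translator_tokens[token] = parts.path
            continue
        # Case 1: the browser sent the translation service's URL as the referrer.
        ref_host = urlsplit(referer).hostname if referer else None
        if ref_host in TRANSLATOR_HOSTS:
            found[ip] = "referrer"
            continue
        # Case 2: no referrer, but the image carries a token issued to the translator.
        pv = parse_qs(parts.query).get("pv", [None])[0]
        if not referer and pv in translator_tokens:
            found[ip] = "token:" + translator_tokens[pv]
    return found

if __name__ == "__main__":
    for ip, evidence in exposed_readers(LOG).items():
        print(ip, evidence)
```

The direct visitor (198.51.100.23) and the translator's own fetcher address are not reported; only the two addresses that loaded images for a translated page are, which is exactly the information the translation service does not hide.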
Now, using the translation service to know that your target is located in some area that speaks whatever language they are using, you can be sure that they are in an area that has no extradition treaties with wherever you are hosting. That can greatly reduce the likelihood of getting caught, while still maintaining some good number of malware infections. Kinda nasty. I might be reading a little too far into Finjan’s findings, but still, it’s interesting to think about.