A simple tool can show attackers what websites they should target

Oct 8, 2012 12:09 GMT

Most users are aware that, in theory, the websites that bear trustmarks from companies such as McAfee or Trust Guard should be secure. However, experts have found a way to leverage the security badges to identify vulnerable websites.

In their presentation at the Derbycon 2012 security conference, researchers Jay James and Shane MacDougall revealed a clever Perl tool called Oizys that an attacker could use to locate easy targets.

Oizys – whose name is inspired by the Greek goddess of misery and suffering – relies on the fact that McAfee, Trust Guard and other similar service providers replace the badge image with a 1x1 pixel .gif when the site is no longer considered secure.

By scanning the web for these 1x1 .gif images, and by ruling out sites that are simply offline or whose owners stopped paying for the trustmark, the application can determine which domains are vulnerable.
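As an added illustration (not the researchers' Oizys code), the following Python snippet shows the check the technique hinges on: reading a GIF's logical-screen size from its header to tell a 1x1 placeholder from a real badge. A site operator can run it against their own seal image to learn when the vendor has swapped in the placeholder before anyone else notices; the sample bytes are constructed.

```python
import struct

# Constructed sample: a minimal 1x1 GIF, the kind of placeholder the article
# says seal vendors serve in place of the real badge.
PLACEHOLDER_GIF = (
    b"GIF89a"                       # signature and version
    + b"\x01\x00\x01\x00"           # logical screen width=1, height=1 (little-endian)
    + b"\x80\x00\x00"               # packed flags (2-entry colour table), bg index, aspect
    + b"\x00\x00\x00\xff\xff\xff"   # global colour table: black, white
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 1x1 at (0,0)
    + b"\x02\x02\x44\x01\x00"       # LZW min code size 2, one data sub-block, terminator
    + b"\x3b"                       # trailer
)

# Constructed sample: header of a badge-sized GIF (body omitted, only the
# header matters for the dimension check).
BADGE_GIF_HEADER = b"GIF89a" + struct.pack("<HH", 115, 58) + b"\x00\x00\x00"


def gif_dimensions(data: bytes):
    """Return (width, height) from the GIF logical screen descriptor,
    or None when the bytes are not a GIF header."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack("<HH", data[6:10])
    return width, height


def seal_status(data: bytes) -> str:
    """Classify a fetched trustmark image: 'placeholder' for the 1x1 GIF
    the vendors serve after a failed scan, 'badge' for a normal-sized GIF,
    'unknown' for anything that is not a GIF (e.g. a PNG badge)."""
    dims = gif_dimensions(data)
    if dims is None:
        return "unknown"
    return "placeholder" if dims == (1, 1) else "badge"


if __name__ == "__main__":
    print(seal_status(PLACEHOLDER_GIF), gif_dimensions(PLACEHOLDER_GIF))
    print(seal_status(BADGE_GIF_HEADER), gif_dimensions(BADGE_GIF_HEADER))
```

A placeholder result on your own seal warrants checking with the vendor, since the article notes it can also mean a lapsed subscription rather than a failed scan.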

Interestingly, the researchers found that even McAfee's own website had been flagged as potentially vulnerable.