Business Tools

Deceptive appearances

Sep 08 issue

Legitimate websites are now spreading viruses

In the last few months the websites of both the Sony PlayStation game SingStar Pop and the Association of Tennis Professionals (ATP) were hit by a sneaky form of automated hacking that hijacked their pages and downloaded malicious code onto the PCs of innocent third-party visitors.

Though the damage to Sony and the ATP turned out to be mild, site hijacking can be a catastrophe. Once a hacker has broken into a site, it is easy for them to collect passwords, which can result in full-scale identity theft. For a company making its first forays into online commerce, the damage to its reputation if customers start having their details hijacked could be fatal.

Sony and the ATP quickly fixed the problem in the wake of negative publicity. But many companies fail to do so: ‘It is not uncommon to receive no response from the owners of an infected website, and still find it is infected days later,’ says Mark Harris, director at IT security firm Sophos. ‘During that time, hundreds if not thousands of innocent internet users could have been unwittingly hit by the malware infection.’

Expensive security software and consultants can help protect a company, but good programming is enough to prevent many types of website attack. ‘If fields ask for a name, limit it to a maximum of 25 characters and don’t allow brackets,’ suggests Graham Cluley, a technical consultant for Sophos.
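As an added illustration of Cluley's advice (example code written for this page, not from the article or from Sophos): a server-side validator for a name field that enforces the 25-character cap and the bracket ban, and generalises the ban into an allow-list of characters a name actually needs. The sample submissions at the bottom are constructed.

```python
import re
import unicodedata
from typing import Dict, Tuple

MAX_NAME_LEN = 25  # the limit Cluley suggests for a name field

# Allow-list (the generalisation of "no brackets"): runs of letters in any
# script, joined by a single space, apostrophe, hyphen or full stop. Anything
# else is rejected, so there is no list of "bad" characters to keep up to date.
_NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-.][^\W\d_]+)*$")


def validate_name(raw: str) -> Tuple[bool, str]:
    """Check one submitted name on the server. Returns (ok, cleaned_name_or_reason)."""
    if not isinstance(raw, str):
        return False, "not a string"
    # Normalise first so the length limit counts characters the way the user
    # sees them, and look-alike encodings of the same text are judged alike.
    name = unicodedata.normalize("NFC", raw).strip()
    if not name:
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, f"longer than {MAX_NAME_LEN} characters"
    # The article's explicit rule, kept as its own check so the reason is clear;
    # the allow-list below would reject these characters anyway.
    if any(ch in "<>[]{}()" for ch in name):
        return False, "brackets are not allowed"
    if not _NAME_RE.match(name):
        return False, "contains characters a name does not need"
    return True, name


# Constructed submissions (not real data): ordinary names pass, an over-long
# name and anything resembling markup or code are rejected. The full-width
# brackets in the last entry slip past a bracket blocklist but not the allow-list.
SAMPLES = [
    "Graham Cluley",
    "Jean-Luc O'Brien",
    "Anne-Marie de la Cruz-Smith-Jones",
    "Bob <b>Smith</b>",
    "Bob; Smith",
    "Bob＜Smith＞",
]


def check_samples() -> Dict[str, bool]:
    """Map each constructed submission to whether the validator accepts it."""
    return {s: validate_name(s)[0] for s in SAMPLES}
```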

While attacks like those against Sony and the ATP have been around for a while, they recently surfaced in the shape of the ‘Asprox botnet’. This involved a network of computers controlled by a hacker that automatically searched for and attacked vulnerable websites.

The high level of automation means any vulnerable site will eventually be found and compromised. Victims include BMW Mexico and the soft-drink maker Snapple.

‘These are genuine companies doing ordinary business,’ says Cluley. ‘It makes it hard to give common sense advice because any site can be infected. In the old days we could just tell consumers to avoid risky sites like gambling and porn sites, but now you can’t say things like “sites about bird watching are less likely to be infected”.’