Shooting the messenger. Who do you trust?

Filed Under: Malware, SophosLabs

A few weeks ago I posted a blog article about how scareware distributors are now using cold calling techniques. Many will quickly dismiss such tactics, believing only fools would fall victim to such an obvious scam. However, there is another repercussion to this, and that is loss in trust.

Let me illustrate my point with an example. Here at SophosLabs we encounter tens of thousands of malicious web pages every day. As it turns out, the bulk of these are actually pages within legitimate web sites, that just happen to have been hacked in order to distribute malware. One of the questions we regularly get asked during customer visits to SophosLabs is how we go about notifying the webmasters and site administrators. Do we contact all of them to let them know of the problem and help them resolve it?

Well, the short answer is no, we do not contact all of them. To do so would be impractical. But we do have a service available as part of our customer support package which enables them to be notified if we ever see malware lurking within sites they manage.


Inevitably however, we come across compromised sites belonging to organisations that aren't customers of ours. In such cases (particularly for high profile or popular sites) we do still make efforts to contact them. Central to this contact is trust. When we phone them, we need them to trust who we are and what we say in order for them to set about fixing the problem. This is the nub of the issue.

How does the individual we contact know to trust what we are saying?

The adoption of cold calling tactics in scareware distribution makes the situation worse. On one hand we advise users to be wary of telephone calls informing them of suspicious activity, and on the other, we expect them to trust us when we call them to let them know of an issue on their web site!

In some cases, we even have to explain to them why they cannot see the malware we are talking about when they check the site. Instead, they have to rely on us talking them through the various hoops they have to jump through in order to confirm its presence.

About 18 months ago I decided to investigate how receptive webmasters were to these sort of ill tidings. After several weeks in which I contacted numerous victims (via email), the conclusion was obvious - the vast majority did not trust me. Despite my email containing links to Sophos, links to the description of the malware found in their site, links to my bio, links to free tools they could use to confirm the issue and absolutely no links whatsoever to anything remotely 'salesy', the bulk of my emails were never acknowledged (and the sites remained compromised). Of the replies I did get, some were even bordering on hostile!


I have to say that I was not that surprised at this. I should probably be pleased that webmasters are (initially at least) distrusting of such a message. Nonetheless, I would have hoped that more would have at least taken the time to confirm what I was telling them, and get the issue resolved. The truth is that many seemed to care only if the site was up and running and looking "normal".

So what can we do to improve matters? Perhaps the most important thing we can do at our end is ensuring that we make contact with the correct person. This can be hard, and is not helped by useless or irrelevant contact details within the WHOIS information or the contact page on the site. The message that we give to the individual is crucial as well. It has to be concise enough to be read and understood, yet detailed enough for the individual to be able to successfully confirm the problem.

Finally, there needs to be more education amongst webmasters, site administrators and site design firms about how web sites are compromised in order to distribute malware. Then, in the unfortunate situation that we come calling, the relevant individuals will be better placed to resolve the issue quickly, thereby improving internet safety for all of us.

, ,

You might like

8 Responses to Shooting the messenger. Who do you trust?

  1. @itinsecurity · 1401 days ago

    I suspect that part of the reason sending such requests to webmasters is futile, is that they do not want their record blemished.

    Send it to a sales contact / PR-manager, however....

    • fraserhoward · 1401 days ago

      Perhaps, although you would expect that if they wanted to protect their reputation/brand, then removing malicious code from the site ASAP would be a priority!

  2. Do you have a page set up with tools that can be used to check sites out? If not, that would be a help. ;)

  3. Zachary_B · 1400 days ago

    What about posting a list of compromised websites somewhere? That might get some attention if it became even remotely well known. Maybe team up with some other organization? I'm sure that the other sites would love the extra traffic. Maybe contact Gizmodo, Engadget, Slashdot, or any other tech-blog type site.

    Of course it would just focus on reputable websites that were hacked to serve up malware on the side... Just an idea!

  4. Svish · 1400 days ago

    Add their site to a list of sites with malicious stuff on it so that browsers block it from their visitors. That should speed up their willingness to fix things...

    Certainly did with us, haha. A big red screen with "This website contains bad stuff, go somewhere else" isn't exactly what we want to show our visitors when they come to our site :p

    • Matt · 1400 days ago

      Getting onto Google might help with this. If an
      administrator suddenly realises that the 75% of his traffic just
      vanishes because Google has blocked their site, fixing the problems
      will be his top priority.

  5. Would signed email not help this whole trust thing?

    Not enough signed email used these days.

  6. I have been a victim of a compromised site, twice. The first time, it was a JavaScript injection. Luckily, the injected JavaScript interfered with existing ASP, so the site broke, and I was able to find out about it right away. Getting rid of it, however, was not so easy. I wound up having to reformat the hard drive and install the files from a safe backup.

    The second time, it was SQL Injection, and there was also a zombie bot on the database server, that was waiting for a command from its master. I got rid of it, shored up the server, shored up scripts that talked to the database, and put the db server behind a firewall that only the web server has access to. I also turned off FTP access to the web server from the outside.

    What made this all the more difficult was my boss, who was convinced that all that was wrong was a coding error on my part. She did not believe that anyone would break into the servers. It finally took her seeing the zombie bot for herself before she believed that the server had been broken into.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.