What happens when we find an infected website?

Regular readers of the SophosLabs blog will be well aware of the recent large scale infection of web servers by SQL injection attacks. With the rise in compromised high-profile websites such as Sony PlayStation and the Association of Tennis Professionals, it’s not uncommon for us to be asked the simple question: “Have you notified the company in question?”

So I thought it would be useful to summarise the process we follow before we make details of an infected website public.

We scour millions of websites on the internet every day, automatically processing and adding newly-infected pages to our block list to prevent customers of our WS1000 web appliance from reaching them.

We also receive notifications back from customers of websites that have been scanned and where malware has been detected (these are URLs that we were not already blocking, but which were intercepted before they could do any harm to the customer's computers).

High-profile websites (those which receive a large amount of traffic, or domains which are of particular interest) are flagged to an analyst inside SophosLabs. The first thing the analyst does is manually verify that the website is in fact still infected, or that there is evidence it was recently infected.

We then check to see if the company is one with whom we have an existing relationship. If so, we will contact them directly and assist them in resolving the issue with their website.

If we do not have a relationship with the organisation, we will attempt to contact them by sending an email to their webmaster address. We explain what the problem is with their site and which pages have been affected, and offer assistance in removing the problem.

We do all of the above before we make details of the compromised website public. Our aim is never to cause any embarrassment to the affected organisation (they are, after all, the victims of a criminal act), but to notify the internet community and our customers of the nature of the threat so they can take appropriate action to avoid the infection.

Unfortunately, as has been blogged before, it is not uncommon to receive no response from the owners of an infected website, and to find it is still infected days later. During that time, hundreds if not thousands of innocent internet users could have been unwittingly hit by the malware infection.