Shooting the messenger. Who do you trust?


A few weeks ago I posted a blog article about how scareware distributors are now using cold calling techniques. Many will quickly dismiss such tactics, believing only fools would fall victim to such an obvious scam. However, there is another repercussion to this, and that is loss in trust.

Let me illustrate my point with an example. Here at SophosLabs we encounter tens of thousands of malicious web pages every day. As it turns out, the bulk of these are actually pages within legitimate web sites that just happen to have been hacked in order to distribute malware. One of the questions we regularly get asked during customer visits to SophosLabs is how we go about notifying the webmasters and site administrators. Do we contact all of them to let them know of the problem and help them resolve it?

Well, the short answer is no, we do not contact all of them. To do so would be impractical. But we do have a service available as part of our customer support package which enables them to be notified if we ever see malware lurking within sites they manage.

Inevitably however, we come across compromised sites belonging to organisations that aren’t customers of ours. In such cases (particularly for high profile or popular sites) we do still make efforts to contact them. Central to this contact is trust. When we phone them, we need them to trust who we are and what we say in order for them to set about fixing the problem. This is the nub of the issue.

How does the individual we contact know to trust what we are saying?

The adoption of cold calling tactics in scareware distribution makes the situation worse. On one hand we advise users to be wary of telephone calls informing them of suspicious activity, and on the other, we expect them to trust us when we call them to let them know of an issue on their web site!

In some cases, we even have to explain to them why they cannot see the malware we are talking about when they check the site. Instead, they have to rely on us talking them through the various hoops they have to jump through in order to confirm its presence.

About 18 months ago I decided to investigate how receptive webmasters were to this sort of ill tidings. After several weeks in which I contacted numerous victims (via email), the conclusion was obvious – the vast majority did not trust me. Despite my email containing links to Sophos, links to the description of the malware found on their site, links to my bio, links to free tools they could use to confirm the issue and absolutely no links whatsoever to anything remotely ‘salesy’, the bulk of my emails were never acknowledged (and the sites remained compromised). Of the replies I did get, some were even bordering on hostile!

I have to say that I was not that surprised at this. I should probably be pleased that webmasters are (initially at least) distrustful of such a message. Nonetheless, I would have hoped that more would have at least taken the time to confirm what I was telling them, and get the issue resolved. The truth is that many seemed to care only if the site was up and running and looking “normal”.

So what can we do to improve matters? Perhaps the most important thing we can do at our end is to ensure that we make contact with the correct person. This can be hard, and is not helped by useless or irrelevant contact details within the WHOIS information or the contact page on the site. The message that we give to the individual is crucial as well. It has to be concise enough to be read and understood, yet detailed enough for the individual to be able to successfully confirm the problem.

Finally, there needs to be more education amongst webmasters, site administrators and site design firms about how web sites are compromised in order to distribute malware. Then, in the unfortunate situation that we come calling, the relevant individuals will be better placed to resolve the issue quickly, thereby improving internet safety for all of us.