Website owners ignore infection warnings

Owners of infected websites are ignoring warnings that they are helping to distribute malicious computer programmes, claims a security software supplier.

Yuval Ben-Itzhak, chief technical officer of Finjan, said it often took website owners four to five months, if ever, to respond to warnings that their websites carry malicious code.

Ben-Itzhak said Finjan had identified 58 hackers who were targeting customers of western banks, mainly in the EU and US. About 30% were British banks, he said. He declined to name the banks for legal reasons.

Finjan's Malicious Code Research Centre specialises in security holes in internet applications. In July it found more than half a million innocent users were infected with a banking information Trojan after they visited legitimate websites for shopping, government information, price comparisons, and to listen to music.

"The infection ratio is 16% from 3.1 million attempts, indicated from web traffic from the infecting sites," said Ben-Itzhak.

Ben-Itzhak said Finjan had notified webmasters of infecting sites. Few acknowledged the warning, and fewer took down the malicious code promptly, he said.

"Most of it was there three weeks later. Sometimes it is still there four or five months later," he said.

He said Finjan regularly reported infections and the IP address of hackers' servers to national authorities where possible. "Their reaction suggests this is not a high priority," he said.

The Trojan records bank account information such as user name, passwords, account numbers and security information.

Ben-Itzhak said hackers use the MPack toolkit to infect legitimate websites with an "iframe" that points to the malicious code. When the user's browser loads the main page of the compromised site, the malicious code loads and runs encrypted on the user's machine.
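As an added example (not from Finjan or the original article), a webmaster can check served pages for the kind of injected iframe described above. The Python code below lists iframes whose source is on a host other than the site's own or an allowlist, and flags those that are hidden from the visitor; the hidden-frame heuristics, host names and sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic: injected frames are usually styled or sized to be invisible.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """True if the frame is 0 or 1 pixel in either dimension, or styled invisible."""
    tiny = any(re.fullmatch(r"[01](px)?", attrs.get(d, "").strip())
               for d in ("width", "height"))
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))

def find_suspect_iframes(html, site_host, allowed_hosts=()):
    """Return off-site iframes that are not on the allowlist, with a 'hidden' flag."""
    collector = _IframeCollector()
    collector.feed(html)
    collector.close()
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for attrs in collector.frames:
        # Relative URLs have no hostname and are treated as same-site.
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if host and host not in trusted:
            findings.append({"src": attrs["src"], "host": host,
                             "hidden": _is_hidden(attrs)})
    return findings

# Constructed sample page: a legitimate embed, a same-site frame, an injected frame.
SAMPLE_PAGE = """
<html><body><h1>Price comparison</h1>
<iframe src="https://maps.partner.example/embed" width="400" height="300"></iframe>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://collector.invalid/index.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspect_iframes(SAMPLE_PAGE, "shop.example", ["maps.partner.example"]):
        print(finding)
```

Run against the pages as served rather than the files in the source repository, since an injected frame may exist only in what the compromised server sends out.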

When the user logs on to his bank, the malware loads fake pages customised to that bank and runs a keylogger program. This captures account details which it sends secretly over an SSL link to the hacker's collection site. The hacker then logs in as the user to transfer money to his own accounts.

Ben-Itzhak said the hackers changed their sending and receiving websites as often as daily to avoid detection and blacklisting by internet service providers.

"The banks can do nothing because the code runs on the user's machine, and they have no control over the infecting," he said.
