In 2010, Todd Christopher’s 25-employee photography business landed a choice gig snapping shots of prominent locals at a swanky fundraiser. But when attendees went online the next day to search for their portraits, they got security warnings from their Internet browsers stating that Christopher’s site had been blacklisted, or blocked due to malware, which is malicious software put on a site without the owner’s consent.
Pretty embarrassing for the third-generation family business in the tight-knit community of Cumberland, Md. “It was unfortunate timing,” says Christopher, who had hoped to persuade attendees to keep Christopher Imaging in mind for their own events. The owner of the $2 million business had anti-virus software in place to protect his computers but hadn’t realized he needed separate security software for his website.
As the ability to hack individual computers has been narrowed by automatic operating system updates and effective anti-virus software, hackers are now targeting small companies’ websites, according to Anirban Banerjee, chief technology officer at StopTheHacker, a three-year-old San Francisco company funded with a $950,000 National Science Foundation grant to develop Internet security technology.
Once malware infects a website, it harms both the company and its customers, says Banerjee, whose company protects websites and cleans up those already infected. Google (GOOG) blacklists about 6,000 malware-infected sites every day, says Peter Jensen, StopTheHacker’s chief executive. Other search engines also flag infected sites so that unwary visitors won’t stumble into them. “If you get infected, all your visitors get infected just by visiting your site,” says Jensen. “That’s something you don’t want to do to your customers or potential customers.”
Not only does blacklisting hurt a company’s reputation; it may also put the website out of bounds for days or weeks before a small business owner realizes it. Teri Dourmashkin, founder of New York skin care company La Via Céleste, has no idea how much revenue she lost while her website was blacklisted due to malware last year. She estimates that the site may have been dysfunctional for two or three weeks before she discovered the problem while doing a routine Google search. “I have virus protection on my personal computer, but I never thought about it for my website,” says Dourmashkin.
Malware reaches websites through various avenues, including weak passwords that are easily guessed and visits to already infected sites. Website owners typically have no idea they’ve been infected until the vicious programs wreak havoc, stealing customer banking and personal data or sometimes redirecting visitors to pornography sites that install yet more malicious software.
Malware is also spread through so-called “phishing” attacks, in which scammers send business and personal accounts what looks like a familiar e-mail that, when opened and acted on, allows malware into the recipients’ computers, making their websites, customer lists, and banking data vulnerable. “Small businesses are especially vulnerable to this phishing scam,” says Katherine Hutt, spokeswoman for the Better Business Bureau. “They often don’t have in-house IT help or budgets for training their employees. And that’s exactly what the scammers are counting on.” Her organization has been hit by a massive phishing attack that has gone through five iterations since Thanksgiving weekend and is under investigation by the FBI.
Last week the BBB scam was the second-biggest phishing scheme in the country, according to a computer forensics project called the Spam Data Mine at the University of Alabama at Birmingham. The fake e-mails look like notifications from the BBB that the business has received a complaint from a customer. When the concerned owner clicks on a link or opens an attachment to find out more information, the malware gets downloaded. Some small businesses have been hacked and had money stolen as a result of these phishing e-mails in the past six months, Hutt says.
Jensen recommends that small business owners ask their website host companies whether security protection is bundled into their standard service or can be added on for an extra fee. “Ten or 15 years ago, no one wanted to pay for anti-virus protection for their company PCs. Now small business people with 20 employees are spending $30 per person for anti-virus software, and they don’t even blink when they renew it. Our contention is that spending $200 a year to protect your website, which is your face to the outside world, will be just as automatic in the future,” he says.