About Last Week’s Malware Attack
November 21, 2011
As you may have noticed, on Thursday November 17th we received a warning from Google
that an automated scan had discovered that some of our site’s pages could “cause users
to be infected with malware.” Immediately after we were notified of this issue, our
hosting provider and website developers worked together to identify and remove
the threat, which was initially completed by mid-morning Thursday.
Unfortunately, later that afternoon our site was hacked again, which caused us to take the site off-line for several hours. After removing the new malware script, we then proceeded to implement even more rigorous security precautions, above and beyond industry-standard practices for a site like this.
This was all completed by mid-day Friday
and our site was certified as malware-free by Google that afternoon.
In terms of the immediate effects, from Wednesday to Friday we saw an 88% drop in traffic and a dramatic increase in our bounce
rate. Although we were sorry to have to
incur the loss in traffic and out-of-pocket expenses in recovering from this
attack, we do think this is a good example of how the free market worked to
thwart malware without government intervention.
Another theory pushed by certain proponents of SOPA is that
the malware warnings on our site are somehow analogous to, and a justification
for, the DNS blocking provisions in SOPA. (Note: the specific malware warnings in
question were not implemented through the DNS system; they use browser-based
technology, similar to anti-virus software, to protect their users.)
Perhaps if these proponents had pushed for someone with
technical expertise to testify about the DNS blocking provisions on SOPA at the
hearing last week, they would have learned why DNS blocking is a terrible and
ineffective approach to shutting down a website.
In fact, PK’s particular situation actually illustrates why
DNS blocking is a bad idea:
- In this situation, the malware blocking was a
warning from Google, which occurred well after leaving the DNS and hitting our site.
- If you used Internet Explorer or a mobile
device, you most likely didn’t see the warning.
- If you followed PK on Twitter
or Facebook you could have accessed our site without seeing the warning by typing in
our IP address: 18.104.22.168
So in brief, if individuals were to begin accessing sites directly
via their IP addresses, malware attacks such as these would be harder to detect.
Could Your System Have Been Affected?
Short Answer: Very unlikely. Although the warning from Google was up for almost two days, the actual malware which caused it was only present for a few hours.
Long Answer: If you followed the warning and navigated away from the
site, you would not have been affected. However, even if you continued to browse
the site (or never saw the warning because you were using Internet Explorer or
Safari), if your operating system was up to date and you were running
appropriate anti-virus software, it is extremely unlikely that your system was
We have changed hosting providers and moved to our own dedicated,
secure server, and we are still very much investigating the execution of this
attack in cooperation with federal, state, and local law enforcement agencies,
to whom we have reported the intrusion.
If you think your system might have been affected, please
let me know.