A flaw in the company's web program was not officially identified, but the company claims the attack was through a "third-party application". Hackers are constantly developing new ways to find errors in web programs and codes and are able to use these codes maliciously and cause problems to all the users of the website. Its difficult to understand the joy hackers get out of attacking a website and being able to spread malicious malware to users of the website. If you are not a computer genius it may be hard to understand how it feels to crack into a company's web program and discover flaws within the code. It may be an unexplainable rush to know that you are capable of doing such a thing.
If companies want to avoid this problem, constantly checking or updating code in web programs must be a necessity! I agree with the security experts' statement in the article that the best thing to do as users when faced with a fake anti-virus message, is to shut down the entire browser. As for recommendations for the company, auditing must be done too, just to make sure things are running smoothly. If not, attacks like this will keep occurring. Then the company will be forced to send a message to all of their users stating, "there was a breach of security, your personal identity may be at risk!" (Something I definitely do not want to see as a user.) In fact, this was not the first attack of Kaspersky's website, in 2009 hackers were able to get in their U.S. support site after discovering a flaw in the web programming again. It is not fair for users to be worried about their personal information being stolen by hackers due to improper web programming.
As I stated before hackers are continuously developing new ways to hack into websites and alter their code to carry out malicious attacks. Companies need to understand that with the technology present in this world (especially the kind used by hackers) they must do the difficult task of constantly staying one step ahead of the hackers. And that means checking for errors in computer code and making sure their protection is updated.
Posts
You make an interesting comment,"Its difficult to understand the joy hackers get out of attacking a website and being able to spread malicious malware to users of the website." I agree that "joy" is a difficult motive to grasp, but I don't think joy is the motive at all.
ReplyDeleteWhile hacking used to be about bragging rights and showing off (late nineties) it has become a big business. It's not so much about pride anymore as it is about money. (University of Notre Dame, Internet and Society: Spring 2010)
In fact, when I looked up this Kaspesky hacking a little bit after reading your article, I found this tidbit that confirms the hackers' motives were in fact about generating profit: "When users tried to download software from Kaspersky on Oct. 17, they were redirected to a malware site that tricked users into downloading fake antivirus software called Security Tool. Once executed, Security Tool displays pop-ups reporting a number of vulnerabilities and threats "found" to scare users into buying what it says is a full version in order to fix these problems" (Rashid 2010, Eweek.com).
It seems like there are often many steps in the path of deceit until one gets to the point where they actually cough up cash for these hackers, which may have obscured the fact that this attack was about money. Regardless, like you mention, hackers are clever enough to engineer malware and predict how people will respond in such a way that they are able to make money even though the process they put their victims through involves a ton of steps, each of which bears the risk of non-participation by the victim.
References:
http://www.eweek.com/c/a/Security/Kasperskys-Download-Site-Hacked-Directs-Users-to-Fake-AntiVirus-336193/
Its interesting to see the level of complication that hackers can put into manufacturing viruses in this day and age. I actually had a virus similar to this one infect my computer and it was very aggravating to remove as it was able to integrate itself into the recesses of my computer. As mentioned in the article it wasn't all that dangerous if you recognized it as a scare tactic but it was annoying as it would flag every program as a potential breach and attempt to redirect you to a fake purchasing site.
ReplyDeleteStill there seems to be a trend among business to not report viruses and hacking attempts. I think that the pride exists more on the side of the companies being hacked than the hackers themselves because, such as in the case of the article, the hacked companies do not tell the public for fear of seeming incapable of securing their system. However, I think it would speak more to their credit if they had announced the hacking attempt the instant that they found out about it as a way of making sure the least number of users were affected by it.
The stigma of getting a virus is a valid fear but waiting it out and hoping that the virus goes away isn't an appropriate response to it. Especially in cases where having this virus can trick a user into revealing information that could be detrimental to their well-being.
The targeting of an antivirus company's web site with a fake antivirus scam is clever and the attackers successfully utilized and abused the trust associated with the Kaspersky brand. In that regard, this attack is similar to a phishing scam.
ReplyDeleteThis attack underscores the cost to organizations - for Kaspersky, the cost isn't just the immediate cost of the web audit and the fixing of the site, but also a cost to its reputation. For a company like Kaspersky, which depends on its reputation and trust to sell antivirus software, the cost of such an attack could be very damaging and it could take a while before users trust the company again.
These costs will hopefully cause Kaspersky to recognize the value of securing its own web site and servers. When taken into account during a risk assessment, this may make it more attractive for the company to invest more money in its own security.