A great deal of the malware going around these days is spread through the web. And yet, many web hosting companies don’t recognize that their hosted pages have been infected by malware or that one of their web hosting customers is deliberately distributing bad code. Reporting these types of malware-based incidents should be easy, so it can be removed quickly. When let loose on the web, malware has enormous potential to cause harm using things like stolen banking and credit card credentials; DDoS attacks; corporate proprietary data breaches; and downtime for hospital and government networks. And it’s not just traditional computers that are using the web these days—it’s also happening with IoT (Internet of things) devices like medical equipment and industrial controllers.
How do web hosting companies deal with malware?
Abuse.ch cybersecurity activist, Roman Hussy, has done some tremendous research on how web hosting companies react to malware. Hussy works with a web blacklisting platform known as URLhaus, so he has excellent access to relevant data. And what he discovered about web hosts through this process is disturbing at best.
As far as web hosting company email addresses for reporting malware incidents are concerned, the connected inboxes are often stuffed-to-the-gills, exceeding their quota. Hussy sees this as a symptom of negligence on the part of the host, as they aren’t addressing their malware reporting emails—or at least not often enough. He believes this may indicate that network owners don’t care about abuse problems in their networks.
What are some other ways we are missing malware?
To make matters worse, the spam filters connected to these email accounts are often blocking many malware reports because they contain malicious URLs. It is often necessary to report a malicious URL via email, so this is a bit like having the flu and being told you can’t go the ER because you might make the other patients sick. What a Catch-22.
Sender email address verification is usually a good security measure for keeping spammers and cyber attackers away. But unfortunately, like the malicious URLs being blocked, this can be a security measure which renders emailed malware incident reports useless. Malware incident reports often have to be reported by automated systems, and those systems don’t tend to work well with incident-reporting web forms either.
Often, a web host’s tech support department is the only destination for malware reports. But web host tech support departments are usually designed in a way that only their paying customers may use them. That means if you are a visitor to a website or web app and you need to report malware you discovered on a site that they host, well that’s just too bad.
What else should you know about web-based malware?
Hussy also finds that malware reporting systems rely too much on prewritten form email responses and not enough on specifically trained and experienced human staff. Here’s an example he cites:
“Thank you for contacting the Comcast Customer Security Assurance team. Unfortunately, we need more information to better understand your issue. Please select the option below that best describes your question. We’ve provided easy instructions to help us resolve your issue.”
Perhaps the algorithms deployed by the bot haven’t found enough key terms or word patterns in the email body to narrow the incident report down into a particular category for further processing. Human beings don’t have these sorts of problems. Then again, human labor is way more expensive to maintain than that of bots. The web host may be thinking of cybersecurity as a “non-revenue generating segment,” but what about the cumulative harm and reputational damage that comes with not taking security seriously—and even more importantly, not spending money on it?
Hussy finds that major web hosts like GoDaddy and DreamHost often change the email subject headings in a way that makes it difficult to track which emails correlate with which reported incidents. When one person or entity makes multiple reports a day it can be a real problem. An example:
Subject: Incident 37181924: We received your feedback.
Subject: Thanks for your report. Here are some extra resources.
Subject: Thank you for reporting abuse on Google Cloud Platform
Subject: Regarding your DreamHost Abuse message…
Subject: Action Required
Subject: Questions About Our Abuse Policies
Subject: Support Ticket Not Opened
Subject: Confirmation of Domain Abuse Inquiry
Hussy has been measuring the reaction times for most of the world’s top web hosting companies. Reaction time in this context refers to the duration between specific malware being reported and when it’s removed. Among the over 600 hosting providers he has researched since August 2018, the average reaction time is three days, two hours, and 33 minutes. Hussy believes that reaction time should only be a few hours at most. Here’s more “Wall of Shame:”
- PROLOCATION: 13 days, 3 hours, 14 minutes
- MAXIS: 13 days, 18 hours, 54 minutes
- Gigabit Hosting: 14 days, 16 hours, 5 minutes
- ITGRAD: 14 days, 18 hours, 36 minutes
- HGC Global Communications: 15 days, 7 hours, 56 minutes
- Varnion Technology Semesta: 17 days, 12 hours, 37 minutes
- HNPL Australia: 19 days, 20 hours, 42 minutes
And conversely, here’s the “Wall of Fame:”
- HostRocket: 39 minutes
- 34SP UK: 38 minutes
- NETSEC: 37 minutes
- TELIANET: 33 minutes
- Quadrant Televentures Limited: 32 minutes
- Cox Communications: 30 minutes
- CYBERFUSION: 23 minutes
- CLOUVIDER: 19 minutes
You can do your part to help curb web malware by choosing one of the web hosting providers with a better reputation for reacting to incidents quickly and correctly for your website, web app, or cloud service.