CANCUN, Mexico — Kaspersky Labs senior security researcher Stefan Tanase knows all about the old adage “You never know until you ask.”
Tanase recently conducted an experiment in which he emailed the webmasters of 100 websites infected with malware, informing them of the problem and asking in return only for some data on the infections in the form of log entries. What Tanase got back was a big fat zero, as in no replies.
Undeterred, Tanase said Wednesday during the Kaspersky Lab Security Analyst Summit 2012 that he emailed another 200 and actually got a 3% reply rate on his second attempt.
“The assumption I made is that webmasters don’t know their sites are infected,” he said. “The reality is that webmasters don’t care if their sites are infected.”
Tanase said he knows 52% of his emails reached their destination; 48% bounced back to him.
Of the three percent who did reply, one came from a monastery, where a priest asked for help in cleaning up the websites and under what conditions. Another respondent came from an advertising agency that wasn’t interested because the infected site in question was an old site no longer in use. Another, from an industrial equipment supplier, said they didn’t have a dedicated IT person on staff, but offered to send Tanase an administrative username and password and wondered if he could help, a major security fail.
The experiment, however, wasn’t a total bust; 3% may have replied, but upon a second scan, 5% had removed the malware from their sites.
“They may not have replied,” Tanase said, “but they did clean up their site.”