BelchSpeak

I can't believe that came from your mouth!


IPOWER Hosting 10% of World’s Web Malware?

Brian Krebs has an excellent article in the WaPo today about the web hosting provider IPOWER and the number of websites it hosts that serve up drive-by downloads, phishing and other badness.

Some highlights of the article:

Organized crime groups have modified a significant share of the Web sites operated by one of the Internet’s largest Web hosting companies to launch cyber attacks against visitors.

Last month, Phoenix-based IPOWER Inc. was featured prominently in an unflattering report by StopBadware.org. StopBadware has identified more than 90,000 sites that attempt to install malicious software on visitors’ computers via Internet browser security holes or programming tricks.

StopBadware found that about 10 percent of the sites in its database were operated by IPOWER.

A review of (compromised) sites indicates that both virtual servers are running outdated, insecure versions of the Apache Web server software and PHP, a popular Web scripting language that many hosting companies provide for their customers.

Large hosting providers should not be allowed to host tens of thousands of compromised sites for months at a time. There is little excuse for failing to apply long-overdue security updates to seal frequently targeted Web server software flaws, and no reason why hosting providers cannot keep closer tabs on the content being served by their customers.

An Internet service provider or Web host can take action within 48 hours if it receives a “takedown notice,” under the Digital Millennium Copyright Act. The law protects network owners from copyright infringement liability, provided they take steps to promptly remove the infringing content. Yet ISPs and Web hosts often leave sites undisturbed for months that cooperate in stealing financial data and consumer identities.

There is no “notice and takedown” law specifically requiring ISPs and Web hosts to police their networks for sites that may serve malicious software.

Bugtraq lists are public for a reason. Lots of enterprises subscribe to vendor patch notifications, as they should. So why can’t companies like IPOWER?

Bad ISPs know when they have poor security practices. Refusing to patch or upgrade on a regular cycle is not only bad practice, but possibly criminal from a liability standpoint. And bad webhosters need to be called out.

I’m afraid that it may take one large webhosting provider being sued for assisting in identity theft to get them to patch with regularity.

Dr. Jones

Do not talk about fight club. Oops.
