Jan. 6, 6:55 p.m. | Updated: See our followup post on the reaction to this one.
On New Year’s Day, Robert Epstein woke to nine e-mails from Google. His Web site had been compromised by hackers, Google informed him, and until Dr. Epstein, a psychologist, cleaned up his site, Google would warn any would-be clickers to stay away.
Their ensuing exchange offers a glimpse into the frustrating nature of Web site infections, which are increasingly widespread but hard to diagnose and cure. Dealing with them, or even dealing with an Internet giant’s claim that it has spotted one, can cause even the most sensible people to throw up their hands and seek court injunctions.
Dr. Epstein, a former editor in chief at Psychology Today, says his Web site, which offers free interactive mental health screening tests, can draw up to 5,000 visits a day. Now, four days after Dr. Epstein first heard from Google, a search for his site yields the digital equivalent of a skull and crossbones: “This site may harm your computer,” Google warns. Click on the link and another message pops up. This one does not mince words: “Reported Attack Page! This web page at drrobertepstein.com has been reported as an attack page and has been blocked.”
Dr. Epstein contacted his Web host and Google. The former could not find any evidence of malware but reset his site’s configurations anyway. The latter would respond only in boilerplate. So Dr. Epstein responded to Google’s e-mail, this time copying Larry Page, Google’s chief executive; David Drummond, Google’s legal counsel; Dr. Epstein’s congressman; and journalists from The New York Times, The Washington Post, Wired and Newsweek.
“Dear nameless Google worker,” Dr. Epstein’s e-mail begins. “Your company is continuing — initially through incompetence and now through negligence and malice — to do irreparable harm to my good name and reputation.”
“I am not a spammer and I do not run ‘attack sites,’ as you have now been claiming to the world for three days,” the e-mail continues. “I demand that you unblock my websites immediately.”
Google responded to Dr. Epstein (and the journalists), telling him that it had re-scanned his site and had found it was still infected and still redirecting users to a site known to host malicious code.
“We understand that your site has been compromised against your will, but in the spirit of protecting users, we hope you understand that we will continue to display a warning for as long as we continue to detect malware on your site,” it said.
Dr. Epstein says Google’s automated crawler is referring to a nonexistent page on his Web site. He now plans to seek a court order forcing Google to remove its warnings.
The fact is, unbeknownst to their owners and administrators, hundreds of millions of Web sites have been programmed to infect visitors with malware. In one month in 2010, Symantec reported seeing 40 million Web attacks, on average, every day.
“Mainstream Web sites are one of the primary ways computers are getting infected,” said John Harrison, a project manager at Symantec. “We’ve seen physicians’ Web sites, news sites, even a Fortune 1,000 company infect visitors with malicious code.”
Hackers troll the Web using automated software that looks for legitimate Web sites with security weaknesses. Once they find vulnerabilities, they install Web attack toolkits or redirect visitors to sites that host malicious code.
“Anyone with a hundred dollars and basic computer skills can use these automated tools,” Mr. Harrison said. “They’ve lowered the barrier to entry, and they are getting harder and harder to track down.”
Hackers have become so adept at covering their tracks, Mr. Harrison said, that it’s getting more challenging for Web host providers and even skilled security researchers to track them down.
In some cases, hackers will only redirect users to malicious sites if they come to the site through a particular search engine. Or they will serve up malicious code the first time a user clicks on a site and then never attack again, to confuse security experts.
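As an added illustration (not part of the original article, and not a tool used by anyone quoted in it), the two evasions just described leave a pattern in a Web server's access log that a site owner can look for. The log lines are constructed samples in the common "combined" format; the function names and the list of search-engine hosts are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jan/2012:10:01:02 +0000] "GET /tests/ HTTP/1.1" 302 0 "http://www.google.com/search?q=depression+test" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2012:10:05:40 +0000] "GET /tests/ HTTP/1.1" 200 8123 "http://www.google.com/search?q=depression+test" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2012:10:06:11 +0000] "GET /tests/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.20 - - [03/Jan/2012:10:07:30 +0000] "GET /tests/ HTTP/1.1" 302 0 "http://www.google.com/search?q=stress+quiz" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2012:10:08:00 +0000] "GET /old HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.20 - - [03/Jan/2012:10:09:00 +0000] "GET /old HTTP/1.1" 301 0 "http://www.google.com/search?q=x" "Mozilla/5.0"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")  # assumption: referrers treated as search engines
REDIRECTS = {301, 302, 303, 307, 308}          # 304 Not Modified is deliberately excluded

def from_search(referer):
    host = urlparse(referer).hostname or ""
    return any(marker in host for marker in SEARCH_HOSTS)

def find_cloaked_redirects(log_text):
    """Return {path: sorted reasons} for paths whose redirects look conditional."""
    redirected = defaultdict(lambda: {True: 0, False: 0})  # path -> redirects by search/other
    served = defaultdict(lambda: {True: 0, False: 0})      # path -> normal responses
    first_status = {}                                      # (path, ip) -> first status seen
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, path, status, referer = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        is_redirect = status in REDIRECTS
        (redirected if is_redirect else served)[path][from_search(referer)] += 1
        # One-shot behaviour: the same client is redirected once, then served normally.
        first = first_status.setdefault((path, ip), status)
        if first in REDIRECTS and not is_redirect:
            findings[path].add("one-shot")
    for path, hits in redirected.items():
        # Redirects seen only for search-referred visits while other visitors get the page.
        if hits[True] and not hits[False] and served[path][False]:
            findings[path].add("referrer-conditional")
    return {p: sorted(r) for p, r in findings.items()}
```

This only sees redirects issued as HTTP status codes; a redirect performed by script injected into a page is logged as an ordinary 200 response and needs a content comparison instead.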
So what can the owner of an infected Web site do? Mr. Harrison suggests working with the Web host provider, installing updated Internet security software and using stronger administrator passwords.
Having exhausted those options, Dr. Epstein e-mailed Google demanding telephone numbers for Larry Page so he could let Mr. Page know his search engine had made a grave mistake.
“Everything I’m getting back is automated or boilerplate. This is going nowhere,” Dr. Epstein said. “How can Google come between an Internet service provider and an end user? How did Google come to have so much power?”