VeriSign’s Bad Advice on Protecting Websites from Malware

If you do a Google search related to website malware right now you might run across the following ad from VeriSign:

VeriSign Malware Scan
What you need to know about malware & how to protect your site

Someone interested in how to protect their website from malware might click on the ad hoping to learn about doing that. From the page the ad takes you to, you could visit a page titled FAQ: Web Site Malware Scanning. One of the questions in the FAQ is “How can I protect my site from malware?”. This looks like the information their advertising was promoting. Here is what they say:

Like most thieves, malware hackers look for easy targets—such as a Web site where malware will go undetected for as long as possible. Posting the VeriSign Trust Seal on your Web site is like posting an alarm security sign in your front window. It shows hackers that your site is scanned daily to detect malware.

There are probably many variations on what would be a good answer to this question. VeriSign's answer is certainly not one of them. Not only have they given really bad advice for protecting websites, but the answer suggests a scenario that is almost never going to happen.

The scenario in the answer suggests that hackers are going to view the website before they attempt to hack it. In almost all instances that is not the case. Not only is someone not likely to view the website before attempting to hack it, but there probably will not be a person directly controlling the attempted hack. Instead, the hacking attempt is likely to be automated.

For example, someone might set up a program to go through every domain name attempting to exploit a vulnerability in an outdated version of WordPress. Because no one is viewing the website before attempting to hack it, the VeriSign Trust Seal will have no impact on whether the website is hacked or not. The best that malware scanning could do in this case would be to quickly warn that the website is infected. The worst case would be the scanner not detecting the infection until it has potentially infected many visitors. What is hopefully obvious is that if you are not running an outdated version of WordPress you would not get infected in the first place.
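The automated, untargeted pattern described above is easy to see in a web server's own access log: a single client hits a run of WordPress paths within seconds, never having requested the home page first, often on a site that does not even run WordPress. The following is an added example, not code from the original post or from VeriSign; it parses constructed Apache "combined"-format log lines (the IP addresses, timestamps and paths are made up for illustration) and flags clients whose behaviour matches that pattern. The probe-path list, thresholds and function names are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic). Three clients:
# a normal visitor, an automated scanner hitting WordPress paths on a site
# that returns 404 for them, and a single legitimate wp-login.php request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:55:40 +0000] "GET /about/ HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [10/Oct/2011:14:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [10/Oct/2011:14:01:03 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [10/Oct/2011:14:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [10/Oct/2011:14:01:04 +0000] "GET /readme.html HTTP/1.1" 404 210 "-" "-"
192.0.2.9 - - [10/Oct/2011:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths that a WordPress-targeting scanner typically requests (assumed list for the example).
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin", "/wp-content", "/readme.html")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return entries


def is_probe(path):
    """True if the path is one of the probe paths or sits under one of them."""
    return any(path == p or path.startswith(p + "/") for p in PROBE_PATHS)


def find_automated_probes(entries, min_hits=3, window_seconds=60):
    """Flag clients that fire >= min_hits probe requests inside window_seconds
    without ever having viewed the home page first (no human browsing step)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        probe_times = [e["ts"] for e in reqs if is_probe(e["path"])]
        if not probe_times:
            continue
        # Largest number of probe hits that fall inside any window_seconds-long span.
        best = 0
        for i, start in enumerate(probe_times):
            in_window = sum(1 for t in probe_times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, in_window)
        first_probe = probe_times[0]
        viewed_site_first = any(
            e["ts"] < first_probe and e["path"] == "/" and e["status"] == 200 for e in reqs
        )
        if best >= min_hits and not viewed_site_first:
            flagged[ip] = {"probe_hits": len(probe_times), "max_hits_in_window": best}
    return flagged


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return find_automated_probes(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in analyze_sample().items():
        print(f"{ip}: automated probe, {info['probe_hits']} WordPress-path requests")
```

Run against the constructed sample, only 198.51.100.7 is flagged: five WordPress paths in two seconds with no earlier page view. The single wp-login.php request from 192.0.2.9 is not flagged, which is the point of the window and threshold: a real administrator logging in looks nothing like a scanner. Nothing in this detector depends on whether a seal image is displayed on the site, which is the post's argument in miniature.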

The right way to protect your website against these types of hacks, which are done in this automated fashion, is by taking the measures we have written about here. If your website is properly secured you are very unlikely to get infected, so malware scanning is of little use. If you want to make sure that you are warned quickly if your website is ever infected, you can set it up so that Google will send email to an address of your choice if they ever detect malware on your website.

So would the seal have any deterring effect on someone who has decided to target your website? It is hard to say for sure, but it seems unlikely it would have any effect. If someone were looking for easy targets they wouldn’t be trying to target specific websites at all. It is much more efficient for them to use untargeted methods to find easy targets. What would be more likely to happen if they were targeting you is that they would test their malware to make sure it is not detected by the scanning done by VeriSign before infecting your website. In that situation letting them know it was going on would not be helpful.

VeriSign is owned by a major security company, Symantec, so they should be aware of all of this, especially since they decided to run advertising promoting that they would tell “What you need to know about malware & how to protect your site”. Either they don’t know about website malware, but are offering the service anyway, or they know about it and they appear to be intentionally misleading potential customers.