I agree with you former33t!

Maybe someone should've recommended a SANs course to the two? Haha.

I don't run into a lot of people in their 60's that are extremely tech savvy unless they've been in the industry for years. Their goal to set up an online web site for their entrepreneur business I think was a positive step in getting your business out there, but even plugging into the internet is even a risk.

Definitely should've taken something into consideration but in this scenario, I picture someone like my mom and dad setting up a web site for something they're running - and not taking into thought all the malicious nasty people on the net just looking to get their malware out there.

This article may be even a large hint to even people who could put sites together; take security into consideration always!

Long, but good read - Hope it works out for them!

I read about half of the article but a question springs to mind: how were they hosting their site? At home, something they set up themselves? I have no idea why they never approached a web hosting company that could have taken care of their site for them and I'm sure they could have got a good deal on a decent package that included sufficient security.

Even if they were with a hosting company (and I think they were) the hosting company is not liable for hackers on your website.  Nothing comes cheap in computing (especially security).  I had a client with a hosting site who didn't update joomla (CMS) and got exploited.  All the client's web pages had code inserted (base64encoded multiple times to obfuscate) that called out to a remote server to execute additional code.  At the time of the compromise, the vulnerability used to exploit the joomla installation was more than three months old.  Two hours max (to update the installation, time that had to be spent anyway) turned into 16+ hours of expensive code cleanup and testing to eradicate all the places the malware inserted itself (both in PHP files used to build the pages and in the CMD database itself).

This really is a story of a little up front saves a lot later.

BTW, sorry for not warning about the length of the story.  I am keeping this one around for future clients that doubt the importance of hiring a security consultant to audit their online business presence.  It's one thing to tell them horror stories you have seen (that of course they think can't happen to them), its another thing to see it in print from the newspaper.

I touched base with the owner mentioned in the article and pointed him to this thread, here is his reply:

Based on the article, I thought it was a server side hack that was causing the majority of the problems.  After seeing Bill's response, I can see that this was not the case.  Still, a number of possible technical solutions come to mind.

Without seeing the client side malware, it's hard to say what could be done to fix this problem most easily.  My first thought was a notice on the website that they were plagued by a particular type of malware and offering a malicious software removal tool.  Is this a pain?  Sure.  Costly, sure.  I hate to bring this up, but they must be making a good deal of money to be the victims of a targeted malware attack.  This type of attack takes some thought and resources, especially in the distribution phase.

From a legal perspective, they could make a pretty persuasive argument that any redirects from the malware should be redirected back to the site by the competitor.  The competitor is probably a guilty party here as well.

A final (non-ethical) solution is to fight fire with fire (if you are sure the competitor is the culprit).