When it comes to computer viruses, you’re now more likely to catch one visiting a church website than surfing for porn.

As with herpes, one of the peripheral embarrassments of contracting a computer virus is that everyone has a pretty good idea of what you were up to when you got it. Oh sure, it’s possible you just chastely pecked a misleading email link. But odds are you picked it up because you were dallying on one of those shady, fly-by-night websites that people visit when they’re seeking fulfillment. You know—religious sites.

What’s that? Church blogs and Christian youth forums aren’t the first thing that comes to mind when you think of scareware, malware, worms, and Trojan horses? They should be. In its latest annual Internet security threat report, Symantec, the maker of Norton AntiVirus software, found that “religious and ideological sites” have far surpassed pornographic websites as targets for criminal hackers. According to the company you’re now three times as likely to encounter malware—insidious software that can steal your data, pelt you with spam, or enslave your machine in a botnet—on your local church blog as you are on a porn site.

The explanation is straightforward: The entrepreneurs who run adult websites are old hands at Web security, and they’ve long since learned to use protection. Those who build and host church websites, by contrast, may have the best intentions, but they tend to be naive and inexperienced. For hackers, that makes them easy prey.

Take Stephen Morrissey, a Pittsburgh-area e-commerce architect who moonlights as a Web developer for churches looking to establish an online presence. He admits he didn’t have the first clue about Web security when he volunteered to build a website for his mother’s small church in Wilkes-Barre, Pa. three years ago. He had designed simple, static Web pages before, but for the church he used a popular, freely available scripting language called PHP to add a few interactive elements.

Three months after the site went live, Morrissey took a glance at its Web traffic numbers and saw they had dropped off a ledge. Trying to visit the site himself, he found the path blocked by Google, which had posted an alert marking it as malicious. Scanning his code, he ran across a snippet he hadn’t put there and didn’t understand. “It was a bunch of gobbledygook,” he recalls. He immediately took the site offline and reported the intrusion to Symantec. He never did find out just what type of malware had been installed there. And luckily, the Google warning seems to have scared off most of the parishioners before their machines could be infected.

In retrospect, Morrissey says, he should have consulted security experts before building the site. The problem, in his view, is that churches are eager to get online, but many don’t understand what’s involved. And they’re so used to relying on volunteers to run their programs that they don’t realize that might be a bad idea when it comes to websites. “Oftentimes it’s an IT person who maybe has a clue about websites, but no real experience at the professional level,” he says. For his part, Morrissey moved that site, and the others he manages, from GoDaddy’s bare-bones hosting service to WordPress, a popular, standardized content management platform that regularly adapts its code to thwart hackers. To his knowledge, none of his sites have been compromised since.

But experts in the field point out that WordPress can be vulnerable too, especially for users who don’t recognize the importance of downloading its security updates as soon as they’re released. Those experts include Carmen Merighi, co-owner of a Florida-based Web development company called Online Technologies Group. The bland name belies the company’s racy clientele, which is dominated by adult websites. Merighi has been building and hosting sites for adult domains since 1996, before most churches had ever conceived of the idea of an online presence.

Merighi says the online porn industry in the 1990s resembled the online religious community today—technologically speaking, of course. Enterprising photographers, filmmakers, bloggers, and businesspeople with limited Web savvy were starting their own sites in droves, often using the cheapest and simplest platforms available. Hackers soon capitalized, giving porn sites a well-deserved reputation as cesspools of malware, spam, intrusive pop-up ads, and sneaky redirects. But as traffic soared and companies began to cash in, competition became stiff, and the industry consolidated. Homespun sites were squeezed out, and commercial sites that failed to clean up their pages developed toxic reputations. Merighi says a few of his own sites were hacked, mostly with relatively innocuous “scareware” and “redirect” programs that try to trick people into buying fake anti-virus products or visiting sites they didn’t intend to visit.

Most of the porn sites that withstood the consolidation have beefed up their security considerably. At a porn expo this month in Miami, Merighi says that nearly all the webmasters he talked to subscribed to one of a few well-established hosting services. “Two to three years ago is really when it became much more of a part of your business plan to look at how you’re going to secure your site.” The credit card companies have pushed the process along, requiring privacy and disclosure standards for any site that processes customers’ financial information.

According to Symantec, pornographic sites now rank at the bottom of the top-10 list for malware threats. Blogs are first, followed by personal and self-hosted sites, business sites, and shopping sites. Religious sites aren’t a category unto themselves, but are split between blogs, self-hosted sites, and “education/reference” sites, which rank fifth on the “most-infected” list.

McAfee, another leading Web security firm, doesn’t break down its threat statistics by website category, but McAfee Labs security strategist Toralv Dirro tells me he isn’t surprised by Symantec’s findings. Malware is on the rise across the Web, he says, and small sites—including personal blogs, religious and nonprofit sites, and small business sites—are among the hardest hit.

The people who run these sites often assume that there’s safety in their obscurity. What hacker is going to bother installing a Trojan horse on a personal blog that gets only a few hundred hits per day? But these days, many hackers don’t even look at what sites they’re targeting, McAfee’s Dirro explains. The spike in malware is a result of a proliferation of downloadable attack kits, which automatically scan the Web looking for sites that appear likely to have vulnerabilities in their code, regardless of their actual content. The attack software probes for weaknesses, then automatically injects malware wherever it finds them. It just happens that church sites tend to be among the weakest.

Symantec’s numbers back that up. It found 403 million different variants of malware in 2011, a drastic increase from 286 million in 2010. And it found 55,000 malicious domains, a jump from 43,000. Three out of five attacks were the work of software kits.

How can devout churchgoers—or avid porn-surfers, for that matter—protect themselves when visiting their favorite sites? In many cases, you can’t—the malware installation begins as soon as you load the page. Norton, McAfee, and several competitors offer free and premium programs that assess sites’ risk levels before you visit them—a good precaution for the paranoid, though others might find the browser clutter almost as annoying as the malware they’re trying to avoid.

Once you’re infected, the symptoms can range from the irritating (programs that send your friends spam links from your email or social media accounts) to the insidious (those that log your keystrokes and steal your personal information). Among the most devious are rootkits, which can burrow beneath your computer’s operating system and take control of your machine, blocking your attempts to download the anti-virus programs that could knock them out. In these cases, professional help may be the only option.

The easier solution is for the websites themselves to clean up their act. Jose Gomez, who runs a business called NetMinistry, which does Web design for religious organizations, is among those trying to professionalize the religious content-management sector. He regularly evangelizes to his clients about the importance of Web security. Some churches are getting the message about the dangers of reaching their parishioners on the Web, he says. But others are more interested in growing their flocks, and take a devil-may-care attitude to safety. “Churches are racing to grow and to stay alive,” Gomez says. “In that race, they’re cutting a lot of corners and adapting technologies faster than they can handle.”

Views: 726

Comment by matt.clerke on July 15, 2013 at 10:58pm

Of particular interested (to avoid): www.nuns-gone-wild.com

Comment by Kairan Nierde on July 16, 2013 at 1:50am


Comment by James Cox on July 16, 2013 at 9:02pm

Puts 'STD' (Sacred Transmittable Disease) into a whole new context. Would there be any preferable church websites for these STD''s? Do church websites offer special holy water computer dips for 'A blessing of the Great Mother Board', or an 'Exorcism of The Drives'?

Comment by H3xx on July 16, 2013 at 11:56pm

God went viral... Sorry, someone had to get that horrible pun out of the way.

@James Cox

I've had to perform an exorcism of the drives before, and it wasn't fun. Nasty little bug called InVitro. It injected itself into .exe files, and propagated very quickly, and appeared to do nothing but completely corrupt the system. I lost 300gbs of software that I had, um, "test driven" Good thing that was before the NSA started spying. I wonder how many copyright "infringers" they've found, because it doesn't seem like they were actually looking for terrorists. (otherwise they could have just flipped on Fox News, "Look, there they are, and they're talking!")

Comment by Unseen on July 17, 2013 at 1:31pm

One of the websites I maintain was infecting visitors for a while before I was put wise to it. The way it happens is some hacker hacks the server the site is on and puts their nasty code onto a page in the site. Usually, this would be the first page, and that is what happened to my site. A couple users told me that their anti-malware went nuts when they visited, so I looked into it and, sure enough, there was code on that page I didn't put there. I cleaned it up and changed the password I use to work on the site (my FTP login for the benefit of the more computerly astute here). That fixed it.

If I were a hacker wanting to distribute some sort of virus, I would NOT put it on a porn site. Actually, some sort of megachurch site would be great because I would expect a lot of very unsophisticated visitors to be there. Visitors who trust in God to protect their machines from viruses. 

Comment by Reg The Fronkey Farmer on July 17, 2013 at 3:43pm

Don't ask John McAfee for help with virus protection. He is too busy with other stuff.


Comment by Sagacious Hawk on July 17, 2013 at 3:53pm

That was ridiculous, Reg.

Comment by Unseen on July 17, 2013 at 4:28pm

I knew a guy who worked for McAfee. He admitted that a lot of the other stuff, much of it free, did a better job.

Comment by Unseen on July 18, 2013 at 12:47am

OMG, the unix people are as annoying as the vegans. 

Linux is powerful, free of charge, you don't need an anti-virus, and unlike Microsoft or Apple software products the source code is open and public, so you know it's NSA-free.

How would someone like me, who neither reads nor writes any form of unix, and doesn't want to get down to the level of the coding, know that it's NSA-free?

Comment by Unseen on July 18, 2013 at 2:52am

Sorry to put you on a wild goose chase. My fault. I wasn't really thinking of the NSA but about viruses in the code of the programs running on Linux. I have no way of being sure they are virus free.


You need to be a member of Think Atheist to add comments!

Join Think Atheist

© 2020   Created by Rebel.   Powered by

Badges  |  Report an Issue  |  Terms of Service