The London Stock Exchange has been hit by malware that infected users' computers in an attempt to persuade them to buy bogus anti-virus software.
The security breach is thought to have occurred through third-party ads installed on the website. These have now been removed, and LSE claims that site visitors would only have been infected if they had clicked through.
However, according to Ian Shaw, Managing Director of MWR InfoSecurity, it is still the LSE’s job to ensure that its site is safe for users to view, labelling the attacks “very concerning”.
“The London Stock Exchange has a responsibility to users to ensure that content on its site has been cleared, and that there is no open access to third parties in future that could allow such breaches,” Shaw told TechEye.
“With lots of businesses’ sites becoming mash-ups of different sources such as advertising, it is increasingly becoming a problem for all companies, not just on an operational level but also in terms of brand protection.”
Once the malware threat was established, Google eventually began blocking users from accessing the site, and the search engine also highlighted in its search results that the site had been breached.
This is rather embarrassing for the London Stock Exchange, considering it comes not long after a similar attack on NASDAQ, though there are no immediate signs that the two attacks are linked, according to Shaw.
“Of course it is very important that a stock exchange keeps this will involve a combination of human and technical measures to avoid the situation occurring again, as they are big targets,” Shaw said.
“The London Stock Exchange needs to ensure that it completes a thorough investigation, as while this appears a regular attack, given the target and the similar incident at NASDAQ earlier in the month, the integrity of the site needs to be assured.”
Shaw insists that more thorough checks are needed to ensure that third-party firms such as advertisers are not able to continue these breaches, and that all site users should be informed that their personal information, such as passwords, may have been compromised.
“There is now consistent evidence to suggest that the security measures being taken by UK business to protect their online portals are insufficient, they are not keeping pace with the threats,” he said.