The official BT Group website (http://www.btplc.com) is today being flagged up by a number of Internet security checks and Anti-Virus firms due to an alleged infection of Phishing Malware (malicious software), which is normally used to help hackers steal personal information.
The problem came to light this morning when we attempted to load the btplc.com website on several computers protected by ESET NOD32 Anti-Virus software, which instead returned an Alert! page warning of a “Potential phishing threat”. Digging deeper, we were able to confirm that the website had very recently been added to the vendor’s Anti-Phishing Blacklist.
A few quick checks around the Internet reveal that some, but not all, other anti-virus vendors have either made a similar block or noted a related event on the btplc.com website. For example, AVG’s free anti-virus software hasn’t detected anything, but others like ESET’s NOD32 and Sucuri Inc. have. It’s not unknown for anti-virus firms to be overzealous in what their security software blocks, but that’s not always a bad thing because it helps to keep you safe.
Digging deeper we were able to discover that the issue relates to an alleged infection by the MW:ANOMALY:SP8 malware virus, which has been around for a few years and is described by Sucuri as being, “A suspicious block of javascript or iframe code [that] loads a (possibly malicious) code from external web sites … Those types of code are often used to distribute malware from external web sites while not being visible to the user.”
The malware is generally hidden inside the website’s existing JavaScript files, and various checkers pointed to the following pages on btplc.com as being infected:
Infected Pages (may not be a complete list)
http://www.btplc.com/sharesandperformance/sharepricegraphs/index.cfm
http://www.btplc.com/news
http://www.btplc.com/Sharesandperformance/Annualreportandreview/index.cfm
Apparently all of the above exhibit the same line of remote-executed JavaScript code, and we chose not to visit the main site until BT can confirm that it’s been dealt with. ISPreview.co.uk has notified BT of the issue, although they didn’t respond to our hails yesterday, so we might not receive a response today either.
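A heuristic of the kind Sucuri describes, flagging script or iframe tags that pull content from another host, can be sketched as follows. This is an added example, not code from Sucuri, ESET or BT; the host names, the sample HTML and the `trusted_hosts` allowlist are constructed assumptions. Note that it reports every off-site load until it is given an allowlist.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; hosts are placeholders, not taken from btplc.com.
SAMPLE_HTML = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.partner.example/charts.js"></script>
<iframe src="http://unknown-host.example/x" width="0" height="0"></iframe>
<iframe src="https://video.partner.example/embed" style="display:none"></iframe>
</body></html>
"""

class ExternalLoadScanner(HTMLParser):
    """Collect <script>/<iframe> tags that load content from another host."""

    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.site_host = site_host
        self.trusted = set(trusted_hosts)  # hypothetical allowlist
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host or host == self.site_host:
            return  # inline code or same-site resource
        style = a.get("style", "").replace(" ", "").lower()
        # "Not visible to the user": zero-sized or CSS-hidden iframe.
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                              "trusted": host in self.trusted})

def scan(html, site_host, trusted_hosts=()):
    scanner = ExternalLoadScanner(site_host, trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def suspicious(findings):
    """Findings that still need a human look after the allowlist is applied."""
    return [f for f in findings if not f["trusted"]]
```
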
All websites can be hit by this sort of thing and it’s likely that BT has already spotted and dealt with it, although if history is anything to go by then anti-virus vendors often don’t remove related warnings immediately and in some cases they can continue for several weeks even after the threat has been wiped.
Incidentally the http://www.bt-ngb.com website has also been offline for several days now, although this is not believed to be related and is just an unusual occurrence.
UPDATE 2:27pm
After an investigation BT has confirmed that the blocks, which have now been removed, were triggered by a false positive and ESET has updated their database accordingly. However one or two online security tests and web scanners probably won’t remove the issue from their lists until tomorrow or later. But the good news is that BT’s website is safe.