Local residents looking to pay parking tickets or use other online services from the D.C. government in the past week were greeted with an ominous message, saying their use of the city’s website could expose them to malicious software.
The alert was a result of something or someone, such as a computer user looking to exploit weaknesses in the system, trying to burrow into the D.C. Community Calendar application on July 31, city officials said.
Ayanna Smith, spokeswoman for the office of the chief technology officer (OCTO), said the attack was resolved within a day and did not compromise any personal information or pose a threat to users’ computers. But people who later logged onto apps.dc.gov encountered a message from Google, which trolls the Web for potentially dangerous sites, that warned: “The website you are visiting appears to contain malware.”
The incident raised eyebrows among users who wanted to pay their parking tickets — fines double if they wait too long — or use other online services offered by the District.
Joshua Miller, 34, who lives in the Brightwood neighborhood of Northwest, was among several people who logged onto Twitter to ask the D.C. Department of Motor Vehicles whether its site was safe. He wanted to schedule an inspection but was not satisfied with the agency’s response to his query.
“Instead of saying, ‘No, there’s no problem,’ they said, ‘You need to use a browser other than Chrome,’” Mr. Miller said. “That’s the equivalent of saying, ‘Turn off your antivirus package and you’ll stop getting notices that your computer is infected.’”
DMV spokeswoman Vanessa Newton said Tuesday the agency’s website is secure, “and the public can continue to pay tickets as well as conduct other DMV business online.”
But the episode shined a light on the vulnerabilities attached to an increasingly cyber-based world. The District, like other governments, is leveraging user-friendly programs and apps that make it easier to tackle the concerns of city life, such as feeding the parking meter or sounding off on city agencies.
Ms. Smith acknowledged that it would be understandable for customers to be wary of entering their private payment information after seeing the message, which interrupted browsing with a warning inside a red-bordered box. It informed users of the potential malware and allowed them to click “Ignore Warning” or “Go Back.”
The screen also directed users to a Google diagnostics page, which said app.dc.gov was “suspicious” but had not hosted malware or served as an intermediary for infection of any other sites. Its testing over the past 90 days, however, showed “two pages resulted in malicious software being downloaded and installed without user consent.”
Google launched its Safe Browsing system five years ago to guard against malicious content on the Internet among its search results and ads as well as content on popular browsers such as Chrome, Firefox and Safari. While Google does not comment on specific websites, “our systems appear to be working as intended,” spokesman Jay Nancarrow said.
In general, small businesses that use common, commodity software are targeted for malware attacks more frequently than larger entities, said Maxim Weinstein, executive director of Stop Badware, a nonprofit organization that works to eliminate malware, spam and other invasive Web applications.
“I wouldn’t say we see it extensively on government sites,” he said, noting “Google’s detection accuracy is extremely high, without coming up with many false positives.”
But, he added, it is not uncommon for warning messages to linger after an issue has been resolved — calling ongoing attention to what can be an embarrassing situation.
OCTO is working “diligently” with Google to take down the message, Ms. Smith said.
“Once the bad content has been removed, the site owner can file a reconsideration request,” Mr. Nancarrow said. “If the offending content is indeed gone, the warning will come down.”
It was not the first time city residents encountered a hiccup on D.C. websites.
In April, city government sites in New York City and the District failed to load intermittently for hours on end. The “denial of service attacks” reportedly were launched by hacker group UGNazi as part of a protest against the governments, although it was unclear whether the true target was the federal government seated in the District. That type of invasion is far more serious than what occurred last week.
The community calendar at the source of the D.C. incident does not house confidential information, “so the ‘attack’ was more of an inconvenience than a threat to users,” Ms. Smith said via email.
However, she said, OCTO is re-creating the D.C. Community Calendar application with more current and secure features.