Website security – gone phishing

website security addresses phishing spam

A friend of mine used to say, “fishing is a jerk at one of the line waiting for a jerk on the other end”.

We’ve been seeing many, many more phishing scams and here is our insight and our experiences.

Points covered in this post:

  • Hackers are focusing on VPS and dedicated servers
  • Why you should be concerned
  • Why they want access to your VPS or dedicated server
  • What can be done about it

Over the past 60 days, the number of phishing scams has drastically increased. With this we’ve also seen an enormous rise in the amount of spam being sent from VPS’s and dedicated servers.

Some of the servers we’ve removed malware from have had as many as 5 million messages in the email queue – most of them are phishing emails.

The subject lines vary but will typically be something like:

Your Apple ID was disabled: 23%

You have received a voice mail: 29%

I’ve shared a document
Important Doc file 27% (combined)

The rest were mostly focused on pharmaceuticals (viagra, levitra, cialis, etc.)

Why this is important

If you’re the owner of a VPS or dedicated server hosting websites, then this should concern you. You might think, “It’s an easy fix. I’ll restore all my sites from before the malware attack and I’ll have all my customers up in no time.”

A few negative points here for you:

  1. Your websites will be shut-down by your hosting provider
  2. Your domain(s) could be listed on
  3. Your IP address could be blacklisted by a number of SPAM blacklist sites
  4. Restoring files will not “close the hole” – the hackers will be back
  5. Your website(s) could drop in the search engine rankings
  6. Sites backlinking to your website(s) could remove their links – thereby lowering your search engine rankings
  7. Browsers could show a warning page before people try to visit your websites

Point 1 is temporary. Many hosting providers will deactivate your server until the issues are resolved – but most often you will suffer some downtime.

Point 2 may or may not cause you any issues. Some sites and browsers using the phishtank list block your site if you’re listed on there.

Point 3 is more severe if you’re hosting email for your websites on the same server. While many of the SPAM blacklists will remove your IP address or domain from their list quickly (sometimes within 10 – 15 minutes) others like Gmail will take weeks. Gmail doesn’t have a request process like Google does for websites. They monitor email coming from your IP address to their addresses for up to 4 weeks. If they don’t receive any other SPAM, then they’ll delist your IP address.

Point 4 we hear quite frequently. All this does is prolong the process of root cause analysis – how did this happen? Not to sound all “CSI” on you, but you could be writing over forensic information. Then it’s an educated guess as to how it happened.

Point 5 can be serious. Many of you spend large amounts of time getting your sites or your customer’s sites ranked highly for keywords. That will drop quickly if your website gets listed by one of the search engines for sending SPAM or hosting phishing files. Sometimes your rankings will return in about a week or so. However, if your server is infected again, the repeated drops will accumulate and it may take a lot more work to regain your search engine rankings.

Point 6 also affects your search engine rankings – backlinks. You spend a lot of time building up reputable backlinks. If the websites that link back to your site drop you, can you get them back? What will they need to know that your site or sites are safe again?

The last point, browsers showing a warning page, will usually go away within 24 to 48 hours after the infection has been removed and steps taken to secure the websites.

Possibly the best reason for you to be concerned is that anyone you know could fall victim to one of these phishing scams and lose their identity, lose their bank account balance or any number of potentially damaging events.

Why VPS and dedicated servers?

Why would hackers focus on VPS and dedicated servers? We believe the hackers know that these aren’t monitored by the hosting companies quite like the shared hosting accounts are. Some of the managed servers are, but many of people buying the VPS or dedicated server service don’t go with the managed offerings.

Hackers love VPS’s and dedicated servers because they have control over all the resources.

Some of the phishing sites we see are actually subdomains of a domain on the server. For instance, if you had a VPS with a website domain of The hackers could setup a subdomain of Would you notice that?

Probably not.

Hackers could send out millions of SPAM emails from your server and you wouldn’t know until you started getting bounce-backs of emails that were blocked or were sent to non-existent email addresses. Or your hosting provider shuts you down or worse yet, your website customers start complaining.

Often times the reseller and shared hosting accounts are monitored by the hosting provider and those types of accounts don’t have the resources that a server (VPS or dedicated) has. That’s why hackers love VPS and dedicated servers.

What can done?

Prevention can take many paths. First, you can be certain that your server is not being used to send phishing SPAM. The second path is to reduce the amount of phishing SPAM your clients are subjected to. Next, make certain your server isn’t being used to distribute this phishing SPAM. Last, be diligent about the files on your server. Are any of them phishing files? If so, how did they get there?

One of the easiest steps to take is to make certain your SPF record is setup correctly. This works toward reducing the potential of hackers spoofing or forging one of your domains. Here’s our slideshare about this:

How to stop hackers from sending emails as you or your domain

There are many ways to reconfigure SpamAssassin in your cPanel to reduce the amount of SPAM your webhosting customers are subjected to. If they don’t see as much SPAM, there’s a greater chance they won’t be fooled by any of it and fall victim to the phishing SPAM.

Have your email queue checked frequently. If you see a higher than normal amount of email being sent out, have it investigated to be sure it’s not SPAM.

Finally setup file integrity monitoring on your website files. You’ll want to be notified quickly if any phishing files have been uploaded to your server. You’ll not only want to be notified, but you’ll also want to know how it happened.

The external website scanners don’t see the phishing files because there is no link from the website to the phishing files. The only way sites like phishtank can find these phishing files is from the large volunteer network they have. These volunteers will collect the phishing SPAM emails and record the phishing URL and post it on


It’s important that you focus on SPAM in general but definitely phishing files. A few steps, that require little time, can help you help others.

Education is the first step. Please share this with other VPS or dedicated server owners, web developers and others.

We all need to do our part to help make the Internet a safer place.

Thank you.


Website malware hijacks 500,000 computers

Proofpoint security researcher Wayne Huang has released a report detailing the inner workings of a cybercrime group that reportedly had control of about 500,000 devices.

The entire scheme begins with the cybercrime group buying stolen passwords from others. What passwords did they seek?

Website passwords!

They would upload a backdoor shell, which still allowed the website to function normally, but as the website owner would draw more visitors to the site, the cybercriminals would inject their code into the website’s files and infect the devices (computers, tablets, smartphones…) of those visitors. Website malware was used to infect the visitor’s devices.

The infected devices would be used as usual, but the cybercriminals would be receiving any banking login information and other logins – which was their original plan.

As an additional bonus, the cybercriminals would also rent access to these infected (now controlled by the cybercriminals) devices for other underground criminals to use as they wish.

Since most of us have anti-virus programs on all our devices, how did they get so many devices infected?

This group of hackers (cybercriminals if you prefer), used a service that checks their malicious code against all the anti-virus programs available. If the service found any that detected the malicious code, the hackers would use a variety of techniques to change the malicious code enough to “fly under the radar”.

Their website malware would only attempt to infect the devices of “regular” looking visitors. They had lists of IP addresses for various security companies and sites and their malicious website code would only be displayed for IP addresses not in their list.


This graphic is from the Proofpoint research.

Notice where it all starts on the far left – infected websites.

Still don’t think hackers want your website?

Guess again.

This research shows how important your website, or if you’re a website developer or webmaster, how important all the websites you work on, are to the cybercriminals. They need your websites. They want your websites.

The security researcher Huang was able to find the address of the cybercriminals control panel. Believe it or not, they had left it unprotected – no password required. Once in he was able to grab more information and presented it in his research paper.

Huang contacted some of the website owners when he found out who had the website malware on their sites. Many of them checked their sites with some of the online scanners and the reports came back clean. This was due to the work with the IP address list the hackers had built-in to their malicious website code.

Please understand that cybercriminals are not all going after the Targets, Home Depots and banks. Quite often they need your website to start their money making schemes.

If you have any questions about this or website malware in general, please either contact me at or post a comment.

Thank you for reading.


Website security plugins exploited

website security is only as strong as your weakest link
This post is not to bash or degrade the work that some security plugins do for website security.

We don’t believe in them, but that’s our opinion. You’re free to have your own opinion.

The purpose of this post is to drive home 3 main points:

  • There is no “set it and forget it” website security strategy
  • There is no substitute for updating – daily
  • Sometimes the function of website security is also the point of entry

During the month of September 2014, three main WordPress security plugins had some major vulnerabilities.

First (I believe) was WordFence. This plugin provides many security features for a WordPress site:

  1. Two-factor authentication
  2. File Integrity Montioring
  3. Firewall
  4. Blocks ranges of IP addresses
  5. Scans for over 44,000 different forms of malware
  6. and many other features

As of 9-29-2014, according to the WordPress Plugin repository, there were 3,223,158 downloads. This plugin receives some very high ratings as well.

In early September it was disclosed that this plugin suffered from some vulnerabilities.

Next, came the vulnerabilities of the All In One WP Security & Firewall plugin. This plugin:

  • Helps you change the admin username
  • Protects against brute-force attacks
  • Block ranges of IP addresses
  • Adds CAPTCHA to login forms
  • Automates backups
  • and other features

As of October 11, 2014 this plugin shows 475,663 downloads and again is very highly rated.

September of 2014 closed out with vulnerabilities in the BulletProof Security plugin. Some of the features of this plugin are:

  • htaccess Website Security Protection (Firewalls)
  • Login Security & Monitoring
  • Security Logging
  • Backups
  • HTTP Error Logging
  • and other features

As of October 7, 2014 this plugin has been downloaded 1,290,979 times.

For all 3 that’s potentially almost 5 million vulnerable websites. It’s actually less than that because quite often we remove malware from WordPress sites with all three plugins installed. I’m sure they’re not all properly configured, but they are installed.

You see, quite often people are looking for “plug and play” security. We know it doesn’t quite work that way. It sounds cliche but security is a journey, not a destination. You don’t someday do this and this and that and then you’re secure – forever.


That’s done.

website security is all finished!

Not quite.

If there was a website security strategy that was “set it and forget it” then there wouldn’t be any need for our industry (website security). Someone would have published a YouTube video or a downloadable PDF report detailing the steps involved in this apply once and never worry again strategy.

Instead, website security is more like, “lather, rinse, repeat”, only the lather is applying new layers of shampoo. In this case, updating WordPress and your plugins is the shampoo. It must be done consistently. I’m sure you don’t wash your hair once and then you’re good for life, right?

Website security strategy is the same way. What’s safe today, could be vulnerable tomorrow. You can’t rest on what you’ve done today.

While you’re scouring the Internet or the WordPress Plugin repository for that “one” magic plugin that will end all your website security worries, just remember, it too has to be updated. There is no substitute for good, sound security principals.

This isn’t the website security blame game

You’ll notice I didn’t elaborate on the specific vulnerabilities of these plugins. That doesn’t really matter. What matters is that each of these had updates very soon after learning of the vulnerabilities. They did what they’re responsible for.

Or as some of our customers say, “they did the needful”. After that, it’s your responsibility to apply their updates.

I’ve said it before, hackers only need one way in. You need to keep every potential point of entry secured. Your website security is only as strong as your weakest link. Don’t forget that.

If you have any opinions about this post, please post a comment. If you feel this is something to be shared, please do.

Thank you.