By

SPAM for law firms

Since we started offering our VPS and dedicated server software, we’ve been handling many SPAM issues for clients. Not only outgoing, but incoming as well.

One recent rash of SPAM seems to focus on law firms. I’m sure others are receiving these as well, but our experience has mostly seen these emails sent to law firms.

The scenario begins with an email with a subject line like:

New Fax: 2 pages

The body of the message will be something like:

Scanned from MFP61725171 by (domain of recipient).com
Date: Tue, 1 Apr 2014 20:17:54 +0800
Pages: 2
Resolution: 200×200 DPI

It appears to be an internal fax. It will usually show the sender (From:) as fax@(domain of recipient).com and the number of pages will vary.

The email contains an attachment, typically a .zip file – obviously infectious.

When we look at the headers here’s what we see:

Return-path:

Envelope-to: willie.james@(domain of recipient).com
Delivery-date: Mon, 31 Mar 2014 10:15:53 +0000
Received: from [106.79.10.18] (port=49927)
by server.(server for client).com with esmtp (Exim 4.82)
(envelope-from )
id 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:
<6BY1VKL42LR58X56ARUF4VNG59U3YS6B@316-SN2MPN2-342.397d.mgd.msft.net>
From: "FAX"
To: john.assistant@(domain of recipient).com

Subject: New Fax : 5 pages
Thread-Topic: New Fax : 5 pages
Thread-Index: 9P7N7EWX4M3T3HCICOQW==
Date: Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:

Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/mixed;
boundary="----=_Part_49160_3775187661.5707552433783"
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:

MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: 092-SN2MMR2-965.296d.mgd.msft.net
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 09
X-Originating-IP: [106.79.10.18]
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Spam-Status: No, score=3.0
X-Spam-Score: 30
X-Spam-Bar: +++
X-Ham-Report: Spam detection software, running on the system
"server.(server for client).com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: You have received a new fax (fax-954672.zip). Date/Time:
Mon,
31 Mar 2014 15:45:51 +0530. Number of pages:5 [...]

This is a case where the spammers are spoofing the from email address so it appears to be an internal fax communication.

This line tells us it did not originate internally:
Received: from [106.79.10.18] (port=49927)

According to whois.domaintools.com (an awesome service, you should subscribe!) that IP address is in India. Our client was here in the United States. Therefore we know it was fake.
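The header check described above, as an added example that is not part of the original post: it walks the Received: chain outward from our own server, returns the first address that is neither private nor one of our relays (the line the post points at), and flags a From: address that claims the recipient's own domain while the message arrived from outside. The domains and the private-LAN control case are constructed placeholders; the public address and Exim id are the ones the post quotes. The whois/country lookup the post does at domaintools stays a manual step.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above: the domains are
# placeholders, the public address and Exim id are the ones the post shows.
FAKE_FAX = (
    "Envelope-to: willie.james@example-lawfirm.com\n"
    "Received: from [106.79.10.18] (port=49927)\n"
    "\tby server.example-host.com with esmtp (Exim 4.82)\n"
    "\tid 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000\n"
    "Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by\n"
    "\t115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id\n"
    "\t14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530\n"
    'From: "FAX" <fax@example-lawfirm.com>\n'
    "To: john.assistant@example-lawfirm.com\n"
    "Subject: New Fax : 5 pages\n"
    "\n"
    "You have received a new fax (fax-954672.zip).\n"
)

# Constructed control case: a real scanner on the office LAN relaying through
# the same server, so the only hop is a private address.
REAL_FAX = (
    "Received: from [192.168.1.25] (port=51200)\n"
    "\tby server.example-host.com with esmtp (Exim 4.82); Mon, 31 Mar 2014 10:15:53 +0000\n"
    'From: "FAX" <fax@example-lawfirm.com>\n'
    "To: john.assistant@example-lawfirm.com\n"
    "Subject: New Fax : 2 pages\n"
    "\n"
    "Scanned from MFP61725171\n"
)

# Matches "from [1.2.3.4]" (Exim style) or "from host.name ([1.2.3.4])" (Exchange style)
RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?:[\w.-]+\s+)?\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)


def received_chain(raw):
    """IP of each Received: hop, newest (our own server's line) first.
    Folded continuation lines are collapsed before matching."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(re.sub(r"\s+", " ", value))
        if m:
            hops.append(m.group(1))
    return hops


def first_external_hop(raw, trusted_nets=()):
    """Walk outward from our server and return the first address that is
    neither private nor one of our own relays. That is the line the post
    points at ('Received: from [106.79.10.18]'); looking that address up is
    the manual step that follows."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    for ip in received_chain(raw):
        addr = ipaddress.ip_address(ip)
        if addr.is_private or any(addr in net for net in trusted):
            continue
        return ip
    return None


def spoofed_internal_sender(raw, own_domain, trusted_nets=()):
    """True when From: claims our own domain but the message entered from an
    address we do not control: the 'internal fax' pattern in the post."""
    _, sender = parseaddr(message_from_string(raw).get("From", ""))
    claims_internal = sender.lower().endswith("@" + own_domain.lower())
    return claims_internal and first_external_hop(raw, trusted_nets) is not None
```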

If you use Outlook for email, you can see how to view the full headers by Googling “outlook view full headers”. If you use Outlook 2007, Outlook 2010, etc. you can further refine your search by adding that version. For instance you can use this in Google for Outlook 2007:

outlook 2007 view full headers

If you start getting these, just mark them as SPAM and move on with life. Your server is not infected. Your local computer is not infected either.

How hackers use your website

Due to our work in website security, quite often we’re asked “Why?”

As in, “why do hackers want my website?”

From this article by Webroot: http://www.webroot.com/blog/2013/07/11/new-commercially-available-mass-ftp-based-proxy-supporting-doorwaymalicious-script-uploading-application-spotted-in-the-wild/

you can see that sometimes hackers use your website as a proxy. A proxy is a buffer to their real location. Some of you ask if we can tell you exactly where the hacker is. Unfortunately we can’t. Not for any legal reason, but because hackers hide behind multiple layers of these proxies.

The website security industry would love to be able to track down hackers, but it’s rarely possible.

For instance, they might be in one country. Their computer connects to a server in South America (that they’ve already compromised), from there to a server in Switzerland, then to a compromised server in North America. The last IP address is all that will appear in your log files. In our example here, the last IP address would be from the compromised server in North America.

When we have access to the log files, we mine the IP addresses out of them and report them to the proper abuse department. This is a small step toward making the Internet safer, and is somewhat time consuming, but we do it to help notify others that they have an infected website or server.

That article also shows one of the tools hackers use to upload infectious content to your site automatically. Many of you believe that someone is sitting behind a computer attacking your website, or uploading malicious files to your site by hand.

Not at all.

Most, if not all, of today’s website infections are the result of an automated tool.

After one of the screen captures this caught my attention:

The tool works in a fairly simple way. It requires a list of user names and passwords, which it will then use to automatically upload any given set of files/scripts through the use of automatically syndicated fresh lists of proxies.

So, when the hackers have a list of compromised FTP users, they load it up in this tool and then they can send the same infectious code to hundreds or thousands of websites.

With the log files activated, we can see the FTP account used and the IP address of where the connection originated (the last proxy IP address).

Here’s our Website Security Best Practices for FTP accounts:

  • Create a separate FTP account for each user. Not all hosting providers allow this. Many only allow one. But if you’re with a hosting provider who provides cPanel, then you can create separate FTP accounts. Also make certain they have good strong passwords.
  • Activate the logs. Most hosting providers have the logs turned off by default. They know that nobody other than us ever reads the logs, so why consume so much disk space? Again, if you’re on a cPanel account, scroll down to the section labeled “Statistics” and select the “Access Logs” icon. It might be different on various hosts, but that should get you in the general area. You can check both boxes. If you’re not on a cPanel account, then ask your hosting provider.
  • If you provide access to a web developer or anyone else, ask them what anti-virus program they use on their local computers. Every potential point of entry needs to be accounted for. If they have a virus on their computer and it steals the login credentials for the FTP account you provided them, guess what? You could have the best website security team in the world (yes – us!) and your website will still get infected.
  • Be diligent about the FTP accounts. If someone that you’ve provided FTP access to no longer needs that access, then delete their FTP account. Remember, hackers only need one way in. Yes, this is a pain, but so is getting your website infected.

You’ll notice that we didn’t recommend SFTP as many do.

Why?

We understand how hackers work. While SFTP sounds more secure, the reality of it is – that it really isn’t.

All SFTP does is encrypt the traffic between your computer and the destination – your website. However, there are a few things to mention.

Most hosting providers will only allow you to create one SFTP account and frequently it’s the same account used to login to your hosting account. If you want to provide access to someone who will be making changes to your website – legitimate changes, you have to give them access to your hosting account. If you have 3 or 4 people who need access to your website files, now you have 3 or 4 more potential points of entry for hackers.

With only one account, you have lost the advantage of FTP logging. There will only be one account listed in there. If your website security is compromised, looking in your log files will tell you how it happened, but you have no idea who has the virus that is stealing the account information.

Which brings me to the last reason we don’t recommend SFTP.

We’ve seen the way the viruses/trojans work. They steal the login URL, username and password from your computer. It doesn’t matter if you’re using SFTP or FTP, it steals the login address and protocol. The hackers will log in and upload their malicious files using an encrypted channel (SFTP). They can thank you later for thinking of their need for security.

This is the same reason we don’t recommend changing the login URL and username for WordPress. When hackers steal the information you may have changed your login URL to http://(yoursite.com)/Supercalifragilisticexpialidocious and your admin user to: rumpelstiltskin, but when the hackers steal the information, they steal that as well.

Let me know your thoughts about this. Post a comment. Ask a question.

Thank you for your time.

BlackOS helps website hackers automate their “business”

Trend Micro has released a report which gives some details about the automation of website hacking. Their report: http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackos-software-package-sold-in-underground-forums/ set us off on a search for more information.

We found that this software allows hackers to manage large lists of stolen FTP credentials. The hackers can easily inject custom iframe code into compromised websites. The code can be modified to redirect visitors depending on their operating system (Mac, Windows, etc.), browser (Safari, Firefox, Internet Explorer, Chrome, etc.) and even different versions of those operating systems and browsers.

They can even customize their code to redirect based on the referrer (Google, Yahoo, Bing…) and country of origin.

When you see how the hackers talk about easily finding 10,000 websites, it becomes very alarming. One clip we found is this:

Approximately 15-20% have access to FTP SSH, you can also check behind mail + pass on base have access to FTP or SSH. – all accounts reviewed by our SSH server exploits to get root. With 10k SSH accounts you can get in the area of 500 root access to the servers!

What it appears they’re saying is that 15-20% of FTP accounts are also the credentials for SSH. If so, the hackers can gain “root” access via SSH.

Out of 10K accounts you can get about 500 with server root access! Simple backdoor is installed for all ‘root’s to elevate the rights for consequent access.

If you’re on a VPS or dedicated server, this type of access typically means complete server rebuild or reload. When they have root access it’s game over. They won.

Why do we bring this to your attention?

You have to constantly think about all the possible ways hackers have of getting into your server – always.

Frequently we see many FTP accounts created for the various websites on a VPS or dedicated server. If you’re going to host multiple websites on your server, please create a separate cPanel account for each site. That creates a separation between your sites.

Let’s be careful out there

If you’ve read anything online, undoubtedly there have been headlines about exploits, vulnerabilities, identities stolen and other compromises.

Are you one of the 9.3% using Internet Explorer 10 (IE10)? Hopefully, you keep your software updated, as Microsoft did squeak in a patch last Tuesday. However, if you haven’t, please stop reading this and update it and all other Microsoft patches immediately.

FireEye recently found a combination of watering-hole attack and drive-by download that utilizes the exploit in IE10.

You don’t know what a watering-hole attack is?

Let’s say the hackers find an exploit in a particular browser and they want to use that to infect the computers of people most likely to use that browser. They will find one or more websites that focus on that particular group of people. The hackers will then try to infect those websites with some drive-by download code. This means that anyone visiting those websites will be subject to the download which will infect their computer.

After the websites have been infected with the drive-by download code, hackers will blast out a series of SPAM emails that include a link to one of their infectious sites. The SPAM will be targeted to people in the targeted industry. This is called a watering-hole attack.

Just so you don’t think I’m focusing on Microsoft, these same types of attacks happen on Firefox, Chrome and yes, even on Macs.

Your best defense against these and other attacks is to keep your software updated – constantly. This doesn’t mean just your browser, but all Adobe products, your operating system and all other software programs installed on your computer.

April of 2014 will see the end of support for Windows XP and Office 2003. If you haven’t upgraded these yet, you should make plans. Without support from Microsoft, you will no longer get updates to that software. Hackers know there will be many people refusing to upgrade so not upgrading will make you the “low hanging fruit” for hackers.

In addition to keeping your software updated, please tell everyone you know to use strong passwords. This cannot be emphasized enough. About 30% of the websites we clean are the result of compromised passwords. Make it at least 9 characters long and DO NOT use common, related words.

A recent informal survey we conducted shows that many passwords end with either the year, 123 or the exclamation mark (!). If this sounds familiar, please change your passwords immediately.

One other key point that we’ve been “pushing” for some time now is to schedule daily full system scans with your anti-virus software.

Here’s why.

If the anti-virus company finds a new virus “in the wild” on Monday, they will analyze it and create a rule to detect it. On Tuesday you update your anti-virus software, either automatically or manually, and from Tuesday forward your computer is protected from being infected by that virus. However, if your computer was already infected by that virus on Monday, your anti-virus program won’t remove it until you run a full system scan.

That’s why it’s critical that you run full system scans – EVERY DAY!

If you have any questions, please either email me at: traef@wewatchyourwebsite.com or post a comment.

Let’s be careful out there, huh?

Thank you for reading.

Our business is a painkiller, not a vitamin.

I recently read an article on entrepreneur.com that asked the question, “Is your product a vitamin, or a painkiller?”

It got me thinking about the thousands of website owners we’ve talked with over the years of removing website malware.

We’ve been told, “You’re a saint!”, “You’re so awesome!”, “I love you for fixing this.” “You’re a genius!” and many other compliments.

You see, rarely do people “want” our service – until they need it. Then, it becomes a must have – immediately.

It appears that most website owners don’t believe they’re on the radar of today’s cyber criminals. They believe that hackers focus more on companies like Target and other high profile websites.

We get asked, “what do they want with my little website?”

I remember years ago, there was a book, “Multiple Streams of Income” by Robert Allen. In that book he describes the need to create multiple streams of income so that you slowly, but purposefully, build your net worth. This strategy protects you from the “all your eggs in one basket” disaster.

Hackers (cyber criminals) use this same strategy. A report from a few years ago by Symantec showed that hackers can make up to $1,000 per computer they infect. I believe this number might be a little high now as the cyber criminal world has increased in members, but it must still be relatively accurate.

Websites are at or very near the 1 billion mark. This creates various opportunities for cyber criminals. They can infect 1,000 or more websites in a week (yes they can!) and use 250 to try and infect the computer of anyone visiting those sites. The next 250 websites out of that 1,000 can be used for a phishing campaign that steals the banking login credentials of unsuspecting people. The remaining 500 websites can be sold to another cyber criminal who wishes to send out spam emails that lead people to the phishing websites.

Ah, all in a day’s work!

Hackers have many ways to use your website – for their nefarious purposes.

When it happens, people call us to remove the pain. We become their painkiller.

The pain they encounter includes:

  • Loss of search engine rankings
  • Complaints from visitors
  • A sense of being violated

Website owners want and need our services at that point. Then we become their painkiller. Not a vitamin.

Thank you for reading.

Our automated malware removal software for VPS and dedicated servers

As some of you know, we’ve been busy adding more features to our VPS and dedicated server software.

I thought it was time to let you know what we’ve been working on.

Currently our software works amazingly well at detecting the instant any files are changed or added to a VPS or dedicated server. If infected, it quarantines the original file and cleans it. If the infected file is a backdoor, it automatically removes it.

However, that is where our software stops – until now.

Our latest upgrade now reads the log files as well. So when a file in the themes folder of a WordPress site is infected, our software reads the log files and knows that it was the result of a stolen password. We now get a notification like this:

2013/12/23:06:03PM Samplewebsite.com had /public_html/wp-content/theme/xyz/index.php, header.php, footer.php files infected with the following code:
(malicious code would be displayed here)
According to the log files, a successful login was recorded from: 123.456.789.000 (show country of origin). This indicates that a stolen password was used.

So, not only will our software be able to clean the site, but it can also determine how it happened so we know, as your website security department, what to do to protect it.
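The log-file attribution described in the notification above, and the reason the FTP best-practices list earlier on this page insists on per-user accounts with logging enabled, as an added example that is not the company's software: given the infected files, it reads a standard xferlog transfer log (the wu-ftpd/proftpd format most cPanel FTP servers write), finds the completed uploads of those files, names the account and remote address behind them, and lists anything else that address uploaded as backdoor candidates. The log lines, paths, account name and addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample xferlog lines: the standard wu-ftpd/proftpd transfer log
# format (date, transfer-time, remote-host, size, path, type, special-action,
# direction i/o, access-mode, user, service, auth-method, auth-uid, status).
XFERLOG = """\
Mon Dec 23 09:12:40 2013 1 198.51.100.7 2210 /home/sample/public_html/wp-content/themes/xyz/style.css a _ o r webdev ftp 0 * c
Mon Dec 23 18:01:12 2013 1 203.0.113.45 4120 /home/sample/public_html/wp-content/themes/xyz/index.php a _ i r webdev ftp 0 * c
Mon Dec 23 18:01:13 2013 1 203.0.113.45 1980 /home/sample/public_html/wp-content/themes/xyz/header.php a _ i r webdev ftp 0 * c
Mon Dec 23 18:01:13 2013 1 203.0.113.45 1512 /home/sample/public_html/wp-content/themes/xyz/footer.php a _ i r webdev ftp 0 * c
Mon Dec 23 18:03:55 2013 0 203.0.113.45 88 /home/sample/public_html/wp-content/uploads/.cache.php a _ i r webdev ftp 0 * c
"""

# The files the malware scanner reported as infected (constructed paths).
INFECTED = [
    "/home/sample/public_html/wp-content/themes/xyz/index.php",
    "/home/sample/public_html/wp-content/themes/xyz/header.php",
    "/home/sample/public_html/wp-content/themes/xyz/footer.php",
]

XFER_FIELDS = ("transfer_time", "remote_host", "size", "path", "type",
               "special", "direction", "access", "user", "service",
               "auth_method", "auth_uid", "status")


def parse_xferlog(text):
    """Parse xferlog lines into dicts. Paths containing spaces are not
    handled; such lines are skipped as malformed rather than misread."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 + len(XFER_FIELDS):
            continue
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        entry = dict(zip(XFER_FIELDS, parts[5:]))
        entry["when"] = when
        entries.append(entry)
    return entries


def uploads_of(entries, infected_paths):
    """Completed uploads ('i' = incoming, 'c' = complete) of the infected files."""
    wanted = set(infected_paths)
    return [e for e in entries
            if e["direction"] == "i" and e["status"] == "c" and e["path"] in wanted]


def attribute_infection(text, infected_paths):
    """Build the kind of notice the post describes: which FTP account and
    which remote address wrote the infected files, and when."""
    hits = uploads_of(parse_xferlog(text), infected_paths)
    by_source = defaultdict(list)
    for e in hits:
        by_source[(e["user"], e["remote_host"])].append(e)
    report = []
    for (user, host), items in sorted(by_source.items()):
        first = min(i["when"] for i in items)
        report.append({
            "user": user,
            "remote_host": host,
            "first_upload": first.strftime("%Y/%m/%d %I:%M%p"),
            "files": sorted(i["path"].rsplit("/", 1)[-1] for i in items),
            # A real (non-anonymous) login that wrote the infected files means
            # the account's credentials were used, i.e. treated as stolen.
            "verdict": "stolen password: rotate this account's credentials",
        })
    return report


def other_uploads_from(entries, remote_host, exclude_paths):
    """Everything else the same address uploaded: backdoor candidates to review."""
    skip = set(exclude_paths)
    return sorted(e["path"] for e in entries
                  if e["direction"] == "i" and e["remote_host"] == remote_host
                  and e["path"] not in skip)
```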

Currently, for VPS and dedicated servers that are using cPanel, we can also determine if the infection came in through a form on the infected website, through FTP, or by many other methods.

As part of our next development, we are working on tying into cPanel so we can change passwords on the fly as well. Imagine that your site was infected due to stolen FTP passwords. Wouldn’t it be nice to have our software change the password for you, record it and save it? That would be like self-healing.

This would prevent a reoccurrence of that infection. We get notified, you get notified. It’s a beautiful thing.

We’re also working on auto-reporting to hosting providers. In our above scenario, we see that the IP address of: 123.456.789.000 is for a certain hosting provider. Our system will send an email with sanitized log file entries to abuse@… notifying that hosting provider that they have an infected site/server that is being used to launch attacks on other websites. We do this manually now and it’s been working quite well.

The hosting providers have been very quick to take care of the situation which just removes one more infected system from the Internet.

Another development in this latest update is that all file changes are sent to us. That way we can further analyze them to determine if a new type of infection has been released. With over 500 installations of our software on clients’ VPSs and dedicated servers, we’re growing our database of infectious code, which helps us – help you.

If you have any other needs or wants, please send them to me and I’ll research the idea and it could be included in one of our upcoming releases.

Questions? Let me know…

If you’re a hosting provider and would like to offer this to your VPS and dedicated server customers, feel free to contact me.

You can always contact me at: traef@wewatchyourwebsite.com

Thank you.

Internet Storm Center sets Threat Level to Yellow

Due to the appearance of exploits targeting the vulnerabilities in Internet Explorer 8 and Internet Explorer 9, Internet Storm Center (http://isd.sans.edu) has raised the Threat Level to Yellow.

You can read their write-up here:

https://isc.sans.edu/forums/diary/Threat+Level+Yellow+Protection+recommendations+regarding+Internet+Explorer+exploits+in+the+wild/16634

As always, update your browsers daily.

You know hackers will be infecting websites with code that will be targeting this vulnerability. This means that if your website is infected, anyone visiting your site while using Internet Explorer 8 or 9 could have their computer infected.

Please post back if you have any questions or comments.

Thank you.

FTP Password Stealing Malware

For years now, I’ve been writing about how often websites are infected by hackers stealing their CMS (WordPress, Joomla, etc.), FTP or hosting account login credentials.

I know that some of our competitors roll their eyes whenever we help someone in a forum seeking help with an infected website and we determine that their site was compromised due to stolen login credentials. However, our experience shows this to be a widely used method by today’s cybercriminals.

Here is a link to an article about how this malware works: http://vinsula.com/hunting-down-ftp-password-stealer-malware-with-vinsula-execution-engine/

In the article you’ll see how this malware works. It seeks certain files on your local computer and sends them to the hackers’ C&amp;C server (Command and Control server). You’ll see in that article that it also seeks out certain anti-virus programs and either disables them or reconfigures them.

One other interesting point of this article is how they obtained the malware – via an infected email. You have to be suspicious of all emails. We constantly see one that looks like it’s from LinkedIn, but if you hover over the link to see their profile before accepting their invitation to connect, you’ll see it does not go to www.linkedin.com. This is a very cleverly crafted email designed to infect the unsuspecting recipient.

Please share this with others. The more knowledge shared about how hackers (cybercriminals) work, the better and safer we’ll all be. Have any incidents like this to share? Let me know…

Thank you for reading.

What’s the best anti-virus program?

In cleaning infected websites and protecting them, we constantly see infected websites that have been infected due to stolen passwords.

Which passwords?

That all depends. Sometimes it’s the CMS (WordPress, Joomla, Drupal, etc.) or the ecommerce (Zen Cart, osCommerce, etc.). Other times it’s either the hosting account or the FTP account’s password that is stolen.

How can we tell?

There are numerous ways of determining when stolen passwords were used as the point of entry into a hosting account or website, but frequently we can see successful logins in the log files from places all over the world. Mind you, these are not attempted logins, but actual logins.

Oftentimes we can tell by the type of infection or where the infectious code is located whether or not the point of entry to an infected website was via stolen passwords.

How does this happen?

Typically there is a virus on someone’s local computer that is stealing the password. When this happens you can “cloak” your WordPress login page, you can have a 52 character password with multiple special characters, you can rename the admin account, but none of this matters as the password stealing viruses and trojans steal: the login URL, the username and the password.

This can also happen if you’re using SFTP or FTPS, the “secured” file transfer protocol.

Yes, this even happens to Mac users. Quite often we find that Mac owners don’t have any anti-virus program or they’re using ClamAV for Mac.

With everyone seeking “free” anti-virus programs, we typically recommend: Free version of Avast for Mac, or Sophos for Mac.

On PCs, the most used anti-virus program is Microsoft Security Essentials. That is not what we recommend, but that is what most people are using.

Today, I read an article that gives some details into why Microsoft Security Essentials may not be a reliable program to use if you’re trying to keep your PC safe.

Here is the article I read:

Please understand I am not a Microsoft hater. I don’t hate anyone. But in our efforts to lower our already low re-infection rate (currently at .048%) we like to recommend products that will save you money and be highly effective.

If you could take a minute, let me know what anti-virus program you use and whether you’re on a Mac or a PC.

Thank you.

Unauthorized access to drupal.org

We received an email yesterday:

Dear community member,

We respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about an incident that involves your personal information. The Drupal.org Security and Infrastructure Teams have discovered unauthorized access to account information on Drupal.org and groups.drupal.org. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

We have implemented additional security measures designed to prevent the recurrence of such an attack, and to protect the privacy of our community members.

The next time you attempt to log into your account, you will be required to create a new password.

Below are steps you can take to further protect your personal information online. We encourage you to take preventative measures now to help prevent and detect the misuse of your information.

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are stored salted and hashed. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted. To make your password stronger:

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to password@association.drupal.org.

We regret that this incident has occurred and want to assure you we are working hard to improve security.

If you have an account with drupal.org or groups.drupal.org you should definitely be changing your password. Also, if you use the same email address and password on other sites, you should change those as well.

Please note, if you read this carefully, the unauthorized access was due to third-party software on the server – NOT a vulnerability in the Drupal software – and it does not affect your own Drupal installation.

Just an FYI…