What to do if you get hacked or phished?



On April 17th 2013, I woke to this email from my hosting provider:

>> Dear Jacalyn 

this is a notification that your service for your website has been suspended. 

Suspension reason: Phishing Site

Please submit a support ticket here: https//:blablabla.com

Service provider
www.bla.com >>

Half asleep I dismissed the email (ironically) as a ‘phishing’ attempt to gain my server’s login and password information. Half an hour later I checked my url: www.babydoesnyc.com (NOT THIS BLOG) to view a virtually blank page with the word: SUSPENDED, strewn across the screen. To say I was shocked is an understatement.  In fact I was too freaked out to do anything other than scan my host provider's website searching for a contact number.

I called them (located in Canada) and was informed by their representative that I had to submit a ticket from their client log-in site. In other words, they could not change the status of my url or explain how, when or why my url had been hacked over the phone.

I hysterically explained that there might be a chance my contact email had been hacked too and that hackers could in theory be tracking all of our communications. I requested that they conduct communication via my cell phone and then via a second email address. But they only operate an automated customer services process.

I submitted a ticket and waited. I requested information on what specific containment/repair work was being done, so that I could pass it along to my technician. They could not provide me with any data about the individuals who had been defrauded via the phishing pages attached illegally to my url. The ticket submission ‘back and forth’ system was excruciatingly slow.

Fortunately Google was more forthcoming. On April 16th 8pm Google sent me this almost jolly little email notification:


For clarification here are the pages Google reported on:

http://paypal.co.uk.babydoesnyc .com/update/0fb7a486a53a17156c9b0644e377edc4/processing.html
http://paypal.co.uk.babydoesnyc .com/update/2aed7731aef1c33bf8eb766d3e982b44/processing.html
http://paypal.co.uk.babydoesnyc .com/update/cc2ad792188e5aa4c49e11aabf9f572c/

This meant that hackers attached false pages to legitimate ones on my url. These pages looked like paypal.co.uk and paypal.com, only they were not. I contacted PayPal immediately and they confirmed that my account had not been compromised. But it did mean some visitors could be lured away to a 3rd party site masquerading as PayPal. 

Here is a snapshot of the Google warning page, if you had tried to land on my url before I got it contained:

Ouch!!

Between April 17-20 I continued to work with my host provider in removing all files associated with my url, both legitimate and illegitimate, in an attempt to: (a) contain and stop internet fraud, (b) contain the url and secure it, (c) reinstate my url as a legitimate site, (d) recover the sovereignty of my url, (e) alert online organizations of my experience to help broader efforts against hacking and other forms of online piracy.


How did this happen to me?

Disclaimer: this is a presentation of information that may shed light on my url’s compromised status. It is not a definitive accusation of guilt or liability.

It’s not that my url was big. In fact, the traffic was so slow it resembled a dripping tap. I had done nothing to promote it because I was building up the brand offline, locally and organically. Still, something had gone wrong. My url had existed unmolested since 2007 in one form or another. There were a few clues:

1) When the phishing happened my hosting provider maintained that the server was never compromised, only the website.

2) Six months previously I had uploaded a new website template from an off-the-shelf company. Was there an inherent weakness in this template's programming?

3) In early March someone claiming to be from a tech company based in India offered to run a free SEO report on my url. I thought this would be a good idea, as no personal information would be exchanged. I received two reports from the company, which I opened in Google view. No … I did not download the documents.

Here are the emails I received from persons purporting to be from this company (personal info hidden):

1) bla@bla.in

Hi,
Hope you are doing well.

In this era of cut throat online competition, it is not easy for a website to occupy a place on the first page of any search engine and reach its targeted audience without the help of unbeatable search engine optimization services. Therefore, search engine optimization has become the need of the present competitive business era, as this helps people to accelerate their online business by offering the website 1st page Google ranking and potential traffic.

Would you be looking to gain your potential customers/visitors online?
Would you be looking to generate traffic on your website?
Would you be looking to increase your sales/leads online?
Would you be looking to see your website in Top 3 positions in Google or other major search engine?

If yes, please reply me on this email with the list of keywords and domain, which you want to target.

We will analysis your website for free and send a free analysis report along with full SEO proposal that would not only improve sales of your company but also brand your products.

Waiting for your valued response.

Thanks & Regards,

A

2) I said “sure”.

3) Hi Jak,

Thanks for showing your interest in our services.
From here BDM (S) will assist you for further discussion.

Regards,

A

4) bla2@bla.com

Hi Jak,

Hope this find you well.

I am S at "Bla"

I analyzed your website that is really good, might be fulfilling your purpose and it will go up with right SEO strategy. After analyzing your given keywords, I will suggest you to not use all these as they are not very much business generated keywords for your website and will not fulfill your purpose.

I am attaching your given keywords searches (Globally and Locally) and the current ranking and some of facts about your website along with recommendations. Please have a look.   What we will do? My technical team will come up with more traffic and profit oriented keywords and your competitors full analysis once you clear your project running with us. We will also make you socialize among top Social Media Websites. We will increase likes of your company's Facebook page. We will promote your Fan Page. We will do blog promotion for your blog.

We charge 200 US$ for 10 keywords. For pricing module use this URL: "http://www.bla.html"

Mail me along with you further query if you have.  Waiting for your valued response.

Regards,
S
Skype: S
Gtalk: s@bla.com

5) I was not interested in using their services, primarily because “A” and “S” had two completely different email address providers. The company they directed me to had a CONTACT US page embedded in their url. So something felt ‘off’. I kind of just ignored them.

6) I received this email a few days later:

bla2@bla.com

Hi Jak,

I am still waiting for your response. Please let me know your interest level so that we can put our discussion further.

7) On March 15th I emailed "S" declining their services for the time being. That was our last correspondence.


Just over ONE MONTH later my url was suspended for phishing activities. Coincidence? You decide ….


Lessons learned?

I have learned a lot since my url was hacked. Hindsight is 20/20. I share this information with you in an attempt to help you prevent this type of experience. Here are my prevention tips:

Never ever engage an unsolicited offer to conduct any type of SEO or other service on your url.

Never provide email solicitors with any personal information, even confirming a url address.

Discuss security, hacking prevention and recovery protocol with your hosting provider or url designer BEFORE you launch your site.

When using off-the-shelf templates make sure that there are no back-door loopholes that can allow hackers into your site. Add extra security measures just to make sure. There are many Open Source malware patch apps. Check them out now.

Pick strong passwords for your main cPanel account, MySQL, FTP and mail users.

Never use the same passwords for different users. For example a MySQL user should not have the same password as your cPanel user or an FTP user.

It is essential that your cPanel user's password is not stored in any file on your account, in any form. Also please try changing the passwords frequently. Write them down in a notebook that you keep secure but handy.

Check whether all of your web applications are up-to-date. This includes any modules, components and add-ons you have added and/or integrated. Old applications carry known backdoors and vulnerabilities through which an intruder can easily gain access to your account.

Avoid having directories with permissions above 755. If your applications require such directories, try to put them outside your webroot (public_html) or place an .htaccess file in them containing "deny from all" to restrict public access to these files.

Download a handy PDF by APWG (internet watchdog) called “What to do if your web site has been hacked by phishers”, from this website: www.apwg.org

Ask your tech guy about “Hardening” your url. This is the process of securing an operating system. Use commercial and open source vulnerability scanners and security baseline analysis tools to identify unnecessary services, accounts, and improper configuration settings. The Center for Internet Security offers analysis tools and security templates for commercial and open source operating systems commonly used for web server hosting.

Restrict traffic flow at firewalls as tightly as practical. Only allow access to TCP or UDP ports where your authorized services are listening, and further restrict flows to the IP addresses of the systems on which you are hosting listening services. Restrict outbound traffic flows from servers as well.

Stay up to date. Web vulnerabilities are discovered and exploited on an almost daily basis. Subscribe to a vulnerability notification service offered by regional CERTs, SANS, and SecurityFocus.
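As an added example (not from the original post) tying together the permissions and .htaccess tips above, this POSIX shell script audits a constructed sample web root for directories with permissions above 755 and writes a deny-all .htaccess into each one it finds. The `Require all denied` form is the Apache 2.4 equivalent of the post's `deny from all`, and both are included so the file works on either version.

```shell
#!/bin/sh
# Added example, not from the original post: find directories under a web
# root that are writable by group or others (anything "above 755") and drop
# a deny-all .htaccess into them, as the post recommends.

# Print every directory under $1 that has group- or other-write bits set.
find_loose_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) | sort
}

# Count loose directories under $1 (handy for a cron check that alerts on >0).
count_loose_dirs() {
    find_loose_dirs "$1" | wc -l | tr -d ' '
}

# Write a deny-all .htaccess into directory $1. Apache 2.4 (mod_authz_core)
# reads "Require all denied"; older Apache 2.2 falls back to "Deny from all".
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Build a constructed sample web root in a temp dir, audit it, and protect
# the loose directories. Echoes the temp root so the caller can inspect it.
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/public_html/uploads" "$root/public_html/cache"
    chmod 755 "$root/public_html" "$root/public_html/images"   # fine
    chmod 777 "$root/public_html/uploads"                       # above 755
    chmod 775 "$root/public_html/cache"                         # above 755
    find_loose_dirs "$root/public_html" | while IFS= read -r d; do
        write_deny_htaccess "$d"
    done
    echo "$root"
}
```

On a real account, run `find_loose_dirs ~/public_html` and fix the permissions of anything listed; reserve the .htaccess for directories an application genuinely needs writable.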

Swimming with the phishers

Getting hacked is unfortunately a growing crime. Websites that attract high volume users are magnets to hackers. Hackers enjoy a challenge, cracking codes and overcoming firewalls. To them it’s a game and one that can be highly profitable. Knowing that components of my organic url were used to hook confidential information from innocent and potential customers is just awful. Add to that brand damage, a loss of genuine market confidence and the cost and time it takes to rectify a url, and you get the picture. It sucked.

Right now (April 21st 2013) this is what my url looks like:





There’s a saying “whatever doesn’t kill you makes you stronger”; I have to believe that this is true. In the eye of the hacking/phish storm one feels powerless and violated. Over time equilibrium returns and one discovers a golden opportunity to reinvent one’s brand presence. Learning from others like me might even keep you from a hacker’s reach. I hope so.


Jak Burke is a NYC fanatic and a lover of all things baby. She owns the IP Baby Does NYC. Visit her blog for useful updates: http://babydoesnyc.blogspot.com; and one day real soon be brave enough to check her url: www.babydoesnyc.com.
  
Questions? babydoesnyc@gmail.com

Baby Does NYC t-shirts, bibs and onesies are now available for wholesale. For individual sales contact Jak for an outlet near you. babydoesnyc@gmail.com


Baby Does NYC ™ Jak Burke Industries LLC, 2013

Article source material:
http://www.apwg.org
