New CodeGuard Extended ChangeAlerts: Best of Both Worlds


CodeGuard ChangeAlerts Provide Peace of Mind

If you own a website, you should know when it has been compromised. With CodeGuard ChangeAlerts, you can have that confidence. Over the last three years, we have monitored thousands of websites and observed billions of file changes. Billions. We realized that webmasters cannot easily digest that volume of changes if it is delivered as a firehose: a raw list of every file added, modified, and deleted.

So we conducted focus groups and listened to our valuable customers. They told us what they wanted to see in the ChangeAlerts, and helped us find a better way to display information that would allow them to quickly gain peace of mind that their website was OK.

Many of our customers, however, liked the way the information was already presented, and we want them to be able to keep receiving ChangeAlerts in that form. Within the website settings tab, under Email Notifications, the Legacy option provides just that.

We are excited to announce a new format that brings the best of the Legacy option and the best of the new Summary option together.

Extended ChangeAlerts Now Available

Last week, we released our new ChangeAlert emails that allow customers to better stay on top of which files are changing on their website. We got great feedback that while the new emails helped tremendously to provide greater visibility into the important files changing, the old format was helpful to quickly scroll to see *everything* that had changed. So we’ve incorporated this feedback, and now offer three ChangeAlert styles: Summary, Extended, and Legacy.

CodeGuard ChangeAlert Options

The Summary format is what I described in the ChangeAlert update blog post, with sections for Totals, Overview, Website Files, Media and Other. The Extended format differs from the Summary in two ways. First, all website files that have changed are listed, instead of just the first ten. Second, the media and other files that have changed are listed under the Media and Other headings. In the Summary format, those files are not listed at all, since they are far less likely to indicate a problem.

 

CodeGuard ChangeAlert Extended

AP Hacked: Twitter Account Compromised


AP Hacked: Twitter Account Compromised at Approximately 1:07PM EST

In a developing story, the Syrian Electronic Army appears to have targeted the Associated Press and succeeded in compromising the AP's Twitter account, which then tweeted: “Breaking: Two Explosions in the White House and Barack Obama is injured”.

AP Twitter Account

Sam Hananel confirmed this, stating: “Please Ignore AP Tweet on explosions, we’ve been hacked.” But the POTUS is fine and the attacks did not occur. Spokesman Jay Carney says that “The President is fine”.

AP Hacked

The DJIA plunged almost 130 points after the tweet went live, but has rebounded since.

DJIA reacts to AP Hacked

Whether it is a media outlet's Twitter account or a website, we are reminded almost daily of how vulnerable our assets are. The Twitter compromise was most likely a phishing attack directed at AP writers. Whether the writers entered their full credentials or were the victims of session riding (a forged request sent through a browser that was already logged in), it is too soon to know.

-David

 

Stay on top of your website with new ChangeAlerts


New ChangeAlerts Help You Track File Changes

Last week, we released an update of our ChangeAlerts, a feature many of our customers value more than our secure cloud website backups. ChangeAlerts notify you when something on your website has changed, and are invaluable for detecting if your website has been compromised. URL redirects to scam sites, drive-by-download malware, and Blackhat SEO Spam (“Pharma Hack”) all rely on changes to your files. And with ChangeAlerts, now you will know if you have been victimized.

The ChangeAlert email summary is intended as a quick way to gain insight into what is happening on and to your website. If anything appears unusual, log into your CodeGuard account and view the detailed information there. The email is an abbreviated summary, not an exhaustive list.

CodeGuard ChangeAlert

Key Sections: Backup Total, Overview, Website Files, Media Files and Other

Backup Total: High-level for all files

Under the Backup Total section of the ChangeAlert, the summation of files added, modified, and deleted is displayed. This provides a quick snapshot of what is going on with your site.

Overview: Static and Dynamic File Granularity

The Overview section provides more granular information about the important static and dynamic files you should keep your eyes on. Static files are those rendered as-is in the browser; dynamic files require the server to generate the output. Depending on your website and configuration, other file types may be important to you as well; this list is not exhaustive, but serves as a starting point for the vast majority of our customers. HTML, CSS, JavaScript, .htaccess, PHP and Ruby files are the ones we place in the abbreviated overview. If any of these change and neither you nor your developer changed them, contact us immediately, as you may have been hacked.

Website Files: Individual file Listing

In this portion, you can view the names of the files that have changed. The old ChangeAlerts resemble just this portion – pure additions, deletions, and modifications, along with the truncated filenames. We will list up to ten of the file changes here, with the rest viewable upon logging into codeguard.com.

Media Files and Other: The rest of your content

Changes to images and video files are much less likely to be problematic, and therefore, are listed last. In this portion, you can view images, videos, and all other file types, which are grouped under “Other”.
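To make the sections above concrete, here is an added example (written for this page, not CodeGuard's own code) of the underlying technique: hash every file in two backups, diff the hashes, and sort the changes into the Website Files, Media and Other groups with a Backup Total and an Overview count. The extension lists and the sample site are assumptions constructed for the example; snapshot_dir() shows how to point it at a real web root.

```python
import hashlib
from collections import Counter
from pathlib import Path, PurePosixPath

# Extension groups used by the summary below (assumption: one plausible grouping for
# the file classes the ChangeAlert describes, not CodeGuard's actual rules).
WEBSITE_EXT = {".html", ".htm", ".css", ".js", ".php", ".rb"}
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".svg", ".mp4", ".mov", ".webm"}


def classify(path: str) -> str:
    """Return 'website', 'media' or 'other' for a site-relative path."""
    p = PurePosixPath(path)
    if p.name == ".htaccess" or p.suffix.lower() in WEBSITE_EXT:
        return "website"
    if p.suffix.lower() in MEDIA_EXT:
        return "media"
    return "other"


def snapshot(files: dict) -> dict:
    """Map each path to a SHA-256 of its content: the baseline to compare against."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_dir(root: str) -> dict:
    """Same as snapshot(), but read from a real web root on disk."""
    base = Path(root)
    return snapshot({f.relative_to(base).as_posix(): f.read_bytes()
                     for f in base.rglob("*") if f.is_file()})


def diff(baseline: dict, current: dict) -> dict:
    """Added / modified / deleted paths between two snapshots."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }


def summarize(changes: dict, limit: int = 10) -> dict:
    """Build the Backup Total / Overview / Website Files / Media / Other sections."""
    website, media, other = [], [], []
    overview = Counter()
    for kind, paths in changes.items():
        for path in paths:
            cls = classify(path)
            if cls == "website":
                website.append((kind, path))
                p = PurePosixPath(path)
                overview[p.suffix.lower() or p.name] += 1   # ".htaccess" has no suffix
            elif cls == "media":
                media.append((kind, path))
            else:
                other.append((kind, path))
    return {
        "totals": {kind: len(paths) for kind, paths in changes.items()},
        "overview": dict(overview),
        "website_files": website[:limit],          # Summary style: first ten only
        "website_not_shown": max(0, len(website) - limit),
        "media": media,                            # Extended style lists these too
        "other": other,
    }


# Constructed sample site (not a real customer's files): yesterday's backup ...
BASELINE_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';",
    ".htaccess": b"RewriteEngine On\n",
    "wp-content/themes/demo/style.css": b"body { margin: 0 }",
    "wp-content/uploads/logo.png": b"\x89PNG\r\n\x1a\n",
    "readme.txt": b"Welcome to WordPress.",
}
# ... and today's backup: .htaccess rewritten, a PHP file dropped into uploads,
# one new image, readme.txt removed.
CURRENT_FILES = {k: v for k, v in BASELINE_FILES.items() if k != "readme.txt"}
CURRENT_FILES[".htaccess"] = b"RewriteEngine On\nRewriteRule ^ http://example.net/ [R,L]\n"
CURRENT_FILES["wp-content/uploads/2013/04/cache.php"] = b"<?php header('Location: http://example.net/');"
CURRENT_FILES["wp-content/uploads/2013/04/cat.jpg"] = b"\xff\xd8\xff\xe0"


def demo() -> dict:
    """Run the whole pipeline on the constructed sample."""
    return summarize(diff(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)))


if __name__ == "__main__":
    report = demo()
    print("Backup Total:", report["totals"])
    print("Overview:", report["overview"])
    for kind, path in report["website_files"]:
        print(f"  [{kind}] {path}")
```

On the sample, the Overview shows one .htaccess and one .php change, which is exactly the line a site owner should stop and look at; the new image and the deleted readme land in Media and Other.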

ChangeAlerts provide industry-leading visibility into how the content on your website is changing. Stay on top of your site, and gain peace of mind, knowing that if a site is compromised or a malevolent employee defaces the site, you will be the first to know it.

-David

Hacked websites part of Yahoo! Mail exploit


An attack directed at Yahoo! Mail users is now being utilized to drive traffic to scam and phishing sites. In the middle of it all are innocent and legitimate businesses whose websites have been hacked. The hacked websites serve no malware, do not appear on blacklists, and pass McAfee and Symantec security scanners. Sites built on WordPress and Joomla have been discovered as hosts.

Whether the Yahoo! Mail users were compromised via the XSS (cross site scripting) vulnerability announced on Jan 7, 2013, or via something more sinister, such as a server compromise, the end result is the same: Yahoo! mail accounts are being used to send email to their address books, which greatly increases the likelihood of deliverability. Recipients of the emails click on the links, since they are from a trusted source.  If the recipient is a Yahoo! Mail user, there is a good chance that the website they click on, once rendered, will compromise their account and send emails to their contacts. The recipient, in addition to serving as a distribution vector, is also a target.

The scam: weight-loss products that fly under the radar of the FDA, drawing only occasional attention because, to paraphrase the FDA, these scams do not represent severe health threats, and with its limited time and resources the agency has more pressing things to do. How does the scam work?

Step 1: Email from a friend, pure SPAM, or Google Ad

The email shown below is what it would look like after your email service provider had received enough complaints to give you more information. This email was delivered to my inbox because it came from a trusted sender. Gmail is one of the best email providers, and prevents more spam than the leading competitors. This warning did not initially appear when the message arrived, however; it took time for Gmail to gather information and then start reporting the message as potentially harmful.

Yahoo! Mail Compromise

Another way the exploit could be initiated is that you search for Dr Oz within Google. Three ads pop up, and all appear innocuous. One even says “www.womensdigest.org” – that looks safe, right?

Dr Oz Google Search

Whether you received an email or you conducted a Google search, the outcome is the same, you end up clicking on something that takes you to a landing page.

Step 2: Fake Health Article Landing Page

You search for the latest Dr. Oz promoted snake oil in google and click on a promoted ad, or click on a link in an email – either from a friend or pure spam. Almost certainly, you are taken to a landing page that appears to be a consumer health or women’s health publication. On this fake landing page resides an article about the latest diet drops or pills, with a video of Dr. Oz. He has promoted the following over the last five years: Acai Berry, Raspberry Ketones, Green Coffee Bean, HCG drops, and most recently, Garcinia Cambogia.

Giveaways: Look at the URL. In the example below, it is actually “http://womenshealthmag.com-most-popular-deal.com/womens_healthgarcinia-a/garcinia1-index.php”. A quick glance at the logo would lead one to believe it is the Women’s Health site, and a quick glance at the URL would reinforce this. But the domain the scammer actually registered is “com-most-popular-deal.com”; “womenshealthmag” is merely a subdomain label they chose, and the “com-” at the start of the real domain makes the first two labels read like the legitimate site. Tricky, huh!
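An added example, not from the original post, that automates the “look at the URL” check: it separates the registrable domain from the subdomain labels and flags hosts where a brand name appears in a label the registrant controls, or where the registrable domain starts with a top-level-domain lookalike such as “com-”. BRANDS and the short suffix list are assumptions constructed for the example; a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Brands the fake landing pages imitate (constructed list; extend for your own environment).
BRANDS = ("womenshealthmag", "womenshealth", "mcafee", "yahoo")
# Minimal stand-in for the Public Suffix List (assumption: good enough for .com-style
# hosts and a few two-level ccTLD suffixes; use the real list in production).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
TLD_PREFIX_TRICKS = ("com-", "net-", "org-")


def registrable_domain(host: str) -> str:
    """The part of the hostname its owner actually registered (e.g. example.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze(url: str) -> dict:
    """Split a URL into registrable domain vs. subdomain labels and flag brand abuse."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    prefix = host[: len(host) - len(reg)].rstrip(".") if host.endswith(reg) else host
    sub_labels = [lbl for lbl in prefix.split(".") if lbl]
    # A brand name inside a subdomain label is the scammer's choice, not the brand's.
    brand_hits = [lbl for lbl in sub_labels if any(b in lbl for b in BRANDS)]
    # "womenshealthmag.com-most-popular-deal.com": the registrable domain starts with
    # "com-", so a quick glance reads the first two labels as the real site.
    tld_trick = reg.startswith(TLD_PREFIX_TRICKS)
    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain_labels": sub_labels,
        "brand_in_subdomain": brand_hits,
        "tld_prefix_trick": tld_trick,
        "suspicious": bool(brand_hits) or tld_trick,
    }


if __name__ == "__main__":
    for u in ("http://womenshealthmag.com-most-popular-deal.com/womens_healthgarcinia-a/garcinia1-index.php",
              "https://www.womenshealthmag.com/"):
        print(analyze(u))
```

The check is deliberately conservative: a brand in the registrable domain itself (www.womenshealthmag.com) is not flagged, since that is the owner's own name, while a brand pushed into a subdomain label (yahoo.com.example.net) is.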

Fake Women's Health Landing Page

Step 3: Link to e-Commerce Diet Pill site

There will be multiple links on the fake landing page to a webpage where you can place your order for whichever fake product was promoted on the landing page. These days, the rage is Garcinia Cambogia. While the links will have different titles, and seem to reference different articles or sources, they will all go to the same place, the e-Commerce site. Celebrity endorsements are common on these landing pages as well.

Step 4: Buy now at e-Commerce site

The last part of the chain is a website, likely to be laden with fake “trustmarks” (McAfee Secure, BBB Accredited, etc), and fake testimonials, that will collect your credit card information in short order. The landing pages are simple, with a limited form to collect your name, address, phone, and email. On the next page, you will be prompted for credit card information. Either on the first or second page trust marks will appear, and if you right click on them you will see that they are a single image, not a verified trust mark.

Garcinia Cambogia e-CommerceGarcinia Cambogia 2

Be careful and don’t trust diet products on the web

These scams abound, and the legitimacy of Dr. Oz is a key piece to the scams identified thus far. Fake trust marks from Symantec, McAfee, and GoDaddy are common. Whether you have interest in the weight-loss product or not, if you are referred to a site that resembles a consumer health site, with an article about a new breakthrough product, accompanied by a video of Dr. Oz, the site is a fake intermediary, set up with the goal of directing you to purchase the product. There will always be a link on this page that takes you to a separate site on which you can purchase the product.

Just because you got an email from a friend, or clicked on a Google ad, does not mean the end destination is safe. Even if the product looks appealing, do not enter any personal information, log out of your facebook/email/twitter accounts, and if anything suspicious occurs (if you are a Yahoo! Mail user, reset your password).

What about Yahoo! and CodeGuard?

We came across these scams because websites and webservers are being compromised to make this process work. Sitting in between the Yahoo! Mail recipients and the landing pages are redirecting webpages on sites with legitimate reputations. These redirecting pages are used so that, as landing pages and e-Commerce sites are reported and taken down, the ruse can continue with new landing pages receiving the traffic.

The key question is: when will the FTC and FDA step in? With limited research, it is blatantly apparent that a multi-level marketing scheme based around products marketed through Dr. Oz’s television show, is being used to defraud consumers.

Compromised Websites: WordPress & Joomla

We will explore how the compromised websites are being used. A member of our team received an odd email from a friend, and after firing up a virtual machine and turning off JavaScript within the browser, pasted in the link: http://www.iolcus.gr/kfaiyjg/ddswjet. A rapid redirect occurred, and this is the website that was displayed.

Fraudulent Landing Page

The subject line of the email was “Breaking news”, so the landing page seemed appropriate: a breakthrough weight-loss product. If that were real, it would definitely be breaking news. One big problem: the URL we entered was www.iolcus.gr, not mxxfox.com. Iolcus.gr’s website looks like this:

Hacked website: Iolcus.gr

This is a WordPress site, and from this screenshot you cannot tell that it has been compromised. For the redirect to work, someone must have been able to write files or configuration on the webserver. There are countless ways to get that access, so we won’t spend time on that part now. The important point is that I highly doubt Iolcus had any idea they were part of a diet-product scam. Another site that we observed to have been compromised was a Joomla! site.

Hacked website: Joomla!

This site was used to redirect to similar landing pages as we have seen already. Some cleverness exists in the process of the redirects that makes it difficult to follow everything that is happening.
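As an added example (not the original post’s, and not the actual code found on these sites), here is a scanner for the kind of redirect logic a compromised site ends up carrying: PHP Location headers, .htaccess rewrites to an external host conditioned on the referer or user agent, JavaScript location assignments, meta refreshes, and obfuscated eval() calls. The indicator list and the sample web root are constructed assumptions; scan_dir() runs the same rules over a real directory.

```python
import re
from pathlib import Path

# Indicators of injected redirect / cloaking code. Constructed for this example;
# tune the list to your own site, and treat hits as leads to inspect, not verdicts.
RULES = [
    ("php_location_header",      re.compile(r"header\s*\(\s*['\"]Location:", re.I)),
    ("htaccess_external_redirect",
                                 re.compile(r"^\s*(Redirect(Match)?|RewriteRule)\b.*https?://", re.I)),
    ("htaccess_cloaking_cond",   re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)),
    ("js_location_assign",       re.compile(r"(window|document|top)\.location(\.href)?\s*=", re.I)),
    ("meta_refresh",             re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I)),
    ("obfuscated_eval",          re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]
TEXT_EXT = {".php", ".html", ".htm", ".js", ".txt", ""}   # "" covers .htaccess


def scan(files: dict) -> list:
    """Return (path, line_number, rule) for every indicator found in the given texts."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, lineno, rule))
    return findings


def cloaked(findings) -> set:
    """Paths that redirect only under a referer/user-agent condition: the classic
    search-traffic hijack that the site owner never sees when visiting directly."""
    by_path = {}
    for path, _, rule in findings:
        by_path.setdefault(path, set()).add(rule)
    return {p for p, rules in by_path.items()
            if "htaccess_cloaking_cond" in rules and "htaccess_external_redirect" in rules}


def scan_dir(root: str) -> list:
    """Walk a real web root (skips binary-looking extensions)."""
    base = Path(root)
    texts = {f.relative_to(base).as_posix(): f.read_text(errors="replace")
             for f in base.rglob("*") if f.is_file() and f.suffix.lower() in TEXT_EXT}
    return scan(texts)


# Constructed sample web root: one tampered .htaccess, one dropped PHP redirector, two clean files.
SAMPLE_SITE = {
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo|bing|mail) [NC]\n"
        "RewriteRule ^.*$ http://example.net/landing [R=302,L]\n"
    ),
    "wp-content/uploads/2013/01/r.php": "<?php header('Location: http://example.net/go'); exit; ?>\n",
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>\n",
    "index.html": "<html><body>Hello</body></html>\n",
}


def demo() -> list:
    return scan(SAMPLE_SITE)


if __name__ == "__main__":
    for path, lineno, rule in demo():
        print(f"{path}:{lineno}: {rule}")
    print("cloaked:", cloaked(demo()))
```

The referer-conditioned rewrite is why the site owner sees a normal site when typing the address in directly while visitors arriving from a mail client or a search result get bounced to the landing page.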

Summary: When there’s smoke . . .

The processes used to market and sell these breakthrough diet products are complicated. Different companies seem to be involved in various aspects, with some sending spam emails, others using vulnerabilities to compromise webservers or commandeer users’ accounts without their knowledge, and still others using Google AdWords. Customers are driven to landing pages that mislead and deceive. And then customers click and pursue their weight-loss dreams.

At this point, while there is a mountain of evidence that signals something nefarious about not just the marketing techniques used but the underlying products themselves, we won’t comment further except to offer this one tidbit. Raspberry ketones were essentially unknown as a diet product before Dr. Oz mentioned them on February 6th, 2012. Since then, things seem to have progressed. You can research for yourself how green coffee beans, garcinia cambogia, HCG drops, African mango, and other miracle products have found their way to market.

Dr. Oz, Raspberry Ketones, and Garcinia Cambogia

WordPress Brute Force Attacks: Protect Yourself Now


WordPress Brute Force Attacks: Quick Simple Solution

Protect yourself by limiting wp-login.php to your IP address

WordPress Brute Force Attack

If you are a WordPress user, this is all you need to know: the WordPress brute force attacks that occurred last week can be mitigated with one simple technique, restricting which IP addresses can reach your wp-login.php page. That’s it. The reason last week’s attacks were so effective is that rather than a single computer guessing your password, tens of thousands of IP addresses were used, so each address made far fewer attempts than the per-IP thresholds the traditional alarm bells rely on, and the attack could proceed without tripping them.
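Added example, not from the original post, of why the distributed attack slipped past per-IP alarms: it tallies POSTs to wp-login.php from an Apache access log both per address and in aggregate. With 50 hosts making 3 guesses each, no address crosses a per-IP lockout threshold, while the aggregate count does. The log lines are constructed (TEST-NET addresses) and the thresholds are assumptions; the split between failed and successful logins relies on WordPress re-rendering the form with HTTP 200 on a bad password and redirecting (302) on a good one.

```python
import re
from collections import Counter

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, per_ip_threshold: int = 20, global_threshold: int = 100, min_ips: int = 10) -> dict:
    """Count login attempts against wp-login.php per IP and in aggregate.

    WordPress answers a failed login by re-rendering the form (HTTP 200) and a
    successful one with a redirect (HTTP 302), so POSTs can be split that way.
    Thresholds are assumptions for the example.
    """
    failed = Counter()
    successes = []
    for line in lines:
        rec = parse(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] == "302":
            successes.append(rec["ip"])
        else:
            failed[rec["ip"]] += 1
    total = sum(failed.values())
    offenders = sorted(ip for ip, n in failed.items() if n > per_ip_threshold)
    return {
        "failed_attempts": total,
        "distinct_attacking_ips": len(failed),
        "per_ip_offenders": offenders,            # what a per-IP lockout rule would catch
        "distributed_alert": total >= global_threshold and len(failed) >= min_ips,
        "successful_logins": successes,           # check these against people you know
    }


def constructed_log() -> list:
    """Sample log (constructed, TEST-NET addresses): 50 hosts, 3 guesses each, plus the real admin."""
    lines = []
    for i in range(50):
        for k in range(3):
            lines.append(f'198.51.100.{i + 1} - - [11/Apr/2013:10:{i:02d}:{k:02d} +0000] '
                         f'"POST /wp-login.php HTTP/1.1" 200 3890 "-" "Mozilla/5.0"')
    lines.append('203.0.113.7 - - [11/Apr/2013:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"')
    lines.append('203.0.113.7 - - [11/Apr/2013:11:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('203.0.113.7 - - [11/Apr/2013:11:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(analyze(constructed_log()))
```

A per-IP rule sees 3 attempts from each address and stays quiet; only the aggregate view (150 failed logins from 50 addresses inside an hour) reveals the attack, which is the gap the IP allow-list below closes by refusing every address that is not yours.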

But why rely on security plugins that may fail you when you can fix things yourself? Why install new software when the fix takes two minutes? And why settle for solutions that can still bring down your server under the strain of rendering the wp-login page for every guess? Instead, implement a fix that rejects the unwanted traffic at the web server, before WordPress and PHP ever run, which is the most resource-effective way to do it.

This is all that you need to do to protect yourself from a WordPress brute force attack:

  1. Identify your IP address (http://www.myipaddress.com/)
  2. Log into your server via FTP/SFTP or your hosting control panel’s file manager. HostGator’s file manager is below.
    HostGator File Manager
  3. Navigate to your .htaccess file (If it doesn’t exist, create it with a text editor)
    HostGator .htaccess
  4. Add this to the beginning (replacing the xxx.xxx.xxx.xxx with your IP address):
    # Only the listed address may request the login page; everyone else gets 403 Forbidden
    <Files wp-login.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    </Files>

Verify that your wp-login page cannot be accessed from a computer other than the one you are using: try it from your phone (on mobile data, not your Wi-Fi, which shares your public address) or a friend’s computer, and you should get a 403 Forbidden. Two caveats. If your ISP assigns you a dynamic IP address, the allow line will eventually stop matching and lock you out too; the fix is to edit the allow line again over FTP, or to list each address you work from on its own allow line. And this rule guards only wp-login.php; other endpoints that accept WordPress credentials, such as xmlrpc.php, are not covered and should be restricted the same way if you do not use them. (On Apache 2.4 the three order/deny/allow lines are replaced by a single Require ip xxx.xxx.xxx.xxx line inside the same Files block.) We are not claiming that this will protect you from all of the nefarious characters on the internet, but it does stop password guessing against the login page, however many IP addresses it comes from. Thanks to James Dunn from wpmu.org for providing much of the guidance.

Background Information

Last Thursday, April 11th 2013, hundreds of thousands (at least) of website owners across the globe became victims of a sophisticated attempt to gain access to the portions of their webservers controlled by the WordPress Content Management System (CMS). WordPress runs as an application on top of the server’s operating system (usually Linux), typically beneath the control-panel software shared hosting providers use to manage accounts. The leading control panels are cPanel and Plesk, produced by cPanel, Inc. and Parallels, Inc. respectively; some hosting providers use custom-made software instead. Notable users of each type:

  • cPanel: HostGator, Namecheap, WebHostingBuzz, BlueHost, A Small Orange
  • Plesk: Hostmysite.com, Media Temple
  • Custom-made software (GoDaddy, DreamHost, Endurance International vDeck properties: FatCow, iPage, etc). 

Vulnerabilities exist at each level of software installed: server (Linux), hosting provider (cPanel), and CMS (WordPress). I want to mention each level before focusing on the CMS and WordPress brute force attacks. To address only the CMS does a disservice, since a false sense of security can be created by closing every single window in the house if the front door is left open.

Server/Operating System/Hypervisor Vulnerabilities

Protection at this level is absolutely the responsibility of the hosting provider. WordPress users have no ability to control this, and only through picking a hosting provider focused on security can vulnerabilities at the hardware, operating system, and hypervisor be addressed. This equipment and software serves to create the base layer for hosting provider software to run.

Web Hosting Control Panels: cPanel, Plesk, vDeck, Custom

Locking down the control panel may be the responsibility of the hosting provider, or, if you are running a VPS or dedicated server, it’s on you. Vulnerabilities exist at this level and have been exploited: thousands of sites were hacked after a Parallels Plesk exploit was used (http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-sites-hacked). No system is impervious, and the more widely a piece of software is deployed, the more an exploit for it is worth to miscreants. Software exploits, while possibly indicative of poorly written code, are more often a sign that the software has become popular enough to be a target.

Content Management Systems: WordPress, Joomla, Drupal, etc

All content management systems have vulnerabilities. WordPress brute force attacks, however, just come knocking at the front door, again and again. The attacker simply guesses usernames and passwords, and the only limits on the attack are how fast your web server can answer “Yes” or “No” to each guess and how fast the attacker can send them.