Tag Archives for "phishing"

Email Scammers Get More Savvy

This brightened up my morning today. I get tons of spam like this but I have yet to see one that actually included my real name in the body. A few things about this are very cool:

  1. I never knew I had a relative named Michael Nedelko. It's even more ironic that my relative has a similar name to mine (my middle name is Michael).
  2. I never knew that my relative worked in West Africa as "Director of Produits petroliers" - although my French is a bit rusty I think that might mean he was the Director of Petroleum Products. Well done!
  3. Sadly, even though I never met my successful relative (the dude was worth over $10M!) the poor guy was the victim of a tragic plane crash. I hardly even knew ya.
  4. Happily, the money is in an estate account! Yippee! The lawyer was kind enough to track me down with all of this pertinent information. Thanks Lawyer person!

Sadly, this is the same old Nigerian email scam. It just seems they get better and better at composing their emails. Undoubtedly some poor schmuck will get a letter like this and send these people $10,000 to get the $10,000,000. But that poor schmuck probably already verified their banking and credit card information through a similar email.

Beware the Nigerian email scams, although if for some reason you're reading my blog I doubt you would fall for this kind of thing (at least I hope to hell you wouldn't).

Check out this email though - pretty impressive overall:

BARRISTER  HUDSON JUNE AND CHAMBERS
03 BP 2082,Cotonou,
Republique du Benin
E-mail: hudsonjune1970@yahoo.co.jp

ATTN: Daniel Nedelko

I am Barr. Hudson June, the Attorney at law to Late Mr. Michael Nedelko, a native/national of your country, who used to work as the Director of Produits petroliers (TOTAL BENIN) in Benin Republic West Africa Here in after shall be Referred to as my client..

On the 29th of April 2007, my Client, His wife and their three Children were involved in a plane crash and unfortunately lost their lives. Since then I have made several enquiries to your embassy to locate any of my clients extended relatives  but all efforts was just in vain.

After  these several unsuccessful attempts, I decided to track his last name over the Internet, to locate any member of his Family hence I contacted you. I have contacted you to assist in repatriating the money left  behind by my Client before they get confiscated or declared unserviceable by the bank (BANK OF AFRICA, BENIN REPUBLIC). These huge deposits were lodged particularly, with the "BOA" where the deceased had an account valued at about $10.5 million dollars (Ten Million Five Hundred Thousand United States Dollars).

The Bank has issued me a notice to provide the next of kin or have the account confiscated. Since I have been unsuccessful in Locating the relatives for over Six years. Now I seek your consent to present you as the next of kin of the deceased since you have the same last name so that the proceeds of this account valued at $10.5 million dollars can be paid to you and then you and I can Share the money 50% to you and 50% to me.  I will procure all Necessary legal documents that can be used to back up any claim we may make. All I require is your honest cooperation to enable us seeing this deal through.

I guarantee that this will be executed under a legitimate arrangement that will protect you from any breach of the law, but you must also agree not to disclose or pass any information related to this business to any body for security reason and to avoid eye brow, and the way we are going to achieve this is.

I will need the following information from you:

Your Full Name and Address,
Your Age, Occupation and Position,
Your Telephone, Mobile and Fax Number for Communication Purpose.

My private email address is :  hudsonjune1970@yahoo.co.jp  Please feel free to contact me immediately for further action.

Waiting to hear from you urgently.
Best Regards
Barr. Hudson June.


WordPress Injection Attack

March 4, 2009 Update: My plan has worked out very well and everything is back to normal without too much of an interruption. My request for Google site review took a total of 12 hours and it was completely handled through Google Webmaster Tools. Google spidered the entire site for about 6 hours checking every existing page on the site from Mountain View California. Around 6pm EST I was given a new notice in my Webmaster Control panel that the notice would be removed with the next update which took place about 90 minutes later.

I'd like to thank a few people who gave me some good advice. If this does happen to you, make sure that you:

  1. Remove any old plugins you may have, or update them.
  2. Ensure the source of the plugin is using best practices for PHP coding. If the plugin is not listed in the Official WordPress Plugins Directory then be careful.
  3. Add the following plugins: WP Security Scan and WordPress Firewall (Thanks to Ruud Hein for the suggestion!).
  4. Back up your content, themes, and plugins on a regular basis so a rollback is easy in the event that you are attacked again.
  5. Be careful of who you send your site to on Twitter! See the end of the post for the official Twitter email I received; this was the source of the attack.
  6. This one is obvious, but make sure your WordPress version is current, as many security fixes are implemented in point releases (e.g. 2.7.1).
  7. Secure your web server, or have your System Administrator or web host ensure that everything is in order.

/Update.

I woke up this morning ready to get to work and, as per usual, I checked my sites' indexes in Google, Yahoo and MSN. Even though it's a beautiful sunny day outside, I was shocked to see the following:

[Screenshot: Bad News for Tuesday Morning]

Bad news for Tuesday morning, to be sure. So the question is: what do I do, and how do I get this bad message off my search listing?

I'm not too concerned to be honest except for the fact that my site is vulnerable to this injection attack. I would love to smack the hacker that instituted this attack.

So first things first:

What is this message all about? Well, when I viewed the source of my site I saw what is called an obfuscated injection attack in the footer of every single one of my pages. This is a bit of a pain since I am using WordPress MU with a number of plugins.

That means that the hackers could have injected their little code block into my theme, my plugins, or the core WordPress MU files. Not a pretty thought to have to go through all of those areas to remove these individual code blocks. Bottom line: my site got hacked. What steps do I take to repair the damage that's been done?


My plan to remove the PHP injection attack:

  1. Identify which files on the web server are compromised.
  2. Identify if the compromised files are plugins, comments, themes, or WordPress Core files.
  3. If the compromised file is a plugin then determine if the plugin should be removed completely (is it the source of weakness?) or simply a victim and should be reuploaded and reactivated.
  4. Upload a clean version of WordPress MU core files. This prevents me from having to wade through all of the compromised files.
  5. Go through comments and identify any potentially malicious links to malware sites. I am very lucky since I have recently moved the domain to a new server since my previous horrible host disabled access to the phpMySQL instance through the cPanel (yes EMC Web Hosting Sucks NEVER use them). This will not be a huge issue.
  6. Go through my theme, which is a customized version of Revolution Theme by Brian Gardner. I frequently back up this theme, so restoring it is a simple matter of uploading the theme to the web server.
  7. Visit Google Webmaster Tools and submit a request for Google to audit my site to remove the malicious tagging on my site.
  8. Audit the entire site to ensure the malicious code is completely removed.
  9. Back up the theme again, ensuring I have the ability to restore clean code in the event that I am on someone's hacking list.
  10. Harden WordPress MU to ensure that this does not happen again.
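Steps 1, 2, 8 and 9 of this plan can be checked mechanically instead of by eyeballing every file. The script below is an added example of mine, not code from the original post or from WordPress: it hashes a known-clean tree (a fresh core download plus the theme backup) into a baseline, then audits the live tree for files that changed, files the baseline never had, and PHP/JS files carrying common obfuscation signatures. The directory layout, file contents and injected strings in `demo()` are constructed for the demonstration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristic signatures for injected, obfuscated PHP/JS (constructed list, not exhaustive).
SIGNATURES = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"preg_replace\s*\(\s*['\"].*?/e['\"]"),  # /e modifier executes the replacement
    re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),  # very long base64-looking blob
]

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(clean_root):
    """Hash every file in a known-clean tree (fresh core download plus a theme backup)."""
    clean_root = Path(clean_root)
    return {p.relative_to(clean_root).as_posix(): sha256_file(p)
            for p in clean_root.rglob("*") if p.is_file()}

def audit_site(live_root, manifest):
    """Map each flagged file (path relative to live_root) to the reasons it was flagged."""
    live_root, findings = Path(live_root), {}
    for p in (q for q in live_root.rglob("*") if q.is_file()):
        rel, reasons = p.relative_to(live_root).as_posix(), []
        if rel not in manifest:
            reasons.append("not in baseline")  # dropped file, or a plugin you never backed up
        elif manifest[rel] != sha256_file(p):
            reasons.append("modified since baseline")
        if p.suffix in (".php", ".js") and any(s.search(p.read_bytes()) for s in SIGNATURES):
            reasons.append("obfuscation signature")  # heuristic: review by hand, minified JS can trip it
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed sample: clean tree vs. live tree with an injected footer and a dropped file."""
    root = Path(tempfile.mkdtemp())
    clean, live = root / "clean", root / "live"
    footer = b"<?php wp_footer(); ?>\n</body></html>\n"
    for base in (clean, live):
        (base / "wp-content/themes/revolution").mkdir(parents=True)
        (base / "wp-includes").mkdir()
        (base / "wp-includes/version.php").write_bytes(b"<?php $wp_version = '2.7.1';\n")
    (clean / "wp-content/themes/revolution/footer.php").write_bytes(footer)
    (live / "wp-content/themes/revolution/footer.php").write_bytes(  # constructed injection
        footer + b"<?php eval(base64_decode('PHNjcmlwdD4=')); ?>\n")
    (live / "wp-content/plugins/x").mkdir(parents=True)
    (live / "wp-content/plugins/x/cache.php").write_bytes(b"<?php eval(gzinflate(base64_decode('abc'))); ?>")
    return audit_site(live, build_manifest(clean))
```

Run `build_manifest` against the clean copy before uploading it, keep the manifest off the web server, and rerun `audit_site` after the cleanup (step 8) and again later to catch a reinfection early.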

That's my plan. I am about halfway through it, but there are some serious issues at play here since it is not only Google that is tagging my site as malicious (bad for business!). Check out the number of blocks which exist:

Google Malicious Message:

I'm not Malicious but Google thinks I am

So the next step is to click on the SERP, and that's when Firefox jumps in:

After clicking the SERP Firefox jumps in and says I am bad too!

After clicking the SERP, Firefox jumps in and says I am an attack site. How fascinating, but just wait, it's not over yet when I get to the site:

Firefox toolbar warning

So clearly the powers that be and the tools on my computer are working hard to identify malicious sites. It is very clear that this site could be malicious, and even though it was through no intent on my part, the bottom line is that my site was hacked and turned into an attack site. This is a good line of warnings to any user, and in the time frame that I am repairing the site and hardening my WordPress to ensure this does not happen again, I don't really mind having these messages there.

They are good for users.

Update - Twitter just sent me the source of this injection attack:

Uh oh! We found a bad apple in your Twitter feed.

We detected a link in your account pointing to a phishing site or other harmful material that we identified as malware. Here's the troublesome post:

"@BlogDuJour hey there try out my blog [ your unsafe link was here ] - I am in the process of redesigning now but should be back to normal soon!"
March 02, 2009 22:07

We removed this update from Twitter. Please be mindful of others in the Twitter community, and post only safe links on Twitter.com.

Thanks! Twitter Support

