Targeted, now what? from blog The Technology blog and podcast


Targeted, now what?

Hello folks,

Disclaimer: I thought I’d take this opportunity to talk about something that happened, but yet, users have seen this type of thing before. If this doesn’t interest you, you may skip it. It may be technical, but yet, people might be interested in this.

You’ve probably gotten warnings from your browser that the site you’re trying to visit may not be safe. This is a true story, and one that happens all the time. Do you really know what goes on behind the scenes so that, if something is there that is not supposed to be, you can miraculously come back to the site after some time?

My provider E-mailed with some information that needed immediate attention across the network. I usually make sure the accounts have good passwords that match the password generator scale, and I always try to advise that the passwords on the accounts be at the meter’s score of 100. I forwarded the report to someone who can handle what it had to say, because I personally did not maintain this domain.

At the same time, a company called PhishLabs contacted the individual with similar reports, and the person had no idea what was happening.

Without going into detail on the report, the average user needs to know that web browsers today, especially Chrome and Firefox, have mechanisms in place to let the user know if a website is phished, hacked, or taken over.

What is Phishing? Webopedia Definition (accessed August 4, 2016): The page describes the act of sending an E-mail falsely claiming to be an established entity whose sole purpose is to scam the user. The user would be directed to a site, usually by E-mail, to get information to be used in identity theft, or another type of criminal activity the scammer wishes to use it for. For more information, please click through for the full definition word for word.

The Jared Rimer network can’t confirm if any type of E-mail was ever sent to the potential page or pages that the report found, and it was interesting what the report had to say. Both Firefox and Chrome reported the site as being a problem midweek of the particular week in question, even after the webmaster cleaned the server of the offending information.

Look at this as cleaning your computer of unwanted programs or data you no longer need. Webmasters need to follow these reports if gotten, to make sure their site is clean for visitors like you who come to it to get information, purchase things, or seek information that you may want that the site offers.

What was interesting about this whole thing is that the control panel was also flagged, and to this day, I am baffled why a control panel, which a website operator has access to, would be flagged. The control panel is similar to the Windows control panel where you have various options to set up various items such as accessibility controls, displays, and other aspects of the operating system. The web site panel has options to set up and maintain various aspects of the site such as blogs, E-mail, and maybe a shopping cart platform. Each site is going to be set up differently, and that makes it unique.

From what I am able to understand, the control panel was flagged based on the IP address, but once things got cleaned, that warning was removed.

The ticket created with us, along with giving us affected URLs, talked about Safe Browsing. The Safe Browsing initiative is Google’s project and I think it is a good one today. The URL talks more about the project and how things have grown. I do like the idea of what they are doing; even if it is intrusive, it is helpful in the end.

That portion of the E-mail as part of the ticket says: “Safe Browsing is a service provided by Google that enables applications to check URLs against Google’s constantly updated lists of suspected phishing and malware pages.

Google uses automatic algorithms and user feedback to compile lists of sites that may be dangerous. The two major types of dangerous pages on their lists are phishing pages and malware pages.

You are required to respond to this ticket, however your great source of assistance at this point would be Google themselves. We encourage you to obtain a Google Webmaster Tools so you can manage your sites there. You may obtain this account at the following URL by clicking the red “SIGN UP” link at the top right.”

The account holder in question saw the same thing, but how did they get there? The site in question did not have any type of PHP file, and so, just like cleaning your computer by removing files, we removed the offending files.

Sometimes, at least in the old days, files would not be deleted unless the machine was rebooted. Viruses were left in memory on the PC, so cleaning them with antivirus needed a reboot. Just like the home computer, a web server has, for its user, an antivirus program. I am personally not familiar with the web server version, but it was not giving us much help in identifying any issue, although I bet if we ran it, it may have.

There have been dodgy hosts who would leave sites up, even after getting complaints of such content on them. Several recent articles I’ve read indicate that phishing is on the rise, and it does not matter if you’re large or small. One such article is entitled: The Reincarnation of a Bulletproof Hoster (Aug 3, 2016) which talks about how a hosting provider practically did nothing about any reports it got and their eventual shutdown. The provider in question then changed names, and they even went so far as to have different names under their identity, thinking they couldn’t be tracked.

One of the things I usually do is to ask my users what they’re going to have on their sites before I sign them up and give them an account. It’s always a good idea to clean your computer once in a while, and for us webmasters, a good idea to check on sites and make sure they’re behaving themselves.

One thing we did on the affected account was to change the password on it. My question would be, how did the files come back online if the password was changed? Could they have gotten in another way? I don’t think we’ll know, although someone is still looking for things that are well long gone.

The reason why I had asked was because after we changed the password, I was alerted to the files being back on our server. A virus could do the same thing, put things back for it to run after it was cleaned. It does this by knowing what was deleted and it went to get what was missing again. After some further discussion, we think we were doing it the wrong way. There should be a specific way to do this type of cleanup.

This is what I sent my client. I removed the site name as it doesn’t matter. “We have a security alert in regards to (site removed) that needs immediate attention. The 4th through 6th links in the report, followed by the 9th through 12th. You may need Google Webmaster Tools to help you. Please let me know when this is resolved.”

I took the time to be specific about which URLs had the issue. They were strange files, not ones that I’ve ever seen on any site, and on top of it, the report came in that a brand new site along the network was also targeted with the same material. I’m quite confused.

What should we do?

First, as an internet user, be careful when you see these warnings. You definitely don’t want to get infected with whatever the browser may be telling you. If you know the person who runs the site, I would contact them by phone if possible to let them know of the issue. There may be an address they can give you to send an E-mail of the page in question you’re seeing. If you proceed with caution, look for things that are familiar such as a contact form to send an E-mail. Chances are, the provider has contacted them and they may have dealt with it, and if so, they’ll tell you to tell the browser it’s safe. That sends a report off to Google or Mozilla who will reinvestigate the page and make the correction accordingly.

If you’re visiting the site for the first time, and you see it, there are a couple of things. First, you could have mistyped the URL; double-check that and try again. If you still see the message, you can proceed with caution, or you may choose to leave it alone and possibly come back later. The WHOIS directory can have information on who to contact if the registrant allows that to be public.

Webmasters, I would take these reports seriously. According to the initiative’s page, Google will mark pages in search results that are not safe, which could hurt you. Be vigilant with your site by making sure you go up to the computer hosting it and looking from time to time to see if something doesn’t belong. That is usually your first clue. I would also get a Google Webmaster Tools account and put all the sites you run on it. Then, if you are attacked, they’ll be E-mailing you and you’ll know what’s up.

The Google Webmaster Tools will have you put up a file which is pretty much harmless, but they need it for verification only. You upload this file to the root of your directory and forget about it.

The various tabs of the Google Webmasters panel will show you errors, security alerts, and other things that might be of interest to fix.

Questions? Please feel free to reach out via E-mail or comment. I hope that this has been of use to you, and maybe you’ll find it of interest.


About the article

Targeted, now what? was released on August 8, 2016 at 8:30 am by tech in security news and commentary.
Last modified: August 7, 2016.

