Oh, merry hackers!

Most hackers are stupid. (I’ll probably be hacked for writing that.) They like to demonstrate how clever they are by stealing passwords from the gullible, breaking websites with out-of-date software, and putting up truly idiotic messages on the web. This is like proving your cleverness by grabbing the purses of little old ladies, stealing 1973 Volkswagens, and spray-painting your name on people’s houses. Stupid.

And like a mindless virus, they are persistent. Whenever one matures enough to realize that messing up websites isn’t really a meaningful way to spend one’s life, another crop of teenage boys figures out how to visit hacker discussion groups, and the process continues.

Even though it’s not my job, I often find myself helping out folks who have been hacked and are trying to pick up the pieces. Today’s minor episode started with an email I received:

Dear Customer,

This is a notice that an invoice has been generated on 02/03/2009.

Your payment method is: 2CheckOut

Invoice #763
Amount Due: $19.94 USD
Due Date: 01/15/2009

Invoice Items

Personal – appact11.com (02/02/2009 – 02/14/2009) $4.99 USD
Domain Registration – appact11.com – 1 Year/s $14.95 USD
——————————————————
Sub Total: $19.94 USD
Credit: $0.00 USD
Total: $19.94 USD
——————————————————

You can login to your client area to view and pay the invoice at http://www.webhosting.com/billing/viewinvoice.php?id=763

Hosting Team

This is a “phishing” attempt. The email is bogus, invented simply to get people to click on the link and then enter their login information. I knew it was bogus by several indications:

  1. I never registered any such website (“appact11.com”). The hackers know I know this, but they hope that I will click on the link anyway to “clear up the misunderstanding.”
  2. The email didn’t come from any company that I recognize, and is deliberately vague (“Hosting Team,” “Dear Customer”).
  3. Despite how it appears, the link for the invoice actually went to an entirely different website. I could tell this without clicking, simply by hovering my mouse pointer over the link to see where it really led.

The link was actually to a website of an innocent fellow in Canada who does weddings, but the hackers obscured that by creating a secret web address on his site which looked like a standard login page. If you fell for this one, you’d probably enter your web host login and you’d get an error message that said you did it wrong. Since this is a fake, no combination of username/password would ever work. Eventually you might get tired of it, or realize your mistake, but by then it would be too late. The hackers would take the usernames and passwords you so generously entered and use them to hack your website, too.

The first guy who thought up this approach was clever, but the millions of followers who are doing it today are just copycats. It takes no special skills.

Being a good netizen, I wrote to the legitimate owner of the website and told him:

Sorry to be the bearer of bad news, but it appears that your website at www.namewithheld.com has been hacked. I received this email today (along with thousands of other people probably): …

… and then explained to him what “phishing” was, and told him what to do:

You need to have this cleaned off your site, then change all passwords related to your site. If you don’t know how, you should get someone experienced to help you.

I was a little trepidatious about reaching out in this way. A lot of people would assume I was the hacker. Others might respond with requests that I fix the problem, thinking that I was a higher level of good Samaritan than I am. I could get an angry email, or get sucked into a long series of explanatory emails. I wanted to help, but I didn’t have tons of time to spend on this.

Fortunately, this contact worked out well. Within a couple of hours, he wrote back:

I have contacted my web host and indeed my site was hacked. They have removed the contaminated files. I have reported the matter to Toronto Police Services and have also contacted the Ontario Provincial Police.

They informed me that this type of activity is very common. As it originates off shore there is little they can do about it. I am personally quite upset and feel somewhat victimized. I am very embarrassed that my site and reputation have been brought into disfavour. I am not sure what else I can do or say.

Thank you for being so watchful. I do appreciate it.

Why am I writing about this? Because hacks happen. Phishing attempts succeed. I hate to see it happen to innocent people and friends of mine. Anyone who uses the Internet needs to be at least a little educated about the hazards of it. A little mis-step in cyberspace can translate to an empty bank account in the real world. Take care, folks. It’s happening every hour of every day.

Comments

  1. says

    Thanks for posting this little snippet Rich. I haven’t yet come close to having this particular experience thankfully, but it serves as one more piece of arsenal when it comes to being a little more “net savvy”.
    And…..joy riding around in a ’73 VW is heads and shoulders above riding in a 73 lowrider Cadillac….but the notion is pretty much the same.
    What would be more fun of course, but a total waste of time, would be to hack the hackers.
    May you experience good internet Kharma…

    Regards from the Netherlands,

    Bob

  2. Malcolm says

    Rich,

    Thanks for reminding people of the dangers of blindly clicking away on embedded links in emails. I work for a major financial institution in Canada and we get over 10,000 attempts to hack every day! Our customers receive thousands, if not hundreds of thousands, of phishing attempts each month. You can’t be too vigilant!

    MD

  3. says

    Ok, my comment about the 73 VW didn’t come out right. What I meant was, stealing a 1973 car is no challenge and thus it is analogous to breaking into obsolete software. The weaknesses have long been demonstrated and so people who take advantage of them are just doing it because they read how to, on the Internet. I changed the wording in the post from “joy riding” to “stealing”.

    For the record, I used to own 1965 & 1967 VW bugs, and a 1966 VW bus and they were all fun to drive!

  4. CMLo says

    Just got this message in my SPAM folder. I check the spam folder all the time, to grab my legit emails. But this looked just like the one you have posted, but it is linking to AT&T

    Friday, February 6, 2009 7:48 PM
    From: “WebHosting”
    To: undisclosed-recipients

    Dear Customer,

    This is a notice that an invoice has been generated on 02/06/2009.

    Your payment method is: 2CheckOut

    Invoice #763
    Amount Due: $19.94 USD
    Due Date: 02/06/2009

    Invoice Items

    Personal – (02/06/2009 – 02/22/2009) $4.99 USD
    Domain Registration – 1 Year/s $14.95 USD
    ——————————————————
    Sub Total: $19.94 USD
    Credit: $0.00 USD
    Total: $19.94 USD
    ——————————————————

    You can login to your client area to view and pay the invoice at http://www.webhosting.com/billing/viewinvoice.php?id=763

    Hosting Team

  5. says

    Yep,
    Been getting porno and pill-pushing email from…my own email address…go figure…also getting emails telling me that Sears, or Target, or Home Depot, or-fill in your store of choice, telling me I have a bonus to be redeemed…thanks for the update, Rich…
    mike