“ISIS” Hacks: Is Your Site a Target?

By Laura

Over the weekend, a number of websites were hacked and defaced by a group claiming to be ISIS. While the FBI is reportedly investigating this act of cyberterrorism, there is no concrete evidence that it is linked to the Islamic State. In this case, claiming ties to an extremist group may be more about the shock value than an international threat. This is not the first time that a hacker has claimed to be linked to ISIS.

It is common for hackers to deface websites with their “calling card”, the image and message left behind to deface the webpage. In this case, it was a black banner with the ISIS flag. It included the message “Hacked by Islamic State (ISIS) We Are Everywhere ;) ”. Images like this can distract website admins from the real problem: hackers usually leave a backdoor or two so they can access the sites later. These backdoors allow hackers to easily enter websites, even if the administrator has changed the password.

Some reports suggest that these hacks are related to a plug-in vulnerability in WordPress.  WordPress is currently the most popular blogging system, used for over 60 million sites.  However, these hacks did not occur solely because these websites use WordPress as their platform.  It’s the updates and the plugins that you have to be concerned about.

Outdated software is one of the biggest weaknesses that cyberattackers exploit to hack websites. In fact, it can leave your whole computer system vulnerable. Software is updated or patched to fix bugs and improve functionality. If these updates aren’t performed, your system is left with holes for attackers to use.

Protect Your Website From Being Hacked

The best way to protect your website is to keep everything up-to-date, and to use a website security service.  The security experts at SparkTrust Certified can monitor your website 24/7.  If there are any issues, you get alerted right away.  Websites that have been hacked, or infected with malware, are immediately cleaned, so they are back online as soon as possible.  Sometimes this is only a matter of hours.  If a site is blacklisted by Google, SparkTrust’s reputation and industry relationships often result in a faster response time than if you were to contact Google yourself.

Take care of your website to avoid a hack like many experienced this week.  Website hacks are not usually a personal attack, but an exploit of system weaknesses.  Make sure that your platform is updated to the latest version, and that all plug-ins are up-to-date.  If you don’t have a lot of time for site maintenance, have security professionals, like those at SparkTrust, take care of it for you.

Watch out for a phishing scheme claiming to be from the Canada Revenue Agency

Beware of this phishing scheme that claims it is from the Canada Revenue Agency.


Inboxes around the country are receiving a phishing email that claims to be from the Canada Revenue Agency. The Canada Revenue Agency is warning people not to fall for this phishing scheme that focuses on an Interac email money transfer.

While the Canada Revenue Agency phishing emails can vary, the basic form of this identity theft attempt is:
Dear TaxPayer:
Canada Revenue Agency has sent you an INTERAC e-Transfer (previously INTERAC Email Money Transfer).
Amount: $487.29 (CAD)
Sender’s Message: A message was not provided
Expiry Date: 08 October 2014

Action Required:
To deposit your money, click here:
{fake URL here}
2014 Canada Revenue Agency (CRA) Online Support

The Canada Revenue Agency has gone out of its way to explain that these are phishing scams and not real communication from the CRA. On its website, the Canada Revenue Agency states:
People should be especially aware of phishing scams asking for information such as credit card, bank account, and passport numbers. The CRA would never ask for this type of information. Some of these scams ask for this personal information directly, and others refer the taxpayer to a Web site resembling the CRA’s, where the person is asked to verify their identity by entering personal information.

Learn how to avoid phishing schemes

One way to help yourself avoid phishing schemes is to use a premium antivirus. SparkTrust AntiVirus not only cleans and removes viruses, spyware and other malware; it also helps prevent phishing attacks by removing suspicious links from emails and blocking malicious websites. Download SparkTrust AntiVirus.


Don’t Get Hooked! Learn How to Avoid Phishing Schemes

Learn how to avoid phishing schemes. Image courtesy of Stomchak from Wikimedia Commons


Phishing schemes keep coming and you definitely don’t want to get hooked!

Being a victim of a phishing scheme can cost you financially and hurt your credit scores. A typical phishing scheme starts with you receiving an email purporting to be from your bank, a trusted online company, or even a well known charity. You are asked to click on a link that takes you to a website that looks legitimate. However, it is a fake page where cybercriminals hope to steal your confidential data. They will use this info to loot your account or commit identity theft.

You can avoid ending up on a phishing hook by taking some precautions:

  1. Avoid clicking hyperlinks in emails. It is best not to click a hyperlink in an email – especially if it comes from someone you don’t know personally. You never know where a link is going to take you! In most cases, you can navigate to a company’s legitimate web page through your browser and get to any page you need.
  2. Look for https. When you are entering financial or confidential info into a website, such as banking credentials or your credit card number, look for “https://” rather than “http://” in the url in your web browser. There should also be a secure lock icon in the bottom right hand corner of your browser, whether you are surfing with Internet Explorer, Firefox, or Google Chrome. The lock icon and https:// means that the page is encrypted and your info is secure.
  3. Use a premium antivirus. Quality antivirus software can help ward off all kinds of attacks. Malware can disguise your web address bar or mimic https:// links. A premium antivirus like SparkTrust AntiVirus finds and removes viruses, spyware, adware, keyloggers, Trojan downloaders, and other malware. This advanced antivirus product also provides premium phishing protection by removing suspicious links from your emails and blocking known malicious websites.
  4. Install a firewall. Firewalls are great to have and not just for phishing attacks. They prevent hackers from getting in to your PC and stop outward communication from malware. In regards to phishing schemes, firewalls can prevent malware from entering your PC and hijacking your web browser. SparkTrust AntiVirus offers an advanced firewall.
  5. Don’t enter confidential info into pop-up windows. A common tactic for phishing criminals is to pop up a window when you click on a phishing email link. This pop-up window could be set up to go over the window of a company you trust! You should close the window by clicking the “X” in the top right corner. If you click cancel on the phishing pop-up window, it might take you to another fake page or download malware to your PC.
  6. Watch your credit card and bank statements. Sometimes things happen and even the most security savvy people fall victim to phishing schemes. By watching your statements you can catch any irregularities early and contact your bank to have them fixed or cancel your credit card.

Keeping Online Shopping Secure

Online shopping is convenient and often less expensive than going to a store. You won’t have to pay for gas to drive to the mall, you can get online exclusive deals, and you may even avoid sales tax depending on where you live. Making payments online can open you up for a world of potential headaches, however. In the wrong hands, your credit card number or checking account information might lead to you becoming the victim of thousands of dollars of fraudulent charges that you don’t know about until it’s too late. Here are some tools that can help you to shop online securely.

Use Anti-Virus Protection

When you are under the protection of an Anti-Virus program like SparkTrust, your computer can detect when a site has compromised security or it’s not safe to enter payment information. This can stop you in your tracks before you make a purchase on a site that is unsafe. Anti-Virus software can also detect when someone tries to access your computer via an email link that is pretending to be from a reputable shopping site, or other malicious attempts for people to steal your information.

Look for a Security Lock

Once you’ve put items into your online shopping cart and are about to move on to purchasing, you should see a gold lock in the URL field. Depending on your browser, the symbol may also appear somewhere near the bottom of the screen. In any case, this is a sign that the payment path is secure and your data will be adequately encrypted. If you don’t see this symbol, don’t make a purchase on that website. It’s either an insecure site or has been temporarily compromised.

Check the URL

Sometimes scam sites pop up that are made to look like a legitimate site. Always manually type the URL of the website you want to visit into the browser, as opposed to clicking on an email link or a link on another site. Sometimes spoof sites are set up to look like a major retailer. In reality, these sites only exist to steal your payment information and potentially your identity. Instead of clicking on an email link to The Gap from a promotion email, for example, type “http://www.gap.com” in your web browser just to make sure you’re accessing the real deal.

Shop Over a Secure Connection

Avoid doing your online shopping in a coffee shop or anywhere you’re not logged into a secured connection. This allows someone to use the open wireless Internet network to hack into your computer remotely and potentially steal personal information. Always password protect your own home Internet network and use that network to shop. If you are at a friend’s home or at work, where you know that the connection is password protected, you are also safe to make purchases there.

In addition to exercising the above precautions, it’s wise to use a credit card when you shop online. If you pay via a debit card linked to your checking account, or provide a checking account number, you may not have the same fraud protections. A major credit card will generally reimburse you for fraudulent charges while your bank may not have the same policy.

Nothing but big phishes

I came across this PayPal phishing scam that I thought was kind of funny.


First time I see scammers ask for the account’s current balance! Do they not bother if your balance is too low? Maybe not ;-)

Jerome Segura

Achtung: this site may harm your computer!

This German website for a PC repair company warns its users about the DNS Changer Trojan and advises to check if one’s computer is infected.


However what they don’t know is that their own site is compromised with malicious code and will infect unpatched PCs…


The JS code redirects to a bad site (vesuqpu.ru/count7.php). Wepawet report here.

Jerome Segura

Anonymous site hosts malicious script

The site: www.anonstillalive.com hosts a malicious script:

It looks like an automated injection to me because it is right after the <body> tag.

Wepawet report (http://wepawet.cs.ucsb.edu/view.php?hash=5600b7a8b41a216d6f2cb4b353590076&t=1340388312&type=js) shows an iframe to http://zfhbsvcererr.myredirect.us/?go=2

Thankfully the page has been parked.

Jerome Segura

Canada Post Phishing scam and malware served from your local preschool

This is a clever phishing scam that targets Canadians:

I say clever because beyond the legitimate looks, the payload is distributed by a malicious URL combined with a legit one.

One thing we always tell people is to never trust links, even if they look fine. This is because it is easy to create a hyperlink that says: http://www.goodsite.com but instead really is http://www.badsite.com.

Let’s take a closer look:

By placing the mouse cursor over the link (NO CLICKING!!), you can see in the taskbar that this indeed is a match for the real site. If you did click on it, you will be sent to Canada Post’s official website:

At that point, you think this email must be legit after all and you are ready to click on the second link. That’s the catch!

Here I repeat the same mouse over process but look at the URL: it is NOT the same!! Sneaky…

What we have here is a zip file called shipment_capost_invoice.zip:


If you open it up, it contains the malicious file the bad guys want you to run:

The file is poorly detected by Anti-Virus products. (VirusTotal 3/42).

Let’s take a look at where this file is hosted: dayspringpreschool.org

This is the site for a preschool in California. They probably aren’t aware that they are being used to host a malicious file used by scammers. (I will let them know soon).

They are running the Content Management System (CMS) Joomla!:

and it is out-of-date (Joomla version 1.5.15; current is 1.5.26), which could very well be why the site got hacked.

Speaking of out-of-date, WordPress released version 3.4 today, so if you haven’t updated your CMS yet, do so quickly :-)

Hat tip to Marlee for reporting the phishing email.

Jerome Segura
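The hover check from the Canada Post post can be automated on the HTML body of a message. The following is an added example, not code from the original post: it flags links whose visible text names one host while the `href` points to another, whose host is not on a trusted list, or which download an archive or executable. The host `compromised-host.example`, both link texts, and the function names are assumptions made for illustration; only the zip file name comes from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?=[/:?#]|$)", re.I)

def host_of(url):
    """Lower-cased hostname without a leading 'www.'."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {host_of(h) for h in trusted_hosts}
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text, href, self._href = "".join(self._text).strip(), self._href, None
        target, shown, reasons = host_of(href), URL_LIKE.match(text), []
        if shown and host_of(shown.group(0)) != target:
            reasons.append("text-shows-different-host")
        if target not in self.trusted:
            reasons.append("host-not-trusted")
        if urlsplit(href).path.lower().endswith((".zip", ".exe", ".scr")):
            reasons.append("downloads-archive-or-executable")
        if reasons:
            self.findings.append({"text": text, "href": href, "reasons": reasons})

def audit_links(html, trusted_hosts):
    auditor = LinkAuditor(trusted_hosts)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: placeholder host and link texts, zip name from the post.
SAMPLE = ('<a href="http://www.canadapost.ca/">www.canadapost.ca</a> '
          '<a href="http://compromised-host.example/shipment_capost_invoice.zip">'
          'http://www.canadapost.ca/invoice</a>')
```

Calling `audit_links(SAMPLE, ["canadapost.ca"])` passes the first link and reports the second with all three reasons.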

Password sharing site gets hacked, redirects to adult site

These guys have an ‘interesting’ business model which consists of providing you with passwords for popular websites (torrent, file sharing sites) if you take a couple of minutes of your time to answer a survey.

Sounds fishy? Right, I don’t like it too much either. However, this is not where the problem lies. The site itself has been hacked:

and redirects the user to an adult site instead:

At least the site content is within the realm of what file sharing people are used to…

Jerome Segura

LinkedIn passwords leaked, cracked

LinkedIn, the popular networking site, was hacked and more than 6 million passwords were leaked. The breach was confirmed today.

It took only minutes for the full dump of passwords to spread virally (combo_not.zip)

The decompressed file weighs 258 MB and contains 6458019 lines of hashed passwords.

LinkedIn hashed the passwords (meaning they created a checksum of the plain text strings) but did not apply any other level of security, including salting.

For example the password ‘password’ was stored as e4c9b93f3f0682250b6cf8331b7ee68fd8 (SHA1).

It is trivial to find the original (clear text) password using tools such as hashcat:

It is quite interesting to look at passwords people use… it reveals a lot about human nature ;-) Warning, coarse language ahead!

LinkedIn announced that they are taking immediate action by blocking accounts that have been affected as well as introducing new security measures (in the form of salting their passwords).

This is a reminder that there is no total security. However, strong passwords are still a great protection. For example, to retrieve those passwords hackers use a ‘wordlist’ or dictionary attack. That means if your password was weak, it will be uncovered in seconds. If your password was fairly complex, it will take hackers a lot of pain and effort to crack it.

On that topic, we should change the word password to passphrase. The term is so much more meaningful and shows that actual phrases such as ‘Jimmylovescarsespeciallyatnightonchannel99’ are so hard to crack versus your typical password.

Jerome Segura
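The storage problem described in the LinkedIn post, shown next to a salted alternative. This is an added example, not LinkedIn's code or code from the original post: it contrasts bare SHA-1 with a per-record random salt plus an iterated key-derivation function (PBKDF2-HMAC-SHA256), which goes one step beyond the salting the post mentions. The account names, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def sha1_unsalted(password):
    """Storage as the post describes it: a bare SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password, iterations=600_000):
    """Salted, iterated storage: a fresh 16-byte random salt for every record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the record's own salt and compare in constant time."""
    _scheme, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_records(store):
    """Groups of users whose stored value is identical, so anyone holding
    the dump can see they chose the same password."""
    groups = defaultdict(list)
    for user, record in store.items():
        groups[record].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed accounts; the passwords are the two examples quoted in the post.
USERS = {"alice": "password", "bob": "password",
         "carol": "Jimmylovescarsespeciallyatnightonchannel99"}

def build_stores(iterations=600_000):
    """Return the same accounts stored both ways: (unsalted, salted)."""
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations) for u, p in USERS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("identical unsalted records:", shared_records(unsalted))
    print("identical salted records:  ", shared_records(salted))
```

With unsalted SHA-1, every account using the same password has the same stored value, so one computed digest matches all of them at once. With a per-record salt, each record has to be attacked separately, and the iteration count makes every guess slower.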