Keeping Online Shopping Secure

Online shopping is convenient and often less expensive than going to a store. You won’t have to pay for gas to drive to the mall, you can get online-exclusive deals, and you may even avoid sales tax depending on where you live. Making payments online can open you up to a world of potential headaches, however. In the wrong hands, your credit card number or checking account information can turn into thousands of dollars of fraudulent charges that you don’t find out about until it’s too late. Here are some tools and habits that help you shop online securely.

Use Anti-Virus Protection

When you run an anti-virus product like SparkTrust, it can block sites already known to be malicious or to host phishing pages before you enter payment information, stopping you in your tracks before you buy from an unsafe site. It can also flag an email link that pretends to come from a reputable shopping site but actually leads to malware or a page built to steal your login and card details. This kind of blocking only works for sites that are already known to be bad, so treat it as one layer of protection and still apply the checks below.

Look for a Security Lock

Once you’ve put items into your online shopping cart and are about to pay, you should see a padlock icon in the browser’s address bar (older browsers showed it near the bottom of the window). The padlock means the connection to that site is encrypted (the address starts with https://), so your card details cannot be read or altered while they travel between your computer and the site. It does not mean the site itself is honest: a scam site can obtain a certificate and show a padlock too, so combine this check with the URL check below. If the padlock is missing on a payment page, the connection is not encrypted; don’t enter your card details there.

Check the URL

Sometimes scam sites are set up to look exactly like a major retailer. In reality, these sites exist only to steal your payment information and potentially your identity. Always type the retailer’s address into the browser yourself rather than clicking a link in an email or on another site. Instead of clicking a link to The Gap in a promotional email, for example, type “” in your web browser to make sure you’re reaching the real site.

Shop Over a Secure Connection

Avoid doing your online shopping in a coffee shop or anywhere else you’re on an open wireless network. On an open network, anyone nearby can capture or tamper with traffic that isn’t encrypted, and a rogue access point can pose as the legitimate one. Password-protect your own home network and use that network to shop. A friend’s home or your workplace is also fine when you know the connection is password protected. Even then, only enter card details on pages that show the padlock.

In addition to exercising the above precautions, it’s wise to use a credit card when you shop online. If you pay via a debit card linked to your checking account, or provide a checking account number, you may not have the same fraud protections. A major credit card will generally reimburse you for fraudulent charges while your bank may not have the same policy.

Nothing but big phishes

I came across this PayPal phishing scam that I thought was kind of funny.

This is the first time I have seen scammers ask for the account’s current balance! Do they not bother if your balance is too low? Maybe not ;-)

Jerome Segura

Achtung: this site may harm your computer!

This German website for a PC repair company warns its users about the DNS Changer Trojan and advises them to check whether their computer is infected.


However, what they don’t know is that their own site is compromised with malicious code and will infect unpatched PCs…


The JS code redirects to a bad site ( Wepawet report here.

Jerome Segura

Anonymous site hosts malicious script

The site: hosts a malicious script:

It looks like an automated injection to me because it is right after the <body> tag.

Wepawet report ( shows an iframe to

Thankfully the page has been parked.

Jerome Segura

Canada Post Phishing scam and malware served from your local preschool

This is a clever phishing scam that targets Canadians:

I say clever because, beyond the legitimate looks, the payload is distributed by a malicious URL combined with a legit one.

One thing we always tell people is to never trust links, even if they look fine. This is because it is easy to create a hyperlink that says: but instead really is

Let’s take a closer look:

By placing the mouse cursor over the link (NO CLICKING!!), you can see in the taskbar that this indeed is a match for the real site. If you did click on it, you will be sent to Canada Post’s official website:

At that point, you think this email must be legit after all and you are ready to click on the second link. That’s the catch!

Here I repeat the same mouse over process but look at the URL: it is NOT the same!! Sneaky…
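The mouse-over check above can be automated. The following Python script is an added example for this page (not code from the original post or from SparkTrust): it pulls every link out of an HTML email, compares the host shown in the link text with the host the href actually points to, and flags anything that does not land on the expected domain. It also covers the lookalike-domain case from the “Check the URL” advice earlier on this page. The email body, the hosts under the reserved `.invalid` TLD and the trusted domain `canadapost.ca` are constructed for the demonstration.

```python
"""Flag e-mail links whose visible text does not match where the href really goes.

Added example for this page; not code from the original post. The sample e-mail,
its *.invalid hosts and the trusted domain are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the mismatch described in the post.
SAMPLE_EMAIL = """
<p>Your parcel could not be delivered. Please print the shipping label.</p>
<a href="https://www.canadapost.ca/">https://www.canadapost.ca/</a>
<a href="http://preschool-example.invalid/files/label.zip">https://www.canadapost.ca/track/label</a>
<a href="https://www.canadapost.ca.example.invalid/login">www.canadapost.ca</a>
<a href="https://www.canadapost.ca/cpotools/">Track your item</a>
"""

# Does the visible link text itself look like a URL or a bare domain name?
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(s):
    """Lower-cased host of a URL or bare domain; None if there is none."""
    if "://" not in s:
        s = "http://" + s          # bare "www.example.com" in link text
    host = urlparse(s).hostname
    return host.lower() if host else None


def is_same_site(host, domain):
    """True when host is `domain` itself or a subdomain of it (never a lookalike)."""
    return host == domain or host.endswith("." + domain)


def check_links(html, trusted_domain):
    """Return (href, text, reason) for each link that should not be clicked."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = hostname(href)
        shown = hostname(text) if URL_LIKE.match(text) else None
        if target is None:
            findings.append((href, text, "href has no hostname"))
        elif shown and not is_same_site(target, shown):
            # The trick from the post: the text is one URL, the href another.
            findings.append((href, text, f"text shows {shown} but link goes to {target}"))
        elif not is_same_site(target, trusted_domain):
            findings.append((href, text, f"link goes to {target}, not {trusted_domain}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL, "canadapost.ca"):
        print(f"SUSPICIOUS: '{text}' -> {href}  ({reason})")
```

Run against the sample, the second and third links are reported: one because its text is a Canada Post URL while the href goes to the (constructed) hacked host, the other because `www.canadapost.ca.example.invalid` merely starts with the real name. The first and fourth links pass because their href really is under the trusted domain.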

What we have here is a zip file called

If you open it up, it contains the malicious file the bad guys want you to run:

The file is poorly detected by Anti-Virus products. (VirusTotal 3/42).

Let’s take a look at where this file is hosted:

This is the site for a preschool in California. They probably aren’t aware that they are being used to host a malicious file used by scammers. (I will let them know soon).

They are running the Content Management System (CMS) Joomla!:

and it is out of date (Joomla version 1.5.15; current is 1.5.26), which could very well be why the site got hacked.

Speaking of out-of-date software, WordPress released version 3.4 today, so if you haven’t updated your CMS yet, do so quickly :-)

Hat tip to Marlee for reporting the phishing email.

Jerome Segura

Password sharing site gets hacked, redirects to adult site

These guys have an ‘interesting’ business model which consists of providing you with passwords for popular websites (torrent, file sharing sites) if you take a couple of minutes of your time to answer a survey.

Sounds fishy? Right, I don’t like it too much either. However, this is not where the problem lies. The site itself has been hacked:

and redirects the user to an adult site instead:

At least the site content is within the realm of what file sharing people are used to…

Jerome Segura

LinkedIn passwords leaked, cracked

LinkedIn, the popular networking site, was hacked and more than 6 million password hashes were leaked. The breach was confirmed today.

It took only minutes for the full dump of passwords to spread virally (

The decompressed file is 258 MB and contains 6,458,019 lines of hashed passwords.

LinkedIn hashed the passwords (meaning they stored a one-way SHA-1 digest of each plain-text string rather than the string itself) but did not apply any other level of protection, including salting.

For example, the password ‘password’ was stored as 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (its SHA-1 hash), and every user who chose that password got exactly the same hash.

It is trivial to find the original (clear text) password using tools such as hashcat:

It is quite interesting to look at passwords people use… it reveals a lot about human nature ;-) Warning, coarse language ahead!

LinkedIn announced that they are taking immediate action by blocking accounts that have been affected, as well as introducing new security measures (in the form of salting their password hashes).

This is a reminder that there is no total security. However, strong passwords are still a great protection. To retrieve those passwords, hackers use a ‘wordlist’ or dictionary attack: every candidate word is hashed and compared against the dump, and because the hashes are unsalted one table of hashed candidates serves for all 6 million accounts at once. That means a weak password is uncovered in seconds, while a fairly complex one that appears in no wordlist costs hackers a lot of pain and effort to crack.

On that topic, we should replace the word password with passphrase. The term is so much more meaningful and shows that an actual phrase such as ‘Jimmylovescarsespeciallyatnightonchannel99’ is far harder to crack than your typical password.
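To make the hashing and salting points concrete, here is an added Python example (not code from the original post) that runs a small wordlist against a few constructed unsalted SHA-1 hashes, the way the dump above was attacked, and then stores the same passwords with a per-user random salt. It goes slightly beyond the post’s remedy: besides the salt it uses PBKDF2, a deliberately slow hash, so that every guess also costs the attacker more. The “leaked” hashes, the wordlist, the salt length and the iteration count are assumptions for the demonstration, not values from the LinkedIn file.

```python
"""Unsalted SHA-1 versus salted, slow hashing: why the LinkedIn dump fell so fast.

Added example for this page, not code from the original post. The "leaked" hashes,
the wordlist, the per-user salt and the PBKDF2 iteration count are all assumptions.
"""
import hashlib
import hmac
import os

PASSPHRASE = "Jimmylovescarsespeciallyatnightonchannel99"


def sha1_hex(password):
    """Unsalted SHA-1, as LinkedIn stored it: same password, same hash, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed stand-in for a few lines of the dump (not real LinkedIn entries).
LEAKED_HASHES = [sha1_hex("password"), sha1_hex("linkedin"), sha1_hex(PASSPHRASE)]

# A tiny constructed wordlist; real attacks use millions of entries.
WORDLIST = ["123456", "password", "12345678", "qwerty", "linkedin", "letmein"]


def dictionary_attack(hashes, wordlist):
    """Hash every candidate once, then match the whole dump against that one table."""
    lookup = {sha1_hex(word): word for word in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


def guesses_needed(n_accounts, n_words, salted):
    """Hash operations needed to try every word against every account."""
    return n_words * n_accounts if salted else n_words


def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (slow by design)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("SHA1('password') =", sha1_hex("password"))
    for h, word in dictionary_attack(LEAKED_HASHES, WORDLIST).items():
        print(f"cracked {h} -> {word}")
    print("unsalted work for 6,458,019 accounts and a 1M wordlist:",
          guesses_needed(6_458_019, 1_000_000, salted=False))
    print("salted work for the same job:",
          guesses_needed(6_458_019, 1_000_000, salted=True))
    stored = salted_hash("password")
    print("salted record:", stored)
    print("same password, different record?", salted_hash("password") != stored)
```

The two short words fall immediately; the passphrase survives simply because it is in no wordlist. With a salt, two users who both pick ‘password’ get different records, so the attacker’s single lookup table is useless and every word must be re-hashed for every account.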

Jerome Segura

A happy website owner

Getting testimonials like this one really makes you feel like you provided value to the customer.


I can’t believe the amount of work this company did for me in such a short period of time.

It all began when I started getting strange messages when going to a few of my websites. These messages would say things like “do not go to this website, possible phishing and malware”… WHAT? I couldn’t believe it; these were MY websites, and I knew I didn’t install anything like that. Next thing I know, I get an email from telling me the same thing, while at the same time reassuring me that they could help me fix the problems. I called them by phone and spoke to Jerome, who first showed me that my websites had been banned from Google and others because of the phishing and malware. I started to sweat: my business was based on my websites, and if they were gone, so was my business. But then Jerome made me feel very at ease and confident that he could help me and definitely fix my problem. They then found hundreds of corrupt files, back doors, a bunch of stuff that quite frankly I have no clue about, but these guys fixed it all by that afternoon, and I mean ALL!!! The monthly or yearly fee they charge for their work is so reasonable that I think anyone would be a fool to have a website without this kind of protection, because the protection doesn’t stop after the problem is fixed but continues on a daily basis, with emails any time something is detected on any of my 18 websites… however small.

I am truly amazed and very grateful to Jerome, Jean Phillip and Sparktrust.

Guys if I could give you a medal I would.

Thanks again for everything

Your faithful customer for life.
Alain, AbsClubLA

Jerome Segura

Reporting Badware: a better way?

As some of you may remember, I’ve had quite the experience (read The joys of reporting hacked websites) reporting malicious websites to their owners.

I spent a lot of time crafting various email templates, following guidelines from StopBadware’s Best Practices for Reporting Badware URLs, yet at the end of the day it was a total disaster.

For starters, an email marketing guy I know told me quite clearly:

Hi Jerome,

This is a risky campaign to run, as it is unsolicited with, as you said, no prior relationship.

You probably want to avoid doing this.



Let’s stop and think for a moment. I am trying to alert someone that their site has been hacked and is serving malware, yet because of the strict CAN-SPAM rules and whatnot, I am not allowed to because I don’t have a previous relationship, an opt-in, etc… This is stupid. Let’s take a real-life example: I see that someone’s car has a flat tire. Should I not be allowed to tell them about it so they don’t get into an accident?

OK, once you can get over that nonsense, here is the reality with most website owners:

  • they have little knowledge about internet security
  • they don’t trust any email warning and label it as a SCAM (have they been trained too well?)
  • they can be rude
  • they send their lawyers

My conclusion is that contacting website owners directly is not the way to go. It is a waste of time and energy because these days nobody trusts anyone, whether it’s by phone, email, snail mail, etc… You can blame the spammers and scammers for that.

So instead, I chose a different route which maybe I should have taken to begin with… I am contacting the hosting provider directly with irrefutable evidence:

I understand abuse departments don’t want to spend time trying to confirm something is bad. So I give them all the details they need, and more.

This email is made from a template since I don’t have the time to write a few hundred of those every day. I wrote long and complex Bash/PHP/Python scripts to gather all the information needed from a specific URL.

As such, for each URL:

  • the malicious code (or file) is downloaded
  • it is sent to be analyzed by Virustotal with MD5/SHA256 checksums
  • an IP and ASN are identified
  • an abuse email contact is found by querying the ASN whois
  • an email is created from the template and then the email is sent
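The pipeline in the list above can be sketched in a few dozen lines. The Python below is an added illustration for this page, not the author’s own Bash/PHP/Python tooling: it computes the MD5 and SHA-256 of a downloaded payload, pulls the origin ASN and abuse mailbox out of whois output (trying both the RIPE-style `abuse-mailbox` and the ARIN-style `OrgAbuseEmail` field names), and fills an email template. The payload bytes, the whois answer (using the documentation prefix 203.0.113.0/24, the reserved AS64496 and `.example` hosts) and the template wording are constructed; the network steps (the download itself, the VirusTotal submission, the whois query and sending the mail) are left out so it runs offline.

```python
"""Assemble an abuse report for a malicious URL: checksums, ASN, abuse contact, template.

Added example for this page; not the author's own tooling. The payload bytes, the whois
answer (documentation prefix 203.0.113.0/24, AS64496, *.example hosts) and the template
wording are constructed. Network steps are omitted so the script runs offline.
"""
import hashlib
import ipaddress
import re
from string import Template

# Constructed: what the spider would have downloaded from the hacked page.
PAYLOAD = (b"<script>document.write('<iframe src=\"http://bad.example/in.php\" "
           b"width=\"0\" height=\"0\"></iframe>')</script>")

# Constructed: a RIPE-style whois answer for the hosting IP's route object.
WHOIS_TEXT = """\
% This is a constructed example of whois output
route:          203.0.113.0/24
descr:          Example Hosting Ltd (documentation prefix)
origin:         AS64496
abuse-mailbox:  abuse@hosting.example
source:         RIPE
"""

REPORT = Template("""\
To: $abuse
Subject: Compromised site serving malicious code on $ip ($asn)

Hello,

The page below is hosted on your network and currently injects malicious code
into visitors' browsers. The site owner is most likely unaware of it.

URL:     $url
IP:      $ip
ASN:     $asn
MD5:     $md5
SHA256:  $sha256

Injected code (first $nbytes bytes):
$evidence

Please clean or suspend the site and notify the customer.
""")


def checksums(data):
    """MD5 and SHA-256 of the payload; either can be looked up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_whois(text):
    """Return (origin ASN, abuse e-mail) from whois output.

    Registries name the fields differently (RIPE/APNIC: abuse-mailbox,
    ARIN: OrgAbuseEmail), so several are tried; the first occurrence wins.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    asn = fields.get("origin") or fields.get("originas")
    abuse = fields.get("abuse-mailbox") or fields.get("orgabuseemail")
    return asn, abuse


def build_report(url, ip, payload, whois_text, evidence_bytes=200):
    """Fill the template; returns (recipient, message text)."""
    ipaddress.ip_address(ip)                      # raises ValueError on a bad IP
    asn, abuse = parse_whois(whois_text)
    if not abuse:
        raise ValueError("no abuse contact in whois output")
    sums = checksums(payload)
    snippet = payload[:evidence_bytes].decode("utf-8", errors="replace")
    body = REPORT.substitute(abuse=abuse, url=url, ip=ip, asn=asn or "unknown",
                             md5=sums["md5"], sha256=sums["sha256"],
                             nbytes=evidence_bytes, evidence=snippet)
    return abuse, body


if __name__ == "__main__":
    recipient, message = build_report("http://hacked-site.example/index.php",
                                      "203.0.113.7", PAYLOAD, WHOIS_TEXT)
    print(message)
```

Giving the abuse desk the hashes and the injected snippet up front is what lets them act without re-doing the analysis; the SHA-256 is the key they will search for in VirusTotal or their own logs.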

It was a fair amount of work to get that automated, but it is worth it to watch thousands of URLs being parsed and abuse emails being sent ‘magically’.

So far the response has been pretty good. Most abuse departments are quick to act and resolve incidents. They know what I’m talking about and I don’t have to convince them that this is not a scam but rather an effort to get infected websites cleaned up.

Will this be the end of the story… who knows? There might be more developments and surprises, although I think I’ve seen a fair share of stupidity already.

Jerome Segura

Huge text blurb allows malicious code to go undetected

I recently wrote a spider that crawls a site for malicious code. While testing it, I ran into a particular issue that I thought would be worth sharing.

The first thing this spider does is download the content of the site using a specially crafted wget command passing parameters such as user agent, number of tries, recursion level etc…

Then I came across a domain that had been hacked (as the picture below shows), but the page was so incredibly long that the spider got stuck downloading a huge file. With the length of the response unspecified, you cannot know in advance what you are up against…

This method could allow an attacker to fool security tools that try to parse a site’s source code in real time, while still executing a malicious payload.
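One defence for a spider like the one described is to read only a bounded number of bytes, record whether the response was cut off, and still run the cheap checks on what was read, including the “script right after <body>” pattern noted in the earlier post on this page. The Python below is an added example, not the author’s spider; the 1 MB cap, the two sample pages and the regular expression are assumptions made for the demonstration.

```python
"""Bounded page download plus a cheap injection heuristic for a malware spider.

Added example for this page, not the author's spider. The 1 MB cap, the sample
pages and the regular expression are assumptions made for the demonstration.
"""
import io
import re

MAX_BYTES = 1_000_000   # assumed cap; tune to the largest legitimate page you expect

# Injected code sitting immediately after <body> (the pattern noted earlier on this page).
INJECTED_AFTER_BODY = re.compile(rb"<body\b[^>]*>\s*<(?:script|iframe)\b", re.I)

# Constructed sample pages: a small clean one and a hacked one padded to several MB.
CLEAN_PAGE = b"<html><head><title>ok</title></head><body><p>Welcome</p></body></html>"
HACKED_PAGE = (b"<html><head><title>hacked</title></head><body>\n"
               b'<script src="http://bad.example/j.js"></script><p>Welcome</p>'
               + b"A" * 3_000_000 + b"</body></html>")


def read_bounded(stream, cap=MAX_BYTES, chunk=65536):
    """Read at most `cap` bytes from a file-like object.

    Returns (data, truncated). It never trusts a Content-Length header (the
    server may omit it); it simply stops reading once the cap is reached.
    """
    buf = bytearray()
    while len(buf) < cap:
        piece = stream.read(min(chunk, cap - len(buf)))
        if not piece:
            return bytes(buf), False
        buf.extend(piece)
    # Peek one more byte so the caller knows the page was cut off.
    return bytes(buf), bool(stream.read(1))


def injected_after_body(html):
    """Heuristic: automated injections often land right after the <body> tag."""
    return INJECTED_AFTER_BODY.search(html) is not None


def scan(stream, cap=MAX_BYTES):
    """Scan whatever fits under the cap; a cut-off page is itself worth a flag."""
    data, truncated = read_bounded(stream, cap)
    return {"bytes": len(data),
            "truncated": truncated,
            "injected_after_body": injected_after_body(data)}


def scan_bytes(data, cap=MAX_BYTES):
    """Convenience wrapper so the scanner can be exercised without a socket."""
    return scan(io.BytesIO(data), cap)


if __name__ == "__main__":
    print("clean :", scan_bytes(CLEAN_PAGE))
    print("hacked:", scan_bytes(HACKED_PAGE))
```

The padded page is reported as truncated at exactly the cap and still flagged, because the injected script was in the first kilobyte. A truncated response is a signal in its own right: legitimate pages that large are rare enough that the spider can queue them for a slower, offline look instead of stalling the real-time pass. A size limit that relies on Content-Length does nothing when the server omits the header, which is the situation the post ran into; the stream has to be cut off while reading, as read_bounded does.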

Jerome Segura