Thursday, September 27, 2012

"No Seriously... YOU HAVE BEEN HACKED."


So I find myself yet again trying to do the right thing... as I sit there on the phone with someone's customer support line trying to explain to them that someone has exploited their website (or mailing list provider)... usually with my hand on my forehead.

I have highly restrictive email account settings (on purpose) and do not use a "catch-all" account for non-existent email addresses. So, as a rule, when I sign up for a new account I go in and create a new email address specifically for the site at hand. This helps me track whether they're sticking to their Terms of Service.
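The per-site address trick above can be checked automatically: every inbound message to a dedicated address should come from the one company that was given it, and anything else is a lead worth following up. The script below is an added example, not code from the original post; the canary addresses, the allowed sender domains, and the sample messages are all constructed (spamtrap.example stands in for the author's spam-tracking domain).

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping: each per-site canary address -> the sender domains that
# site (or its mailing-list provider) is allowed to use. Hypothetical values.
CANARIES = {
    "ck@spamtrap.example": {"calvinklein.com"},
    "walthers@spamtrap.example": {"walthers.com"},
}

# Constructed sample mailbox: raw headers only, one string per message.
SAMPLE_MAILBOX = [
    "From: newsletter@walthers.com\nTo: walthers@spamtrap.example\nSubject: New arrivals\n\n",
    "From: deals@nicor-services.example\nTo: walthers@spamtrap.example\nSubject: Air handlers\n\n",
    "From: promo@unrelated.example\nTo: ck@spamtrap.example\nSubject: Win a prize\n\n",
    "From: news@calvinklein.com\nTo: ck@spamtrap.example\nSubject: Fall collection\n\n",
]


def _domain(addr):
    """Lower-cased domain part of an address, '' if there is no '@'."""
    return addr.lower().rpartition("@")[2]


def check_message(raw):
    """Return [(canary, sender_domain, leaked)] for each canary the message hit.

    A sender domain counts as allowed if it equals, or is a subdomain of, any
    domain registered for that canary. Messages to non-canary addresses yield [].
    """
    msg = message_from_string(raw)
    sender_dom = _domain(parseaddr(msg.get("From", ""))[1])
    hits = []
    # To and Cc may each hold several addresses, so flatten them all.
    for _, rcpt in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        rcpt = rcpt.lower()
        if rcpt not in CANARIES:
            continue
        allowed = any(sender_dom == d or sender_dom.endswith("." + d)
                      for d in CANARIES[rcpt])
        hits.append((rcpt, sender_dom, not allowed))
    return hits


def scan_mailbox(messages):
    """Map each canary address to the set of unexpected sender domains seen."""
    leaks = {}
    for raw in messages:
        for rcpt, dom, leaked in check_message(raw):
            if leaked:
                leaks.setdefault(rcpt, set()).add(dom)
    return leaks
```

A flagged domain only shows the address escaped the company it was given to; whether that was a compromise or a list-sharing arrangement is the conversation to have with their support line.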

Calvin Klein (Yes they're still around.)
The last time this happened was way back in May 2012 and I was registering for the Calvin Klein website. So I go in and set up ck@[mydomain_for_potential_spam].com and register for the mailing list. (Since I'm requesting this it's not spam.) Two hours later I get a spam (non-solicited) email to this address from a completely different site than Calvin Klein. I think to myself... that's fast!

So I contact customer support and explain to them that Yes, I did just register for the emails today. Yes I did just create this very email account today. Yes, nobody else but your website has this email address and I have only shared it with you. All other connections to make the account were "secure."

Calvin Klein follows up to say "our site is secure and there is no way it was anything on our end." This prompts a swift response stating "Your site is not secure in the truest form of the word on the Internet. You're not using any sort of encryption whatsoever, so if anyone wanted to read any traffic from your site all they would need to do is run a packet sifter and they can read everything that transacts between your site and their machine and look for an exploit." (This is of course not the check-out portion of the site we're talking about.) I get no further feedback from them.

I think to myself... let me check on my end... so I close the CK account and open a new account called CK2. I go in and this time I register on a Mac (just on the off chance that my firewall didn't catch that I have random traffic communicating directly with my Windows box, or that my machine's firewall thinks some Trojan [something I installed on purpose that really infected me] is perfectly acceptable). 30 minutes later, more spam for the newest address.

So I go in and take a look at all of the stuff that's being loaded on the CK site using a plug-in for Firefox called Firebug. There are (at the time) no less than 30 scripts running from the CK site... 4 of which keep off-site live open feeds (AJAX and the like). For anyone who doesn't know what this means: AJAX is a way for your browser to send information to a web server without you having to really enter anything. People can track your mouse movements, things you click on, all sorts of stuff. So on the CK site I narrowed it down to Omniture, Shoprunner, and a couple of others before I gave up (it takes a long time to create new email addresses and sign up for stuff when you're just curious)... also I don't want to create too much traffic and make them think I'm the one who took over their mailing form.

So I respond to CK with a second notice that the same thing happened... copied customer support and the default admin@ and abuse@ accounts. I get a reply of "please leave our website alone, we have not been hacked." Oh well. (I still get random spam messages off of the custom CK emails.)
Enter Walthers

So I totally dig toy trains... they're quite a bit more pricey than what I'm willing to pay, but Walthers is one of THE places to get trains if you're considering keeping the hobby alive. I get a print catalog and subscribe to their email newsletters (on the off-chance I win the lottery some day). So today I go into my email account and see a message in the Walthers folder for HVAC air handlers. I contact Walthers and the conversation goes something like this.

Me: "Hello, my name is Chris and I'm calling to let you know that I think your email mailing list has been compromised." (They could have sold my name... A.K.A. shared it with their business partners.)

Support person: "What makes you say that?"

Me: "I've set up a custom email account specifically for Walthers and have been receiving your newsletters for some time, but today I received a message I believe to be Spam at the address that I specifically set up to work with your company."

Support person: "What kind of spam message?"

Me: "Air handlers from Nicor Services."

Support person: "We didn't send that to you. I get Spam all the time... there's no way to stop it."

Me: "No, you don't understand... I only get messages on this email account from Walthers and have only ever shared it with your company, so either you have an infected machine, someone got to your main database of subscribers, or your list handling service was compromised."

Support person: "What's the email address?"

Me: "walthers@[mydomain_for_potential_spam].com"

Support person: "Well I get spam on my Walthers account all the time and I work at Walthers so it's not surprising that you would get spam too."

Me: "I think you're not getting what I'm trying to say."

Support person: "We send out to over 100,000 people every time we send a newsletter... I think we would have heard about it before now."

Luckily my other line started ringing so I had to hang up quick...

Common misconceptions about Online "Safety"

Note: Nothing online is completely "safe."
  1.  Our website is secure
    Your website is only "secure" if you're using SSL. Your email is more than likely NOT secure unless you work for a bank and you're sending your email to another person inside the bank behind the company firewall... even then it's iffy at best because some of the firewalls will decrypt SSL so they can speed up the transfer. When you have a form on your website and someone hits submit, the site transmits that information over the Internet from their browser to your server. If your server stores the information through an encrypted channel, then it's "safe" only because the channel was encrypted. Anyone who was able to get the handshake keys at the start of the transaction could decrypt everything you've sent. If your site sends you an email containing the information, what happens is that the web server has its own email sending server... this server more than likely uses the standard email protocols and sends the message in what's called "clear text" or "plain text" if it's not configured to log into your server directly with SSL. Most mail servers allow the people sending the messages to send in clear text because it's faster and not everyone submits messages in SSL (or any of the other encryption protocols).
  2. We are a big company, we're invincible
    This is funny. I work with a lot of big companies. The reason the big companies are super successful is because the investors come in, take a look at operations and cut out everything that seems to be non-important. If you're not in a financial market then chances are your IT staff has been cut, just like everyone else's. Most IT guys that I've had the experience of working with are sort of "old-skool" in the sense that they learned what they do mostly on the job. Sometimes these guys have been at a company for eons and they started in some other department, learning the ropes as they go. If they've not been hacked, or if they're not resourceful enough to look stuff up, chances are they're not as up-to-date on the latest threats as most companies would like to believe... despite what they're being paid. It's a lot of work to read 25 blogs a day, check all of the latest security threat sites for zero-day attacks (attacks without warning) AND help Pat in HR figure out how to copy and paste (for the 25th time this week).
  3. We have a custom website, nobody knows about it except for the developers
    There are a couple of things that happen here... sometimes you do have a real custom site where it's been written from the ground up. If that's the case then there were definitely corners cut somewhere. Not everyone has the time to make sure that all of the form fields in every form being submitted conform to what you're expecting (it's almost impossible). The other thing I typically run into with "custom websites" are sites that were created with something like WordPress and then they have a custom skin on the front-end. At some point in time the site goes down and then people start asking "How did this happen?" or "How can my site be infected by trackbacks when we don't even know what those are?" There are hundreds of thousands of lines of code in the "industry-leading" CMS systems out there. All of this code is available on the Internet and there are people overseas who have nothing better to do than look for an exploit and take advantage of some website.
  4. We don't have a very big company, someone's surely not going to target us.
    People who hack servers don't care about who they're hacking unless it's a site in the security industry or some large company where they can get "street cred." If you're not in those two categories most "hackers" won't make a distinction between your site and anyone else's... and herein lies the problem. You have a web server and you have server space somewhere in a server farm on the internet. This server is publicly accessible from all over the world. In the industry we refer to it as real estate. If someone takes over your server, now they can use your real estate to do things like launch attacks, or steal information from your customers while they pretend to be you, or they can use your system to host something called a "bot net," for example. Botnets are hundreds upon hundreds of machines that have also been infected by some exploit and now answer to the main control server... in this case your web server. So there are a lot of reasons why someone who has a need might want to take over your server real estate. Unlike regular real estate, because you're on the internet location doesn't really matter, unless you're hosting a web server on dial-up, then you're "safe."
  5. "How come we've never heard about this before?" or the best of all... "We've never been hacked before."
    This may be true, but it all starts somewhere. The first step to fixing the issue is realizing that you have an issue.
That's all I have for now. Hopefully this wasn't too wordy. Until next time, if someone says "we think you might have been hacked," there may be an off-chance that they're trying to help you out.
-Chris