Hacked Nursery Website

foxd
Posts: 3221
Joined: Wed Feb 09, 2005 7:30 pm
Location info: 21
Bamboo Society Membership: ABS - America
Location: Zone 5b/6a Bloomington, IN
Elevation: 770-790 feet

Hacked Nursery Website

Post by foxd »

I went online Sunday to locate a plant for a friend and found the one site that actually had what I was looking for, had been compromised (hacked). I emailed the nursery about this, which promptly responded that it would quickly be taken care of. Two days later I revisited the site and discovered the problem had still not been corrected.

I dug into the hack and this is what I found:
Visiting the site downloads a Javascript from the hacker's site that examines your system and decides what sort of attack to use. A call back to the hacker's site is made passing a string telling it what sort of attack to use on your system. I was fortunate that my anti-virus caught it.
I did discover that one of the attacks pretends to be a Norton Anti-Virus Add-On if you are running Vista with Symantec software. I strongly suspect one of the things the malware is doing is trying to download a keylogger program to send back credit card/PayPal information to the hackers.

I emailed the contact person about this and he emailed back that the information was forwarded to the site manager immediately.

Today I checked and there look to be a few less links to the malware, but I think that there is still something on the computer that is slowly changing the links back to point to the hacker's malware. The site manager is an idiot.

I am a bit reluctant to post links to either the compromised nursery website or the hacker's server, for obvious reasons.

They do NOT sell bamboo, so the bamboo nursery owners here can breathe a *sigh* of relief.

But be careful shopping online this holiday season.
Southern Indiana.
My Bamboo List.

The legal issues that will arise when the undead walk the earth are legion, and addressing them all is well beyond what could reasonably be accomplished in this brief Essay. Indeed, a complete treatment of the tax issues alone would require several volumes.
mike best
Posts: 287
Joined: Sat Sep 09, 2006 3:51 am
Location info: 0
Location: Orlando, Florida

RE: Hacked Nursery Website

Post by mike best »

One could have one's credit and personal identity compromised like that, and the thieves use your number to buy themselves something nice for Christmas. Only protection there is a credit freeze that takes a 4-digit PIN to release it.

I always use a real Visa or MasterCard, or PayPal; they have 60 days of fraud protection that gets your money back if there is a problem. Also, I do not use a debit or checking card attached to my checking account.

Also, with electronics, if I use my card it will extend the factory warranty!
Mike Best

RE: Hacked Nursery Website

Post by foxd »

Just to make the record clear, I spotted the attack immediately and didn't get infected. Still, it has made me leery about ANY on-line shopping this holiday season.

RE: Hacked Nursery Website

Post by foxd »

This just keeps getting scarier and scarier.

Today I found several other websites hacked by the same people, including one that advertises itself as "hacker safe".

I was able to piece together a bit of how they operate. They steal credit card and Paypal information. They also advertise for people to "work at home" doing things like cashing checks. The people then send the money to the hackers leaving the people they "hired" to catch the heat.

From what I know today, I have a really bad feeling about this....

I can't even think of an appropriate emoticon.

RE: Hacked Nursery Website

Post by foxd »

I've posted this in a few places:
Okay, you probably won't see this on Snopes, this is something I've been researching and I KNOW the information to be accurate.

Some of you may have heard of the Money Transfer Job Scams. If not, click here and read:

http://www.joewein.net/fraud/fraud-job-2007-12.htm

The question is "How do these scammers get the credit card or other financial information?"

One method they have recently been using is inserting a script tag in unsuspecting websites that conduct a lot of commerce over the web. These sites may use secure websites for their transactions, but the transaction is only as secure as the customer's computer.

Anyway, a script tag is inserted somewhere in the company's web page that loads a Javascript program from the hacker's server. (Usually named J.JS) Now, this Javascript program is harmless in and of itself, it just looks at your system, compiles information about it and then sends it back to the hacker's server which then sends the best exploit to try and hack their system. This can include a keylogger to get the information the customer typed to do the transaction on their website.

I have found at least a dozen websites where this tag has been inserted.

While I could post a link to one of the compromised sites, I'm not going to because I don't want people clicking on it and having their system hacked. Besides, there is enough information here to find them, but you had better have your system completely patched and your anti-virus up to date. (BTW, I checked out one of these sites on a Vista machine and the hack tried to trick me into downloading an "Add-On" for Norton Anti-virus!)

If you do any on-line shopping this holiday season, be EXTREMELY careful!

-----

On the lighter side, I did have this exchange of dialog with one site manager:

me: Enter the URL _________________________________

him: Okay.

me: Look at the source code and scroll down to where it says, "Hacker Proof Certified Secure". Just below that is the script tag I was telling you about.

him: *Long Pause* Am I infected?

me: *Long Pause* I don't know.

-----

I'm not sure how I feel about how my good deeds this holiday season are causing fear and dread.

RE: Hacked Nursery Website

Post by foxd »

A bit of an update. The hacked nursery site has been cleaned and has stayed clean. One hacked site was cleaned, reinfected and cleaned again.

I also discovered that emailing details of the hack is a problem, because if I give too many details, the email gets blocked as having a virus or being spam. :shock:

RE: Hacked Nursery Website

Post by foxd »

Over the past few days there has been a new script tag being added to websites via SQL injection. If you try Googling "uc8010", you get close to 100,000 results returned showing the tags involved. :shock:
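The injected script tags described in the posts above (the J.JS loader and the tags added via SQL injection) can be found by auditing a page for scripts loaded from hosts the site owner never approved. The following is an added example, not part of the original thread; the host names, URLs, allowlist and sample page are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: two legitimate scripts plus the same foreign
# <script> tag injected twice, as happens when it is written into database rows.
SAMPLE_PAGE = """<html><head>
<script src="/js/cart.js"></script>
<script src="//cdn.shop.example/lib.js"></script>
</head><body>
<p>Hacker Proof Certified Secure</p>
<SCRIPT SRC="http://injected.example/j.js"></SCRIPT>
<table><tr><td>Rose bush<script src="http://injected.example/j.js"></script></td></tr></table>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag; tag and attribute case is ignored."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())


def foreign_scripts(html, page_url, allowed_hosts=()):
    """Return {absolute script URL: occurrences} for every script whose host is
    neither the page's own host nor in allowed_hosts (hypothetical allowlist)."""
    trusted = {urlsplit(page_url).hostname, *(h.lower() for h in allowed_hosts)}
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = Counter()
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        # data: or javascript: sources have no hostname and are reported too
        if urlsplit(absolute).hostname not in trusted:
            hits[absolute] += 1
    return dict(hits)


if __name__ == "__main__":
    page = "https://www.shop.example/plants.html"
    for url, count in foreign_scripts(SAMPLE_PAGE, page, ["cdn.shop.example"]).items():
        print(f"{count}x untrusted script: {url}")
```

Run against saved copies of a site's pages on a schedule, a change in the reported set is the signal that a cleaned site has been reinfected.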

RE: Hacked Nursery Website

Post by foxd »

A couple of URLs:

http://www.pcworld.com/article/id,14135 ... ticle.html

http://www.finjan.com/Pressrelease.aspx ... 1819&lan=3

Now if I can just re-find that article about how ScanAlert doesn't think there is a problem with their certification of websites as "Hacker Safe". :shock:

RE: Hacked Nursery Website

Post by foxd »

This was what I posted about back in December.

http://www.pcsympathy.com/2008/03/22/ja ... urce-code/

I just tried pinging the Hacker site and it appears to have been removed from the DNS servers. It only took something like three months. :shock:

RE: Hacked Nursery Website

Post by foxd »

Well, I have a new round of hacked websites I want to warn people about. Apparently websites are being hacked to cause a warning to pop up on people's computers offering to scan their computer for viruses using Antivirus 2009. Don't even try and close the pop-up, instead open Task Manager (CTRL-ALT-DEL) and end the program.

If you try and cancel or close the pop-up, an "improved" TROJAN.VUNDO gets downloaded to your computer for Antivirus to find (or not if you cancel). You will have pop-up ads for scams.

My wife got hit by this, which ruined my Thanksgiving break. I showed some people a hacked site at work and described the infection. One person suddenly realized his computer had been infected by this.
millerlightman02
Posts: 153
Joined: Sat Jul 26, 2008 3:36 pm
Location info: 46
Location: Brownsville Indiana

RE: Hacked Nursery Website

Post by millerlightman02 »

What are the website names so I don't go there?
Michael Geis
wiener dogs and bamboo
what else is there?

Re: RE: Hacked Nursery Website

Post by foxd »

millerlightman02 wrote: What are the website names so I don't go there?
That's just it, you don't know until you stumble across one. Hence my instructions about CTRL-ALT-DEL.

If you want to read about the problems do a Google search on: antivirus 2009 scam
ghmerrill
Posts: 1873
Joined: Thu Jul 19, 2007 12:20 am
Location info: 26
Location: Kerby, OR

RE: Hacked Nursery Website

Post by ghmerrill »

Would it be under the tab 'applications' or 'processes' that you would look for to close it down?

I'm pretty computer illiterate, and don't wander a lot of sites, so the chances are slim, but I would like to know how to prevent it from happening.

Re: RE: Hacked Nursery Website

Post by foxd »

ghmerrill wrote: Would it be under the tab 'applications' or 'processes' that you would look for to close it down?

I'm pretty computer illiterate, and don't wander a lot of sites, so the chances are slim, but I would like to know how to prevent it from happening.
It's under Applications, you want to shut down the web browser that way because otherwise you will be fighting for control of your browsing session in an attempt to scare you into installing their software.

I've poked a bit at their opening attack. What they do is shrink your browser window down to a small size and hide it behind a confirm box that pops up saying:
'ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes.\n\nDetect and remove viruses before they damage your computer!\nAntivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.\n\nDo you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)'
If you click "No" an alert box pops up saying:
'Antivirus 2009 will scan your system for threats now.\n\nPlease select "RUN" or "OPEN" when prompted to start the installation.\n\nThis file has been digitally signed and independently certified as 100% free of spyware, adware and viruses.'
If you click "Yes" you don't get the alert box before the attempted installation.
Your web browser is also resized to fill the screen with the installation page which I haven't looked at yet.

There are some news items turning up on this:
http://www.pcworld.com/businesscenter/a ... tware.html

RE: Hacked Nursery Website

Post by ghmerrill »

Thanks. I have never run into that, but I have run into pop-up windows you can get rid of by closing them by hitting the X. Guess I should stop touching them and do it the other way to be safe.