Listen to my story and see if it makes you think again.
Tuesday afternoon, I got a call from Bank of Montreal, telling me to shut down the “phishing” site my server was hosting. (A phishing site looks just like the bank’s site and seeks to trick customers into logging in and thus giving up their user IDs and passwords.)
“Ridiculous,” I said. But the screen didn’t lie. Right there in one of my directories was the site. And that was just the first step in a week from hell that involved shutting down a massive malicious email script as well as another phishing site two days later — this one stealing account information from customers of JP Morgan Chase.
Needless to say, the only communications work I did was with the geeks at my new hosting company. As we continued to play whack-a-mole with the repeated security breaches, I finally said “look guys, we’re losing this battle. What tests can we do to find out how they’re getting in?”
To be sure, I was nailing the usual suspects — making sure all my scripts had the latest security updates and changing to more secure passwords. But the attacks kept coming. Finally, the hosting company’s security department reviewed the server logs and found that people were logging into my account with the company from Brazil, the United Kingdom and several parts of the United States.
Why would they do this? When you’re in the business of setting up phony sites to steal people’s bank accounts, it’s rarely a good idea to host them on your own servers. So you do what they did — “borrow” somebody else’s. Apparently, my username and password had been sold to multiple hackers, who then had full access to my servers and sites.
How bad was it? Really, really bad. J.R. Ewing bad. Evil vampires-without-the-sex-appeal bad. Did I mention it was bad?
Once the hacker logged into my account, he could place anything he wanted on any directory. Phony sites? Piece o’ cake. Back doors to allow him and other hackers in later? No problem. It was all there. Further, he had access to all my FTP accounts and content management systems’ administrative panels. He could enable shell access that would enable him to wipe out all my sites in moments and replace them with his own. He could run programs. My site was his site.
And apparently, I had more than one of these hackers helping themselves.
But nobody — nobody — would ever know the name of your favorite teddy bear, right? Maybe not, but consider this: I had just moved my sites from another hosting company, and when I set up the account with the new company, I used the same old comfortable password. No, it wasn’t my old teddy bear, but it was insanely simple. Keep in mind that the hosting company I left is filled with hundreds of programmers, tech support specialists, server administrators and other web experts. All it would take is just one misfit — maybe one who felt he wasn’t getting paid enough — to set up a side business selling customer information.
Think of it this way. If you know my email address, my old password and the company in which I’ve opened a new account — all readily available inside the old company — you have a good chance of hacking your way into my new account. I can’t prove it, but my guess is that this — or something like it — happened. There are other ways, of course. Recently, I misspelled the URL of an account we all access, and it took me to a phony site where I was asked for my password. If I’d typed it in, some stranger would have had access to all my contacts, passwords, bank account numbers, friends and more.
Have I got your attention yet? Did I mention that my communications efforts came to a screeching halt while all this was going on? Or that Google was threatening to de-list my domains? Or that I couldn’t update client reports? Or that I ended up having to rebuild my corporate web site (with 11,000 files) from scratch?
Why? Sheer laziness. Because remembering a new password is a pain. Trust me, it’s not nearly as big a pain as what I’ve just experienced. Do yourself a favor. Find every password you can locate and change it. Right now. Web hosting account? Check. Google? Check. Bank? Triple check. FTP access to your web site? Check. CMS administrative panel? Check.
And I’m just getting started. While you’re at it, Google some tips on creating strong passwords. No more teddy bears and poodles.
Trust me on this. I’ve been into hacker hell, and it isn’t pretty.