Naturegeek's Weblog

Naturally Geeky ramblings about web design

Site Security

We are learning about site security this week, and have been asked to share stories of websites we know of that got hacked: how it happened, and how they fixed it. I’ve asked an acquaintance at the Mono Lake Committee to share what happened when their site was recently defaced, but other than that, and until I get the inside story on that, I really don’t know of any websites that were hacked. I do, however, know of an email account that got phished.

It was the webmaster email account of the site I used to be webmaster for; the new webmaster got phished. So embarrassing! I saw the email, and it was pretty obvious to me, but she had the flu and was barely keeping up with the email, and for some combination of those reasons and carelessness, she bit. It was a Yahoo! account, and we had tons of addresses saved in it (mainly to keep emails from going into the spam folder, but also for reference), and the phisher sent out emails to all the contacts saying the webmaster was stuck in Europe and needed money. It was obvious to everyone who got it that it was more phishing, but in the meantime the webmaster was locked out of her email account, where job postings, events and all sorts of web updates came in daily. She had to frantically email everyone to not respond to the phishers, apologize, and set up a new email account for online forms, at the same time as working with Yahoo! to regain access to her account, change the password and lock out the hackers.

The annoying thing for me, as former webmaster, is that she never changed all the emails on the website. Even though she regained access to the Yahoo! account, she switched to a Gmail account, as they are so much better at filtering spam and phishing emails. But the old email account was on practically every page of the website! And it was not a dynamic site, or even made with templates; each page was separate. However, all she had to do was a global find and replace in Dreamweaver. It was a little more complicated than that, as the emails on the site were disguised with Spam Vaccine, but it would have only taken a few passes to get all the old email addresses updated, and if it were me, I would have rather changed them all by hand than leave them on the site! Sloppy.

Of course that sloppiness is what got her phished in the first place.

Lesson: even if you are fairly tech savvy, you still need to “make haste slowly” to avoid making a fatal error.
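The find-and-replace problem described above (a stale address scattered across hundreds of separate static pages, some copies obfuscated by an anti-spam tool) is easy to get wrong, because a plain text search for the address will not match the obfuscated copies. The script below is an added example, not code from the post or from Dreamweaver or Spam Vaccine: it audits a tree of static HTML files for an old address, matching both the plain text and copies encoded as HTML character references, and rewrites them to the replacement address while preserving the encoding style of each hit. It assumes the obfuscation is character-entity encoding (one common form; the post does not say exactly what Spam Vaccine produced), and the addresses and sample page are constructed for the example.

```python
"""Audit static HTML pages for a stale e-mail address, including
entity-obfuscated copies, and rewrite them to the replacement address."""
import html
import re
from pathlib import Path

# Hypothetical addresses, constructed for this example.
OLD_ADDRESS = "webmaster@example.org"
NEW_ADDRESS = "forms@example.org"

# A run of consecutive HTML character references, decimal or hex,
# e.g. "&#119;&#101;" or "&#x77;&#x65;".
ENTITY_RUN = re.compile(r"(?:&#(?:x[0-9a-fA-F]+|\d+);)+")


def obfuscate(address: str) -> str:
    """Encode every character as a decimal character reference.

    Assumption: this is the kind of encoding an anti-spam obfuscator such as
    Spam Vaccine emits; the original post does not say which form it used.
    """
    return "".join(f"&#{ord(c)};" for c in address)


def find_stale(page: str, stale: str) -> list[tuple[int, str]]:
    """Return (offset, matched_text) for every plain or entity-encoded occurrence."""
    hits = []
    for m in re.finditer(re.escape(stale), page):
        hits.append((m.start(), m.group(0)))
    for m in ENTITY_RUN.finditer(page):
        # Decode the whole run; the address may sit inside a longer encoded
        # string such as "mailto:..." so we test containment, not equality.
        if stale in html.unescape(m.group(0)):
            hits.append((m.start(), m.group(0)))
    return sorted(hits)


def replace_stale(page: str, stale: str, fresh: str) -> tuple[str, int]:
    """Rewrite plain and entity-encoded occurrences; return (new_page, count).

    Encoded copies stay encoded, so the page keeps its spam protection.
    """
    count = 0

    def swap_entities(m: re.Match) -> str:
        nonlocal count
        decoded = html.unescape(m.group(0))
        if stale not in decoded:
            return m.group(0)  # some unrelated entity run; leave it alone
        count += decoded.count(stale)
        return obfuscate(decoded.replace(stale, fresh))

    page = ENTITY_RUN.sub(swap_entities, page)
    count += page.count(stale)
    page = page.replace(stale, fresh)
    return page, count


def audit_tree(root: Path, stale: str, fresh: str, rewrite: bool = False) -> dict[str, int]:
    """Walk *.html under root and report per-file hit counts.

    With rewrite=False this is a dry run (the pass you do first); with
    rewrite=True the files are updated in place.
    """
    report: dict[str, int] = {}
    for path in sorted(root.rglob("*.html")):
        text = path.read_text(encoding="utf-8")
        new_text, n = replace_stale(text, stale, fresh)
        if n:
            report[str(path.relative_to(root))] = n
            if rewrite:
                path.write_text(new_text, encoding="utf-8")
    return report


# Constructed sample page: one plain mailto link plus one entity-obfuscated
# copy, the mix that a naive source-level find-and-replace would half miss.
SAMPLE_PAGE = (
    '<p>Contact: <a href="mailto:webmaster@example.org">webmaster@example.org</a></p>\n'
    f'<p>Footer: <a href="mailto:{obfuscate(OLD_ADDRESS)}">{obfuscate(OLD_ADDRESS)}</a></p>\n'
)

if __name__ == "__main__":
    print("stale hits:", find_stale(SAMPLE_PAGE, OLD_ADDRESS))
    rewritten, n = replace_stale(SAMPLE_PAGE, OLD_ADDRESS, NEW_ADDRESS)
    print(f"replaced {n} occurrences")
    print(rewritten)
    # For a real site: audit_tree(Path("site"), OLD_ADDRESS, NEW_ADDRESS)  (dry run)
```

Run the dry-run pass first and compare the per-file counts against a plain `grep -rc` for the old address; any file where the script reports more hits than grep does is one where the obfuscated copies would otherwise have been left behind, which is exactly the failure the post describes.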


October 3, 2009 - Posted in Learning Site Management

4 Comments

  1. I picked up on one thing from your very detailed posting. Why is it that Yahoo has such terrible filtering? I keep an account, but I never use it due to the fact that tons of spam gets through. Gmail all the way. I just wish they would adopt an interface like Hotmail or Yahoo. Talk to you later.

    One last thing. When you have a moment can you tell me how you place your picture on your main page. I was never able to do it.

    Comment by modemmack | October 4, 2009

    • I don’t know why Yahoo!’s spam filters aren’t as good as Gmail’s, but they do get ~most~ of the spam. Just one or two get through, and occasionally non-spam gets put in the spam folder, and I don’t see any pattern to it. I don’t think I’ve *ever* had non-spam go into the junk folder in gmail, though rarely one or two spam messages get through to my inbox. The email address that was phished had TONS of spam, and lots of it got through – probably proportional, but it was a real hassle, so it’s just as well they switched to gmail! Gmail didn’t exist when they set up their accounts.

      As far as adding images, I replied with a screenshot and instructions over a month ago in one of the Moodle forums – I just searched for it and here it is:
      http://moodle.cerrocoso.edu/mod/forum/discuss.php?d=222498#p862208

      There is also a Lynda.com video on it here: http://www.lynda.com/home/Player.aspx?lpk4=43161

      If this is not what you wanted, I suggest you post a specific question in the help desk forum, where people who are willing/have time to help will be able to find it.

      Comment by Maggie Wolfe Riley | October 4, 2009

  2. Wow, Maggie! So do you mean both the old yahoo email AND the new gmail emails were on the site? How long did it take to regain control, and did they ever catch the phisher?

    Comment by nancy13joomla | October 4, 2009

    • It didn’t take too long for her to get back into her email account – she just had to prove that she was the rightful owner, which was a pain, as I recall – remembering security questions and such, but she got back in fairly soon. The damage had been done, however, and now spammers/phishers had email addresses for all the people in our address book plus anyone who emailed us while they were in control. I guess we could have kept the email address, but we had set up the gmail account just to cover incoming form submissions – our joblist was very active as it was a statewide site.

      She started using the new gmail address and notified everyone she could, but then didn’t change the address that was at the footer of every page of the website from the old yahoo address. So, while the yahoo address was mostly getting spam, it still occasionally got official business, and she didn’t do anything about it. It was a volunteer webmaster position, but still, leaving an unused email address on your site, on almost every page of your site (and there were 100s of pages), seems inexcusable to me. It bugged the heck out of me, as former webmaster of the site!

      Comment by Maggie Wolfe Riley | October 4, 2009
