.

Sad story about what happens when you don't hire a pro..

<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Mon Mar 08, 2010 11:21 am

Sad story about what happens when you don't hire a pro..

The more visibility their sites got -- being on the first page of a Google search, for example -- the worse their bottom line became. Being on top drew attacks from adware companies that stole customers away with pop-up ads as they were ready to buy.

The more they fought back, the worse things became, drawing direct hacking incidents from the adware companies.

Though those companies have been sued out of existence by other victims, the presence of the infections in millions of computers continued to plague the Martinez entrepreneurs and forced them off the Internet.


http://chronicle.augusta.com/news/busin ... l-touch?v=

How about hiring a pro folks?  I'm not having pity on someone who called the FBI and expected them to handle a mass adware problem.  Although the article lacks a number of technical details, I'm not into watching someone play the victim here.  Don't assume that you can just jump on the Internet with no technical background and be successful.  And if you run into problems, hire a pro.

The route these two took is analogous to buying a house that later has leaky plumbing.  They call a priest (wrong profession) to look at the leak and when he can't handle it, they move out (at a loss) without ever having consulted a plumber.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Mon Mar 08, 2010 11:40 am

Re: Sad story about what happens when you don't hire a pro..

I agree with you former33t!

Maybe someone should've recommended a SANs course to the two? Haha.

I don't run into a lot of people in their 60's that are extremely tech savvy unless they've been in the industry for years. Their goal to set up an online web site for their entrepreneur business I think was a positive step in getting your business out there, but even plugging into the internet is even a risk.

Definitely should've taken something into consideration but in this scenario, I picture someone like my mom and dad setting up a web site for something they're running - and not taking into thought all the malicious nasty people on the net just looking to get their malware out there.

This article may be even a large hint to even people who could put sites together; take security into consideration always!

Long, but good read - Hope it works out for them!
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

zeroflaw

User avatar

Full Member
Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Mon Mar 08, 2010 11:44 am

Re: Sad story about what happens when you don't hire a pro..

Ouch! Indeed a stupid move to call the FBI. Should have hired some expert, well they could still do that. It's like they totally gave up on the internet part of business. Also the FBI could have told them to hire someone else, since they couldn't handle it.

Long read :P
ZF
<<

Data_Raid

User avatar

Full Member
Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Mon Mar 08, 2010 2:29 pm

Re: Sad story about what happens when you don't hire a pro..

I read about half of the article but a question springs to mind: how were they hosting their site? At home, something they set up themselves? I have no idea why they never approached a web hosting company that could have taken care of their site for them and I'm sure they could have got a good deal on a decent package that included sufficient security.
All men by nature desire knowledge.

Aristotle
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 09, 2010 6:43 am

Re: Sad story about what happens when you don't hire a pro..

No, I don't think they were hosting their website at home. It looks like it is/was hosted with a web hosting company. They claimed that whoever was behind the adware also got into their personal computers somehow...
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Tue Mar 09, 2010 6:22 pm

Re: Sad story about what happens when you don't hire a pro..

Even if they were with a hosting company (and I think they were) the hosting company is not liable for hackers on your website.  Nothing comes cheap in computing (especially security).  I had a client with a hosting site who didn't update joomla (CMS) and got exploited.  All the client's web pages had code inserted (base64encoded multiple times to obfuscate) that called out to a remote server to execute additional code.  At the time of the compromise, the vulnerability used to exploit the joomla installation was more than three months old.  Two hours max (to update the installation, time that had to be spent anyway) turned into 16+ hours of expensive code cleanup and testing to eradicate all the places the malware inserted itself (both in PHP files used to build the pages and in the CMD database itself).

This really is a story of a little up front saves a lot later.

BTW, sorry for not warning about the length of the story.  I am keeping this one around for future clients that doubt the importance of hiring a security consultant to audit their online business presence.  It's one thing to tell them horror stories you have seen (that of course they think can't happen to them), its another thing to see it in print from the newspaper.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Mar 09, 2010 11:07 pm

Re: Sad story about what happens when you don't hire a pro..

former33t wrote:Even if they were with a hosting company (and I think they were) the hosting company is not liable for hackers on your website.  Nothing comes cheap in computing (especially security).  I had a client with a hosting site who didn't update joomla (CMS) and got exploited.


Not trying to argue, but it depends on the hosting company. The DataCenter (They provide hosting too) work uses, pride themselves on their security parts including in their hosting. They're not cheap, but even the service we have (rented racks, and ds3), we get ids and ips. They offer firewall too, and I may block somethings in the future at their firewall (to get it off mine).
OSWP, Sec+
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sun Mar 14, 2010 3:23 pm

Re: Sad story about what happens when you don't hire a pro..

I touched base with the owner mentioned in the article and pointed him to this thread, here is his reply:

Saw some of the postings in the Forum. We did seek help from "professionals" when we noticed the problem, spent thousand, even conatcted Ed Skoudis, who would not help.

Problem: the adware resides on consumer's computers, especially those with kids, our target audience. We know exactly who did this to us, initially, and spoke with them personally, making matters worse. In the end, we could not afford an attorney.

We don't feel sorry for ourselves, we are moving on.

Our websites are no longer active. We are allowing one company to make use of any old links that are still active.

Please post this message on the Forum. Our story is very long. It's hard th mention all the steps we have taken to resolve our problem. We have hundreds of files collected over a six year period and probably know more than we want to know.

We know our websites and names are "marked". Do you really think that we could have been helped?

Thank you for your inetrest.
<<

KamiCrazy

Jr. Member
Jr. Member

Posts: 78

Joined: Wed Jun 17, 2009 8:40 pm

Post Sun Mar 14, 2010 7:13 pm

Re: Sad story about what happens when you don't hire a pro..

My understanding of their issue is that their internet presence was being exploited by their competitors to sell their competitor's products.

So when a customer would go and pay for their order some sort of local malware would redirect the customer to another website via a pop up effectively stealing the custom.

I think this sort of targetted client side attack is hard to prevent for a company so small. The whole problem is not just the security of the hosted website but also the security of the customer's own computer here.

I think it is true that hiring a pro is definitely the way to go but I don't think a 2 person home based business is going to be able to afford a security pro long enough to develop a solution to such a problem.
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Sun Mar 14, 2010 9:23 pm

Re: Sad story about what happens when you don't hire a pro..

Based on the article, I thought it was a server side hack that was causing the majority of the problems.  After seeing Bill's response, I can see that this was not the case.  Still, a number of possible technical solutions come to mind.

Without seeing the client side malware, it's hard to say what could be done to fix this problem most easily.  My first thought was a notice on the website that they were plagued by a particular type of malware and offering a malicious software removal tool.  Is this a pain?  Sure.  Costly, sure.  I hate to bring this up, but they must be making a good deal of money to be the victims of a targeted malware attack.  This type of attack takes some thought and resources, especially in the distribution phase.

From a legal perspective, they could make a pretty persuasive argument that any redirects from the malware should be redirected back to the site by the competitor.  The competitor is probably a guilty party here as well.

A final (non-ethical) solution is to fight fire with fire (if you are sure the competitor is the culprit).
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

Dengar13

User avatar

Sr. Member
Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Mon Mar 15, 2010 4:41 am

Re: Sad story about what happens when you don't hire a pro..

I am kind of curious as to why Ed Skoudis would not help.  I am guessing it was really beyond repair once he got called into this.  InGuardians is one of the best companies that I am aware of.  Perhaps they could not afford their services. 
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!

Return to News from the Outside World

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software