09.13.18

Stratatomic Hacking Report

The Not-So-Good, the Really Bad, and the Very Ugly

By Ryan Owens



Over the years we've helped rescue (far too many) clients from website hacking incidents, some of them quite serious. Every one of them utilized common web platforms such as WordPress, Drupal and Joomla, but each incident was also somewhat unique in nature and took advantage of different vulnerabilities. What is important to note about these hacking intrusions is that in most cases the client was not aware of the problem, having no idea that their site was distributing malware, or that their domain was sending spam, or that their email had been blacklisted.

"Hackers attack WordPress sites both big and small, with over 90,978 attacks happening per minute." – Wordfence

According to Wikipedia, malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server or computer network. Malware does the damage after it is implanted or introduced in some way into a target's computer and can take the form of executable code, scripts, active content, and other software. The code is described as computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware, among other terms.

Wikipedia goes on to explain, "It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins. If vulnerabilities are found, they may be exploited to allow hackers to upload their own files (such as a PHP Shell script) that collect sensitive information.

Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as a CSRF, LFI, RFI, XSS, SQL injection and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers"


We've compiled this guide to show you the real emails, screenshots, and search engine reports so that you can see for yourself the common issues faced with these CMS systems.

In some examples we've blurred out the names to protect the innocent.

THE HACK: Malware
THE PLATFORM: WordPress

In this case, Google had detected malware on the client's WordPress site and had flagged it in search results and also put up this scary red warning page that popped up whenever someone tried to visit the client's website. The client found out about it only after this warning page was displayed on their website. Who knows how long it had been distributing malware or stealing credit card info, etc before it was detected? And even if you aren't aware of malware on your site, Google usually is. However it may take time for Google to discover and flag your website once it has been compromised. When they eventually do detect something malicious is installed it will stop sending traffic to your site until it has been fixed. Furthermore, you could potentially expose yourself or your company to certain legal liabilities.

Custom Web Design Greenville SC
THE FIX: Build a Custom Stratatomic Website
We were able to solve the problem for good when we launched a new, completely-custom HTML5 website and submitted the new site to Google in order to remove the warning.

THE HACK: Trojan Horse Domain Hijacking
THE PLATFORM: WordPress

This client, located in New Zealand, was completely unaware that their site was referring customers to illegitimate malware distributors and a complaint had been filed under the US Digital Millenium Copyright Act. As part of our due diligence when we launch a new website, we do a site-specific scan of their domain in Google's Search Engine Results Pages (SERP) to see how their site appears in the index and setup redirects as needed so that any broken links are minimized. What we found were pages and pages of hidden, secret URLs that were invisible on the site but were prevelant throughout the SERP pages. If a potential customer searched for the client on Google, they would encounter all of these nefarious links that would take them to illegitimate malware distributors, which in turn offered illegal software available for download and infected with viruses, malware, ransomware and other nasty stuff. The Chinese characters shown in the bottom search result show that this was most likely the result of black hat Chinese hackers. Unfortunately, this was not the first time we'd seen this (see below).

Custom Web Design Greenville SC
THE FIX: Build a Custom Stratatomic Website
Good thing we do a Google site search on behalf of our clients or they would have never realized this was happening. A new, custom HTML5 website developed by Stratatomic solved their WordPress headaches for good, and we cleaned up these SERP results by submitting a new site map to Google and requesting that these bad URLs be removed using our Google WebTools™ site management technology.

THE HACK: Malware
THE PLATFORM: WordPress + GoDaddy Web Hosting

Our client began receiving notices from their web host, GoDaddy, that informed them that their WordPress site contained known malware. This situation was previously unknown to the client. Fortunately their web host had detected the issue, but again we do not know how long this had been going on or what type of malware was being distributed. As you can see from the email, there were a lot of WordPress modules and extensions that were affected. Some of them were removed by the web host, however many others were not, as they were deemed integral to the site's operation and it would require a knowledgeable website administrator to further troubleshoot the problem. Unfortunately for the client, the current website developer was no longer returning their phone calls, which is all too often the case.

And by the way, GoDaddy is one of, if not the, worst web hosting companies extant. Combine WordPress and GoDaddy and you might as well just invite the hackers over for dinner. Just saying those two companies in the same sentence sends shivers down my spine. Read the reviews here on webhostinggeeks.com or just ask and we'll be glad to share some good horror stories with you.

Custom Web Design G</a>reenville SC
THE FIX: Build a Custom Stratatomic Website
We were already busy working on a new, custom HTML5 website as the client kept receiving these disturbing emails from GoDaddy. When the new site was completed and launched we solved their WordPress issues permanently. We also transitioned their website to our secure, dedicated web hosting infrastructure that is SAS 70 Type II Certified and powered by the latest Apache HTTP Server technology, which is the backbone of the Internet and used by many of the largest eCommerce firms and government agencies, including Amazon, Google, IBM, NASA, NYSE, the US Department of Defense, and many more.

THE PROBLEM: Emergency Security Maintenance (Again)
THE PLATFORM: WordPress + WP Engine Hosting

A customer came to us after receiving a barrage of constant, worrying emails and notifications from WordPress. This particular one he forwarded to us indicates that a security situation had been discovered and exploited on the WordPress platform. Unfortunately, these warning messages had become a recurring thing for our client, and he had decided enough was enough - it was time to build a better website.

Custom Web Design Greenville SC
THE FIX: Build a Custom Stratatomic Website
We designed and built a new, completely custom HTML5 website for the client that stopped these pesky messages from WordPress and eliminated many of the usability issues and errors that plagued his previous site.

THE HACK: Customer Credentials Stolen
THE PLATFORM: WordPress + WP Engine Hosting

This was yet another troublesome email that same client received from WordPress. We're not sure which one broke the proverbial camel's back, but let's just say there were a bunch more where these came from. Any one of these warnings should be enough to trigger serious consideration as to the security or lack thereof inherent in this platform. In this instance, WordPress had experienced a hacking intrusion and an "unknown" number of their customers' credentials had been exposed and placed at risk of identity theft.

Custom Web Design Greenville SC
THE FIX: Build a Custom Stratatomic Website
The new website we built for our client completely eliminated the constant worry and headaches that kept him up at night. Simply put - your website should make you money, not cause heartburn.

THE HACK: Trojan Horse Domain Hijacking
THE PLATFORM: WordPress

Those Chinese hackers aren't playing around. Another local client, located in Greenville, had no idea that their site had been hijacked and was referring customers to illicit websites in China that distributed malware. Upon launch of the new site we created for them, we performed our usual site-specific scan of their domain in Google's Search Engine Results Pages (SERP) to see how their site appears in the index and setup redirects as needed so that any broken links are minimized. Again we found hidden, secret URLs that were invisible on the site but were all throughout the SERP pages. Searching for the client on Google would return countless illegitimate URLs that didn't lead to the client's website but rather took them to a Chinese website that would begin to immediately download infected files to the customer's computer. Not only does this do irreperable harm to the customer's computer, but it reflects poorly on the client as well. The Chinese characters shown on the third row of the search results below are a dead giveaway of who is behind this.

Custom Web Design Greenville SC
THE FIX: Build a Custom Stratatomic Website
Unfortunately we, and the client, have no way of knowing how long this scheme had been going on or how many customers had been affected. Fortunately we do a Google site search on behalf of our clients whenever we launch a new website and we uncovered this scam before it could do further damage. The new, custom HTML5 website created by Stratatomic eliminated these WordPress vulnerabilities permanently, and we cleaned up these SERP results by submitting a new site map to Google and requesting that these bad URLs be removed using our Google WebTools™ site management technology.

THE HACK: "Shocking" Automated Malware Attack
THE PLATFORM: Drupal

This incident wasn't one that personally affected one of our clients, but it isn't hard to find these or hear about them for any of these common open-source platforms such as WordPress, Drupal or Joomla. They all work the same basic way, which means they all suffer the same inherent vulnerabilities, flaws, and exploits. A quick Google search for will turn up millions of these reports. We've included this one because it is rather scary if you read it closely:

Custom Web Design Greenville SC
THE FIX: Don't Rely On Free Software!
As stated in the Sucuri™ Website Hacked Trend Report (2017), "This user adoption however brings about serious challenges to the Internet as a whole as it introduces a large influx of unskilled webmasters and service providers responsible for the deployment and administration of these sites." As the report goes on to say, "Out of the 11,000+ infected websites analyzed, 75% of them were on the Wordpress platform and over 50% of those websites were out of date. Compare that to other similar platforms that placed less emphasis on backwards compatibility, like Joomla and Drupal, the percentage of out-of-date software was above 80%."

Other highlights from the Sucuri™ report include, "As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing. These numbers reflect only those infections that have an immediate adverse effect on the visitor (i.e., Drive by Download, Phishing) and do not include websites infected with Spam SEO and other tactics not detected by these companies."

If you're ready to see the difference that Stratatomic can make in your business, contact us at 864.271.7021 or click here to send us a message.