We were hacked! We do an audit of seczine.com every now and then, obviously not often enough based on what we found.
Essentially a year ago, Feb 2017, there was a version of WordPress that allowed the bad guys to edit your posts remotely, we updated our site a few weeks after the fix was made widely available, our bad.
In the meantime the bad guys had been busy, a huge number of our web pages were updated, we caught the obvious stuff pretty quickly because it was script kiddies defacing entire webpages, so the impact was very noticeable. We were able to reverse the hacked content back to the original content by using a built in WordPress feature that allows you to revert back to a previous version of the content, we even wrote an article on how you can do that here.
The obvious indication that you had been hacked is the username logged against the revision, which you will find at the bottom of your “Post Edit” page, if there has been changes, would be blank, followed by a comma and the date that the change was made, as shown below:
You can see this page was modified by an unauthorised user a total of eight times in the space of a week, most likely by multiple bad guys. What we discovered at the time was the “last” article posted was the one that was modified, so reverting back to the original was an easy task, and clean up was pretty easy.
However, this weeks audit of our site has found we made a bad assumption, we actually had dozens of pages hacked an modified remotely by the bad guys. Interestly they didn’t deface the other web pages, which is why it was not obvious what had occurred, they got a bit clever.
Instead of defacing the web page they decided to use the hack to make some money. You see, Google ranks your website higher in its rankings the more links you have from independent third party sites. Having a link from seczine.com is like a stamp of approval that your website is good and therefore Google is more likely to present your webpage to users looking for content on their search engine.
These bad guys edited dozen of seczine.com articles to link to their websites. Who were these bad guys? Let’s investigate.
First is an online pharmacy called unipillz.com. They didn’t connect directly to unipillz, they went via a short code link from biturlz.com, there were multiple links using this short code url. The biturlz is privacy protected, so we can’t see who the owner is, but their server is hosted by Ile-de-france – Paris – Online S.a.s. and was created on 2017-02-13, which was one day before our site was hacked.
Unipillz is hosted on Ile-de-france servers and has the registered tech contact as :
Shelly Hackett
Marin Heights 810,
Torphyton, Ohio, 49545-4004, US
This site new, but of course because the bad guys control biturlz.com and where their links point to, they can redirect them to new scam pharmacies whenever the current one is to hot to handle.
The second scam sites were all selling “Cheap NFL Jerseys” These guys were not using a url short code, they had links related to NFL Jerseys that linked directly to their current web pages, such as nfleaglesonline.com.
The website was registered around a year ago and has privacy mode turned, it is hosted in San Jose and registered by GANDI SAS. The original link that redirected to their site was www.philadelphiaeaglesjerseyspop.com, also registered at GANDI SAS to Harrison Peter.
The other scam website the hackers linked to was wholesale-jerseys2018.com.
The website was registered around a year ago and has privacy mode turned, it is hosted in San Jose and registered by GANDI SAS. The original link that redirected to their site was www.cheapjerseyslan.com, which has the registered tech contact as:
LiBibin
ShiZhongQu ZhongYangLu No.23-37,
neijiangshi, sichuansheng, , CN
Yet another link that redirected to the above site was www.greenbaypackersjerseyspop.com, this has the registrant as Harrison Peter, also registered via GANDI SAS.
The problem with linking to your actual site is the NFL can find you and shut you down, one of the hacked links was taken over by court order by the NFL, as shown below:
Look, if they are willing to hack websites across the globe, greenbaypackersjerseyspop.com had 10,220 active links, then can you really trust them to keep you credit card details secure, or provide you non-counterfeit drugs?
It is just dangerous, stay away.