There’s a term for the practice of scaring potential customers into purchasing products or services they don’t need: FUD, or fear, uncertainty, and doubt. This practice is widespread in the computer/IT industries at large, but it is especially present in the security industry.
People don’t want to get hacked—but may also not understand the issues and forces at play. This makes them easy targets for overzealous sales representatives who see an opportunity to use misinformation to increase their paycheck via commission payouts.
Recently, we worked with a client whose case was one of the worst examples of FUD we’ve experienced.
Contacting the Host
It happened on Thanksgiving. A client of ours had purchased one of our agency plans to clean and protect all of the websites in their hosting account.
As is typical with many hosting providers, their sites had been disabled and were inaccessible to the outside world after being infected. Not all hosts do this, but it’s typical within the industry since the presence of malware on a website can put visitors at risk or cause issues for other sites on the server. However, this tactic can also be misused by hosts trying to sell their own in-house or contracted security services—which can sometimes feel like a shakedown from the perspective of the client/website owner.
While performing the website remediation on the client’s account, all the malicious files were cleaned to ensure that nothing remained that would pose a risk to the client, server, customer, or host. Afterwards, we advised our client to touch base with their host to get the sites back up and running so we could perform some additional checks and also put the websites behind our firewall to help prevent further attacks and issues. The client came back reporting that the host had found some additional files which required removal before the account could be re-enabled.
The files were checked one by one. None of them posed a real risk to the websites; they were junk files left over from the hack. Nevertheless, each file was reviewed just to be sure.
Now, being as though it was Thanksgiving, I figured that our client was probably at home with their family enjoying a nice holiday dinner. Since I reside in Canada and I was at work (fun fact: we have our Thanksgiving in October) I figured I’d do the client a solid favor and contact their hosting provider on their behalf. This way, they wouldn’t have to either wait two extra days or spend the holiday waiting on hold for tech support.
Since I was absolutely certain that no additional malware was present on this account, I asked for the websites to be re-enabled.
The Chat Transcript
Below is the transcript from our chat. Names have been removed for privacy reasons; however, typos and formatting have remained intact.
TL;DR: I jump into a host’s support chat and immediately get passed along to agents whose roles are clearly to generate sales for the host. False positive files that were flagged as malicious by the host prevent their chat representatives from re-enabling the sites unless I obtain their cleanup services; I eventually resort to calling their support line to get the site back online.
B******* joined
Support1: Hello. My name is B******* and I am a website security consultant here at <company-name> From what I have read on your chat ticket you cleaned out all the malware, I can get you over to your host to get the site back online.
Me: Great thanks!
Support1: I can also show you a way to find, fix, and prevent this malware in the future. Is that something you would be interested in learning more about today?
Me: Websites are already clean, thanks though 🙂
Support1: Can you please confirm the email on file for security purposes? I can then get you to your host to get the sites back online
Me: should be ********@********.com
Support1: Thank you for that The site will still be vulnerable without preventative measures. I have seen sites hacked and cleaned and the malware came back again the same day without preventative measures With that being said, would you also be interested in securing the contents of the site with us here at <company-name> today?
Me: Already have protection with Sucuri, but thank you for the offer
Support1: No worries I will need to transfer you to a Host department that can properly assist you. Is that ok? Do you have any questions for me before I connect you to your host?
Me: Sounds good. No more questions, thanks!
Support1: I will transfer you now
B******* left
D******* joined
Support2: Hello ********. My name is D******* and I am happy to help you. How are you today?
Me: Fine thanks!
Support2: In order to assist you further, please provide the last 4 characters of the Main account password to authenticate you as the owner of the account.
Me: ****
Support2: Thank you for validating. Can you please hold 8-9 minutes? I am going to check this for you right now and it should take about . I will be back as quickly as I can.
Me: sure thing, no rush
Support2: Thank you for your patience, I am still working on your issue, please hold for 8-9 minutes
Me: roger that
Support2: The can is still going on I will let you know ocne the scan is done
Me: ok
Support2: It may take nearly 15 minutes
Me: sure thing, keep me posted
Support2: It is taking more time thn expected. I will update the list of malicious contents in ********.txt in Filemanager outside public_html Please check it after one housr Did you receive my last message? I have scanned the website files and updated the contents in ********.txt
Me: checking those files are not malicious they all seem to be false positives
Support2: Those are files we got whole scanning it
Me: wp-includes/ID3/module.audio-video.quicktime.php Core wordpress file, not modified, for example
Support2: You can restore clean copy of website files
Me: /home4/********/public_html/********/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php this file matches the wordpress repository perfectly, there are no modifications the files are not malicious, they are false positives plus these files did not come up in previous scans
Support2: I would suggest that you to contact ******** so they will remove only the malicious codes in the website files and get back to you
Me: Sucuri has already cleaned the files. The sites are clean. /home4/********/public_html/********/wp-includes/ID3/module.audio-video.quicktime.php This is an unmodified core wordpress file you are flagging wordpress as malicious?
Support2: Our system shows those files are malicious. We cannot activate it without removing the malcious contents
Me: The files are false positives. They are not malicious. They match the wordpress.org repository perfectly
Support2: I am sorry I have contacted our specilaists and they say we cannot activate the account without removing the malicious files
Me: Can I speak with your supervisor please?
Support2: Supervisor is assisting other customers. However, you can call us at: 1-800-***-**** and ask our supervisor
Me: how long will the supervisor be assisting other customers for? i can wait
Support2: It may take 1 to 2 hours You can call us so our terms of service can assist you on this
Me: I will wait on chat, thanks. You can forward me to the supervisor as soon as they are available
Support2: Or you can contact us after two hours
Me: I’ll wait, thanks
Support2: I would suggest that you to call us and ask for superviosr
Me: You can forward me to your supervisor via chat as soon as they are available
Support2: The supervisor is busy right now
Me: That’s fine. I’ll wait.
D******* left
H******* joined
Support3: Hello ********. How may I help you ?
Me: Hey there, my websites are disabled and need to be re-enabled. Please read through the chat transcript it’ll explain everything Are you a supervisor?
Support3: Thank you for your patience. I have gone through your chat. Re-scanning the account. This could take 5- 10 minutes depending on the size of the account.
Me: Ok. Are you a supervisor?
Support3: No.
Me: I would like to speak with a supervisor please
Support3: Unfortunately our supervisor is busy assisting other customers.
Me: That’s fine, just send me to a supervisor as soon as they are available.
Support3: I don’t you can make it in the next couple of hours. Please check after few hours.
Me: I will wait.
Support3: Sorry I can’t hold long enough we have other customers on queue.
Me: I will wait for a supervisor.
Support3: I can see that your account still contains infected files. I will updated the ********.txt file once the scan has finished in the home folder. Please check the ********.txt file after 30 minutes. Please delete all the files mentioned in the ********.txt file. Don’t delete the ********.txt file as it just contains logs of infected file. Once you have done with cleaning, please check back with us for reactivation.
Me: the files in ********.txt are false positives, I just checked them
Support3: Is there anything else I can assist you with today?
Me: Yes, I’m waiting for a supervisor. Send me to them when they are available.
Support3: Supervisor is assisting other customers. However, you can call us at: 1-800-***-**** and ask our supervisor
Me: I will wait on chat
Support3: I will have to end this chat. Is there anything else I can assist you with today?
Me: I don’t think you want to do that.
Support3: Thanks for chatting with us. If you have any further questions, please don’t hesitate to contact us. We are available 24×7. Are you happy with my help? Please answer a quick survey by clicking the “Rate & Exit” button in the top right corner of this chat window to rate my support.
H******** left
Please wait for the next available agent
You will be connected to an agent within 5 minutes…
This is a textbook shakedown: Pay us or we won’t re-enable your account.
Now, the interesting part of this conversation is that the sales reps were woefully unaware that they were not speaking to a gullible client but to a seasoned website security analyst. It’s quite likely that these were outsourced agents just looking to meet their daily quota.
The Malicious Files
Let’s take a look at the “malicious” files flagged in the account after their initial scans:
/home4/********/public_html/***************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/**********************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/**********************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/**********************/wp-content/plugins/contact-form-7-mailchimp-extension/lib/system.php
/home4/********/public_html/***********/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/***********/wp-content/plugins/sucuri-scanner/src/lastlogins.php
/home4/********/public_html/***********/wp-content/plugins/sucuri-scanner/src/sucuriscan.lib.php
/home4/********/public_html/***********/wp-content/plugins/gotmls/safe-load/index.php
/home4/********/public_html/***********/wp-content/plugins/worker/init.php
/home4/********/public_html/***********/wp-content/plugins/worker/src/MWP/Http/RedirectResponse.php
/home4/********/public_html/***********/wp-content/plugins/worker/src/MMB/Backup.php
/home4/********/public_html/***********/wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php
/home4/********/public_html/*****************/wp-content/plugins/si-contact-form/includes/class-fscf-process.php
/home4/********/public_html/*************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/*************/wp-content/plugins/mailchimp-for-wp/assets/js/*orms-admin.min.js.map
/home4/********/public_html/*************/wp-content/plugins/worker/init.php
/home4/********/public_html/*************/wp-content/plugins/worker/src/MWP/Http/RedirectResponse.php
/home4/********/public_html/*************/wp-content/plugins/worker/src/MMB/Backup.php
/home4/********/public_html/*************/wp-content/plugins/wp-fastest-cache/inc/css-utilities.php
/home4/********/public_html/*************/wp-content/plugins/wp-fastest-cache/inc/cache.php
/home4/********/public_html/*************/wp-content/plugins/wp-spamshield/wp-spamshield.php
/home4/********/public_html/*************/wp-content/plugins/wp-spamshield/includes/class.utils.php
/home4/********/public_html/*************/wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php
/home4/********/public_html/****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/********************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/********************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/********************/wp-content/plugins/all-in-one-event-calendar/app/model/api/api-ticketing.php
/home4/********/public_html/*********************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/*********************/wp-content/plugins/worker/init.php
/home4/********/public_html/*********************/wp-content/plugins/worker/src/MWP/Http/RedirectResponse.php
/home4/********/public_html/*********************/wp-content/plugins/worker/src/MMB/Backup.php
/home4/********/public_html/*********************/wp-content/plugins/ninja-forms/includes/Admin/Menus/SystemStatus.php
/home4/********/public_html/*********************/wp-content/plugins/ninja-forms/includes/Dispatcher.php
/home4/********/public_html/*********************/wp-content/plugins/ninja-forms/deprecated/upgrade/class-submenu.php
/home4/********/public_html/**************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/**************/wp-content/plugins/sz-google/lib/Google/Service/IdentityToolkit.php
/home4/********/public_html/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/****************/wp-content/backup-1432592533-plugins/cleantalk-spam-protect/cleantalk-public.php
/home4/********/public_html/***************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/*****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/******************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/******************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/******************/wp-content/plugins/si-contact-form/includes/class-fscf-process.php
/home4/********/public_html/****************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/*************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/******************/wp-content/plugins/sucuri-scanner/src/lastlogins.php
/home4/********/public_html/******************/wp-content/plugins/sucuri-scanner/src/sucuriscan.lib.php
/home4/********/public_html/******************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-content/backup-1485204493-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/*****************/wp-content/backup-1476041652-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-content/plugins/contact-form-7-mailchimp-extension/lib/system.php
/home4/********/public_html/*****************/wp-content/backup-1476042509-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/*****************/wp-content/backup-1476041649-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/******************/contactengine.php
/home4/********/public_html/*************/wp-includes/ID3/module.audio-video.quicktime.php
/home4/********/public_html/*************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/**************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
/home4/********/public_html/**************/wp-content/plugins/wp-fastest-cache/inc/css-utilities.php
/home4/********/public_html/**************/wp-content/plugins/wp-fastest-cache/inc/cache.php
/home4/********/public_html/**************/wp-content/themes/Touch/contact-send.php
/home4/********/public_html/********************/wp-content/themes/swift/lib/includes/content-width-slider.php
/home4/********/public_html/********************/wp-content/themes/swift/lib/includes/np-slider.php
/home4/********/public_html/********************/wp-content/themes/swift/lib/includes/*ull-width-slider.php
/home4/********/public_html/********************/wp-content/themes/swift/lib/admin/swift-options-input.php
/home4/********/public_html/*****************/wp-content/plugins/estatik-mortgage-calculator/estatik-calculator.php
/home4/********/public_html/*****************/wp-content/plugins/estatik-mortgage-calculator/*ront/css/es_calc_color.php
False Positives
What is most interesting about this is that these files did not appear in the host’s previous security scans; they surfaced only after we had cleaned the malware from the account. All of a sudden these files appeared out of nowhere and also needed to be cleaned.
However, there was nothing malicious about these files. They were all false positives, as I had mentioned during my interaction with the chat representatives. Moreover, a lot of the files flagged were part of the WordPress core and other popular plugin files from Jetpack and wp-fastest-cache.
When comparing the files on our client’s account to the ones from the official wordpress.org repository, they matched perfectly. There were no modifications, let alone anything malicious.
Why would this particular hosting provider flag unmodified core WordPress files?
Here are two possibilities:
- After their initial scans, they pushed a new, poorly written malware signature that couldn’t tell the difference between a core WordPress file and malware.
- This was a completely bogus and typo-ridden attempt at holding our client hostage and demanding that they pay for additional security services that they didn’t want or need.
It’s also worth mentioning that in the most recent scan performed, the report listed the flagged files without any signature name, which security scanners customarily include. You can’t just go about flagging files left and right without giving a reason for it.
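The check described above (comparing each flagged file byte-for-byte against a known-good copy, and noticing when a report names no signature) is easy to automate. The script below is an added example and is not Sucuri’s code or the host’s scanner. It assumes a constructed known-good manifest and writes a tiny WordPress-like tree into a temporary directory; in practice the manifest would come from a clean download of the same WordPress and plugin versions (for core files, WP-CLI’s `wp core verify-checksums` does this against the wordpress.org checksum API). The per-site paths, the `CONSTRUCTED.Sample.Sig` signature name and the file contents are all made up for the demonstration; verdicts other than `FALSE_POSITIVE` mean “review”, not “malicious”.

```python
"""Triage a host's "malicious files" list against known-good checksums.

Added example, not code from the post. Files are classified as
FALSE_POSITIVE (byte-identical to the reference copy), MODIFIED (known file,
different hash), UNKNOWN (no reference copy to compare against) or MISSING.
"""
import hashlib
import os
import tempfile

# Constructed stand-in contents for two files the post names as flagged.
# These are NOT the real file contents; a real run loads a manifest built
# from a clean install of the same versions.
KNOWN_GOOD_CONTENT = {
    "wp-includes/ID3/module.audio-video.quicktime.php":
        b"<?php\n// getID3 QuickTime module (constructed stand-in)\n",
    "wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php":
        b"<?php\n// Jetpack React admin page (constructed stand-in)\n",
}

WP_ROOTS = ("wp-admin", "wp-includes", "wp-content")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(contents):
    """Map WordPress-relative path -> sha256 of the known-good copy."""
    return {rel: sha256_bytes(data) for rel, data in contents.items()}


def wp_relative(path):
    """Strip everything before the first wp-admin/wp-includes/wp-content
    component so per-site paths (public_html/<site>/wp-includes/...) map
    onto manifest keys. Returns None for files outside a WordPress tree."""
    parts = path.replace("\\", "/").split("/")
    for i, part in enumerate(parts):
        if part in WP_ROOTS:
            return "/".join(parts[i:])
    return None


def triage(account_root, findings, manifest):
    """findings: list of (path relative to account root, signature or None).
    Returns {path: (verdict, report_named_a_signature)}."""
    results = {}
    for rel, signature in findings:
        full = os.path.join(account_root, rel)
        if not os.path.isfile(full):
            verdict = "MISSING"
        else:
            key = wp_relative(rel)
            expected = manifest.get(key) if key else None
            if expected is None:
                verdict = "UNKNOWN"
            elif sha256_file(full) == expected:
                verdict = "FALSE_POSITIVE"
            else:
                verdict = "MODIFIED"
        results[rel] = (verdict, signature is not None)
    return results


def demo():
    """Build a constructed account tree and a constructed host report, then triage it."""
    manifest = build_manifest(KNOWN_GOOD_CONTENT)
    root = tempfile.mkdtemp()

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    qt = "wp-includes/ID3/module.audio-video.quicktime.php"
    jp = "wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php"
    write("public_html/site-a/" + qt, KNOWN_GOOD_CONTENT[qt])                      # pristine core file
    write("public_html/site-b/" + jp, KNOWN_GOOD_CONTENT[jp] + b"// extra line\n")  # simulated tampering
    write("public_html/site-c/contactengine.php", b"<?php\n// custom file, no reference copy\n")

    # Constructed report: path plus the signature name the host gave (None = none given).
    findings = [
        ("public_html/site-a/" + qt, None),
        ("public_html/site-b/" + jp, "CONSTRUCTED.Sample.Sig"),
        ("public_html/site-c/contactengine.php", None),
        ("public_html/site-d/" + qt, None),  # listed by the host but not present
    ]
    results = triage(root, findings, manifest)
    for path, (verdict, has_sig) in sorted(results.items()):
        note = "" if has_sig else "  <- report names no signature"
        print(f"{verdict:15} {path}{note}")
    return results


if __name__ == "__main__":
    demo()
```

Only a byte-identical match with a reference copy proves a finding is a false positive; an `UNKNOWN` file such as a custom `contactengine.php` still needs a human to read it, and a listed path that does not exist on disk is its own reason to ask the host what their scanner actually looked at.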
Not knowing what else to do, and certainly not wanting our client to experience this dreadful attempt at upselling them without a cause, we decided to give their host a call via telephone.
Fortunately, the telephone support representative we contacted was much more accommodating. He mentioned that although there were files flagged by their system, since we at Sucuri had verified the files and confirmed they were not malicious, he kindly re-enabled the account for us.
Conclusion
This story describes an alarming scenario:
The impossible situation clients may face when trying to re-enable their sites after a compromise. Some website owners aren’t skilled in the art of telling malware apart from benign code (that’s why they hire us) and may believe whatever the outsourced sales or support representatives tell them.
As a website owner and consumer, it’s important to be on the lookout for attempts to take advantage of you. Be wary of high pressure sales tactics, misinformation, and situations where you feel something may be amiss.
We at Sucuri have always been proud of our willingness to help clients in an honest and transparent fashion, and that is something we will always continue to do.