Fear, Uncertainty, and Doubt


There’s a term for the practice of scaring potential customers into purchasing products or services they don’t need: FUD, for fear, uncertainty, and doubt. This practice is widespread in the computer/IT industries at large, but it is especially present in the security industry.

People don’t want to get hacked—but may also not understand the issues and forces at play. This makes them easy targets for overzealous sales representatives who see an opportunity to use misinformation to increase their paycheck via commission payouts.

Recently, we worked with a client whose case was one of the worst examples of FUD we have experienced.

Contacting the Host

It happened on Thanksgiving. A client of ours had purchased one of our agency plans to clean and protect all of the websites in their hosting account.

As is typical with many hosting providers, their sites had been disabled and were inaccessible to the outside world after being infected. Not all hosts do this, but it’s typical within the industry since the presence of malware on a website can put visitors at risk or cause issues for other sites on the server. However, this tactic can also be misused by hosts trying to sell their own in-house or contracted security services—which can sometimes feel like a shakedown from the perspective of the client/website owner.

While remediating the client’s account, we cleaned every malicious file so that nothing remained that could pose a risk to the client, the server, the sites’ visitors, or the host. Afterwards, we advised our client to touch base with their host to get the sites back up and running so we could perform some additional checks and put the websites behind our firewall to help prevent further attacks and issues. The client came back reporting that the host had found additional files which required removal before the account could be re-enabled.

We checked the files one by one. None of them posed a real risk to the websites; they were junk files left over from the hack. Nevertheless, each file was reviewed just to be sure.

Now, since it was Thanksgiving, I figured that our client was probably at home with their family enjoying a nice holiday dinner. Since I reside in Canada and was at work (fun fact: our Thanksgiving is in October), I figured I’d do the client a favor and contact their hosting provider on their behalf. This way, they wouldn’t have to either wait two extra days or spend the holiday on hold with tech support.

Since I was absolutely certain that no additional malware was present on this account, I asked for the websites to be re-enabled.

The Chat Transcript

Below is the transcript from our chat. Names have been removed for privacy reasons; however, typos and formatting have been left intact.

TL;DR: I jump into the host’s support chat and am immediately passed along to agents whose role is clearly to generate sales for the host. Files that the host’s scanner flagged as malicious, all of them false positives, are used as the reason their chat representatives will not re-enable the sites unless I purchase their cleanup service; I eventually resort to calling their support line to get the sites back online.

B******* joined

Support1: Hello.  My name is B*******  and I am a website security consultant here at <company-name>

From what I have read on your chat ticket you cleaned out all the malware, I can get you over to your host to get the site back online.

Me: Great thanks!

Support1: I can also show you a way to find, fix, and prevent this malware in the future.  Is that something you would be interested in learning more about today?

Me: Websites are already clean, thanks though 🙂

Support1: Can you please confirm the email on file for security purposes?  I can then get you to your host to get the sites back online

Me: should be ********@********.com

Support1: Thank you for that

The site will still be vulnerable without preventative measures. I have seen sites hacked and cleaned and the malware came back again the same day without preventative measures

With that being said, would you also be interested in securing the contents of the site with us here at <company-name> today?

Me: Already have protection with Sucuri, but thank you for the offer

Support1: No worries

I will need to transfer you to a Host department that can properly assist you.

Is that ok?  Do you have any questions for me before I connect you to your host?

Me: Sounds good. No more questions, thanks!

Support1: I will transfer you now

B******* left

D******* joined

Support2: Hello ********. My name is D******* and I am happy to help you. How are you today?

Me: Fine thanks!

Support2: In order to assist you further, please provide the last 4 characters of the Main account password to authenticate you as the owner of the account.

Me: ****

Support2: Thank you for validating.

Can you please hold 8-9 minutes? I am going to check this for you right now and it should take about . I will be back as quickly as I can.

Me: sure thing, no rush

Support2: Thank you for your patience, I am still working on your issue, please hold for 8-9 minutes

Me: roger that

Support2: The can is still going on

I will let you know ocne the scan is done

Me: ok

Support2: It may take nearly 15 minutes

Me: sure thing, keep me posted

Support2: It is taking more time thn expected. I will update the list of malicious contents in ********.txt in Filemanager outside public_html

Please check it after one housr

Did you receive my last message?

I have scanned the website files and updated the contents in ********.txt

Me: checking

those files are not malicious

they all seem to be false positives

Support2: Those are files we got whole scanning it

Me: wp-includes/ID3/module.audio-video.quicktime.php

Core wordpress file, not modified, for example

Support2: You can restore clean copy of website files

Me: /home4/********/public_html/********/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

this file matches the wordpress repository perfectly, there are no modifications

the files are not malicious, they are false positives

plus these files did not come up in previous scans

Support2: I would suggest that you to contact ******** so they will remove only the malicious codes in the website files and get back to you

Me: Sucuri has already cleaned the files. The sites are clean.

/home4/********/public_html/********/wp-includes/ID3/module.audio-video.quicktime.php

This is an unmodified core wordpress file

you are flagging wordpress as malicious?

Support2: Our system shows those files are malicious. We cannot activate it without removing the malcious contents

Me: The files are false positives. They are not malicious.

They match the wordpress.org repository perfectly

Support2: I am sorry I have contacted our specilaists and they say we cannot activate the account without removing the malicious files

Me: Can I speak with your supervisor please?

Support2: Supervisor is assisting other customers. However, you can call us at: 1-800-***-**** and ask our supervisor

Me: how long will the supervisor be assisting other customers for?

i can wait

Support2: It may take 1 to 2 hours

You can call us so our terms of service can assist you on this

Me: I will wait on chat, thanks.

You can forward me to the supervisor as soon as they are available

Support2: Or you can contact us after two hours

Me: I’ll wait, thanks

Support2: I would suggest that you to call us and ask for superviosr

Me: You can forward me to your supervisor via chat as soon as they are available

Support2: The supervisor is busy right now

Me: That’s fine. I’ll wait.

D******* left

H******* joined

Support3: Hello ********. How may I help you ?

Me: Hey there, my websites are disabled and need to be re-enabled. Please read through the chat transcript it’ll explain everything

Are you a supervisor?

Support3: Thank you for your patience. I have gone through your chat.

Re-scanning the account. This could take 5- 10 minutes depending on the size of the account.

Me: Ok. Are you a supervisor?

Support3: No.

Me: I would like to speak with a supervisor please

Support3: Unfortunately our supervisor is busy assisting other customers.

Me: That’s fine, just send me to a supervisor as soon as they are available.

Support3: I don’t you can make it in the next couple of hours.

Please check after few hours.

Me: I will wait.

Support3: Sorry I can’t hold long enough we have other customers on queue.

Me: I will wait for a supervisor.

Support3: I can see that your account still contains infected files.

I will updated the ********.txt file once the scan has finished in the home folder. Please check the ********.txt file after 30 minutes. Please delete all the files mentioned in the ********.txt file. Don’t delete the ********.txt file as it just contains logs of infected file. Once you have done with cleaning, please check back with us for reactivation.

Me: the files in ********.txt are false positives, I just checked them

Support3: Is there anything else I can assist you with today?

Me: Yes, I’m waiting for a supervisor. Send me to them when they are available.

Support3: Supervisor is assisting other customers. However, you can call us at: 1-800-***-**** and ask our supervisor

Me: I will wait on chat

Support3: I will have to end this chat.

Is there anything else I can assist you with today?

Me: I don’t think you want to do that.

Support3: Thanks for chatting with us. If you have any further questions, please don’t hesitate to contact us. We are available 24×7.

Are you happy with my help? Please answer a quick survey by clicking the “Rate & Exit” button in the top right corner of this chat window to rate my support.

H******** left

Please wait for the next available agent

You will be connected to an agent within 5 minutes…

This is a textbook shakedown: Pay us or we won’t re-enable your account.

Now, the interesting part of this conversation is that the sales reps were woefully unaware that they were not speaking to a gullible client but to a seasoned website security analyst. Quite likely these were outsourced agents just trying to meet their daily quota.

The Malicious Files

Let’s take a look at the “malicious” files flagged in the account after their initial scans:

/home4/********/public_html/***************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/**********************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/**********************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/**********************/wp-content/plugins/contact-form-7-mailchimp-extension/lib/system.php

/home4/********/public_html/***********/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/***********/wp-content/plugins/sucuri-scanner/src/lastlogins.php

/home4/********/public_html/***********/wp-content/plugins/sucuri-scanner/src/sucuriscan.lib.php

/home4/********/public_html/***********/wp-content/plugins/gotmls/safe-load/index.php

/home4/********/public_html/***********/wp-content/plugins/worker/init.php

/home4/********/public_html/***********/wp-content/plugins/worker/src/MWP/Http/RedirectResponse.php

/home4/********/public_html/***********/wp-content/plugins/worker/src/MMB/Backup.php

/home4/********/public_html/***********/wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php

/home4/********/public_html/*****************/wp-content/plugins/si-contact-form/includes/class-fscf-process.php

/home4/********/public_html/*************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/*************/wp-content/plugins/mailchimp-for-wp/assets/js/*orms-admin.min.js.map

/home4/********/public_html/*************/wp-content/plugins/worker/init.php

/home4/********/public_html/*************/wp-content/plugins/worker/src/MWP/Http/RedirectResponse.php

/home4/********/public_html/*************/wp-content/plugins/worker/src/MMB/Backup.php

/home4/********/public_html/*************/wp-content/plugins/wp-fastest-cache/inc/css-utilities.php

/home4/********/public_html/*************/wp-content/plugins/wp-fastest-cache/inc/cache.php

/home4/********/public_html/*************/wp-content/plugins/wp-spamshield/wp-spamshield.php

/home4/********/public_html/*************/wp-content/plugins/wp-spamshield/includes/class.utils.php

/home4/********/public_html/*************/wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php

/home4/********/public_html/****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/********************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/********************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/********************/wp-content/plugins/all-in-one-event-calendar/app/model/api/api-ticketing.php

/home4/********/public_html/*********************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/*********************/wp-content/plugins/worker/init.php

/home4/********/public_html/*********************/wp-content/plugins/worker/src/MWP/Http/RedirectResponse.php

/home4/********/public_html/*********************/wp-content/plugins/worker/src/MMB/Backup.php

/home4/********/public_html/*********************/wp-content/plugins/ninja-forms/includes/Admin/Menus/SystemStatus.php

/home4/********/public_html/*********************/wp-content/plugins/ninja-forms/includes/Dispatcher.php

/home4/********/public_html/*********************/wp-content/plugins/ninja-forms/deprecated/upgrade/class-submenu.php

/home4/********/public_html/**************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/**************/wp-content/plugins/sz-google/lib/Google/Service/IdentityToolkit.php

/home4/********/public_html/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/****************/wp-content/backup-1432592533-plugins/cleantalk-spam-protect/cleantalk-public.php

/home4/********/public_html/***************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/*****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/******************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/******************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/******************/wp-content/plugins/si-contact-form/includes/class-fscf-process.php

/home4/********/public_html/****************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/*************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/******************/wp-content/plugins/sucuri-scanner/src/lastlogins.php

/home4/********/public_html/******************/wp-content/plugins/sucuri-scanner/src/sucuriscan.lib.php

/home4/********/public_html/******************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-content/backup-1485204493-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/*****************/wp-content/backup-1476041652-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-content/plugins/contact-form-7-mailchimp-extension/lib/system.php

/home4/********/public_html/*****************/wp-content/backup-1476042509-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/*****************/wp-content/backup-1476041649-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/******************/contactengine.php

/home4/********/public_html/*************/wp-includes/ID3/module.audio-video.quicktime.php

/home4/********/public_html/*************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/**************/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

/home4/********/public_html/**************/wp-content/plugins/wp-fastest-cache/inc/css-utilities.php

/home4/********/public_html/**************/wp-content/plugins/wp-fastest-cache/inc/cache.php

/home4/********/public_html/**************/wp-content/themes/Touch/contact-send.php

/home4/********/public_html/********************/wp-content/themes/swift/lib/includes/content-width-slider.php

/home4/********/public_html/********************/wp-content/themes/swift/lib/includes/np-slider.php

/home4/********/public_html/********************/wp-content/themes/swift/lib/includes/*ull-width-slider.php

/home4/********/public_html/********************/wp-content/themes/swift/lib/admin/swift-options-input.php

/home4/********/public_html/*****************/wp-content/plugins/estatik-mortgage-calculator/estatik-calculator.php

/home4/********/public_html/*****************/wp-content/plugins/estatik-mortgage-calculator/*ront/css/es_calc_color.php

False Positives

What is most interesting about this is that these files did not appear in the host’s previous security scans; they showed up only in the scan run after we had cleaned the malware from the account. All of a sudden these files appeared out of nowhere and also needed to be cleaned.

However, there was nothing malicious about these files. They were all false positives, as I had pointed out during my interaction with the chat representatives. Moreover, many of the flagged files were part of WordPress core or belonged to popular plugins such as Jetpack and wp-fastest-cache; the list even includes files from our own sucuri-scanner plugin.

When we compared the files on our client’s account with the copies in the official wordpress.org repository, they matched exactly. There were no modifications, let alone anything malicious.

Why would this particular hosting provider flag unmodified core WordPress files?

Here are two possibilities:

  1. After their initial scans, they pushed a new, poorly written malware signature that could not tell the difference between an unmodified WordPress file and malware.
  2. This was a completely bogus and typo-ridden attempt at holding our client hostage and demanding that they pay for additional security services that they neither wanted nor needed.
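The two checks that settle a dispute like this are the ones described above: compare each flagged file against the release copy, and look at what the scanner’s signature actually matches. The Python below is an added example, not code from this post, from Sucuri, or from the host’s scanner. The file contents, account paths and hashes are constructed stand-ins; in practice the reference hashes come from the WordPress core checksums API (https://api.wordpress.org/core/checksums/1.0/) or from hashing a fresh plugin download from wordpress.org, and the two regular expressions are illustrative of a broad versus a tight signature rather than any vendor’s real rules.

```python
"""Triage a host's "malicious file" list: verify each file against a known-good
hash, and show why a broad signature flags legitimate WordPress code while a
tighter one does not.  All sample data below is constructed for this example."""
import hashlib
import re

# Constructed stand-ins for pristine release files (NOT the real WordPress
# sources).  Real reference hashes come from api.wordpress.org/core/checksums/
# or from hashing the plugin zip fetched from downloads.wordpress.org.
PRISTINE = {
    "wp-includes/ID3/module.audio-video.quicktime.php":
        b"<?php\n// getID3 QuickTime atom parser (stand-in)\n"
        b"$payload = base64_decode($atom['data']);\n",
    "wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php":
        b"<?php\nclass Jetpack_React_Page extends Jetpack_Admin_Page {}\n",
}
KNOWN_GOOD = {p: hashlib.sha256(b).hexdigest() for p, b in PRISTINE.items()}

# A signature so broad that it flags any legitimate code that merely decodes
# base64 (a poorly written signature, possibility 1 above) ...
NAIVE_SIG = re.compile(rb"base64_decode\s*\(")
# ... versus one that requires the decoded data to be executed.
TIGHT_SIG = re.compile(
    rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)?base64_decode\s*\("
)

WP_ROOTS = ("wp-admin/", "wp-includes/", "wp-content/")
BACKUP_DIR = re.compile(r"backup-\d+-plugins/")  # e.g. wp-content/backup-1476041652-plugins/


def site_relative(path):
    """Strip /home4/<acct>/public_html/<site>/ so the path can be matched against
    release checksums, which are relative to the WordPress root."""
    for root in WP_ROOTS:
        idx = path.find(root)
        if idx != -1:
            return path[idx:]
    return path.rsplit("/", 1)[-1]  # file outside the WP tree: keep the name only


def triage(path, body):
    """Return a verdict for one flagged file.  A hash match against the release
    copy wins over any signature hit; a hash mismatch on a release file is the
    real signal of tampering, whatever the signature says."""
    rel = site_relative(path)
    in_backup = bool(BACKUP_DIR.search(rel))
    lookup = BACKUP_DIR.sub("plugins/", rel)  # stale backup copies hash like the live plugin
    digest = hashlib.sha256(body).hexdigest()
    naive_hit = bool(NAIVE_SIG.search(body))
    tight_hit = bool(TIGHT_SIG.search(body))
    if lookup in KNOWN_GOOD:
        verdict = "known-good" if KNOWN_GOOD[lookup] == digest else "modified-release-file"
    elif tight_hit:
        verdict = "suspicious"
    else:
        verdict = "unknown-review-manually"
    return {"path": path, "relative": rel, "verdict": verdict,
            "naive_hit": naive_hit, "tight_hit": tight_hit, "in_backup_dir": in_backup}


# Constructed account contents: two untouched release files, a stale backup copy,
# a core file with an injected eval, and a dropped backdoor under uploads/.
ACCOUNT = {
    "/home4/acct/public_html/siteA/wp-includes/ID3/module.audio-video.quicktime.php":
        PRISTINE["wp-includes/ID3/module.audio-video.quicktime.php"],
    "/home4/acct/public_html/siteA/wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php":
        PRISTINE["wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php"],
    "/home4/acct/public_html/siteB/wp-content/backup-1476041652-plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php":
        PRISTINE["wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php"],
    "/home4/acct/public_html/siteB/wp-includes/ID3/module.audio-video.quicktime.php":
        PRISTINE["wp-includes/ID3/module.audio-video.quicktime.php"]
        + b"eval(base64_decode('cGhwaW5mbygpOw=='));\n",
    "/home4/acct/public_html/siteB/wp-content/uploads/.cache.php":
        b"<?php eval(gzinflate(base64_decode($_POST['c'])));\n",
}


def triage_account(files=ACCOUNT):
    """Triage every file in a host-style flagged list, in list order."""
    return [triage(p, b) for p, b in files.items()]


if __name__ == "__main__":
    for r in triage_account():
        print(f"{r['verdict']:24} naive={r['naive_hit']!s:5} tight={r['tight_hit']!s:5} {r['path']}")
```

Run over the constructed list, the naive signature fires on three of the five files, including the untouched core stand-in, while the hash check clears both release copies and the backup copy, and only the tampered core file and the dropped backdoor come out as actionable. That is the check a host should be able to show for every path it refuses to re-enable.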

It’s also worth mentioning that in the most recent scan the report listed the flagged files without naming any signature or rule that matched, which security scanners customarily include. You can’t just go about flagging files left and right without giving a reason for it.

Not knowing what else to do, and certainly not wanting our client to experience this dreadful attempt at upselling them without a cause, we decided to give their host a call via telephone.

Fortunately, the telephone support representative we contacted was much more reasonable. He mentioned that although their system had flagged files, since we at Sucuri had verified the files and confirmed they were not malicious, he would re-enable the account for us, and he kindly did so.

Conclusion

This story describes an alarming scenario:

The impossible situation clients may face when trying to re-enable their sites after a compromise. Some website owners aren’t skilled in the art of telling malware apart from benign code (that’s why they hire us) and may believe whatever the outsourced sales/support representatives tell them.

As a website owner and consumer, it’s important to be on the lookout for attempts to take advantage of you. Be wary of high pressure sales tactics, misinformation, and situations where you feel something may be amiss.

We at Sucuri have always been proud of our willingness to help clients in an honest and transparent fashion, and that is something we will always continue to do.
