Phishing for Anonymous Alligators

Anonymous Alligators

Everyone has encountered phishing at some point – fake emails and web pages designed to look legitimate. This tactic is becoming more popular as attackers are learning how to produce new and convincing phishing lures.

You might receive spam emails claiming to have some important document for you. Some of them have malicious attachments and others have links to the documents online. In the latter case, the links might go to sites that require visitors to log in (fake bank sites and other online services).

In this post, we’ll tell you about one such Google Drive phishing attack.

Read More

How Social Media Blacklisting Happens

Social Media Blacklists

In today’s world, we are all browsing websites online and sharing content on a multitude of social media platforms every day. Worldwide social media users exceeded 2 billion back in August 2014, with an adoption rate unlike anything we have seen in history. Social media continues to grow around the world, with active user accounts now equating to roughly 29% of the world’s population. Monthly active user (MAU) figures for the most active social network in each country add up to almost 2.08 billion – a 12% increase since January 2014.

What is Social Media Blacklisting?

Legitimate links on social media platforms are sometimes hijacked by criminals to direct visitors to a website where malware will be automatically downloaded. The more that people share and use social media, the more often these situations will occur. This is why social media platforms have specific security measures to protect their users from being victims of malicious shared content.

In the same way that websites can be blacklisted by Google for having malware hosted on their pages, social media blacklisting occurs when security triggers detect malicious activity, thus placing the infected links on their internal blacklist. Sometimes they can match the URL with the help of an external blacklist authority, such as McAfee, Google, Web of Trust, or Websense.
Read More

Targeted Phishing Against GoDaddy Customers

I do get a lot of phishing emails, we all do, but as security professionals we tend to recognize them immediately. Either the syntax is wrong, or it’s missing a name. When you get them from a bank you don’t even deal with that’s a pretty good clue.

However, when the phishing is well done and targeted, the game changes. Today, I received one that was well targeted. It uses my email registered at GoDaddy and my real name. And their guess that I have too many folders is a good one as I do have many test and demo sites.

If this wasn’t bad enough, our users are also reporting that they are receiving similar targeted emails. The emails are all very well written and warn the user about a large number of directories being used on their sites and a possible suspension of their account. This is what the email looks like:


We heard reports of this type of targeted phishing a few months ago, but it seems to be picking up steam lately. Webmasters have to be extra careful not to be fooled by this. This is the full copy of the email:

Dear Valued GoDaddy Customer RealName.

Your account contains more than 5271 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we recommend that you create special directory.

Or use the link below:

However, when clicked (or moused over), the link actually redirects to a secondary phishing page located at httx:// asking for your GoDaddy user and password:


Are you a GoDaddy customer? Did you receive a similar email with your real name? If you ever need to login to your hosting provider, make sure you go straight to it and do not follow email links.

Website Malware Removal: Phishing

As we continue on our Malware Removal series we turn our attention to the increasing threat of Phishing infections.

Just like a fisherman casts and reels with his fishing rod, a “phisher-man” will try their luck baiting users with fake pages, often in the form of login pages. These copied website pages are cast into infected websites with the hope that some users will bite, and get reeled into giving away their secret data. Wielding the web development and scripting knowledge necessary to make forms that look convincingly realistic, hackers lure unsuspecting users into entering their credentials on the imitated page.

Read More

The Art of Website Malware Removal – The Basics

When talking about defense against malicious hacks, the attack vector is a common topic for Information Security (InfoSec) professionals. The primary concern is to understand the anatomy of the attack and prevent it from happening again. However, there is a less glamorous task that must take place once an attack vector is exploited; that is malware removal (a.k.a., cleaning up the mess).

The task of cleaning, removing, malware often falls on your shoulders as the website owner / administrator.

While unfortunate and frustrating, malware infections greet us like flat tire or a burst water pipe in the middle of the night. It’s never expected, it’s always while you are sleeping and it’s impacts are felt greatly. They hurt search engine rankings (i.e., SEO), spread malware to users, introduce branding issue, cause websites to be shutdown and a slew of other less than pleasant experiences. The important thing to note though, is that like other problems that surprise us in life, malware infections must be dealt with quickly and correctly. You cannot drive your daily commute on a flat tire, nor can you operate a website that is infected with malware.

Malware needs to be removed as soon as possible before the consequences begin to amplify themselves and their impacts.

Four Common Malware Families Affecting Websites

Like the real-life pests and diseases that they are named for, worms, viruses, and other types of cyber-menaces that have earned metaphorical aliases have many varieties, purposes, and ways to deal with different types of malware. The treatment of one kind of skin infection may have no effect when applied to another, and attempting to remove a hornet nest with the same caution as a bird nest would lead to disastrous results. The scenario is virtually the same when cleaning an infected website.

Due to the multitude of technologies, languages, frameworks and tools, code on the web can be as diverse as human culture itself. This brings about millions of possibilities to achieve very similar goals in software development. Malware takes on this model, and rears it’s ugly head in many different forms, functioning to serve many different purposes.

1. Blackhat SEO Spam Injections

Everybody who reads this blog has seen it before: a website with some very out of place looking advertisements, that are usually of the pharmaceutical, pornographic, knock-off designer brand or fast-money lending nature. These websites have been hit by a criminal user looking to feed off of the website’s traffic in order to advertise for products and services that would normally be very restricted or banned by most hosting policies. Using the victim website as a billboard, the hacker earns commission based income off of the number of clicks or forced redirects that are generated because of the injected malware.

The malicious code that causes injected spam content can be structured in several ways, placed in many locations, or be encoded in a multitude of ways to appear like normal software. Because of this, it is very difficult to have an across-the-board detection method for all types of SEO spam. There are many varieties in the wild that infect websites every day. Furthermore, some infections are scripts can activate based on time or events on your site. These can constantly update posts and pages to display junk or redirect users to affiliate pages, even after you’ve done the work to get rid of it. This can cause a major strain on cleanup, so the best solution is to be prepared with a full backup. By updating to a recent clean version from before a successful attack, website owners can go back in time to a moment before the hack took place, and update their security measures to make sure their content is not overshadowed by blackhat SEO spam.

2. Phishing

Little do many webmasters know, but millions of websites across the internet have pages that definitely should not be there. These hidden pages are home to code that is crafted to resemble other websites on the Internet, like,,, Hotmail, Gmail, Facebook, and many others.

The hackers that put these pages on your site are using them to trick other users to mistakenly put their credentials into a form controlled by the hackers, instead of the official website they think they are sending their password to. This is the reason those policy memos from your bank are always telling you to thoroughly check the links you click when going to manage your finances, or that you should never click a link to go to your bank account from your email. Those links may actually be under the control of someone looking to steal your information, to then steal your money, from pages hosted on a website of an unknowing person, not actually looking to help criminals steal usernames and passwords.

3. Drive-By Downloads

Malware can be difficult to detect, and often employs social engineering tactics, or methods that trick users into playing into the clutches of the attacker. Forms, pop-ups, ads and other site functions can be compromised to force a user to click on something other than intended, or answer a question where the secret answer is actually Yes, I would like to download that .exe file.

These infections, called Drive-By Downloads, are incredibly dangerous to end-users, as they allow attackers to escalate their control from an infected website, to the potential administrative access of any computer that accesses that website. Once the malicious payload has been delivered to the victim user’s machine, it may activate automatically or wait to be activated by some other method before scraping the user’s machine of sensitive information, and sending that along with remote access privileges to a waiting attacker.

4. Backdoors

While some infectious files are meant to actively perform tasks, create spam or attack visitors, other types are meant to lay in wait, and appear only to the hackers that know they are there. These are called backdoor infections. These can lead to large scale attacks by allowing the attacker to build up a number of websites to use as attack surfaces. They can look very different in separate cases, but often have a similar function at the end of their task list: to provide the hacker with the access needed to control the website or server at any chosen time.

Backdoors can serve multiple purposes, ranging from being able to reinfect websites after cleanup, to linking the targeted site to a network of other sites used in DDoS attacks, or massive spam mail campaigns.

Scrubbing Away the Hacker Residue

Learning to deal with each type of malware infection individually is quite challenging at a technical level, but having a plan to get back to normal under any circumstance is important nonetheless.

If detection fails, a keen eye is needed to analyze website content, functionality and code for any signs of intrusion. Once a thread is noticed, it must be followed to determine where in the files or database that the malware located, so that it can be removed.

Once the code showing the infection (i.e., symptom) is removed you must ensure that you go through the rest of the website and remove / repair any backdoors or potential attack vectors. In further efforts to prevent reinfection, all software should be updated fully to minimize the chance of known vulnerabilities being exploited, and all passwords changed, to eliminate the risk that they were stolen during the attack.

It can always be assumed that a stable backup from before a time where malicious files or database entries existed on the server will solve almost any problem. It is therefore, extremely important to maintain backups that are scheduled to be made on a timeframe that will suit to overwrite the infected aftermath of a website. We’ve spoken about backups at length before, but it’s a necessity.

Contrary to popular belief, malware removal is not a Do It Yourself (DIY) project. It has affected the brightest developers and security professionals; it’s time consuming, and can be the cause of many restless nights and days. If you find yourself in this predicament know that there are professionals out there that specialize in this work.

Remember, website infections are like Icebergs, they only display 10% of the problem.

Phishing with help from Compromised WordPress Sites

We get thousands of spam and phishing emails daily. We use good spam filters (along with Gmail) and that greatly reduces the noise in our inbox. Today though, one slipped through the crack and showed up in my personal inbox:

Gmail Phishing

Read More

Simplifying the Language of Website Security

Screen Shot 2014-07-09 at 3.40.59 PM
A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation with his family.

After a long day of conversations with the rest of the tech world, we needed to get a bite to eat and we decided to wait at the bar while the restaurant got our table ready. While there, we started talking to a man sitting next to us. As it turns out, he owns an auto body business in the Philadelphia area. Eventually, our new friend asked us what we were doing in Miami so we told him that we helped to run a firm focused on website security and, from our perspective, that’s when the conversation got really interesting.

“That’s For Big Websites, Right?”

Our new friend knew about the data breaches at the big retailers like Target and then went on to tell us, “But I’m not worried, because I have a really simple website and just ask people to fill out a form so we can contact them later.”

Tony and I were floored when he told us that… but should we have been? When you live every day in the security space, it can be easy to forget that the rest of the world doesn’t live there with you.

We’ll always use this blog to break security news and to educate the community about the latest malware removal techniques we’re pioneering, but the more we learned about our new friend’s business, the more apparent it became that we have an obligation to translate the language of website security so that website owners everywhere understand its importance. In that spirit, here’s our first primer in a once-in-a-while series for the everyday blogger, website enthusiast and small business owner on why security is important for their site.

Read More

Is My Website Hacked? If You Have to Ask, Then, “Yes.”

The problem with phishing, and therefore the reason so many people have trouble with it, is that the code is fairly benign and can be very difficult to spot. This is because it usually looks almost exactly like legitimate code. Oftentimes, a website owner won’t know their site is hacked with a phishing scam until visitors inform them, which is why finding phishing pages can feel like searching for a needle in a haystack.

That’s what makes the following story so instructive.

Many thanks to our own Ben Martin for walking us through the scam (and for cleaning the client’s website).

The Problem

Recently, we cleared malware from a client’s website and our malware removal expert, Ben, found some interesting phishing pages.

Where Was the Injection Located?

It’s in the hacker’s best interest to hide their phishing pages and they’re often able to do so because the code is so benign. They don’t need to run malicious scripts or inject iframes. In this case, the page doesn’t contain any suspicious functions nor calls to Russian domains. It just consists of text input fields like normal code you’d see on any website. The key then is to know what you’re looking for, and to do that you have to think like a hacker.

What Are Phishing Scams Attempting?

This is where it becomes important to remember what a phishing scam is normally attempting to do. In many cases, they’re looking for bank records like credit card or debit card numbers, so we kept it simple and searched for “bank” and look what we found:


See it? The title_netbank.jpg looked suspicious and, interestingly enough, all it took was that one reference in index.htm to the JPG file to lead us to the phishing pages. We didn’t stop there though. We also dug a little deeper and found an .htaccess file in the directory.


What you’re seeing here are IP addresses that are allowed to view the phishing page. In this case, only those with Danish IP addresses are being redirected to view the page. In this way, the hackers are able to to narrow the scope of their attacks to those who are most likely to enter their bank numbers, while not showing a suspicious page to extra people who may alert the bank or our client to the scam.

Here’s what this specific page looked like. It was being used to redirect customers to something that looked like a Nordea Bank AB user page (Nordea Bank is a financial group operating in Northern Europe). Even if you’ve never heard of Nordea, potential customers based in Northern Europe would have heard of the bank and would have been put at risk.


What Did We Learn?

The hack we cleaned here isn’t extravagant. It wasn’t obfuscated behind layers and layers of code. In fact, it was relatively simple, which is instructive. Malicious code can affect your website even when its relatively easy to spot. The lesson as always is, if you have a feeling that your site has been compromised, then it probably has been.

Was the FIFA Website Hacked?

As many know, our company has deep Brazilian roots, as such we have no choice but to enamored with the upcoming World Cup. Yes, the World Cup is coming, soccer news is everywhere and like most things, websites are being used to disseminate the news. The Federation Internationale de Football Association (FIFA) is perhaps one of the largest websites in the world dedicated to Football news (or soccer, for you Americans).

This morning however I awoke to the most startling of news; Twitter was all the rage with the most unexpected, yet expected, FIFA appeared to be hacked.

twitter hacked

Hactivisim Amidst

Is it possible that the FIFA website was hacked? Could it be Hacktivism?

This wouldn’t be the first time of course, big events like this are usually a big target for hackers and this defacement sure is getting a lot of attention from the public. This is what the reported hacked website looks like:

fifa fake defacement

Everything in the site looked the same, except that they added an animation of FIFA’s president, Joseph Sepp Blatter, dancing with a funny song.

At first glance it seems to be legitimate, but taking a closer look you quickly realize it is a fake. FIFA’s official website is and the one that is being reported as hacked, defaced is

If you search for these two websites on Google, you will get the same description, which can certainly lead people to believe that it is a legitimate website for FIFA.


If you take a minute to dig a little deeper though you’ll find it’s really not.

$ host has address

$ host domain name pointer

CH = Abbreviation for Switzerland

Samba-Hack = Name being given to the hack

Registered at:
Registrar URL:

Creation Date: 2013-06-06 09:11:09

Registrant Email:
Admin Name: Andrea Arezina
Registrant City: Zurich
Registrant State/Province: Switzerland

If you look at the real FIFA website you’ll find this information:

$ host has address

Registrar URL:

Registrant Email:
Admin Name: Domain Name Administrator

Registrant City: Zurich
Registrant State/Province: Switzerland

What’s most peculiar however is that they appear to be in the same city. Definitely an awkward moment for sure.

Lesson To Be Learned

Opportunistic attacks can happen at any time, but we can’t allow ourselves to be fooled by what we find online (even if it comes from Twitter… especially if it comes from Twitter). We have to remain diligent when visiting websites we’re unfamiliar with. This caution extends to Google as well as you can see above. Although this specific attack only injected a defacement, the attack could have been much worse, it could have been used to deliver a desktop trojan or any variety of other malware payloads.

Stay safe and don’t be fooled :)

Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time to time.

Here’s where the story begins:

Today, among all the spam that I get in my inbox, one phishing email somehow made its way through all of my block rules.

Spam email in our security team's inbox

Even our security team gets SPAM from time to time.

I decided to look into it a little further. Of course, I wanted to know whether or not we were already blocking the phishing page, but I also wanted to investigate further and see if I could figure out where it came from. Was it from a compromised site or a trojanized computer?

The investigation started with the mail headers (identifying addresses have been changed, mostly to protect my email ☺):


The headers tell us that is being used to send the spam. It’s also an alert that some of the sites in this shared server are likely vulnerable to the form: X-Mailer: PHPMailer [version 1.73]. I decided to look into the server and found that it contained quite a few problems. This server hosts about twenty sites, some of which are outdated–WordPress 2.9.2 is the oldest–while others are disclosing outdated web server versions (Outdated Web Server Apache Found: Apache/2.2.22) and still others are blacklisted ( This makes it pretty difficult to tell where the spam came from, right?

Luckily, there’s another header to help us, Message-ID:. is hosted on and it has an open contact form. I used it to send a test message and although the headers are similar, the PHPMailer differs:


What Do We Know Now?

We know who is sending the phishing messages, but what host are they coming from? There are some clues in the message body:


From that image, we can see that is hosting the image and the link to the phishing scam, but it doesn’t end there. As you can see from the content below, we’ll be served a redirect to, which loads an iframe hosted on

Here is the content:
Phishing email

Problem Solved – Or is It?

In this case, there are three compromised sites being used to deliver the phishing campaign and it’s becoming very common to see this strategy being adopted. The problem from the bad guy’s point of view, is that if they store all of their campaign components on one site, then they lose all of their work when we come in and clean the website. If they split the components up and place them on multiple sites, with different site owners, then it’s unlikely that all of the sites will be cleaned at one time, which means their scam can continue.

As always with malware, it’s not enough for your site to be clean. You also need to rely on everyone else to keep their own site clean. When others don’t, your computer or website can be put at risk.

If you’re interested in technical notes regarding the type of research we do be sure to follow us on Twitter and be sure to check in with our Lab Notes. If you something interesting you’d like us analyze please don’t hesitate to ping us, we’re always looking for a new challenge.