It all started with a screenshot from a friend
My friend sent me a screenshot of her Google search result for an institution in Jamaica. The first result was the website she had searched for, and below the website’s name it read “This site may be hacked”. She sent me the picture of her search result on WhatsApp, and here’s the brief dialogue:
- Her: Is that important?
- Me: Yes it means what it says
- Her: So if I use my card on the site, it will be compromised?
- Me: No but it means you can’t trust it right now. You can call them and report the issue but I would not recommend you use your card on their site.
**end of conversation**
TL;DR – Based on public evidence from Google and other internet sources, the institution’s website may have been compromised since May 2017, almost 10 months ago, and it hasn’t been corrected since. This article is about my findings from a passive investigation into Google’s notice.
I was curious, so I decided to ask the internet for more clues as to whether this might be true. In cybersecurity, the initial investigation of a suspicious incident or breach is often called Security Incident Response, and the person assigned to investigate is referred to as the Incident Responder, among other fancy terms.
Red flags, red flags!
I googled for a few websites that claim they can check the reputation of web domains against several security databases. I came across sitecheck.sucuri.net, run by a company called Sucuri. Sucuri is popular for its website security services, especially for WordPress. I’m familiar with their services, so I used them. I entered the institution’s domain and, unsurprisingly, it said the domain (***.org) has been blacklisted: basically, marked as malicious, bad or unsafe to visit.
When I selected the Blacklist tab, it showed the match was from ESET. ESET is an IT security company that offers anti-virus and firewall products such as ESET NOD32.
I was still a little sceptical
Okay, ESET has blacklisted the institution’s domain as malicious but I still wanted another opinion, just in case Sucuri was flagging the domain to push sales of their website security services.
I used another popular website reputation checker at urlvoid.com, which also flagged the institution’s domain and named scumware.org as its source for the flag. Scumware.org aggregates a database of reportedly malicious domains and files.
The scumware.org result reports that a .PHP file located at ***.org/faq/profile.php matches the signature of a known Trojan, based on the MD5 hash of the file.
How do these free websites know malicious files?
Behind the scenes, most of these website reputation checkers identify malicious files without “hacking” anything: they fetch the files a website already serves to any ordinary visitor and compare them (or their hashes) against databases of known malicious files reported across the internet. They do not attempt to attack the site or scan for private vulnerabilities, as far as they claim.
In this investigation, the malicious file was a .PHP file. PHP files are executed server-side (on the web server hosting the website) when requested, rather than in your browser (client-side), so you would not normally see their source in your browser, often just a blank page or whatever output the script produces. By contrast, files such as text (.txt), HTML (.html) and CSS (.css) are sent as-is and displayed in your browser.
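As an added illustration of the passive hash-lookup approach described above (this is example code written for this article, not the scanner used by Sucuri, URLVoid or scumware.org): the scanner fetches each public URL the way a visitor would, hashes the bytes the server returned, and looks the digests up in a feed of known-bad hashes. All URLs, response bodies and the “known bad” entries below are constructed placeholders; no real malware or indicator appears here.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed responses standing in for what a reputation scanner receives when it
# simply GETs a site's public URLs. None of these bodies is real malware; the "bad"
# one is a labelled placeholder string, not a real trojan.
PLACEHOLDER_BAD_BODY = b"<?php /* constructed placeholder standing in for a trojan */ ?>\n"
SAMPLE_SITE: Dict[str, bytes] = {
    "https://example.org/": b"<html><body>Welcome</body></html>\n",
    "https://example.org/style.css": b"body { font-family: sans-serif; }\n",
    "https://example.org/faq/profile.php": PLACEHOLDER_BAD_BODY,
}


def hashes(data: bytes) -> Dict[str, str]:
    """MD5 (what the scumware.org hit in the article was keyed on) plus SHA-256,
    which a modern feed should prefer since MD5 collisions are practical."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed "known malicious" feed keyed by hex digest -> detection label.
# A real feed would come from a source such as scumware.org or an AV vendor;
# this one is derived from the placeholder above so that no real IoC is embedded.
KNOWN_BAD: Dict[str, str] = {
    hashes(PLACEHOLDER_BAD_BODY)["md5"]: "Trojan.Placeholder (md5)",
    hashes(PLACEHOLDER_BAD_BODY)["sha256"]: "Trojan.Placeholder (sha256)",
}


def fetch_offline(url: str) -> bytes:
    """Offline stand-in fetcher. For a site you administer you could swap in a real
    HTTP GET; the point is that only publicly served bytes are ever examined."""
    return SAMPLE_SITE[url]


def passive_scan(
    urls: Iterable[str],
    fetch: Callable[[str], bytes] = fetch_offline,
    feed: Dict[str, str] = KNOWN_BAD,
) -> List[Tuple[str, str, str]]:
    """Hash each fetched body and look the digests up in the feed.

    Note that for a .php URL the bytes hashed are the server's *output*, not the
    PHP source, which is why such a match depends on what the server actually serves.
    Returns (url, algorithm, label) for every hit.
    """
    hits: List[Tuple[str, str, str]] = []
    for url in urls:
        body = fetch(url)
        for algo, digest in hashes(body).items():
            if digest in feed:
                hits.append((url, algo, feed[digest]))
    return hits


if __name__ == "__main__":
    for url, algo, label in passive_scan(SAMPLE_SITE):
        print(f"FLAGGED {url} [{algo}] -> {label}")
```

Because the feed is keyed by digest, checking a site is a dictionary lookup per URL; the expensive part in practice is maintaining the feed, which is exactly what services like scumware.org and the AV vendors do.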
Be careful everywhere online
My recommendation to her goes for you too: “No, but it means you can’t trust it right now … I would not recommend you use your card on their site”. That applies to any site carrying that flagged note (…may be hacked) until the note no longer appears. Removing the note from Google’s search results requires an administrator of the domain/website to do a couple of things.
Disclaimer: Be aware that some of these scans can produce false positives, and what I’ve illustrated here is just the tip of the work that could be done to confirm whether a domain was compromised.
Four (4) tips to take from my friend:
- She was attentive when browsing
- She did not ignore her suspicion when she saw the abnormality below the domain.
- She contacted someone for advice who was more technical than her
- She thought about the consequences of still using her credit card.
How web admins could remove that bad note from Google’s search results
Well, according to Google, the webmaster (the website’s tech person) should:
- Register and verify the site in Google’s Search Console.
- Sign into Search Console and check which URLs were flagged.
- Fix the issue on the website that triggered the detection by Google. Ultimately, clean up your potentially hacked website.
- Read Google’s web page about “resources for hacked sites”
- From inside Google’s Search Console, request a review of the website by Google after you’ve cleaned/fixed what triggered the alert of being hacked.
Some reasons why Google and other malware scanners may flag your site as being hacked
The main reason that comes to mind is that a file on your website matches a malicious file reported online, which could happen if:
- An attacker compromised the site and uploaded a malicious file that has since been detected elsewhere on the web.
- An administrator mistakenly uploaded a known malicious file from the back-end into an indexed location on the website, e.g. a nulled (pirated) website theme, a software key generator (keygen), an unverified script, or a known trojan.
- A user unknowingly pasted a malicious link through the front-end of the website, or uploaded a shady file that is shown in the website’s user interface, and a search engine such as Google then indexed that location.
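All three causes above end the same way: a file appears in (or changes within) the web root that was not there at deployment. A baseline file-integrity manifest is the simplest way for an administrator to catch that before a search engine does. The following is an added example written for this article (not code from Google, Sucuri or the affected institution): it hashes every file under a document root, stores the result as a baseline, and later reports files that were added, modified or removed. The demo web root, its file names and contents are constructed here in a temporary directory; `faq/profile.php` is used only because the article mentions that path.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between a trusted baseline and the current tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def make_demo_webroot() -> Path:
    """Constructed stand-in for a site's document root (hypothetical files, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "faq").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "faq" / "index.php").write_text("<?php include 'faq.inc'; ?>\n")
    (root / "style.css").write_text("body { margin: 0 }\n")
    return root


def demo() -> Dict[str, List[str]]:
    root = make_demo_webroot()
    baseline = build_manifest(root)  # taken at deploy time and kept off the web server

    # Simulate the kinds of change the article lists: an unexpected new file in an
    # indexed location and an edit to an existing page. Contents are placeholders.
    (root / "faq" / "profile.php").write_text("<?php /* constructed placeholder */ ?>\n")
    (root / "index.php").write_text("<?php echo 'hello'; /* unexpected edit */ ?>\n")

    return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the baseline step at deploy time and the comparison on a schedule (or after every content update); anything in `added` or `modified` that no deployment explains is worth looking at before the reputation checkers get to it. Keep the baseline somewhere an attacker who can write to the web root cannot also edit.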
A career awaits in Digital Forensics and Incident Response (DFIR)
If Incident Response and Computer Forensics is something you may be interested in, then check out these certifications and start expanding your skills.
- GIAC Certified Incident Handler | GCIH Certification – https://www.giac.org/certification/certified-incident-handler-gcih
- EC-Council Certified Incident Handler (ECIH) | EC-Council – https://www.eccouncil.org/programs/ec-council-certified-incident-handler-ecih/
- CERT-Certified Computer Security Incident Handler | CSIAC – https://www.csiac.org/certification/cert-certified-computer-security-incident-handler/
- CREST Certified Incident Manager – CREST – Ethical Security Testers – https://www.crest-approved.org/examination/certified-incident-manager
- CIHE | Mile2® – Cyber Security Certifications – https://mile2.com/penetration-testing…/certified-incident-handling-engineer
- CERT-Certified Computer Security Incident Handler – https://www.sei.cmu.edu/education-outreach/credentials/credential.cfm?customel_datapageid_14047=15102
- Sucuri Site Check scanner – https://sitecheck.sucuri.net/
- Info on Sucuri’s partnership with ESET – http://labs.sucuri.net/?eset
- URLVoid – additional malware checker – http://www.urlvoid.com/
- Scumware – the website displaying the detected file flagged as malicious – https://www.scumware.org/search.scumware
- Google Search Help for “This site may be hacked” – https://support.google.com/websearch/answer/190597?hl=en
Note: Google’s flag was reported to the affected business by an employee to whom I sent this article.