24

We got an official email saying that our website had been hacked. They cited the URL to use to see the new suspicious file that had been dropped in our web root folder (s.htm). Just some text about a "Morrocan Made hacker - I'm Back" in the HTML file. Nothing else seemed damaged although we are investigating.

The link included in the email was exactly hXXp://example.com[.]au/s.htm in plain text, which is also a bit weird, although helped us find the file.

The date stamp on the file is only 7 hours and 3 minutes different to the Sent date on the email. 7 hours could easily be a timezone deviation.

My question is: How did the government agency (CERT) know that our website was hacked? It's an Australian hosted website, for a legitimate business - and the government agency is legitimate.

Anders
Grantly
    Are you quite sure this was really from the government? It smells a little phishy to me. – JimmyJames Jan 20 '17 at 20:09
  • 2
    The email didn't come to me, so I couldn't examine the headers...But it certainly 'appeared' genuine. With the appropriate Sender email and wording etc.... I mean this is the Attorney General's office, so if it's a scam, I think they would send the feds pretty damn quick :) – Grantly Jan 20 '17 at 21:05
  • 1
    But I agree JimmyJames ...The whole thing seems fishy. Except that the email was accurate...Why entice us to contact a govt body devoted to online security? Very strange.... – Grantly Jan 20 '17 at 21:06
  • 1
    I decided to post an answer instead of giving a lengthy response in comments. – JimmyJames Jan 20 '17 at 21:18
  • If anyone thinks I should add the body of the email into the Question, please let me know – Grantly Jan 20 '17 at 21:42
  • 18
    Sounds like it would be worth a call to the Attorney General's office (getting their number from a source *other* than the e-mail) and confirming it. – jpmc26 Jan 20 '17 at 21:53
  • 19
    This *so much* sounds like a phishing attack. – Bob Jarvis - Слава Україні Jan 20 '17 at 22:42
  • 12
    The body of the email isn't nearly as important as the _headers_. – Michael Hampton Jan 21 '17 at 04:27
  • 3
    Was the email digitally signed by the sender (which claims to be CERT AU?) [The CERT AU page](https://www.cert.gov.au/faq) mentions that they write to site owners but the wording is a bit disappointing. No word about digital signatures and, worse, a statement that the mail has contact information to confirm the legitimacy of the sender....... I will drop them a note from Brad Pitt with his mobile number in the footer so that they can make sure that this is the right Brad. – WoJ Jan 21 '17 at 17:59
  • @Grantly If anything, post the header instead. – Num Lock Jan 23 '17 at 08:10
  • 1
    Please do read my answer. The file on your server should be a clear indication that an attack has succeeded. The letter may be suspicious, but the server has been breached regardless of the email. – STW Jan 23 '17 at 14:55

7 Answers

58

It's extremely easy to fake email. If someone did fake this, I don't see how the agency would know about it. The concern is that the link they sent you was the attack itself. For example, this could be a CSRF attack:

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

One suggestion is to contact the office and find out if this is something they do. Just because the language seems right and says it's from the right sender means nothing. That's a common approach used in phishing emails.

JimmyJames
  • Thanks - a good suggestion, we will reply to CERT to ask. Unlikely to be a malicious email as it was opened by the 'owner' who does not have any credentials to edit the website whatsoever (This is deliberate, for security)...Myself and one other do. He forwarded the email to me. (And is on holiday, so I don't want to bust his balls yet lol) – Grantly Jan 20 '17 at 21:39
  • @Grantly It's possible. If they googled the string, and it brought up your site, that can happen. Weird that they would inform you that you've been hacked, though... unless your website is part of a government site? – Mark Buffalo Jan 20 '17 at 21:45
  • Thanks Mark Buffalo, no - totally unconnected to govt. Although we sell data - and take care to adhere to govt privacy laws... So perhaps that means we are monitored more closely...? First I've heard of it. And we don't keep data on the web server.... – Grantly Jan 20 '17 at 21:49
  • So, he forwarded it to you and then did you click on the link? It's somewhat unlikely that an attacker in such a situation knows exactly who has access and who doesn't. It's just like in fishing we don't know whether we will get a bite on a given cast. We keep trying and hope we get lucky. If the recipient doesn't have rights, it's somewhat predictable that it might get forwarded to someone who does. – JimmyJames Jan 20 '17 at 22:21
  • 1
    Hi JimmyJames, No I didn't click the link, as the email body was all text only, although the header had an image... The owners email probably strips some html, but chooses to keep some images upon forwarding the email (And he is in the bush so is using Webmail of some sort)...I can't be sure until I see the original. But no - it was not I that clicked lol :) But it could have been the owner - as you suggest – Grantly Jan 20 '17 at 22:27
  • 2
    I don't really understand why folks assume this is a phishing email. CERTs send out these sorts of emails. Phishers wouldn't use plaintext for the link, nor would it be genuine, nor would you have actually found a hacked entry in your file stated if it was just a random phish. I know avoiding phishing is important but... logically there's nothing for a phisher to gain from this email given what we know. Worry about the fact that your web server is clearly compromised, and contact CERT directly via their channels. – Rushyo Jan 23 '17 at 02:34
  • 1
    @Rushyo It's not an assumption that it is a phishing email. The problem is assuming it's not just because it looks OK. "nor would it be genuine": How do you know the email is genuine? "found a hacked entry in your file stated if it was just a random phish" Who said anything about 'random'? The person who put the file there could be the sender of the email. Clicking the link in the email might actually place the file there. See [spear-phishing](https://usa.kaspersky.com/internet-security-center/definitions/spear-phishing#.WIYYSlUrKUk) – JimmyJames Jan 23 '17 at 14:51
  • 1
    @Rushyo The point here is that this may very well be genuine but it's dangerous to start from the assumption that it is. The point of phishing and other types of social engineering is to trick you. It's important to verify first and then act. – JimmyJames Jan 23 '17 at 15:03
  • 1
    Just a note DONT REPLY, get the proper email from the internet – FreeSoftwareServers Jan 23 '17 at 18:23
  • These statements about emails apply to ALL emails. They are not unique to this case. Good anti-phishing behaviour applies to all solicitations; it doesn't mean every question about an email needs a lecture on Phishing 101. This is a plain text email asking somebody to independently verify something - it is not an obvious phishing candidate. any more than any other email supposedly from a trusted entity. This is a question about CERT, not about 'how do I decide whether to trust emails?'. Not a nail; doesn't need a hammer. – Rushyo Jan 24 '17 at 04:05
  • 1
    @Rushyo Part of the question was "how did they know" and one possible answer is that the sender of the email put it there. – JimmyJames Jan 24 '17 at 16:12
  • @Rushyo Maybe the sender of the email put the file there and is now trying to leverage a simple website exploit into a deeper attack on the company. Maybe it is a common drive-by attack to place this file, and the phisher scans for it? Many phishing emails attempt to invoke a sense of fear and urgency to circumvent better judgement... and leveraging knowledge of a real attack would certainly have that effect. – trognanders Jul 17 '17 at 22:38
31

A CERT's (Computer Emergency Response Team) task is precisely to watch over the security problems of the assets within their constituency.

In the case of national CERTs like CERT-AU, they often care about everything hosted in their country, and if they are made aware of any issue, their task is to contact the affected owner so that they can fix the issue (as they did in this case). They could also have provided you some advice in case you had needed it to find the issue.

These services are free for the people (they are a governmental agency), and they won't ask you for any kind of payment for having notified you.

A full list of CERT-AU services is available at https://cert.gov.au/services


Providing the URL as hXXp://domain.com[.]au/s.htm is a quite common way of sharing malicious URLs. The goal is that you receive the URL (which you will need in order to find out where the malicious content is) but at the same time minimise the risk that you could inadvertently open it in the wrong environment or before reading the email in full (additionally, it also helps avoid email filters that delete emails containing malicious URLs¹).


There are many sources from which they may have learned about this incident:

  • An individual notified them
  • Another CERT or security company notified them
  • It appeared on some list of compromised sites they subscribed to
  • It appeared on some defacement forum they were watching (like zone-h)
  • They found it while performing some other investigation


Amongst the benefits of sending the notifications through the CERT are:

  • When there are multiple compromised sites, it's much easier to notify a single entity per country than each website operator¹
  • The CERT will often have some procedure for retrying in case it was ignored by the admin. A third party would probably just attempt it once.
  • The CERT may have better contacts to send the notification to.
  • As a neutral party, the CERT is more likely to be paid attention to²
  • No language barrier: the CERT should be able to contact the website owner in their mother tongue.
  • The CERT will have technical people able to easily understand the issue, and able to explain it, if needed, to the website owner (who may have zero technical knowledge themselves).


A list of worldwide CERTs (both public and private) is available at First: https://first.org/members/teams

A database of European CERTs and security teams is also available at Trusted Introducer.


¹ For instance, Google finds loads of malicious URLs every day through its crawling; instead of attempting to report them directly to the owner, it shares them with the relevant national CERT so that it can take care of the notification.

² Just imagine this question being «a random guy from a hotmail address sent our admin…»

Ángel
  • 3
    Actually, Google in particular does notify the site owners directly, via the Google webmaster tools and by contacting some generic addresses for the domain. In general though, your statement does hold. – JackW Jan 21 '17 at 18:12
  • @JackW, I am aware of Google Webmaster Tools, but that is opt-in. The webmaster must have signed up to it. I didn't know that they also proactively used generic domain addresses, though. – Ángel Jan 22 '17 at 03:11
11

Unless they told you in the letter, there is no way of knowing how they were informed of the hack. The chances are that someone reported a problem, attack, or probe of some kind to CERT, and they were then able to trace the origin of the attack back to your server's IP address.

I recommend you at least continue your investigation; but consider engaging a security firm. There's a lot to do at this stage of an attack besides understand what happened. You may need to preserve evidence, you'll need to recover your systems, you may need to provide breach notifications, you may need your clientele to change their passwords; all kinds of activity can stem from a breach, and a professional will help guide you through it all.

John Deters
5

Without seeing the email headers, there is no way for us to be sure, but it sounds more likely that the email notice was the phish, as Jimmy James above says. Much easier for the attacker who placed the file there, to know about it, and "report" it to you "officially" to get you to click on it. CSRF sounds like the most likely attempt going on. The attacker has no way to know the person they sent it to didn't have credentials on the site, but as you pointed out, they helpfully forwarded the email to you, who does. Not saying it was successful, but the answer to "How did they know" seems most likely to be "They didn't, and the notification was faked."

JesseM
  • 1
    Yeah thanks. I have asked the owner to reply and call CERT to find out. I can probably get hold of the email headers soon, just not today...(He is in the NZ jungle now lol) – Grantly Jan 20 '17 at 22:05
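Several answers and comments on this page say the headers, not the body, decide whether the notification is genuine. The following is an added example, not code from any answer here, of the checks a responder would run once the original message (not the inline forward, which loses the original headers) is obtained: do the envelope sender (Return-Path) and the From domain align, what did the receiving MTA record in Authentication-Results, which hosts appear in the Received chain, and what is the Date in UTC so it can be compared with the file's timestamp. The sample message, its domains and its addresses are constructed placeholders; the Authentication-Results header is only meaningful if your own MTA added it.

```python
import re
from datetime import timezone
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Domains, addresses and hosts are placeholders,
# not any real CERT's infrastructure.
SAMPLE = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx-out.example.net (mx-out.example.net [198.51.100.7]) by mx1.example.org with ESMTPS; Fri, 20 Jan 2017 18:03:10 +1100
Authentication-Results: mx1.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none
From: "CERT Notifications" <notify@cert.example.gov.au>
To: owner@example.com.au
Subject: Compromised content on your website
Date: Fri, 20 Jan 2017 18:03:00 +1100

Please review hXXp://example.com[.]au/s.htm
"""


def address_domain(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results (added by *your* MTA)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = verdict.lower()
    return results


def received_hops(msg) -> list:
    """Hosts named in 'Received: from ...' headers, outermost (latest) first."""
    hops = []
    for header in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(header))
        hops.append(m.group(1) if m else "?")
    return hops


def date_utc(msg):
    """Date header converted to UTC, for comparison with file mtimes."""
    return parsedate_to_datetime(str(msg["Date"])).astimezone(timezone.utc)


def triage(raw: bytes) -> dict:
    """Collect the facts a responder checks before trusting a notification."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = address_domain(msg["From"])
    rp_dom = address_domain(msg["Return-Path"])
    auth = auth_results(msg)
    warnings = []
    # Envelope sender should be the From domain or a subdomain of it.
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        warnings.append(f"envelope sender {rp_dom} does not align with From {from_dom}")
    if auth.get("dkim") != "pass":
        warnings.append("no passing DKIM signature recorded")
    if auth.get("dmarc") != "pass":
        warnings.append("no DMARC pass recorded by the receiving MTA")
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "auth": auth,
        "hops": received_hops(msg),
        "date_utc": date_utc(msg),
        "warnings": warnings,
    }
```

None of these warnings proves a phish (bulk mailers legitimately use a different envelope domain), and a clean result does not prove legitimacy either; they tell you which independent confirmation to seek, which is still a phone call to a number looked up outside the email.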
3

This would be a good way to phish someone when you could hack into their site "a little".

Just write a benign file to their server then contact them and get a conversation going with their government "Tech". At that point if you were not suspicious, they could probably ask you to do anything and you'd just do it.

I realize you didn't say they asked you to contact them or anything, so maybe not, but I always like to err on the side of paranoia.

Bill K
3

What does this website do? Does it host accounts, or accept credit cards?

The file should be taken as a clear sign that you have indeed been compromised. You don't know the extent or the vector of attack, but the file may well be a "flag" which a bot looks for to determine that the server is still compromised.

So be sure to keep backups and preserve date/time stamps, webserver logs, and the backups themselves. Go back to your earliest backup and see if the file is there, also compare the site contents with expected contents.

Also search your logs for requests to the s.htm file. You might find a bot network occasionally checking in to see that the lights are on. There's the odd chance that you can use the IP information you find there to search for other traffic--which may uncover the footsteps of the attack.

In the meantime do contact the sender of the email--be sure to look up their contact info from an official source and not the email itself. I've received similar notifications from hosting providers, they may well be scanning for the file as well if it's known to indicate a compromised machine.

STW
  • No we host a handful of accounts, not high traffic at all. No credit cards, etc. Great advice STW...Following up now. Thanks – Grantly Jan 23 '17 at 23:02
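The log search the answer above recommends (requests for s.htm, the IPs making them, then everything else those IPs did) is mechanical enough to script, and scripting it matters because the "footsteps" are usually a handful of lines buried among thousands. The following is an added example, not code from the answer or from any tool named on the page. It parses Apache/nginx combined-format lines; the log lines are constructed for illustration (documentation-range IPs, and a direct PUT as the hypothetical way the file was written), not taken from the asker's server.

```python
import re
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log. 203.0.113.7 probes, writes and verifies the marker;
# 198.51.100.23 later polls it; 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2017:10:49:58 +1100] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2017:10:50:12 +1100] "GET /s.htm HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2017:10:50:31 +1100] "PUT /s.htm HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2017:10:50:35 +1100] "GET /s.htm HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Jan/2017:11:10:15 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jan/2017:14:30:00 +1100] "GET /s.htm HTTP/1.1" 200 88 "-" "python-requests/2.12.4"
192.0.2.44 - - [20/Jan/2017:17:22:40 +1100] "GET /about.htm HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jan/2017:20:30:00 +1100] "GET /s.htm HTTP/1.1" 200 88 "-" "python-requests/2.12.4"
"""


def parse_line(line: str):
    """One combined-format line -> dict with a timezone-aware 'time', or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text: str, marker: str = "/s.htm") -> dict:
    """Pivot from requests for the marker file to everything its requesters did."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["time"])           # rotated logs may be out of order
    hits = [r for r in records if r["path"] == marker]
    suspects = {r["ip"] for r in hits}
    writes = [r for r in hits if r["method"] in ("PUT", "POST")]
    first_ok = next((r for r in hits if r["status"] == 200), None)
    related = [r for r in records if r["ip"] in suspects]   # the "footsteps"
    return {
        "suspect_ips": suspects,
        "checkins": {ip: sum(1 for r in hits if r["ip"] == ip) for ip in suspects},
        "first_write": writes[0]["time"] if writes else None,
        "first_200": first_ok["time"] if first_ok else None,
        "other_paths": sorted({r["path"] for r in related if r["path"] != marker}),
        "related": related,
    }
```

Run it over every rotated copy of the access log, not just the current one: the first successful 200 for the marker bounds when the file appeared, which is the value to set beside the file's mtime and the email's Date. A recurring GET from the same address at regular intervals is the "lights on" check the answer describes; a PUT or POST, or a request from the same address to a script you do not recognise, is where the actual intrusion happened.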
2

I really think it's a phishing attack.

However, it's also possible for CERT agencies to get a list of hacked sites through deface mirrors, such as Zone-H. But I don't see why they'd do it.