
A text message was sent to my phone stating that my Bank of America account had been suspended due to suspicious activity. It then provided a link to reactivate it. Obvious phishing scam. The URL they provided was through tinyurl.com. I was curious so I went to the site.

I was surprised to find that the domain of the actual URL pointed to what seems to be a legitimate business @ http://griffinconstruction.com.au. If desired, I can provide the path to the malicious page as well. I thought it probably best to not include it here.

Doing a little research I discovered this is a WordPress site. And doing a little more research I discovered that many WordPress sites have been hacked before. On the main website page there is a Contact Us link. I have attempted to contact the owner. But I would think attempting to contact the owner of a hacked website through the website itself would be an exercise in futility.

I have reported it to Google but that seems a bit like reporting a burglary to the NSA. I don't expect much if anything to come from it. I have also contacted Bank of America to inform them.

Is there anything else I should do?

Update

A little more than 24 hours later and I just received a 2nd text message. The phone number is slightly different. But it's the same country code and area code as the first message. The message itself is the same except now they're using bit.do to shorten the URL. After reading the comments I decided to check this one using an online link expander.

The bit.do URL expanded to http://deichelmauspics.de/

Yet another hacked WordPress site. The path of the URL leading to the phishing page is exactly the same as before.

Update #2

http://griffinconstruction.com.au now shows:

This Account has been suspended. Contact your hosting provider for more information.

I guess that explains the 2nd message :)

Thank you to everyone who contributed their thoughts on this

I suppose there is no real way to know exactly what caused the website to be taken offline. But at the end of the day, the important thing is that it is in fact offline. And in my opinion, that would not have happened without the contributions from the people of Information Security Stack Exchange. That's pretty awesome.

Update #3

So it's been 8 months. I was looking at another WordPress site today and it made me wonder what had become of the site mentioned in this question. So I went to their website and... nothing has changed. There is still a fake Bank of America page buried deep down within folders that shouldn't be publicly accessible but are. And that's just stupid and careless. I doubt that most people would fall for the Bank of America scam as it was presented in this case. But still, someone might. See for yourself.

MALICIOUS LINK (no longer works): http://griffinconstruction.com.au/wp-includes/SimplePie/XML/Declaration/1

mbomb007
I0_ol
  • Just report the issue to tinyurl and/or send one to phishtank. – mootmoot Aug 31 '17 at 12:46
  • *"I was curious so I went to the site."* Next time you are curious about a link in a scam email, try using an online "link expander" instead of clicking the link. Curiosity is good, but more caution is necessary when you know the destination is a scam. Several websites also offer to screenshot web pages for you, and you can use these to view a suspicious page without visiting it directly. – Tom Brossman Sep 01 '17 at 06:37
  • @TomBrossman TinyURL provides a preview.tinyurl.com service, and by setting a cookie you can make tinyurl.com pages redirect to their preview page instead. – wizzwizz4 Sep 01 '17 at 08:47
  • This is exactly why, in the rare circumstances we had to host a WordPress site, we always kept them all on their own servers in separate security zones. WordPress itself isn't even always the problem anymore. The security of the modules in WordPress' app store is an increasing problem, IMO. Some individual WordPress modules have been popular enough with large enough security holes to join the list of applications that have botnets automatically scanning the internet for them. – Conor Mancone Sep 01 '17 at 18:39
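
The comments above recommend expanding a shortened link instead of clicking it. As an added example (not code from this thread, nor from TinyURL, bit.do or any link-expander service), here is a small Python link expander that resolves each redirect by hand with HEAD requests, so the final page body is never downloaded, caps the number of hops and refuses redirect loops. The `.example` hostnames and the `FAKE_CHAIN` table are constructed so the logic runs offline; `live_fetch` is the piece you would use against a real shortened URL.

```python
"""Minimal link expander: resolve a shortened URL hop by hop without
rendering the destination. Added example, not from the original thread."""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One HEAD request; returns (status, Location header or None).
    Only headers are read, so the suspicious page itself is never loaded."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD",
        headers={"User-Agent": "link-expander-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx (and 4xx/5xx) land here because _NoRedirect declined to follow
        return err.code, err.headers.get("Location")


def expand(url, fetch=live_fetch, max_hops=MAX_HOPS):
    """Return the list of URLs visited, short link first, final target last.
    Raises RuntimeError on a redirect loop or when max_hops is exceeded."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the current hop
        nxt = urljoin(chain[-1], location)
        if nxt in seen:
            raise RuntimeError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError("gave up after %d redirects" % max_hops)


def final_host(chain):
    """Hostname of the last hop: compare it against the brand the message
    claims to come from (a bank's text should not land on a random blog)."""
    return urlsplit(chain[-1]).hostname


# Constructed offline stand-in for a shortener pointing at a compromised
# site. Reserved .example names, not the real domains from the thread.
FAKE_CHAIN = {
    "https://short.example/abc123": (301, "http://hacked-blog.example/"),
    "http://hacked-blog.example/": (302, "/wp-includes/deep/path/1"),  # relative
    "http://hacked-blog.example/wp-includes/deep/path/1": (200, None),
}


def fake_fetch(url):
    """Offline replacement for live_fetch driven by FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hops = expand(sys.argv[1])            # real HEAD requests
    else:
        hops = expand("https://short.example/abc123", fetch=fake_fetch)
    for i, hop in enumerate(hops):
        print("%d: %s" % (i, hop))
    print("final host:", final_host(hops))
```

Run it with a shortened URL as the only argument to see every hop and the host of the final landing page; with no argument it walks the constructed chain. Because only HEAD requests are sent and redirects are followed one at a time, a shortener that bounces through several intermediaries is still fully visible, and a shortener whose preview page is itself a redirect loop is reported rather than followed forever.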

3 Answers


I would contact the business in question. They are the ones who are most directly affected and can also shut it down quickest. Of course, the phishers will probably just move on to another server to host their requests, but if the site owners act quickly, it will at least immediately invalidate any past phishing messages that have gone out, potentially saving a lot of people a lot of trouble.

Contacting them through the website is not as bad of an idea as it seems. Such hacks inevitably like to keep a low profile (which is to say that the website itself usually continues to work), because if they break anything the infection is more likely to be found and fixed, ending their phishing campaign. Having previously helped people pick up the pieces after a WordPress site gets hacked, I've seen that oftentimes the "infection" can go on unnoticed for quite a while before someone finally notices. Usually it is unintended side-effects that finally ring the alarm bells: I saw one site on a VPS where every email sent out by the spammers resulted in a small log file stored on the server's disk. The logs weren't being monitored, but after a few million emails got sent out the server ran out of inodes and crashed.

All that to say that if you submit a contact through the contact form there is a very good chance that it will actually go to the owners. There is such a wide variety of ways to manage contact forms on WordPress sites that there isn't an easy way for hackers to just turn them off or intercept them after breaking in. I doubt they bother trying. That being said, you can always try to find some public contact information for the company and contact them directly: you might not call them (unless you are in Australia), but you can probably find an email.

Conor Mancone
  • There's an interesting side effect here. With the number of "fix your computer" phone and email scams, users are being trained to be wary of anyone contacting them cold about computer trouble. Even if that contact form or phone call reaches the owners, would they listen to the concern or think it's a scam/ransom attempt? – Freiheit Sep 01 '17 at 15:09
  • lol! That's a hilarious (and not wrong) point. Unfortunately the reality of the situation is that it can be hard to get people to act quickly about these things anyway. "The website is working so everything is fine" is a very normal approach, even if an outsider suggests there might be a problem. 90% of the time the website is being managed by a design/marketing vendor anyway. The business usually has no direct control, and the marketing company has little technical expertise. Unfortunately there aren't a great number of options. – Conor Mancone Sep 01 '17 at 17:02
  • Well, 24 hours later and the site is now offline. Apparently somebody took notice. :) – I0_ol Sep 01 '17 at 17:12
  • That's awesome! It obviously wasn't the actual owners of the website though. It looks like it was blocked by the hosting company: maybe they noticed anomalous traffic flowing through their network? I'm mildly impressed by how quickly the scammers managed to respond to the original website being taken offline (although who knows if that one is even the original). It's all just a gigantic game of cat vs mouse, except in this case everyone loses. lol! – Conor Mancone Sep 01 '17 at 18:34
  • Yeah, I'm curious to see what happens with this newest site. Maybe they'll send me a 3rd text message hahaha. :) – I0_ol Sep 01 '17 at 21:45

Multiple carriers in the USA allow you to forward the text message to 7726 (SPAM).

schroeder
John Deters
  • This is also the number in the UK and is supported by all carriers, as it's [designated by OFCOM](https://www.ofcom.org.uk/phones-telecoms-and-internet/advice-for-consumers/problems/tackling-nuisance-calls-and-messages/spam-texts), the communications regulator in the UK – Sep 01 '17 at 10:04

> I would think attempting to contact the owner of a hacked website through the website itself would be an exercise in futility.

Think about the possible outcomes:

  1. the message is not read by either the attacker or the site operator - in this scenario, there is no net benefit to anyone

  2. the message is intercepted by the attacker - the attacker now knows the address from which you sent your message (i.e. you might consider doing this from a low-value account, e.g. hotmail, gmail etc. if it's not an anonymous web form). But no benefit to other potential victims nor the site operator

  3. the message is sent to the site operator - they are likely to take action. Whether that action will be effective or not...? But there is a good chance that, at least temporarily, fewer victims will access the phishing site

  4. the message goes to both the site operator and the attacker. The phishing site is now essentially burnt - while you could argue that this allows the attacker to cover his tracks before moving the site elsewhere, it's more likely that the attacker has already done everything they can to hide their connection to the phishing site, hence the outcome is the same as 3

On balance, I think there's a net benefit to sending the notification.

> I have reported it to Google but that seems a bit like reporting a burglary to the NSA.

Not really - IME they do seem to take some action on these. Although they also monitor sites like phishtank - reporting it there too would be a good idea.

symcbean
  • Does point 2 necessarily matter much? I'd expect that the attacker wouldn't be using the site owner's contact email to continue the phishing attempt (too easy to lose access to and just plain more work than a burner email). Even if they were intercepting it, I can't see them viewing it the same way as a "sucker who replies to spam" (the typical reason that replying to spam would be detrimental). – Kat Sep 05 '17 at 20:02