Archive for the ‘Internet Security’ Category

Beware the Adobe Echosign Phishing Scam

I just received the following email with the title “Review the document”:

From: [email protected]


You have received a document via Adobe Echosign.

Sign in with your googlemail to review the document.

Sign In Here.

Thank you.

Clicking “Sign In Here” takes you to a page on that I think is pretending to be a Google login page, even though it actually looks nothing like one:

[Screenshot: Echosign scam]


When you enter your details you are then redirected to – the real, official page. However, you are not logged in to Google or Echosign (I tested with fake details).

Obviously if you enter your Google email address and password all you are doing is giving them access to your account. They are then free to steal your data, spam your friends, hack your websites and generally be complete bastards.


O2 Customers, be Careful – New Scam / Virus email

Just had an email pretending to be from O2 informing me of a large monthly bill. The email:


Your O2 bill for 11/06/14 is now ready. You can look at your bill here.

In total, your bill for this month comes to £356,87. We’ll request this amount from your chosen account on, or just after, the date in your bill.

Is your bill more than you were expecting ?
If so, here’s a few reasons why this might be:

You could have gone over the minutes, texts or data that’s in your allowance.
You could have called or sent texts to numbers that can’t be taken from your allowance such as International, 0800, 0845 numbers or directory enquiries.
You have used your phone for calls, text or data whilst abroad.
To view any charges outside your allowance click here

Best regards

O2 Payment

This email is sent from Telefónica UK Limited. Registered office:
260 Bath Road,Slough, Berkshire, SL1 4DX. Registered number: 9104398.
Please do not reply.

There are links in the email (I have removed them to protect you) which result in a download.

My bet is that the download is one of those nasty encryption viruses that are doing the rounds, although it could be anything. Definitely not good.

I am not an O2 customer so it was pretty obvious, but O2 customers might be fooled by it.

WordPress Users – Block Access with IP Restriction

Just looked at an error log for a site that has IP restriction in place for the /wp-admin directory and the wp-login.php page. In one hour there were 28 attempts to access wp-login.php. The errors look like this:

[Wed Apr 23 09:51:39 2014] [error] [client] client denied by server configuration: /home/acountX/public_html/wp-login.php

Blocking is easy: you just edit your .htaccess file, either via your web host’s admin control panel or over FTP.

.htaccess in the root directory:

# Deny WordPress login page to all but my IP
<Files wp-login.php>
order deny,allow
deny from all
# whitelist IP addresses (192.0.2.10 is a placeholder; replace with your own)
allow from 192.0.2.10
</Files>

.htaccess in the wp-admin directory:

<Files ~ "\.(php)$">
order deny,allow
deny from all
# whitelist IP addresses (192.0.2.10 is a placeholder; replace with your own)
allow from 192.0.2.10
</Files>

I could probably put the wp-admin directory part in the root domain too, but for reasons I cannot remember, I did not.

If you do not have a static IP it is trickier, but with a bit of searching you can find the IP ranges of your ISP and add those. This works most of the time; occasionally you might get switched to a new IP that is not on the public lists, but it is easy to update.


If you wish to access the site from mobile, other offices etc., those IPs will need to be whitelisted too.

For security it is a good idea to restrict as much as possible though. It is the difference between leaving your front door open and asking bad individuals to leave, and locking your front door and only giving trusted people a key. Stay safe people!
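As an added example (not from the original post), here is a small Python script that parses Apache 2.2-style error_log lines like the one quoted above and summarises the blocked attempts: how many per hour, how many were aimed at wp-login.php, and which client IPs are responsible. The log lines are constructed samples (the client addresses are RFC 5737 documentation addresses) following the path layout in the post; Apache 2.4 writes its error log in a different layout, so the regex is an assumption that would need adjusting there.

```python
import re
from collections import Counter
from datetime import datetime

# One Apache 2.2-style error_log line, matching the format quoted in the post.
# Assumption: Apache 2.4 writes a different layout ([core:error] [pid ...] [client ip:port]),
# so this pattern would need adjusting for newer servers.
DENIED_RE = re.compile(
    r"^\[(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[^\]\s]+)\] "
    r"client denied by server configuration: (?P<path>\S+)$"
)

# Constructed sample log (not real traffic). Client IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
[Wed Apr 23 09:51:39 2014] [error] [client 198.51.100.23] client denied by server configuration: /home/acountX/public_html/wp-login.php
[Wed Apr 23 09:52:02 2014] [error] [client 198.51.100.23] client denied by server configuration: /home/acountX/public_html/wp-login.php
[Wed Apr 23 09:53:10 2014] [error] [client 203.0.113.7] client denied by server configuration: /home/acountX/public_html/wp-login.php
[Wed Apr 23 09:55:41 2014] [error] [client 203.0.113.7] client denied by server configuration: /home/acountX/public_html/wp-admin/admin-ajax.php
[Wed Apr 23 10:01:15 2014] [error] [client 198.51.100.23] client denied by server configuration: /home/acountX/public_html/wp-login.php
[Wed Apr 23 10:02:00 2014] [notice] caught SIGTERM, shutting down
[Wed Apr 23 10:03:33 2014] [error] [client 192.0.2.77] File does not exist: /home/acountX/public_html/favicon.ico
"""


def parse_denials(log_text):
    """Return one record per 'client denied' line: {'ts': datetime, 'ip': str, 'path': str}."""
    records = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue  # other levels and messages are not access denials
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        records.append({"ts": ts, "ip": m.group("ip"), "path": m.group("path")})
    return records


def only_path(records, basename):
    """Keep denials whose file name matches, e.g. 'wp-login.php'."""
    return [r for r in records if r["path"].rsplit("/", 1)[-1] == basename]


def denials_per_hour(records):
    """Count denials per clock hour, oldest first."""
    counts = Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in records)
    return dict(sorted(counts.items()))


def top_sources(records, n=5):
    """Client IPs responsible for the most denials, as (ip, count) pairs."""
    return Counter(r["ip"] for r in records).most_common(n)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("denials per hour:", denials_per_hour(denials))
    print("wp-login.php attempts:", len(only_path(denials, "wp-login.php")))
    for ip, count in top_sources(denials):
        print(f"  {ip:<16} {count}")
```

Note the admin-ajax.php denial in the sample: some plugins call wp-admin/admin-ajax.php on behalf of ordinary visitors, so denying every .php file under wp-admin to non-whitelisted IPs can break them, and a spread of such denials from many different IPs is worth checking before treating it as an attack.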

A Week at IKEA – daily strange spam

I get a lot of spam, it comes with running websites I guess. Today was possibly the strangest. OK, no mention of spells to get an ex-girlfriend back or a sure way to rocket my website to the top of all search engines, but strange all the same.

The subject of the email was “A Week at IKEA”

It was from a [email protected], and sent today (19th March 2014) at 14:52 (4 hours ago no less). This is what it said:

Harry said Fred elbowing Percy out of the way and bowing deeply Simply splendid to see

i’ve sent you a facebook alert

Click Here To Show Email Contents

The “click here” goes to an IP address; this is the format. I have changed the IP by adding one to each number; the rest of the URL remains the same. I have not opened it as I suspect that it could be worse than the usual spam, i.e. it could be a virus / malware. But if somebody who is tech savvy wants to open it and update me below, go for it.

Just remember kids, never click weird looking links in weirder looking emails. Even if your best friends are Harry, Fred and Percy.

Update. OK, I tentatively looked at the root domain, and it goes to a website called “” and offers a chance to win £2000 to spend at Asda. It then invites you to sign up with Facebook or sign in if you are a member. None the wiser, still do not trust the link, and certainly do not trust that website now that I am getting strange spam from it.

Is the BT Infinity / Broadband hub safe?

You may have seen in the news this week that some routers are failing security tests putting home computers at serious risk of being hacked.

Over the past week owners of Linksys and Asus routers have experienced hacking attacks which are exploiting loopholes in the built-in firewalls.

The Moon virus

A virus, called The Moon, has been created to seek out vulnerable routers, take control and then scan for other vulnerable systems.

The InfoSec Community Forums has a page dedicated to what we know so far about TheMoon virus: Linksys Worm “TheMoon” Summary: What we know so far

There is only a risk to PC owners if the Remote Management Access feature on a Linksys router is turned on.

Many routers sold online are posing a serious risk. The BBC reports that; “A separate study by security firm Tripwire has found that 80% of the 25 best-selling routers available on Amazon are vulnerable to compromise.”

There is no sign that BT’s home hubs, which are among the most popular routers in the UK and supply BT’s broadband and Infinity services to homes, are in any way vulnerable.


New Paypal Phishing Scam? “Your account has limitations – you can resolve this now”

Just had an email which appears to be from PayPal. It has the logo and comes from [email protected]

The first line says “Your account has limitations – you can resolve this now” and then:

You may have noticed that some limitations have been placed on your PayPal account. This is part of our security process and helps ensure that we continue to be a safer way to buy and sell. Often all that’s needed is a bit more information about you.

We know this can be frustrating but our aim is purely to protect you and your account. The sooner you provide the information we need, the sooner we can resolve the situation. We aim to review your account within 48 hours.

There is then a button to click to “Remove Limitation”.

The “Remove Limitation” button uses a Google short URL to link to the destination:

This seems unusual – why would Paypal do that? The link redirects to a website that looks like Paypal, but is on the domain

Here are screenshots of the email and the destination:

Email apparently from PayPal

The page that looks like Paypal, but is

Maybe coincidence, but I am in the process of selling a car on ebay. Could this be connected? Was I targeted?

Or, it could be Paypal! At the moment I am not entirely sure, but am certainly going to err on the side of caution and not sign in to that page.

Tip: if in doubt go direct to and sign in, and check your account for messages.

Hopefully Paypal will resolve this for us and confirm whether or not it is their website.

Update: I just looked at the s24sms home page – does not look like Paypal at all, in fact, it has the default Joomla! logo on it.
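The Echosign “Sign In Here” link, the O2 bill link and this PayPal “Remove Limitation” button all turn on the same question: where does the link actually go? As an added example, not part of the original posts, the Python below extracts the links from an HTML email body and flags the warning signs raised in this post: a public URL shortener hiding the destination, a target host outside the brand’s own domain, plain http, and display text that shows one domain while the href points at another. The email body is a constructed sample; the short-link path, the lookalike host and the list of shortener domains are assumptions, and paypal.com is used as the expected domain only because that is the brand this email imitates (for the Echosign email you would pass google.com and adobe.com instead).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public URL shorteners (assumed list): a shortened link hides where it really goes,
# which is the oddity the post notices about the "Remove Limitation" button.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Constructed sample email body in the style of the message quoted in the post. Not a real email;
# the short-link path and the lookalike host are made up.
SAMPLE_EMAIL = """
<p>Your account has limitations - you can resolve this now</p>
<p><a href="http://goo.gl/EXAMPLE">Remove Limitation</a></p>
<p>Or visit <a href="http://www.paypal.com.example.org/cgi-bin/webscr">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">Help Centre</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL ('' if there is none)."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is the domain or a subdomain of it (paypal.com.example.org is NOT)."""
    return host == domain or host.endswith("." + domain)


def shown_host(text):
    """If the anchor text itself looks like a URL or bare domain, return that host, else ''."""
    if " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)


def check_links(html, expected_domains):
    """Return [(text, href, [reasons])] for every link that shows a warning sign."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = host_of(href)
        reasons = []
        if host in SHORTENERS:
            reasons.append("URL shortener hides the destination")
        if not any(belongs_to(host, d) for d in expected_domains):
            reasons.append(f"target host {host!r} is outside {sorted(expected_domains)}")
        if urlparse(href).scheme == "http":
            reasons.append("plain http, no TLS")
        shown = shown_host(text)
        if shown and not belongs_to(host, shown):
            reasons.append(f"text shows {shown!r} but link points at {host!r}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in check_links(SAMPLE_EMAIL, {"paypal.com"}):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

The lookalike host shows why `belongs_to` compares the end of the host name rather than searching for the brand inside it: www.paypal.com.example.org contains “paypal.com” but is controlled by whoever owns example.org, exactly the kind of page the post describes as looking like Paypal while sitting on another domain.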

Windows Security and the W3C Validators Telephone Scam

Just had a telephone call from India telling me they were representing the Windows Security Centre, that my Windows Unique ID had been shared with up to 4 other people, that my computer had been hacked and that my operating system would soon be switched off!

At first I thought that this was the old ZFSENDTOTARGET CLSID scam which I blogged about in 2010, but no, they have a faster way to scam you!

Today the scam ran as follows:

  • I was told the above – i.e. that my Windows ID had been hacked and Microsoft were about to block my operating system in 18 hours’ time. However, they could fix it.
  • I asked the lady if it was illegal to have my Windows ID used by 5 other people, and she told me yes, it was. So I asked her to block it immediately and, to be extra safe, I would throw my computer in the bin and buy a new one.
  • Once I agreed to use their services I was transferred to a 2nd person, this time a man who was apparently an engineer. He explained it all in much more detail. I asked how much it would cost; he could not tell me. He did say it would cost “29”, and after some encouragement he said “£29”, but that was the minimum price; the total price depended on how many errors I had. He then transferred me to a third man.
  • The third guy asked me to “open a Google page” and then in the Google search box to type “W3C validator”. This leads to the first result being
    • Note: is used by web designers to check that all their code is compliant with current HTML standards. If you put into it you will see “23 Errors, 4 warning(s)”.
  • Once the W3C page is opened you are asked to enter your email address – yes, suddenly all the errors are in the email! Doing so in my case resulted in 14 errors, 1 warning. By this point I was bored and told the man I had “25 million errors”. He said “25 errors?” and I said “no, 25 million”, to which his response was “oh dear, that is really bad”. I was then told that this meant that my email account had also been hacked.
  • I then begged him to fix it, and to tell me how much it would cost. He transferred me again, to the fourth man.
  • The 4th person turned out to be the 2nd person again. He told me I had a lot of errors, to which I replied “no I don’t, the W3C validator is used for validating the HTML on websites and has nothing to do with my email account”. This did not deter him!
  • I asked again how much? and he replied “29 euro dollars”. To which I said “what??? dollars????” and he said “sorry, sorry, sorry, sorry, I made a mistake, I mean pounds”. Phew!
  • I then noticed that it was time to get my son from playschool, so said “bye, gotta go”.
  • I got as far as the front door and the first lady (not Obama’s wife) phoned me back to say she had my new Windows code. I said “thanks, please email it over, your colleague has my email address – I put it into your error tool” and hung up. They did not call back.

So, a new scam circulating. Sounds like the same people (Indian call centres) being used to sell dodgy software or services which will likely cause a lot more harm than good.

Remember: Microsoft will never call you.

The W3C Markup Validation Service

Note: a tool for web designers only, not for checking errors on your computer or email account.

[Screenshot: W3C validator scam]

Basic WordPress Security

I run several WordPress sites which have not been updated for ages. None have been hacked.

I feel the need for a new blog post…. 

WordPress Security

I do this for all my sites and the only time I have been hacked was when I installed an image uploader plugin which had a vulnerability.


Pick your plugins wisely. Many plugins, and also some themes, can carry vulnerabilities. Often the problem is in a small part of the plugin or theme: while the core library may be fixed / patched, the plugins and themes which bundle its files are often left out of date and vulnerable.

TimThumb is a good example of this. The actual TimThumb plugin (a php image resizer) is safe now, but older plugins and themes which used the original TimThumb code are still open to hackers.

Avoid plugins which have not been updated for a long time, especially those which allow users to upload or edit content. Image uploaders are a common problem.

Whitelist Your IP

Add a .htaccess file to your wp-admin directory with the following (IP addresses are made up, you should change these to your own):

<Files ~ "\.(php)$">
order deny,allow
deny from all
# whitelist range of IP addresses – office and home (placeholders; replace with your own)
allow from 192.0.2.10
allow from 198.51.100.0/24
</Files>

You can also add IP ranges – I do not have a static IP at home, but by adding ranges for my ISP I can still get in even when my IP changes.

Offer Banner On Your Website for $750 / mo

I just received an email asking to purchase advertising space on my website for up to $750 a month. Here is the full email (warning – do not click the links / enter the email, it attempts to run a Java program on your computer!!!):


My name is Liza Mecklenburg, representing the advertising department
of the JPP Consulting company. We are interested to place an ad
(banner), of your choice, on your website.
Design and sizes can be seen on our website at id_8ae87/
Depending on the banner size you choose we can pay up to

If you are interested please let me hear from you.

Kind Regards,
Liza Mecklenburg
[email protected]

It sounds too good to be true, doesn’t it? I can choose the banner design and size (I will obviously choose the most expensive), and they will pay me $750 a month.

They do not ask about the number of visitors I get to my site either. Amazing!

When you follow the link Java asks if it can run (I use Chrome and have set Java to always request permission to run). This is so that you can see these banners. This is all very, very suspicious. I mean, why not just have a page with jpg or gif banners like other sites? Or, why not add the banners to the email? All seems very, very fishy.

I did a quick Internet search and the first result is a Fake Banner Ad – WARNING on Warriorforum (an Internet marketing forum).

Even just opening the email (which I did) may cause more problems. Brad Mc Bard opened such an email and afterwards received a virus-infected email.

So this is certainly a scam, designed to con you into thinking that you have just attracted a wealthy advertiser, when it really just wants to infest your computer with a virus and do all sorts of nasty things. So, if you get an email like this, do not click the links, do not respond. No sensible advertiser will offer you $750 a month, or any amount of money, without knowing more about your website first.

WordPress Password Hijack? pwd = W1seb0x50

As I have mentioned before I run several WordPress sites, and on them I have a firewall that reports any odd goings-on. Today a bunch of sites had this warning:

WordPress Firewall has detected and blocked a potential attack!

Web Page:   www.***********
Warning: URL may contain dangerous content!
Offending IP: [ Get IP location ]
Offending Parameter:   pwd = W1seb0x50
This may be a “WordPress-Specific SQL Injection Attack.”

Sometimes these are innocent; this may not be. I suspect at the moment that it is trying to find a vulnerability in an old version of WordPress. Of course, many people get WordPress installed by a web designer, or DIY, and forget about it. So there are many out-of-date versions on the Internet.

Come to think of it, Google Webmaster Tools even alerts its customers when it spots old software.

Anyway. Be careful, update your WordPress.

Just Googled [W1seb0x50] and it appears to be a typical (or atypical) attempt to access a computer by guessing the password. Odd that it comes up a few times.

Another Russian Invasion – WordPress Uploadify Targeted

Today I woke up to see hundreds of alerts on my firewall. Today it seems that the WordPress plugin Uploadify is being hammered for an old vulnerability. According to SEO Egg Head, who created the firewall that I use, most of these current attacks are coming from Izhevsk Udmurt in the Russian Federation. Of course, they could come from anywhere!

Here are some URLs that have been hit this morning:

Plugins with Uploadify

  • /wp-content/plugins/uploadify/includes/process_upload.php
  • /wp-content/plugins/uploader/uploadify.php
  • /wp-content/plugins/qr-color-code-generator-basic/QR-Color-Code-Generator/uploadify/uploadify.php
  • /wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
  • /wp-content/plugins/pods/js/uploadify.php
  • /wp-content/plugins/nmedia-user-file-uploader/js/uploadify/uploadify.php
  • /wp-content/plugins/motorcycle-inventory/uploadify/uploadify.php
  • /wp-content/plugins/wordpress-member-private-conversation/js/uploadify/uploadify.php
  • /wp-content/plugins/wpmarketplace/uploadify/uploadify.php
  • /wp-content/plugins/lbg-vp2-html5-bottom/js/uploadify/uploadify.php
  • /wp-content/plugins/kish-multi/uploadify/scripts/uploadify.php
  • /wp-content/plugins/image-symlinks/uploadify/uploadify.php
  • /wp-content/plugins/html5avmanager/lib/uploadify/custom.php
  • /wp-content/plugins/gpress/gpress-admin/fieldtypes/image_upload/scripts/uploadify.php
  • /wp-content/plugins/1-flash-gallery/js/uploadify/uploadify.php
  • /wp-content/plugins/squace-mobile-publishing-plugin-for-wordpress/uploadify.php
  • /wp-content/plugins/annonces/includes/lib/uploadify/uploadify.php
  • /wp-content/plugins/apptivo-business-site/inc/jobs/files/uploadify/uploadify.php
  • /wp-content/plugins/bulletproof-security/admin/uploadify/uploadify.php

Themes with Uploadify

  • /wp-content/themes/fresh_trailers/uploadify.php
  • /wp-content/themes/aim-theme/lib/js/old/uploadify.php
  • /wp-content/themes/zcool-like/uploadify.php
  • /wp-content/themes/pronto/cjl/pronto/uploadify/uploadify.php
  • /wp-content/themes/wpnavigator/scripts/uploadify.php
  • /wp-content/themes/fresh_trailers_v2/uploadify.php
  • /wp-content/themes/wp-eden/admin/uploadify/uploadify.php
  • /wp-content/themes/wp-eden/admin/uploadify/uploadify.php

Plus a lot more. Get the idea? If you have a plugin that has Uploadify built in, you are at risk of being hacked. Uploadify is suffering a similar attack to the one we saw on Tim Thumb earlier. But what is it?

What is Uploadify?

Uploadify.php is a jQuery plugin that provides a way to upload files to a WordPress blog without having to use the Media Upload in the admin area. A “front end” uploader.

From their website:

“HTML5 or Flash Multiple File Upload jQuery Plugin Script”

The plugin, or at least older versions of it, has a vulnerability that allows anyone to upload a file. This is what the hackers are sniffing out. The standard plan is to infect a site with malware and / or add SEO links to the site template files.

Why Is Uploadify a Problem?

It is the classic old WordPress problem. Uploadify is used in other plugins and themes. People create a plugin or theme, incorporate Uploadify (just like Tim Thumb is added to others) and then these get downloaded and used by WordPress web developers.

Unfortunately, the plugin and theme developers do not update them, but people still use them. If you use Uploadify as a standalone plugin you would have received an update.

According to

“There were several major changes in version 3.0+ that helped make Uploadify more secure.  The most major of those changes was the removal of the folder option.  Exposing the upload folder on the client-side was a bad idea.  This time around, the upload folder is set in the uploadify.php file where it’s harder to discover.”

More advice on making Uploadify secure:

Your Solution

First, if you run a WordPress site, check for uploadify – you may have it installed as a part of a theme without realising. Check your plugins too.

Then, check for the date of the last release for your theme or plugin. Make sure everything is updated and if you have a plugin or theme which has not been updated in a long time disable it and seek a new solution.

If you are confident with modifying files and testing – get the latest version of Uploadify from or and replace your current uploadify directory /file (whether in a theme or in a plugin) and see if your site still works.

If you really need it but cannot replace it, you can try renaming all mentions of uploadify.php in your plugins or theme to something else (random) as the hacking attempts are all automated and will only target known files.

Add Secure WordPress and one of the WordPress Firewalls too. Read Hardening WordPress on

WordPress Vulnerability Being Pounded – Front End Upload Plugin

I run a few WordPress sites (this is one of them) and today have seen several attacks coming in (all bouncing off the firewall).

The latest seems to be attacking a vulnerability in a WordPress plugin called Front End Upload. The URL people are hitting is /wp-content/plugins/front-end-upload/upload.php

Front End Upload requires WordPress 3.2 or higher, so is likely to be on relatively up to date blogs. It has been downloaded 9460 times so far, so is being used a fair amount too.

On the WordPress site they do warn “Uploading files should be considered risky“.

Front End Upload allows you to create an upload page on your site by simply adding [front-end-upload] to a page. The uploader will appear when the page is published.

Version and 0.5.4

The latest versions may be secure, as on the changelog it says - Additional security precautions to better validate submissions to upload.php

0.5.4 - Fixed a security threat that allowed for potential code execution. Upgrade right away. This was not an issue in Front End Upload Pro.

These current attacks may be attempting to exploit older versions. Upgrade, or if in doubt, disable it until the developer confirms that the latest version is not being exploited.

Update – Security Focus

Just found this on

Front End Upload plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Front End Upload is vulnerable; other versions may also be affected.

In my case, files with names such as iwoxiek.php were tried. The latest version is I have no idea if this is safe or not!
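Both the Uploadify post and this one come down to the same housekeeping: knowing which upload handlers are bundled inside your plugins and themes, and noticing PHP files that have appeared where only media should be (the iwoxiek.php attempts above). As an added example, not code from either plugin’s authors, the Python below walks a wp-content directory and reports every bundled uploadify.php copy, naming the plugin or theme that carries it and flagging copies that take the upload folder from the request (the pre-3.0 behaviour the quoted changelog describes), plus any PHP file under uploads/. The directory tree it builds is a constructed sample in a temp directory, the PHP snippets inside it are one-line stand-ins, and the folder-from-request regex is a heuristic, not a complete signature.

```python
import os
import re
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "kind component path detail")

# Heuristic marker for pre-3.0 Uploadify: the upload folder is taken from the request,
# the behaviour the quoted changelog says version 3.0 removed. An assumption, not a full signature.
CLIENT_FOLDER_RE = re.compile(r"\$_(?:REQUEST|POST|GET)\s*\[\s*['\"]folder['\"]\s*\]")

# File extensions a web server will typically execute as PHP.
PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def component_of(relpath):
    """Return 'plugin:<slug>' or 'theme:<slug>' for a path relative to wp-content, else 'other'."""
    parts = relpath.replace(os.sep, "/").split("/")
    if len(parts) >= 2 and parts[0] in ("plugins", "themes"):
        return f"{parts[0][:-1]}:{parts[1]}"
    return "other"


def audit_wp_content(wp_content):
    """Walk wp-content and return sorted Findings for bundled Uploadify copies and PHP in uploads/."""
    findings = []
    for dirpath, _dirs, files in os.walk(wp_content):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_content).replace(os.sep, "/")
            lower = name.lower()
            if "uploadify" in lower and lower.endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                detail = ("reads upload folder from the request (pre-3.0 style)"
                          if CLIENT_FOLDER_RE.search(src)
                          else "bundled copy, check its version")
                findings.append(Finding("uploadify", component_of(rel), rel, detail))
            if rel.startswith("uploads/") and lower.endswith(PHP_EXTENSIONS):
                findings.append(Finding("php-in-uploads", "uploads", rel,
                                        "PHP file where only media belongs"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed wp-content tree in a temp dir and return its path (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        # stand-in for an old bundled copy: folder comes from the client
        "plugins/1-flash-gallery/js/uploadify/uploadify.php":
            "<?php\n$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';\n",
        # stand-ins for copies that set the folder server-side
        "plugins/wp-property/third-party/uploadify/uploadify.php":
            "<?php\n$targetFolder = '/uploads';  // folder set server-side\n",
        "themes/wp-eden/admin/uploadify/uploadify.php":
            "<?php\n$targetPath = dirname(__FILE__) . '/../uploads/';\n",
        "plugins/some-plugin/some-plugin.php": "<?php\n// unrelated plugin\n",
        "uploads/2013/05/photo.jpg": "not really a jpeg, just sample bytes",
        # constructed stand-in for a dropped file with the name seen in the post
        "uploads/2013/05/iwoxiek.php": "<?php\n// constructed stand-in, does nothing\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in audit_wp_content(build_sample_tree()):
        print(f"{f.kind:<15} {f.component:<24} {f.path}  ({f.detail})")
```

Run against a real site, point `audit_wp_content` at the wp-content directory. A copy flagged as “bundled copy” still needs its version checked against the standalone plugin, and renaming the file (the workaround the Uploadify post suggests) will stop this scan finding it too, so keep a note of what you renamed.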

What are some of the Worst Computer Viruses ever Made?

A guest post from

Call them what you want: viruses, worms, malicious software or Trojans.  Really, it is all one and the same thing.  And, just as with human viruses, the number of viruses that exist is on the increase.  Identity thieves, spammers and hackers are constantly looking for new and innovative ways to get into other people’s computers, clean out their bank accounts or spread mayhem across the digital highway, just for the fun of it.

There are some viruses that are created only to show that it is possible to create them, but if they end up in the wrong hands, there will be a serious problem.  Let’s look at the ten worst viruses of all times.  Amusingly enough, many of these viruses have quite pleasant names.  But don’t be fooled by their appearance!  Bet you will run a virus scan over your computer after reading this.

The Morris Worm

The Morris Worm was created by Robert Morris, who aptly named the virus after himself.  This took place in 1998, when Morris was still at university.  His worm managed to affect 10% of all computers across the world that were connected to the internet.

All these computers were slowed down to a complete halt.  Luckily, in 1998, only some 60,000 computers were hooked up, but imagine what it would do now.

The Concept Virus

The Concept Virus was another great one.  This one took place in 1995 and was actually caused by Microsoft.  Naturally, it was an accident, but it only took a few days for it to become the worst virus ever.  This is because it affected Word documents, and people easily share these over the internet.

The Chernobyl Virus

The Chernobyl Virus goes live every year on the 26th of April, which is the anniversary of the Chernobyl nuclear disaster.  It was written by Chen Ing Hau, who has since been arrested in Taiwan.  If you find your computer doesn’t work specifically on this day, you will know what’s happened to it.

The Anna Kournikova Worm

Jan de Wit, a Dutch man who stalked the tennis player Anna Kournikova, was the creator of this particular worm.  A picture of Anna would be received by those affected, in essence then stopping them from being able to use their computer.  De Wit was arrested and served a community sentence.


ILOVEYOU or the Love Bug is a particular bad guy.  In May 2000, millions of internet users suddenly received ILOVEYOU messages.  These messages would then forward automatically to all people in that user’s address book.  The creator, from the Philippines, wanted to gain internet access through the virus.

The Melissa Virus

Melissa was the brainchild of David L Smith.  He wrote this to honour his favourite stripper from Florida.  It was the very first email-aware virus to be successful.  It inserted a Simpsons quote in any Word document.  Smith was arrested and jailed because the damage he caused was estimated to be over $80 million.

Netsky and Sasser

Netsky and Sasser were written by a German teenager, Sven Jaschan.  As it turns out, he was actually responsible for around three quarters of the malware that was available on the internet.  Interestingly, he was caught but was spared jail.  He was then hired by a prominent security company who still employs him to this day as an “ethical hacker”.

Storm Worm

Storm Worm was a very interesting virus that caught many people unawares.  This is because it presented itself as a breaking news alert, warning people of seriously bad weather hitting Europe.  It infected millions of users, who became the victims of spamming campaigns (at best) or stolen identity (at worst).

You are right to be worried about all these bad programs out there.  However, with McAfee antivirus installed on your computer, you should be almost entirely safe.

The Security Implications of Tethering a Mobile Phone To Your Computer

The ability to tether a mobile phone to a computer has allowed for much more flexible ways of using the Internet. Whether connected by USB cables, Bluetooth, or Wi-Fi networks, tethered connections enable 3G and 4G cellular networks to be joined onto a core laptop or desktop. Most of these connections rely on a mixture of networks that are provided either by cell phone companies or by Internet Service Providers.

These companies often charge an additional fee for tethering devices, or require a user to have a phone contract in order to access mobile hotspots when on the move.

This convergence of mobile and fixed connections has developed out of improvements in 3G networks. Better packet switching, and faster downloads have improved connections, while smartphones and tablets have begun to take over from laptops as a primary device for some users.

Emerging 4G networks, which rely on a range of technologies, also demonstrate that a large portion of Internet users are now going online through their portable devices, with expectations of faster speeds and higher download limits. However, there are serious security risks for tethering mobile devices to fixed broadband networks.

Problems and Risks

The most basic problem with connecting different devices to a computer and a network is the lack of an equal level of encryption security. The more networks and devices you have, the more chance there is of signals being illegally intercepted in transmission. Risks here include Denial of Service attacks, and virus threats to both core and mobile networks. Mobile phones that connect to Wi Fi and fixed computer networks through Bluetooth have also had problems in the past with their GPS chips being illegally activated.

Broadband security problems consequently break down to a higher risk for hacking. This risk applies to both individual users who connect to different networks with inconsistent security features, and businesses that use tethering. A hacker could potentially bypass a central corporate network through an unsecured mobile connection. Other problems have arisen around jailbroken smartphones, which tend to lack the same levels of encryption as other devices.

Some Solutions

The only practical way to improve security for tethering is to increase encryption on both ends of a network. Software like MAPSec, or Mobile Application Part Security, has recently offered better encryption at the mobile end. Moreover, phone carriers are doing more to improve their 3G and 4G networks by adding software like McAfee. Users should also consider applying the same security approaches to their mobile or portable devices as they would to their desktops and laptops.

Vigilance on malware and website security is essential for mobiles, while users should be careful about transmitting information. Passwords for all networks should be difficult to crack, while WiFi networks should have the most up to date WPA2 encryption. More generally, using cables to connect devices is safer than wireless connections.

It is also likely that the next few years will see improved policing and packaging of tethered connections from providers. A key part of this change should involve providers lowering their tethering charges and usage limits to stop people from illegally hacking into connections, or from using jailbroken smartphones.

Sebastian is a full-time security analyst at a leading blue-chip corporation. He’s currently writing for one of the best independent broadband comparison websites in the UK –