Predatory Sales Tactics of Web Security
Disclaimer: This is not a review or a recommendation for the site protection services the company discussed in the article offers. I’m sure that the services they provide are top notch and worth the enormous cost (/s) they are charging. This article means only to discuss the predatory sales tactics that were employed by the sales representative.
I got hacked. A few months ago a shared server account I have got compromised. The hacker (or probably bot) gained enough access to deploy and execute some scripts that recursively ran through my server directories, pasting and injecting its nefarious code. Google Webmaster tools noticed some weird behavior on one of the sites hosted at that box and notified me. The hack was a version of the Japanese Keyword Hack. Google security has a pretty good article discussing and fixing the Japanese Keyword Hack. Luckily the account was primarily used for hosting dev projects and personal projects – none of my paying customers’ accounts were on the box. This article isn’t about that. It happened and I cleaned it up – lesson learned – protect your server with a password better than “password123”. Nope, this article is about the company that called me offering to clean up the mess.
This specific hosting account was on Hostgator.com – I’ve used them for years and have only had good interactions with them. They are good. – This article isn’t about them.
JH: “Hello this is John”.
S: “Yes Mr. Harbison, I am _____ with Site ________. Hostgator provided us your information due to your account being hacked. It is in jeopardy of becoming blacklisted by Google.”
JH: “Yes, I know the account was compromised. Is there a specific domain that is being flagged by Google?”.
S: “Well Mr. Harbison, there are many directories that were accessed in that account – What sites are active in that account?”.
JH: “There are a few sites still active through that account. Those directories are A, B, C, D, and E so I’d say 5 or 6 sites are active off that account.”
S: “OK good, those sites will need to be cleaned of malware – we can protect your sites by removing any malicious code, protect your domain and provide Google with an Updated clean site report that will let Google know that the site is free of any malicious code.”
JH: “Wait, that can’t be cheap what is the cost?”
S: “Normally it’s $50 per domain, but since you have 6 it will just be $15 per domain”
JH: “Is that a one time charge or monthly?”
JH: “Whoahhh Okay – well I was moving that content off anyways – if my account and IP are at risk that’s okay, it’s mostly just dev work – I’ve been cleaning the accounts anyway – So I was planning on moving off that server anyway. You can just block the account”
S: “. . . Unfortunately we don’t have access to do anything like that to the account”.
JH: “Why not?”
S: “We aren’t authorized to do anything to your Hostgator account”
JH: “Okay. Well I’m just going to shut down that account anyway and move the domains to another service with cleaned code – I’ll get it sorted”
S: “Well that isn’t going to protect you – Your domain was hacked”
JH: “What do you mean? If I set up a completely new account – with completely non-hacked files – and point my domain to that new code base – how can that be hacked? It would all be new”
S: “Your domain was hacked. Hackers can target the domain and compromise it”
JH: “How on earth can a domain be hacked? A domain is just a DNS record – specifically an A record pointed to an IP address of a server. How can you hack a record?”
S: “The hackers have targeted your domain and will distribute malware and spam through the domain – ”
At this point I was losing my mind. The idea that a domain could be hacked – separate from a server, and separate from someone compromising my domain registrar account – was completely, mind-meltingly absurd. The idea was absolutely insulting. I couldn’t believe I was hearing this FROM A WEB SECURITY FIRM!!!! How could it be possible for a hacker – even the best hacker in the world – to distribute and display hacked content from my website without a host? How could it be possible for them to do anything without a server running?
Back to the convo with rep…
JH: “What you are proposing is hard to understand. The server has nothing to do with the domain – the domain points to the server and the server serves the content – you can hack a server, you can even hijack a domain record – but you can’t hack the domain. And we aren’t even talking about my registrar account being compromised”
S: “I don’t think I’m explaining this well. Let me get a supervisor on the line. Please hold.”
When they placed me on hold I hung up.
Security is Important
Hey kids – protect your server accounts. That means restricting permissions on folders and files. Don’t use your root user on multiple domains – in fact, don’t use your root user for anything except root management. Also protect your registrar accounts. If someone gets into your GoDaddy account they can point your domain wherever they please. So use hard passwords – or even better, use multi-factor authentication (like user + pass + phone text).
If you get Hacked – you can clean it up
The service I was being sold is not some crazy magic. I’m sure the firewalls and cleaning they were going to do were awesome, but with an SSH client, a text editor and Google, you too can clean up the mess! The Google document I mentioned above helped me clean up the account. Google’s Webmaster tools with Google Web Crawl allowed me to see the cloaking going on on the site. Sure, the hack made a mess and cost me time and headache, but at least I’m not out $90+ per month.
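A sketch of that kind of SSH cleanup pass, as an added example that is not from the original post or from Google's article: it lists recently changed PHP and .htaccess files, PHP that evals a decoded blob, user-agent cloaking rules, and world-writable paths. The directory layout, file names and match patterns are constructed assumptions about what an injection like this leaves behind.

```shell
#!/usr/bin/env bash
# Added example: triage a web root after a mass PHP injection.
# Directory names, file names and match patterns are constructed assumptions.

# PHP and .htaccess files changed in the last N days (default 30).
recently_modified() {
  find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -mtime "-${2:-30}" | sort
}

# PHP files that eval() a decoded blob, a common shape for injected code.
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' "$1" | sort
}

# .htaccess files whose rewrite rules branch on a crawler user agent (cloaking).
cloaking_rules() {
  grep -rlEi --include='.htaccess' \
    'RewriteCond[[:space:]]+%\{HTTP_USER_AGENT\}.*(googlebot|bingbot)' "$1" | sort
}

# Files and directories any local user can write to.
world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Build a small constructed web root: one clean file, one injected file,
# one cloaking .htaccess and one over-permissive upload directory.
make_demo_root() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/siteA/uploads"
  printf '<?php echo "hello"; ?>\n' > "$root/siteA/index.php"
  printf '<?php eval(base64_decode("PLACEHOLDER")); ?>\n' > "$root/siteA/uploads/cache.php"
  printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} googlebot [NC]\n' > "$root/siteA/.htaccess"
  chmod 755 "$root/siteA"
  chmod 644 "$root/siteA/index.php" "$root/siteA/.htaccess" "$root/siteA/uploads/cache.php"
  chmod 777 "$root/siteA/uploads"
  touch -t 202001010000 "$root/siteA/index.php"   # pretend it predates the incident
  echo "$root"
}

triage() {
  echo "== changed in last ${2:-30} days"; recently_modified "$1" "${2:-30}"
  echo "== eval of decoded blob";          suspicious_php "$1"
  echo "== user-agent cloaking rules";     cloaking_rules "$1"
  echo "== world-writable paths";          world_writable "$1"
}

demo=$(make_demo_root); triage "$demo"; rm -rf "$demo"
```

Run `triage` against the real document root over SSH; every hit is a lead to open in a text editor and review, not proof of compromise on its own.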
A Domain is just a domain – nothing more
A domain is like an address. Your home is at a location – you could describe it with Latitude and Longitude or you could describe it with a Road and a number. 124 Maple Ave is a lot easier to share than 38.0406° N, 84.5037° W. Likewise Google.com is much easier to share than 18.104.22.168. A domain points to a computer (server).
Being hacked sucks. It’s nerve-racking to think that every second your site is up and hacked, your online reputation could be tarnished. Your Google ranking and indexed content are tanking, and money and clients are at stake. Web security firms know this, and if you aren’t vigilant or experienced it would be easy to be taken advantage of. That’s what makes this so disheartening. It is bad enough to be in this vulnerable position, but to then be told incorrect information or aggressively sold unneeded services is almost as bad as being hacked in the first place! Just as I rely on a doctor to be honest with me when I’m sick, I’d expect a Web Site Security firm to be honest with me when I need them.