We were hacked

Thursday, March 5, 2009, 5:12 PM

IMPORTANT UPDATE (3/6/09 6:13 a.m.): Several people have inquired if their credit card information was at risk during this hacking event. The answer is no. We do not (ever) store any credit card information at this site. We use a gateway service for credit card transactions and do so specifically so that we do not have to worry about storing and defending such important information.


Well, we were hacked.  Somehow someone got access to our files and went about trying to destroy the site.

The good news is that some in the IT community would call this a sign of progress.  We have arrived!  Even better, we noticed this very rapidly and caught it early, thereby limiting the damage.  Ron did a spectacular job of detection and repair.

The bad news is the site was out for four hours and we spent time, money, and energy doing something that, frankly, wasn't on any of our priority lists over here.

So, sorry for the outage; we've taken steps to patch the probable hole and we'll carry on from here.

Best,
Chris


40 Comments

LindaBobzien
Status: Bronze Member (Offline)
Joined: Dec 12 2008
Posts: 34
Re: We were hacked

It appears that Financial Sense Newshour was hacked too.  And Steven Leeb.  Am I just being paranoid or is that quite weird?

 

 

randallriggs
Status: Member (Offline)
Joined: Apr 16 2008
Posts: 21
Re: We were hacked

Can you track it back and find out who or where the hack came from? Maybe the NSA?????

randallriggs
Status: Member (Offline)
Joined: Apr 16 2008
Posts: 21
Re: We were hacked

If there is any connection with the US government..........you have arrived!

dickey45
Status: Bronze Member (Offline)
Joined: Oct 12 2008
Posts: 77
Re: We were hacked

I noticed your Drupal was out of date and I think there were security updates.  Looks like you've updated it now...

markf57
Status: Bronze Member (Offline)
Joined: Aug 25 2008
Posts: 62
Re: We were hacked

I think something is still going on. Look at that picture of that movie star on the home page! Cool

cmartenson
Status: Diamond Member (Offline)
Joined: Jun 7 2007
Posts: 5568
Re: We were hacked

Photoshop!

Oh wait, you meant Davos, right?

 

Smile

 

 

Damnthematrix
Status: Diamond Member (Offline)
Joined: Aug 10 2008
Posts: 3998
Re: We were hacked

He scrubs up pretty well, doesn't he.....?

Mike 

Mike Pilat
Status: Platinum Member (Offline)
Joined: Sep 8 2008
Posts: 929
Re: We were hacked

Good to see things have been fixed here so quickly and that the damage is contained.

I noticed the financial sense issue too. Hope the site is ok..it's one of my favorites.

capesurvivor
Status: Platinum Member (Offline)
Joined: Sep 12 2008
Posts: 963
Re: We were hacked

Steve Leeb is uncannily close to CC material in his new book, "Game Over."

Someone doesn't like forward thinkers.

 

SG

Bobo
Status: Member (Offline)
Joined: Sep 8 2008
Posts: 6
Re: We were hacked

Hi Chris,

I wonder what was the motive to hack your site. Data access, zombie controlled server or someone doesn't like you.

Best regards,

Brainless
Status: Silver Member (Offline)
Joined: Dec 9 2008
Posts: 150
Re: We were hacked

I just happened to be online when it got cracked. My browser came up while reading some topics with a malware warning which I for some idiotic reason did not copy (and that for an IT guy who always asks his customers to copy the error messages). Soon after that I tried to get an email address to send a warning and the site was down.

I think the reason is that this site is getting the number of hits that attracts attention. In that way it is some weird form of a compliment.

I am happy to see the damage was undone quickly, kudos to the IT guys.

To be precise it was not a hacker (those are the good guys) but a cracker!

 

The.Techno.Luddite
Status: Bronze Member (Offline)
Joined: Nov 26 2008
Posts: 34
Re: We were hacked

Your IT folks find any tracks as to what data they saw?  Passwords?  Subscriber info?

Also, I'll bet your IT people DO have some IP info about the origin connections the invaders used.  They probably have it under control, but if more legwork is needed, I know a geek with a computer lab who would happily donate some neuron & CPU time to tracking them down.

Bobo
Status: Member (Offline)
Joined: Sep 8 2008
Posts: 6
Re: We were hacked
Brainless wrote:

To be precise it was not a hacker (those are the good guys) but a cracker!

 

It all depends on which side of the "good guys" you're ;)

Example: Obama is a good guy! He is gonna help all people who cannot afford their houses with money (he doesn't have) from our kids and idiots like me who were saving all life and renting because I want to put down 35% deposit. Is he a good guy for me........eh noo

Cheers,

 

Jeff Borsuk
Status: Silver Member (Offline)
Joined: Jul 25 2008
Posts: 150
Re: We were hacked

...inside scoop is that it's a rented jacket and he's wearing shorts.

Jeff

:

 

Davos
Status: Diamond Member (Offline)
Joined: Sep 17 2008
Posts: 3620
Re: We were hacked

Heard about the shorts, didn't know the jacket was a rent job.

Glad you're up again, and OBTW I used Photoshop CS

Impartial
Status: Member (Offline)
Joined: Feb 24 2009
Posts: 7
Re: We were hacked

I do not know if this can help, but my AVG shield showed that some attempt of redirection to 78.110.175.249 had happened. The IP belongs to (according to dnsstuff.com):

person: Alexander A Solovyov
address: LIMT Group Ltd.
address: Karpinskogo 97a
address: Moscow
address: 111423
address: Russian Federation
phone: +7 342 2763167

Morpheus
Status: Diamond Member (Offline)
Joined: Dec 27 2008
Posts: 1200
Re: We were hacked

Chris. About two months ago I got a database error when logged in. The problem was that IT CONTAINED TOO MUCH INFORMATION.

Root directory, file structure, etc.

I emailed an admin telling that person to fix it. (I was a superadministrator on a vBulletin site, I saw the hacking risk immediately).

I don't know if that error message was what the hackers used but please, have your database error pages remove ALL server information. 

pinecarr
Status: Diamond Member (Offline)
Joined: Apr 13 2008
Posts: 2236
Re: We were hacked

This morning I am unable to access Safehaven.com .  I'm wondering if I'm just having a local problem accessing it, or if they may have also gotten hit...

VictoriaPandora
Status: Member (Offline)
Joined: Jan 11 2009
Posts: 9
Re: We were hacked

I was on yesterday when the site went down. I was getting a line overflow on stack 13 message over and over.

I am such a genius that I decided to reload the page to fix that, haha. Needless to say it didn't work. However, I am still getting that stack overflow message today. It's making getting through the page difficult because it has to be ok'ed every time it comes up. So, I think something is still going on:/

caroline_culbert
Status: Platinum Member (Offline)
Joined: Oct 2 2008
Posts: 624
Re: We were hacked
Jeff Borsuk wrote:

...inside scoop is that it's a rented jacket and he's wearing shorts.

Jeff

:

 

what a beautiful picture

caroline_culbert
Status: Platinum Member (Offline)
Joined: Oct 2 2008
Posts: 624
Re: We were hacked
LindaBobzien wrote:

It appears that Financial Sense Newshour was hacked too.  And Steven Leeb.  Am I just being paranoid or is that quite weird?

 

 

They claimed 2 have gotten a virus but how they got it is a mystery

admin
Status: Administrator (Offline)
Joined: May 6 2007
Posts: 346
Re: We were hacked
MGhandi wrote:

I emailed an admin telling that person to fix it. (I was a superadministrator on a Vbulletin site, I saw the hacking risk immediately). 

MGhandi,

This is Ron, the site administrator.  I just tried to email you through your account but received a message in return that the email delivery failed.  Please contact us directly using the contact form, and please note in the form that "Ron asked me to forward this information to him."

Ron

ByronS
Status: Member (Offline)
Joined: Dec 11 2008
Posts: 12
Re: We were hacked

Yep, I'm still getting that "Stack overflow..." error every time I navigate from page to page on the CM site. Doesn't happen anywhere else, and it started sometime yesterday.

Glad it's not just me.

Byron 

 

admin
Status: Administrator (Offline)
Joined: May 6 2007
Posts: 346
Re: We were hacked
ByronS wrote:

Yep, I'm still getting that "Stack overflow..." error every time I navigate from page to page on the CM site. Doesn't happen anywhere else, and it started sometime yesterday.

Glad it's not just me.

Byron  

 

Byron,

Please refresh your browser.  I spoke earlier with Victoria and she confirmed she is no longer receiving this issue.  Everything should have been fixed as of last night, but you may have a lingering issue in your local browser cache.  Clicking the refresh button should take care of it.

Ron

Richard_Bennett
Status: Member (Offline)
Joined: Jan 4 2009
Posts: 4
Re: We were hacked

Gathering from the IP address posted by Impartial it looks like the site was infected by a 'drive-by-download' used for spreading banking trojans.

These are generally not targeted at specific sites, but take advantage of known weaknesses in software like Drupal or Joomla to infect a site with an 'iframe attack'.

When a Windows user visits the site (Apple and Linux are currently not targeted) the iframe attack will attempt to download a trojan (like sinowal or Torpig) onto their computer.

This trojan then installs itself onto the victim's master boot record, and during boot it attaches to a legitimate Windows process. This is known as a 'bootkit' and makes it very hard to detect by anti-virus software.

You can try to scan your system with http://www.gmer.net/index.php which can have a degree of success in detecting them.

The trojan then remains active in the background monitoring the computer. Any passwords for email, FTP, websites, online banking etc are logged and sent 'home'. Specialised hacks are downloaded to prompt the user for additional information (like your ATM pincode etc) while the user is doing their online banking.

Often the administrator of a web-site becomes infected themselves, their admin passwords for the websites or FTP are stolen, and the websites are re-infected with an iframe attack simply using the admins credentials.

I presented a research paper on this last month at an OWASP security meeting. The paper and slides should be online in the next few weeks, I'll post a link when they are - it is almost as compelling reading as the economy.

 

Of course this hack could have a different cause... there are many possibilities. 

Best regards.
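
One way a site administrator could check pages for the injected-iframe pattern described in the post above, as an added example that is not part of the original post: it parses HTML and reports every iframe whose source is off-site, marking the ones that are also hidden. The host names, the allow-list and the sample page are constructed for illustration.

```python
"""Audit HTML for injected iframes: off-site source, optionally hidden."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_TINY_DIM = re.compile(r"\s*([01])\s*(px)?\s*", re.I)  # 0, 1, 0px, 1px


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    return bool(_TINY_DIM.fullmatch(value or ""))


class IframeAudit(HTMLParser):
    """Collects iframes that load from hosts outside the allow-list."""

    def __init__(self, trusted_hosts):
        super().__init__(convert_charrefs=True)
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip()
        try:
            host = (urlparse(src).hostname or "").lower()
        except ValueError:
            host = "<unparseable>"  # malformed URL: report it rather than skip it
        if not host or host in self.trusted:
            return  # relative (same-site) or allow-listed source
        hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                  or bool(_HIDDEN_STYLE.search(a.get("style", ""))))
        self.findings.append(
            {"line": self.getpos()[0], "host": host, "src": src, "hidden": hidden}
        )


def scan_html(text, trusted_hosts=()):
    """Return one finding per off-site iframe found in the HTML text."""
    audit = IframeAudit(trusted_hosts)
    audit.feed(text)
    audit.close()
    return audit.findings


# Constructed sample: two legitimate frames and one injected, hidden frame.
TRUSTED_HOSTS = {"video.example.org"}  # hypothetical allow-list
SAMPLE_PAGE = """<html><body>
<h1>Blog</h1>
<iframe src="/widgets/poll.html" width="300" height="200"></iframe>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<p>Post body</p>
<iframe src="http://injected.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, TRUSTED_HOSTS):
        kind = "HIDDEN off-site iframe" if f["hidden"] else "off-site iframe"
        print(f"line {f['line']}: {kind} -> {f['host']}")
```

A frame written into the page by script at load time does not appear as an `<iframe>` tag in the stored file, so a clean result from this check covers static markup only.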

 

 

 

cmartenson
Status: Diamond Member (Offline)
Joined: Jun 7 2007
Posts: 5568
Re: We were hacked

Hi Richard,

Thanks for the info.  I just did the GMER detection and it came up with nothing on my computer.  However, I still am having an issue with a browser redirect which will take either a Yahoo or a Google search and turn the results (which are legitimate) into redirects to commercial sites that have nothing to do with the search itself.

I run Crap Cleaner, Easy Cleaner, have McAfee and SPYDoctor, and none of them can find this little devil.

Any ideas?

I'm worried this could indicate I have something tracking me as well....

Richard_Bennett
Status: Member (Offline)
Joined: Jan 4 2009
Posts: 4
Re: We were hacked

Hi,

To be honest the conclusion I came to when researching this, was that people's chance of solving these problems themselves was slim, I phrased it as: 'they don't stand a chance'.

That goes for the web-masters, victims, banks, e-commerce sites etc.

When you see the level of sophistication, planning, infrastructure, management etc behind this, check http://en.wikipedia.org/wiki/Russian_Business_Network for some background info (out of date already though)...

It is literally like trying to fight the KGB with a penknife.

And the browser-redirection is just a sideshow. The real harmful parts can sit undetected in your MBR for months, so even a complete Windows re-install cannot eliminate them.

If you are using a self-maintained Windows PC it is safest to assume it is infected, and not to mix banking/e-commerce with your daily internet use (and remember any passwords you use anywhere are probably known).

Possible tips:

Keep 1 computer specifically for banking, e-commerce payments and other secure use - preferably a Mac or Linux machine (they also have vulnerabilities, but are currently not targeted yet), and don't use it for anything else.

Or boot from a read-only medium like an Ubuntu live CD (http://www.ubuntu.com/getubuntu/download).
This means you run your operating system from a CD, so at least you know nothing changes between boots, but of course you cannot save any documents or bookmarks either.

Using virtualisation (vmware, virtualbox etc) for daily internet use also helps. If a VM becomes infected you just delete it and start a new copy.

Hope that helps somewhat...

 

 

pwoody82
Status: Bronze Member (Offline)
Joined: Sep 26 2008
Posts: 51
Re: We were hacked

I attempted to go onto the Financial Sense site yesterday and McAfee gave me a trojan stopped message, but stupid me, I tried it again and the second time it crashed McAfee. Fortunately, my spyware checker caught it the second time but I could not get McAfee back up and had to change virus checkers. I tried all kinds of scans and contacted McAfee but to no avail. Financial Sense was still down with only a temp site up this afternoon. They really got hammered.

This site was fortunate that someone was on the ball and stopped the attack.

LindaBobzien
Status: Bronze Member (Offline)
Joined: Dec 12 2008
Posts: 34
Re: We were hacked

Steven Leeb's www.completeinvestor.com is still down.  I have a feeling they are behind the 8ball due to the unprofessional amount of spam they send.  No admin worth their salt would allow that to go out (I wouldn't).   Does anyone have any guess why all of these financial news sites were targeted?  That seems significant somehow.

 

BTW, I use Kaspersky and appear to be unaffected. 

admin
Status: Administrator (Offline)
Joined: May 6 2007
Posts: 346
Re: We were hacked
LindaBobzien wrote:

Does anyone have any guess why all of these financial news sites were targeted?  That seems significant somehow.

Linda,

One of the earlier posts I think said it best ... more than anything, these sites were probably targeted because they have been getting a lot more traffic recently.  Hackers target sites that have lots of visitors, because their work can have a larger impact.  I think the fact that sites are focused on financial news just happens to be coincidental.

Ron 

Peter G
Status: Member (Offline)
Joined: Sep 17 2008
Posts: 11
Re: We were hacked

It's not uncommon to be cracked. The last two nights an unrelated site I visit often for tech info has been down on several occasions. It too uses Drupal. I'm still trying to get word what their issues have been.

A little side note: even Kaspersky is not safe. It has been cracked several times officially and who knows how many other times. Most recently in late Jan. 09. It's just the nature of the beast of the internet.

hucklejohn
Status: Gold Member (Offline)
Joined: Dec 13 2008
Posts: 281
Re: We were hacked

I might as well ask the question.  How often should we change our passwords to sites that contain financial information, such as our banks, internet stock brokerage firms, etc?  How often for other sites?

Richard_Bennett
Status: Member (Offline)
Joined: Jan 4 2009
Posts: 4
Re: We were hacked
hucklejohn wrote:

I might as well ask the question.  How often should we change our passwords to sites that contain financial information, such as our banks, internet stock brokerage firms, etc?  How often for other sites?

As a matter of best-practice you could do this monthly, but I think few people do. I don't.

The problem is, if your computer IS infected the new password will be stolen the moment you type it in, and you won't know.

If you change them often you might choose simple passwords so you can remember them, or write them on a post-it, making them less secure rather than more...

And you can't know if you are infected, so basically you should assume you are and not do anything important from a self-maintained Windows computer without taking extra precautions.

Even security professionals don't stand a chance in fighting this. For example, the Conficker worm had the ability to phone-home and spread through 250 different domains each day, so the security consortium tried to stop it spreading by registering these 250 domains each day themselves. Now Conficker has updated itself to support 50.000 domains per day... that'd be about $250.000 a day to counter, and then they'd simply increase it again...

http://www.theregister.co.uk/2009/03/07/conficker_upgrade/

 

Richard_Bennett
Status: Member (Offline)
Joined: Jan 4 2009
Posts: 4
Re: We were hacked
pwoody82 wrote:

I attempted to go onto the Financial Sense site yesterday and McAfee gave me a trojan stopped message, but stupid me, I tried it again and the second time it crashed McAfee. Fortunately, my spyware checker caught it the second time but I could not get McAfee back up and had to change virus checkers. I tried all kinds of scans and contacted McAfee but to no avail. Financial Sense was still down with only a temp site up this afternoon. They really got hammered.

This site was fortunate that someone was on the ball and stopped the attack.

On their site they say:

Quote:

Details on Virus Infection

On 4 March 2009, it came to our attention that
www.financialsense.com had become infected with a new Trojan virus that
had embedded itself in the website's code. This virus redirected our
visitors to sites that attempted to download malicious software. In the
interest of protecting our many visitors from infection by this virus,
we immediately disabled the site and are in the process of diagnostic
testing and rehosting of the site. We are making every effort to
resolve this issue as quickly as possible; however, the full site may
not be available until Friday, 6 March, or later, depending upon the
severity of the impact of the virus on our site's code.

We appreciate your support and understanding as we resolve this issue.

—PFS Group/Financial Sense Staff, 4 March 2009 3:42 pm PST

Both their visitors and the admins don't really stand much of a chance. The banks and CC companies have been suppressing information on this for years now (this type of direct banking attack started in 2007). They quickly pay any losses and minimise the issue so as not to affect customer confidence in the internet.
Their whole business-model is based on people administering their finances from home on the internet...
But now nobody is aware of the risks that are there, and criminals have built a huge network and marketplace where they sell access to your information backed by a well-funded infrastructure and the collusion of corrupt law-enforcement. 

LindaBobzien wrote:

BTW, I use Kaspersky and appear to be unaffected. 

The problem is that the only thing an anti-virus can prove is that you ARE infected. If they find nothing it doesn't prove anything, just that they didn't find anything.
One of the first things a trojan will do is disable your anti-virus from working properly, which is what makes detecting trojans so hard.
Also, a trojan that is deeply nested in your operating system will periodically download new 'payloads' to carry out specific attacks (sending spam, attacking sites etc). These will sometimes be detected and removed by your anti-virus, which will then claim your system is clean, while the real trojan remains active.

 

Davos
Status: Diamond Member (Offline)
Joined: Sep 17 2008
Posts: 3620
Re: We were hacked

Richard gives excellent advice!

Some additional things that can help once you get your box clean:

 

  • Keep kids off your box
  • Dedicated bank box (like Richard advised)
  • Password protect your box
  • Turn off the guest account in Windows, make sure all accounts have passwords or kids can go into safe mode and get onto your account in 2 seconds at the DOS prompt, easy exploit you can watch 9 year olds on YouTube show adults this
  • Run http://technet.microsoft.com/en-us/sysinternals/default.aspx which will show you who certificates each process with verification, Google anything unverified or un-named
  • Treat computers like tooth brushes (don't share them)
  • Norton 2009 Internet Security (not just anti-virus) seems for the average Joe who isn't a geek - to be good
  • Know the basics about Phishing
  • Don't use public computers
  • Watch out for WiFi at the coffee shops/airports
  • Make sure your network (WiFi) is secured (WPA or alike)
  • Don't use one password for email, banking, blah blah blah
  • Keep password book in fireproof box (locked)
  • Don't store passwords on local box
  • Use credit NOT debit card for purchases online
  • Buy a Mac
  • Watch this video, http://www.msnbc.msn.com/id/6713753/ it is an eye opener, last I recall he is still suing the bank, the banks have gotten a little tighter but this says it all
  • Most infections I have seen were kid induced, house guest used porn, or an online poker site
  • DON'T FILE SHARE tell the kids iTunes or NO_Tunes
  • If it is free it probably has an added bonus-one you DON'T want
  • Back up your data, hard drives crap out all the time

Hope that helps. BTW Reformatting your box, loading Norton and scanning and reloading your data take care of 98% of the problem - but if something is living in the boot, like Richard says, you need to disk boot the box...

 

laviera
Status: Member (Offline)
Joined: Jul 11 2008
Posts: 1
Re: We were hacked

Quick question for anyone who might know:  are the members of this website at risk of the virus infecting their computers as a result of the recent attack?  I was on the website the day the attack happened and I am not clear from reading the thread if my work windows machine could possibly be infected.  Thanks for any thoughts.

gregroberts
Status: Diamond Member (Offline)
Joined: Oct 6 2008
Posts: 1024
Re: We were hacked

"Indeed, Facebook has seen five different security threats in the past week. According to Trend Micro, four new hoax applications are attempting to trick members into divulging their usernames and passwords. And a new variant of the Koobface worm is running wild on the site, installing malware on the computers of victims who click on a link to a fake YouTube video."

http://tech.yahoo.com/news/nf/20090305/tc_nf/65095;_ylt=AnevMUzNU8M_K8kP...

Not sure if this is relevant to what happened here but thought I'd post it anyway.

Greg

hucklejohn
Status: Gold Member (Offline)
Joined: Dec 13 2008
Posts: 281
Re: We were hacked

Thanks Richard & Davos for your advice.  It looks like no matter what precautions we might take we still remain vulnerable in some way.

admin
Status: Administrator (Offline)
Joined: May 6 2007
Posts: 346
Re: We were hacked
laviera wrote:

Quick question for anyone who might know:  are the members of this website at risk of the virus infecting their computers as a result of the recent attack?  I was on the website the day the attack happened and I am not clear from reading the thread if my work windows machine could possibly be infected.  Thanks for any thoughts.

laviera,

Yes, it certainly is possible if you were using a computer that does not have anti-virus protection, or a firewall, or if the protection was out of date.  I would recommend running your virus scan software to check for issues.  At a minimum you should run your virus scan software at least weekly to always monitor for potential problems.  In general surfing the Internet is risky business relative to the potential for viruses.

Ron
