China Crisis – hackers and me
Over the past few weeks, I’ve noticed something very odd on the website – hackers making determined and persistent efforts to break in.
It started on August 20, and seems to originate from the same group of attackers in the Far East.
It’s not unusual for someone to try to gain control of a website that isn’t theirs. Most of the time it’s so they can either slap up adverts for magic blue tablets, or perhaps to try to steal stored information.
I don’t keep any financial info on the website. Paypal takes all my payments and deals with the credit card numbers and money, so I’m not so worried about that.
What’s caught my attention is that it’s an evolving attack that’s taken place across more than one vector.
Bad login attempts
Here are attempts to log in to chipscheesegravy.com over the past couple of weeks. You can click on the IP address to follow it back to its origin. Yes, it is possible to spoof your IP, but these guys didn’t seem worried about that – at least at first.
2016-08-30 21:07:11 22.214.171.124
2016-08-30 21:07:06 126.96.36.199
2016-08-30 21:06:52 188.8.131.52
2016-08-30 21:06:37 184.108.40.206
2016-08-30 15:56:37 220.127.116.11
2016-08-30 15:56:20 18.104.22.168
2016-08-30 15:56:02 22.214.171.124
2016-08-30 10:43:03 126.96.36.199
2016-08-30 10:42:58 188.8.131.52
2016-08-29 22:05:43 184.108.40.206
2016-08-29 22:05:09 220.127.116.11
2016-08-29 17:36:04 18.104.22.168
2016-08-29 17:36:01 22.214.171.124
2016-08-29 17:35:52 126.96.36.199
2016-08-29 17:35:48 188.8.131.52
2016-08-29 17:35:44 184.108.40.206
2016-08-29 11:28:22 220.127.116.11
2016-08-28 21:20:40 18.104.22.168
2016-08-28 02:40:36 22.214.171.124
2016-08-26 06:55:59 126.96.36.199
2016-08-25 00:53:04 188.8.131.52
2016-08-23 22:36:26 184.108.40.206
2016-08-22 12:15:20 220.127.116.11
2016-08-21 13:38:42 18.104.22.168
2016-08-21 02:24:25 22.214.171.124
2016-08-20 21:30:26 126.96.36.199
2016-08-20 21:30:26 188.8.131.52
2016-08-20 21:30:24 184.108.40.206
2016-08-20 21:30:21 220.127.116.11
2016-08-20 21:30:18 18.104.22.168
2016-08-20 21:30:00 22.214.171.124
The vast majority are from China, with a couple from nearby Taiwan and Vietnam.
One hacker to rule them all?
So why would I think it’s the same hacker or hacking group? After all, they’re in at least three different countries.
Well, I also log the data they send, both the username and password they submit.
Interestingly, they’re going through an unusual dictionary attack: so far they’ve guessed “superman”, “jordan”, “fuckme”, “fuckyou” and other unlikely words.
Fortunately, I’ve a bit more sense than to leave “admin” as a username – and certainly more sense than to use a simple password. They’re going to be guessing for a long time.
The other reason I suspect it’s an organised campaign is that their tactics have changed as I’ve responded.
Move and counter-move
The first thing I did when I saw someone was trying to guess their way in was to ban the IP address. They’d used the same one over and over, so it was a simple thing to do.
But I think they must have figured that out, as they haven’t used the same IP address twice again.
It’s the same form of attack though – and still use different combinations of the same passwords and usernames.
The attacks only happen in short bursts, too. That’s probably to avoid alerting my webhost (Netcetera, of course – buy local!) and to avoid setting off my site defences. If you unsuccessfully try to login too many times, you’ll be banned.
Some hackers use a fully-automated “dictionary attack”, which runs through hundreds of thousands of attempts with different passwords in a relatively short space of time until the lock clicks and they’re in.
Restricting their number of attempts is a good way of stopping those cold.
Hack the planet
They’re still trying to get in – but now the hackers are boxing a little more cleverly. IP addresses trace from a variety of countries around the world.
However, they’re still using the same dictionary in that same burst pattern to crack the same page. That makes me think it’s the same hacker again, trying to see whether I’ve blocked a particular country.
Russia is the usual source for blackhats – no criticism of the country, there are just a lot of criminal hackers there.
China runs a close second, and in both cases not only do you see hacking groups but also state-sponsored hacking.
The third wave
The attacks have now become a bit more subtle. Here’s a comment left on a piece a wrote a little while ago:
(IP: 126.96.36.199, static.vnpt.vn)
Email: <email removed>
URL: <link removed>
In Southern California, the fast food chain Tommy’s has a thick, brown-gravy-based meat chili, and the ingredients of their chili cheese fries are comparable to those of poutine. The chili is thicker, however, and the cheese is American cheese. In Adelaide , Australia , chips, topped with yiros meat, tomato, barbecue and garlic sauce are served as “AB”.
How lovely, letting me know about chips, cheese and gravy dishes from around the world. Odd that the hotmail address didn’t match the name, though.
What a shame they used a VPN service from Vietnam, one of the countries featuring heavily in previous attacks.
Phish, chips, cheese and gravy
Not only that, but after calling in a friend who’s a security professional, we had a look at the link he sent as his URL. It was a URL shortener from klik.bz rather than a full web address, which I was very suspicious of.
That turned out to be hiding another shortened address. And where did that lead? You’ve probably guessed – it’s driveby malware. They wanted me to download it and have it run surreptitiously so they could harvest what they can from me. Passwords, usernames, logins to everything I do from home.
Fortunately, I still remember my “stranger danger” training and don’t click on URL shorteners unless I’m very very sure of where they’ll take me.
It’s a new one on me, though. I don’t really get many spam comments – and the ones I do get are all backlinks to other websites placed by the naughtiest of SEO marketers.
This was a nice attempt at a spear phish, with a comment that almost made sense unless you knew this site has as much to do with the Manx national dish as it does with Mars.
Conspiracy theory, anyone?
My security friend is very paranoid about hacking, and has two ideas about why I’m being targeted – although I have to say I find both equally unlikely.
First, Chinese hackers have gone after western journalists before. Particularly if they’re in a country involved with China. And especially if they think they can either use the hacked site to distribute malware more widely in that location.
But I have a number of doubts. Am I really so important a group of state-sponsored hackers would target me? And surely they’d have far more sophisticated methods available?
Second, I’ve annoyed somebody so badly they’ve hired a hacker to break in and either deface, delete or otherwise damage the site.
This is more of a possibility, although it would be hard to imagine someone taking so much umbrage at something I’d said they’d hired digital ronin to send after me.
Staying safe online
Whoever it turns out to be (and I’d love to hear from anybody else on the Island with similar problems), I feel pretty secure.
Long passwords, unique usernames, IP blocking, login attempt counting, geo-banning and two-factor authentication – use all of them.
After all, you never quite know who’s trying to break into your business – or why!
If you’d like training in digital and cyber security for your company, I’d highly recommend Intelect Solutions – based here on the Isle of Man. Although they didn’t help with this, they certainly know their stuff, and can help with online investigations and even due diligence and KYC investigations using deep web searches and other online resources.