How hackers turned a Cape Cod fishing guide’s site into a host for e-commerce fraud

Cape Cod fishing guide Eric Stapelfeld trusted me to look after his website the same way that I trust him to find fish. Until a few weeks ago, I believed I had the easier part of the bargain. After all, what’s hard about maintaining a simple WordPress site with a phone number and lots of striped bass pictures? As it turns out, everything is hard, really hard, when hackers go to work on a vulnerable site — even a simple one. And no fish ever put up a fight like the malware that took over Eric’s site.

Eric Stapelfeld, the fishing guide

The story began last fall, when Eric called me in San Francisco to report that “some guy” had called to complain about fraud on his site.

“Yeah, like the guy said somebody is running a business inside the website and ripped him off. Said he knows it’s not my fault but I should know about it.”

Eric doesn’t sell anything on his site. It consists of posts about fishing and a phone number to book trips. No hacker would bother with a site like that, right?

“Hey forget about it,” I told Eric. “There’s no way your site could rip anyone off. I have no idea what the guy is talking about.”

That was more true than I realized. Three months later, I got another call from Eric. “Hey, Google is fucking with my site,” he said. “My friends are calling me and saying something is wrong.”

As soon as I typed in www.hairballcharters.com, Google dropped a screaming red screen warning that read: “The site ahead contains malware. Attackers currently on www.hairballcharters.com might attempt to install dangerous programs on your Mac that steal or delete information (for example, photos, passwords, messages, and credit cards).”

“Oh crap,” I thought. Maybe there was something more to that guy who called Eric.

My first move was to call customer service at Deluxe Hosting, where the site is hosted, and get them to open a ticket. After a few email exchanges, I realized that they were unlikely to sort out the problem. They found malware and said they deleted some of it, but Google was still showing a warning. After a few exchanges, Deluxe stopped responding.

Next I got in touch with Jennifer Zelazny, the WordPress developer who set up the site and had worked on it from time to time. She agreed to dive in.

What she found was nasty. Hackers had accessed the site either directly through WordPress or through a plug-in on the site. She found at least 20 suspicious WordPress core files. There were also non-core files on the site with file names like “list.php” and “apis.php,” which to an average user might not have raised any red flags. Their names looked typical, but the time stamps were all recent — since July 2016 — and upon further inspection revealed redirects to other sites. She deleted the files, reset passwords, updated the secret keys in the wp-config, cleaned up other valid files with malicious code and then ran scans with Exploit Scanner and Sucuri SiteCheck scanner to ensure she found every bit of malware.
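The triage described above, as an added Python example that is not from the original article: list PHP files changed since a cutoff date and sort the ones containing redirect code first. The sample files, their contents and the match patterns are constructed assumptions; the July 2016 cutoff is the date from the story.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic byte patterns for code that sends a visitor to another URL.
# Legitimate WordPress code also redirects, so a hit means "read this file",
# not "this file is malicious". The pattern list is an assumption.
REDIRECT_PATTERNS = [
    re.compile(rb"header\s*\(\s*['\"]\s*Location\s*:", re.I),
    re.compile(rb"wp_redirect\s*\(", re.I),
    re.compile(rb"http-equiv\s*=\s*['\"]?\s*refresh", re.I),
    re.compile(rb"window\.location", re.I),
]


def triage_php_files(docroot, cutoff):
    """List .php files under docroot modified on or after cutoff (aware datetime).

    Files whose content matches a redirect pattern sort first.
    """
    cutoff_ts = cutoff.timestamp()
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if mtime < cutoff_ts:
                continue
            with open(path, "rb") as fh:
                body = fh.read()
            findings.append({
                "path": os.path.relpath(path, docroot).replace(os.sep, "/"),
                "modified": datetime.fromtimestamp(mtime, timezone.utc).date().isoformat(),
                "redirect": any(p.search(body) for p in REDIRECT_PATTERNS),
            })
    return sorted(findings, key=lambda f: (not f["redirect"], f["path"]))


def build_sample_site(root):
    """Create a constructed miniature docroot (every file here is made up)."""
    utc = timezone.utc
    samples = {
        "index.php": (datetime(2015, 3, 1, tzinfo=utc),
                      b"<?php require __DIR__ . '/wp-blog-header.php';\n"),
        "list.php": (datetime(2016, 8, 2, tzinfo=utc),
                     b"<?php header('Location: http://shop.example.invalid/'); exit;\n"),
        "apis.php": (datetime(2016, 9, 14, tzinfo=utc),
                     b"<?php echo '<meta http-equiv=\"refresh\" "
                     b"content=\"0;url=http://shop.example.invalid/\">';\n"),
        "wp-content/plugins/sample/sample.php": (
            datetime(2016, 10, 5, tzinfo=utc),
            b"<?php /* constructed plugin file, changed by a normal update */\n"),
    }
    for rel, (when, body) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (when.timestamp(), when.timestamp()))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        # The article's suspicious files were all dated July 2016 or later.
        for f in triage_php_files(root, datetime(2016, 7, 1, tzinfo=timezone.utc)):
            flag = "REDIRECT" if f["redirect"] else "recent"
            print(f"{flag:8} {f['modified']} {f['path']}")
```

A recent timestamp alone proves nothing (the plugin file in the sample changed through a normal update), and an intruder can reset modification times, so the listing is a starting point for reading files, not a verdict.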

Jennifer asked me if I had a Google Webmaster account so we could request that Google scan the site and give it a clean bill of health. I had not claimed the site before, so I went through the steps. Google provided a code snippet to drop into the site’s markup as a means to authenticate that I was in fact the owner of the site. Jennifer followed up; not long afterwards, Google admitted me to the account.

To my horror, there were already two other email addresses listed as owners of the site. They were really sketchy email addresses, like ones you’d make up if you were up to no good.

I looked around in the Google webmaster account and saw that the hackers had filed 47 sitemaps and submitted 565,192 web pages, of which 229,837 had been indexed by Google.

In case you’re wondering, Eric’s site has 130 web pages, most of which feature a picture of an impressive striped bass caught off Falmouth on Cape Cod.

It appears that the hackers were using the malware to insert links in Eric’s site and using the site map to create some kind of dynamic set of redirects. But that’s just a guess, and there may be a better explanation.

Neither of us was crazy about following the links. The hacker had created more than 47 separate sitemaps using links/redirects from the site — all averaging 70,000 lines of code each (that’s a lot of URLs!) The URLs all looked similar in their format:

And this example of the result on a Google search results page — needless to say, Hairball Charters does not have any business extensions in Japan:

By looking at this cached page, it’s pretty easy to imagine what was happening. In this case, the hackers had set up an e-commerce site targeted at Japanese consumers.

Google’s tools made it easy to kick the invaders out of the account. Google shows the tag associated with each registered account for the site, so I passed those to Jennifer, who deleted them from the mark-up. In an instant, the hackers’ access was gone. Then I gave Jennifer access to the account and she deleted all the fake sitemaps. Jennifer told me that she had worked on a lot of compromised sites, but this was the first time she had seen hackers take over the Google webmaster account in order to manipulate the sitemaps.
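An added example (not from the original article or from Google): a Python check that collects every google-site-verification meta tag from a site's rendered pages and reports the tokens the owner did not place there, which is the kind of tag that kept the two extra owners in the account. The page HTML and all token values are constructed placeholders.

```python
from html.parser import HTMLParser


class VerificationTagParser(HTMLParser):
    """Collect the content of every <meta name="google-site-verification"> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "google-site-verification":
            self.tokens.append(attr.get("content", "").strip())


def verification_tokens(html):
    """Return all verification tokens found in one HTML document."""
    parser = VerificationTagParser()
    parser.feed(html)
    parser.close()
    return parser.tokens


def audit_owner_tags(pages, approved_tokens):
    """Map each unapproved token to the sorted list of pages that serve it.

    pages: {url_path: rendered_html}; approved_tokens: tokens you issued yourself.
    """
    unexpected = {}
    for path, html in pages.items():
        for token in verification_tokens(html):
            if token not in approved_tokens:
                unexpected.setdefault(token, set()).add(path)
    return {token: sorted(paths) for token, paths in unexpected.items()}


# Constructed sample: rendered HTML as a crawler would fetch it.
SAMPLE_PAGES = {
    "/": """<html><head><title>Charters</title>
<meta name="google-site-verification" content="OWNER-TOKEN-PLACEHOLDER">
<meta name="Google-Site-Verification" content="UNKNOWN-TOKEN-A" />
<META NAME='google-site-verification' CONTENT='UNKNOWN-TOKEN-B'>
</head><body>...</body></html>""",
    "/about/": """<html><head>
<meta name="google-site-verification" content="OWNER-TOKEN-PLACEHOLDER">
<meta name="google-site-verification" content="UNKNOWN-TOKEN-A">
<meta name="description" content="google-site-verification">
</head><body></body></html>""",
}
APPROVED = {"OWNER-TOKEN-PLACEHOLDER"}  # assumption: the one tag the owner added

if __name__ == "__main__":
    for token, paths in audit_owner_tags(SAMPLE_PAGES, APPROVED).items():
        print(f"unapproved owner tag {token!r} served on {', '.join(paths)}")
```

Run it against the HTML the server actually returns rather than the theme files on disk, because a tag injected by a plugin or a modified core file only shows up in the rendered page.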

Jennifer updated the security patches for WordPress and all the plug-ins and implemented steps to make sure updates take place automatically in the future. We also set up two-factor authentication to access the site.

I always knew that it was important to keep patches up-to-date, but until now I did not know why an out-of-date site was so vulnerable. Jennifer explained that every time WordPress or any developer with an important WordPress plug-in becomes aware of a vulnerability, they usually document the vulnerability at the same time that they issue the security patch. (Here is a WordPress example and a Sucuri example.) Once that documentation goes public, hackers immediately scan WordPress sites to find exploits. Get there late and you get nailed. Sorry to say, that was Hairballcharters.com.

Avoiding situations like Hairball’s is a lot more simple than dealing with the aftermath of a hack. Here is Jennifer’s five-step program to good security on a WordPress site.

Step one: Stay up-to-date with WordPress core upgrades. This is beyond simple: Insert one line of code — define( 'WP_AUTO_UPDATE_CORE', 'minor' ); — in the wp-config.php file and your site will always auto update. (Here is the documentation.)

Step two: Keep your WordPress plug-ins up-to-date. The Jetpack plugin makes this straightforward; just use the Jetpack Manage option to select the plug-ins you want updated as soon as patches become available.

Step three: To make your site extra secure, consider the plug-in Sucuri Security: Auditing, Malware Scanner and Security Hardening, which allows you to do exactly what the name suggests. You can enable auditing to send immediate notifications if any files are modified, plug-ins are enabled/disabled and much more.

Step four: Install two-factor authentication for access to your WordPress site.

Step five: Claim your site in the Google Webmaster tool and check in from time to time to make sure your site has no content or sitemap errors — or stealthy invaders populating sketchy sitemaps.
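One way to carry out the sitemap part of step five, as an added Python example that is not part of the original article: compare each sitemap's URLs with the pages the site really has. The host www.example.com, the known-path list and both sitemaps are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def sitemap_locs(xml_text):
    """Return every <loc> URL in a sitemap <urlset> document."""
    # Sitemaps never need a DTD; refusing one avoids entity-expansion input.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DOCTYPE not allowed in a sitemap")
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter(SITEMAP_NS + "loc") if el.text]


def audit_sitemap(xml_text, site_host, known_paths):
    """Compare a sitemap with the set of paths the site is known to publish."""
    locs = sitemap_locs(xml_text)
    off_site, not_ours = [], []
    for loc in locs:
        parts = urlsplit(loc)
        if (parts.hostname or "").lower() != site_host.lower():
            off_site.append(loc)          # URL points at a different host
            continue
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        if path not in known_paths:
            not_ours.append(loc)          # our host, but not a page we publish
    oversized = len(locs) > len(known_paths)
    return {
        "total": len(locs),
        "off_site": off_site,
        "not_ours": not_ours,
        "oversized": oversized,
        "suspicious": bool(off_site or not_ours or oversized),
    }


def make_sitemap(urls):
    """Build a minimal sitemap document (used only for the constructed samples)."""
    items = "".join(f"<url><loc>{escape(u)}</loc></url>" for u in urls)
    return ('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
            f"{items}</urlset>")


# Constructed data. Assumption: KNOWN_PATHS is exported from the site's own
# list of published posts and pages.
SITE_HOST = "www.example.com"
KNOWN_PATHS = {"/", "/about/", "/rates/", "/2016/06/striped-bass/"}
LEGIT_SITEMAP = make_sitemap(
    [f"https://{SITE_HOST}{p}" for p in ("/", "/about/", "/rates/")])
INJECTED_SITEMAP = make_sitemap(
    [f"https://{SITE_HOST}/", f"https://{SITE_HOST}/rates/"]
    + [f"https://{SITE_HOST}/shop/item-{n}.html" for n in range(1001, 1006)]
    + ["https://store.example.net/cart"])

if __name__ == "__main__":
    for name, doc in (("legit", LEGIT_SITEMAP), ("injected", INJECTED_SITEMAP)):
        r = audit_sitemap(doc, SITE_HOST, KNOWN_PATHS)
        print(name, r["total"], "URLs,", len(r["not_ours"]), "unknown,",
              len(r["off_site"]), "off-site, suspicious =", r["suspicious"])
```

The size check is the one that would have caught the case in this story, where a site with 130 pages had 565,192 URLs submitted on its behalf.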

As for HairballCharters.com, the site is back in good order and Eric is happy that Google’s big red screen is now gone. If you happen to be out Cape Cod way this summer, he would love to take you fishing and trash-talk two of his favorite topics: my fishing and my security smarts.

Uber’s VP of product and growth has left the company

Ed Baker, Uber’s VP of product and growth, has resigned from Uber, Recode first reported. Uber declined to comment on the story but TechCrunch has confirmed that Baker has left the company, and that Daniel Graf, Uber’s head of marketplace, will be the interim head of product and marketplace.

“I have always wanted to apply my experience in technology and growth to the public sector,” Baker wrote in an email to employees, obtained by Recode. “And now seems like the right moment to get involved.”

That’s an interesting rationale given that the last couple of weeks have been something else for Uber, between allegations of sexual harassment, sexism, Amit Singhal resigning as SVP and reports of some sketchy software to sidestep law enforcement. Baker formerly worked at Facebook, where he was head of international growth.

Nokia 3310 With Month-Long Battery Life, Snake Game Launched at MWC 2017

The iconic Nokia 3310 feature phone made a comeback on Sunday on the sidelines of MWC 2017. HMD Global unveiled the Nokia 3310 (2017) with what it calls a “modern twist.” The Nokia 3310 is one of the Nokia brand’s best-selling feature phones of all time, and it has been priced at EUR 49 (roughly Rs. 3,500).

Nokia 3310 (2017) India sales will begin in Q2 2017, HMD Global has confirmed. At its Sunday launch event in Barcelona, on the sidelines of the MWC 2017 trade show, Nokia also revealed the new Nokia 3 and Nokia 5 Android smartphones.

The all-new Nokia 3310 will come with 22 hours of talk time, and the company claims that it features month-long standby time. With the iconic Nokia 3310, the company also brought back the Snake game. The Nokia 3310 will be available in Warm Red and Yellow with a gloss finish, while it will also come in Dark Blue and Grey with a matte finish.

The new Nokia 3310, much like its original sibling, features a massive standby time of up to a month, a highlight of the device. The new Nokia 3310 also includes the regular Micro-USB port and ditches the pin charger.

With the Nokia 3310 refresh, HMD Global is also bringing back the legendary Snake game. The company, however, touts that the new Snake game has been optimised for the new colour screen. The company also confirmed that the Snake game will be available to users via the Messenger app.

The Nokia 3310 sports a 2-megapixel rear camera with LED flash. It features a 2.4-inch QVGA display. The handset comes with 2G connectivity and runs on Nokia Series 30+ OS. It comes with 16MB storage and supports expandable storage via microSD card (up to 32GB). It packs a removable 1200mAh battery.

Nokia 3, Nokia 5 Android Phones Launched at MWC 2017: Price, India Launch, Specifications, and More

Nokia 3 and Nokia 5 Android phones were launched by Nokia brand partner HMD Global at the company’s Sunday launch event at MWC 2017 in Barcelona. Alongside the two new Nokia Android phones, the company also announced the global availability of the Nokia 6, which was launched in China last month. The company also unveiled the iconic Nokia 3310 (2017) feature phone at the same event.

The all-new Nokia 3 has been priced at EUR 139 (roughly Rs. 9,800) while the Nokia 5 has been priced at EUR 189 (roughly Rs. 13,500). The Nokia 6, on the other hand, will be available at EUR 229 (roughly Rs. 16,000). The company also announced an all-new Nokia 6 Arc Black variant which will sport high-class piano black colour. It has been priced EUR 299 (roughly Rs. 21,000).

HMD Global has confirmed that the Nokia 3 and Nokia 5 smartphones will be making their way to the Indian market as well by Q2 2017. The company confirmed that the Nokia 6 will be also heading to the Indian market at the same time. All new Nokia phones are also set to launch in APAC, Middle East, Africa and Europe in Q2 2017.

While the Nokia 3 runs Android 7.0 Nougat, the Nokia 5 smartphone runs Android 7.1.1 Nougat out-of-the-box. The company at the launch event stressed that all the new Nokia smartphones running Android will get regular updates. Much like other Nougat-powered smartphones, the Nokia 3 and Nokia 5 will come with unlimited cloud storage on the Google Photos app. Both will be available as single SIM and dual SIM variants, though availability could be different depending on the markets.

The Nokia 3 will sport a polycarbonate body, machined aluminium frame, and will come with Corning Gorilla Glass lamination on top. It will be available in Silver White, Matte Black, Tempered Blue, and Copper White colour variants. It sports a 5-inch HD (720×1280 pixels) IPS display. It is powered by a quad-core MediaTek MT6737 processor clocked at 1.3GHz coupled with 2GB of RAM. It comes with 16GB storage and supports expandable storage via microSD card (up to 128GB). The Nokia 3 sports 8-megapixel front and rear camera. Both the cameras come with autofocus. The company adds that the Nokia 3 sports display flash.

The Nokia 3 packs an integrated 2650mAh battery. It measures 143.4×71.4×8.4mm and supports 4G LTE. The Nokia 3 supports LTE Cat. 4 speeds with download speeds of up to 150Mbps and upload speeds of up to 50Mbps.

The Nokia 5, on the other hand, features a fingerprint sensor embedded on the home button. HMD Global touts its “seamless” metal body. Similar to the Nokia 3, the Nokia 5 will be available as both single SIM and dual-SIM variants, though availability will depend on the market. The Nokia 5 is also expected to receive regular updates from the company.

The Nokia 5 is powered by a Qualcomm Snapdragon 430 processor coupled with 2GB of RAM. The handset comes with 16GB inbuilt storage and supports expandable storage via microSD card (up to 128GB). The Nokia 5 features a 5.2-inch IPS LCD (720×1280 pixels) display and comes with a 2.5D Corning Gorilla Glass cover on top.

It sports a 13-megapixel rear camera with PDAF and dual tone flash. It also packs an 8-megapixel camera with autofocus and comes with an 84-degree field-of-view lens. The handset will be available in Tempered Blue, Silver, Matte Black, and Copper colours. It measures 149.7×72.5×8.05mm and supports LTE Cat. 4 download speeds. The handset is backed by a 3000mAh non-removable battery.

Android Wear 2.0 is leaving behind one of the most beloved smartwatches

The Sony Smartwatch 3 is one of the best Android Wear smartwatches around and beloved by many, but it won’t be updated to Android Wear 2.0.

Spotted by Xperia Blog, the product page for Smartwatch 3 now plainly states that the device will not receive the long-anticipated software refresh. Instead, it will remain on Android Wear 1.5 for the rest of time, unless its enterprising fans find a way to work around that limitation, of which there are many.

Loyal supporters of Sony’s forgotten watch even went as far as petitioning for the new software. Currently, just over 3,000 have signed, but alas, Sony seems to have already made up its mind.

The Sony Smartwatch 3 was one of the first Android Wear smartwatches on the market and it got a surprisingly large amount of things right. Its square design stood out from the rest. It has NFC, and sporty charm with its silicon bracelet, IP68 rating and built-in GPS, but blends right into just about every other scenario as well.

Its hardware button would have qualified it to work with Android Wear 2.0, too. But Sony’s decision likely has to do with its aging chipset, which lags behind the smooth experience put out by the Snapdragon Wear 2100 that we’ve found in a growing number of watches.

So, we’ll pour one out for the Sony Smartwatch 3. Its fate is similar to that of the Moto 360 and LG G Watch – they aren’t among the list of watches compatible with Android Wear 2.0.

These were the early pioneers that helped Android Wear get to where it is today, but I swear, there’s just no respect for the elders anymore.

This strange VR accessory claims to help fight anxiety and help you sleep better

There are a number of unique virtual reality accessories out there. Sure, there’s your standard ones like the Oculus Touch and Vive Tracker which have very obvious applications in VR. But then you have some more nebulous products like, for example, the Kortex.

The device popped up on IndieGoGo and claims to help fight anxiety, manage stress and help you sleep better after using it for 20 minutes during your next VR gameplay session.

The Kortex straps onto any VR headset including the HTC Vive and Oculus Rift, though it looks like the Samsung Gear VR is where it will find the most success thanks to its low-cost ticket to entry. Back the device while it’s still on IndieGoGo and you’ll receive a discounted price and a copy of the game Land’s End.

We’ll let you watch the video for more specifics, but the idea here is that the Kortex uses alternating current via an electrode strapped to your temple to stimulate the production of serotonin and reduce cortisol in the brain. Two 20-minute sessions a day and its creators, a medical technology company called Fisher Wallace Labs, say you’ll be sleeping better.

While we don’t put a ton of stock in faux-medical devices, there are some potentially exciting applications here – either to enhance your mood while you play games or to help you wind down and relax when you’re feeling a bit too stressed out. Less anxiety and a free copy of a game? Sign us up.

Sophos CEO sounds the alarm on enterprise ransomware attacks

Ransomware is increasingly becoming a problem for companies, and the CEO of a leading computer security company says he fears 2017 could see entire companies shut down until they pay up, or risk losing all their data.

Ransomware works by infiltrating a computer with malware and then encrypting all the files on the disk. The user is presented with a limited time offer: Lose all your data or send money with the promise your data will be unlocked. The fee typically varies from a few tens of dollars to hundreds of dollars and often has to be transmitted in Bitcoin.

The problem began on a fairly small scale, targeting individual users, but has been growing. Last year, a hospital in Los Angeles admitted to paying $17,000 to get its system unlocked, and a report in October said ransomware cases were on course to quadruple in 2016 over the previous year.

But Kris Hagerman, CEO of Sophos, fears this is only the tip of an iceberg.

“It’s not inconceivable you could see a bank get targeted and they could say I want $10 million overnight or I’ll delete your files,” he said in an interview at the RSA security conference in San Francisco.

Ransomware presents companies with an extra level of complexity: a ticking clock that provides only a limited amount of time to try to disable the attack and retrieve data or risk it all being lost.

“It can bring an organization to its knees,” he said. “There are plenty of organizations that are not up to date in their backups and have not taken the full comprehensive approach to security to be able to combat this thing.”

One of the things making matters worse is the proliferation of websites that offer attack tools to anyone with a credit card.

“Today, you can be a very successful cybercriminal and not know a single thing about computer code,” he said.

Some even offer a money-back guarantee, if would-be criminals are not completely satisfied with the results, said Hagerman.

Sophos sees a stunning 300,000 to 400,000 unique pieces of malware each day running through its systems, and each of those presents a potential problem for companies that don’t have the right defense.

And at the end of the day, it’s all about building a high enough wall that cybercriminals go elsewhere, said Hagerman.

“The way that you really fight cybercrime is you make it more expensive for them,” he said. “When it becomes hard and less profitable, they take their advanced skills and do something else.”

Hagerman said laws against cybercrime had a limited effect because of the problems with identification and pursuit, especially across borders.

“For [criminals], it’s an ROI as well,” said Hagerman. “If you make it harder, they’re going to find another target or find another line of work.”

A.I. faces hype, skepticism at RSA cybersecurity show

Vendors at this week’s RSA cybersecurity show in San Francisco are pushing artificial intelligence and machine learning as the new way to detect the latest threats, but RSA CTO Zulfikar Ramzan is giving visitors a reality check.

“I think it (the technology) moves the needle,” he said on Wednesday. “The real open question to me is how much has that needle actually moved in practice?”

It’s not as much as vendors claim, Ramzan warned, but for customers it won’t be easy cutting through the hype and marketing. The reality is that a lot of the technology now being pushed isn’t necessarily new.

In particular, he was talking about machine learning, a subfield in A.I. that’s become a popular marketing term in cybersecurity. In practice, it essentially involves building algorithms to spot bad computer behavior from good.

Michael Kan

RSA CTO Zulfikar Ramzan speaking at RSA 2017 in February.

However, Ramzan pointed out that machine learning in cybersecurity has been around for well over a decade. For instance, email spam filters, antivirus software and online fraud detection are all based on this technique of detecting the bad from good.

Certainly, machine learning has advanced over the years and it can be particularly useful at spotting certain attacks, like those that don’t use malware, he said. But the spotlight on A.I. technologies also has to do with marketing and building up hype.

“Now all of a sudden, we’re seeing this resurgence of people using ‘the how’ as a marketing push,” he said, after his speech.

The result has created a “lemons market,” where clients might have trouble distinguishing between useful security products. Not all are equal in effectiveness, Ramzan claimed. For example, some products may generate too many false positives or fail to detect the newest attacks from hackers.

“There’s no doubt you can catch some things that you couldn’t catch with these techniques,” he said. “But there’s a disparity between what a vendor will say and what it actually does.”

Nevertheless, A.I. technologies will still benefit the cybersecurity industry, especially in the area of data analysis, other vendors say.

“Right now, it’s an issue of volume. There’s just not enough people to do the work,” said Mike Buratowski, a senior vice president at Fidelis Cybersecurity. “That’s where an A.I. can come in. It can crunch so much data, and present it to somebody.”

One example of that is IBM’s latest offering. On Wednesday, the company announced that its Watson supercomputer can now help clients respond to security threats.

Within 15 minutes, Watson can come up with a security analysis to a reported cyber threat, when for a human it might have taken a week, IBM claimed.

Recorded Future is another security firm that’s been using machine learning to offer intelligence to analysts and companies about the latest cybercriminal activities. The company’s technology works by essentially scanning the internet, including black market forums, to pinpoint potential threats.

That might include a hacker trying to sell software exploits or stolen data, said Andrei Barysevich, director of advanced collection at the company.

“When you cover almost a million sources and you only have 8 hours a day, to find that needle in the hay stack, you have to have some help from artificial intelligence,” he said.

Michael Kan

The RSA 2017 show floor.

Customers attending this week’s RSA show may be overwhelmed with the marketing around machine learning, but it’ll only be a matter of time before the shoddier products are weeded out, Barysevich said.

“We have hundreds of vendors here, from all over the country. But among them, there are five or ten that have a superior product,” he said. “Eventually, the market will identify the best of the best.”

Apple joins Wireless Power Consortium, charging up iPhone 8 rumor

Apple has joined the consortium behind the Qi wireless charging system, supercharging rumors that owners of a future iPhone could live tangle-free.

Last week, a financial analyst claimed Apple will release three new iPhones with wireless charging capabilities this year, reviving an on-again, off-again rumor about the next-generation iPhone’s capabilities.

The appearance of Apple’s name on the membership list of the Wireless Power Consortium, Qi’s creator, over the last week adds credence to that rumor. Its name was not on the list cached by Google’s search engine last Tuesday.

“After several years of increasing rumor, Apple’s membership with the Wireless Power Consortium points strongly to the expectation that the next iPhone will include wireless charging technology,” said Vicky Yussuff, an analyst at market watcher IHS Technology.

Don’t expect too much, though: That’s pretty much what IHS analysts said about the last iPhone, too.

In fact, Apple’s membership of the WPC may have nothing to do with phones. The magnetic charging adapter supplied with the Apple Watch will charge Qi devices (although the Watch itself is programmed not to work with just any Qi charger, only those supplied or approved by Apple) so membership may just be a delayed recognition of that usage.

Nine in 10 consumers want wireless charging on their next phone, according to Yussuff. The technology is now so widely adopted that it’s no longer something Apple can ignore, she added.

IHS expects around 350 million wireless-chargeable devices to ship this year, in a market largely driven by Samsung Electronics, which has included the capability in its top-of-the-range phones since the launch of the Galaxy S6 in 2015. Samsung also sells wireless charging covers for the older S4 and S5.

In fact, Samsung included not one but two wireless charging systems in its S6 and S7 phones: Qi and the rival Powermat technology from the Power Matters Alliance.

The PMA has since merged with another wireless charging consortium, the Alliance for Wireless Power (A4WP), to form the AirFuel Alliance. That organization does not list Apple among its members, however.

Samsung has put off its next phone launch until late March, while Apple is not expected to announce new models until September.

Later this month, though, mobile phone manufacturers will gather in Barcelona for the Mobile World Congress. Yussuff expects the show will see at least one major phone maker unveil a new device with wireless charging.

The Core i5 Surface Pro 4 just got even cheaper at $950

The Surface Pro 4 was impressive when it rolled out in late 2015, and even today it’s still a solid choice as a grab-and-go PC—as long as the price is right. Right now is a good time to grab one, as Best Buy’s selling the silver Core i5 Surface Pro 4 with a 256GB solid-state drive for $950. Normally, it goes for $1,200 MSRP.

This particular model sits just one notch down from the top of the line, offering a 12.3-inch display with 2736-by-1824 resolution, dual-core Skylake Core i5 chip, 256GB SSD, and 8GB RAM. Best Buy does force you through the whole “we’ll show you the sale price in the cart” charade, but if you can stomach that annoyance this deal is well worth it. Microsoft also has this same Surface Pro 4 on sale, but not nearly for such a good price: At its store, you’ll spend $1,049.

Savvy readers will notice that Microsoft hasn’t updated its Surface Pro line since 2015. That means you’ll lose out on the modest performance gains that Kaby Lake—the current generation of Intel Core chips—offers over Skylake. However, anyone hoping to see a “Surface Pro 5” loaded with Kaby Lake may be waiting a few weeks if not longer. There are rumors floating around that we could see new devices roll out around the release of the Creators Update in the spring. That said, a fancy new Surface Pro would likely roll out with an equally new price.

For now, the still-premium Surface Pro 4 is well worth a look at Best Buy’s much more affordable price.
