Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers

In August of 2017 we first interacted with someone who had gotten a phishing email made to look like it was from Bluehost, and who, when they contacted the real Bluehost, was pitched a security service they didn’t need, since there wasn’t any issue with their website. More than a year later Bluehost and their security partner SiteLock continue to do that. The latest incident is absurd on its own, since they were trying to sell someone security services they largely couldn’t use: their website is hosted with Squarespace, so much of the SiteLock service wouldn’t even work and the rest wouldn’t be relevant in that situation.

Below is the phishing email. Interestingly, the domain used for the phishing link also belongs to a Bluehost customer (perhaps someone who fell for a previous phishing email).

Hello, [redacted]

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you’ve got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn’t being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven’t already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.3483e5ec0489e5c394b028ec4e81f3e1.[redacted]/account/6626/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Below is the email that SiteLock sent trying to sell this person the unneeded services after they had tried to get in touch with Bluehost. Bluehost apparently directs people over to SiteLock before even doing basic checking to ensure there is actually a situation that could use SiteLock’s input. The person who received this is not named Vish (or anything close to that), despite it being addressed to someone with that name.

You’ll notice they claim that the website has been infected, which was not the case and was not even what the phishing email claimed.

Hi Vish

Thanks for taking the time to speak with me today. Like I mentioned before, your website has been infected and we need to clean it as soon as possible before it’s suspended by the host. The reason your website was found with malware is that you currently have no security measures in place to stop malware from entering your site.

The simple solution to protect your website is adding a firewall as well as a smart scanner. The smart scanner removes malicious content from your source coding before it infects the website. Also, a firewall blocks any malicious traffic and hacking attempts from entering your website in the first place; it’s the single most important preventative measure you can have for your website. What I did was attach a couple of documents that fully go over the features of our upgraded scanner and firewall. You can also go to www.sitelock.com to get further details and services. If you have any questions or concerns my contact info is below.

So to break everything down price wise, it’s $30 dollars a month for our secure starter which includes a Professional firewall and Premium scanner. You will get a free cleaning for the website with this that will save you $300.

Best regards,

Secure Starter $30.00/Mo
Premium Scanner and Professional Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)

Secure Speed $50.00/Mo
Premium Scanner and Premium Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)

Secure Site $70.00/Mo with unlimited free manual cleans and vulnerability patching
Infinity Scanner and Premium Firewall
– Automated Malware Removal Tool (continual & non-stop scanning removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Unlimited access to our Cyber Engineers to manually adjust your website coding if malware removal tool does not clean the malware
– Multiple (19) Vulnerability Testing on the site

Bluehost’s Poorly Thought Out Attempt to Clean Up Hacked Websites

We have repeatedly brought up the web host Bluehost on this blog due to various security related issues involving them, including using phishing emails as a pretext to sell unnecessary security services and signs that a security issue on their end might be leading to websites being hacked. Recently we have started running into another issue while working on hack cleanups of websites hosted with them: Bluehost appears to be attempting to clean up hacks in a way that doesn’t seem well thought out and can leave websites with more problems beyond the ones caused by the hack.

What looks to be going on is that, to try to clean files containing malicious code, Bluehost is removing code from the files and making a copy of the previous version of each file under a different name. As an example of those names, in one recent instance the copy of a file named link-manager.php was named link-manager.php.suspected.1524640055 (the trailing number appears to be a Unix timestamp, which would put the copy at April 25, 2018). The new files have no permissions at all, so you can’t view their contents (or change the permissions to be able to do that). In many instances the original files have been totally emptied, even when they appear to have contained legitimate code in addition to the malicious code.

One problem that causes is that legitimate files used to generate the website are emptied, which causes the website to stop working. Due to the permissions on the copies it isn’t possible to see the previous contents of the files, so the non-malicious portion can’t be quickly restored without getting access to another copy of the file.

Where things get more problematic is that they are changing the permissions on some directories as well as files, which not only prevents seeing what is in the directory, but also introduces a complication that doesn’t occur with individual files: you can’t delete the directories through FTP or the file manager in Bluehost’s control panel.

Bluehost does have the capability to make the files and directories accessible again if you contact them.
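To make the effects of that cleanup easier to see, here is an added example (our own illustration for this page, not Bluehost’s tooling or anything from the original post) that walks a site directory, finds every `<name>.suspected.<number>` copy, decodes the trailing number as a Unix timestamp, and reports whether the copy has had its permissions stripped and whether the original next to it has been emptied. The sample tree it builds is constructed for the example; the file name link-manager.php.suspected.1524640055 is the one mentioned above, and reading the suffix as a timestamp is our assumption, not something Bluehost has documented.

```python
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Naming pattern described above: <original name>.suspected.<Unix timestamp>
SUSPECTED_RE = re.compile(r"^(?P<orig>.+)\.suspected\.(?P<ts>\d{9,10})$")


def triage_suspected(root):
    """Walk `root` and report every `<name>.suspected.<timestamp>` copy.

    For each copy, record when it was made (the suffix decoded as a Unix
    timestamp, our assumption), the permission bits on the copy, and whether
    the original file beside it is missing, emptied, or merely modified.
    Directories that cannot be listed (permissions stripped) are reported
    instead of aborting the walk.
    """
    findings = []
    unreadable_dirs = []

    def on_error(err):
        unreadable_dirs.append(err.filename)

    for dirpath, _, filenames in os.walk(root, onerror=on_error):
        for name in filenames:
            m = SUSPECTED_RE.match(name)
            if not m:
                continue
            copy_path = os.path.join(dirpath, name)
            orig_path = os.path.join(dirpath, m.group("orig"))
            copy_mode = stat.S_IMODE(os.lstat(copy_path).st_mode)
            when = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
            if not os.path.exists(orig_path):
                orig_state = "missing"
            elif os.path.getsize(orig_path) == 0:
                orig_state = "emptied"
            else:
                orig_state = "modified"
            findings.append({
                "copy": copy_path,
                "original": orig_path,
                "quarantined_at": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
                "copy_mode": copy_mode,  # 0 means mode 000: nobody can read it
                "original_state": orig_state,
            })
    return findings, unreadable_dirs


def build_sample_tree(root):
    """Constructed example of what the cleanup described above leaves behind
    (not a real capture): an emptied original next to its quarantined copy
    with mode 000, plus an untouched file for contrast."""
    site = os.path.join(root, "public_html")
    os.makedirs(site, exist_ok=True)
    with open(os.path.join(site, "link-manager.php"), "w") as f:
        f.write("")  # original emptied by the cleanup
    copy = os.path.join(site, "link-manager.php.suspected.1524640055")
    with open(copy, "w") as f:
        f.write("<?php /* placeholder for the previous contents */ ?>\n")
    os.chmod(copy, 0)  # no permission bits at all, as described above
    with open(os.path.join(site, "index.php"), "w") as f:
        f.write("<?php echo 'untouched'; ?>\n")
    return site


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        findings, unreadable = triage_suspected(build_sample_tree(tmp))
        for f in findings:
            print(f"{f['original']}: copy made {f['quarantined_at']}, "
                  f"copy mode {f['copy_mode']:03o}, original {f['original_state']}")
        for d in unreadable:
            print(f"cannot list directory (permissions stripped?): {d}")
```

Run against a downloaded copy of an account, the report gives you the list of files to request access to from the host, and the decoded timestamps line up the cleanup against the server logs and the last-modified dates of the files the cleanup did not touch.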

What is important to note is that in every instance we have run into so far there have been malicious files that were not dealt with by this cleanup, so the upside of them attempting to clean things up is limited, while it can come with a fairly significant downside. Another problem with this type of approach is that simply cleaning up hacked files doesn’t deal with the underlying cause that allowed the hacker to add or modify files in the first place, so the hacking can continue.

Just Because SiteLock Is Trying To Con You Doesn’t Mean Your Website Hasn’t Been Hacked

In interacting with people about hacked websites, one thing that comes up frequently is people conflating security companies trying to take advantage of them with a belief that their websites haven’t really been hacked. A lot of the blame for this resides with the security companies that are trying to take advantage of people (and appear to be very successful at it) and with others that help enable that, which includes their business partners and government entities that don’t take any action against them. But some of the blame has to be placed on customers of these services who seem to take a completely uncritical view of them, as, among other things, their funding of these companies allows the companies to expand and take advantage of more people.

As an example of that, we had someone contact us recently after they ran across a post we had written about how the web host Bluehost was continuing to try to sell SiteLock services based on claims made in phishing emails meant to look like they came from Bluehost support. The situation this person had was very different from that.

They had been contacted by a company informing them that their website was being used for phishing. Their web host, Bluehost, which is a SiteLock partner, had suspended their account for the same issue. They said they were “shocked” because they had SiteLock on the account and thought that with it the website couldn’t have been hacked.

As a company that works in this field we obviously have a very different view of things, but it is still hard to understand a view like that when you consider that SiteLock and every other similar company we have run across don’t provide evidence that their services are effective at protecting websites. To us that seems like a baseline requirement before purchasing any service like that, but clearly it isn’t.

The next part of the story is something we have heard plenty of times before, but it still doesn’t make much sense to us: they were then told they would need a higher level of SiteLock service to protect against the issue happening again. To us that raises some obvious questions, like why SiteLock would, by their own admission, be selling security services that don’t actually provide security. Another would be why, at that point, people still don’t expect some evidence to be presented as to the effectiveness of the services, considering SiteLock has just admitted that they are selling services that don’t actually work.

When we responded, explaining the lack of evidence that SiteLock’s services are effective (along with the plenty of evidence to the contrary that we have run across) and that SiteLock’s own marketing indicates they are not even attempting to provide real security, the person’s response was not concern about SiteLock’s practices, but that the whole situation seemed suspicious. We asked about the evidence presented that the website had been used for phishing, but the person seemed uninterested in actually checking things over. Based on past experience our guess is that the website actually was hacked in this case.

Dealing With a Possibly Hacked Website

While in this case we guess the website had actually been hacked, we have run into plenty of instances where SiteLock and their web hosting partners falsely claimed that websites had been hacked. So what we recommend you do in that situation is get a second opinion on their claim. We are always happy to provide that for free and would hope that other reputable security companies (to the extent that there are any) would do the same.

If the website is hacked, what you want done is a proper cleanup, which involves removing the hack, securing the website (which usually mainly involves getting the software up to date), and trying to determine how the website was hacked and fixing that. If a service doesn’t do those things (as is true of SiteLock’s main services) then you stand a decent chance of having continuing issues. After things have been cleaned, instead of paying for a security service that won’t protect your website, you should make sure to do the basics that keep a website secure from most issues.

Bluehost Still Trying To Sell Unneeded SiteLock Security Services Based on Phishing Emails

Back in August we discussed a situation where the web host Bluehost had tried to sell one of their customers a $1,200 a year SiteLock security service based on the customer having received a phishing email that was supposed to have come from Bluehost. It obviously didn’t paint too good a picture of Bluehost, as despite these phishing emails seeming to be rather common, they didn’t even do any basic checking of the situation claimed in the phishing email before trying to sell someone an expensive security service that didn’t even seem to have a connection to the issue mentioned in the email.

Fast forward to this month and it is still happening. We recently had someone contact us looking for advice after having gotten an email they thought was from Bluehost about malware on their website; when they contacted the real Bluehost, it was recommended that they spend $49 a month on a SiteLock service that was supposed to fix that. Before we even looked at the email that was supposed to have come from Bluehost, things seemed off, since the person who contacted us said the whole account had been disabled, but in our experience Bluehost only shuts off access to the websites, not other forms of access to the account. That seems like something a Bluehost employee should also have been aware of.

Looking at the email (shown below) we could see it was a phishing email, as one of the links in it pointed to the host my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru instead of my.bluehost.com. The leading “my.bluehost.com” labels are decoration; the registered domain that actually controls where that link goes is the rightmost part, tmweb.ru.

Your account has been temporarily deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.

Examples:

/domain/[redacted]/public_html/config.php.suspected
/home1/[redacted]/public_html/post.php.suspected

/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/session.php

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru/server/1012/reactivation.html

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
modified.
* Update all scripts, programs, plugins, and themes to the latest
version.
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Remove all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you are already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help

That all seems like a good reason not to use Bluehost. As for SiteLock, it isn’t like they are an innocent victim in this, as the majority owners of SiteLock also run the Endurance International Group (EIG), which is the parent company of Bluehost and numerous other web hosts. SiteLock also pays a majority of their inflated fees to the web hosts, which certainly could create an incentive to sell unneeded services.

This is also a good example of why anyone contacted by SiteLock or one of their web hosting partners about a supposed malware issue or other type of hack of their website should get a second opinion from another security company (something we provide for free, and we hope other companies would as well), since we were able to quickly identify what was going on, let this person know, and save them a lot of money.

SiteLock’s Poor Cleanup Leads to Website Being Down Long After It Should Have Been Back Up

We continue to be troubled by companies and other entities that get involved with the web security company SiteLock, as even a quick check would show how they are taking advantage of their customers. Unfortunately far too many web hosts, as well as WordPress, continue to do that. Is the money SiteLock is providing them really worth the damage they are helping to cause?

We recently ran into yet another example of the mess they cause, not just for those who unfortunately hire them, but for the public, as their actions in this situation would lead to a website remaining hacked (and causing more of the negative impact a hack causes) after it should have been fixed.

We were recently contacted by someone that said that multiple websites in an account they had with the web host Bluehost had been shut down due to malware and they were looking for some sort of help.

It wasn’t clear what kind of help they were looking for, as the message just said “Help!” after mentioning that the websites had been taken down. That isn’t much to go on, so we first asked them what evidence Bluehost had presented that the websites were hacked, seeing as we have seen some rather bad false positives coming from Bluehost in particular, and in general from SiteLock-partnered web hosts. That being said, these days the majority of websites we are contacted about in this type of situation are in fact hacked. Usually Bluehost and the other web hosting brands of the Endurance International Group (EIG) (which is run by the majority owners of SiteLock) will provide a list of impacted files, or some example files or URLs that have been impacted, along with the email informing the customer that their account has been disabled. For someone who knows what they are doing, that evidence is usually enough to determine whether the claim is legitimate.

The response we got didn’t answer our question. Instead the person who contacted us responded that they were having the websites transferred to another hosting provider because they felt the deal between Bluehost and SiteLock was a scam. We then explained that if the websites were hacked it would not be a good idea to do that, as it could make it harder to properly clean up the websites, since transferring them could cause both metadata on the files (most importantly the last modified dates) and the logging for the websites during the time of the hack to no longer be available. That information can sometimes be important to make sure all of the files have been cleaned and is very important to determine how the website was hacked, and therefore what needs to be done to fix it and make sure it doesn’t happen again.
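As an added example of how to keep that information from being lost (not from the original post, and written for this page rather than taken from any tool), the following records a manifest of every file’s size, last-modified time and SHA-256 hash before a site is moved, and then checks a copy against it. The sample site, its file names and its timestamps are constructed for the example; the copy functions compared are Python’s own shutil.copy2 (which preserves timestamps) and shutil.copy (which does not), standing in for a transfer that keeps file dates versus one that resets them.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def snapshot_manifest(root):
    """Record relative path, size, last-modified time and SHA-256 of every
    regular file under `root`, sorted by mtime so the most recently changed
    files (where a hack usually shows up first) come last.  Files that cannot
    be read, such as copies left with mode 000, are still listed with their
    metadata and a null hash."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            except PermissionError:
                digest = None
            entries.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime": st.st_mtime,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": digest,
            })
    entries.sort(key=lambda e: e["mtime"])
    return entries


def mtime_drift(root, manifest):
    """Return the relative paths under `root` whose last-modified time no
    longer matches the manifest taken before the files were moved."""
    drifted = []
    for e in manifest:
        st = os.lstat(os.path.join(root, e["path"]))
        if abs(st.st_mtime - e["mtime"]) > 1:
            drifted.append(e["path"])
    return drifted


def build_sample_site(root):
    """Constructed sample site (not real data): an old core file and a much
    newer file in an uploads directory, with mtimes set explicitly so the
    manifest has a timeline to preserve."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads, exist_ok=True)
    files = {
        os.path.join(root, "index.php"): ("<?php /* core */ ?>\n", 1514764800),            # 2018-01-01
        os.path.join(uploads, "unknown.php"): ("<?php /* added later */ ?>\n", 1524640055),  # 2018-04-25
    }
    for path, (content, mtime) in files.items():
        with open(path, "w") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_site(os.path.join(tmp, "src"))
        manifest = snapshot_manifest(src)
        print(json.dumps(manifest, indent=2))
        # A copy that keeps timestamps versus one that silently resets them.
        kept = shutil.copytree(src, os.path.join(tmp, "kept"), copy_function=shutil.copy2)
        lost = shutil.copytree(src, os.path.join(tmp, "lost"), copy_function=shutil.copy)
        print("drift after copy2:", mtime_drift(kept, manifest))
        print("drift after copy: ", mtime_drift(lost, manifest))
```

Take the manifest (and a copy of the raw access logs) from the original host before anything is moved; once the files have been re-uploaded with fresh timestamps, the manifest is the only record of which files changed when, and the hashes let you confirm that the copy is byte-for-byte what was on the compromised account.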

After notifying them of that, as well as mentioning that assuming this was a scam was not a good idea, since in the majority of this type of situation we have been seeing the websites were in fact hacked, they told us they thought the websites were hacked. So they were moving websites they thought were hacked to get around their web host having taken an action to protect the public (though possibly also to make people more likely to hire SiteLock).

What they also mentioned was that they had in fact tried to get the website cleaned before doing that. The problem is they hired SiteLock and, not surprisingly based on everything we have seen over multiple years, the website wasn’t actually cleaned up properly. Instead of SiteLock working to get things properly resolved after they failed the first time, they wanted more money, $200 a month, to manually clean out malware. The fact that SiteLock offers a service that will continually remove malware is on its own a good indication that they don’t properly clean up hacked websites, as when a cleanup is done properly the website shouldn’t need to be continually cleaned up.

After that we told them again that moving the websites was not a good idea and that it would likely take longer to get them back up by doing that, which they said was their main concern, than by getting them properly cleaned up. At that point they said they would take their chances.

Taking their chances on that turned out to be a bad bet. We usually are able to clean up hacked websites in a few hours, and while there is some variability in how long it then takes Bluehost and other EIG brands to restore access, it would usually be done within 24 hours (and possibly much sooner than that). When we went to take a look the next day to see what had happened so far, we found that the website was still being hosted by Bluehost and still not accessible. Another day later we took another look and the result was the same.

Properly Handling Such a Situation

As if another reminder were needed, this situation is a good example of why everyone should avoid SiteLock. At best you might get lucky and their poor cleanup doesn’t lead to your website being hacked again right away, but you are going to greatly overpay for what you are getting. On top of that, SiteLock often tries to lock people in to unneeded ongoing services that people have a variety of problems trying to cancel later on.

If you are contacted by a SiteLock-partnered web host with a claim that your website is infected with malware or is otherwise hacked, we would recommend that you first get a second opinion as to whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and/or SiteLock will provide, which usually is something that should have already been provided to you. We are always happy to provide that second opinion for free and would hope that others would as well.

If the website is hacked then what we would recommend, if you can afford it, is to hire someone who properly cleans up hacked websites to do that for you. A proper cleanup involves three basic components: removing anything added by the hacker, securing the website (which usually mainly involves getting the software up to date), and trying to determine how the website was hacked. In a lot of cases it actually costs less to hire us to properly clean up a website than it would to hire SiteLock for their improper hack cleanup.

We have repeatedly seen people try to instead clean things up themselves and cause themselves more problems, as they often don’t even know how or what to clean up (we recently have had a lot of people contact us who have incorrectly just deleted the example files their web host listed, though the listed files are only examples, not the full extent of the hack). That often leads to continuing problems, which are then exacerbated by them purchasing security products and services that claim they will protect websites from being hacked but don’t live up to that (which isn’t surprising, since we have yet to run across one that is promoted with evidence, much less evidence from independent testing, that it is effective). At that point they bring us in to clean things up, which, if they had just done in the first place, would have led to the issue being quickly resolved and them spending less money.

Is SiteLock Not Even Saying What Website They Are Claiming is Vulnerable?

A few days ago we discussed a Forbes article about a report from the web security company SiteLock that claims to provide a score of how likely a website is to be compromised, a score that seems to be based on nothing, as despite claiming a website had a “Medium” likelihood of being compromised, SiteLock couldn’t point to any way the website would be compromised other than ones not considered in their score. In that post we noted that we have previously had people come to us after SiteLock contacted them and claimed there was a vulnerability on their website, but wouldn’t give them any details of it. It looks like they can provide even less information than that, as the following portion of an email sent to someone who was formerly a customer of one of their web hosting partners shows:

It is baffling that telling the owner of a website which one of their websites is claimed to have a vulnerability, without providing any details whatsoever of the vulnerability, is going to somehow expose the vulnerability.

What is a bit odd about this message is that Bluehost’s name is incorrectly capitalized as “BlueHost”, with the “h” capitalized when it shouldn’t be. It seems like you should get your partner’s name right, especially when that partner is ultimately run by SiteLock’s owners. Without seeing the rest of the email we can’t tell if there is any indication that this is actually another phishing email being sent to Bluehost customers, like the one that came up last week when Bluehost was pushing someone to hire SiteLock to deal with a non-existent malware issue. Though that phishing email did at least mention a specific website.

One alternate explanation that isn’t too far out there, considering SiteLock’s track record and the fact that this person isn’t even with the web host anymore, is that there is no basis for the claim. By not mentioning a website they might hope to get more interest from webmasters than if they mentioned one and it wasn’t important.

False Claim From Bluehost Phishing Email Leads to Bluehost Trying to Sell Unneeded SiteLock Service

On a daily basis we are contacted by people looking for a second opinion after their web host and/or their web host’s security partner SiteLock claim that their website contains malware. While a lot of the time there really has been some hack of the website, though not necessarily one involving malware, there are many instances where the claim turns out to be false. There have been many different reasons for that; one of the latest seems like it might be the worst one yet, since the web hosting partner, Bluehost, tried to sell someone a $1,200 a year security service from SiteLock based on false information from a phishing email that didn’t even claim there was malware on the website.

What we were told at first about the situation didn’t make sense to us. The website’s owner said they were told by their web host Bluehost that their website was using excessive MySQL resources and that the cause was malware. MySQL is a database system, and malware and other hacks rarely involve interaction with a database, so we didn’t understand where the belief that malware would be the cause could have come from. Looking at the website made things seem odder. The one possibility we could think of is that if a hack added spam content to a website, it could cause increased traffic to the website that in turn could increase MySQL resource usage. Not only did we not see any indication of that type of issue, but the website was built with the Weebly website builder, which seems unlikely to be hacked in that way or to use much in the way of database resources.

After asking if Bluehost provided any more information that might make their conclusion that malware was the cause seem more reasonable, we were forwarded the following email that had started the situation:

Bluehost abuse12@bluehost.com via annika.timeweb.ru

11:16 PM (12 hours ago)

Dear Bluehost customer [redacted]:

It has come to our attention that your site is using an excessive amount of MySQL resources on your BlueHost.Com account. This is causing performance problems on your website as well as for other customers that are on this server. It can cause our servers to crash and cause additional downtime.

Our research shows that server performance degrades when the MySQL usage is over 1,000 tables and/or 3 GB on a single account or 1,000 tables and/or 2 GB on a single database. In order to ensure optimal performance for your account and the others in your shared hosting environment, we request that you reduce the MySQL usage on your account to under these limits in 14 days.

You must confirm the current copy of our Terms of Service here:
http://my.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]
How to fix:
http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]

Terms of Service Compliance Department
1958 South 950 East
Provo, UT 84606
Phone line: (888) 401-HOST Option 5 | Fax line: 801-765-1992

The very beginning of that caught our attention first, as it referenced “annika.timeweb.ru”, which is not where an email from Bluehost should be coming from. Gmail shows a “via” domain like that when the message was actually handed off by a mail server for a different domain than the one in the From address, so it is worth checking on any email claiming to come from your web host. A Google search on that domain showed that this email was part of an ongoing phishing campaign against Bluehost customers. Later in the email, the URLs being linked to are intended to look like Bluehost’s by starting with “my.bluehost.com” and “mysql.bluehost.com”, but the rest of the hostname is “687fe34a901a03abed262a62e22f90db.d0013151.atservers.net”, so the domain that actually controls where those links go is atservers.net. The server they are hosted on is in Belarus.
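As an added example of the link check described above (written for this page, not part of the original post or any Bluehost tooling), the following extracts the links from an email body and flags any whose hostname does not end in the expected domain, which is exactly the case a substring check misses. The sample body is constructed from the links quoted on this page (the atservers.net link is reduced to its hostname); the expected domain bluehost.com is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Plain http(s) links in an email body; stops at whitespace and quotes.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def naive_looks_like(host, expected_domain):
    """The check these phishing links are built to pass: substring match.
    Included only to show why it is the wrong check."""
    return expected_domain in host


def host_belongs_to(host, expected_domain):
    """True only if `host` is `expected_domain` itself or a subdomain of it.
    Anything after the expected domain in the name means a different owner:
    my.bluehost.com.<hash>.tmweb.ru is a subdomain of tmweb.ru, not bluehost.com."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_links(body, expected_domain):
    """Extract every http(s) URL from `body` and classify its hostname."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # trailing punctuation from surrounding prose
        host = urlparse(url).hostname or ""
        results.append({
            "url": url,
            "host": host,
            "naive_pass": naive_looks_like(host, expected_domain),
            "legitimate": host_belongs_to(host, expected_domain),
        })
    return results


def suspicious_links(body, expected_domain):
    """Only the links that do not actually belong to the expected domain."""
    return [r for r in check_links(body, expected_domain) if not r["legitimate"]]


# Constructed sample body assembled from the links quoted on this page.
SAMPLE_BODY = """\
To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru/server/1012/reactivation.html

Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

How to fix:
http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/
For support, go to http://my.bluehost.com/cgi/help
"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_BODY, "bluehost.com"):
        verdict = "ok" if r["legitimate"] else "PHISHING: controlled by another domain"
        print(f"{r['host']}: substring check says {r['naive_pass']}, real check says {verdict}")
```

Both phishing hosts contain the string “bluehost.com” and so pass the substring check, while both genuine links (my.bluehost.com) pass the anchored check; the difference is that only the rightmost labels of a hostname say who controls it. Registrars that sell second-level names (co.uk and the like) would need a public suffix list for a fully general version, but for checking links against a host you already know, anchoring at the end of the hostname is enough.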

Since this was a phishing email, there was nothing wrong with the website. That makes Bluehost’s claim that it was malware, and that the SiteLock service should be purchased, even odder. The Bluehost support person must not have checked to ensure that the issue the customer was contacted about actually existed, despite an ongoing phishing campaign making false claims along those lines. Even then, it doesn’t make sense to say this was malware based on the claimed MySQL resource usage issue. So what explains it?

Well, it might have something to do with the fact that Bluehost gets 55% of the revenue from sales of SiteLock services through their partnership, or that SiteLock’s owners also run the parent company of Bluehost, the Endurance International Group. Based on what we have heard in the past, it sounds like when support staff don’t know what is going on they may blame malware and point people to SiteLock.

In any case, it is a good reminder to make sure to get a second opinion when you are contacted by SiteLock or their web hosting partners so that you don’t end up spending over a thousand dollars a year on something you don’t need. If you were really hacked you also don’t need to spend anywhere near that amount of money to get the website properly cleaned up (SiteLock doesn’t even properly clean up websites for their high fees).

Mr.ToKeiChun69 Defacement Campaign Seems to Be Targeting Websites Hosted with Endurance International Group (EIG) Brands

Yesterday we were contacted by someone looking for a second opinion as to whether the web security company SiteLock’s claim that their website contained malware was true. The website’s owner believed that their web host BlueHost and SiteLock might be trying to scam them.

In the case of this website it wasn’t hard to determine that the website was hacked, as this is what was shown on the homepage:

That type of hack is referred to as a defacement hack.

The defacement may have been what SiteLock was referring to as malware, because, as we found while previously giving someone a second opinion, SiteLock for some reason labels evidence of a defacement hack as malware (that seems to be a general issue, as they also labeled a spam link that way).

After we let the website’s owner know that unfortunately the website was hacked, they responded that they felt it was an inside job. We didn’t believe that to be the case, but instead of just saying that was unlikely, we wanted to be able to provide more concrete evidence.

One way to do that would be to find some other websites hit with the same defacement that were not hosted with the same web hosting company or another one partnered with SiteLock. When we did a search on Google for “Mr.ToKeiChun69” the first result was a page on the web site Zone-H.org, which documents defacements of websites, listing defacements by Mr.ToKeiChun69.

In looking at some of the websites that had been defaced by Mr.ToKeiChun69 we found that they all were hosted by web hosting brands owned by the Endurance International Group (EIG). Their brands include BlueHost, as well as A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. SiteLock has a “security partnership” with EIG where SiteLock pays EIG a majority of the fees from services sold through the partnership. The majority owners of SiteLock also run EIG.

While that might lead some to see the worst case, that this was an inside job, for us it didn’t. But it did seem rather odd that all the websites would be at one web hosting company, and that was possibly an indication that the company has some security problem.

To better understand if there was really a correlation between the web hosting provider and these defacements we did a more thorough check of where the defaced websites were hosted. We checked the first ten websites listed on the 1st, 11th, 21st, 31st, and 41st page of results for this defacement on Zone-H.org. That checked websites that are dated on there as far back as June 29.

Below are the results. We have listed each domain name, the IP address it currently is hosted on, and finally the ISP listed for that IP address or the web host. The ISP Websitewelcome.com is connected to HostGator and Unified Layer is connected to BlueHost, though the websites might be hosted with other EIG brands.

Page 1

  • endblameshameguilt.com: 192.254.236.84 (Websitewelcome.com)
  • acimfordummies.org: 192.254.236.84 (Websitewelcome.com)
  • wakechild.com: 192.254.236.84 (Websitewelcome.com)
  • tena-frank.com: 192.254.236.78 (Websitewelcome.com)
  • acourseinmiraclesfordummies.com: 192.254.236.84 (Websitewelcome.com)
  • decodingacim.com: 192.254.236.84 (Websitewelcome.com)
  • endblameshameguiltgame.com: 192.254.236.84 (Websitewelcome.com)
  • toddtylermusic.com: 192.254.236.80 (Websitewelcome.com)
  • lachildrensridingcenter.com: 192.254.236.8 (Websitewelcome.com)
  • topsportscamcorders.com: 192.254.236.8 (Websitewelcome.com)

Page 11

  • iphonenstuff.com: 192.254.236.82 (Websitewelcome.com)
  • sneakerpicks.com: 192.254.236.82 (Websitewelcome.com)
  • dalmatianadvice.com: 192.254.236.82 (Websitewelcome.com)
  • subscribesave.com: 192.254.236.82 (Websitewelcome.com)
  • helpmebuilda.com: 192.254.236.82 (Websitewelcome.com)
  • bestboatplans.com: 192.254.236.82 (Websitewelcome.com)
  • spelbonusar.com: 192.254.236.82 (Websitewelcome.com)
  • gamingnshit.com: 192.254.236.82 (Websitewelcome.com)
  • marenart.com.au: 192.254.236.82 (Websitewelcome.com)
  • retailstartupbookinabox.com: 192.254.236.82 (Websitewelcome.com)

Page 21

  • www.blackandwhitesecurityltd.com: 192.254.232.90 (Websitewelcome.com)
  • dallasgayboys.com: 192.254.232.86 (Websitewelcome.com)
  • untieeecs.com: 192.254.232.86 (Websitewelcome.com)
  • jonathanjoyner.com: 192.254.232.86 (Websitewelcome.com)
  • www.smcntx.com: 192.254.232.86 (Websitewelcome.com)
  • www.culinairteamzeeland.nl: 192.254.232.90 (Websitewelcome.com)
  • strandvakantieman.nl: 192.254.232.90 (Websitewelcome.com)
  • napers.nl: 192.254.232.90 (Websitewelcome.com)
  • www.camping-renesse.nl: 192.254.232.90 (Websitewelcome.com)
  • www.campingdebrem.nl: 192.254.232.90 (Websitewelcome.com)

Page 31

  • 81tagorelane.com: 50.87.147.75 (Unified Layer)
  • skies39-newlaunch.com: 50.87.147.75 (Unified Layer)
  • newlaunch-gshplaza.com: 50.87.147.75 (Unified Layer)
  • 3dinvisibilitycloak.net: 192.232.251.55 (Websitewelcome.com)
  • professional-liability-insurance.net: 192.232.251.55 (Websitewelcome.com)
  • lyynx.net: 192.232.251.55 (Websitewelcome.com)
  • aksolution.net: 192.232.251.55 (Websitewelcome.com)
  • krilloils.org: 192.232.251.55 (Websitewelcome.com)
  • 3dinvisibility.org: 192.232.251.55 (Websitewelcome.com)
  • ellipticalmachineshelp.com: 192.232.251.55 (Websitewelcome.com)

Page 41

  • topwebber.com: 192.185.21.208 (Websitewelcome.com)
  • yoholly.info: 192.185.21.208 (Websitewelcome.com)
  • myironsuit.com: 192.185.21.208 (Websitewelcome.com)
  • laptoplifestylecafe.com: 192.185.21.208 (Websitewelcome.com)
  • bellyfatcombat.net: 192.185.21.208 (Websitewelcome.com)
  • herbzombie.com: 192.185.21.208 (Websitewelcome.com)
  • biggerbuttshortcuts.com: 192.185.21.208 (Websitewelcome.com)
  • blowtalk.com: 192.185.21.208 (Websitewelcome.com)
  • waisttraineraustraliaco.com: 66.198.240.58 (A2 Hosting)
  • besthairextensions.co.nz: 192.185.44.88 (Websitewelcome.com)

With 49 of the 50 websites currently being hosted with EIG, that would certainly seem to point to there being some correlation between the web host and the hackings. With something that has no connection to a particular web host, you would expect to see a fair number of different web hosts showing up across that many websites.

So what about the one website that isn’t currently hosted with EIG? It turns out it was hosted with them at the time it was defaced. The IP address of the website on June 29 according to Zone-H.org was 192.185.44.88, which is one connected to HostGator. The records for the domain name were changed on July 4, which is probably when the web hosting was changed.

We don’t know what the cause of this is. It could be that the person or persons behind the Mr.ToKeiChun69 defacements is only targeting EIG-hosted websites, has been unsuccessful in targeting websites at other web hosts, or is only notifying Zone-H.org of websites hosted with EIG. What would seem more likely is that they are taking advantage of some security issue in EIG’s systems.

To be clear we don’t think that this is an inside job.

We notified the person that contacted us about the correlation, which they hopefully will pass along to BlueHost.

SiteLock and Bluehost Falsely Claimed a Website Contained Malware Due to SiteLock’s Poor Scanner

When it comes to the web security company SiteLock, one of the frequent complaints is that they and their web hosting partners falsely claim that websites have malware on them. After that happens the web hosting company frequently suspends access to the website and pushes the customer to hire SiteLock to clean up nonexistent malware. We thought it would be useful to look at an example of this we were recently consulted on, as those dealing with the possibility of a false claim should know a number of things when dealing with it.

This situation involved the web host Bluehost. Bluehost is one of many brands the company Endurance International Group (EIG) does business under. Some other major ones are A Small Orange, FatCow, HostGator, iPage, IPOWER, and JustHost. The company’s web hosting brands are very open about having a partnership with SiteLock; what they have, at least in the past, refused to acknowledge publicly is that the partnership involves EIG getting 55 percent of the revenue for SiteLock services sold through that partnership (that information was disclosed to investors). That obviously raises some serious questions and it probably explains in large part a lot of the problems that arise from that partnership. What they also don’t disclose to their customers is that the majority owners of SiteLock are also a member of the board and the CEO of EIG, so they are well aware of SiteLock’s practices.

What we have repeatedly said is that if you get contacted by SiteLock or one of their web hosting partners claiming that the website is infected or otherwise hacked, you should not ignore it. While there are plenty of situations like the one discussed here where there is a false claim, the claim is also often true. For a hacked website, the longer you wait to properly clean it up, the bigger the problem can be. Instead we recommend that you first get any information that SiteLock and/or the web host will provide and then get a second opinion as to whether the website is hacked. We are always happy to provide that and we would hope that other security companies would as well (when someone contacts us about a hacked website we always make sure it is actually hacked before taking on a cleanup).

One of the reasons for getting a second opinion is that someone familiar with hacked websites should understand how to easily check the validity of the claims made, while someone not familiar with the situation might try doing checks that won’t necessarily be very useful. In this situation one of the things the website’s owner did was to download a copy of the website’s files and run them through a malware scanner. That is likely to fail to identify many files that contain malicious code, because a malware scanner for a computer isn’t designed to detect those files (our experience is that scanners designed to scan website files don’t produce great results either).

When we were provided the information that the website’s owner had received, the first element that caught our eye was this result of SiteLock’s malware scanner:

What was shown was rather odd as the malware scanner claimed to have detected a defacement hack (labeled as “SiteLock-PHP-HACKEDBY-klw”), which isn’t malware. So at best the scanner was incorrectly labeling a hacked website as containing malware, when it had a different issue.

More problematic is that it looks like they might be flagging websites as being defaced just because they contain text that says “hacked by” something. That could produce some rather bad false positives, since this post itself could be claimed to contain malware simply by using that phrase. They also mark that detection as having a severity of “Urgent”, despite that.

So was the website defaced as that scan seemed to indicate? The website had been taken down by the time we were contacted, which wouldn’t need to be done just because there was a defacement, and which makes it harder for someone else to check over things (whether intentional or not, it seems like something that makes it easier to push someone to hire SiteLock to resolve the issue). Looking at the Google cache of the website’s homepage, though, we were able to see what happened.

The website’s page contains a section that shows RSS feed items from other websites. One of those websites had been impacted by a vulnerability in outdated versions of WordPress that allowed defacing posts, and the results of that defacement were showing on this website:

That “hacked by” text showing there didn’t mean this website was infected with malware or otherwise hacked, and the website didn’t pose any threat. That is something that anyone from Bluehost or SiteLock familiar with hacked websites should have spotted by looking over the website for a few seconds, but clearly that didn’t happen, even when they suspended access to the website. Both of them have an incentive not to check whether the website is really hacked, since they have a monetary interest in selling security services in this situation even though they are not needed. As we mentioned recently, it appears that when you are in contact with SiteLock you are dealing with a commissioned sales person, not a technical person, so they might not even understand what is actually going on either (one situation we looked at recently would strongly seem to indicate that as a possibility).

Looking at the files that Bluehost had listed as being infected, they were just cached copies of the content from the website that had the RSS feed section in them. So there wasn’t any malware in them.

It also seems that no one from Bluehost or SiteLock bothered to contact the other website to let them know that their website was actually hacked, seeing as it was quickly fixed after we notified them of the issue they had.

At this point the website’s owner is planning to move to a new web host, which doesn’t seem like a bad idea (we think that people should avoid web hosts that have partnered with SiteLock even if they have yet to run into this type of situation).

Bluehost Had a Different Response to a Hacked Website When the Press Questioned Their Pushing SiteLock

When it comes to SiteLock and their taking advantage of people, a critical component of that successfully happening is their partnerships with various web hosting providers. These partnerships do not seem to be based on the web hosting companies thinking that SiteLock is a really great company to help out people with security issues (from everything we have seen over several years they don’t even understand the basics of what they are supposed to be doing); instead the web host is getting a significant amount of money when SiteLock sells services through their partnership. In the case of the parent company of Bluehost, the Endurance International Group, they disclosed to investors that they receive 55% of the revenue (they seem unwilling to disclose that to the broader public, as one of the company’s other web hosting brands won’t even acknowledge that they are getting paid at all). In the case of Bluehost and the other web hosting brands owned by the Endurance International Group there is another likely reason for the partnership: the majority owners of SiteLock are also the CEO and a board member of the Endurance International Group.

In theory this would likely lead to a bad situation for customers: the web hosts have an incentive to treat a security issue in the way that makes them the most money, and SiteLock would necessarily be overcharging people, since over half the fee for the service doesn’t go to them. In the real world things look a lot like that. Take for instance what is described in an article from NBC’s San Francisco Bay Area station when their problem solvers looked into Bluehost’s handling of a hacked website:

But recently, Rose’s website was taken down. A message on the site read “temporarily unavailable.” She didn’t know how or why it happened, but she did know it would hurt business.

“It means we don’t get sales, so I don’t make money,” Rose said.

Scrambling to get her site back up, Rose called Bluehost, her hosting site, and was connected to SiteLock, a website security company.

Rose said SiteLock referenced an email it had sent her – that it detected malware on her site. Rose recalled the email, but had dismissed it as spam. After all, she didn’t do business with SiteLock; she’d never even heard of the company.

Still, Rose said SiteLock told her she had to pay upwards of $120 a month to fix the malware and get her site up and running again.

Over a year that $120 a month plan would work out to $1440, which is much more than you would normally pay to have a website cleaned and purchase a security service (the $648 that SiteLock would get would be more in the realm of reasonable).

When Bluehost was contacted by NBC, they had a very different response:

Bluehost explained that SiteLock is a security partner, and it did in fact find malware on Rose’s site. So it took down the site so the malware wouldn’t spread to other websites hosted by Bluehost.

Bluehost acknowledged that the SiteLock email could be perceived as spam, so it’s working to evolve its email communications.

And eager to help out Rose, Bluehost jumped in and fixed her site for free. Boo Boo’s Best is back in business.

That’s right, Bluehost has the capability to clean up hacked websites themselves and it didn’t cost the customer anything. It’s telling how different the response from Bluehost was once some light was shined on what they are doing. We have to wonder if they were concerned that if they didn’t get this cleared up quickly, more digging might have been done and the reality of their partnership might get more exposure.

The takeaway seems to be that if you run into this situation you should make a public scene about it, or better yet, before that can ever happen, move to a web host that isn’t partnered with SiteLock so you don’t risk running into this (properly securing your website would also limit the chance of this, but not entirely, as SiteLock is known to sometimes falsely claim websites have been hacked).