Sometimes bad things happen to good people. This was the case last Christmas for a friend of mine, Jean-François Asselin of Atelier Boisteck, a company he founded that specializes in custom woodwork and cabinetry for individuals. We had the pleasure of meeting J-F a few years ago when we were renovating our house, and he does a tremendous job at creating timeless masterpieces that transform rooms into works of art.
I had the pleasure of meeting with him again last week to discuss some new work for our house. After we caught up and he’d taken all the necessary measurements to start sketching out the project, he was on his way out when he mentioned that something terrible happened to him last Christmas. His main Gmail account atelierboisteck [at] gmail.com was hacked, likely through a phishing attack, and they had not only changed the password, but also taken over his website, www.atelierboisteck.com, which included a gallery of some of his work, a history of his company, and a contact page.
So, What is a Phishing Attack?
A phishing attack is when you receive a link to a page designed to look like the login page of a site you’re used to using. For example:
- If you receive an email that looks like it’s from your bank, maybe saying you received money or your password needs to be changed, followed by a link
- An email that looks like it’s from Facebook with a link to login
- An email that looks like it’s from UPS or FedEx or any number of postal services telling you that you have a package waiting
In all these cases, even a seasoned online entrepreneur can fall for the tricks, especially if they’re services they use on a daily basis. Companies like Google, Firefox, and Microsoft have worked hard protecting their users as they browse the web by keeping an updated list of phishing websites and showing a large warning message such as this:
However, it is based largely on domain names and IP addresses, which can easily be changed. Once that happens, it takes time before the next one makes it onto the list, which opens up the possibility of many people falling for it.
How Do I Identify a Phishing Attack?
Here’s a sample email that looks pretty harmless:
While the email looks like it came from American Express, once you hover your mouse over the link that says Check Balance or American Express, you’ll see in the status bar of your browser that it’s not at all the location you would be headed once you click the link. If these two URLs don’t match, or if the destination page URL doesn’t match the content of the page, you’re headed for trouble.
The next page pretends to look like you’re logged out of the service you’re trying to access. By entering your information on that page, you’ve just given away your information to a third party that can now access your accounts.
Another sample page that does just that:
For most businesses online, security is not a priority because, in their eyes, they’re seemingly not a target; they’re simply trying to have an online presence to ensure they can be found on major search engines and “get with the times”.
Google, as well as many other large companies, has attempted to address this problem by adding 2-step verification to protect your account.
What is 2-Step Verification?
I’m glad you asked. You may have noticed some companies ask you to enter your mobile phone number in case you lose the password to your account and to add extra security. This actually ensures that whenever a new computer is logging into your account, even with the correct password, a verification code (usually 6-8 digits) will be sent to your phone by text message which you’ll use as a 2nd step to confirm you are really you. If you think about it, what are the chances of a hacker in India getting your password and also stealing your phone when you’re sitting at a bar with friends in America? … Pretty low. This code usually expires after a short amount of time so it can’t be reused in the future. If you don’t have this turned on, you need to check it out. The extra few seconds (which I admit, are a pain in the ass at times, especially when you’re out of the country), can mean the difference between keeping and losing your accounts.
I say accounts because, let’s face it, deep down you know that:
- You re-use the same password for many different services.
- Most (or all) of those services have your email account associated with them at signup.
- You have emails from those services in your inbox dating back to the day you opened your email account, which identify what those services are.
- Most of those services, which might require confirming your email address, can be found by simply searching your mail account for “confirm your email”.
Once an attacker has gained access to your email, they can control almost everything you have access to. All they need to do is hit “Forgot Password” on most websites, and those websites will send a password reset email to the email address they have access to.
So, Back to the Story at Hand
J-F’s email got hacked into. Once the attackers got in, they changed his password and they turned on 2-step verification, but they entered their own cell phone number instead. This effectively locked J-F out from doing a simple password recovery and put him into a tedious process of proving to Google that the account belonged to him. Google claims this process can take three to five business days, but even after entering all the correct information (or whatever he could remember in 2015 about things he put into his account in 2009), they got back to him and told him he hadn’t done enough to prove it was him. As of the date of this article, J-F still doesn’t have access to his email, his list of contacts, or any history of communication with his clients, friends, and family.
For some companies, getting infiltrated could mean shutting down your entire business. Code Spaces, for example, was put out of business by hackers who accessed their system and deleted both their website and their backups.
J-F’s story didn’t end there. They managed to get access to the registrar for his domain name and redirected www.atelierboisteck.com to a different service, shutting down his website and wiping out his access, even to this day. They then sent out an email to all of J-F’s contacts pretending to be J-F, asking friends and clients for help (read: money).
In English this translates to:
How are you? Not me, I’m in trouble !! Tell me, where are you now? I hope I’m not disturbing you? I need your help, Contact me by e-mail (I’m unreachable via phone) since I am out of the country. Above all, I hope that this is kept with complete discretion. I’ll explain!
Thank you for your answer
He told me the story and had just left my house when I decided to see what I could do to help.
The first thing I did was go directly to www.atelierboisteck.com.
As you can see from the website, there isn’t much going on there:
The attacker changed the hosting account and now has it simply showing sponsored Cost-Per-Click (CPC) ads to make money off of the few people trying to access his website.
The first thing to look for is if (by chance) the hacker is an idiot and left trails. Perhaps they backed up your website folder and saved it in the accessible web folder, so I first tried to access:
… and other combinations that the average person would name an archive of files. This is pretty much a shot in the dark, but it also gives an indication of some other things going on. In most of those cases, you only see a blank page and not the standard “404 Not Found” error page when trying to access something that doesn’t exist. This is hint #1.
The next step is to look at http://www.atelierboisteck.com/robots.txt. If the hacker is using some sort of rootkit or standard open source software, or if he’s simply trying to hide some information from being searchable on major search engines, they would most likely have it in this file:
Attempting to access those files opens up hint #2. For example, http://www.atelierboisteck.com/fcmedianet.js finally shows us the 404 page we were looking for:
But don’t miss the important detail: The URL says fcmedianet.js and the 404 page says fcmedianet.php. This is an indication that the attacker is probably using an htaccess RewriteRule to redirect all requests of type .js to a php handler, rather than just serve out the content. In English: they are probably redirecting any request coming in that doesn’t match a specific path or file type to go to the same file. Try it yourself:
The results are always the same: The URL stays the same, but we see the same page with CPC ads. While this didn’t yield anything super useful, it did identify that the URL was simply pointed to a domain parking service to monetize the site, which means the original site might still exist somewhere on the internet.
How Do We Find It?
When your website switches hosting providers, the IP address also changes (in most cases). It’s not as simple as transferring your cell phone number over to a new carrier. So we need to find out the original IP address of www.atelierboisteck.com. Most services will charge you, but here’s a good free one that I used in this case: http://viewdns.info/iphistory/.
It was able to happily provide me with the IP history it had gathered over time:
Since I received his email on December 23rd, 2014, I knew the latest IP address for 2015-03-23 was the one the hackers were pointing to, so I had to look for ones earlier on. Since he’s based in Montreal, I decided to go with the one at the bottom of the list 18.104.22.168. Attempting to access it at http://22.214.171.124 shows his old hosting provider’s login page:
This was still not what I wanted. While he could potentially use this to login and access his files, chances are that the person who designed his website in 2009 had that information and that information was lost in the email account he didn’t have access to. I knew that if his files were still there, the webhost would be expecting the connection to identify itself as www.atelierboisteck.com, otherwise if there were multiple websites hosted on the same IP address (which is very common nowadays), it wouldn’t know what to display. Think of it as a 1-800 number that has thousands of extensions. You want to contact John, but you don’t know the extension, and there’s no directory that can show you which extension number is John’s.
Here’s a simple trick to make your computer think a website is pointed somewhere else.
In Windows, run Notepad (Start -> Run -> notepad.exe), then open C:\Windows\System32\drivers\etc\hosts in Notepad.
You may have to type it in manually in case your system folder is hidden, and the path name may differ depending on your Windows installation.
On a Mac, you can follow these great instructions: http://www.tekrevue.com/tip/edit-hosts-file-mac-os-x/
I added a row at the bottom of the file and saved it:
This overwrote the IP address that my computer thought it needed to connect to in order to access www.atelierboisteck.com. Now my computer is connecting to the old hosting provider and…
Bingo! We have access to the old website, which is still intact!
A simple search for a Website Downloader for Mac yielded a program called SiteSucker which allowed me to type in the website and download all the accessible content. It crawls through all the pages and media, and since it’s doing it from my computer, it’s accessing the new IP address I specified in my hosts file. After about five seconds, I had the entire website downloaded and was able to email it over to J-F.
While we’re still waiting for Google to restore his account, it should be noted that J-F is not alone in this mess. Large businesses are not the only targets. Medium-sized businesses and individuals accounts are the main targets, due to their lack of security.
You can help educate your friends and loved ones by sharing this article and warning them of these dangers online so they can become prepared, instead of becoming the next unfortunate story.