eCommerce Store Hacked???

Trevor Kuntz

EDIT: Apologies for the alarmist thread title; I initially thought that my site was hacked, but it does not actually appear to be compromised.

TL;DR Problem: Someone has created 1300 customer accounts on my store using Russian email addresses, and the automated customer registration thank-you emails being sent to those Russian email addresses contain a spam/virus link. This spam-link automated email is only being sent to the customer accounts made with Russian emails and is not being sent to my real customers (at least, as far as I know).

Reward: $305 rep (100% of my rep) to anyone who can educate me on what might be happening and how to get rid of whoever is making the Russian-email customer accounts.


Ten minutes ago, I received a strange email in Russian from someone responding to an automated "Thank you for registering at [WebstoreName]" email that is sent out when anyone registers on my BigCommerce store.

I copy/pasted the Russian email text into Google Translate and the person had replied, "Look for fools elsewhere. And the money stolen from people will not bring you good" (This is Google Translate, so might be kind of rough)

I scrolled down to see the original email that he was replying to (the automated one sent from my site upon registration) and it read in Russian (Google Translated below):

Thanks for registering at [Webstore Name]!

Hi Hello! We have been waiting for you for a long time! We invite you to take a survey and get paid! ONLY TODAY by the link (spam/possible virus link here)

Thank you,


After reading this, I logged into the store and found almost 1300 customer accounts have been created since January 13, all with Russian names and email addresses with the last account created 20 minutes ago. It is totally possible for someone to do this without having access to the admin (just by entering email addresses and passwords, there are no order attempts from any of the Russian accounts), but I cannot figure out how they could be sending automated emails to customer accounts. I have checked the store logs and the only admin logins all match my IP addresses.

I also just checked my HTML email templates in the back end and none have been updated since December 28, 2017.

The site is secured by dedicated SSL but beyond this, I have little experience in store security. 100% of my rep points to anyone who can point me in a direction that will correct this issue.

Thanks!
 
Trevor Kuntz

UPDATE

I just created a customer account on the store to see what automated email I would get and the email I received is the correct email as designed by me and there is no spam link in the email.

So someone is creating customer accounts on the front page of my store (nothing indicates to me that anyone has gotten access to the admin/backend) using Russian email addresses but only those Russian-email customer accounts are getting the automated email with the spam link in it.
 

Almantas



On a serious note: I hope you sort this out soon!
 

theag

Probably some malware on your site. I had some in my store about a year ago too and since then tightened security.

I used Website Security - Antivirus and Firewall | Sucuri Platform (business package) to scan for and remove it (they can remove it for you if you can't yourself) and now use their tools (mainly server side monitoring) to watch out for new shit.

Depending on your software/hosting a WAF might be needed, and tightening up security in your general codebase, especially if you use custom stuff.

I only use Sucuri for monitoring because I have WAF etc set up through managed AWS and tightened up the code myself.

The best security for your backend is to restrict access to a single static IP address (VPN) and only log in using that.
 
Trevor Kuntz
Thanks, @theag for the insight based on your experience. $305 +rep for your help.

I will get in touch with Sucuri today and get this issue resolved. Were you able to determine how the malware got on your site?

I currently log in to the site using only three devices: my home computer, my office computer, and my iPhone. I’ll not use my iPhone from now on, but should I get a portable computer and only use that to log in on the two separate wi-fi networks, or does it make any difference?


Sent from my iPhone using Tapatalk
 

Castillo

Thanks, @theag for the insight based on your experience. $305 +rep for your help.

I will get in touch with Sucuri today and get this issue resolved. Were you able to determine how the malware got on your site?

I currently log in to the site using only three devices: my home computer, my office computer, and my iPhone. I’ll not use my iPhone from now on, but should I get a portable computer and only use that to log in on the two separate wi-fi networks, or does it make any difference?


Sent from my iPhone using Tapatalk
If you know what a VPN is, get that set up. At home you need to ask your ISP if you have a static IP address. If you don't, ask them if you can get one. Then you will need to set up a VPN tunnel to your house so it doesn't matter what device you use, you'll be able to access it via VPN. And then you will have to restrict your website's admin panel to only be accessible by that single static IP.
 

PedroG

It doesn't sound to me like your site is compromised.

You can send an email from any address you want. The way email (SMTP) servers work is you can provide the FROM address that you want for the email you are sending.

Email clients like Gmail obviously don't allow you to pick your own FROM address but a person can install their own SMTP server and send from any address that they want. They, of course, won't be able to receive any replies, but they can send them.

I'm not sure why they also felt the need to create those accounts on your site. Actually, I can think of a reason...

If they had just sent the emails using their own SMTP server like I mentioned before, it's possible email clients were going to flag those emails as spam.

Maybe they are trying to get around that somehow by having a legitimate email sent from your site first, before sending their spam email from the same FROM address.

Maybe they figure a client like Gmail would lump those two emails together in a conversation.

No idea if this actually works or not, but my guess is that they are trying to get around the spam filters by having a legitimate email sent from your site first.

So I don't think you have anything to worry about as far as your store being hacked.
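PedroG's point is that the visible From line is just text the sender writes; what a receiving mail server actually trusts are the envelope sender and its own SPF/DKIM results, recorded in the Authentication-Results header. As an added illustration (not code from this thread), this Python function reads those headers and lists the reasons a From address should not be trusted; both messages and the receiving server name mx.example.net are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line names the store owner's Gmail address,
# but the envelope sender and the receiving server's checks say otherwise.
SPOOFED_RAW = """\
Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.invalid; dkim=none
From: departmentnine@gmail.com
To: user@example.org
Subject: Thanks for registering

We invite you to take a survey and get paid! ONLY TODAY by the link
"""

# Constructed sample: the same From line, but actually sent through Gmail,
# so SPF and DKIM both pass for gmail.com.
LEGIT_RAW = """\
Return-Path: <departmentnine@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
From: departmentnine@gmail.com
To: customer@example.org
Subject: Thanks for registering

Thank you for registering!
"""

def _domain(addr):
    """Lowercased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Reasons the header From of a raw message should not be trusted
    (an empty list means nothing looked suspicious)."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    reasons = []
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\bspf=(fail|softfail|none)\b", auth):
        reasons.append("SPF did not pass for the envelope sender")
    dkim = re.search(r"\bdkim=pass\b.*?header\.d=([\w.-]+)", auth)
    if not dkim or dkim.group(1).lower() != from_dom:
        reasons.append(f"no DKIM signature validated for {from_dom}")
    return reasons
```

Run `spoof_indicators(SPOOFED_RAW)` to see all three findings; the legitimate sample yields none.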
 
Trevor Kuntz
I will research how to set up the VPN and get that done this week. Thanks for the info.

I will add the base package of Sucuri just for added security. I have never had any security issues in six years of running the site, but now that I’m actually trying to scale the store, I need to take security more seriously.

Peter, I think you are correct. I have limited knowledge of email servers, but this is the same conclusion that I came to last night after realizing that there was nothing to indicate a compromise. It’s possible that they are exploiting something in BigCommerce’s own servers, so I will reach out to BigCommerce today.

The emails being sent are being spoofed from my email (departmentnine@gmail.com). I know it’s not a crisis but I don’t want that email getting flagged or associated with spam.

Here is the email as I found it last night:


I think that confirms your thinking. I’ll be sending you both rep in the future for your help.


Sent from my iPhone using Tapatalk
 