The Entrepreneur Forum | Financial Freedom | Starting a Business | Motivation | Money | Success


eCommerce Store Hacked???

Trevor Kuntz

Professional Dog Owner
FASTLANE INSIDER
Read Fastlane!
Speedway Pass
User Power
Value/Post Ratio
274%
Feb 5, 2012
655
1,794
Arizona
EDIT: Apologies for alarmist thread title; initially thought that my site was hacked but it does not actually appear to be compromised.

TL;DR Problem: Someone has created 1300 customer accounts on my store using Russian email addresses, and the automated customer registration thank-you emails being sent to those Russian email addresses contain a spam/virus link. This spam-link automated email is only being sent to the customer accounts made with Russian emails and is not being sent to my real customers (at least, as far as I know).

Reward: $305 rep (100% of my rep) to anyone who can educate me on what might be happening and how to get rid of whoever is making the Russian-email customer accounts.


Ten minutes ago, I received a strange email in Russian from someone responding to an automated "Thank you for registering at [WebstoreName]" email that is sent out when anyone registers on my BigCommerce store.

I copy/pasted the Russian email text into Google Translate and the person had replied, "Look for fools elsewhere. And the money stolen from people will not bring you good." (This is Google Translate, so it might be kind of rough.)

I scrolled down to see the original email that he was replying to (the automated one sent from my site upon registration) and it read in Russian (Google Translated below):

Thanks for registering at [Webstore Name]!

Hi Hello! We have been waiting for you for a long time! We invite you to take a survey and get paid! ONLY TODAY by the link (spam/possible virus link here)

Thank you,


After reading this, I logged into the store and found almost 1300 customer accounts have been created since January 13, all with Russian names and email addresses with the last account created 20 minutes ago. It is totally possible for someone to do this without having access to the admin (just by entering email addresses and passwords, there are no order attempts from any of the Russian accounts), but I cannot figure out how they could be sending automated emails to customer accounts. I have checked the store logs and the only admin logins all match my IP addresses.

I also just checked my HTML email templates in the back end and none have been updated since December 28, 2017.

The site is secured by dedicated SSL but beyond this, I have little experience in store security. 100% of my rep points to anyone who can point me in a direction that will correct this issue.

Thanks!
 

Trevor Kuntz

Professional Dog Owner
FASTLANE INSIDER
Read Fastlane!
Speedway Pass
User Power
Value/Post Ratio
274%
Feb 5, 2012
655
1,794
Arizona
UPDATE

I just created a customer account on the store to see what automated email I would get and the email I received is the correct email as designed by me and there is no spam link in the email.

So someone is creating customer accounts on the front page of my store (nothing indicates to me that anyone has gotten access to the admin/backend) using Russian email addresses but only those Russian-email customer accounts are getting the automated email with the spam link in it.
 

Almantas

Nothing to Lose
Read Fastlane!
Read Unscripted!
Speedway Pass
User Power
Value/Post Ratio
475%
Dec 21, 2015
887
4,210
32
Ireland
[image]


On a serious note: I hope you sort this out soon!
 

theag

Legendary Contributor
FASTLANE INSIDER
EPIC CONTRIBUTOR
Read Fastlane!
Read Unscripted!
Speedway Pass
User Power
Value/Post Ratio
297%
Jan 19, 2012
3,903
11,580
Probably some malware on your site. I had some in my store about a year ago too and since then tightened security.

I used Website Security - Antivirus and Firewall | Sucuri Platform (business package) to scan for and remove it (they can remove it for you if you can't yourself) and now use their tools (mainly server-side monitoring) to watch out for new shit.

Depending on your software/hosting a WAF might be needed, and tightening up security in your general codebase, especially if you use custom stuff.

I only use Sucuri for monitoring because I have WAF etc. set up through managed AWS and tightened up the code myself.

The best security for your backend is to restrict access to a single static IP address (VPN) and only log in using that.
 

Trevor Kuntz

Professional Dog Owner
FASTLANE INSIDER
Read Fastlane!
Speedway Pass
User Power
Value/Post Ratio
274%
Feb 5, 2012
655
1,794
Arizona
Thanks, @theag for the insight based on your experience. $305 +rep for your help.

I will get in touch with Sucuri today and get this issue resolved. Were you able to determine how the malware got on your site?

I currently log in to the site using only three devices: my home computer, my office computer, and my iPhone. I'll not use my iPhone from now on, but should I get a portable computer and only use that to log in on the two separate wi-fi networks, or does it make any difference?


Sent from my iPhone using Tapatalk
 

Castillo

Bronze Contributor
Read Fastlane!
Speedway Pass
User Power
Value/Post Ratio
119%
Mar 8, 2016
354
420
Vancouver, BC
Trevor Kuntz said:

Thanks, @theag for the insight based on your experience. $305 +rep for your help.

I will get in touch with Sucuri today and get this issue resolved. Were you able to determine how the malware got on your site?

I currently log in to the site using only three devices: my home computer, my office computer, and my iPhone. I'll not use my iPhone from now on, but should I get a portable computer and only use that to log in on the two separate wi-fi networks, or does it make any difference?

Sent from my iPhone using Tapatalk

If you know what a VPN is, get that set up. At home you need to ask your ISP if you have a static IP address. If you don't, ask them if you can get one. Then you will need to set up a VPN tunnel to your house so it doesn't matter what device you use, you'll be able to access it via VPN. And then you will have to restrict your website's admin panel to only be accessible by that single static IP.
 


PedroG

Silver Contributor
Read Fastlane!
Read Unscripted!
Summit Attendee
Speedway Pass
User Power
Value/Post Ratio
264%
Oct 1, 2013
298
786
NH
It doesn't sound to me like your site is compromised.

You can send an email from any address you want. The way email (SMTP) servers work is you can provide the FROM address that you want for the email you are sending.

Email clients like Gmail obviously don't allow you to pick your own FROM address but a person can install their own SMTP server and send from any address that they want. They, of course, won't be able to receive any replies, but they can send them.

I'm not sure why they also felt the need to create those accounts on your site. Actually, I can think of a reason...

If they had just sent the emails using their own SMTP server like I mentioned before, it's possible email clients were going to flag those emails as spam.

Maybe they are trying to get around that somehow by having a legitimate email sent from your site first, before sending their spam email from the same FROM address.

Maybe they figure a client like Gmail would lump those two emails together in a conversation.

No idea if this actually works or not, but my guess is that they are trying to get around the spam filters by having a legitimate email sent from your site first.

So I don't think you have anything to worry about as far as your store being hacked.
 
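As an added illustration of the point PedroG makes above (this is not code from the thread, from BigCommerce or from any mail provider), the Python sketch below evaluates constructed SPF and DMARC records for a placeholder store domain and shows what a DMARC-enforcing receiver does with a message whose From: address is at that domain but which arrives from an IP the domain never authorized. All domain names, records and IPs are made up; DKIM is ignored and only the ip4/ip6/include/all SPF mechanisms are handled, since a/mx need live DNS.

```python
import ipaddress

# Constructed sample DNS TXT records (placeholder domains, not real records):
# the store domain delegates to its mail provider via include:, and the
# provider lists the IP ranges it actually sends from.
SPF_RECORDS = {
    "example-store.test": "v=spf1 include:_spf.mailprovider.test -all",
    "_spf.mailprovider.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example-store.test"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, records, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip` (RFC 7208 subset)."""
    if depth > 10 or domain not in records:      # lookup limit / missing record
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    terms = records[domain].split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual, mech = "+", term                    # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):               # v4 ip is never "in" a v6 net
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":                  # include matches only on pass
            if spf_check(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
    return "neutral"                             # no mechanism matched


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_disposition(domain, sender_ip, records, dmarc):
    """Receiver's action for mail claiming From: @domain sent by sender_ip."""
    if spf_check(domain, sender_ip, records) == "pass":
        return "deliver"
    policy = parse_dmarc(dmarc).get("p", "none")
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver (no enforcement)")
```

These records belong to the domain in the From: address, so a store that sends from a gmail.com mailbox cannot publish them itself; only a domain the store controls can be protected this way.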

Trevor Kuntz

Professional Dog Owner
FASTLANE INSIDER
Read Fastlane!
Speedway Pass
User Power
Value/Post Ratio
274%
Feb 5, 2012
655
1,794
Arizona
I will research how to set up the VPN and get that done this week. Thanks for the info.

I will add the base package of Sucuri just for added security. I have never had any security issues in six years of running the site, but now that I’m actually trying to scale the store, I need to take security more seriously.

Peter, I think you are correct. I have limited knowledge of email servers, but this is the same conclusion that I came to last night after realizing that there was nothing to indicate a compromise. It’s possible that they are exploiting something in BigCommerce’s own servers, so I will reach out to BigCommerce today.

The emails being sent are being spoofed from my email (departmentnine@gmail.com). I know it’s not a crisis but I don’t want that email getting flagged or associated with spam.

Here is the email as I found it last night:
[screenshot of the email]


I think that confirms your thinking. I’ll be sending you both rep in the future for your help.


Sent from my iPhone using Tapatalk
 
