1 Reply Latest reply on Feb 18, 2013 1:06 PM by Hayton

    Website Hacking Fixed on CreditCure.mobi and CreditClean.us

      Hello McAfee.


      On Feb10, 2013 my CreditCure.mobi site via Domain.com had been

      turned into a fraudulent access site being routed to "candofinance.com."


      Parts of my website texts had been turned into BLUE HIGHLIGHTS


      which were access points for their hyperlinks.


      Detailed information, including multiple snapshots of the hacking are


      included in the attached pdf file.


      My CreditClean.us site was also hacked with similar fraudulent access


      routed to "freeScore360.com".


      My pdf attachment shows how I stopped the problem, but I would like to


      know how others worked around such problems.  The fraudulent activity


      is directly related to the content of the text, suggesting that this is not a


      random malware. The hyperlinks were moved around during a period


      of one hour. My CreditClean.us site is still blocked to some access by McAfee.


      McAfee does not indicate what the problem might be.


      Please offer suggestion on how it can be cleared now that it is fixed.


      See my pdf attachment.


      Thank you




      Email address removed to protect poster - Hayton


      Message was edited by: chasgauvin on 2/17/13 5:01:16 PM CST


      Message was edited by: Hayton on 18/02/13 00:03:30 GMT
        • 1. Re: Website Hacking Fixed on CreditCure.mobi and CreditClean.us

          I've done some investigation and your sites are coming up clean. Did you clean up the websites at all, or simply adopt the workaround to prevent words and phrases from becoming redirection links to those other sites?


          Edit - The question is significant. Either someone installed malware on the server or your network traffic is being intercepted and altered in transit. It may be relevant that urlquery is reporting a number of submissions for testing in the past couple of days for AS29873, the ASN covering CreditCure.mobi. This ASN also includes a website (malwaremustdie.org) which has come under attack and is currently hosting malware. It's a different IP address but very close to yours. The attackers may also have scanned other sites on attacked servers looking for vulnerabilities.


          Edit - I checked with Brian Krebs to see if he knew anything about an attack against malwaremustdie.org and he says the report is a false positive. That doesn't necessarily explain the sudden spate of checks on websites having the same AS number but might do so.


          Message was edited by: Hayton on 18/02/13 18:02:42 GMT


          Message was edited by: Hayton on 18/02/13 19:06:53 GMT