The last five days have been some of the worst in my time online. I seem to have been targeted by a series of scammers and hackers. The worrying thing is that it isn't a concerted campaign; it's just a series of people who have decided that it's easier to scam and hack their way to an income than to work for it. Luckily all I lost was about six hours getting my sites back to normal, but it could have been much worse.
First off, let's look at four types of scam that people have tried to catch me out with (and in some cases did catch me with!).
1. Domain Renewals.
I got an invoice today for a domain renewal for $75. Luckily I know that my domain renewals cost me $8.19, and because I act as my own domain registration company I get notifications when they are due; this domain wasn't due for renewal until October. If I had been new to IM or only had one domain, this might have caught me out.
2. Search Engine Registration
I got an email, once again asking for $75, telling me that my search engine registration was due to expire.
The full text is below, including the small print.
This solicitation is to inform you that it's time to send in your search engine registration for Domainname.COM. DRS is a search engine ranking and submission service company.
Failure to complete your registration by Sep 14, 2011 may result in the cancellation of this offer.
Your registration includes search engine submission for Domainname.COM for 1 year. You are under no obligation to pay the amount stated above unless you accept this offer by Sep 14, 2011. This notice is not an invoice. It is a courtesy reminder to register Domainname.COM for search engine listing so that your customers can locate you on the web.
3. Domains Available.
I've been getting a few of these recently. They involve an email telling me that a domain is available that is very similar to one I already own, and then asking me to make a bid on it. The thing about this scam (and it is a scam) is that the domains are due to expire in one or two days and can be picked up for normal prices if you wait for them to become available. The people offering the domain to me don't actually own it; they will do exactly what you can do and either wait for it to become available or bid for it on TDNAM or Freshdrop.
4. Refund Fraud
I've been a victim of this three times. I won't go into it too deeply, but it involves buying a product that pays instant affiliate commissions and then requesting a refund afterwards; the end result is that it costs the vendor money. I've recently had over 150 people apply to become affiliates showing the tell-tale signs that they intend to commit refund fraud, so in my book it is widespread. Oh, and while I am here, this is for the person who bought a product a few weeks back and issued a chargeback three minutes after buying it: chargebacks cost vendors far more in fees than the price of the product. Karma will get you!
Now onto the hackers. There are several types of hacking: the type that exploits a plugin or theme and leaves malicious code behind, and the more despicable type where your site is accessed and then defaced.
One of my WPG members had his site hacked last week and was then sent a ransom demand telling him that if he paid, his sites would be returned to him. This is the first time I've heard of this happening, and it takes the hacking we as site owners normally experience from an annoyance to a criminal act.
Last week I had two sites compromised through a vulnerability in a theme I was using. The theme was from Woo Themes and the hole was in the TimThumb image-resizing script bundled with the theme. Luckily for me this attack happened on a mass scale, so there was lots of information about how to deal with it. One great site I found to help check your sites for malware was Sucuri.net, and in particular their malware scanner. I've since added their blog feed to my iPad feed reader so I get updates daily (I use Pulse for iPad and iPhone, highly recommended!).
It seems that incidents of scamming and hacking are growing, and it's no longer a question of if you'll be a target but when. There are certain things you can do to avoid being a victim.
- Verify the source of every email asking for payment. Check it against your own records (your registrar, your renewal dates) rather than against the details in the email.
- Never, never, never follow a link in an email that asks you to log in to one of your accounts. Type the site address yourself.
- Use a tool like LastPass to generate and store your passwords. It's free, so use it! 3a?h8u^g4 is a good password; jimmysue isn't.
- Do not use the same password twice. Whatever site you use a password on, there is always someone who can see it. I could go to Flippa today and buy a forum or a membership site and I guarantee I would have usernames and passwords that people reuse on more than one site. Now imagine if I was a hacker... scary thought, isn't it!
- Have a proper backup process, and test it by actually restoring a site from it.
- If you use Admin as a username, change it.
- Keep all themes and plugins up to date, including scripts bundled inside themes such as TimThumb, which do not show up on the plugin update screen.
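As an added example of acting on that last point after the TimThumb incident above, here is a small POSIX shell audit I wrote for this post; it is not code from the original post, from Woo Themes or from Sucuri. It walks a WordPress document root, lists every copy of the TimThumb script with the version it declares, flags copies below 2.0 as needing an update, and reports any PHP files sitting in a TimThumb cache directory, since a cache that should only hold resized images is exactly where an attacker's file would land. Assumptions, labelled in the comments: TimThumb declares its version with a line like `define ('VERSION', '1.33');`, theme vendors sometimes ship it renamed as `thumb.php`, and the 2.0 rewrite that followed the 2011 disclosure is the threshold to check against (confirm against the current release before relying on it). The sample site tree it scans when run without an argument is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Audit a WordPress document root for TimThumb copies and suspicious cache
# contents. Added example, not the original post's code.

# Print "path<TAB>version" for every TimThumb copy under $1.
# Assumption: the script is named timthumb.php or (renamed by some theme
# vendors) thumb.php, and declares its version as define ('VERSION', 'x.y').
find_timthumb() {
  find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) | while read -r f; do
    v=$(grep -m1 -E "define *\( *.VERSION. *," "$f" | grep -oE "[0-9]+(\.[0-9]+)*" | head -n1)
    printf '%s\t%s\n' "$f" "${v:-unknown}"
  done
}

# Return 0 when the major version is 2 or higher, 1 otherwise.
# Assumption: anything below the 2.0 rewrite is treated as needing an update;
# an unreadable version ("unknown") is also treated as not ok.
version_ok() {
  major=${1%%.*}
  [ "$major" -ge 2 ] 2>/dev/null
}

# List PHP files inside any directory named "cache" under $1. TimThumb's
# cache should contain only image data, so PHP here deserves a look.
cache_php_files() {
  find "$1" -type d -name cache | while read -r d; do
    find "$d" -type f -name '*.php'
  done
}

# Full report: one line per TimThumb copy (ok/UPDATE, version, path), then
# one line per PHP file found in a cache directory.
audit_wp_root() {
  root=$1
  tab=$(printf '\t')
  find_timthumb "$root" | while IFS=$tab read -r f v; do
    if version_ok "$v"; then status=ok; else status=UPDATE; fi
    printf '%s %s %s\n' "$status" "$v" "$f"
  done
  cache_php_files "$root" | sed 's/^/SUSPECT cache PHP: /'
}

# Constructed sample site tree (not real site data) so the audit runs offline:
# one theme with an old TimThumb and a planted PHP file in its cache, one
# theme with a current copy.
make_sample_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/wp-content/themes/oldtheme/cache" "$base/wp-content/themes/newtheme"
  printf "<?php\ndefine ('VERSION', '1.33');\n" > "$base/wp-content/themes/oldtheme/timthumb.php"
  printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$base/wp-content/themes/newtheme/timthumb.php"
  printf "<?php /* planted file, constructed for the example */ ?>\n" > "$base/wp-content/themes/oldtheme/cache/external_abc.php"
  echo "$base"
}

# Usage: sh timthumb_audit.sh /var/www/example   (or no argument for the sample tree)
audit_wp_root "${1:-$(make_sample_tree)}"
```

Run it against each site's document root; every line starting with UPDATE is a theme whose bundled script needs replacing by hand, and every SUSPECT line is a file to inspect and, once you have a copy for forensics, remove. It only covers this one script, so it complements rather than replaces a full malware scan such as the Sucuri one mentioned above.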
Consider buying LockDown WordPress. It will show you how to secure your WordPress sites tighter than a duck's ass.
It really is time to take your security seriously. Don't be a victim.
If you have any advice, experience or tips, please share them via the comments.