How to (not?) get hacked and why website maintenance is essential

I want to show you a fairly elaborate and quite convincing phishing attempt to take over a Google account using a real business as cover, so you are aware that scammers are still out there, they are smart, and they are active. And we will try to learn a lesson here – for business or SaaS owners. I was just one step from getting scammed; here is what happened and what you should do.

Background – an important part of the scam

I received a request for a website redesign and performance improvements (caching, speed, and similar items). The message was well written and sounded legitimate – not an amazing deal, but professional and plausible. It went through spam filters and landed in my mailbox. So the scam was themed (a specific topic matching my business, not just a generic attempt) and thought through.

I analyzed the scope of work thoroughly, which took some time but ended positively, although to provide a better assessment I required server access. And when I asked for more details and for access, I got a reply saying “they” had consulted with their team, were ready to work with me, and were ready to provide access to the admin panel. I received a login link to WordPress and instructions along the lines of: after completing Google authorization, I would receive a username and should send it back to them so they could grant full access. Everything sounds good, right…?

I also checked the company Facebook account, which looked fairly legitimate: an older business page with posts going back some time (although the last post was about two years ago). Altogether, it suggested there might be a real business involved, but also that something wasn’t right.

Yellow flags and uncertainty

To provide the best value I can, I always check who is trying to contact me – so I started verifying the company: where they are located, what their background is, what opinions they have and so on. I couldn’t find clear location information (although that’s a common mistake for valid businesses), but I did find a hint online that they might be in Arizona, which mattered because of when the email was sent – if the actual owner wrote it, they would likely have been awake around 5:00 a.m. local time. That’s not impossible, but it is unusual.

I noticed other inconsistencies as well, such as a phone number in the email footer that didn’t match another number shown elsewhere. I only looked at it because I was told that I could call anytime to clarify details. Again, not definitive proof – just another small mismatch. All in all, every employee can have their own phone number, but this one was located not in Arizona but in North Carolina.

Another breadcrumb was that the scammer was using a Gmail account to contact me. Not very professional for a company to do this if they have a domain. But that could be just incompetence, or lack of knowledge, or an external worker, or an attempt to reduce costs – many explanations fit.

Now you might think – “this all sounds good, but I don’t have time to check this every time. And it’s not definitive proof. I won’t be able to catch such things as I don’t have the knowledge.” And you would be right. I caught these small details only because of my experience and knowledge – but the lesson here is not to “analyze every detail of every email” (that’d be great, but ain’t nobody got time for that!). The lesson here is to trust your gut. If something “feels” off – at least one thing – look closer. And that’s what I did.

Slowing down when uncertainty hits

The ultimate trigger for me to consult another person was the way credentials for the website and server were to be provided. Usually, less careful clients just share details through email, grant a new account with separate login details and read access, or provide a password over the phone. If they are a bit more tech-oriented, they share the password via a password manager’s secret sharing feature (like this one https://support.1password.com/share-items/?windows ). Instead, I was asked to log in to the WordPress admin panel using my Google credentials. This is not a typical way to grant access to a website. Also, what I requested was server access, not access to the website admin panel – so the flow didn’t really match, even if it could be explained as a “first step” of granted access or “internal processes”.

Here is what you should do if something feels off – if there is too much rush from an unknown client, or if something just sounds a bit wrong.

Take a step back. Breathe. Ask. Consult.

When my gut told me that there were just too many things off, I got more careful. I decided that from then on I should consult and verify these small details with another person.

“Am I being paranoid, or is something off?” – “Yes, something IS off. Be careful. Use an isolated environment.” – I heard.

And so I did, but you should not. If you get feedback from another person that something really is off, it’s better to step back and consult a person with actual technical knowledge of such stuff.

Further analysis – how you can lose your account access

Let’s see what you could find under the link. But first, a warning.

Do not try this at home – I did it to show you what can be a red flag, so you don’t have to – and it is unsafe for you. I am a professional, using an isolated environment and a separate, empty Google account with nothing important in it, so it’s effectively disposable for me, but it would not be safe for you.

One of the reasons why an isolated environment is needed (yes, I know this is a simplification) is that there can be a zero-day security issue that the hacker is aware of and you are not.

When I opened the provided login page, there were details that didn’t match a typical WordPress admin login. The login page URL was different (although it’s configurable in WordPress). The “Lost your password” link looked legitimate. But the real issue appeared when I clicked the “Continue with Google” link. A window showed up that looked like a Google login/authorization popup.

At first it resembles a Google popup, but it’s slightly “off.” One key sign: you can’t drag the window outside the page, because it isn’t a real browser popup at all – it’s part of the website.

When I inspected the source, I saw the page is implemented as an iframe that forwards you to an unknown domain not owned by Google. There’s also a typo in the domain (“identy” rather than the expected “identity”), which may look legitimate at a glance, but is not.

Another clue is language/characters: despite English being selected, parts of the UI show the wrong alphabet (Russian characters). That’s not how a real Google authorization screen should look.

In summary: the page is trying to imitate a Google authorization popup, but it’s actually an iframe loading content from an unknown domain.

The scam is well done in other ways too: it detects that I’m using Mozilla Firefox and tries to mimic the browser UI, for example by showing a green lock icon next to the certificate. Even the address bar is not real – it’s crafted to look like you’re on Google, but you aren’t. But when you click on it, an important detail shows up (apart from the Cyrillic alphabet, of course): you can’t open and inspect the certificate the way you normally could. If something feels off, checking the certificate is one of the most important things you can do – because in this case it’s not a Google certificate. Checking the certificate is nowadays fairly simple and is something you should do too when unsure.
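The two checks above (is the “popup” really just an iframe, and does its domain actually belong to Google or only look like it, as with “identy” for “identity”) can be turned into a small defensive script. The code below is an added example, not from the original post or the scam page: it takes the `src` of a sign-in frame, accepts only an allow-list you maintain (here just accounts.google.com, Google’s real sign-in host), and flags hostnames whose labels are a typo away from “google”, “accounts” or “identity”. The sample frame sources are constructed for the example; `auditSignInFrames` is a helper that assumes a DOM and is meant to be pasted into a browser console on a page you are inspecting.

```javascript
// Added example (not part of the original post): classify the origin of a
// "Continue with Google" frame so a lookalike sign-in page is flagged.
// Uses the WHATWG URL class, available in browsers and in Node.js.

// Assumption: an allow-list you maintain. accounts.google.com is Google's
// real sign-in host; anything else is treated as "not a sign-in endpoint".
const TRUSTED_SIGNIN_HOSTS = new Set(['accounts.google.com']);

// Labels a lookalike domain tends to imitate (the post's case: "identy"
// standing in for "identity").
const IMITATED_LABELS = ['google', 'accounts', 'identity'];

// Levenshtein edit distance between two strings (single-row DP).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                              // deletion
        prev[j - 1] + 1,                          // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),   // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify one frame src. verdict is 'genuine', 'suspicious', 'unknown'
// or 'invalid'; reason explains which rule fired.
function classifySignInFrame(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return { verdict: 'invalid', host: null, reason: 'not a parseable absolute URL' };
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol !== 'https:') {
    return { verdict: 'suspicious', host, reason: 'sign-in page not served over https' };
  }
  if (TRUSTED_SIGNIN_HOSTS.has(host)) {
    return { verdict: 'genuine', host, reason: 'host is on the sign-in allow-list' };
  }
  if (host === 'google.com' || host.endsWith('.google.com')) {
    return { verdict: 'unknown', host, reason: 'Google domain, but not the sign-in host' };
  }
  // Split on "." and "-" so "identy-google.example" yields "identy", "google".
  for (const label of host.split(/[.-]/)) {
    for (const target of IMITATED_LABELS) {
      const d = editDistance(label, target);
      if (d === 0) {
        return { verdict: 'suspicious', host, reason: `label "${label}" mimics Google on an untrusted host` };
      }
      if (d <= 2) {
        return { verdict: 'suspicious', host, reason: `label "${label}" is ${d} edit(s) from "${target}"` };
      }
    }
  }
  return { verdict: 'unknown', host, reason: 'no trusted or imitated label found' };
}

// Browser-console helper (assumes a DOM): list every iframe on the current
// page together with its verdict. Not exercised when run under Node.js.
function auditSignInFrames(doc) {
  return Array.from(doc.querySelectorAll('iframe')).map((f) => ({
    src: f.src,
    ...classifySignInFrame(f.src),
  }));
}

// Constructed sample frame sources (not URLs from the post).
const SAMPLE_FRAME_SOURCES = [
  'https://accounts.google.com/o/oauth2/v2/auth?client_id=example',
  'https://identy-google.example/login',    // typo-squat, like the post's "identy"
  'https://accounts.g00gle.example/signin',
  'http://accounts.google.com/',            // right host, but plain http
  'https://cdn.example/widget',
];

if (typeof document !== 'undefined') {
  console.table(auditSignInFrames(document));
} else {
  console.table(SAMPLE_FRAME_SOURCES.map((s) => ({ src: s, ...classifySignInFrame(s) })));
}
```

The edit-distance threshold of 2 is deliberately loose: it catches a dropped syllable like “identy” and a doubled letter, at the price of occasionally flagging an unrelated short label, which is the right trade-off when the question is “should I type my Google password into this?”. What the script cannot do is inspect the TLS certificate, which only the browser’s own padlock dialog can show you; that check still has to be done by hand.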

I wanted to push this further. I tried entering an email address that didn’t exist first, but it didn’t go through, so I used the disposable Gmail account I mentioned before. It let me proceed, and I expected it would eventually request broad permissions for the account, but it didn’t – just the password.

Then another suspicious detail showed up: the “authorization successful” message isn’t presented the way Google normally does it.

I am using firewall/antivirus, I should be safe… right?

Well… no.

At the time of writing:

  • My antivirus did not detect any threat
  • No spam filter flagged the email as spam
  • No browser I tried detected a threat (I submitted the site to Google for scanning, of course, shortly after I learned that this is a scam)
  • VirusTotal did not detect any threat

So in summary – you ALWAYS need to be careful, no matter what other “security” software you are using. The best and most important security software you can use is your brain.

What are the interesting points in this scam attempt?

Often scam attempts are crafted in a way that pushes you through a time constraint. You are encouraged to do things quickly. Here this wasn’t the case. The pace was natural, there were no time constraints, and there was a legitimate business behind the website, with Facebook and Instagram history (although dead – last post 2 years ago – but historical posts were present).

Another thing was the background preparation. The scope of work I was provided was a very plausible and natural thing to do. The scammers did a great job preparing technical details and expected scope, and using business-oriented but technical language.

Also, the Google login page was very similar to the actual page. Some details were well crafted (like browser name scraping), others could be “better” – like the Cyrillic alphabet or no ability to check the SSL certificate. I do imagine that inexperienced people would just click through the login details and lose access to their data.

What is also interesting: besides trying to use time pressure, scammers often attempt to offer high value – but here this technique wasn’t used either. I suspect it is because they expected a “too good to be true” offer to be immediately declined. It would be too obvious and would raise a red flag immediately.

What is the lesson here for a business owner?

Most important thing – always keep your software up to date. I do believe that this WordPress site was left at least 2 years without updates or maintenance.

Next thing – compromising your website can be very costly. It is not just a matter of the money lost to fix the issue. It is also a matter of lost trust.

Scam attempts are not “harmless if you didn’t fall for it”. I lost quite a bit of my company’s time just preparing the initial analysis of the scope of work.

My guess is that the real website owner was hacked and someone is now impersonating them. I tried to reach out to the actual business owner to inform him of this situation, but I haven’t heard back from him, so the case was reported to Safe Browsing https://safebrowsing.google.com/safebrowsing/report_phish/ and left as is. That was the least I could do to protect others from this scam.

Stay safe, pay attention to small details, and verify what you can. Even the lock icon and certificate behavior differ between the fake window and a real browser window. This is exactly the kind of thing that can get you hacked very easily.

Author

Łukasz Pawłowski

CEO of Sailing Byte

Sailing Byte CEO and former PHP developer. Founder of a software house specializing in a partnership-driven approach, with expertise in Laravel, React.js, and Flutter. My objective is to deliver scalable SaaS solutions through Agile methodologies—offering clients a blend of experience, knowledge, and the right set of collaborative tools. To achieve this, I am committed to sharing my expertise on this blog with clients and readers across Europe, the UK, and the USA, empowering their businesses to flourish.