A long but worthwhile note about the internet bastards out to get you
* * *
As many of you are also aware, our very good friends at Coffee Time Romance and More were hacked last week. It was a very serious incident that required the entire site go down and they are still working around the clock to restore it. Coffee Time Romance and More has the full support of all of us here at TRS and we hope yours as well. Like you, we're really looking forward to having them back.
BUT the incident isn't an isolated one. What the hackers are doing is new, there is nothing that can be done to prevent it. I won't go into a lot of technical jargon but these incidents made me think that I really wanted to put some information out there to our community -- anyone with a web site or blog ...
In simple terms, the hackers find a way to get into your web site and then post their wares on it -- usually links to sites where you can illegally purchase prescription drugs, porn sites, and other sites where more than likely, there is malware that can infect your computer if you click on the links. Chances are you won't. That being said, they can also load malware onto your site so that when a visitor arrives to visit you, their computer will be infected with a trojan/virus etc. that can either damage their computer or give the hacker access to that computer remotely. These tactics can be used for many reasons including identity theft.
Add to that the fact that Google bots, the ones that normally crawl your site at regular intervals to index you for the Google search engine, are now looking for malware and if they find it on your site, they will report it to Google. It will also appear as a warning tied to your site on the Google search engine. If this happened to TRS for example, when people googled us, they would see The Romance Studio with the line under the title reading -- "This site may harm your computer." Once your site has been cleared of any malware, you can request for Google to review your site and have that message removed. But it's still another time consuming process and in the meantime, new visitors are told that your site is harmful and chances are they won't come back. Waiting for Google to review your site again can take days or weeks.
What can you do to help keep your site safe? Many of you work with good, reputable web hosting companies and they likely are aware of these things already. But if you maintain your own web site or blog, here are some things you should know and can do to help keep your site as safe as possible.
1) Check your site regularly. I know from visiting many author web sites each day in the running of TRS, I'll see sites that haven't been update for weeks or months -- even when I am in the way of knowing that author has new books out. =) If you aren't paying attention to your site, you have no way of knowing if someone is trying to get in. Pay attention in particular to any area where there is outside user content -- forums, blogs, guestbooks, etc. These are what spammers want to use to post their ill intended junk. These are usually the scripts they can find a hole in to give them access to your entire site. I've seen people get hacked through guestbook scripts mostly but now they are really hitting on site blogs like WordPress and forums very hard.
2) Check your statistics regularly. I have some web clients who are so good at keeping an eye on their stats. This will often give you a warning that someone is looking at your site. Maybe they are really really interested in your books or product but often an abnormal spike in hits can mean hackers are taking a very close look at your site and considering how they may use it. If you see such a spike, keep a close eye on your site and maybe consider changing your passwords. If someone manages your site, let them know immediately.
3) If you use a script on your site like WordPress or any type of web forum or guestbook, please check at least once a week for updates to the script. This is extremely important. Some updates are made because a vulnerability was discovered that a hacker can exploit. When updates come along, install them immediately.
4) Passwords. Even if you change your password often, please don't make it easy for hackers by using a pet name with a number tacked on the end. Any hacker worth his salt can decode FLUFFY09 in less than a minute. A good password should be at least 8 characters long, should be a mix of upper and lower case letters, include numbers, and other symbols if allowed. I know people want to have passwords they can remember but in this day and age, simple passwords are a risk. Come up with a complex password (ex. Mh?>1h#ggAs) and simply write it down and keep this in a safe place. Change your passwords often. Don't share your password with anyone not involved with the management of your site.
5) Check your site to see if Google has picked up malware. As a disclaimer, this isn't to be used as a way to check your site at once quick and easy glance. If you submit your URL using the utility here, it will simply tell you if Google found anything suspicious on your site within the last 90 days. Check this periodically but don't rely on it as a way to keep your site safe. If this utility tells you that your site has been reported for suspicious activity, you've already got a problem. http://blogoscoped.com/archive/2008-05-23-n62.html
6) Back up your site. Many hosting companies will tell you that you get backups. Sometimes it doesn't mean a complete and full copy of your site that you can use to restore it if a hacker gets it. Sometimes it means an image you can look at. Often you CAN get a backup of your complete site from a hosting company but it will cost you extra -- I've seen amounts from $50 - $100. You can take away this worry pretty easily by making a backup of your site on a regular basis. It doesn't take long. If I can back up TRS using plain FTP in about an hour, and it's a pretty large site, you might be able to back up your site in a matter of moments. Backing up your site once a week or once every other week can be a life saver. Also considering keeping a periodic copy on a disk. If you're like me, bad things happen in groups. It would be my luck to have my site hacked and then my computer crash before I could restore it. Take no chances. Make sure you have a viable copy of your site at all times. The more up-to-date, the better.
7) Spam/Spoofing. I get a lot of email from folks interested in our web services asking what they can do about spam and wondering how they got an email from themselves that they didn't send selling Viagra.
How do spammers get your email in the first place? They get them from your site. You'd think this would take a lot of effort but it takes actually very little effort. They use programs called spiders. The programs crawl sites looking for things like @ symbols and tags. They know there's a good chance they'll grab an email address from either of those instances. The program finds that and grabs your email. Your email then goes on the spammer's list. Then it can be shared with other spammers but is often sold on lists to people marketing stuff you don't want (or other spammers). So in a very short period of time, your email can be placed on literally thousands of spammer email lists. And you're right to worry that may mean viruses and harmful things. Only it's not just for your site and your email. What about your visitors? Which brings me to bad thing #2
Spoofing. What's that? Well, once spammers have your email, they don't just use it to send you hundreds of emails. They send out emails saying they are from YOU! They'll send out thousands of emails in a single second peddling viagra and the email might say its from email@example.com. This is very easy to do. They don't need access to your email or your web site. They just plug that email into their program as the "sent by" email. Maybe they'll put in Tina Pavlik as the name or maybe not. That part doesn't matter. What matters is that they are sending emails claiming to be you and there's nothing you can do to stop them. They set things up so they can't be easily traced or reported. That's why they lie and use other people's emails.
Once you're being spoofed, people can report the spam that says its from you. Only ISPs won't take the time to look into the matter to see if you really sent it. Some have automatic reporting systems that are rarely looked at by actual people. The end result? Enough people reporting these emails saying they are from you will get your domain black listed. Black listed means that if AOL black lists you because enough people at aol reported spam that you didn't send but says it's from you, they can keep anyone using AOL as a service or aol browsers from even being able to visit your site or receiving your emails. That's bad. Very bad. And it can take months to get a site white listed again once this happens.
You want to have email without worry? I would suggest doing two things.
First, reconsider having a domain name email. I know that's probably not what you want but if you get another email address (gmail, hotmail, etc), if someone spoofs it as I explained above, it won't have an impact on your web site. They won't black list gmail. TRS got rid of all of its @theromancestudio.com emails last year for this reason. Now if any of our gmail accounts get spoofed or reported? The worst thing that can happen is that we have to get a new email. But TRS itself, the site, won't be reported. It's safe. That's not to say that spoofers can't send out firstname.lastname@example.org emails anyway and get us reported but we've found that these spoofing incidents dropped dramatically for us when we stopped using a domain name email.
I'd recommend a good free email account from gmail.com, yahoo.com, or hotmail.com. Gmail is my favorite. It's free, offers limitless space, and has a pretty wonderful spam filter. It's very user friendly.
Second, consider getting your email off the site if it is posted there. Does your current web host offer an email form you can place on your site? If so, that's really the way to go. We use forms like this one at Psyche: http://psychedesigns.com/contact.php?firstname=Psyche&lastname=Designs and at TRS. Basically, the script hides the email from the spiders so they can't grab it. Using a secure email form for your new email will start you off right. Since we went to this method, we maybe see 10-15 spam emails in a day. Still annoying but it's a low number all things considered. And with gmail's spam filter, you don't have to sort through the spam to get to the emails you want -- unless you want to. It's still a good idea to eyeball it every couple of days.
Anyway, I hope you find some of this information useful. In the next few days, today we'll be busy changing TRS over for October and we're also scanning all of the sites we take care of in light of these events, we'll be starting a new section of our forums dedicated to hacking issues. I'll bet there are some of you out there with some other good information to offer and I think that sharing of these ideas helps keep us all a little safer.
Remember any of us can hacked at any time. Be vigilant. And let's work together to help keep our sites -- romance or otherwise -- safe.