Thick Skull, Thicker Skin
Selective storytelling can sometimes lead to inaccurate conclusions.
For example: reading through the posts on this blog might lead you to think that I have a high rate of interactions with the owners of compromised sites. That’s because I tend to focus on only the interesting stories (or at least what I think are the interesting stories - you may feel differently). Those stories tend to be ones where I actually have some interaction with a site owner - for better or for worse.
This post isn’t going to be about that.
This post is about the vast majority of the dull boring stuff that goes on from day-to-day.
It’s a story of unanswered emails, phone calls that get ignored, and tweets that seem to fall on deaf ears.
Through the years, I’ve notified well over a thousand sites that they’ve been 0wned. I say that not to brag (seriously I send emails to people telling them that their site’s been whacked to sell boner pills and term papers - not really a braggin’ kind of subject…) but just to give you an idea of scale.
Over the past four days, I’ve tracked down and attempted to notify the owners of 19 websites that have been the victim of blackhat SEO attacks. Nineteen.
Most of these sites have been altered to flog the aforementioned boner pills. A handful are selling cheap NFL jerseys and one is selling knockoff designer handbags - unless, of course, the makers of real designer handbags have resorted to whacking sites to boost sales.
One lucky site is selling all three. And Nike shoes. And term papers.
Somebody is an overachiever…
Sixteen of nineteen are running WordPress. Two are running what appears to be homegrown PHP code. One is an apparent exercise in self-flagellation via Java (I don’t know which to feel worse about - that they got 0wned or that they wrote their site in Java).
A few are sites that were “professionally” designed. They have these goofy “Created by X” taglines at the bottom of the page, proudly proclaiming that an “Online Marketing Professional” was involved in the making of the disaster. (Tom’s $0.02: You probably wanna think twice about putting your name on a crappy WordPress site that’s likely going to get neglected and 0wned. That’s really not a good look.)
Among the owners: a private school, a pharmacology college, a community outreach center, a professional lighting company, a couple of local governments, a county superior court, and a really good photographer.
I’ve sent emails and I’ve sent tweets. I’ve contacted the “professional” website design firms along with their customers. I’ve left four voicemails for IT folks.
Cutting to the chase: I’ve heard back from exactly zero.
Zip, zilch, nada.
Today, I’ll probably do a few more Google searches, find a few more sites, and spit out a few more emails/tweets/calls.
Why not? I've spent a lot of time over the years pounding my head against The Big Internet Wall of 0wned Sites™. What's a few more blows to the head? Ask anyone: my skull is pretty thick.
And who knows… maybe, if I’m lucky, I’ll get to chat with someone who will get angry at me, or accuse me of hacking their site. That’s ok too… my skin is pretty thick.
But I do get tired. Over these years I’ve taken a break or two. The last one was for about four and a half years. You see, all of this gets to be wearing after a while.
Not the mean, crabby people…
Not the accusations.
Far more wearing is the silence. That feeling like you’re standing and screaming into the void. That’s what makes me tired.
But it’s all good. After some time off - a little vacation - I always come back.
Why?
Because, every once in a while, a site gets fixed. The boner pill ads silently disappear.
I take those as a win.
Even more rarely, someone sends me an email and says, “Thank you for letting me know.”
And, believe it or not, that one small gesture fixes a whole lot of silence.
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
March 7, 2021