Bluehost’s New Account Management Interface Seems Rather Broken

We were recently dealing with what should be a fairly standard piece of work for us, transferring a website to a new VPS. That turned out to be a lot more complicated because of a change recently made at the web host Bluehost: they replaced their long-used account management interface. This caused a couple of problems we wanted to share in case others run into them as well and are wondering if they are alone in that.

First, we found that some of their support documents are still written for the old interface. One of those has instructions for something that isn’t even possible with the new interface. Our client contacted their support team about that and was told that it was no longer relevant, but the document is still up over a week later.

Second, we found that the interface seems rather broken. We found features that only worked some of the time. When we were trying to make a simple change, we found that the interface wasn’t showing information that it should have been showing. It isn’t a good situation.

SiteLock and Their Partners Including Bluehost and HostGator are Still Producing Bad Results

Earlier this week, we interacted with someone dealing with the mess that is having SiteLock brought in to clean up a malware-infected website. They are not alone in that. Here is a review of them left on Trustpilot in October:

This is a company with no service and it’s a scam! It has been six weeks since I purchased their service and my site is down for the third time during their ‘monitoring’. I just keep receiving generic/automated emails about the removal of threats every two days or so while my website is still down!
I purchased it through Blue Host. I am puzzled as to why BH is recommending Site Lock. Service on both sides is mediocre or nonexistent. BH agents who barely spoke English were arguing with me with raised voices that I needed to be patient and wait until they had time to fix the website! I don’t want to use and be associated with either one of them! Site Lock is a scam and BH is not taking responsibility for recommending it. Thoroughly frustrated.

The person we were interacting with is also a customer of Bluehost. That reviewer wondered why Bluehost recommends SiteLock. The answer is pretty simple: Bluehost gets paid by SiteLock if SiteLock is hired.

It isn’t just Bluehost. Here is another review from October:

I was called up by “hostgator security” stating that my site had Malware. I asked them to revert it to a backup, and they said it would be $50 and no guarantee of fixing the malware, but I should use “Site Lock” instead. With 2 domains it would be $500, they would remediate the malware immediately, and then provide 12 months of monitoring service. Normally, I’d just handle malware myself, but I’ve got a lot going on, so I decide to let these professionals handle it. I ask them what happens if my site goes down during this process, and they assure me that would not happen because the only files that would be removed is malware. I ask, ok, what if some kind of accident happens and it goes down anyway? “They will help you, they are on top of it.” Okay great. I pay the money, for the next 24 hours I get a dozen emails about site scans happening. I check the next day, and both of my websites will not load. I call the Site Lock number and they tell me there are 19 directories for which I have not paid for Sitelock, and he thinks the malware is hiding there, and I need to pay for service for each of those directories. 19 + 2 X $250 is $5,250, which is as silly, ridiculous, half-baked and outrageous a number as is the premise that more site scans will fix the problem. I come to find out Hostgator and sitelock are two separate companies. This is not a professional team that works together to remediate malware, in my opinion. I call back the hostgator rep who sold me the services, which at least I’m grateful he was easy to get a hold of, and I’m told he will open a ticket which may take up to 24 hours to get a response to. These are active business websites with advertising running to them. I should not have trusted Hostgator, and I should not have trusted Sitelock. After this is all over, I’m going to look at hosts who don’t charge to revert backups.

There were plenty of other recent Trustpilot reviews that are similar. This isn’t really news to us, since we used to have a lot of interactions with people who had hired them to deal with hacked websites, or whose web host was pushing them to do so, and the same issues came up.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

It Shouldn’t Take SiteLock Days to Remove Malware From a Hacked WordPress Website

In dealing with hacked websites, a company that used to come up a lot in conversations with clients was SiteLock. We have run across many problems with them in past years. We were contacted this week by someone dealing with them after malware was detected on their website by Bluehost. Bluehost gets paid by SiteLock if you hire SiteLock to clean up the website, which is why they promote hiring them to clean it up. It isn’t because SiteLock does a good job of it.

That was on display with what this person was dealing with this week. They were on the fifth day of SiteLock working on removing the malware from their hacked WordPress website (or at least SiteLock was supposed to be working on it). It shouldn’t take that long. Cleaning up a hacked WordPress website should usually take a few hours; at least that is how long it takes when we do it. That is with us doing a proper cleanup, which lots of providers, including SiteLock in our past experience, don’t do, so an improper cleanup should take even less time than that.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers

In August of 2017 we first interacted with someone who had gotten a phishing email made to look like it was from Bluehost and who, when they contacted the real Bluehost, was then pitched a security service they didn’t need, since there wasn’t any issue with their website. More than a year later Bluehost and their security partner SiteLock continue to do that. The latest incident is absurd on its own, since they were trying to sell someone security services they largely couldn’t even use: their website is hosted with Squarespace, so much of the SiteLock service wouldn’t work there and the rest wouldn’t be relevant in that situation.

Below is the phishing email. Interestingly, the domain used for the phishing is also a Bluehost customer (maybe that is from someone that fell for a previous phishing email).

Hello, [redacted]

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you’ve got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn’t being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven’t already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.3483e5ec0489e5c394b028ec4e81f3e1.[redacted]/account/6626/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Below is the email that SiteLock sent trying to sell this person the unneeded services after they had tried to get in touch with Bluehost. Bluehost apparently directs people over to SiteLock before even doing basic checking to ensure that there is actually a situation that could use SiteLock’s input. The person who received this is not named Vish (or anything close to that), despite it being addressed to someone with that name.

You’ll notice they claim that the website has been infected, despite that not being the case and not even being what the phishing email claimed.

Hi Vish

Thanks for taking the time to speak with me today. Like I mentioned before your website has been infected and we need to clean it as soon as possible before it’s suspended by the host. The reason your website was found with malware is that you currently have no security measures in place to stop malware from entering your site.

The simple solution to protect your website is adding a firewall as well as a smart scanner. The smart scanner removes malicious content from your source coding before it infects the website. Also a Firewall blocks any malicious traffic and hacking attempts from entering your website in the first place, it’s the single most important preventative measure you can have for your website. What I did was attach a couple of documents that fully go over the features of our upgraded scanner and firewall. You can also go to www.sitelock.com to get further details and services. If you have any questions or concerns my contact info is below.

So to break everything down price wise, it’s $30 dollars a month for our secure starter which includes a Professional firewall and Premium scanner. You will get a free cleaning for the website with this that will save you $300.

Best regards,

Secure Starter $30.00/Mo
Premium Scanner and Professional Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)

Secure Speed $50.00/Mo
Premium Scanner and Premium Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)

Secure Site $70.00/Mo with unlimited free manual cleans and vulnerability patching
Infinity Scanner and Premium Firewall
-Automated Malware Removal Tool (continual & non-stop scanning removes basic infections that do not directly effect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Unlimited access to our Cyber Engineers to manually adjust your website coding if malware removal tool does not clean the malware
– Multiple (19) Vulnerability Testing on the site

Bluehost’s Poorly Thought Out Attempt to Clean Up Hacked Websites

We have repeatedly brought up the web host Bluehost on this blog due to various security-related issues involving them, including using phishing emails to sell unnecessary security services and what looked like a security issue on their end leading to websites being hacked. Recently we have started running into another issue while working on hack cleanups of websites hosted with them: Bluehost appears to be attempting to clean up hacks in a way that doesn’t seem well thought out and can leave websites with more problems than the hack itself caused.

What looks to be going on is that, to try to clean files containing malicious code, Bluehost is removing code from the files and making a copy of the previous version of each file under a different name. As an example of those names, in one recent instance the copy of a file named link-manager.php was named link-manager.php.suspected.1524640055 (the numeric suffix appears to be a Unix timestamp; that one corresponds to 25 April 2018 UTC). The new files have no permissions, so you can’t view their contents (or change the permissions to be able to do that). In many instances the original files have been emptied entirely, even when they appear to have contained legitimate code in addition to the malicious code.

One of the problems that causes is that legitimate files used to generate websites are being emptied, which then causes the website to stop working. Because of the permissions on the new files, it isn’t possible to easily see the previous contents of a file and quickly restore the non-malicious portion without getting access to another copy of the file.

Where things get more problematic is that they are changing the permissions on some directories as well as files. That not only restricts seeing what is in the directory, but also introduces a complication that doesn’t occur with the change to individual files: you can’t delete the directories through FTP or the file manager in Bluehost’s control panel.

Bluehost does have the capability to make the files and directories accessible again if you contact them.

What is important to note is that in every instance we have run into so far, there have been malicious files that were not dealt with by this cleanup, so the upside of the attempt is limited while the downside can be fairly significant. Another problem with this type of approach is that simply cleaning up hacked files doesn’t deal with the underlying cause that allowed the hacker to add or modify files in the first place, so the hacking can continue.

Just Because SiteLock Is Trying To Con You Doesn’t Mean Your Website Hasn’t Been Hacked

In interacting with people about hacked websites, one of the things that comes up frequently is people conflating security companies trying to take advantage of them with a belief that their websites haven’t really been hacked. A lot of the blame for this lies with the security companies that are trying to take advantage of people (and look to be very successful at it) and with those that enable them, which includes their business partners and the government entities that don’t take any action against them. But some of the blame has to be placed on the customers of these services, who seem to take a completely uncritical view of them; among other things, their funding of these companies allows the companies to expand and take advantage of more people.

As an example of that, we had someone contact us recently after they ran across a post we had written about how the web host Bluehost was continuing to try to sell SiteLock services based on claims made in phishing emails meant to look like they came from Bluehost support. The situation this person had was very different from that.

They had been contacted by a company informing them that their website was being used for phishing. Their web host, Bluehost, which is a SiteLock partner, had suspended their account for the same issue. They said they were “shocked” because they had SiteLock on the account and they thought that with that the website wouldn’t have been able to be hacked.

As a company that works in this field we obviously have a very different view of things, but it is still hard to understand a view like that when you consider that SiteLock and every other similar company we have run across don’t provide evidence that their services are effective at protecting websites. To us that seems like a baseline requirement before purchasing any service like that, but clearly it isn’t.

The next part of the story is something we have heard plenty of times before, but it still doesn’t make much sense to us: they were then told they would need a higher level of SiteLock service to protect against the issue happening again. To us that raises some obvious questions, like why SiteLock would, by their own admission, be selling security services that don’t actually provide security. Another would be why at that point people still don’t expect some evidence to be presented as to the effectiveness of the services, considering SiteLock has just admitted that they are selling services that don’t actually work.

When we responded explaining the lack of evidence that SiteLock’s services are effective (along with the plenty of evidence to the contrary that we have run across) and that SiteLock’s own marketing indicates that they are not even attempting to provide real security, the response from the person was not concern with SiteLock’s practices, but that the whole situation seemed suspicious. We asked about the evidence presented that the website had been used for phishing, but the person seemed uninterested in actually checking things over. Based on past experience, our guess is that the website was actually hacked in this case.

Dealing With a Possibly Hacked Website

While in this case we guess the website really had been hacked, we have run into plenty of instances where SiteLock and their web hosting partners falsely claimed that websites were hacked. So what we recommend you do in that situation is get a second opinion on the claim. We are always happy to provide that for free and would hope that other reputable security companies (to the extent that there are any) would do the same.

If the website is hacked, what you want done is a proper cleanup, which involves cleaning up the hack, securing the website (which usually mainly involves getting the software up to date), and trying to determine how the website was hacked and fixing that. If a service doesn’t do those things (as is true of SiteLock’s main services) then you stand a decent chance of having continuing issues. After things have been cleaned, instead of paying for a security service that won’t protect your website, you should make sure to do the basics to keep your website secure from most issues.

Bluehost Still Trying To Sell Unneeded SiteLock Security Services Based on Phishing Emails

Back in August we discussed a situation where the web host Bluehost had tried to sell one of their customers a $1,200 a year SiteLock security service based on the customer having received a phishing email that was made to look like it came from Bluehost. It didn’t paint too good a picture of Bluehost: despite these phishing emails seeming to be rather common, they didn’t do any basic checking of the situation claimed in the phishing email before trying to sell someone an expensive security service that didn’t even seem to have a connection to the issue mentioned in the email.

Fast forward to this month and it is still happening. We recently had someone contact us looking for advice after they had gotten an email they thought was from Bluehost about malware on their website; when they contacted the real Bluehost, it was recommended that they spend $49 a month on a SiteLock service that was supposed to fix that. Before we even looked at the email that was supposed to have come from Bluehost, things seemed off, since the person who contacted us said that the whole account had been disabled, whereas in our experience Bluehost only shuts off access to the websites, not other forms of access to the account. That seems like something a Bluehost employee should also have been aware of.

Looking at the email (shown below), we could see it was a phishing email, as one of the links in it pointed to the host my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru instead of my.bluehost.com. The leading labels mimic Bluehost’s hostname, but the part of a hostname that determines who controls it is the end, and here that is tmweb.ru.

Your account has been temporarily deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.

Examples:

/domain/[redacted]/public_html/config.php.suspected
/home1/[redacted]/public_html/post.php.suspected

/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/s
ession.php

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru/server/1012/reactivation.html

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
modified.
* Update all scripts, programs, plugins, and themes to the latest
version.
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Remove all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you are already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help

That all seems like a good reason not to use Bluehost. As for SiteLock, it isn’t like they are an innocent victim in this, as the majority owners of SiteLock also run the Endurance International Group (EIG), which is the parent company of Bluehost and numerous other web hosts. SiteLock also pays a majority of their inflated prices to the web hosts, which certainly could create an incentive to sell unneeded services.

This is also a good example of why anyone contacted by SiteLock or one of their web hosting partners about a supposed malware issue or other type of hack of their website should get a second opinion from another security company (something we provide for free, and we hope that other companies would as well), since we were able to quickly identify what was going on, let this person know, and save them a lot of money.
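The check that gives away both of the phishing emails quoted on this page (the one above and the one in the earlier post with the my.bluehost.com.3483e5ec…[redacted] link) is mechanical: pull every link out of the message and look at the last labels of the hostname rather than the first ones. Here is an added example of that check (our own illustration, not code from the original posts or from Bluehost). The registrable domain is approximated as the last two labels, which is a stated simplification; the excerpt in SAMPLE_EMAIL is taken from the link lines of the email quoted above, and the bluehost.com.example.net host used below is a constructed lookalike.

```python
import re
from urllib.parse import urlsplit

# Registrable domain the emails claim to come from (from the posts above).
LEGITIMATE = "bluehost.com"

# Plain http(s) URLs as they appear in an email body.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Deliberate simplification: hosts under multi-label public suffixes such
    as co.uk need the Public Suffix List to be split correctly. It is enough
    for the .com and .ru hosts in the emails quoted above.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(url, legitimate=LEGITIMATE):
    """Say where a link really goes and whether it merely dresses itself up as `legitimate`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    brand = legitimate.split(".")
    labels = host.split(".")
    # The brand's labels appear somewhere before the real suffix,
    # e.g. my.bluehost.com.<hash>.co19331.tmweb.ru; the true suffix position is excluded.
    brand_in_prefix = any(
        labels[i:i + len(brand)] == brand
        for i in range(len(labels) - len(brand))
    )
    return {
        "url": url,
        "host": host,
        "registrable_domain": reg,
        "is_legitimate": reg == legitimate,
        "spoofs_brand": reg != legitimate and brand_in_prefix,
        "uses_tls": parts.scheme == "https",
    }


def audit_links(email_body, legitimate=LEGITIMATE):
    """Extract every URL from an email body and analyse each one, in order of appearance."""
    return [analyse_link(u, legitimate) for u in URL_RE.findall(email_body)]


# Link lines from the email quoted above, used as sample input.
SAMPLE_EMAIL = """\
To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru/server/1012/reactivation.html

Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help
"""

if __name__ == "__main__":
    for v in audit_links(SAMPLE_EMAIL):
        verdict = "OK" if v["is_legitimate"] else ("SPOOF" if v["spoofs_brand"] else "OTHER")
        print(f"{verdict:5} {v['host']}  (really {v['registrable_domain']})")
```

Paste the raw message body in, not the rendered HTML, so that the link targets rather than the link text are examined. A link that comes back as anything other than the host’s own registrable domain is reason enough to contact the host through the address book rather than through the email, regardless of what the message claims about the account.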

SiteLock’s Poor Cleanup Leads to Website Being Down Long After It Should Have Been Back Up

We continue to be troubled by companies and other entities that get involved with the web security company SiteLock, as even a quick check would show how they take advantage of their customers. Unfortunately, far too many web hosts and WordPress continue to do that. Is the money SiteLock is providing them really worth the damage they are helping to cause?

We recently ran into yet another example of the mess they cause, not just for those that unfortunately hire them, but for the public, as their actions in this situation would lead to a website remaining hacked (and causing more of the negative impact the hack causes) after it should have been fixed.

We were recently contacted by someone who said that multiple websites in an account they had with the web host Bluehost had been shut down due to malware, and they were looking for some sort of help.

It wasn’t clear what kind of help they were looking for, as the message just said “Help!” after mentioning that the websites had been taken down. That isn’t much to go on, so we first asked them what evidence Bluehost had presented that the websites were hacked, seeing as we have seen some rather bad false positives coming from Bluehost in particular, and in general from SiteLock-partnered web hosts. That being said, these days the majority of websites we are contacted about in this type of situation are in fact hacked. Usually Bluehost and the other web hosting brands of the Endurance International Group (EIG) (which is run by the majority owners of SiteLock) will provide a list of files that are impacted, or some example files or URLs, along with the email informing the customer that their account has been disabled. For someone who knows what they are doing, that evidence is usually enough to determine if the claim is legitimate.

The response we got didn’t answer our question. Instead, the person who contacted us responded that they were having the websites transferred to another hosting provider because they felt the deal between Bluehost and SiteLock was a scam. We then explained that if the websites were hacked it would not be a good idea to do that, as it could make it harder to properly clean up the websites: transferring them could cause both metadata on the files (most importantly the last modified date) and the logging for the website during the time of the hack to no longer be available. That information can sometimes be important to make sure all of the files have been cleaned, and it is very important for determining how the website was hacked and therefore what needs to be done to fix it and make sure it doesn’t happen again.
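If a move is unavoidable, the evidence described above can at least be captured first. Here is an added example (ours, not something from the original post or from any host’s tooling) that records each file’s last-modified time and SHA-256 hash before anything is copied, so that the modification window of the hack can still be reconstructed afterwards and the pre-move and post-move copies can be compared. The sample tree built in run_demo(), including its file names and timestamps, is constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Record relative path, size, last-modified time (UTC) and SHA-256 of every regular file under root."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files carry no useful evidence here
            st = os.stat(full)
            records.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_file(full),
            })
    records.sort(key=lambda r: r["path"])
    return records


def save_inventory(records, out_path):
    """Write the inventory as JSON; keep it outside the site tree so it is not itself migrated."""
    with open(out_path, "w") as fh:
        json.dump(records, fh, indent=2)


def modified_between(records, start_iso, end_iso):
    """Paths whose mtime falls inside [start, end]; useful once the first sign of the hack is dated."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [r["path"] for r in records if start <= datetime.fromisoformat(r["mtime"]) <= end]


def run_demo():
    """Constructed sample tree (not a real site): one untouched file and one file added a day later."""
    root = tempfile.mkdtemp(prefix="inventory-demo-")
    out_dir = tempfile.mkdtemp(prefix="inventory-out-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        index = os.path.join(root, "index.php")
        with open(index, "wb") as fh:
            fh.write(b"abc")
        os.utime(index, (1500000000, 1500000000))   # 2017-07-14T02:40:00Z, constructed
        added = os.path.join(root, "wp-content", "uploads", "cache.php")
        with open(added, "wb") as fh:
            fh.write(b"<?php /* constructed sample of a file the attacker dropped */ ?>")
        os.utime(added, (1500086400, 1500086400))   # exactly one day later, constructed
        records = inventory(root)
        save_inventory(records, os.path.join(out_dir, "inventory.json"))
        return records
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(out_dir, ignore_errors=True)


if __name__ == "__main__":
    for r in run_demo():
        print(r["mtime"], r["sha256"][:12], r["path"])
```

Run it on the old host before the transfer and again on the new one afterwards; a differing hash for the same path means the copy was altered in transit, and a differing mtime means the copy did not preserve timestamps (most FTP uploads stamp the upload time, whereas rsync -a and tar keep the original). The web server’s access logs live outside the document root and are not covered by this inventory; download them separately before the old account is closed.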

After notifying them of that, as well as mentioning that assuming this was a scam was not a good idea, since the majority of the time in this type of situation the websites have been hacked, they told us they thought the websites were hacked. So they were moving websites they thought were hacked to get around their web host having taken an action to protect the public (though also possibly to make people more likely to hire SiteLock).

What they also mentioned was that they had in fact tried to get the website cleaned before doing that. The problem is that they hired SiteLock and, not surprisingly based on everything we have seen over multiple years, the website wasn’t actually cleaned up properly. Instead of SiteLock working to get things properly resolved after they failed the first time, they wanted more money: $200 a month to manually clean out malware. The fact that SiteLock offers a service that will continually remove malware is on its own a good indication that they don’t properly clean up hacked websites, as when done properly the website shouldn’t need to be continually cleaned up.

After that we told them again that moving the websites was not a good idea and that it would likely take longer to get them back up that way, which they said was their main concern, than by getting them properly cleaned up. At that point they said they would take their chances.

Taking their chances turned out to be a bad bet. We are usually able to clean up hacked websites in a few hours, and while there is some variability in how long it then takes Bluehost and other EIG brands to restore access, it is usually done within 24 hours (and can happen much sooner than that). When we went to take a look the next day to see what had happened so far, we found that the website was still being hosted by Bluehost and not accessible. Another day later we took another look and the result was the same.

Properly Handling Such a Situation

As if another reminder were needed, this situation is a good example of why everyone should avoid SiteLock. At best you might get lucky and their poor cleanup doesn’t lead to your website being hacked again right away, but you are going to greatly overpay for what you are getting. On top of that, SiteLock often tries to lock people into unneeded ongoing services that people then have a variety of problems trying to cancel.

If you are contacted by a SiteLock-partnered web host with a claim that your website is infected with malware or is otherwise hacked, we would recommend that you first get a second opinion as to whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and/or SiteLock will provide, which usually is something that should already have been provided to you. We are always happy to provide that second opinion for free, and we would hope that others would as well.

If the website is hacked, then what we would recommend, if you can afford it, is to hire someone who properly cleans up hacked websites to do that for you. A proper cleanup involves three basic components: removing anything added by the hacker, securing the website (which usually mainly involves getting the software up to date), and trying to determine how the website was hacked. In a lot of cases it actually costs less to hire us to properly clean up a website than it would to hire SiteLock for their improper hack cleanup.

We have repeatedly seen people instead try to clean it up themselves and cause themselves more problems, as they often don’t even know how or what to clean up (we recently have had a lot of people contact us who had incorrectly just deleted the example files their web host listed). That often leads to continuing problems, which are then exacerbated by them purchasing security products and services that claim they will protect websites from being hacked but don’t live up to that (which isn’t surprising, since we have yet to run across one that is promoted with evidence, much less evidence from independent testing, that it is effective). At that point they bring us in to clean things up, which, if they had just done that in the first place, would have led to the issue being quickly resolved and them spending less money.

Is SiteLock Not Even Saying What Website They Are Claiming is Vulnerable?

A few days ago we discussed a Forbes article about a report from the web security company SiteLock that claims to be a score of how likely a website is to be compromised but seems to be based on nothing: despite claiming a website had a “Medium” likelihood of compromise, SiteLock couldn’t point to any way that the website would be compromised other than ones that are not considered in their score. In that post we noted that previously we have had people come to us after SiteLock had contacted them and claimed that there was a vulnerability on their website, but wouldn’t give them any details of it. It looks like they can provide even less information, as the following portion of an email sent to someone who was formerly a customer of one of their web hosting partners shows:

It is baffling that telling the owner of a website which one of their websites is claimed to have a vulnerability, without providing any details whatsoever of the vulnerability, is going to somehow expose the vulnerability.

What is a bit odd about this message is that Bluehost’s name is incorrectly capitalized as “BlueHost” with the “h” capitalized when it shouldn’t be. It seems like you should get your partner’s name right, especially when that partner is ultimately run by SiteLock’s owners. Without seeing the rest of the email we can’t tell if there is any indication that this is actually another phishing email being sent to Bluehost customers, like the one that came up last week when Bluehost was pushing someone to hire SiteLock to deal with a non-existent malware issue. Though that phishing email actually mentioned a specific website.

One alternate explanation that isn’t too far out there considering SiteLock’s track record and the fact this person isn’t even with the web host anymore is that there is no basis for the claim. By not mentioning a website they might hope to get more interest from webmasters than if they mentioned one and it wasn’t important.

False Claim From Bluehost Phishing Email Leads to Bluehost Trying to Sell Unneeded SiteLock Service

On a daily basis we are contacted by people looking for a second opinion after their web host and/or their web host’s security partner SiteLock claim that their website contains malware. While a lot of the time there really is some hack of the website that has occurred, though not necessarily involving malware, there are many instances where the claim turns out to be false. There have been many different reasons for that, and one of the latest seems like it might be the worst one yet, since the web hosting partner, Bluehost, tried to sell someone on a $1,200 a year security service from SiteLock based on false information from a phishing email that didn’t even claim there was malware on the website.

What we were told at first about the situation didn’t make sense to us. The website’s owner said they were told by their web host Bluehost that their website was using excessive MySQL resources and that the cause was malware. MySQL is a database system and malware and other hacks rarely involve interaction with a database, so we didn’t understand where the belief that malware would be the cause would have come from. Looking at the website made things seem odder. The one possibility we could think of is that if a hack added spam content to a website it could cause increased traffic to the website, which in turn could increase MySQL resource usage. Not only did we not see any indication of that type of issue, but there was also the fact that the website was built with the Weebly website builder software, which seems unlikely to be hacked in that way or to use much in the way of database resources.

After asking if Bluehost provided any more information that might make their conclusion that malware was the cause seem more reasonable, we were forwarded the following email that had started the situation:

Bluehost abuse12@bluehost.com via annika.timeweb.ru

11:16 PM (12 hours ago)

Dear Bluehost customer [redacted]:

It has come to our attention that your site is using an excessive amount of MySQL resources on your BlueHost.Com account. This is causing performance problems on your website as well as for other customers that are on this server. It can cause our servers to crash and cause additional downtime.

Our research shows that server performance degrades when the MySQL usage is over 1,000 tables and/or 3 GB on a single account or 1,000 tables and/or 2 GB on a single database. In order to ensure optimal performance for your account and the others in your shared hosting environment, we request that you reduce the MySQL usage on your account to under these limits in 14 days.

You must confirm the current copy of our Terms of Service here:
http://my.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]
How to fix:
http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]

Terms of Service Compliance Department
1958 South 950 East
Provo, UT 84606
Phone line: (888) 401-HOST Option 5 | Fax line: 801-765-1992

The very beginning of that caught our attention first, as it referenced “annika.timeweb.ru”, which doesn’t seem like where an email from Bluehost should be coming from. A Google search on that showed that this email was part of an ongoing phishing campaign against Bluehost customers. Later on in the email the URLs being linked to are intended to look like they belong to Bluehost by starting with “my.bluehost.com” and “mysql.bluehost.com”, but the rest of the domain is “687fe34a901a03abed262a62e22f90db.d0013151.atservers.net”. The server that domain is hosted on is in Belarus.
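The two tells described above (a “via” domain that doesn’t match the sender’s address, and links whose hostnames merely start with a trusted name) are mechanical enough to check before anyone acts on such an email. The following is an added example written for this post, not code from Bluehost or from us; it runs over a constructed copy of the header line and the two links quoted above and flags both. It assumes `bluehost.com` is the only domain we trust, and it reduces a hostname to its last two labels, which is a simplification (a production check would consult the Public Suffix List so that names like `example.co.uk` are handled correctly).

```python
"""Flag lookalike links and sender/"via" mismatches in a suspicious email.

Added example for illustration; not code from the web host or the post's
author. Sample inputs are constructed from the email quoted on the page.
"""
import re
from urllib.parse import urlsplit

# Assumption: the registrable domains we expect legitimate mail and links to use.
TRUSTED_DOMAINS = {"bluehost.com"}

# Constructed samples, modelled on the phishing email above ([redacted] kept as-is).
SAMPLE_HEADER = "Bluehost abuse12@bluehost.com via annika.timeweb.ru"
SAMPLE_BODY = """You must confirm the current copy of our Terms of Service here:
http://my.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]
How to fix:
http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]
"""

URL_RE = re.compile(r'https?://[^\s<>"]+')
# Matches the "address via domain" form a webmail client shows when the
# message was actually sent on behalf of the From address by another domain.
VIA_RE = re.compile(r"(\S+@\S+)\s+via\s+(\S+)")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: the real registrable domain depends on the Public Suffix
    List; for the .com/.net/.ru names in this example two labels suffice.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """'trusted' if the registrable domain is one we expect, 'lookalike' if a
    trusted name only appears as a subdomain of something else, else 'unknown'."""
    host = host.lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    for brand in TRUSTED_DOMAINS:
        # The trusted name is present as a whole label sequence, but it is not
        # the part that decides who controls the host.
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return "lookalike"
    return "unknown"


def audit_links(body: str) -> list:
    """Extract every URL from the body and classify its hostname."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        findings.append({
            "url": url,
            "host": host,
            "registrable": registrable_domain(host),
            "verdict": classify_host(host),
        })
    return findings


def audit_sender(header: str) -> dict:
    """Compare the address shown as the sender with the 'via' domain."""
    match = VIA_RE.search(header)
    if not match:
        return {"address": None, "via": None, "mismatch": False}
    address, via = match.groups()
    address_domain = address.split("@", 1)[1]
    mismatch = registrable_domain(address_domain) != registrable_domain(via)
    return {"address": address, "via": via, "mismatch": mismatch}


if __name__ == "__main__":
    sender = audit_sender(SAMPLE_HEADER)
    print(f"sender {sender['address']} via {sender['via']}: "
          f"{'MISMATCH' if sender['mismatch'] else 'ok'}")
    for f in audit_links(SAMPLE_BODY):
        print(f"{f['verdict']:9} {f['registrable']:15} {f['url']}")
```

Run as a script it reports the sender mismatch (`bluehost.com` versus `timeweb.ru`) and both links as `lookalike` with the registrable domain `atservers.net`. The point of `classify_host` is that a hostname is read from the right: whatever a link starts with, the organisation that controls it is the one that owns the registrable domain at the end.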

Since this was a phishing email there was not anything wrong with the website. So that makes Bluehost’s claim that it was malware and that the SiteLock service should be purchased when they were contacted even odder. The Bluehost support person must not have checked to ensure that the issue the customer was contacted about actually existed, despite a phishing campaign going on making false claims along those lines. Even then it doesn’t make sense to say this was malware based on the claimed MySQL resource usage issue. So what explains it?

Well it might have something to do with the fact that Bluehost gets 55% of the revenue from sales of SiteLock services through their partnership, or that SiteLock’s owners also run the parent company of Bluehost, the Endurance International Group. Based on what we have heard in the past it sounds like when support persons don’t know what is going on they may blame malware for it and point people to SiteLock.

In any case, it is a good reminder to make sure to get a second opinion when you are contacted by SiteLock or their web hosting partners so that you don’t end up spending over a thousand dollars a year on something you don’t need. If you were really hacked you also don’t need to spend anywhere near that amount of money to get the website properly cleaned up (SiteLock doesn’t even properly clean up websites for their high fees).