Mr.ToKeiChun69 Defacement Campaign Seems to Be Targeting Websites Hosted with Endurance International Group (EIG) Brands

Yesterday we were contacted by someone looking for a second opinion as to whether the web security company SiteLock’s claim that their website contained malware was true. The website’s owner believed that their web host BlueHost and SiteLock might be trying to scam them.

In the case of this website it wasn’t hard to determine that the website was hacked, as this is what was shown on the homepage:

That type of hack is referred to as a defacement hack.

That may have been what SiteLock was referring to as malware because, as we found while previously giving someone a second opinion, for some reason SiteLock labels evidence of a defacement hack as malware (that seems to be a general issue, as they also labeled a spam link that way).

After we let the website’s owner know that unfortunately the website was hacked, they responded that they felt it was an inside job. We didn’t believe that to be the case, but instead of just saying that was unlikely, we wanted to be able to provide more concrete evidence.

One way to do that would be to find some other websites hit with the same defacement that were not hosted with the same web hosting company or another one partnered with SiteLock. When we did a search on Google for “Mr.ToKeiChun69” the first result was a page documenting defacements by Mr.ToKeiChun69 on the website Zone-H.org, which documents defacements of websites.

In looking at some of the websites that had been defaced by Mr.ToKeiChun69 we found that they all were hosted by web hosting brands owned by the Endurance International Group (EIG). Their brands include BlueHost, as well as A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. SiteLock has a “security partnership” with EIG where SiteLock pays EIG a majority of the fees from services sold through the partnership. The majority owners of SiteLock also run EIG.

While that might lead some to see the worst case, that this was an inside job, for us it didn’t. But it did seem rather odd that all the websites would be at one web hosting company, and that was possibly an indication that the company has some security problem.

To better understand if there was really a correlation between the web hosting provider and these defacements we did a more thorough check of where the defaced websites were hosted. We checked the first ten websites listed on the 1st, 11th, 21st, 31st, and 41st page of results for this defacement on Zone-H.org. That covered websites that are dated there as far back as June 29.

Below are the results. We have listed each domain name, the IP address it currently is hosted on, and finally the ISP listed for that IP address or the web host. The ISP Websitewelcome.com is connected to HostGator and Unified Layer is connected to BlueHost, though the websites might be hosted with other EIG brands.

With 49 of the 50 websites currently being hosted with EIG, that would certainly seem to point to there being some correlation between the web host and the hackings. With something that doesn’t have a connection to a web host, you would expect to see a fair number of different web hosts showing up across that many websites.

So what about the one website that isn’t currently hosted with EIG? It turns out it was hosted with them at the time it was defaced. The IP address of the website on June 29 according to Zone-H.org was 192.185.44.88, which is one connected to HostGator. The records for the domain name were changed on July 4, which is probably when the web hosting was changed.
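The tally described above, as an added example that is not the authors' own tooling: it parses records in the same "domain: IP (ISP)" layout, groups ISP labels under a parent company using the two associations the post states, and lets the IP recorded at defacement time override the current lookup, which is the case of the one website that had since moved. The domains, documentation-range IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# ISP label -> parent company, limited to the associations stated in the post.
# Any label not listed here is counted as its own, unrelated provider.
PARENT = {
    "Websitewelcome.com": "EIG",  # connected to HostGator
    "Unified Layer": "EIG",       # connected to BlueHost
}

# One record per line: optional bullet, "domain: a.b.c.d (ISP label)".
LINE = re.compile(
    r"^\s*(?:•\s*)?([A-Za-z0-9.-]+):\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\(([^)]+)\)\s*$"
)

# Constructed sample in the post's layout (placeholder domains, RFC 5737 IPs).
SAMPLE = """\
Page 1

  • site-a.example: 192.0.2.84 (Websitewelcome.com)
  • site-b.example: 192.0.2.84 (Websitewelcome.com)
  • site-c.example: 198.51.100.75 (Unified Layer)
  • site-d.example: 203.0.113.58 (A2 Hosting)
"""

# Constructed archive data: domain -> (IP, ISP) as recorded when the
# defacement was archived. Only needed where it may differ from today's DNS.
ARCHIVED = {"site-d.example": ("192.0.2.88", "Websitewelcome.com")}


def parse_records(text):
    """Return a list of {domain, ip, isp} dicts; headings and blanks are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            domain, ip, isp = match.groups()
            records.append({"domain": domain.lower(), "ip": ip, "isp": isp.strip()})
    return records


def parent_of(isp):
    """Map an ISP label to its parent company, or to itself if unknown."""
    return PARENT.get(isp, isp)


def tally(records, archived=None):
    """Count websites per parent company.

    When `archived` has an entry for a domain, the host at the time of the
    defacement is counted instead of the current one, and the domain is
    reported in `moved` if its IP address has changed since.
    """
    archived = archived or {}
    counts, moved = Counter(), []
    for rec in records:
        isp = rec["isp"]
        if rec["domain"] in archived:
            old_ip, old_isp = archived[rec["domain"]]
            if old_ip != rec["ip"]:
                moved.append(rec["domain"])
            isp = old_isp
        counts[parent_of(isp)] += 1
    return counts, moved


def share(counts, parent):
    """Fraction of all counted websites attributed to `parent`."""
    total = sum(counts.values())
    return counts[parent] / total if total else 0.0


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for label, arch in (("current hosting", None), ("at defacement", ARCHIVED)):
        counts, moved = tally(recs, arch)
        print(f"{label}: {dict(counts)} EIG share={share(counts, 'EIG'):.0%} moved={moved}")
```

A high share on its own only shows concentration; as the post goes on to say, it does not distinguish between selective targeting, selective reporting and a host-side weakness.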

We don’t know what the cause of this is. It could be that the person or persons behind the Mr.ToKeiChun69 defacements is only targeting EIG hosted websites, has been unsuccessful in targeting websites at other web hosts, or is only notifying Zone-H.org of websites hosted with EIG. What would seem more likely is that they are taking advantage of some security issue in EIG’s systems.

To be clear we don’t think that this is an inside job.

We notified the person that contacted us about the correlation, which they hopefully will pass along to BlueHost.

SiteLock and Bluehost Falsely Claimed a Website Contained Malware Due to SiteLock’s Poor Scanner

When it comes to the web security company SiteLock, one of the frequent complaints is that they and their web hosting partners falsely claim that websites have malware on them. After that happens the web hosting company frequently suspends access to the website and pushes the customer to hire SiteLock to clean up non-existent malware. We thought it would be useful to look at an example of this we were recently consulted on, as those dealing with the possibility of a false claim should know a number of things when dealing with it.

This situation involved the web host Bluehost. Bluehost is one of many brands the company Endurance International Group (EIG) does business under. Some other major ones are A Small Orange, FatCow, HostGator, iPage, IPOWER, and JustHost. The company’s web hosting brands are very open about having a partnership with SiteLock. What they have, at least in the past, refused to acknowledge publicly is that the partnership involves EIG getting 55 percent of revenue for SiteLock services sold through that partnership (that information was disclosed to investors). That obviously raises some serious questions, and it probably explains in large part a lot of the problems that arise from that partnership. What they also don’t disclose to their customers is that the majority owners of SiteLock are also a member of the board and the CEO of EIG, so they are well aware of SiteLock’s practices.

What we have repeatedly said is that if you get contacted by SiteLock or one of their web hosting partners claiming that the website is infected or otherwise is hacked, you should not ignore it. While there are plenty of situations like the one discussed here where there is a false claim, the claim is also often true. For a hacked website, the longer you wait to properly clean it up, the bigger the problem can be. Instead we recommend that you first get any information that SiteLock and/or the web host will provide and then get a second opinion as to whether the website is hacked. We are always happy to provide that and we would hope that other security companies would as well (when someone contacts us about a hacked website we always make sure it is actually hacked before taking on a cleanup).

One of the reasons for getting a second opinion is that someone familiar with hacked websites should understand how to easily check the validity of the claims made, while someone not familiar with the situation might try doing checks that won’t necessarily be very useful. In this situation one of the things the website’s owner did was to download a copy of the website’s files and run them through a malware scanner. That is likely going to fail to identify many files that contain malicious code, because a malware scanner for a computer isn’t designed to detect those files (our experience is that scanners designed to scan website files don’t produce great results either).

When we were provided the information that the website’s owner had received, the first element that caught our eye was this result of SiteLock’s malware scanner:

What was shown was rather odd as the malware scanner claimed to have detected a defacement hack (labeled as “SiteLock-PHP-HACKEDBY-klw”), which isn’t malware. So at best the scanner was incorrectly labeling a hacked website as containing malware, when it had a different issue.

More problematic is that it looks like they might be flagging websites as being defaced just because they have text that says “hacked by” something. That could produce some rather bad false positives, since this post itself could be claimed to contain malware simply by using that phrase. They also mark that detection as having a severity of “Urgent”, despite that.

So was the website defaced as that scan seemed to indicate? The website was taken down by the point we were contacted, which wouldn’t need to be done just because there was a defacement and makes it harder for someone else to check over things (whether intentional or not, it seems like something that makes it easier to push someone to hire SiteLock to resolve the issue). Looking at the Google cache of the website’s homepage though, we were able to see what happened.

The website’s page contains a section that shows RSS feed items from other websites. One of those websites had been impacted by a vulnerability in outdated versions of WordPress that allowed defacing posts, and the results of that defacement were showing on this website:

That “hacked by” text showing there didn’t mean this website was infected with malware or otherwise hacked, and the website didn’t pose any threat. That is something that anyone from Bluehost or SiteLock familiar with hacked websites should have spotted by looking over the website for a few seconds, but clearly that didn’t happen, even when they suspended access to the website. Both of them have an incentive to not check to make sure the website is hacked, since they have a monetary interest in selling security services in this situation even though they are not needed. As we mentioned recently it appears that when you are in contact with SiteLock you are dealing with a commissioned sales person, not a technical person, so they might not even understand what is actually going on either (one situation we looked at recently would strongly seem to indicate that as a possibility).

Looking at the files that Bluehost had listed as being infected, they were just cached copies of the content from the website that had the RSS feed section in them. So there wasn’t any malware in them.
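The false positive described above, as an added example (this is not SiteLock's scanner, whose logic is not public): a bare phrase match flags the cached page, while a triage step that compares each matching text node against the titles of the external feed items the page displays shows the text originated elsewhere. The sample pages, feed titles, group names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The phrase the post suspects is being matched on its own.
SIGNATURE = re.compile(r"hacked\s+by\b", re.IGNORECASE)

# Constructed sample: a cached page whose RSS widget shows a defaced post
# title pulled from another website.
CACHED_PAGE = """<html><head><title>Our Shop</title></head><body>
<h1>Our Shop</h1>
<div class="rss-widget"><ul>
<li><a href="https://blog.example/?p=12">Hacked By ExampleCrew</a></li>
<li><a href="https://blog.example/?p=11">Autumn newsletter</a></li>
</ul></div>
</body></html>"""

# Constructed sample: titles currently served by the external feed.
FEED_TITLES = ["Hacked By ExampleCrew", "Autumn newsletter"]

# Constructed sample: a page that really has been replaced by a defacement.
DEFACED_PAGE = """<html><head><title>Hacked by OtherCrew</title></head>
<body><h1>HACKED BY OtherCrew</h1></body></html>"""


def naive_scan(html):
    """Offsets of every phrase match in the raw file, with no context."""
    return [m.start() for m in SIGNATURE.finditer(html)]


class TextNodes(HTMLParser):
    """Collect text nodes, ignoring anything inside <script> or <style>."""

    def __init__(self):
        super().__init__()
        self.nodes = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and not self._skip:
            self.nodes.append(text)


def normalise(text):
    """Collapse whitespace and case so titles compare reliably."""
    return " ".join(text.split()).casefold()


def triage(html, feed_titles):
    """Classify each text node containing the phrase.

    'syndicated': the node is exactly a title from a feed the page displays,
                  so the defacement is on the feed's source website.
    'local':      no feed item accounts for it; the page needs a real review.
    """
    known = {normalise(title) for title in feed_titles}
    parser = TextNodes()
    parser.feed(html)
    parser.close()
    findings = []
    for node in parser.nodes:
        if SIGNATURE.search(node):
            origin = "syndicated" if normalise(node) in known else "local"
            findings.append((origin, node))
    return findings


if __name__ == "__main__":
    for name, page in (("cached page", CACHED_PAGE), ("defaced page", DEFACED_PAGE)):
        print(name, "raw hits:", len(naive_scan(page)), "triage:", triage(page, FEED_TITLES))
```

A "syndicated" result still means someone should notify the source website, which is the step the post says Bluehost and SiteLock skipped.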

It also seems that no one from Bluehost or SiteLock bothered to contact the other website to let them know that their website was actually hacked, seeing as it was quickly fixed after we notified them of the issue they had.

At this point the website’s owner is planning to move to a new web host, which doesn’t seem like a bad idea (we think that people should avoid web hosts that have partnered with SiteLock even if they have yet to run into this type of situation).

Bluehost Had Different Response to a Hacked Website When the Press Questioned Their Pushing SiteLock

When it comes to SiteLock and their taking advantage of people, a critical component of that successfully happening is their partnerships with various web hosting providers. These partnerships do not seem to be based on the web hosting companies thinking that SiteLock is a really great company to help out people with security issues (from everything we have seen over several years they don’t even understand the basics of what they are supposed to be doing); instead the web host is getting a significant amount of money when SiteLock sells services through their partnership. In the case of the parent company of Bluehost, the Endurance International Group, they disclosed to investors that they receive 55% of the revenue (they seem to be unwilling to disclose that to the broader public, as one of the company’s other web hosting brands won’t even acknowledge that they are getting paid). In the case of Bluehost and the other web hosting brands owned by the Endurance International Group there is likely another reason for the partnership: the majority owners of SiteLock are also the CEO and a board member of the Endurance International Group.

In theory this would likely lead to a bad situation for customers: the web hosts have an incentive to treat a security issue in a way that makes them the most money, and SiteLock would necessarily be overcharging people, since over half the fee for the service doesn’t go to them. In the real world things look a lot like that. Take, for instance, what is described in an article from NBC’s San Francisco Bay Area station, when their problem solvers looked into Bluehost’s handling of a hacked website:

But recently, Rose’s website was taken down. A message on the site read “temporarily unavailable.” She didn’t know how or why it happened, but she did know it would hurt business.

“It means we don’t get sales, so I don’t make money,” Rose said.

Scrambling to get her site back up, Rose called Bluehost, her hosting site, and was connected to SiteLock, a website security company.

Rose said SiteLock referenced an email it had sent her – that it detected malware on her site. Rose recalled the email, but had dismissed it as spam. After all, she didn’t do business with SiteLock; she’d never even heard of the company.

Still, Rose said SiteLock told her she had to pay upwards of $120 a month to fix the malware and get her site up and running again.

Over a year that $120 a month plan would work out to $1440, which is much more than you normally pay to have a website cleaned and purchase a security service (the $648 that SiteLock would get would be more in the realm of reasonable).

When Bluehost was contacted by NBC they had a very different response:

Bluehost explained that SiteLock is a security partner, and it did in fact find malware on Rose’s site. So it took down the site so the malware wouldn’t spread to other websites hosted by Bluehost.

Bluehost acknowledged that the SiteLock email could be perceived as spam, so it’s working to evolve its email communications.

And eager to help out Rose, Bluehost jumped in and fixed her site for free. Boo Boo’s Best is back in business.

That’s right, Bluehost has the capability to clean up hacked websites themselves and it didn’t cost anything for the customer. It’s telling how different the response from Bluehost was when what they are doing was having some light shined on it. We have to wonder if they were concerned that if they didn’t get this cleared up quickly, then more digging might have been done and the reality of their partnership might get more exposure.

The takeaway seems to be that if you run into this situation you should make a public scene about it, or better yet, before that can ever happen move to a web host that isn’t partnered with SiteLock so you don’t risk running into this (properly securing your website would also limit the chance of this, but not entirely, as SiteLock is known to sometimes falsely claim websites have been hacked).

A Case Study in SiteLock Leaving a Website Insecure While Labeling It as Being Secure

When it comes to the security of websites we frequently see that while security basics are often not being done, security companies are pushing more advanced security products and services. Sometimes those two things come together: last month we looked at one cyber security company that claims to have “clients in the intelligence community, DoD and nearly every cabinet agency” and isn’t bothering to keep the software running the various parts of their website up to date while telling the public they need to take advanced measures to protect their websites. As we mentioned in a post the other day, by comparison the web security company SiteLock does keep the software on their own websites up to date, while leaving the software out of date on their customers’ websites that they are supposed to be securing. We ran across another example of that while looking at one of their case studies that is supposed to show how great their services are.

The case study is missing basic details that would be needed to understand what was actually going on and if SiteLock had done anything to actually secure the website. The post claims the website in the case study was targeted by cybercriminals, but they don’t even mention what type of attack there was:

When cybercriminals began to target Airspeed-Wireless.com last year, he became alarmed. Spiridigliozzi took an investigative approach and soon determined the attacks were coming from an IP address in Iran. His host-provided security options were limited so instead he blocked the malicious IP, hoping it would solve the problem. Unfortunately it did not and the hacking attempts continued.

Most hacks are not targeted, so it is entirely possible that what was actually happening was that the website was being hit as part of mass hacks that weren’t even trying to exploit vulnerabilities relevant to the website and there wasn’t a real threat.

Blocking IP addresses is not an effective security measure because if there is actually a vulnerability then a hacker could easily get around the block by simply using another IP address. It is important to note that the web host, the one that SiteLock says has limited security options, is Bluehost, which is not only a SiteLock partner, but its parent company, Endurance International Group, is run by the owners of SiteLock. SiteLock’s partners get paid handsomely for pushing SiteLock services, so providing poor security options would likely be financially advantageous for them (that might be a good reason to avoid web hosts that have partnered with SiteLock).

The case study then moves on to another website:

During the process Spiridigliozzi was attacked again, this time on a website he was developing. The new attack came from an IP address in Morocco. The hacker injected malware into the newly developed site and taunted Spiridigliozzi by engaging him in online chat.

There is no explanation as to how the website was hacked, which would be important information for people to know to protect their own websites and to determine if SiteLock could have actually prevented it and whether there might be a more effective way to do that.

In the next section they tout their TrueShield Web Application Firewall:

SiteLock also wanted to provide Spiridigliozzi with a preventative solution. They installed the SiteLock® TrueShield™ Enterprise Web Application Firewall (WAF) on Airspeed-Wireless.com. This top tier WAF blocks bad bots, the Open Web Application Security Project (OWASP) Top 10 threats, backdoor connections and meets PCI standards.

First it is worth noting that contrary to how they promote the service, this isn’t actually their service, instead they just slap their branding on Incapsula’s WAF.

Next, just the other day we discussed an instance where one of their customers using the WAF was hacked again and they were told that they don’t cover backdoor access:

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point.  They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

That obviously doesn’t match up with their claim in the case study that the WAF blocks backdoor connections.

Then they claim that numerous threats were blocked:

Since it was installed, TrueShield has blocked 9,478 malicious threats, five SQLi attempts, and 27 visitors from blacklisted IP addresses.

What stands out is the fact that most of the threats that were supposed to be blocked are vaguely “malicious threats”, but a few SQL injection attempts are broken out even though those would also be a malicious threat. That vagueness is important since the reality is that probably only a small fraction of one percent of hacking attempts have the possibility of being successful (many hacking attempts will involve trying to exploit vulnerabilities in software not being used on a website, for example). A useful measure would be how many of the blocked attempts would have actually led to the website being exploited if not running through the WAF. SiteLock probably doesn’t have any clue as to that sort of thing since they don’t actually provide that service.

The next section points to SiteLock’s odd idea of how to protect a website:

Spiridigliozzi is grateful for the upgraded security, “The SiteLock suite of security tools now allows me to be more proactive in preventing unwanted visitors and bots from accessing my website, the dashboard gives me an immediate indication of any problems and I also receive email alerts if there are any issues.”

If there is a vulnerability on a website the best way to protect against it is to fix it. Trying to stop people that might exploit it is going to be harder to do, and SiteLock doesn’t provide evidence of its effectiveness.

It turns out that the website is actually insecure now in an easy to check for way. It is running an outdated version of Magento with known security vulnerabilities:

[Image: outdated Magento version]

Magento does provide patches for older versions, so an outdated version might be secure, but in this case the website MageReport.com reports that the security patch that provides the same fixes as Magento 1.9.3 is not installed (both the security patch and Magento 1.9.3 were released on October 11):

[Image: security patch 8788 not applied]

SiteLock seems to be unaware of this as they are currently labeling the website as secure:

[Image: insecure website labeled secure]

The Previous Case Study Is Running An Outdated Version of Joomla

In the case study that preceded the one we just discussed, SiteLock promoted its scanning service:

The SiteLock 360-degree Security Scan was placed on bluedgebiz.com. As the name suggests, the scan provides a comprehensive scan of Wilson’s entire site. This includes a complete malware, network, spam, SQL Injection, and Cross-Site Scripting scan. With this scan, Wilson is alerted immediately if suspicious code or vulnerabilities are found.

In the past we discussed that we couldn’t find evidence that SiteLock was actually able to find vulnerabilities, and a past commenter who had gotten their scanning service ended up with their website hacked four months later. Neither of those points to this service being that great, but the other issue with this is that even if you are alerted to vulnerabilities you would need to take action.

Clearly something hasn’t worked in the case of this website as the website is currently running an outdated version of Joomla, 3.6.3:

[Image: outdated Joomla version]

Version 3.6.4 was released on October 25. That version fixed “three critical security vulnerabilities” and by critical, Joomla really meant it in this instance as websites still running older versions (the vulnerabilities existed back to version 3.4.4) were quickly being exploited (it should be noted that Joomla provided a heads up to everyone four days before that version was released).

Looking At How SiteLock Sells Their Services Versus the Reality Behind Them

We recently have been taking a close look at the practices of the web security company SiteLock after finding that not only were they providing poor quality services (as is par for the course for web security companies), but a lot of what they look to be doing falls closer to outright scamming. We thought it would be useful to show how some of what we have found comes into play in their interactions with a customer. To do that let’s look at a recent complaint from one of SiteLock’s customers that hits on a number of issues with what SiteLock is doing.

After their website had been hacked in February of last year SiteLock sold them on one of their services:

[L]ast February we purchased “SiteLock Premium” for $500/year. I was told this was the best security product available. With it, I would have a firewall that would prevent any further attacks.  And since it runs “in the cloud” it would actually make our site faster. We were assured that SiteLock has never been hacked and even if we are hacked, our site would be cleaned.

There are a number of issues we see with that.

We are not sure how SiteLock’s website never being hacked (if that were even true) would mean that their customer’s website wouldn’t be hacked. That would seem to require the same practices being done on both, but that isn’t the case, as we will get to later in the post.

Then there is the issue that as best we can tell SiteLock’s web application firewall (WAF) isn’t actually their own; instead they are reselling Incapsula’s WAF service. That raises several issues. One is that SiteLock promotes the service as if they are providing it; if they would lie about that, you can reasonably wonder what else they are not being honest about. Since the service involves sending the website’s traffic through the CDN, that means all the traffic is flowing through a company that SiteLock’s customers are not even aware of, much less have a relationship with. Finally you have to wonder if SiteLock is even aware of how good or bad the WAF is at protecting against attacks, since it isn’t actually something they run.

Another serious issue is that SiteLock failed to do a basic part of a proper hack cleanup, making sure that the software is brought up to date. In this case the website is still using Joomla 2.5:

[Image: A Website That Is Supposed to be Secured by SiteLock is Still Running Joomla 2.5.28]

That version of Joomla reached end of life on December 31, 2014 and therefore was not receiving further security updates. So any cleanup in 2015 should have included upgrading to a supported version of Joomla. (It is important to note that SiteLock is certainly not alone in failing to do this important part of a hack cleanup; many providers cut corners like this.)

By comparison SiteLock does keep their website up to date. Both their blog and their WordPress focused sub-domain, wpdistrict.sitelock.com, are using the latest version of WordPress:

[Image: The SiteLock Blog is Running WordPress Version 4.6.1]

[Image: SiteLock's The District Website is Running WordPress Version 4.6.1]

Keeping the software running your website up to date is going to provide real protection, whereas other security services may not (we haven’t seen SiteLock present any evidence that their services provide better protection than doing the security basics). It’s telling that SiteLock does that for their own website, but doesn’t for their customers.

More Money

One of the things we frequently see brought up with SiteLock is that after someone purchases one security service that was supposed to protect the website and then doesn’t, they want to sell you more expensive services (that was even mentioned by someone who was praising their service (and then deleted their post for some reason)). Remember that this person was sold a $500 a year plan that they say SiteLock claimed was the “best security product available”, then the website got hacked again and they are pushing a $720 a year plan:

We were recently informed by SiteLock that our site had sustained a Pharma attack that had inserted links directly into our code. This attack could not be automatically cleaned their software could not remove the malware systematically without risking bringing down our site. The SiteLock technician suggested that we purchase their “Infinity Scan” product for $60 /month.  That product includes manual cleaning of our site.

Again there are multiple issues raised here.

You can start with the fact that SiteLock makes a big deal about their automated malware removal in their marketing material, but never mentions that it can have the serious problem of taking down a website. It also seems to us that in an instance where it isn’t up to the task they shouldn’t be charging extra to deal with the situation, as it is unable to do what it is promoted to do (and considering their track record you would also have to wonder if they sometimes claim it couldn’t to get more money from people).

The other troubling aspect of this is that they have a service that provides manual hack cleaning on a repeated basis. If a website is properly cleaned then it shouldn’t get re-hacked, so unless you are not taking basic security measures or get unlucky and get hacked through multiple zero-day vulnerabilities in a year you shouldn’t need multiple cleanups in one year. The fact that they provide this would be a red flag on its own that they don’t do proper hack cleanups, but we already knew that SiteLock doesn’t properly clean up hacked websites, so you don’t have to wonder about that.

What seems to have happened here is another example of that. So how did SiteLock explain how the website was hacked again after they were brought in:

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point.  They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

The backdoor access must have either existed when SiteLock was first brought in to deal with the website, and should have been handled during the cleanup, or was gained after they were supposed to be protecting the website. In either case we don’t understand how that wouldn’t be on them. The explanation seems to be that since things were set up correctly it couldn’t be their fault, which doesn’t make any sense to us.

Also worth noting here is that their web host, Bluehost, who pushes SiteLock services as one of their “partners”, is ultimately run by the owners of SiteLock and looks to be getting a majority of the money from services sold through their partnership (which explains the high price of SiteLock’s services and the low quality for the amount paid). That isn’t something they publicly disclose, and it is something that one of the other web hosts owned by the same company, HostGator, wouldn’t even acknowledge after it was pointed out that those facts were coming from their parent company.

WordPress Giving Legitimacy to SiteLock By Allowing Them to Sponsor and Attend WordCamps

As we have continued to hear more troubling stories from the public about the web security company SiteLock’s business practices and seen the damage they can cause, we have been very troubled that other organizations would provide them with legitimacy by getting involved with them.

One set of organizations is the various web hosts that had partnered with them. We recently found that the CEO of the parent company of many of those web hosting partners is also the owner of SiteLock, so it isn’t surprising that those web hosts wouldn’t have a problem with what is going on since their CEO is in on it. It would seem the others are getting paid handsomely to help them out.

Due to SiteLock discovering a couple of vulnerabilities in WordPress plugins some time ago, we had started following their blog for our Plugin Vulnerabilities service. While no more vulnerabilities were disclosed on the blog, we did start noticing that they were sponsoring and attending quite a few of the official conferences for WordPress, WordCamps (and oddly giving presentations unrelated to security, including “Creating a Digital Download Business – What to Sell, How to Sell It and Shortcuts to Success” and “Contact Forms are Boring – 5 Creative Ways to Use Forms in WordPress”). That seems like a really bad idea, considering that the imprimatur of WordPress is then connected with this company, providing them legitimacy they shouldn’t have.

There is also the issue that money SiteLock makes taking advantage of people is funding these WordCamps, which seems reasonable to consider a moral and ethical issue.

It also doesn’t seem to be a great idea to have a company that has shown that they lack a basic understanding of how WordPress responds to security issues, leading them to falsely claim that WordPress websites contain critical vulnerabilities, involved with WordPress events.

Just in the next couple of weeks SiteLock is sponsoring WordCamps in Pittsburgh, Raleigh (with a presentation also not security related, Using Curated Content in WordPress—Why and How), and Dallas. They are also a sponsor of the WordCamp for the whole US in December.

We would like to be able to give you WordPress and WordCamp’s side of the story as to why they are involved with SiteLock, but it has been a week since we contacted them with the following email asking for comment and we haven’t received any response:

We are writing a post about the fact that the security company SiteLock is being allowed to sponsor and attend numerous WordCamps despite being well known for taking advantage of its customers.

We first became aware of their practices after we had written a number of posts about other issues we had noticed involving them and then we started getting contacted by people who had been taken advantage of by them, http://www.whitefirdesign.com/blog/2016/05/03/it-looks-like-sitelock-is-scamming-people/. There is a litany of complaints that can be seen if you do a search on Google for something like “SiteLock scam”, including this page with numerous complaints https://sitelock.pissedconsumer.com/. While some of the complaints seem to be unfair to them, there is a pretty clear pattern of actions that seem quite problematic, to say the least.

We would like to include in our post any comment you might have as to why they are allowed to sponsor and attend WordCamps in light of that, so that the public has a better understanding of why WordCamps would get involved with such a company and take money that has been made by taking advantage of people. We would also like to include in our post any comment you might have as to any restrictions you place on what kinds of companies can sponsor and attend WordCamps.

If they were not aware of SiteLock’s reputation before, it seems they could have at least indicated that and that they are reviewing things, but the lack of response points to them being aware of what SiteLock does and being okay with being involved with them.

If you would like to let them know how you feel about that, you can contact the central organization for WordCamps here. You also might want to contact ones happening locally that SiteLock is involved in, to see if they are aware of what one of their sponsors is up to.

Hosting Recommendation Too

This isn’t the only SiteLock connection with WordPress. As we discussed in a recent post, one of the owners of SiteLock is also the CEO of a major web hosting provider, Endurance International Group. Endurance has many brand names they provide web hosting under, one of those being Bluehost. Bluehost has come up repeatedly in complaints about SiteLock. Bluehost is also one of the web hosts listed on the Hosting page on wordpress.org:

wordpress-bluehost-hosting-recommendation

That page is linked from the top-level menu of the website, so we would assume that brings in a lot of business to them.

One of SiteLock’s Owners is Also The CEO of Many Of The Company’s Web Hosting Partners

SiteLock is a web security company that we originally became aware of and wrote a number of posts about due to our seeing the poor quality of their services when working on clients’ websites that had previously used their services. Due to those posts we started getting contacted about more serious issues with them, namely that in a lot of cases they seem to be scamming people. One of the things that has stood out to us in looking into the situation was the fact that so many web hosts have partnered and continued to stay partnered with them. Was the money that we assumed SiteLock was paying them for the partnership worth the damage to their reputation, seeing as in complaints about them the web host who had partnered with them is frequently brought up?

In looking for some information for another post about the company we ran across the fact that the CEO of a major web hosting provider is also one of the owners of SiteLock (the other owner is a director of the same provider), which does a lot to explain their partnerships and also raises even more questions as to the probity of what is going on between them.

On the about page of SiteLock’s website there is no mention of the ownership of the company, and doing a Google site search of their website didn’t bring up any mention of either of the two entities that appear to be their parent company.

On the website of one of those, UnitedWeb, SiteLock is shown as one of the company’s brands, while the web hosting companies Endurance International Group and IPOWER are listed as public companies:

unitedweb-brands

The connection between all of those entities isn’t clear based on that, though.

A little searching brought us to this page that seemed to point to a direct connection between SiteLock and Endurance International Group, which with more checking seems to be confirmed. Endurance International Group’s latest quarterly report states that:

The Company also has agreements with Innovative Business Services, LLC (“IBS”), which provides multi-layered third-party security applications that are sold by the Company. IBS is indirectly majority owned by the Company’s chief executive officer and a director of the Company, each of whom are also stockholders of the Company.

What is Innovative Business Services? That is the entity that owns SiteLock (referred to as a member on that page). So the CEO and a director of Endurance International Group are the owners of SiteLock.

It is not clear where UnitedWeb falls in that, but it looks like it might be the owner of Innovative Business Services, and then in turn that is owned by the CEO and director of Endurance International Group.

Unless you are very involved in website hosting you probably don’t recognize the name Endurance International Group, but they own many well known web hosts. On the brands page of their website they highlight some of the more high profile ones including A Small Orange, Bluehost, FatCow, HostGator, iPage, and IPOWER:

endurance-international-group-brands

But that just scratches the surface. Here are all of their current brands (most of them appear to be web hosting companies) as listed on the Wikipedia page for the company:

  • 2slick.com
  • AccountSupport
  • Arvixe LLC
  • A Small Orange
  • ApolloHosting
  • AppMachine
  • Berry Information Systems L.L.C.
  • BigRock
  • BizLand
  • BlueBoxInternet
  • BlueDomino
  • Bluehost
  • BuyDomains
  • CirtexHosting
  • Constant Contact
  • Directi
  • Dollar2Host
  • Domain.com
  • DomainHost
  • Dot5Hosting
  • Dotster
  • easyCGI
  • eHost
  • EmailBrain
  • EntryHost
  • Escalate Internet
  • FastDomain
  • FatCow
  • FreeYellow
  • Glob@t
  • Homestead
  • HostCentric
  • HostClear
  • HostGator
  • HostNine
  • HostMonster
  • HostV VPS
  • hostwithmenow.com
  • HostYourSite.com
  • HyperMart
  • IMOutdoors
  • Intuit Websites
  • iPage
  • IPOWER/iPowerWeb
  • JustHost
  • LogicBoxes
  • MojoMarketplace
  • MyDomain
  • MyResellerHome
  • MySocialSuite
  • NetFirms
  • Networks Web Hosting
  • Nexx
  • PUBLICDOMAINREGISTRY.COM
  • PowWeb
  • PureHost
  • ReadyHosting.com
  • ResellerClub
  • Saba-Pro
  • SEO Gears
  • SEO Hosting
  • SEO Web Hosting
  • Site5
  • Southeast Web
  • SpeedHost
  • Spertly
  • StartLogic
  • SuperGreen Hosting
  • Typepad
  • Unified Layer
  • USANetHosting
  • vDeck
  • Verio
  • VirtualAvenue
  • VPSLink
  • Webzai Ltd.
  • WebHost4Life
  • webhosting.info
  • Webstrike Solutions
  • Xeran
  • YourWebHosting