InMotion Hosting Support Center

My website is attacked by phishing attack

Category: Fighting Spam

InMotionFans
n/a Points
Asked:
2014-10-25 11:00 pm EST

Hits: 4,723
Hi there,

Google sent me a phishing notification email few days ago.
Could anyone let me know how to solve the problem?
Also, I found a post with similar issue, but not sure it is the exactly the same problem: http://www.inmotionhosting.com/support/community-support/fighting-spam/phishing-on-my-site


The message in the email is here:

Dear site owner or webmaster of sprintron.com,


We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://www.sprintron .com/~nidhip5/cgi-bin/ggdocsggdocs/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.sprintron.com/~nidhip5/cgi-bin/ggdocsggdocs/

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content


If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

You must login before you can ask a follow up question.

You must login before you can submit an answer.

OTHER ANSWERS

1

scott
Staff
43,761 Points
2014-10-27 7:57 am EST
Hello,

The link that Google gave you is incorrect. It references an account on your server, but it is not yours. Google sends that message out to anyone who is on the same server, but only the account referenced has an issue. You can ignore the message as it does not apply. We have contacted Google about this, but they have yet to adjust the way they determine the affected site and notify it. You do not have to worry about the server security as the affected site was infiltrated through the normal means of weak password or brute force, ie: their site was compromised at the site level.

Kindest Regards,
Scott M

You must login before you can post a comment about this answer.

Hi Scott,

Thanks for the response.
However I found the link from Google is correct (there is a blank in between, I removed it):

http://www.sprintron.com/~nidhip5/cgi-bin/ggdocsggdocs/
In the link it shows "Phishing attack ahead"
It makes me concern since it is really under our domain name (http://www.sprintron .com)

Also, I wonder the really hacked account you mentioned is "nidhip5"?

Thank you!
FollowUpQuestion
6 Points
2014-10-27 4:55 pm EST
Hello,

If you go to the link, you are met with a Google warning page. You can click through it if you like, but it leads to a suspended page for an account. Your account is not suspended, so the link is not really on your account. The username of the hacked account is in the link, so you can tell that is not yours. Even if you get a future email about another account, as long as the username is not yours you are safe. Still, this does mean that the account in question was compromised so it is always good to take this time to ensure your passwords are secure and changed regularly.

Kindest Regards,
Scott M
scott
43,761 Points
Staff
2014-10-27 5:02 pm EST
Got it! Thanks for the explanation~
FollowUpQuestion
6 Points
2014-10-29 5:07 pm EST
Like this Question?

Forum Login

You are NOT logged in. You can still browse our Support Center.

To participate within our Community Support Forum:

Need more Help?

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!