Has My Site Been Hacked?

I got an email saying my site has been hacked and a folder called pomo/chaseonline/login.php has been placed on the wp-includes directory. Sure enough, that folder is on my site and it sure looks suspicious, but I want to confirm before deleting it and get Warriors' advice as to what else I need to do.

Please have a look at the email below... is this in itself part of the scam, or legit?

Any help and advice much appreciated!

Dear Website Administrator,

We are contacting you to report that your website ledflashlightsreviewed.com has been compromised and fraudulent content targeting our client Chase Bank has been placed at:

Chase Personal Banking Investments Credit Cards Home Auto Commercial Small Business Insurance


IP Address: 184.154.128.18

A criminal has placed this fake login page for the purpose of credit card fraud and identity theft. Please remove all files related to this attack and take action to secure your website.

We are an Internet security company located in Tacoma, Washington. If you are unable to resolve this problem yourself, please contact your webhost for assistance.

Additionally, we invite you to help us and the Anti-Phishing Working Group (APWG) in the fight against phishing.

Please help us to educate consumers who are fooled by this criminal web site. You can do this by pointing the illegal URL to an educational page at:

Welcome to APWG & CMU's Phishing Education Landing Page

The instructions on how to implement it can be found here:

AWPG/CMU Phishing Education Landing Page - How to redirect

We can be reached 24/7 if you have any questions.

Best Regards,

--
IID -- on behalf of Chase Bank
Actively Securing the Extended Enterprise

E-mail: alert@internetidentity.com
Office: +1.253.590.4100 | Fax: +1.425.699.6597

II Email Number 175777 II
Case Number: SIT111680
  • Robert Michael
    Seems legit to me.

    Why would a site about flashlights need a Chase Online login?

    Also, most of the time when people say their site was hacked, they eventually find the problem originated from a plugin they had installed.

    So you might want to double-check your plugins if you have any. Just a heads-up in case you do.

    Also, a quick call to those phone numbers that they gave you (hell, or even a Google search on them) might give you the answer you're looking for.
  • ATH
    Why would somebody tell you to remove their scam?
    "I'm gonna rob a bank"
    "ok, got your mask and gloves and shotgun and getaway driver and a guy to help you?"
    "yah hold on lemme make this phone call"
    "who you callin"
    "the bank"
    "why?"
    "so they know I'm comin"
    • forrestsmyth
      Thanks Whos That Guru for the suggestion a plugin may be the cause. I called the number and got a whole string of options so didn't speak to anyone, but the company seemed legit. I also Googled various combinations of pomo and chaseonline etc. but came up with nothing to suggest it was a common scam.

      ATH: My logic was that scammers might perpetrate a phishing scam by emailing site owners and telling them a folder on their site which was actually part of the WP install had been placed there by hackers. As pointed out by Whos That Guru, it's highly unlikely that there would be a 'chaseonline' folder as part of the WP install, but to those like me, new to this WP thing, anything is conceivable, so I thought it worth getting advice before deleting any files from my WP installation!

      By the way ATH - love your ironic sense of humor.
  • Awesomo
    I got this email too, consulted my friend who is a webmaster. He says it's probably some plugins... Gave me a scare when my hosting threatened to suspend my account.
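One way to answer the question this thread started with (is a folder under wp-includes part of the WordPress install or not) is to compare the live tree with a clean, unpacked copy of the same WordPress release. This is an added example, not code from any poster in the thread; the function names are hypothetical and the sample trees in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def _tree(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit_core(live_root, clean_root):
    """Compare a live WordPress tree with a clean copy of the same release.

    Returns (extra, modified): files present only in the live tree, and files
    whose contents differ from the clean copy. Review both before deleting.
    """
    live, clean = _tree(live_root), _tree(clean_root)
    extra = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return extra, modified

def _write(root, rel, data):
    """Create a small text file at root/rel, making parent folders as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed sample trees; real use points at the site and a fresh download."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = os.path.join(tmp, "live"), os.path.join(tmp, "clean")
        for root in (live, clean):
            _write(root, "wp-includes/pomo/mo.php", "<?php // core file\n")
            _write(root, "wp-includes/version.php", "<?php // core file\n")
        # Constructed: the path from the report, absent from the clean copy,
        # plus one core file whose contents were changed.
        _write(live, "wp-includes/pomo/chaseonline/login.php", "<?php // fake\n")
        _write(live, "wp-includes/version.php", "<?php // changed\n")
        return audit_core(live, clean)

if __name__ == "__main__":
    extra, modified = demo()
    print("not in clean copy:", extra)
    print("differs from clean copy:", modified)
```

Run it against wp-includes and wp-admin only: wp-content (themes, plugins, uploads) and wp-config.php legitimately differ from a fresh download and need a separate review.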
