Social engineering content detected, what could be the problem?


#1

So yesterday I had a problem where people could not sign up to our forum, they either didn’t receive mail or were given this error message:

“Something went wrong, perhaps this email is already registered, try the forgot password link”

Now since I was running a giveaway at the time, it was urgent to correct that, and with the guidance of @codinghorror I did a rebuild.

Two hours later I have this email in my inbox

Social engineering content detected on http://techweez[.]com/

To: Webmaster of http://techweez[.]com/,

Google’s Safe Browsing systems have detected that some pages on your site might be hacked or might include third party resources such as ads that are designed to trick users into installing malicious software or giving up sensitive information. To protect your site’s visitors, your site has been demoted in Google’s search results and browsers such as Google Chrome now display a warning when users visit your site.

Act now to fix this problem and remove the warning:

1. Identify compromised pages: Check the example URLs in the “Security Issues” page in Search Console. Note that this page displays a list of samples and not an exhaustive list of problematic URLs. (View examples)
2. Remove the deceptive content: If you’re having trouble identifying and removing all the problematic content on your site, consider restoring an older version of your site. If you have ads on your site, ensure that they are not designed to trick or deceive visitors.
3. Secure your site from any future attacks: Identify and fix any vulnerabilities that caused your site to be compromised. Change passwords for administrative accounts. Consider contacting your hosting service to assist with the issue.
4. Request a security review: Only do this once you’re sure your site is free of problematic content. Include any details or documentation that can help understand the changes made to your site. (Request a review)
Here is a sample of URLs from your site where we detected social engineering content:
http://forums.techweez[.]com/t/now-downloading-windows-10-anniversary-update/667/39


What could be wrong and how can I correct it?


(Jeff Atwood) #2

Do you serve ads or anything unusual? Also

Check the example URLs in the “Security Issues” page in Search Console

Look at those URLs.

Since this is for your entire domain, why does it have to be Discourse? Is Discourse literally the only content on your domain?


#3

Jeff, thanks for responding to this. I currently have no ads outside of Adsense, and that’s on the main domain. There are no ads on Discourse, and the example given is a discourse entry. I have gone through all the links in that forum entry and I don’t find any with a problem.


(Jeff Atwood) #4

If you view source on the URL do you find any “extra” links or content?

Also try viewing the page as Google crawler in case your server was compromised and is serving “special” content only to Google’s webcrawler. This is a common tactic.


#5

On Google Search console, this is the link with a problem


#6

Can’t find anything, which makes me wonder, could what Google captured be the same reason users couldn’t sign up earlier and that it’s corrected with the upgrade?


(Mittineague) #7

Are you offering “driver downloads”?

I’ve seen quite a few dodgy sites that have supposed Windows drivers downloads that aren’t from a Microsoft site.

I’d be more suspicious about them containing malware than I would classify them as social engineering.

But if you look at it not so closely it does seem it could be taken the wrong way. i.e.

A tech site - the niche group is more likely to have an interest in downloading Windows files.
The post contains the text "downloading Windows"
It isn’t a Microsoft site

So a script that didn’t have a human brain to help it make judgement may have simply misclassified the post.

Have you asked for a (hopefully human this time) review?


(Jeff Atwood) #8

Here’s the fetch as Google URL:

https://www.google.com/webmasters/tools/googlebot-fetch

If the page looks clean both in your browser (incognito) and as Google fetch I would ping Google about it… definitely getting this at the moment:

Getting view-source and parsing for URLs on that page, after deleting all the <script> elements, I see:

https://github.com/discourse/discourse version 1f0793ac50f4f8700126b317a02a93419d20f264
http://www.techweez.com/wp-content/uploads/2015/04/icon_256x256_20131015021738-96x96.png
http://forums.techweez.com/t/now-downloading-windows-10-anniversary-update/667
http://forums.techweez.com
http://forums.techweez.com/opensearch.xml
http://forums.techweez.com&amp;2&v=4.5.0
http://forums.techweez.com&amp;2&v=4.5.0
http://forums.techweez.com/t/now-downloading-windows-10-anniversary-update/667.rss
http://forums.techweez.com/uploads/default/optimized/1X/4662bc911550caf24475c56e5c8b3a0e01bde0c0_1_690x387.png
http://forums.techweez.com/t/now-downloading-windows-10-anniversary-update/667
http://159.203.84.138/uploads/default/original/1X/fbad2e4adf39fab2dbb09fb3b7d47d7b4e13dedf.png
http://forums.techweez.com/tags/windows10
http://forums.techweez.com/tags/microsoft
https://support.microsoft.com/en-us/help/12387/windows-10-update-history?ocid=update_setting_client
http://www.techweez.com/2015/11/29/winpad-10-rotation-bug-fix/
http://www.discourse.org

One thing that stands out is this:

http://159.203.84.138/uploads/default/original/1X/fbad2e4adf39fab2dbb09fb3b7d47d7b4e13dedf.png

I suggest removing that, it’s your logo, it should use a proper URL.
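To show the check Jeff describes in this reply in working form, here is an added example (not code from the thread, from Discourse or from Google): it discards `<script>` elements, collects every `href`/`src` URL, and flags any resource served from a bare IP address rather than the site's own domain, which is exactly what the logo URL above looked like. The sample HTML, the `example.com` domains and the `203.0.113.10` address are constructed for the example.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect href/src URLs from a page, skipping everything inside <script>."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":          # drop the element itself (and its src)
            self._in_script += 1
            return
        if self._in_script:
            return
        for name, value in attrs:
            if name in ("href", "src") and value and value.startswith(("http://", "https://")):
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script -= 1


def is_ip_host(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_urls(html, site_domains):
    """Map each collected URL to 'same-site', 'ip-hosted' or 'external'."""
    parser = LinkCollector()
    parser.feed(html)
    result = {}
    for url in parser.urls:
        host = (urlparse(url).hostname or "").lower()
        if is_ip_host(host):
            result[url] = "ip-hosted"
        elif any(host == d or host.endswith("." + d) for d in site_domains):
            result[url] = "same-site"
        else:
            result[url] = "external"
    return result


def suspicious(html, site_domains):
    """IP-hosted resources first: these are the ones to replace with a proper hostname."""
    return sorted(u for u, c in classify_urls(html, site_domains).items() if c == "ip-hosted")


# Constructed sample page modelled on the thread; not the real forum HTML.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://forums.example.com/assets/app.css">
<script src="https://cdn.example.net/app.js"></script>
<script>var u = "http://203.0.113.99/not-a-link.exe";</script>
</head><body>
<img src="http://203.0.113.10/uploads/default/original/1X/logo.png">
<a href="https://forums.example.com/t/topic/1">topic</a>
<a href="https://support.microsoft.com/en-us/help/12387">update history</a>
</body></html>"""

if __name__ == "__main__":
    for url, kind in classify_urls(SAMPLE_HTML, ["example.com"]).items():
        print(f"{kind:10} {url}")
```

Run it against a saved view-source of the flagged page (and, separately, against the same page fetched as Googlebot) to compare the two URL lists; any resource that appears in only one fetch deserves the same scrutiny as an IP-hosted one.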


#9

Thanks @codinghorror, I made the changes and yes @Mittineague, I have requested for a review.


(Luke S) #10

I wonder if it might be twigging off of the “Now downloading” phrase in the title? I would expect such phrasing to be a common part of the page payload on shady, fake-downloads sites.


#11

UPDATE: Google review returned positive.

Google has received and processed your security review request. Google systems indicate that http://techweez[.]com/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.