Are my websites a victim of (phishing) scam?

Discussion regarding Joomla! 2.5 security issues.

Medija
Joomla! Fledgling
Posts: 2
Joined: Fri Apr 04, 2014 2:23 pm

Are my websites a victim of (phishing) scam?

Post by Medija » Fri Apr 04, 2014 3:08 pm

Hi,


Several days ago, a notification appeared across a number of websites I built in Joomla 2.5.

The notification starts with "You have reached a domain that is pending ICANN verification.." and so on.

In that notification, it says a captcha needs to be typed in order to resend the verification email but there is no captcha displayed, only a placeholder for the picture where captcha should be.

I did not receive any prior email from ICANN.

I contacted one of the companies through which the domains are registered; their response was that ICANN does not inject notifications into websites, especially not with country-code top-level domains (.rs domain extension). They instructed me to contact the company where the websites are hosted.

I contacted HostGator, the company where the websites are hosted, but they have not given any reply for days now.

I tried to look for a solution online by typing the notification text that appears on my websites into Google search; all I was able to find are more websites where the same notification is displayed.

I updated one of my Joomla websites that was not up to date, from version 2.5.14 to 2.5.19; it did not help.

Does anyone know if this notification on my websites comes from ICANN or it is a phishing scam from someone who broke into the websites and injected the notification?

If this is something a scammer did, how to fix the websites and delete that notification? I never had my Joomla websites vandalized by a hacker before, this is the first time I'm in this situation.
Last edited by Medija on Sat Apr 05, 2014 9:31 am, edited 1 time in total.

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Are my websites a victim of (phishing) scam?

Post by mandville » Fri Apr 04, 2014 6:30 pm

Starting on 01-01-2014 ICANN, the Internet Corporation for Assigned Names and Numbers, began requiring that all domain name registrants enter valid registrant information. To enforce this new policy all domains now must verify their registrant information. When a domain name is registered a verification email is sent to the email address entered as the Registrant contact address. This email will contain a link allowing the information to be verified.

If the information is not verified within fourteen days of registration the domain name will begin to direct to an ICANN landing page which can be used to request that the verification email be resent. Once the information has been verified it can take 24 to 48 hours for it to begin pointing to the site built with Webs.

If you did not enter any information or did not enter valid information you will not receive the email. In these cases you will need to update your registrant information through your Webs account in order to receive the email allowing you to verify the registrant information on file. Information may be updated by going to Dashboard, then Domains & Email, and then Registration Info. Be sure to scroll down and click the "Save Whois Settings" button after updating information.

The new ICANN validation process helps increase the reliability of each domain’s contact information, in case your registrar needs to contact you for any reason. If you currently own a domain, and trigger the validation process (see below), you will receive an email from your domain registrar. XMission customers, for example, will receive an email from OpenSRS, our registrar.

The email will contain a link that you must click. The link will take you to the following site: domainadmin.com

What triggers the validation process?

New domain registrations
Transfers
Any contact information update
WHOIS data reminder policy (WDRP) email bounce
Expired Registration Recovery Policy (ERRP) email bounce

To what TLDs (top level domains) does this apply?

This applies to all existing TLDs and new TLDs.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

dsrpmedia
Joomla! Intern
Posts: 92
Joined: Thu Sep 27, 2007 4:53 am

Re: Are my websites a victim of (phishing) scam?

Post by dsrpmedia » Fri Apr 04, 2014 11:22 pm

I am having the same issue (GoDaddy shared hosting). I contacted GoDaddy and they said all my domain authentications are OK, and that this message is being generated from inside my Joomla install (2.5.19) - most likely from a plugin/module/component referencing the file

<script src="//cdn.optimizely.com/js/711892001.js"></script>


However, I have downloaded my entire site so that I could use the Dreamweaver 'find' tool to search all the source code in the entire site - and nothing.

If anyone can figure out what is loading this message it would be greatly appreciated.

leolam
Joomla! Master
Posts: 19553
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Are my websites a victim of (phishing) scam?

Post by leolam » Sat Apr 05, 2014 3:39 am

dsrpmedia wrote: if anyone can figure out what is loading this message it would be greatly appreciated.
In case of the original poster that code is included. See http://sitecheck3.sucuri.net/results/ww ... centar.com

Run your site through that scanner and you will see that it is probably present.

https://www.optimizely.com/opt_out

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

Medija
Joomla! Fledgling
Posts: 2
Joined: Fri Apr 04, 2014 2:23 pm

Re: Are my websites a victim of (phishing) scam?

Post by Medija » Sat Apr 05, 2014 9:30 am

Mandville, thank you for the quotes. The problem is that there was no prior verification email being sent from ICANN.

Dsrpmedia, I was able to identify what was causing the notification to appear: it is the module Plimun Nivo Slider. The notification does not come from ICANN.
That module used to be in the Joomla Extension Directory; its current status says it is unpublished and under investigation.

In the Joomla Forums I found the solution for removing the code that was causing the notification to appear:
http://forum.joomla.org/viewtopic.php?t=795946

Leolam, thank you

Denco
Joomla! Fledgling
Posts: 2
Joined: Sat Apr 05, 2014 12:00 pm

Re: Are my websites a victim of (phishing) scam?

Post by Denco » Sat Apr 05, 2014 12:32 pm

Hello everyone,

I have had this same problem for about a week now; it appeared across the website (You have reached a domain that is pending ICANN verification.) etc.

Please help me to solve this problem.

Can someone explain to me step by step how to fix this problem?

Thanks in advance

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Are my websites a victim of (phishing) scam?

Post by mandville » Sat Apr 05, 2014 1:40 pm

Simple. Check your site to see if you have any extensions installed from Autson.com AKA iNowWeb.com AKA Plimun.com (possibly more).
Extensions from this developer/company contain malicious code that fetches a file from their server and inserts it into your site.
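
One way to run the check described in the post above, as an added example that is not part of the original thread or of any Joomla tool: walk the downloaded site, read each extension manifest (root element `<extension>`, or `<install>` for legacy packages) and flag vendor names from the post, then list PHP lines that name them in plain text. The sample tree, its file names and the `mod_slider` folder are constructed for the demo; an encoded or obfuscated URL in PHP would not match.

```python
import os
import re
import xml.etree.ElementTree as ET

# Vendor names taken from the post above (matches "Plimun Nivo Slider" too).
SUSPECT = re.compile(r"autson|inowweb|plimun", re.I)
FIELDS = ("name", "author", "authorUrl", "authorEmail")

def manifest_hits(path):
    """Manifest fields naming a suspect vendor; [] if not a Joomla manifest."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return []
    if root.tag not in ("extension", "install"):  # current and legacy roots
        return []
    values = ((f, (root.findtext(f) or "").strip()) for f in FIELDS)
    return [f"manifest {f}={v}" for f, v in values if SUSPECT.search(v)]

def scan(site_root):
    """Walk a Joomla tree; return sorted (relative path, reason) pairs.
    PHP files are matched on plain-text references only."""
    findings = []
    for folder, _dirs, files in os.walk(site_root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, site_root).replace(os.sep, "/")
            if name.lower().endswith(".xml"):
                findings += [(rel, hit) for hit in manifest_hits(path)]
            elif name.lower().endswith(".php"):
                with open(path, errors="replace") as fh:
                    findings += [(rel, f"line {n} names suspect vendor")
                                 for n, line in enumerate(fh, 1)
                                 if SUSPECT.search(line)]
    return sorted(findings)

def build_sample_site(root):
    """Constructed demo tree: one clean module, one flagged module."""
    samples = {
        "modules/mod_menu/mod_menu.xml": "<extension><name>mod_menu</name></extension>",
        "modules/mod_slider/mod_slider.xml":  # hypothetical folder and file name
            "<extension><name>Plimun Nivo Slider</name>"
            "<authorUrl>http://www.plimun.com</authorUrl></extension>",
        "modules/mod_slider/helper.php":
            "<?php\n// constructed sample\n$src = 'http://autson.com/';\n",
    }
    for rel, text in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
```

Call `scan()` on the root of a downloaded copy of the site; each finding names the extension folder to review in the Extension Manager.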

Denco
Joomla! Fledgling
Posts: 2
Joined: Sat Apr 05, 2014 12:00 pm

Re: Are my websites a victim of (phishing) scam?

Post by Denco » Sat Apr 05, 2014 2:33 pm

Thanks very much, problem fixed.

dsrpmedia
Joomla! Intern
Posts: 92
Joined: Thu Sep 27, 2007 4:53 am

Re: Are my websites a victim of (phishing) scam?

Post by dsrpmedia » Sun Apr 06, 2014 11:56 pm

yes thank you - that was my problem as well

poseyfair
Joomla! Fledgling
Posts: 1
Joined: Thu Jan 22, 2015 6:49 pm

Re: Are my websites a victim of (phishing) scam?

Post by poseyfair » Thu Jan 22, 2015 6:59 pm

I am sooooo lost... I know very little, but the local fair has asked me to help them as I am an IT guy. They have the ICANN issue but I don't know where to start to repair this for them. Any assistance would be great... they are a non-profit and I am a volunteer.

