When Security is NOT Important
The initial contact
We received a website contact from a client in nearby Chicago Illinois. They currently had a basic five-page brochure website and wanted to completely re-brand their corporate image. They wanted someone close enough but not someone from Chicago due to the Chicago pricing. We thought that was more than reasonable. We covered what they were thinking and went through all of our initial questions. To this point they had avoided giving us their web address as it wasn't what they considered a good site. While talking we tried to find the site on any of the search engines and couldn't – and we soon found out why.
Our initial impression was like "uh oh". We were immediately stopped by Malwarebytes Anti-Malware as the site appeared to have malicious content on it. This immediately raised a red flag and they were confused as it loaded fine for them. Their website was an older site. There was no modern day content management system (CMS) like WordPress, Joomla, or any. They had to update it through FTP (file transfer protocol). They logged into their website and showed us the code through Skype screen sharing. We did inquire what the password was as we saw it only had four asterisks in the saved password box. The password was 1234 which was a very generic password (problem 1). As we they showed us what they last modified nothing out of the ordinary was there. It looked like decent HTML content.
As we continued our Skype call we had even more red flags coming out of the woodwork. The system was targeting every computer and was set to delete files from their Desktop (this is where the owners always saved their files). The company team members were getting angry at the two people let go (problem 5). As we talked we told them they couldn’t get mad or accuse those two as (1) passwords were never changed, (2) they hadn’t changed the password in 11 years (yes that long), and (3) there was no logging kept to determine who did what within their system.
We did multiple things on this initial call for them.
- We checked all the images that nothing was malicious was store in them, and uploaded the changes.
- We encouraged them to know that they may want to contact their legal team and let them know what happened and see about putting a notice on their site (Update: The legal team didn’t see a reason at this time to disclose the breach).
- All of the passwords were changed to more complex passwords and all 12 characters or more and completely random using our free password system.
- We have started the process of informing the search engines, Malwarebytes, and other malware sources that the errors of the past have been corrected. This will not happen overnight and they know this has hurt their online reputation. Maybe not to individual people but to the search engines that send people their way.
- They asked us for a recommendation for an IT company as we don't do IT work. We provided them one of our recommended IT companies we know that works out there and was familiar with their particular industry. Being we were talking to them early in the day the IT company was out at their location in a matter of four hours and has cleaned up their computers, put in-place a starting computer policy, and are continuing to develop an overall company plan.
Whether you are from a growing town in Northwest Indiana or in a big city like Chicago security should always be paramount in your mind when it comes to your website and your business. Whether it is a simple site like the one above or a complex one that needs continual updating like a modern day content management system (CMS). Your website is the first line many of your customers will see. You want to always present your best foot forward and always have good and accurate information. Your website is your online employee. Treat it with as much respect as that of any other employee working for you.
If you would like to talk about how to upgrade your website, create a new website, change or enhance your company brand JM2 Webdesigners of Valparaiso (Valpo) Indiana is here to help you with our in-house team of designers, content writers, and software developers. We can be reached at 219-229-1633, email at sales@FawkesDM.com, or through our online contact form here.