
Fake Email To Clients - Quite The Mess
pwtgirl 09-27-2007, 05:07 AM My apologies if this is not placed in the correct area.
Recently the owner of a hosting company (we'll call them company X for now) emailed all of our current hosting customers.
This new company informed the customers by email that they purchased our hosting company and as a result wanted to welcome each of them to the new company. This welcome came with links to sign up for their new hosting account, and along with signup of the new account they of course would have to pay for the new service.
We did not sell our company nor had we sold our clients. It appeared to me a typical fake email scam just like the ones most people get from paypal, ebay, banks, etc each day.
You glance over the email, "common sense" kicks in, you think for a moment and then realize it's either a fake email, or you get on the phone or ticket system and check just to make sure that the email is legit.
The mess I'm dealing with now is that several of our prepaid clients followed the links, paid and signed up for new hosting services with this new company, then promptly changed their nameservers to the new hosting and then after all that contacted us to ask about refunds for the money they already prepaid to us.
Um hello! What on earth made them wait to contact us until after they paid more money and then changed their sites to a new location? It's quite the mess to clean up.
My question is, has anyone else ever seen something like this happen? With all the spam crap I get every day I've yet to come across such a clever way of confusing people into signing up with a new hosting company.
Company X even pasted a copy of the email they sent our clients to pastebin and then made several new entries to pastebin for the emails that were undelivered due to delivery failure notices and posted full headers and the error messages with the email intact.
The owner of company X states he didn't send the emails to our clients but cannot answer why he has had so many new signups and why they are all clients from our company. I'm going insane and basically just wanted to know if this has ever happened to anyone else.
I've not posted company names at this time because I'm trying to minimize the exposure of the ordeal. If you want to see the pastebin links or know the name of company X please let me know. I just don't want our company name and company X to get any further into Google results than they currently are thanks to the issue.
GarethP 09-27-2007, 05:22 AM Does company X run an affiliate system? If they do, company X could check to see if it was one of their affiliates that did this, and then ban them.
If they do not run an affiliate system, then why would anyone else (other than company x) want to do something like this? There would be no financial gain from it.
Have you checked the email headers to see where the emails originated from?
pwtgirl 09-27-2007, 05:52 AM That's the thing that has me so mad.
The email headers from the emails that were sent to our clients are identical to the email headers from the emails from company X's owner explaining to us that he didn't send out the notice.
I've even got email from several of our customers that fell for the scam and bought the new hosting. One of those customers flat out asked company X's owner why he had to pay again when he had already renewed annually with us. Customer asked for a refund or credit for what he already paid us. Company X told him they couldn't refund but would provide the services at a great discount to keep his business after the acquisition of buying our company.
The original emails to our customers were signed by company X's owner with all his contact info including instant messenger contacts listed.
He said if we provide him a list of the domains he will look into the issue, but that he didn't send our customers an email and is not responsible. Blah, he has not responded to my last contact further showing him the headers or showing him that his full contact info was included in the emails.
In the meantime I've contacted ThePlanet, which hosts his company, and asked for any help their abuse department can give.
Added details:
One of the shared hosting accounts on our server was hacked two weeks ago. Techs for us reported the defacing of that one account was done via 777 folder permissions for a cms script. We were able to handle the issue and clean up the mess with only the one account being attacked.
Now, almost 2 weeks after the first fallout, our customers were contacted via the email address listed in the WHM as the domain contact email for each of the shared hosting accounts.
This mess is really driving me insane. Like I said earlier, I've seen plenty of email spam in the past to get unsuspecting users to provide user/password/bank information. I have never seen something like this done to gain new hosting customers; it's a brand new ball of wax to me.. LoL
IH-Rameen 09-27-2007, 05:55 AM How did anyone get access to your entire client base details in the first place?
pwtgirl 09-27-2007, 06:05 AM
> How did anyone get access to your entire client base details in the first place?
We have no clue.
I'm guessing that it had something to do with the one shared hosting customer who got hacked weeks ago. The support provided to us by our reseller simply told us that that shared customer had most of his files set to 777; this allowed the way in for that customer's account in our WHM to be attacked.
They cleaned up the mess and told us all was good. There have been no further problems and we got rid of that shared customer to avoid him reloading the same backups to the server and starting the mess all over again.
My only thought is that maybe they got access to that information at the time.
Immediately after, we changed all passwords for each client and passwords for the WHM. We then went account to account and looked over every file in each customer's account.
All has been well until now with the email fiasco.
GregoryS 09-27-2007, 08:47 AM I believe this would be a criminal offense, I would report this to the authorities for fraud.
You are entitled to receive compensation for this.
This is no joke and you should contact an attorney and seek the proper action and file a claim against the x company for damages that you have received.
GS
HostThree 09-27-2007, 09:24 AM
> I believe this would be a criminal offense, I would report this to the authorities for fraud.
> You are entitled to receive compensation for this.
> This is no joke and you should contact an attorney and seek the proper action and file a claim against the x company for damages that you have received.
> GS
If it's a criminal offence then he has no need to get an attorney, as the state would do this on your behalf.
If it was me, I would make a report with the police, even if it's just to make them aware of the issue. If it gets worse then you can get the police to look into it.
Scott
GregoryS 09-27-2007, 09:31 AM If he wants compensation for this because he has lost some valuable business, he can file a suit claim for damages that he has received.
I would just call an attorney and ask for advice; there is no charge for this.
Depending on the suit claim and the attorney fees you can make the call then which route you want to go.
In most cases a simple attorney letter can help and you can receive compensation without going to court.
Greg
AH-Tina 09-27-2007, 09:56 AM I'm still not clear on how they managed to get your client list?
--Tina
pwtgirl 09-27-2007, 11:33 AM
> I'm still not clear on how they managed to get your client list?
> --Tina
Hi Tina
I'm sorry I can't give any detailed information on how they got access, because I don't have a direct answer from my reseller.
As I mentioned previously, the server was hacked a few weeks ago through some 777 folders and files on one of the shared accounts that was using an outdated CMS script; the customer on that account had almost all of his files set to 777.
After talking yesterday to our host, from whom we buy the reseller account, about this latest incident with the email spam/phishing ordeal, he said, "The attacker got in through a backdoor on the server".
Now what backdoor I don't know; he didn't provide that information.
AH-Tina 09-27-2007, 11:36 AM
> Hi Tina
> I'm sorry I can't give any detailed information on how they got access, because I don't have a direct answer from my reseller.
> As I mentioned previously, the server was hacked a few weeks ago through some 777 folders and files on one of the shared accounts that was using an outdated CMS script; the customer on that account had almost all of his files set to 777.
> After talking yesterday to our host, from whom we buy the reseller account, about this latest incident with the email spam/phishing ordeal, he said, "The attacker got in through a backdoor on the server".
> Now what backdoor I don't know; he didn't provide that information.
I'd say it's time to switch providers ASAP. Having an account compromised through an insecure script is NOT the same as having a backdoor on the server. Those are 2 completely different levels of intrusion: the first is only a problem for the user with the insecure script, the second is a problem for everyone on the server.
--Tina
pwtgirl 09-27-2007, 11:39 AM Thank you all for the great advice concerning contacting our attorney. We have actually already done so but are not interested in compensation for the attack.
After crossing all Ts and dotting all Is this morning we have a grand total of two customers that did not question the email and went on to signup for the new service with company X. It is not a large financial loss and we are a small budget hosting group anyhow.
The hardest part of this ordeal has been cleaning up the mess. Fielding questions, sending notes to current customers, LONG phone calls to customers trying to explain, etc, and quickly answering all support tickets for customers that saw the notice but thought better of it and wanted to know what was going on before they purchased with the new company X.
My intentions for this thread were to see if anyone had ever heard of such an issue or experienced something similar.
It just amazes me that this company X would say to hell with an advertising campaign and/or well thought out ways to bring in new customers for his hosting company. Instead of doing the leg work and putting in the effort to get customers he just sends a fake email to ours and bam he instantly has new clients and $$ to go with it.
Orc Webhosting 09-27-2007, 11:47 AM I suggest you report company X to the BBB and the authorities.
pwtgirl 09-27-2007, 11:47 AM Below is a copy of the email sent out to our clients if that helps shed more light on what happened.
Again I thank you all so very much for your suggestions and thank you for allowing me to vent about the situation!
-PwtGirl
To all COMPANYNAME clients / resellers / users,
** COMPANYNAME has been acquired by companyX **.
We are excited to announce that companyX has acquired COMPANYNAME and all accounts. This is a notice to inform you of the acquisition (sent via Web Host Manager - if you require any more info please contact us support@companyX).
companyX is a hosting company backed and established on the foundations of success, reliability, accountability, performance and communication. companyX servers are backed with advanced and state of the art infrastructure ensuring your websites are online and accessible at very fast speeds.
Please contact sales@companyX with your current domain and username. Once we have received your email; we can further assist you in transferring and relocating to our new and improved servers!
(You can choose to keep your current plan or have a custom quote around your specifications; whether new or old)
--------------------------------------------------------------
Here is a glimpse of our 2 best selling plans:
Standard
Quota: 10GB space
Transfer: 100GB/month
Cost: $7.95USD/month or $65USD/year
Setup: FREE
Signup link:
companyX/account/signup.php?clienttype=5&package=13
Deluxe
Quota: 25GB space
Transfer: 200GB/month
Cost: $12.95USD/month or $105USD/year
Setup: FREE
Signup link:
companyX/account/signup.php?clienttype=5&package=3
Features include; Latest cPanel 11 Stable
With; Unlimited Sub domains, Unlimited Email Accounts, Unlimited MySQL databases, Fantastico (hundreds of ready to go scripts!), Image Magick, Web Mail, Unlimited E-mail Aliases, Auto Responders, Unlimited Mailing Lists, Catch Alls, Spam Assassin, Mail Forwarding, IMAP Support, SMTP, Hotlink Protection, IP Deny Manager, Custom Error Pages, Instant Blogs, Instant Portals, Instant PHPnuke, Instant Forums, Instant Guestbook, Web Based File Manager, Password Protected Directories, phpMyAdmin, URL Redirection, Instant Counters, Real time AWStats / Webalizer, Referrer Logs, FREE Shared SSL access, Agora Cart, osCommerce, ZenCart, Cubecart and more!
--------------------------------------------------------------
We look forward to hearing from you all :)
Kind Regards,
companyX - owner's name
companyX
----
E: companyX owner's email
W: companyX
M: companyX owner's msn messenger
(E: email W: website M: msn messenger)
CONFIDENTIALITY NOTICE:
This communication is only for the person(s) named above. Unless otherwise indicated, it contains information that is confidential, privileged or exempt from disclosure under applicable law. If you are not the person(s) named above, or responsible for delivering it to that person(s), be aware that disclosure, copying, distribution or use of this communication is strictly PROHIBITED. If you have received this communication in error, or are uncertain as to its proper handling, please immediately notify us by telephone and e-mail the original to us at the above e-mail address.
Patrick 09-27-2007, 12:27 PM
> I suggest you report company X to the BBB and the authorities.
I usually stay out of this, but reporting anything to the BBB can sometimes be a complete waste of time. They are not a law enforcement agency, and if the business is not even registered with the BBB then even less can be done.
As for reporting this to the authorities, what would you report exactly? I'd like to think (and hope) that they have better priorities than this...
mrzippy 09-28-2007, 05:43 AM lol. Does anyone seriously believe that the owner of "CompanyX" really has no idea about this?
When stuff like this happens, the easiest and most assured way to know who perpetrated it is to look at who is the beneficiary of the action.
Seems to me that CompanyX is the beneficiary. Now add on further "proof" which is that the email headers sent to you by the owner of CompanyX match the headers sent for the email to your customers.
I have never heard of a hacker who sends emails begging people to "go sign up at CompanyX" unless the hacker is getting some kind of benefit.
I'd say that either the owner of CompanyX is lying straight to your face, or he hired someone to do the emails (i.e. an affiliate).
Orc Webhosting 09-28-2007, 06:12 AM Depending on how much of the header information is the same in the mails, even an affiliate might be ruled out.
dean1012 09-28-2007, 11:09 AM I'd like to know who CompanyX is
Orc Webhosting 09-28-2007, 11:57 AM Then be a little bit creative, I found it out from the info provided solely in this thread. :p
pwtgirl 09-28-2007, 12:13 PM
> I'd like to know who CompanyX is
Sent you a PM with the details.
trehug 09-28-2007, 01:04 PM hello pwtgirl - sorry to hear about your situation - but you are doing the right things!
one thing you may want to consider, is that the perpetrator looked up your clients domain whois info, and possibly you have your own info listed somewhere in that data...?
make sure the registrar you use can and does enforce WHOIS PRIVACY. if they cannot - change registrars as soon as you can to one that supports this. it may at least help you out down the road with an extra layer of privacy.
another option - if YOU are managing your clients registrar settings -> lock those registrar settings, so that no changes may be made to them such as transferring registrars, or even just changing the dns records. Yes this adds an extra layer of tasks for your company for things such as domain renewals, etc - but it also gives you more security to stop unwanted domain transfers - even if they originate from your clients themselves.
sure, once in a while you may get a client who attempts to transfer away from you legitimately, and they will have to go through you to get that control (which may tick them off a bit) but if you can handle those occasional incidents, i think locking your registrar records is still advisable.
you are wise to keep the names out of your posts - don't be tempted! as your lawyer has probably advised you already - this could make you actually liable, crazy as that seems.
keep your head up, you are doing the right things - justice may take a lot of effort and time, but stay positive, keep good records and be persistent!! best of luck. /tre
nnwltrs 09-28-2007, 01:42 PM I agree with Mr. Zippy about the owner of company X. I also suspect that he got your client list from someone connected with your reseller.
If Mr X is really innocent, as he absurdly claims, then he would proactively be reimbursing the fraudulent signups and working to return the accounts to you. I don't see that happening.
I won't be surprised if we see other customers of this reseller have the same problem shortly.
trehug 09-28-2007, 01:55 PM look, of course it is obvious what is happening. the problem however, is proving it in such a manner as to satisfy the legal jurisdiction in which it took place. not as simple as it seems, and possibly quite expensive.
it's likely that you should contact mr X's isp. you can get that from the IP address in the headers. Next, under subpoena from the police, start the ball rolling to gather proof that the emails DID originate from his/her ip address, using data from the ISP. With that isp data, and a clear motive, the case becomes stronger - but do not waste time - have mr X's isp contacted by your lawyer ASAP.
further - and **important** for you -- DON'T send out the details to anyone except your lawyer - this will NOT help you and it may indeed HURT YOU.. Months from now after the case is resolved through the courts - you will be advised what you can legally publicly state. don't cut off your foot trying to help yourself! you can be totally liable for slander, even if what you say is true - DON'T DO IT. talk only to your lawyer and keep all the names out of your other correspondence regardless of how tempting it is to rat out this fink and dirty player.
again - good luck.
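pwtgirl's observation that the headers of the notice and of the owner's own mail match, and trehug's advice to take the sending IP from the headers to the ISP, both come down to reading the Received chain. The script below is an added example, not code from this thread, that does that comparison on two constructed sample messages: it keeps only the Received line written by your own mail server, because every hop beneath it was supplied by the sender and can be forged. The hostnames, IPs and the OUR_MX value are assumptions.

```python
import email
import re
from typing import Dict, List, Optional

# Hostname of the mail server we control (assumption for this example).
OUR_MX = "mx.ourhost.example"

# Constructed sample messages; hostnames and IPs are not from the thread.
# MSG_A is the fake "acquisition" notice as a client received it,
# MSG_B is the owner's later message to the host denying that he sent it.
MSG_A = """\
Received: from web01.companyx.example (web01.companyx.example [198.51.100.25])
    by mx.ourhost.example (Postfix) with ESMTP id 9Z8Y7X;
    Thu, 27 Sep 2007 03:10:01 -0500
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by web01.companyx.example (Postfix) with ESMTPA id 111AAA;
    Thu, 27 Sep 2007 03:10:00 -0500
From: "companyX" <owner@companyx.example>
To: client@example.net
Subject: COMPANYNAME has been acquired by companyX
"""

MSG_B = """\
Received: from web01.companyx.example (web01.companyx.example [198.51.100.25])
    by mx.ourhost.example (Postfix) with ESMTP id 4D5E6F;
    Thu, 27 Sep 2007 09:40:12 -0500
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by web01.companyx.example (Postfix) with ESMTPA id 222BBB;
    Thu, 27 Sep 2007 09:40:10 -0500
From: "companyX" <owner@companyx.example>
To: owner@ourhost.example
Subject: Re: emails to your clients
"""

# One Received hop: "from <helo> (<rdns> [<ip>]) ... by <server>".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_hops(raw: str) -> List[Dict[str, str]]:
    """Received hops oldest-first (each relay prepends its line, so the
    header order is newest-first and we reverse it)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops


def trusted_origin(raw: str, our_mx: str = OUR_MX) -> Optional[Dict[str, str]]:
    """The peer that handed the message to our own mail server. Only the line
    written by a server we control is reliable; hops below it came from the
    sender and can be forged, so this is the hop to quote to an abuse desk."""
    for hop in parse_hops(raw):
        if hop["by"].lower() == our_mx.lower():
            return hop
    return None


def same_sending_host(raw_a: str, raw_b: str, our_mx: str = OUR_MX) -> bool:
    """True when both messages reached our MX from the same relay."""
    a, b = trusted_origin(raw_a, our_mx), trusted_origin(raw_b, our_mx)
    return bool(a and b and a["ip"] == b["ip"] and a["rdns"] == b["rdns"])


if __name__ == "__main__":
    for name, raw in (("notice", MSG_A), ("denial", MSG_B)):
        hop = trusted_origin(raw)
        print(f"{name}: handed to {OUR_MX} by {hop['rdns']} [{hop['ip']}]")
    print("same sending host:", same_sending_host(MSG_A, MSG_B))
```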
Orc Webhosting 09-28-2007, 02:06 PM Talking to his upstream is actually not a bad idea - contact their abuse department and if you can prove your point they might actually cut X off. After all, regardless of all other consequences, this e-mail might be classified as spam and thus be against the ToS of his upstream provider.
pwtgirl 09-28-2007, 02:09 PM
> I agree with Mr. Zippy about the owner of company X. I also suspect that he got your client list from someone connected with your reseller.
> If Mr X is really innocent, as he absurdly claims, then he would proactively be reimbursing the fraudulent signups and working to return the accounts to you. I don't see that happening.
> I won't be surprised if we see other customers of this reseller have the same problem shortly.
Actually my reseller is a great guy we've been with him for years. I've recommended him countless times in the past and will continue to do so.
Accidents or mistakes happen and if the open window to allow this POS company X into our company was server/reseller related then I can totally forgive it as our reseller does EVERY thing under the sun to help us. He normally is very detailed on the hows, whys, and whos when something happens. This time he was busy making sure there weren't more problems and I didn't push for more details.
My first thought when this happened was, "great, another phishing email scheme to watch out for." Not only do we deal with it from large companies like eBay and PayPal but now the scum is moving over to the hosting community.
nnwltrs 09-28-2007, 02:15 PM Actually, I don't think your reseller would have done this...that would make no sense. But your information could be available to other people by way of your reseller: an unscrupulous contractor brought in to help out with some admin work for example.
Do your logs show anything interesting? I think the site defacement, bad permissions may be a red herring.
pwtgirl 09-28-2007, 02:48 PM Update & Clarification:
I thought I mentioned earlier in the thread but I may have left it out due to the crazy state of thought over the last few days, but..
We did do ip checks, whois checks and server lookups. I followed his site up the chain to his server ip and found out he is with Theplanet.com. We then contacted the planet for help through their abuse system.
We explained the situation and provided full email headers both directly from that company X owner to myself, from company X to our clients, and then from the original fake email he sent to all of our clients, all header and ips were identical.
Previously when visiting company X's website there was a coming soon index page up with a craptastic design styling displayed. Today the index page has been replaced with a search page much like when you park a site with godaddy etc.
As of today the site is still listed with ThePlanet and still shows its nameservers to be the same.
To be completely honest I knew there wasn't much I could do about the whole ordeal. The thought of actually taking court action seemed like a waste of time since it would more than likely cost more to bring suit than I'd get out of the ordeal. The income loss was minimal and my position was to clean up the mess and move on. My reason for starting the thread was to share what happened and see if anyone else has run across a like situation before. If not then I wanted to put it out there that look wtf happened and watch out because apparently it's something new to look out for.
I sincerely thank all of you for your help and suggestions! You guys are great. I've dealt with the fall out and we're running smoothly again. I just really wanted others to know what happened and be on the look out in case some one else had the same problem. I didn't know how to really prevent this from happening to someone else because I couldn't publicly name the company X. But thought at least mentioning what happened may be of some help to some one down the line.
The reality was we lost 2 customers, it could have been worse. The sad part or maybe I should say the a**hole part on my end is that I'm not sad at all to see those two customers go. Yes I'll miss the money but NOT the constant support tickets that come in every other day for questions that the customer should already know the answers to.
Example support ticket from one of them that I get frequently from the same man:
"I've uploaded new changes to my index page 10 minutes ago but your server is not showing the changes! I'm tired of always having to contact you every time I make a change because the server doesn't update the changes."
Fix for that support complaint:
He wasn't hitting refresh to reload his changed pages, so his browser was still showing him the old page. This customer is a self-proclaimed master webmaster. Shouldn't he know that he needs to refresh the browser window by now? Especially since I've answered that exact same support ticket more than a few times for him.
Another lesson learned the hard way but I'm almost looking at it as a blessing.. LoL
Thanks for everything gang I really do appreciate being able to vent about it and learn from all of your replies.
JM9290 09-29-2007, 06:00 PM It's actually not hard to find out who a web host is hosting. I can pull up any host's customers (legally); it would be a pain, as I would have to go to each domain name and get contact info, but lists of current domains on servers are public info.
MrL22 09-29-2007, 06:45 PM If you use WHM/cPanel, it is very easy for someone to get a full list of all your clients, without any access to the server at all... I have used this once or twice to check up on how big a web hosting company is; this is down to WHM/cPanel putting all of its websites onto one IP address (shared IP), then only one or two manually specified hosts on separate IP addresses...
layer0 09-29-2007, 07:11 PM
> If you use WHM/cPanel, it is very easy for someone to get a full list of all your clients, without any access to the server at all... I have used this once or twice to check up on how big a web hosting company is; this is down to WHM/cPanel putting all of its websites onto one IP address (shared IP), then only one or two manually specified hosts on separate IP addresses...
Sure, but this doesn't really have anything to do with cPanel more than it has to do with name-based virtual hosting. This is simply a side effect.
Dougy 09-29-2007, 07:51 PM Which host was this, would you please share?