Author: Olly

  • Mailgun.com Scam – Fake Support Ticket Phishing Scam Email

    Wow, this one took me by surprise to be honest. We use Mailgun for many of our customer sites, as it provides great logging and flexibility for delivering emails. It also means the outgoing emails aren't tied to the same server the website is on: sending email from the web server can get its IP on blacklists, and that can cause website access issues for customers.

    Anyway, a customer emailed this to me this morning. They asked if it was a support ticket we had raised, but straight away I knew something was wrong, as the format of the email/support ticket was all wrong.

    This is the fake one:

    [Screenshot: Mailgun spam email support ticket phishing]

    A novice user, or someone not familiar with Mailgun's email format, would deffo fall for this. You should always hover over or inspect the links in emails like this before clicking on them:

    [Screenshot: hovering over the link in the Mailgun phishing email]

    Hovering over the app.mailgun.com link shows that it would actually take me to kapsicum.com, which I can only assume is a hacked website. Normally I would click on it and screenshot the website it takes me to, but it's early on a Monday and I have a bad feeling about this one, so I don't want to risk the malware infection to be honest! 🙂

    Just FYI, this is the format of a support ticket notification from Mailgun:

    [Screenshot: Mailgun actual support ticket email]

    And this is how newsletters come from Mailgun:

    [Screenshot: Mailgun newsletter format]

    So none of the official emails look like the spam one, but to the untrained eye it would be easy to mistake it for the real thing and click on the link.

    Be warned!

    If you didn't ask for or request the email in some way, it's probably a scam – so forward it to me so I can blog about it!
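    The hover check above can be automated: the tell-tale sign of this mail is that the visible link text names one host (app.mailgun.com) while the href points at another (kapsicum.com). This is an added example, not code from the post or from Mailgun; the email body is constructed to mirror the mail described, and the hostnames are taken from the post.

```python
"""Flag e-mail links whose visible text names one host but whose href goes elsewhere.

Added example, not from the original post. SAMPLE_EMAIL_HTML is constructed
to mirror the phishing mail described above.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one look-alike link and one honest link.
SAMPLE_EMAIL_HTML = """
<p>A new support ticket has been opened.</p>
<a href="http://kapsicum.com/wp-content/ticket.php">https://app.mailgun.com/app/support/12345</a>
<a href="https://app.mailgun.com/app/logs">View your logs</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL or bare domain, lowercased ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def find_mismatched_links(html):
    """Return [(visible_text, real_host)] for links whose text looks like a
    URL/domain but whose href resolves to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and _host(text) != _host(href):
            suspicious.append((text, _host(href)))
    return suspicious
```

    Plain-text link labels such as "View your logs" are skipped, since the check only makes sense when the label itself claims to be an address.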

  • Securing phpMyAdmin… the Easy Way… any OS, any version…

    We work with various servers at work, and one of the areas that gets targeted the most by bots and the like seems to be the phpMyAdmin login page.

    Now, you could obfuscate the folder name to throw them off the scent… but that probably means renaming loads of things other than the core folder name, and time is money!

    The best way (before this blog post) of doing it has always been to secure it with htpasswd, but the number of times I've done this quickly, set the password to something obvious and then forgotten it… Then unpicking the password configuration to get in, only to have to reapply it afterwards… Screw that!

    So whilst I was once again sat staring at the good ol' "how to secure phpMyAdmin with htaccess" guide early this morning, I thought to myself "there must be a better way of doing this!" and I pondered… and pondered… then it hit me!

    Cloudflare!

    We use Cloudflare for DNS management on all our websites. It's by far the best tool for the job, and despite them taking most of the internet down (twice) the other month, it's an awesome toolkit for keeping the baddies out and the websites online.

    Anyway, in the Cloudflare dashboard there is a Firewall section. In that section you can set rules under "Firewall Rules", and a quick five-minute rule later my phpMyAdmin screen is secured behind a captcha challenge, and Cloudflare is beating up the baddies that try to come and hack my gibsons.

    Here is the rule:

    [Screenshot: rule to secure phpMyAdmin with Cloudflare]

    And here is my bitchin' challenge screen:

    It's worth noting that when I originally added the above rule I used "contains" in the rule Operator field, and the screenshots I added above had 'phpmyadmin' in the filenames, so the Cloudflare rule kicked in and blocked the images from loading!

    Be careful when setting the rule and ensure it matches my example above.

    It logs how many times it kicks in too, and since adding it, it's already been hit 50 times!
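    The screenshot-blocking problem above comes down to which operator the rule uses. This is an added example, not the post's rule and not Cloudflare code: a small Python model of the Firewall Rules operators (contains, starts with, equals) applied to constructed request paths, showing why a rule that matches "phpmyadmin" anywhere in the path also catches image filenames while a path-prefix rule does not. Cloudflare's string operators are case-sensitive, so the model lowercases the path first, as you would with the `lower()` function in the rule expression.

```python
"""Model of how a Cloudflare Firewall Rule operator decides which request
paths get challenged. Added example; not the post's actual rule and not
Cloudflare's code. SAMPLE_PATHS is a constructed request log."""

# Constructed request log: bot probes plus the blog's own screenshot file.
SAMPLE_PATHS = [
    "/phpmyadmin/index.php",
    "/phpmyadmin/",
    "/PHPMYADMIN/",
    "/pma/",
    "/wp-content/uploads/phpmyadmin-cloudflare-rule.png",
    "/index.php",
]

# (operator, value) pairs as you would enter them in the Firewall Rules UI.
CONTAINS_RULE = ("contains", "phpmyadmin")    # what the post describes first
PREFIX_RULE = ("starts_with", "/phpmyadmin")  # scoped to the directory


def matches(operator, field_value, rule_value):
    """Evaluate one string operator. Cloudflare's string operators are
    case-sensitive, so callers normalise the field with lower() first."""
    if operator == "contains":
        return rule_value in field_value
    if operator == "starts_with":
        return field_value.startswith(rule_value)
    if operator == "eq":
        return field_value == rule_value
    raise ValueError(f"unsupported operator: {operator}")


def challenged_paths(paths, rule):
    """Paths that a rule `lower(http.request.uri.path) <op> value` would
    send to the challenge page."""
    operator, rule_value = rule
    return [p for p in paths if matches(operator, p.lower(), rule_value)]


def hit_counter(paths, rule):
    """Mimic the dashboard counter: how many requests the rule fired on."""
    return len(challenged_paths(paths, rule))


if __name__ == "__main__":
    for name, rule in (("contains", CONTAINS_RULE), ("prefix", PREFIX_RULE)):
        print(name, hit_counter(SAMPLE_PATHS, rule), challenged_paths(SAMPLE_PATHS, rule))
```

    Running it shows the contains rule firing on the screenshot upload as well as the login probes, while the prefix rule only fires on requests under /phpmyadmin.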

    Secure your phpMyAdmin on Ubuntu, CloudLinux, Red Hat, CentOS, Debian, Fedora, CoreOS, FreeBSD, Windows hosting, and anything else with this 5-second rule.

    Oh, it works on Cloudflare free accounts too – so even if you don't currently use Cloudflare you can set it up at no cost and have the rule protecting your phpMyAdmin from the hackers, bots and baddies of the internet world in no time!

  • Vehicle Request Enquiry – GOV.UK SCAM EMAIL!

    Don't get it twisted, this isn't FROM the .gov; this is someone pretending to be them to get ya deets.

    The email looks like this:

    The page looks like this:

    Even the footer is identical to the actual GOV.UK website:

    The domain name, however, isn't:

    hXXps://majesvehicle-onthereq.com (the t's are replaced with X's)

    I clicked the link in the email (you shouldn't ever do that) and it was actually a legit Constant Contact URL, which forwarded me to the above URL. So Constant Contact are helping these scammers. Well done.

    Someone less savvy would fall for this.

    Tell ya friends, share this article, repost, duplicate, idgaf, I just work here.

  • An Open Letter To Anyone Working With a Digital Agency

    Ok, so this is something that I've been thinking about putting out there for a while. Many of you know that my day job is working at a digital agency: we make websites, we do marketing, we work with code and pixels, and we help people use the internet to run or grow their businesses.

    This post is the result of over 12 years of constant erosion of our sanity by people who need us but don't know why they need us, and then, despite not knowing why, feel the need to question why they should have to pay so much for something they requested that they don't really understand… Confusing, right?

    Let me explain…

    The Internet: The thing everyone uses, and no one* understands.

    Now first and foremost, I'm not saying I know all there is to know about the internet, but as it's something I have mucked about with since there were only 257,601 websites (June 1996) on the whole internet, I feel I've got a good baseline understanding of what it is and how it works – and on that note, I feel I am more than qualified to write this open letter.

    So What’s My Problem?

    To put things into an example that anyone can understand, let's pretend we're building a house instead. First, you must have it planned by an architect. A good architect will firstly listen to what you would like, then take into account the plot of land, your budget and a thousand other factors, and will come up with ideas that tick all the boxes. If you then question things, or ask for it to be changed, he/she may say no – and explain that you can't do X, Y or Z due to A, B or C.

    At that point you would more than likely take their word for it and push on? Surely?

    Then why is it that when I or a colleague of mine tries to express our concerns regarding an item or feature a customer has suggested, our years of experience, our long lists of qualifications and our unique, finely tuned mindset are suddenly worth less than something they read in a newspaper article that morning on the train? The best ones are when CEOs who visit the business once a quarter and haven't been fully active in the business for 20 years DEMAND that a feature be present on a new proposed system, as their friend at the Golf Club has it on theirs….

    The web isn't a platform for people to try and "Keep up with the Joneses", and in fact simply copying what other people are doing could be the exact opposite of what you would be advised to do by a proper digital agency that had created you a proper digital strategy based on your actual requirements. Sure, borrow ideas and evolve existing concepts, but you achieve success by innovating, not by cloning your competition!

    What sense is there in employing the services of a professional company, and then telling them what to do throughout the whole process?

    It doesn't make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.

    If you don't know, now you… still probably don't know.

    My bastardised Biggie quote is intended to highlight the fact that the "Internet" that we all take for granted every single day is propped up by digital agencies, hosting companies and IT professionals all over the world. Not only that, but we can now access the web via toasters, fridges, irons, televisions and speakers (amongst many other things), and I bet the majority of the human population that have access to the internet have ZERO idea how their tech is "smart", how it works, or how their fridge can communicate with the internet via a button press on an app on their phone.

    It’s just Magic, right?

    Wrong.

    It's the internet: it's a mix of protocols, ports, networks and servers. It's made up of pixels, megabytes, packets and abbreviations. It's a hugely complex "Thing" that was never really intended to do what it is doing right now. It was never meant to do banking, or control your heating – but thanks to the amazing minds of some of the world's cleverest people, we've been able to evolve and improve the world we live in, in many ways, through the opportunities the internet has made possible.

    However, due to the constant, rapid evolution that happens every day online, it has become the fastest-moving playing field that has ever, and will ever, exist. What was popular 10 minutes ago is now laughably uncool, how your website engaged with your target audience six months ago may no longer resonate with them, and the app or the online store that you had someone who "knows everything about IT" make you five years ago may now need constant patching up due to deprecated server dependencies and new conflicts between the scripts used to add or enhance certain functionality on your website. Sound confusing? That's my point.

    There will be pirates and cowboys in our industry (I have actually blogged about a few), but generally a good, credible, well-reviewed digital agency will not try to rip you off; they have nothing to gain from doing that, and the reason for that invoice that came in much higher than you expected is that they are professionals who have probably saved your bacon more times than you realise, and are probably the main reason your business is still competitive in 2019.

    “Oh just quit whining, you chose your career!”

    Yes, I did choose to go into the web industry, but what no one could predict was how rapidly it would consume the world. Every single corner of the world, of innovation, of family life, of education… every single nook and cranny is now connected to the web and utilises the internet for something.

    So whereas most of us in this industry trained and learned how to do our job 10+ years ago, the job we're now required to do is ten times more complex and one hundred times more in-depth.

    I encourage anyone confused about a quote or an invoice sent to them from their web company to just be open and talk to them – and just remember that you’ll no doubt be contacting them via an email account that they provide to you, on a device that they help you fix when the latest OS update breaks everything.

    So how do we fix this?

    Treat Web Pros With Respect

    A good web design company, a good digital agency, a good digital marketing company… Do you know what the one thing they all have in common is, regardless of their size, location or niche?

    They are all Professionals.

    And in the rest of society, when someone is a professional they are paid the wage a professional would expect – and people don't question it.

    • Do you haggle with your solicitor?
    • Do you shop around for the best deal at a Funeral Home?
    • Do you question invoices sent to you by your Accountant? (OK, well we did use to question our Accountant quite a lot, which is why we now use Kashflow, but that's another story…)

    Then why do we, as Web Professionals, have to justify to clients why we have charged them for something on an invoice we have sent? We're not trying to trick you!

    Our time is all we have. We don't ship pretty boxes, we can't tie a shiny bow to your new website – it's data held on a system somewhere. So we MUST charge you for the time we spend, just like a barman will charge you for all the alcohol you drink, and just like you get charged for all the items you put in your shopping trolley at Asda – you will be (or should be) charged for whatever time you use at any Digital Agency. And whereas the DA should explain what they've done and why, questioning and haggling with them once they've presented you this info is demoralising and belittling. Their time is worth the price they ask you to pay.

    Thanks for reading.