Pages in topic:   < [1 2 3 4] >
Nov 20 malware incident
Thread poster: Ty Kendall

Anne Diamantidis  Identity Verified
Germany
Local time: 10:45
English to French
+ ...
Hell yes... Nov 23, 2012

Just finished restoring my entire system to its initial state. Luckily I had done back-up last week so I lost almost no data, but my computer got badly infected, just like that - it was working just fine last night but when I got up this morning, it was chaos - blue screen, system failure, etc. Only option was to nuke everything and restore the system (thanks God for recovery softwares).

My antivirus had not reported anything over the last few day.

Sorry Jason, I have n
... See more
Just finished restoring my entire system to its initial state. Luckily I had done back-up last week so I lost almost no data, but my computer got badly infected, just like that - it was working just fine last night but when I got up this morning, it was chaos - blue screen, system failure, etc. Only option was to nuke everything and restore the system (thanks God for recovery softwares).

My antivirus had not reported anything over the last few day.

Sorry Jason, I have no antivirus log files - I could not start any application on the PC anyway, any attempt to open anything the only time Windows started resulted in complete system crash - I saw this forum thread just now, which is a relief as I really wondered what had happened. At least now I probably know where it came from... (I had received the email but confess I did not pay too much attention).

So no major harm done on my side, no major data loss, so, well. Can't complain much...

[Edited at 2012-11-23 14:16 GMT]
Collapse


 

Jason Grimes
Local time: 04:45
SITE STAFF
The affected ad server is completely separate Nov 23, 2012

opolt wrote:
I don't know about the details, but there is always the (theoretical) risk that the password database stored on the site gets compromised too,


The affected ad server is completely separate from the rest of the ProZ.com site, with no access to the ProZ.com site database, code, or the servers that store them. There is no reason as a result of this incident to change your site password, though it's always a good practice to change your passwords periodically.

Thank you for trying to help, opolt, but in the future please get more facts before spreading an alarm that could panic people unnecessarily.

Thanks,

Jason


 

Doron Greenspan MITI  Identity Verified
Israel
Local time: 11:45
Member (2005)
English to Hebrew
+ ...
Kudos to Norton Nov 23, 2012

I'd like to add that my Norton Internet Security 2012 discovered it right from the start with a frightening pop-up message ("Severity = High").

That error message popped up as soon as I opened the ProZ.com homepage.

I wrote to a site staffer (out of the website of course) and got an immediate reply.

My kudos to Norton then!

[Edited at 2012-11-23 16:13 GMT]


 

opolt  Identity Verified
Germany
Local time: 10:45
English to German
+ ...
Not spreading alarm Nov 23, 2012

Jason Grimes wrote:

The affected ad server is completely separate from the rest of the ProZ.com site, with no access to the ProZ.com site database, code, or the servers that store them. There is no reason as a result of this incident to change your site password, though it's always a good practice to change your passwords periodically.

Thank you for trying to help, opolt, but in the future please get more facts before spreading an alarm that could panic people unnecessarily.



Well no, Jason, with all due respect, I am not "spreading alarm" at all -- I've said that the risk is "theoretical". But the fact is, an internal ProZ server got broken into. Whether there was a viable path for the cracker from the ad server to the rest of your internal infrastructure, whether your other servers were also exposed to that vulnerability, due to the setup of your firewalls etc., we just don't know. Nor do we know whether you've found the vulnerability already, and fixed it. And I'm sure you won't tell us about it, about your network configuration and server and database setup, as that would be quite unwise from the security standpoint. But again theoretically, given that this thing was spreading a Windows virus of some sort, it could also have spread to other Windows servers, if they are indeed Windows based.

Your original email only stated that your "dedicated ad server" was affected, and that was it. I take your word for it, and it's ok for you to keep the rest to yourself. But it was still a server under the control of ProZ, and we, as outsiders, can't be so sure about the rest, the only thing under our control is the password. As you'll know there have been many such server break-ins in the past, on high-profile sites, and often the real damage becomes visible only after some time.

It's all "in the interest of being cautious", Jason, as you said in your original email. So please don't take it personally. If some people got their computers completely crashed by it, it's surely not completely unwise to change the password. The effort involved is very small.

I'm not spreading an alarm here, I'm alerting people to potential (that is including future) risks. That should be in your own interest.



[Edited at 2012-11-23 14:52 GMT]


 

XXXphxxx (X)  Identity Verified
United Kingdom
Local time: 09:45
Portuguese to English
+ ...
Might I ask... Nov 23, 2012

What assurances do we have that this won't happen again? Have you pinned the issue down or should we be steering clear of the site until you have?

 

Déborah Essers-Jansen  Identity Verified
Netherlands
Local time: 10:45
Member (2007)
English to Dutch
+ ...
Me too! Nov 23, 2012

I tried to log into my online banking system and got a very suspicious message right after logging in. When I contacted my bank, they said that the problem was probably caused by a virus (at that time I didn't receive the mail from Proz yet) that tried to find out my banking details. They advised me to do a thorough scan of my computer to delete the virus. My normal antivirus program didn't indicate anything, but luckily my husband ran some other programs for me. There were indeed several threat... See more
I tried to log into my online banking system and got a very suspicious message right after logging in. When I contacted my bank, they said that the problem was probably caused by a virus (at that time I didn't receive the mail from Proz yet) that tried to find out my banking details. They advised me to do a thorough scan of my computer to delete the virus. My normal antivirus program didn't indicate anything, but luckily my husband ran some other programs for me. There were indeed several threats and after deleting those, I was able to use my banking system again. So please, be very careful and take this message from Proz seriously!Collapse


 

Henry Dotterer
Local time: 04:45
SITE FOUNDER
What has been reported in this thread has not been reported outside the thread -- we'll be in touch! Nov 23, 2012

Hi all,

Thanks again to the people who reported this incident, and to those who have worked with us to search for signs of negative consequences.

There were approximately 6700 people who could have been served ads during the period that the malware could have been active. The notice contained in this thread was sent to all of them (including you, Lisa; your server accepted the email, according to our logs. Would you mind checking on your end?)

Many replied
... See more
Hi all,

Thanks again to the people who reported this incident, and to those who have worked with us to search for signs of negative consequences.

There were approximately 6700 people who could have been served ads during the period that the malware could have been active. The notice contained in this thread was sent to all of them (including you, Lisa; your server accepted the email, according to our logs. Would you mind checking on your end?)

Many replied to the notice, and we have followed up with everyone who did. (Unless they just did.) The investigation is ongoing, and we have two fairly tame possibilities that we are continuing to look into, but so far we have not been able to find an instance where it can be confirmed that someone picked anything like a virus up in this incident.

If we are able to validate such a report, even one, we will provide details here, and via email, so that appropriate steps can be taken.

And by the way, opolt, thank you for your postings. Changing a password is never a bad idea.

(You may conclude from my post that what is being reported in this thread goes well beyond anything we have found in our investigation so far. If these reports can be verified and tied to the malware that hit us, the problem would be more significant than it has so far appeared to be. We really need details to substantiate what you have written here, I hope you will be willing to work with us on this. You'll be hearing from one of us if you have not already.)
Collapse


 

Henry Dotterer
Local time: 04:45
SITE FOUNDER
The malware is gone now Nov 23, 2012

Lisa Simpson, MCIL wrote:

What assurances do we have that this won't happen again? Have you pinned the issue down or should we be steering clear of the site until you have?

Hi Lisa,

We found it and removed it, it is gone.

Can we be sure there will never be another incident involving malware and viruses in the future? Of course not. So its a partnership, you need antivirus software, etc. Thanks again to those helping out in this instance.


 

XXXphxxx (X)  Identity Verified
United Kingdom
Local time: 09:45
Portuguese to English
+ ...
I have antivirus software Nov 23, 2012

Henry Dotterer wrote:

Can we be sure there will never be another incident involving malware and viruses in the future? Of course not. So its a partnership, you need antivirus software, etc. Thanks again to those helping out in this instance.


As, I believe, do others on this site who got infected. Furthermore, a virus scan showed no results. I believe this was the same for others. Not sure what more I could have done.


 

XXXphxxx (X)  Identity Verified
United Kingdom
Local time: 09:45
Portuguese to English
+ ...
When was the email sent? Nov 23, 2012

Henry Dotterer wrote:

There were approximately 6700 people who could have been served ads during the period that the malware could have been active. The notice contained in this thread was sent to all of them (including you, Lisa; your server accepted the email, according to our logs. Would you mind checking on your end?)


Can you tell me roughly when this email went out? Date and time (GMT) I must confess that if it came in when I was in the throes of the computer meltdown it may have just got deleted as "low priority".


 

Henry Dotterer
Local time: 04:45
SITE FOUNDER
Thanks, Lisa Nov 23, 2012

Lisa Simpson, MCIL wrote:
Henry Dotterer wrote:
There were approximately 6700 people who could have been served ads during the period that the malware could have been active. The notice contained in this thread was sent to all of them (including you, Lisa; your server accepted the email, according to our logs. Would you mind checking on your end?)

Can you tell me roughly when this email went out? Date and time (GMT) I must confess that if it came in when I was in the throes of the computer meltdown it may have just got deleted as "low priority".

Since you are now connected with Jason I suggest we just continue this directly. I know you've had a rough patch and appreciate your help as we try to determine whether or not this was related to the malware incident.


 

Henry Dotterer
Local time: 04:45
SITE FOUNDER
Trying to reach Déborah Nov 23, 2012

Déborah Essers-Jansen wrote:

I tried to log into my online banking system and got a very suspicious message right after logging in. When I contacted my bank, they said that the problem was probably caused by a virus (at that time I didn't receive the mail from Proz yet) that tried to find out my banking details. They advised me to do a thorough scan of my computer to delete the virus. My normal antivirus program didn't indicate anything, but luckily my husband ran some other programs for me. There were indeed several threats and after deleting those, I was able to use my banking system again. So please, be very careful and take this message from Proz seriously!

This is a very serious report. We have had no other similar reports. We are trying to get hold of Déborah to get more information, but so far have not been able to.

If anyone has had this sort of experience, please tell us about it.

Déborah, if you see this, sorry for the trouble, but I am sure you understand that we have to take this sort of report very seriously, even if it does not appear likely to us that the malware we found would have led to this sort of thing. Therefore, we would appreciate if you could help us get a bit more information about what happened to you. (The office number is +1-315-463-7323. Call that or use Skype (check your voicemail.)) Thank you very much in advance.


 

Dominique Pivard  Identity Verified
Local time: 11:45
Finnish to French
AdBlock Nov 23, 2012

FWIW, I use the AdBlock extension in Firefox and it blocks links from ads.proz.com by default:



In addition to the extra security provided (if you don't see them, you won't be tempted to click on them), it also makes for a more pleasant browsing experience.


 

John Fossey  Identity Verified
Canada
Local time: 04:45
Member (2008)
French to English
+ ...
Ads Nov 23, 2012

Dominique Pivard wrote:

FWIW, I use the AdBlock extension in Firefox and it blocks links from ads.proz.com by default:

In addition to the extra security provided (if you don't see them, you won't be tempted to click on them), it also makes for a more pleasant browsing experience.



Trouble with that is that some of us actually benefit from the proz.com ads, which are industry specific.


 

Henry Dotterer
Local time: 04:45
SITE FOUNDER
It could be worse than a redirect Nov 23, 2012

Samuel Murray wrote:
Ty Kendall wrote:
ProZ.com's dedicated ad server was infected with malware around 09:55 GMT. ... The direct effect of this malware is that a site user who visited a page with banner advertisements could have received content from, or could have been redirected to, a site other than ProZ.com.

Well, I don't think the infection was the type that spread to other computers.

The infection caused certain ProZ.com pages to automatically forward to another site, and such a forwarding action is recognised by anti-virus programs, but it does not actually infect the user's computer. It merely redirects to the user to another site.

Thanks, Samuel. Hopefully it was a redirect and nothing more, as you say. We can not rule out the possibility, however, that the site one gets redirected to could try to install something worse than a redirect script. It might not even take any effort on the part of the user to become infected.

Although we have located and removed the malware that infected our system, we don't have a means of determining what the destination site was putting out. All we can do is follow up on reports of anything abnormal. We continue to do that, and appreciate the cooperation of many of you in that respect.


 
Pages in topic:   < [1 2 3 4] >


To report site rules violations or get help, contact a site moderator:


You can also contact site staff by submitting a support request »

Nov 20 malware incident

Advanced search






Anycount & Translation Office 3000
Translation Office 3000

Translation Office 3000 is an advanced accounting tool for freelance translators and small agencies. TO3000 easily and seamlessly integrates with the business life of professional freelance translators.

More info »
TM-Town
Manage your TMs and Terms ... and boost your translation business

Are you ready for something fresh in the industry? TM-Town is a unique new site for you -- the freelance translator -- to store, manage and share translation memories (TMs) and glossaries...and potentially meet new clients on the basis of your prior work.

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search