Domain registrar OpenSRS warns that there is an ongoing phishing attack against domain owners.  The object is to trick you into providing credentials that will let the bad guys hijack your domain.

If you get email claiming that your domain has been suspended, do not click any of the links or reply to the email even if the message looks legitimate.  If you’re an HIS customer, report the email to support@his.com and we’ll help determine your domain’s actual status.

You may have heard that many high-profile domain registrars are being targeted by a massive phishing attack against domain owners.

We have received reports that some of those attacks are using Tucows branded emails to target some of our resellers and possibly end users all over the world. The fraudulent emails claim that a particular domain name has been suspended and ask users to click a link. domainabuse@tucows.com.org is being used as “From” and “Reply-to” addresses.

We are asking all OpenSRS resellers to be extra vigilant of these fraudulent suspension notices. In case you or your end users receive an email from tucows.com.org:

• Do not click any links
• Do not reply to the email
• Do not call any phone numbers listed within the email

We strongly encourage all resellers to communicate this information to their end users.

The OpenSRS team

The FBI has warned that ISIL is exploiting vulnerabilities in WordPress sites running out-of-date versions of WordPress or old versions of certain plugins or themes to deface the sites.

The FBI’s statement:  http://www.ic3.gov/media/2015/150407-1.aspx

Sucuri’s writeup with mention of specific plugins to check:  http://blog.sucuri.net/2015/04/fbi-public-service-annoucement-defacements-exploiting-wordpress-vulnerabilities.html

The current version of WordPress (as of 4/8/2015) is 4.1.1.  If you are running any earlier version, you are vulnerable.  If you need to upgrade, you can do so from your WordPress admin login or by downloading the latest version of WordPress from https://wordpress.org/  Don’t forget to  update any out-of-date plugins or themes as well.

If you need help updating your HIS-hosted WordPress site, open a support request ticket at http://info.his.com/support/support.his.com.html

According to Ars Technica, encrypted eBay passwords and other information have been stolen by cyberattackers.  If you have an eBay account, change your password ASAP.  If your eBay password is one you’ve used on other services, including your accounts with HIS, change those passwords too, and don’t use the same password on more than one service.

When password lists are leaked this way, even in encrypted form, the bad guys have very powerful tools for cracking the passwords, and the cracked passwords go into their database of passwords that are used somewhere and thus are probably also used somewhere else, increasing your likelihood of being hacked on another system if you’re using the same password there.

We know that it’s a pain to change passwords, especially email passwords where you might have several devices checking your account (a phone, a tablet, multiple computers), but it’s a bigger pain to get hacked.  When we detect a hacked account, we change the password immediately and there’s a period of time between then and when we can reach you when you’re without access to your account.   If you use strong passwords (mixed upper/lower case, numbers, punctuation) and you don’t use a password on more than one account, your odds of having your account hijacked are greatly reduced.

You may have read about the bug in OpenSSL that allowed attackers to access random 64k byte chunks of memory.  This bug was reported by CERT on Monday, April 7, 2014.  Software vendors supplied patches on April 7 and 8.  A few of our SSL servers were vulnerable, and we had all patches applied and were able to confirm that the patches worked on all servers April 7 and 8.

Many of the most popular internet sites were affected, including Google, Facebook, Youtube, Yahoo!, Bing, Pinterest, Blogspot, Instagram, Tumblr, Reddit, Netflix, Yelp, Blogger, Dropbox, and the Washington Post (to name a few).

This was a nasty bug – it left no traces in server logs, so there’s no way to tell whether it was exploited by bad guys.  There’s an XKCD cartoon that shows how the exploit worked.

We prefer to err on the side of caution, so we have replaced our own SSL certificates and have changed important passwords.  Odds of your password being exposed on a server that we host are low, but not zero, and since many people use the same passwords on multiple sites (a really bad idea – don’t do this), we’re encouraging everybody to change their passwords.  If you use the same password on, say, Facebook, that you use with your email account, and bad guys managed to get the password from Facebook, you’re exposed.

Our Zimbra email servers were not vulnerable, but we still recommend that you consider changing your password anyway in case you’ve used the same password somewhere else.  Instructions for customers on Zimbra servers are here (use the webmail URL for your domain).  If your email account is on a Plesk server, instructions are here.  If you need  help, open a ticket at https://support.his.com/home.

Changing your password isn’t mandatory, but it’s a good idea, especially if you think you may have used the same password anywhere else.