oles@ovh.net
10-08-2008, 09:46 AM
Hello,
In July / August, we had a lot of problems with many kinds of abuse. Non-payments, hackers, scans, it was our daily routine. These problems are due to hackers from North Africa, who are specialized in phishing and credit card theft. They order domain names, hosting and dedicated servers to implement PayPal and bank phishing sites. This allows them to recover credit cards. They also implement "other" phishing pages (as Ovh, Free, Orange etc) to retrieve customers' access to have Internet services in France. This gives them an infrastructure to phish (to create the page, send email, usurp identity etc). With the same aim, they scan the networks of service providers in order to find unprotected VNC, allowing them to take control of a PC remotely (and dig into the PC of the victim). There are subgroups that are specialized in each activity and each of them brings his contribution to the group.
We have taken measures in September to deal with these problems. We have strengthened ordering with a confirmation by SMS and a postal confirmation for some "sensitive" orders (dedicated servers and RPS). We improved the detection of scans from our network (and to our network). We have reviewed our secure payment system to avoid non-payments due to hackers with stolen credit cards.
The result: we closed more than 380 servers ordered by hackers in June, July and August, sometimes still in September. And finally, the hackers were left without any infrastructure for abuse on the net. They went to our competitors, but we are the only one on the market to deliver servers in 1 hour. The hackers were very annoyed. They can no longer place any order because we validate addresses via a letter. They have decided to attack the Ovh customers to recover their access and then to order dedicated servers pretending they are placed by existing customers. This is useless since all orders are validated in the same way. Last week, we had 3 phishings of our manager. We immediately strengthened the security of the manager. But how to protect our customers against themselves? Here are some answers. Now you get an alert message when you try to connect to your manager from a malicious page: everything is in red. You have an explanation about the address of the manager: you must be on a site with SSL, www.ovh.co.uk. When someone connects to the manager, you immediately receive a notification by email of the connection (1 notification / 1 IP connection / day). If we believe that it's a suspicious connection, in the email you have a link through which you can immediately block your manager. When you perform some operations (email change of contact) the operation is not performed immediately. You receive an email that you can accept or decline. If you don't do anything, the operation validates itself after 24 hours. When you order an RPS or a dedicated server, each order is analyzed and validated by a human being (not a robot). This may take between 5 minutes and 24 hours (and therefore may delay the deployment of the servers). Upon detection of scans, the server is automatically suspended, and for some scans, the contract is broken.
These measures brought some results: we have almost no more non-payments. Yesterday, our network did not generate any scans (we underwent scans but we did not generate any). No more phishing for 4 days (we will have some, we have no doubt about it, but we now have a team that is dedicated to this problem 24/7 and the necessary is almost automatic).
To sum up, we slowly begin to get our head above water with this story about hackers. By protecting ourselves and by protecting our customers, we "lost" a lot of time on the development of new services. But at the end of the day, everyone wins because our network is cleaner, the customer is better protected and we have less non-payment.
Regards,
Octave
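The post describes two account-protection controls for the manager: a connection alert e-mailed once per source IP per day (with a block link), and sensitive changes such as a contact e-mail update that are parked until the owner accepts or declines, auto-validating after 24 hours. The following is an added example sketching how such controls can be implemented; it is not OVH's code, and the class, method and field names, the documentation-range IP addresses and the account values are all constructed for illustration.

```python
"""Constructed example: per-IP daily login alerts plus deferred sensitive changes.

Not OVH's implementation; names and sample data are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# An undecided change is applied automatically after this delay (24 h in the post).
PENDING_TTL = timedelta(hours=24)


@dataclass
class PendingChange:
    """A contact-data change that is parked until the owner decides or the TTL lapses."""
    account: str
    field_name: str
    new_value: str
    requested_at: datetime
    # Unguessable token carried by the accept/decline links in the e-mail.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class ManagerGuard:
    """Hypothetical guard in front of a customer 'manager' (control panel)."""

    def __init__(self):
        self.accounts = {}      # account id -> contact fields
        self.blocked = set()    # accounts whose owner clicked the block link
        self._notified = set()  # (account, ip, calendar day) already alerted
        self._pending = {}      # token -> PendingChange

    def register(self, account, email):
        self.accounts[account] = {"email": email}

    def record_login(self, account, ip, when):
        """Return True when an alert e-mail must be sent.

        One alert per (account, source IP, day): a second login from the same
        address on the same day is silent, a new day or a new address alerts again.
        Logins to a blocked manager are refused outright.
        """
        if account in self.blocked:
            raise PermissionError("manager blocked by its owner")
        key = (account, ip, when.date())
        if key in self._notified:
            return False
        self._notified.add(key)
        return True

    def block(self, account):
        """Owner followed the block link from a suspicious-connection alert."""
        self.blocked.add(account)

    def request_change(self, account, field_name, new_value, when):
        """Park the change instead of applying it; return the token mailed to the owner."""
        change = PendingChange(account, field_name, new_value, when)
        self._pending[change.token] = change
        return change.token

    def decide(self, token, accept):
        """Owner clicked accept (apply) or decline (discard). Returns the decision."""
        change = self._pending.pop(token)
        if accept:
            self.accounts[change.account][change.field_name] = change.new_value
        return accept

    def expire(self, now):
        """Auto-validate changes left undecided for PENDING_TTL; return how many."""
        applied = 0
        for token, change in list(self._pending.items()):
            if now - change.requested_at >= PENDING_TTL:
                self.decide(token, accept=True)
                applied += 1
        return applied
```

The decline path matters most: a phished credential lets the attacker request a contact-e-mail change, but the owner still receives the e-mail at the old address and can refuse it, so the attacker cannot silently redirect order confirmations. In a real deployment the `_notified` and `_pending` state would live in a store shared by all front-ends, and `expire` would run from a scheduler.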