Website Hijacking!

Ozzy

Founder of UKBF
UKBF Staff
  • Feb 9, 2003
    8,334
    11
    3,473
    Northampton, UK
    bdgroup.co.uk
    Hello Folks,
    I have a problem and not too sure what the legalities are let alone how to trace it.

    Over the past week my orders have dropped rather noticeably, and I could not for the life of me figure out why...until today.
    A regular client has called saying he is having problems placing an order on my website, because every time he tries to pay he gets redirected to a competitor's website! At first I thought he was going mad, but we went through it over the phone and he has emailed me screen shots of what is happening...

    He goes to my website, clicks to order my Executive package on the front page of my website, enters the name of the company he wants to order and clicks save... then instead of being redirected to my sign-on/register page he gets redirected to a competitor's payment page.

    Firstly, please could I ask if all you guys can try this too. Go to http://www.quickformations.com/ and click ORDER on the left hand side for any package, but particularly the Executive package.
    Then enter any name of company you wish to order and click on Save....

    If you get directed to a page that is still at www.quickformations.com in the URL bar of your web browser, and the page is asking you to register your contact details (has a postcode lookup button, etc) then you are fine.

    If you get redirected to another website please contact me.

    I have found out this company is using Spyware to cause this, which watches what the user is doing and redirects the user to their own website when the user goes to complete an order. I am trying to find out how big this problem is, and also if it is affecting any of my other competitors.

    Many thanks for all your help, it is much appreciated.
     

    Ozzy

    LindseyMHC said:
    Hope you get this sorted out ... and soon.

    Me too :cry:
    Generally speaking if you have Anti-Spyware software installed and keep it up to date you should be fine. If not, then you could quite well be infected.
     
    Upvote 0

    webit

    Free Member
    Jul 13, 2005
    1,124
    7
    Brighton, UK
    Again not redirected. The link goes to:

    http://www.quickformations.com/fo_incorp.qmd

    Are you sure that it might not have been at a 'higher' level? That is, a router (or DNS) might have been compromised and now put back in place? The only way I know of hijacking a page directly is if I've access to displaying HTML on the page (a BB or comments area), though I would question the QED extension (Quicken) because I know nothing about it (is it held locally or remotely?).
     
    Upvote 0
    Hi Ozzy,

    Tried to look for you but I think I mucked it up :lol:

    I put vshosting in the company box (first I thought of) then I'd to put loads of details in and I got an email saying I'd opened an account...Sorry, can you delete me :lol:

    I'll have another go :D

    Jayne
     
    Upvote 0
    I have just tried most of the packages and they are all fine for me too.

    Maybe it is random, so that you don't suddenly lose all of your business immediately and a red flag raised. If it is more subtle then they perhaps hope it will take a while for you to notice. :shock:

    Hope you sort it out soon.

    Kate
     
    Upvote 0
    Worked ok here too???

    I had a peek at the page source code, and although the page is generated dynamically (and the resulting source code will only tell me the created code and not the code used to create the page) I didn't see much out of the ordinary?
    Seeing as this is unique to 1 or 2 customers then it has to be either at their end (spyware) or somewhere between them and your server (DNS / routing hijack) but I doubt a hijack would be the cause to be honest....

    Tony
     
    Upvote 0

    Astaroth

    Free Member
    Aug 24, 2005
    3,985
    278
    London
    Worked fine for me too on my work PC.

    I am not an expert on spyware (or any aspect of IT really to be honest these days) but I would be surprised if the kinds of people that create spyware would be interested in depriving your company of business in favour of a competitor when there are so many other larger companies which they could have a much greater effect on.
     
    Upvote 0

    Ozzy

    You can actually pay people to do this for you, as during my investigations I have had a chat with someone who paid to have some Spyware developed to divert traffic from one particular high profile website to his.
    Not at all legit, but it means it can be done.
     
    Upvote 0

    Ozzy

    News Update for those interested :)

    It does appear to be a Spyware application rather than domain hijacking, and it seem(ed) to be triggered at the end of the order stage where the customer searched for the company they wish to form (my system does an XML lookup at Companies House, and then redirected the user to a page to enter their details and create an account).
    I am guessing this stage is chosen as the trigger point as it intercepts the user before they enter any identifiable information on my website so I would not be able to track any lost orders.

    The application redirects the user to a reseller of one of my competitors, direct to the Stage 2 of their order process.

    The competitor in question is co-operating in trying to ascertain what is happening here, by analysing all their log files for any odd activity (orders that started at Stage 2 in their system, orders where the customer referrer information is my website, and so on).

    Personally I believe this not to be the work of the competitor themselves as that would be too obvious and incriminate them instantly. More than likely, another 3rd party who would like to see us two fight it out and/or cause other problems.

    I never knew this sort of stuff was possible to be honest, but it's amazing what a few hundred quid can buy you from a Middle East software developer!

    Anyone want to intercept traffic to ebay.co.uk, bbc.co.uk... microsoft.com ? :D
     
    Upvote 0

    Ozzy

    Actually something I am having trouble explaining so I hope someone here can explain/help...

    My daily average unique visitors to my website over the past 3 months have increased from around 500-600 unique visitors a day to what currently stands as 3,122 average unique visitors a day!!!! That is on average, some days are a lot higher and weekends are a lot lower - but that is a massive huge jump and will explain the extra load on my servers and slowing of my website speed.

    Ever get the feeling someone doesn't like you ;)
     
    Upvote 0

    DuaneJackson

    Free Member
    Jul 14, 2005
    8,642
    1,100
    Brighton / London
    Do your logs show what the traffic is? I assume sales haven't gone up at the same time and you're assuming it's an attempt to do a Denial of Service attack on the server?

    If the visitors' IPs are pretty random and they are doing little activity other than requesting the occasional page, then your new 'friend' may also have had software developed to randomly request pages from your site in order to drain your resources.

    Is the upwards trend continuing or has it plateued(Spelling?)?
     
    Upvote 0
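
Added example (not part of the thread, and not any poster's own code): the two log checks discussed above, sketched in Python over a constructed access log. One finds visitors who entered an order flow at Stage 2 or arrived there with an outside referrer; the other gives a per-day count of unique IPs and the share that made only one request. The Combined Log Format, the paths `/order/stage1` and `/order/stage2`, and the host `shop.example` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip, day, request path and Referer are captured.
LINE = re.compile(r'(\S+) \S+ \S+ \[(\d+/\w+/\d+)[^\]]*\] '
                  r'"(?:GET|POST) (\S+)[^"]*" \d+ \S+ "([^"]*)"')

# Constructed sample log; hosts, paths and addresses are placeholders.
SAMPLE = """
192.0.2.10 - - [01/Mar/2006:10:00:01 +0000] "GET /order/stage1 HTTP/1.1" 200 512 "-" "UA"
192.0.2.10 - - [01/Mar/2006:10:00:09 +0000] "POST /order/stage2 HTTP/1.1" 200 734 "http://shop.example/order/stage1" "UA"
198.51.100.7 - - [01/Mar/2006:10:02:00 +0000] "GET /order/stage2 HTTP/1.1" 200 734 "http://other.example/search" "UA"
203.0.113.5 - - [01/Mar/2006:10:03:00 +0000] "GET /order/stage2 HTTP/1.1" 200 734 "-" "UA"
203.0.113.9 - - [02/Mar/2006:09:00:00 +0000] "GET / HTTP/1.1" 200 100 "-" "UA"
203.0.113.9 - - [02/Mar/2006:09:00:05 +0000] "GET /about HTTP/1.1" 200 100 "-" "UA"
198.51.100.8 - - [02/Mar/2006:09:01:00 +0000] "GET / HTTP/1.1" 200 100 "-" "UA"
"""

def parse(text):
    matches = (LINE.match(l.strip()) for l in text.splitlines())
    return [m.groups() for m in matches if m]  # (ip, day, path, referer)

def suspicious_entries(text, stage1, stage2, own_host):
    """IPs that hit stage 2 with an off-site Referer or without a prior stage 1."""
    seen_stage1, flagged = set(), {}
    for ip, _day, path, referer in parse(text):
        if path.startswith(stage1):
            seen_stage1.add(ip)
        elif path.startswith(stage2):
            try:
                ref_host = urlsplit(referer).hostname
            except ValueError:  # malformed Referer header
                ref_host = None
            if ref_host and ref_host != own_host:
                flagged[ip] = f"external referer {ref_host}"
            elif ip not in seen_stage1:
                flagged.setdefault(ip, "entered at stage 2")
    return flagged

def daily_profile(text, low=1):
    """Per day: (unique IPs, share of those IPs making <= low requests)."""
    hits = defaultdict(lambda: defaultdict(int))
    for ip, day, _path, _ref in parse(text):
        hits[day][ip] += 1
    return {day: (len(ips), sum(n <= low for n in ips.values()) / len(ips))
            for day, ips in hits.items()}

if __name__ == "__main__":
    print(suspicious_entries(SAMPLE, "/order/stage1", "/order/stage2", "shop.example"))
    print(daily_profile(SAMPLE))
```

A rising unique-IP count together with a rising single-request share is the pattern the last reply describes; IP address is only a rough stand-in for a visitor, since proxies and NAT merge or split users.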
