Hello everyone, I apologize for the English, I used Google Translate because I live in Brazil and I only speak Portuguese. Let’s get to the problems:
I looked for answers here in the forum that might be similar to my problem and didn't find anything very similar, which is why I'm writing. The domain in question that I will report is: oticaspizani-com-br. Also, all results from the Cloudflare Diagnostic Center were positive, with the exception of the speed one, which returned "slow_ttfb_on_cache" for loading above 800ms.
I'll summarize the problem in one paragraph and then detail everything below:
I noticed a massive international hit on a client's website since last week, a small local business website in Brazil. In addition, they managed to hack our WordPress and install a Bank of America phishing page. At the same time, we changed hosting, pointed the site at Cloudflare, removed all malicious content from our server and have now received a notification from Cloudflare of a trademark infringement complaint (and I don't know whether it is official or yet another malicious attempt).
Now detailing the problem:
Around last week, my client's website started getting a high volume of international traffic (and we are a small local business in Brazil).
This seems to have happened right after shutting down and removing Cloudflare on the client's site and in my Cloudflare account (not sure if it was for this reason).
We already had a hosting transfer scheduled before that, and I made this switch during that time (source hosting service: gBlix [gblix-net] to Hostinger [hostinger-com-br]).
In addition, just before the change, we received notifications from Google Search Console about detection of social engineering activities, and also from CERT.br passing on a notification from PhishLabs Security Operations that we had a phishing page created inside our WordPress, in the folder wp_includes, simulating a Bank of America page, since 01/08/22.
After discovering the issues, I installed Wordfence on the website's WordPress and enabled some firewall features; in addition, I switched the website back to Cloudflare and enabled Under Attack Mode. I also removed the malicious files from our server, and 2 days later I started migrating the site to the new hosting (Hostinger.com.br) (I imagined that changing hosting would not solve the problem, as I would continue using the same domain, but that was already a scheduled job even before these problems).
After the migration, where I only transferred the email files and started a WordPress from scratch, importing only the pages and posts files, I installed the plugins, made the settings, pointed the site at Cloudflare, and notified Google Search Console that the problems were resolved, and we received positive validation on this.
Everything seemed to be ok, but we are still observing international traffic on the site, through the Wordfence monitor and also through the WordPress Dashboard (our real traffic is around 200 to 400 visitors per day, and peaks of 2,600 unique users have been recorded on some days, with requests around 36,000).
The problem, besides that, is that today I received 2 emails from Cloudflare about trademark infringement for using Bank of America's trademarked symbol (and I was even in doubt whether it was a real email from Cloudflare, and because of that I didn't want to get in contact by the same e-mail or through the contact of the applicant who was listed in these same e-mails).
With that, I would like to ask some questions:
1. Is it common to receive these emails from Cloudflare, and if so, what should I do to inform you that it was an unintentional phishing action and that the problem has already been resolved and all files related to the Bank of America brand were removed?
2. Is it possible to stop this unwanted international traffic? I mean, in addition to firewall rules and such, will I always be receiving these accesses?
3. What is the reason for receiving these accesses? I don't have much knowledge in this area of security and I don't know if this characterizes a DDoS attack, but if so, what would be the ill-intentioned objective in setting this up?
4. Taking this whole story into consideration, does anyone recommend any immediate action or best practice to adopt to deal with this? (I know that paid resources may come up, but my client is a micro-company that earns in Brazilian Reais and probably won't have many resources to pay for them.)
I’m a new user and that’s why I couldn’t attach a screenshot (I had taken 7) and no links.
If you need me to provide more information about the problem, our website or anything else I didn't mention that could help formulate a better answer, I kindly ask that you ask me here and I will try to respond promptly.
Thanks in advance!