back to article Dodgy Dutch developer built backdoors into thousands of sites

Dutch police are this week warning 20,000 users that their email accounts were hacked after a malicious web developer left backdoors in the sites he built. Cops found the credentials in the un-named 35-year-old man's email account and say he used the stolen personal details to open accounts, convince family members to transfer …

  1. frank ly

    Hence the advice not to re-use passwords.

  2. Anonymous South African Coward Silver badge

    Hence the advice to think twice before outsourcing something.

    1. A Non e-mouse Silver badge

      [Dutch police] also warn web masters to employ trustworthy web developers

      But if you're outsourcing because you don't know how to do something (e.g. You're running a small business, want a website but know nothing about how to build or design one) how are you going to know someone is (or is not) trustworthy?

      1. David Roberts Silver badge
        WTF?

        Trustworthy web developers

        And remember, don't get mugged by criminals, and always work smarter not harder.

        Plus many other sound bites which shift the blame onto the victim.

        Unless, of course, the job description included "actual or potential criminals are encouraged to apply". Are they in fact suggesting that the businesses went out of their way to employ untrustworthy web developers?

        Oh, and always remember, kids, stay away from untrustworthy lawyers and accountants. Umm..and stay way from all politicians both local and national; that one at least is easy.

        Sadly noting that the criminal is not a criminal until after the crime has been committed, detected, and then the perpetrator convicted. Criminals aren't always easily detectable.

    2. Anonymous Coward
      FAIL

      "Hence the advice to think twice before outsourcing something."

      But then smart arses such as yourself say not to use the likes of Wordpress and Joomla and leave it to professional web developers. So which is it?

      1. Anonymous Coward
        Anonymous Coward

        This isn't outsourcing. This is paying another business to do something you need to have done. My colleagues and I need to travel for our jobs. Should we build our own cars, planes and airports? Have our own network of petrol stations, along with refineries and oil fields?

        1. anonymous boring coward Silver badge

          "Should we build our own cars, planes and airports? Have our own network of petrol stations, along with refineries and oil fields?"

          Yes.

        2. Anonymous Coward
          Anonymous Coward

          Re: Should we build our own cars, planes and airports?

          What a neat excuse to buy the cheapest piece of something labelled "a car" or "a plane". One is free to buy a car which has never undergone a crash test. He might even survive couple of years without crashing that car. Similarly recently the Ukrainians have bought flying drones worth tens of millions only to discover they have been manufactured back in the 80's, and the analogue radio channel had missed the concept of security completely. A corn field can quickly be converted to an airfield. All one needs is a pole, piece of wood and some paint.

      2. Anonymous Coward
        Anonymous Coward

        "But then smart arses such as yourself say not to use the likes of Wordpress and Joomla and leave it to professional web developers. So which is it?"

        Well the classic route to starting / growing a business is to formulate a business plan and seek funding if the idea is financially feasible. If you've done your research and have a solid plan you will get funding.

        If you're simply punting crap from a drop ship outfit you won't.

        Cutting corners and bastardising a blog platform to work as a store front isn't a business plan. Sure, it can be done...but are really caring about your customers when you do things on the cheap?

        Wordpress, Joomla etc online shops are a cancer...a bit like those dodgy "phone unlocking" tat shit holes that spawn on high streets selling low grade Shenzen specials.

        You don't have to get your store front built from scratch but you really should pay the extra dough to deploy a purpose built product rather than try and bend a blog to your will.

        Wordpress is badly out of date with its practices. These days there should never be a situation where your front end connects directly to a database. You should have an API in between and your payments should be processed on a box nowhere near your frontend.

        Its not expensive to do something like this. Id usually charge in the region of £1000-£2000 for this which for a proper business is peanuts. I can see why this price would look unattractive to someone moonlighting as online vendor attempting to make beer money though.

        For a bonafide business (one that is declaring income and trading legitimately), this is barely a cost as it can be written off as an expense against tax.

        1. Doctor Syntax Silver badge

          "Id usually charge in the region of £1000-£2000 for this which for a proper business is peanuts."

          Nice rant but how would a customer know you're trustworthy and not a cowboy?

          1. Anonymous Coward
            Anonymous Coward

            £1000 - £2000?

            Are you not for profit or something?!

        2. Anonymous Coward
          Anonymous Coward

          Wordpress, Joomla etc online shops are a cancer...a bit like those dodgy "phone unlocking" tat shit holes that spawn on high streets selling low grade Shenzen specials.

          You don't have to get your store front built from scratch but you really should pay the extra dough to deploy a purpose built product rather than try and bend a blog to your will.

          Nonsense. Joomla and WP are simply tools, neither good nor bad but they deliver only results if you understand how to use them. I cannot see anyone run a shop on WP, that's simply not what it was designed for (it's OK for a little "public only" website), but it's quite possible on Joomla because it has the fundamental controls in place to make that happen.

          The benefit of starting with a standard CMS is that you have fairly well tested fundamentals. To write something that is Internet proof is a long process, and by using a CMS that has been through this sort of warfare already means that you can focus on the bit that makes it from "a Joomla/Plone/Drupal/homebrew patchwork/whatever site/toolkit" to YOUR site. It means you don't have to start from the ground up with functionality, DB design, user management, 2FA embedding etc etc - you can focus on making it yours. That's how you get to good functionality without having to start from scratch. It also means you benefit from a fairly large network of people who pick up problems and vulnerabilities instead of sitting on a island with no idea of impending shark attacks (with or without lasers).

          In addition, you don't just have an API separation at application level, you also segregate at network level. Anything that takes in data from the public should live on a DMZ and should not retain that on the site but should push this through to another network - money and personal details must be at least 2 walls away from the raw Internet. I know that's not the modern way of working, but when it comes to protecting revenue as well as users I prefer a bit of old school.

          Its not expensive to do something like this. Id usually charge in the region of £1000-£2000 for this which for a proper business is peanuts.

          For a full website handling user details and payment data? Yeah, right. And who will you be selling my users' details to to make up the shortfall?

          1. mootpoint

            WooCommerce?

            You make very good points about "standing on the shoulders of a crowd of giants" when using an established open-source CMS. I will back WordPress against a bespoke e-commerce site any day of the week, simply because it has been stress-tested to f**k in the wild.

            I cannot see anyone run a shop on WP, that's simply not what it was designed for (it's OK for a little "public only" website)

            WooCommerce extends WordPress to do just that. It does it pretty well, and is now used by 40% of the world's online stores. In other words, WordPress is the most popular e-commerce platform in the world.

      3. Blitheringeejit
        Trollface

        My arse is indeed smart...

        ..because I know that it's just as easy to put a backdoor/logger capability into a Wordpress or Joomla site as it is into a custom store-front, if you're the one building the site.

        1. Anonymous Coward
          Anonymous Coward

          Re: My arse is indeed smart...

          Such downvotes. Wow.

          My point was if you cut corners and do things on the cheap you're more likely to be a victim of this kind of practice.

          An Ikea wardrobe is much cheaper than a hand made oak wardrobe made by a carpenter. The handmade one will be higher quality, will last longer and is less prone to structural issues however it costs a metric shit ton more simply because it takes longer to produce and is made of more expensive materials. The carpenter knows you're paying more and will put in the effort to try and win repeat business.

          If you purchase a shitty store front of Fiverr et al you probably arent really building a relationship with your supplier and its likely that wont give him any repeat business, you'll likely move on and find a cheap wanker to support the site and screw him as well. Opening the door for another potential thief.

          Being a cheapskate is a slippery slope. You'll never acquire the quality you need to show your customers you care.

          This is a trap a lot of small businesses fall into and its a common reason why small businesses fail.

          Do it right or dont do it. After all if you're trying to convince your customers that your products are of a high quality why would you do it through a low quality site?

          If your store front sucks your ability to identify high quality products might suck as well.

    3. Tom Paine

      Why, did no in-house IT people ever go bad? Hmmm...

      http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/

      1. Peter2 Silver badge

        I'm not a professional coder, just an ops person. However, I have discovered on a live production website post handover that the original developer had put in a few unrequested easter eggs, such as comments viewable in the outputted HTML source that he was the developer (and contact *dev* via details if you need work done) , which was somewhat fair enough.

        I was inclined to leave those since the bloke had done a good job up until I noticed that the dev was essentially getting all of the customer details put through the system copied to him. This could quite legitimately have been a development thing as he hadn't got access to our systems and may have just set up a test system identical to our internal system while he was developing the system.

        However, equally it could have been deliberate. Obviously, it took no more than a few seconds to delete the lines of code in question but I do wonder how many companies even bother to look through code that's been developed for them.

        Trust nobody, check everything. You'll be surprised what you discover on occasion.

  3. tr1ck5t3r
    Trollface

    The public cant even choose trust worthy politicians with the "aided" scrutiny of the media or have a so called choice in the tech ecosystems on offer to the world, so when clever people make up the rules and then exploit their own rules, is it any wonder some people resort to effectively imitating global "leaders" without the contractual paperwork detailing his actions?

    1. Timmy B

      "trust worthy politicians" == oxymoron.

  4. GrapeBunch

    This is the gobsmacking part:

    "He used stolen social media accounts to convince victims' family members to transfer money to him"

    It's a small country. Wouldn't normal people talk on the phone or meet before sending dosh?

    1. Anonymous Coward
      Coat

      Re : Wouldn't normal people talk on the phone or meet before sending dosh?

      Yes we would... but there's an idiot born every minute so...no...

    2. anonymous boring coward Silver badge

      "It's a small country. Wouldn't normal people talk on the phone or meet before sending dosh?"

      Why?

      Becasue they suddenly suspect that an email from their own son or daughter may be a fake?

      After 10 years of genuine emails.

      And what does talking on the phone have to do with the size of the country?

      Or driving for that matter. Do you drive 100 miles to borrow what amounts to the petrol money to get there and back? You ask for money to be withdrawn. Drive there. Get the money. Drive home again. Go to the bank. Deposit it into your own account. Seems stupid, doesn't it?

  5. Anonymous Coward
    Anonymous Coward

    To the cheapskates out there...

    That Magento dev you're eyeing up on Fiverr...cheap for a reason.

    #justsayin

  6. AustinTX

    I've seen this movie

    It was called "Sneakers" -1992

    1. Alister

      Re: I've seen this movie

      It was called "Sneakers" -1992

      I don't recall seeing the bit where there's a dodgy web developer... in fact I don't think the world wide web was in general use when that film was made? It was all about a piece of hardware that could decrypt encrypted information.

  7. Warm Braw Silver badge

    Worse...

    There's an update on the Dutch police website linked from the article.

    The police had sent out an e-mail to around 20,000 accounts warning that their account details had been compromised. Shortly afterwards, the police started to receive phone calls reporting that this had triggered a wave of fake e-mails purporting to come from the police with the same warning but containing a dodgy "click here"...

    It seems no opportunity goes unexploited.

    1. anonymous boring coward Silver badge

      Re: Worse...

      Authorities just can't help being totally effing stupid. It's just in their nature it seems.

      1. Tom Paine

        Re: Worse...

        Eh? Are you suggesting the police shouldn't have contacted the victims? Or that they should have made 20,000 in-person visits?

    2. Anonymous Coward
      Anonymous Coward

      Re: Worse...

      It seems no opportunity goes unexploited.

      Yes, but the speed of that attack suggests it must have been prepped by people somehow related to this guy, or even people he worked with. It's too quick a turnaround without some people having had advance notice. Something stinks here, badly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Worse...

        Having a grasp of the language and worked there for a couple of years, I think another option is also important to consider: the Dutch police themselves also seem to fall in the "dodgy Dutch", opportunistic category. Taking personal experiences, familiarity with the countries culture (and being a grumpy old fart) I wouldn't be surprised if one of them would have seen this opportunity and reacted quickly...

        Not that bad? Well... (sorry people, you'll need Google Translate I'm afraid)

        https://www.transparency.nl/nieuws/2015/10/corruptie-politie/

        http://justitie.eenvandaag.nl/tv-items/71379/_drugs_met_medeweten_politie_land_in_gesmokkeld_

        http://www.rtvoost.nl/nieuws/default.aspx?nid=238345

        1. harmjschoonhoven
          Mushroom

          @Anonymous Coward who lived in the Netherlands for a few years

          Of course corruption exists in a country with Rotterdam, the largest habour in Europe where cocaine is smuggled with assistence of corrupt borderpolice and Aalsmeer the largest flower auction in the world, which is infiltered by the Italian mafia.

          But it is unfair to say that the Dutch policeforce as such is corrupt.

    3. Nolveys

      Re: Worse...

      I only trust email that comes from Action Fraud.

  8. SVV

    What to do?

    Try this : code review(s) by independent experts followed by software build done b said experts. Hire a company with a good reputation to do this. Keep sole control of authentication credentials (said good company will advise on how to do this easily). Do not store user information in unencrypted form.

    Sure it'll cost some money. But nowhere near as much as you might lose if you don't.

    Say thank you for my free consultancy advice here.

  9. andy 103

    If a developer has access to a site's code, this is trivial

    There are many people who are (incorrectly) suggesting that by using a platform such as Wordpress or Joomla there is somehow a greater risk of this sort of thing happening.

    Absolute nonsense.

    Both of those systems are written in PHP. If you have access to the source files for a website, you can easily capture (and log, or do whatever you want) with any form data that the user submits. All that's required here is for the rouge developer to add code to things like registration or login forms, and store it somewhere for use later on. All it requires is access to the POST data, which is trivial in any language.

    And before some idiot suggests SSL or encryption - no, that doesn't make any difference here. When the form is submitted to the server all of the information entered is readable within the scripting language. Things like password hashing happen AFTER the data is posted to the server. So if you capture it before, it's readable, in plain text.

    Basically if someone has access to the source files of a website where users are inputting information, they can do essentially anything with that data.

    This is not specific to PHP and could be done in any server side language.

    1. Alistair

      Re: If a developer has access to a site's code, this is trivial

      I doubt I'd have a cosmetics designer touching my code.

    2. Anonymous Coward
      Anonymous Coward

      Re: If a developer has access to a site's code, this is trivial

      Unfortunately it is not "if" but "when". I've seen quite a few cases where the developer is considered a support person as well, and had an unlimited access to the server. No checks, no controls, nothing. Super-puper-admin.

    3. cbars

      Re: If a developer has access to a site's code, this is trivial

      Password hashing done server side, after submission...

      Ok. But couldn't/shouldn't you hash it in JS using your algorithm of choice on the client side, then submit the hash. I mean, that is what I understood to be the way to go.

      I've been wrong before

      1. andy 103

        Re: If a developer has access to a site's code, this is trivial

        "But couldn't/shouldn't you hash it in JS using your algorithm of choice on the client side"

        No. You should never rely on anything client side for security. Anything client side can be manipulated - or disabled (e.g. turn off javascript in a browser) - by the end user. Any security measures must be done server side.

        Any type of "validation" you see being done in Javascript is purely for cosmetic purposes. If you disable js in your browser and submit a form that's only being validated with Javascript you can submit anything to the server - and if no checking is done there - the consequences can be severe.

        1. cbars

          Re: If a developer has access to a site's code, this is trivial

          Cheers for the correction, you are bang on and I am a flippant fool!

        2. cbars

          Re: If a developer has access to a site's code, this is trivial

          So it's three months later - but I thought I'd leave this here on the off chance someone sees it:

          http://www.ietf.org/rfc/rfc2945.txt

          My original comment was about password security, while not relevant to the security of a website's source code (hence the admission of flippancy), the above is an interesting protocol I had not come across before - and validates my original statement.

  10. Hans Neeson-Bumpsadese

    Given the amount of power that a developer has, and so much of what they do can remain un-checked by whoever is buying their services, what really surprises me is that this sort of thing doesn't happen more often

    1. Tom Paine

      That's exactly what I came here to say. Curse my metal body, I wasn't fast enough!

    2. Rich 11 Silver badge

      I expect it does happen more often, but we don't get to hear about it because the smarter people don't keep a shitload of incriminating evidence in their inbox...

  11. John Smith 19 Gold badge
    Unhappy

    "Legitimate webmaster"

    and identity thief.

    It's not about "trust."

    It's about ensuring that even if someone wanted to do this they can't.

    Temptation is tempting. Don't temp people and they won't have to decide to do the right thing, they just do it.

  12. John Smith 19 Gold badge
    Coat

    Dodgy Dutchman arrested. Websites not "Top Gear."

    Sorry, couldn't resist.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021