ProZ.com and Security

On November 20, 2012, at around 09:55 GMT, ProZ.com's dedicated ad server was infected with malware. That malware was active for about four hours, after which time ProZ.com's banner ads were turned off. The cause was determined to be known vulnerabilities in out-of-date versions of the ad server software. The ad server was reinstalled with the latest software, and brought back online.

Then, on December 3, 2012, the ad server was infected with malware again, between 11:55 and 13:08 GMT. The infected ad server was taken offline again--this time, permanently.

The direct effect of this malware is that a site user who visited a page with banner advertisements could have received content from, or could have been redirected to, a site other than ProZ.com. It is possible that this content could have been malicious. This caused alerts to be issued by some antivirus programs (such as Norton, Avast, and Kaspersky.)

Beyond redirects, there have not been any substantiated reports of service interruptions or other consequences from this malware. However, anyone who accessed ProZ.com during this time is strongly advised to run an anti-virus scan as soon as possible, even if no symptoms have been noticed. If you don't have anti-virus software, try the free Avast anti-virus (for Windows and Mac) and MalwareBytes anti-malware programs.

Frequently asked questions about this incident

Who was potentially affected?

Any user who viewed a ProZ.com page containing banner ads between 09:55 and 14:00 GMT on November 20, 2012, or between 11:55 and 13:08 GMT on December 3, 2012, could have been affected.

Email notification has been sent to users who appear to have viewed ads during this time.

What steps are being taken to ensure this doesn't happen again?

The ad server software that enabled this exploit has been taken offline permanently. ProZ.com will switch to Google's ad service (DFP Small Business).

This means ProZ.com will no longer be hosting its ads--they will be hosted by Google. That service is covered by Google's advertising privacy policy, and you can control (or opt-out of) the advertising cookies using Google's Ads Preferences Manager.

What should I do if I may have been affected?

Users who may have been affected by this incident are highly advised to scan their computers for malicious software using a tool such as the free MalwareBytes anti-malware utility and/or the free Avast anti-virus program. If any malicious software is found, follow the utility's instructions to quarantine or remove it.

If you think you were affected by this incident, please notify ProZ.com staff by submitting a support request.

Has the problem been resolved?

Yes. The malware causing the redirect / loading of third-party content was found and removed.

Is the malware found at ProZ.com the type of thing that could have infected my computer?

What was found by ProZ.com would not have infected your machine. However, the possibility can not be ruled out that the site or sites users were being redirected to (or served content from) could have tried to install something worse than a redirect script. It might not even take any effort on the part of the user to become infected, especially if up-to-date anti-virus software were not being used.

What was the nature of the malware?

Some users running Norton anti-virus software received an alert about an attack it called "Exploit Toolkit Website 4". According to Symantec, this attack attempts to exploit various vulnerabilities, including those in outdated versions of Adobe Reader and Adobe Acrobat. See more information about this report from Symantec.

Other reports have indicated that the malware may have tried to run a Java application, possibly exploiting vulnerabilities on outdated versions of Java.

How can I protect myself from malware in general?

Keep your software up to date, and enable automatic updates when possible. Malware attacks are common against outdated versions of Java and Adobe products, for example. Install an anti-virus program and keep it up to date.

Could Mac users have been affected?

Possibly, though there have been no reports of Mac users affected by this issue.

Contrary to popular belief, Macs are not immune to malware. Mac users should make a point of keeping their software up to date just like Windows users should, and consider using an anti-virus program. (Avast and ClamXav make anti-virus software for Mac.)

Note: the incident described below could potentially have affected up to 8,000 site users. Chances are you were not affected, but please read the following and take the precautions described if you feel you meet the description of one of the potentially affected users.

On February 23, 2011, banner ads which may have included malicious JavaScript code were displayed on ProZ.com.

In at least one instance, a user who viewed the banner ads received an intrusion alert from her Norton Internet Security software, reporting an "MSIE Java Deployment Toolkit Input Invalidation" attack. This type of exploit could allow an attacker to install a Java application on computers with vulnerable versions of Java.

ProZ.com staff have not been able to reproduce such an attack from viewing these banner ads. However, the conditions in which the ads were displayed made such an exploit possible, and given the report from an affected user the decision was made to take down the banner ads and issue this announcement.

ProZ.com has updated its advertising policy to disallow third-party advertisements from containing scripting or active content that might pose a similar threat in the future.

Many thanks to member Alison MacG for bringing this issue to the attention of ProZ.com staff.

Frequently asked questions about this incident

Who was affected?

Any user who viewed a ProZ.com page containing these banner ads between 12:30 and 22:30 GMT on 23 Feb 2011 could have been affected. The banner ads in question were for "24-Hour Fitness". They were displayed to users who appeared to be in the United States, Canada, or the United Kingdom. Though the ads were shown to only a small percentage of users, if you accessed ProZ.com during this time it is possible that you may have been affected.

Email notification has been sent to users who appear to have viewed pages containing the ads in question.

Of the users who viewed pages containing the ads, those running affected versions of Java were vulnerable to the reported attack. The vulnerability was introduced in Java 6 Update 10, and fixed in Java 6 Update 20.

What was the affect of running the potentially malicious code?

Because ProZ.com staff have not been able to reproduce the exploit, it is not known what the potentially malicious code would do if it had been allowed to run.

The "MSIE Java Deployment Toolkit Input Invalidation" attack reported by the Norton Internet Security software could have allowed an attacker to install a Java application on vulnerable computers.

More information about this type of exploit can be found at the following links:

• Description of the vulnerability by Norton Internet Security / Symantec
• Description of the vulnerability by CERT
• Post announcing discovery of the vulnerability on the Full Disclosure mailing list

What should I do if I may have been affected?

Users who may have been affected by this incident are encouraged to scan their computers for malicious software using a tool such as the free MalwareBytes Anti-Malware utility. If any malicious software is found, follow the utility's instructions to quarantine or remove it.

If you think you were affected by this incident, please notify ProZ.com staff by submitting a support request.

How can I test if I am vulnerable to this type of exploit?

It is possible to test how an attack like this might affect you by visiting this test page created by the person who originally discovered the vulnerability. That page will attempt to make your computer run the Windows calculator program (calc.exe). If the calculator runs without your consent, you are vulnerable to exploits of this kind.

How can I protect myself from this type of exploit in the future?

Upgrade to the latest version of Java.

How could this have happened?

The banner ad code supplied by the advertiser contained HTML which loaded JavaScript from a third-party server, outside of ProZ.com's control. This could have allowed an attacker to serve malicious JavaScript code to users who viewed pages containing those ads.

What steps have been taken to prevent this type of incident from happening again?

ProZ.com has updated its advertising policy to disallow third-party advertisements from containing any scripting or active content, so that this type of incident cannot happen again.

I'm on a Mac. Should I be worried?

Macs may also be affected, if you are running certain older versions of Java (less than version 1.6.0_20). If you are running Mac OS X 10.5 Update 7 or higher, or Mac OS X 10.6 Update 2 or higher, you should be protected from this exploit.

I run a Linux (Ubuntu) system. Is this virus likely to have infected if I have a vulnerable version of Java?

Possibly. The vulnerable Linux versions of Java have the same logic error as the Windows versions, but it appears that different attack code would be required to exploit the vulnerability in Linux than in Windows. If that's correct, it seems unlikely that the reported attack would affect Linux systems.

Some technical details can be found here.

I have a question not addressed here. Who should I talk to?

Please ask via ProZ.com's online support system. The support team is standing by to answer questions related to this incident. As questions come in, they will be added with their answers on this page.

Certain ProZ.com user information -- including private data -- was accessed improperly by a site intruder in June of 2009. The following forms of data were accessed:

• Name
• Email address
• Postal address
• Phone number
• Login information (note that passwords are protected by encryption)

The security breach became apparent after some ProZ.com users reported receiving unsolicited email from a website called outsourcingroom.com (or oroom.com). Others reported finding that their personal information had been used to create profiles at that site without their permission, and an investigation was launched.

The security hole that was exploited was filled, and a number of steps were taken to make it more difficult for exploits of this nature to be performed in the future.

Frequently asked questions about this incident

How could this happen?

Hackers exploited a weakness in ProZ.com's security systems. The problem has since been fixed.

Were credit card details or other financial information obtained?

No. In fact, ProZ.com does not store such data.

Which profiles were accessed?

Profiles at least three years old.

Were all profiles that are at least three years old accessed?

There was an automated routine that attempted to access the data in profiles one by one in sequential order. If your profile was created before May of 2006, unfortunately it is reasonable to assume that your data was accessed.

I registered after May of 2006. Does that mean that my profile was not accessed?

Yes, it is reasonable to assume that your data was not accessed. Note, however, that if you are are registered with Elance or other similar services that were accessed by the perpetrators, your data may have been accessed through another source.

How would I know if a profile has been created at outsourcingroom.com using my data?

There is a search function on the site. (Try searching for both your last name and your ProZ.com username.) You may also enter a support request to ask about your specific profile.

My name is there. What might happen as a result?

If your name is there, it is likely that your email address has been obtained, and it is therefore possible that you will receive unsolicited email. If you have a telephone number in your profile, it is possible (but not likely) that you would be called.

Has anyone received unsolicited email?

Yes. A number of users have reported receiving unsolicited email inviting them to register at "oroom.com", which was described in terms similar to those used to describe ProZ.com, Elance and similar services.

How can I prevent that?

If you maintain a spam filter, you may want to filter out email from "oroom" and "outsourcingroom".

Has anyone been called, or otherwise been affected in relation to this incident, other than by spam?

Not to our knowledge; there have been no such reports.

I am concerned about identity theft as a result of this incident. Should I be worried?

No. The data accessed in this incident does not include the types of data normally associated with identity theft, ie. credit card, bank info, national identity numbers, etc.

Spam is the worst that anyone has reported as a direct result of this incident.

My name is not there, even though I created it before May of 2006. Does that mean I am in the clear?

Not necessarily. It may be that your information has been posted, but is simply not coming up in a search. It may also be that your information was obtained, but for some reason was not placed on the site.

Encrypted passwords were accessed. Does this mean someone can log into ProZ.com as me?

Since the passwords were encrypted, and therefore not human-readable, it is unlikely. Still, it is good practice to use passwords that are difficult to guess, and to change your password periodically. (For additional reassurance, it is now also possible to view data on any open logins you have.)

Can you explain in more detail how password encryption works?

If your password is "uncle3pablo", what is stored in the database is something completely different: an encrypted version of the password like "dW5jbGUzcGFibG8=". What was accessed in this incident were the encrypted versions. If a person attempts to log in to your account with the encrypted version of your password, it will fail.

Then why should we change our passwords?

It is generally good practice to select complex passwords and change them periodically, and in this case it is an added security precaution.

How do I change my password?

Go to: http://www.proz.com/?sp=new_password

Is this incident related to similar news from Elance.com?

Yes. Several sites were hit similarly around the same time. (Some ProZ.com users with profiles less than three years old have reported finding profiles created for them at outsourcingroom.com, and upon investigation concluded that their information had been obtained via Elance.)

What are ProZ.com staff members doing about this?

From the time it became clear that user data had been accessed improperly, ProZ.com's staff made it their top priority to address this incident. The following steps were taken:

• Attempts have been made to halt the unauthorized use of your information by those operating outsourcingroom.com, or failing that, to get the site de-indexed. Efforts by other sites appear to have resulted in the temporary removal of the site from the internet, however, it has been moved and reappeared.
• A security review has been performed and various measures have been taken to increase site security.
• An outside firm will be hired to monitor and certify ProZ.com security practices.
• Password requirements have been strengthened.

Could you be more specific? What attempts have been made to get the information removed from the Internet?

ProZ.com staff members consider it the responsibility of the site to do everything within reason to have the private content that was improperly accessed removed from the web. To this end, as a first step a request for removal was sent to those operating outsourcingroom.com. There was no response and attempts to establish contact were not successful. A "cease and desist" letter and DMCA filings were then prepared. Legal options have been investigated but no action has yet been initiated. A report has been given to appropriate law enforcement bodies, ISPs hosting the site have been notified, and other steps have been taken. Unfortunately, there is no guarantee that any of these efforts will be successful in the near term, if at all. However, the process will be pursued to the extent possible.

What laws govern ProZ.com's handling of personal data? How does ProZ.com go beyond that?

It is a goal of ProZ.com to meet and exceed the minimum requirements in all jurisdictions in which the site operates. Following the incident, ProZ.com began working towards certification according to the U.S.-E.U. Safe Harbor Framework guidelines for handling private data, earning the certification in early 2010. Beyond that, privacy will continue to be an emphasis among the site team. Training in data privacy has always been a part of ProZ.com employee training; this training will be repeated and expanded upon. In addition, further controls will be given to members to reduce privacy related risks. For example, users will be provided with options to remove in batches data that no longer has any value. (Old quotes, etc.)

Why did it take approximately a month for notification about this to go out?

The breach was not noticed until reports of spam began to be received. At that time, information was shared in a forum thread as it was obtained, and the breach was announced in that thread hours after it had been confirmed (and within a few days of the start of the investigation).

As for follow-on steps, including sending a general notification, it was advisable for reasons of security (and in the interest of protecting user data that had not been accessed) to take certain technical precautions before calling additional attention to the matter.

There is no question that those affected deserved to be informed much sooner, and we regret that it has taken two weeks for the necessary steps to have been taken, even as staff worked overtime and through the weekends to carry out the tasks. (We admire the ability of Elance to take measures similar to those taken by us in much less time.) We have resolved to become much better equipped to respond rapidly to challenges like this in the future.

Some people have reported success in asking directly that their data be removed from outsourcingroom.com. Should I do that?

We can not advise for or against accessing outsourcingroom.com or interacting with those operating it. Exercise caution when entering any information into the site. (One member described the method she used to remove a profile from the site in a forum post.)

Will I be giving away my email address in requesting removal from that site?

If your name is listed on the site, the odds are that your email address has already been obtained. (In other words, you would not be giving new data, but rather confirming data that they already have.)

"Security breach." Do you mean that I breached the security? Or was it someone else?

It was not you, it was someone else. There has been no evidence to suggest that access was gained to user accounts, in other words, we do not believe that anyone logged in as anyone else. Rather, direct access was gained to the aforementioned data in the profiles.

"Financial information" - what do you mean exactly? There was no financial information on my profile.

Exactly.

I have a question not addressed here. Who should I talk to?

Please ask via ProZ.com's online support system. The support team is standing by to answer questions related to this incident. As questions come in, they are added with their answers on this page.

Why should questions related to this incident go through support instead of the forums?

The thread that existed on this topic contained some incorrect speculation that led to undue alarm and inconvenience for some members. The decision was made to post the facts of this incident in one "official" page, and to field any unanswered questions via the support channel, updating the page as necessary to ensure that all questions are answered efficiently and thoroughly. Your cooperation in this respect will be appreciated.