  • Greg (unregistered)

    It seems that they already changed their "secure" username and password. Too bad it is still stored in the page source!

  • mauhiz (unregistered)

    They changed their login/pw since the article. But not the method. The guy writing that JS has to be the dumbest dumbass ever...

  • mister (unregistered)

    Something interesting: google for "This Script allows people to enter by using a form that asks for a"

  • sageman (unregistered)

    Looks like they caught on and fixed their site... well.... Sort OF... they changed the credentials.

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="Agent") {
        if (form.pass.value=="fsg2008") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>
  • jtl (unregistered) in reply to Steve
    Steve:
    Damn, they just re-secured it by changing the jscript to:

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="Agent") {
        if (form.pass.value=="fsg2008") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>

    That's really unhackable.

    lol, they did it again!

    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="buyers") {
        if (form.pass.value=="gov1996") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
  • Rob (unregistered)

    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?

  • (cs)

    TRWTF is on http://www.federalsuppliers.com/federal.html.

    PAPERLESS PROCUREMENT!

  • (cs) in reply to Rob
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?

    WHOIS indicates that they're somehow related to a publishing company that is also based in FL.

  • jtl (unregistered) in reply to mister
    mister:
    Something interesting: google for "This Script allows people to enter by using a form that asks for a"

    lololol http://www.dynamicdrive.com/forums/archive/index.php/t-9560.html

    He got the code from a forum. Here's an excerpt:

    MuffinMan 05-12-2006, 06:03 PM If you're looking for a real simple login page, here's some code that I use on our internal website all the time. Change the yourusername, yourpassword, and the www.theurlyouwantogoto.com variables to suit your own code. I hope it will help you.

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="yourusername") {
        if (form.pass.value=="yourpassword") {
          location="http://www.theurlyouwanttogoto.com"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>

    ...

    elliot 05-12-2006, 08:43 PM Many thanks MuffinMan, I've gone and added that in place which will do nicely http://www.bhbgroup.co.uk/client.html

    It doesn't need to be overly secure, only holding a form on the other side for clients to submit orders. They'll need a product code via email to use on the order form so this is more than adequate.

    cheers mate!

  • (cs)

    The really scary part is that anybody who wasn't technically savvy could easily be pulled into a ludicrous scheme like this.

  • Frameless Joe (unregistered)

    The real WTF is the use of frames on the site.

  • Thane (unregistered) in reply to Steve

    Actually, you can avoid the "hacking" by just going to "http://officers.federalsuppliers.com/agents.html"

  • Richard Sargent (unregistered)

    I wonder how the page displays using a web browser like Lynx (I think that is the right name for a text-only browser)?

    I wonder how the page works with screen readers for the visually impaired (they probably do something with the JavaScript, but who knows)?

    [Footnote: My captcha code was already in the IE drop list of previously used text strings. How secure is that?!?!]

  • (cs) in reply to Rob
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?
    Easy-peasy.

    The companies registered in Delaware have had a hundred years or so to get their shit together. The ones in Florida tend to be unsophisticated morons in a trailer park, with a stand-by ticket to one of Ronnie's favourite hot-spots of democracy, like El Salvador or Panama, or even the Grand Caymans.

    If your scam is going to have a half-life measured in months, then go to Florida. If you reckon it's measured in decades, then register in Delaware.

  • (cs) in reply to Henrik
    Henrik:
    I love how you didn't even bother anonymizing it.

    Best WTF of the year!

    I just clicked through some listings and found this, quite sad actually:

    Alligator Marine 12/05 3435 Mangrove Ave Norfolk, VA 23502 Telephone: (757) 455-5123 Fax: (757) 455-5124 Email: [email protected] Website: www.alligatormarine.com Contact Name: Dennis Richardson Description: Service-Disabled Veteran-owned small business. Zodiac preferred professional dealer specializing in military, commercial, and first responder boats.

    Soooo this company stole upwards of $600 from a combat-wounded U.S. soldier...shame on them.

    also, I notice that all the pages were written in Microsoft Word 9...sweet.

  • (cs) in reply to The Usual Dosage

    Actually, it isn't even obscurity, since the page's URL is right in the login page's source. So it's security through... um...

    Hm.

  • BEtter (unregistered)

    If you have any questions about the state listings, you can just call the person who wrote the Word document that generated the list (View Source for the Frame after choosing a state).

    <head>
    <meta http-equiv=Content-Type content="text/html; charset=us-ascii">
    <meta name=ProgId content=Word.Document>
    <meta name=Generator content="Microsoft Word 11">
    <meta name=Originator content="Microsoft Word 11">
    <link rel=File-List href="newjer_files/filelist.xml">
    <title>newjersey</title>
    <!--[if gte mso 9]><xml>
    <o:DocumentProperties>
    <o:Author>Donna DeBoer</o:Author>
    <o:LastAuthor>FSG</o:LastAuthor>
    <o:Revision>58</o:Revision>
    <o:TotalTime>29</o:TotalTime>
    <o:Created>2001-01-17T19:20:00Z</o:Created>
    <o:LastSaved>2008-01-21T14:10:00Z</o:LastSaved>
    <o:Pages>1</o:Pages>
    <o:Words>907</o:Words>
    <o:Characters>5173</o:Characters>
    <o:Company>Cybertown Communications Corp.</o:Company>
    <o:Lines>43</o:Lines>
    <o:Paragraphs>12</o:Paragraphs>
    <o:CharactersWithSpaces>6068</o:CharactersWithSpaces>
    <o:Version>11.8132</o:Version>
    </o:DocumentProperties>
  • (cs) in reply to RogL
    RogL:
    Surprised nobody has commented on the real WTF:

    It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

    You don't need the username/password if you have the URL to the page; it opens right up.

    That was the point of the WTF...did you even read it?

  • jtl (unregistered)

    doing some looking about, this script goes back to 2002.

    Here is where I think it originates:

    http://www.javascriptkit.com/script/cut76.shtml

  • Dave (unregistered)

    I'm really disappointed that the newsletter on the home page ...

    Suppliers guides offer inside track on contracts By Jane Meinhardt – Staff Writer Tampa Business Journal (http://www.federalsuppliers.com/newsletter1.pdf)

    doesn't actually exist. Seems like a real nice community all federal suppliers should be a member of!

  • (cs) in reply to Whitey

    Whitey:
    I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.

    An e-mail scraper that sends a form message telling people to come to this thread?

  • Henk Poley (unregistered) in reply to Steve

    Too bad the page it points to is offline

  • Adam (unregistered)

    Hah. I'm going to start trying this on more sites. Surely there isn't more of these sites around...

  • Fry-kun (unregistered) in reply to Henk Poley
    Henk Poley:
    Too bad the page it points to is offline

    It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.

  • (cs)

    A change as simple as this would make it infinitely more secure. At least neither the password nor the "secured" page are available by looking at the source.

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="Agent") {
        location="http://officers.federalsuppliers.com/"+form.pass.value
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>
  • Matt (unregistered)

    Damn, 404, now that really is secure!!

  • (cs) in reply to Dave

    I'm really bored, so I just clicked through to ALL the states - all the pages are not found, except the one from NY.

  • Jay (unregistered) in reply to German B.
    German B.:
    I would be surprised and utterly disappointed if that crappy site would be considered to be "protected" and if their accusation of hacking would be legally viable. ...

    Years ago Congress proposed some law to make it a felony to use an electronic device to eavesdrop on cell phone conversations. I don't know if it ever passed, but I read a very entertaining editorial on it where the writer pointed out that cell phone transmissions were unencrypted radio signals (maybe with digital phones today that's no longer true, I don't know) that could be easily intercepted by anyone with the technical expertise to modify a radio to the appropriate frequencies. So, he said, a law banning eavesdropping would be about as effective as a law saying that page 18 of the New York Times is now reserved for private messages and no one is allowed to read that page unless they are notified that there is a message for them.

    Much the same could be said for many lame security efforts.

    Back when I worked for the military there was one site I had to access that required a password, only given out after you passed a security check ... but every page other than the login page could be reached by simply entering the URL into the browser. I bookmarked several useful pages.

    And hey, don't laugh about the analogy of a gate with no fence. At a former job the big boss's office had a partition in the middle to separate his work area from the secretary's. The partition was several feet short of the walls on either side and well short of the ceiling. In the middle of the partition was a door. And every night the secretary carefully locked this door.

  • hehe (unregistered)

    All you IPs belonging to me

  • Henry Miller (unregistered)

    Really the poster should have contacted a lawyer first. Someone who specializes in class action lawsuits would love to investigate this scam, and is sure to find some i that isn't dotted that he can turn into a pile of money. The submitter gets a few pennies for his finder's fee, and the knowledge that he helped save the world from one more scam.

  • bramster (unregistered) in reply to Rob
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?

    You need a spot to hang the chad

  • Nick (unregistered) in reply to Henry Miller

    The last thing we need is more lawyers!!

  • Observer (unregistered)

    Steve, you just made my day!

    Great addition to a very funny WTF.

  • JM (unregistered) in reply to Steve

    And now the page isn't even available :(

  • Smash (unregistered) in reply to Noam Samuel
    Noam Samuel:
    Actually, it isn't even obscurity, since the page's URL is right in the login page's source. So it's security through...
    ... wishful thinking "Our users won't try and see the source code"?
  • (cs) in reply to Rob
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?

    Hmm... I live near Palm Harbor (like, within 20 minutes). Mayhaps it's time to offer my services as an "expert security consultant" to these people?

    Addendum (2008-02-29 13:40): But then again, if they're so stupid/cheap as to not be able to hire a real developer (or anyone with half a brain, evidently), then I doubt they could afford my consulting rate.

  • (cs) in reply to Herohtar
    Herohtar:
    Hah, I just hacked their site too! I am so awesome.
    pls send teh codez
  • (cs) in reply to Fry-kun
    Fry-kun:
    Henk Poley:
    Too bad the page it points to is offline

    It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.

    that's even better, now anybody actually logging in, if they exist, gets directed to 404 Not Found.

  • Yep (unregistered)

    They're back online!

    Excellent new security measure.. they've changed the USERNAME!

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="Agent") {
        if (form.pass.value=="fsg2008") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>
  • FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT (unregistered) in reply to Fry-kun

    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should have protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. if you're not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. it's rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

  • Justin (unregistered)

    From what I see you do not even need to "login" as you can just go to the link. Obviously in Apache you could configure some restrictions on the access to the files, but from their use of JavaScript I'm sure they do not have someone who knows how Apache works other than the fact that there is a web root folder.
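    The kind of server-side restriction Justin is describing, as an added example of Apache httpd configuration that is not from the thread or from the site in question; the directory path, the htpasswd file location and the officers.example.com host name are assumptions:

```apache
# Added example: make the web server enforce the login, instead of a JavaScript
# check in the page that the browser is free to ignore.
# Assumed placeholders: the protected directory, the htpasswd file, the host name.

<Directory "/var/www/officers/agents">
    # Credentials live in a hashed password file outside the web root,
    # created with:  htpasswd -B -c /etc/apache2/agents.htpasswd agent
    AuthType Basic
    AuthName "Agents area"
    AuthUserFile "/etc/apache2/agents.htpasswd"

    # Every request for anything under this directory must carry valid
    # credentials; typing the URL directly now yields 401, not the page.
    Require valid-user

    # No auto-generated directory listings, so file names cannot be browsed.
    Options -Indexes
</Directory>

# Basic auth sends the password with each request, so refuse plaintext HTTP
# and send clients to the HTTPS virtual host first.
<VirtualHost *:80>
    ServerName officers.example.com
    Redirect permanent "/" "https://officers.example.com/"
</VirtualHost>
```

    With this in place the page source no longer contains anything worth reading: neither the password nor a protected URL that works on its own.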

  • (cs)

    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.

  • (cs) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should have protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. if you're not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. it's rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    Would you folks be in the market for consulting services? Your site is not secure by any means, you don't want to be open to hackers, do you? I doubt you would want to lose business and customers to a competitor. For a nominal fee, I could develop a REAL website with security and the like that would actually help increase your business.

  • blunden (unregistered) in reply to Yep

    Still 404 though. :(

  • Tyr (unregistered)

    heheh Now the document is no longer found on their site. They've taken it down. However, the code is still the same:

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="Agent") {
        if (form.pass.value=="fsg2008") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>

    And this is the response if you put in this login:

    "Not Found The requested document was not found on this server.

    Web Server at federalsuppliers.com "

  • Mike626 (unregistered)

    They decided to take down the agents.html file. That's pretty secure.

  • Alex (unregistered)

    It's a pity the page has been taken down. It would have been a marketing jewel.

    Do you have any silly product to sell? Start calling the people listed there, and you'll be amazed at the results.

  • Smash (unregistered)

    Not being American, I may be wrong, but AFAIK if this company had any government endorsement it should be in a .gov domain.

    Then if I am right, TRWTF is people trusting that the scammer is government related just because he says so and his website appears to be (it is even US-flag themed). Of course, there are other measures to ensure you're not being fooled, but this is a start.

  • Z (unregistered) in reply to Fry-kun

    Umm, not taken offline, just changed.

    http://www.federalsuppliers.com/warning.html

  • (cs) in reply to Smash
    Smash:
    Not being American, I may be wrong, but AFAIK if this company had any government endorsement it should be in a .gov domain.

    Then if I am right, TRWTF is people trusting that the scammer is government related just because he says so and his website appears to be (it is even US-flag themed). Of course, there are other measures to ensure you're not being fooled, but this is a start.

    .gov domains are reserved for sites which are for actual government entities. Government contractors do not get .gov domains.

    See http://en.wikipedia.org/wiki/.gov

Leave a comment on “So You Hacked Our Site!?”
