INCIDENT SUMMARY: SWEETCAPTCHA MALWARE
Not so sweet after all.
In 2014 we started using a new captcha tool called SweetCaptcha. It used simple phrases like "drag the carrot onto the bunny" to prompt the user to interact with cartoon-like images on the screen. We used this for human verification on our Contact Us page.
In July 2015, a user emailed to alert us of a fake NetShade download being offered via a pop-up window. After confirming that the pop-up was being triggered by (but not hosted by) our website, we identified the SweetCaptcha widget as the source. This widget was hosted on SweetCaptcha's own servers, so our servers were not compromised.
After using our Contact Us form and closing the window, a very spammy-looking pop-up was shown behind our webpage, offering a link to a so-called NetShade Installer. The enclosed app was almost certainly some malware or phishing tool. We're not aware of any of our users actually installing it. Regardless, this type of incident is obviously bad.
In this case, the solution was clear: take a flamethrower to SweetCaptcha 🔥. We immediately deleted it and everything associated with it from our website on July 15, 2015.
The SweetCaptcha malware incident drove home one point which has always been central to our software engineering mantra: don't use third-party stuff. That mantra may be an oversimplification, but the core ideal holds true: excessive reliance on third-party tools, libraries and widgets is a recipe for all manner of ills.
After the incident, we went through our servers rooting out and trashing any other questionable third-party software. Fortunately we never used much of this, so there wasn't much to get rid of. We deleted RoundCube Webmail and the tracd server from our web server in response to this incident. Those tools hadn't been causing problems, but we took these steps as a preventive measure so we don't end up with another SweetCaptcha.
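The practical check behind that clean-up is knowing exactly which external hosts your pages load executable content (scripts and frames) from, so a vendor-hosted widget like the captcha above can't sit there unnoticed. The following is an added example, not code from the original post or from NetShade; the sample page and all hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalSourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def external_hosts(html, own_host):
    """Hosts other than own_host that the page loads scripts/frames from.
    Relative URLs (no host) are ignored; protocol-relative URLs
    (//host/path) resolve to their host just like absolute ones."""
    parser = ExternalSourceCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        host = urlparse(src, scheme="https").hostname
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def unapproved_hosts(html, own_host, allowlist):
    """External hosts that are not on the explicit allowlist."""
    return external_hosts(html, own_host) - {h.lower() for h in allowlist}


# Constructed sample: a contact page loading a first-party script, an
# approved CDN, and a vendor-hosted captcha widget. Hosts are placeholders.
SAMPLE_CONTACT_PAGE = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.min.js"></script>
<script src="//captcha-vendor.example/widget.js"></script>
<iframe src="https://captcha-vendor.example/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    flagged = unapproved_hosts(SAMPLE_CONTACT_PAGE, "www.example.com", ["cdn.example"])
    print("Unapproved third-party hosts:", sorted(flagged))  # ['captcha-vendor.example']
```

Run it over each served page (or a crawl of them) and anything reported is a third-party origin whose code runs in your visitors' browsers with your site's name on it.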
WHO WAS BEHIND IT?
There are two possibilities. (1) SweetCaptcha themselves got hacked and the attacker used their servers to distribute malware. Or (2) SweetCaptcha was in on it. Initially I assumed the former, but after reading SweetCaptcha's response tweets I began to think they were part of it. They blamed some third-party ad-click revenue-sharing BS as the cause of the malware distribution. In other words: they got greedy, tried to "monetize" the sites that were using their captcha, and they started running with a bad crowd. Moral of the story, again: do not use third-party 💩 on your website! I should have known better. Since the SweetCaptcha incident, we've maintained an unblemished security record. (knock on wood)
June 7, 2019