Strange tags for 0 products in collection

joeldebruijn
Tourist
7 0 9

Symptom

A lot of webshops have these strange tags, containing the text "Contact-My-Telegram [KungHac]" or variants with added strings, see attachments for examples.

 

Context:

For a certain webshop I subscribe to a Google Alert to discover new places it got mentioned or new terms by which it got indexed by search engines. So on 24 April I got an alert containing a tag
"/ hack-call-details + My + Telegram【@Kunghac】-hack-call-history-of-airtel-mobile-number + hack-airtel-mobile-number-details + idea-call-history-hack + call-details-hack-app + hack-vodafone-number-call-details + hack-airtel-call-details + vodafone-call-details-hack + call-detail-hack-kaise-kare + call-details-hack + 74d2"

 

Reproducing this

Use Google or DDG for the string "Shopify【@Kunghac】" and among the search results it shows many Shopify powered webshops containing this tag.

 

Question

Does anybody know what causes this?

Insecure third party app?

And how to remove it?

 

btw, why are PNG screenshots not supported as attachments?

The file type (.png) is not supported. Valid file types are: mpp, xls, xlsx, ppt, pptx, csv, mp4.

Replies 13 (13)

Barrett1
Shopify Partner
3 0 6

Seems to be a widespread Shopify issue across especially Canadian Shopify stores. This Google search shows multiple sites compromised by this: https://www.google.com/search?q=instagram+kunghac&oq=instagram+kunghac&aqs=chrome..69i57j69i60.4522j...

 

@Shopify you need to look into this, as many sites have been potentially compromised. 

RV SnapPad | The World's Only Permanent Jack Pad
joeldebruijn
Tourist
7 0 9

Thank you for your response. 🙏

And I don't get it: I did contact the Shopify webcare team and pinged their CISO on LinkedIn. Just radio silence. 

At this stage I don't even know if it's just a silly wannabe hack or something serious. 

But littering countless webshops with bogus tags can't be good either. 

And I am no customer, so I can't call support directly. Posts here can't be labeled "security" or "infosec" either. If anyone knows of a Responsible Disclosure procedure for Shopify, please help me. 

The whole ordeal sure makes a good first impression. 

Barrett1
Shopify Partner
3 0 6

We are Shopify Plus customers, so I've alerted our Success Manager; we will see if that raises any alarm bells on their end. Most likely it's an app that's been compromised, and from what I can tell, not a serious issue, but something to monitor closely nonetheless.

RV SnapPad | The World's Only Permanent Jack Pad

Skrim87
Tourist
4 0 5

I have a similar index on my site in /collections/all. Here's a screenshot of a random website I found with the same issue. If you Google search for "Shopify collections/all diablo iv" you'll find there are many.

Screenshot_20230503-164004_Chrome.jpg

Barrett1
Shopify Partner
3 0 6

Interesting, that's a similar URL but slightly different. It makes me think Shopify has been compromised from the infrastructure level. 

RV SnapPad | The World's Only Permanent Jack Pad
Skrim87
Tourist
4 0 5

On my website, if I type anything in the URL bar after collections/all/, for example collections/all/spamtest, it doesn't 404; it generates my text "spamtest" as a sort of home button. I think the spammer is hoping to get exposure for free by piggybacking off any and all sites once Google indexes it. It's bizarre because I have 2 other non-indexed pages in addition to the third, but the third is indexed.

According to Google Analytics:

Indexed, though blocked by robots.txt.

Crawl allowed? - No. Blocked by robots.txt

Page fetch - Failed: Blocked by robots.txt

Indexing allowed? Yes

 

Not sure why it would index after being blocked? Shopify support told me to do this. 

However, this comment seems to be the best solution for the recent vendors query spam problem, so maybe there's a similar solution to this; I don't know much about Liquid.
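One defensive mitigation for the behaviour described in this post, added here as an example and not code from Shopify, any theme, or anyone in the thread: a snippet for the head of theme.liquid that marks a collection page noindex when its URL carries a tag that no product in the collection actually has, or when the filtered collection holds zero products. It assumes the Shopify Liquid objects template.name, current_tags, collection.all_tags and collection.products_count behave as documented.

```liquid
{%- comment -%}
  Added example, not from the thread or from Shopify. Place inside <head> in theme.liquid.
  Assumes Shopify Liquid objects: template.name, current_tags, collection.all_tags,
  collection.products_count.
  A URL such as /collections/all/<anything-typed-after-the-slash> renders a page with
  no products; this tells crawlers not to index it instead of letting the bogus tag
  be indexed under the store's domain.
{%- endcomment -%}
{%- if template.name == 'collection' and current_tags -%}
  {%- assign bogus_tag = false -%}
  {%- for tag in current_tags -%}
    {%- comment -%} A tag carried by no product in this collection is not a real filter {%- endcomment -%}
    {%- unless collection.all_tags contains tag -%}
      {%- assign bogus_tag = true -%}
    {%- endunless -%}
  {%- endfor -%}
  {%- if bogus_tag or collection.products_count == 0 -%}
    <meta name="robots" content="noindex, nofollow">
  {%- endif -%}
{%- endif -%}
```

A robots meta tag is only honoured if the crawler can fetch the page, so this does nothing for URLs that robots.txt already blocks, which is exactly the "Indexed, though blocked by robots.txt" state shown above.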

joeldebruijn
Tourist
7 0 9

Can reproduce:

- Search for a Kunghacked Shopify webshop

- In the URL remove everything after "https://www.your-domain.com/collections/all/"

- Instead type something random after the slash, like "stupidproducts". 

 

If someone continues with:

- Screenshot this micro-defacing. 

- Share on social media for reputation damage. Add the authentic URL for credibility.  

 

These last steps are obviously no advice but more of a risk.

joeldebruijn
Tourist
7 0 9

Got a rather generic answer from support to one of the affected webshops.

 

- Advice: use two-factor authentication for every staff member. Good one, but beside the point.

- Diagnosis: it's a spam backlink.

- Advice: ignore it if SEO isn't affected much, and otherwise use Google's Disavow Tool.

- Advice: they took a look at the shop's Google Analytics page and gave some advice on conversion optimization. Also rather beside the point, I guess.

 

What I really want to check is their diagnosis: afaik spam backlinks are links to a spammer's website as part of the profile of somebody posting a comment, review or forum message.

 

But this:

- is a tag/collection (albeit bogus) instead of a comment, review or forum message.

- doesn't link back at all, but links to the store's page itself.

 

All in all I'd rather see them giving this problem to a second-line support member with a focus on security.

joeldebruijn
Tourist
7 0 9

Oh, finally got time to study your links to other forum threads @Skrim87 ... thanks

 

Solved: Website hacked ?! - HELP - Shopify Community

Solved: Has my site been hacked? - Shopify Community

 

Could it be possible it's 'just' the same 'malware' or bot, but the theme itself actually doesn't create the backlink, or the rendered page omits this?

lemri025
Tourist
7 0 3

Did anyone resolve this? I have the same issue. 

joeldebruijn
Tourist
7 0 9

Sadly, radio silence from Shopify.

Was also thinking "what does someone hope to gain from this?"

 

It's like spray-painted graffiti, tagging oneself everywhere. Like defacing a site, but in a 'micro' way. And it doesn't lead to traffic to malicious sites because they lack backlinks.

 

But I think these little hack adverts help to grow credibility for someone's services. Because if thousands of sites mention you, even without linking, you must represent a legit service?

 

Anyway, two cents.

Skrim87
Tourist
4 0 5

That's what I think: they're spamming big sites like Caterpillar construction to take advantage of their SEO rank to boost their own somehow. I wonder if their fake product URLs come up as a "recommended" search term on those websites like CAT?