Hacking & Malware Attack on Tekzilver
This is the story of the cyber attack on Tekzilver.com and other websites owned by us. We tracked down the perpetrators to a Noida (Uttar Pradesh, India) based criminal enterprise called M/S Digiversal Consultants, run by two individuals, Budhesh Chopra & Sudhanshu Sharma. These guys, apparently pursuing primitive blackhat techniques, managed to exploit about 12 of our websites, inject malware, generate junk pages & parameterized urls etc. AND they also left backlinks to their own website (called assignmentshelplite.com), which shows how brilliantly they operated! As the saying goes, "every criminal leaves behind some clue or the other", but these two gentlemen literally left behind their business card! This article also showcases the total incompetence of the UP police investigating this matter; they are still pretty lost even a year after the crime took place. We will not stop pursuing this crime until it is taken to its logical conclusion, no matter how long it takes.

UP FIR #0432

We decided to write this article to clearly document what happened after we were hit by a cyber attack in Nov '21. This article showcases the total incompetence of the local "cyber" police and the failure of governance at ground level, along with the overall administrative and bureaucratic lethargy of both the UP state and the central government authorities. What we have seen in the movies is nothing compared to the horrible reality we are seeing now, in real life. For the record, we have approached ALL the police officials, starting with the CP Noida, DIG (L & O) Noida, DCP Noida, ACP Noida, ADG (Cybercrime) and then the UP CMO/Secretariat, Cybercrime.gov.in, Cert-in.gov.in, CPGRAMS and of course, the Ministry of E & IT. There was no response/action from anybody, except the Ministry of E & IT, Govt. of India. But nothing has happened till date and the criminals are still roaming freely in Noida, even as we write this article. For these police officers, the UP state government and the central government organizations, the best way to 'resolve' a problem is to transfer it to somebody else and then close the case as 'disposed of'. In over 14 months, the ONLY action of the UP police has been to send 3 emails (after over 12 months from the date of the initial complaint), knowing fully well that they will not be getting any response. But they did it anyway, just to show that they are in the process of "evidence gathering". The updates by the UP police are blatant lies, so far. We say this with full responsibility and will stand by our statement(s) in any court of law. We will continue to raise this matter on all possible platforms, forums and institutions until the criminals who did this are apprehended and punished. No matter how long it takes. We also hope that appropriate action is taken against irresponsible officials who hold important positions but have failed to do their jobs.

QUESTIONS FOR THE UP POLICE

  1. Why did it take 8 months for the police to just register the FIR?
  2. Why has NO action been taken even after 1 year, and even after the culprits have been identified?
  3. How can an individual with ZERO tech knowledge investigate a cyber crime?

See the image on the top? That's what our web pages looked like when we checked them in early November 2021. In what should have been a crime that even a school kid could have solved in a couple of days, it's already over one year since we filed a complaint with the "cyber" police in Noida, sector 108, Uttar Pradesh, India and sadly, the cops are completely clueless. One year on, their official version is "they are in the process of gathering evidence". We will not get into the specifics of how these guys actually go about it because it's plain disgusting. Unlike what happens in a professional, corporate setup, there is no "management oversight" or guidance. If you happen to be the unfortunate individual who has been assigned to investigate a cyber crime and you have no idea about anything even remotely connected to the topic, it's still your responsibility to "investigate" it. And, mind you, these cops are not even allowed to close the case saying they don't know how to proceed, or to transfer it to a more competent authority! The senior officers really have no sense of responsibility or accountability; they just shout out the orders and the subordinates are only "expected to" do it. But, generally, they don't. The same individual who, only a few minutes ago, was seen nodding his head vigorously in front of his superior officer would casually come out of his cabin and say he won't do it! And, the best part: all of them get away with doing nothing about anything! And the common man, or "aam aadmi", is simply left in the lurch.

SEQUENCE OF EVENTS so far

  • 04 Nov 2021 - Detection of the hacking incident.
  • 19 Nov 2021 - Reported to UP police, sec 108, culprits identified.
  • 20 July 2022 - FIR (#:0432) Registered against one of the culprits. I/O has zero tech knowledge.
  • 21 Nov 2022 - Police call for a 'generic' meeting with culprit in sec 6, Noida. Objective unknown.
  • End Dec 2022 - We are told they have sent the malware for analysis!

As is evident from the above sequence of events, the UP police have shown little or no interest in acting against the criminals whom we identified on 19 Nov 2021 itself, in our complaint. By appointing an investigating officer who has zero tech knowledge, they have undermined the investigation itself, because the said officer neither understands the significance of the evidence provided nor has any idea how to proceed forward. After the 'meeting' they had called for on 21 Nov 2022, in sector 6, Noida, they even 'advised' us not to write anything against the culprits who engineered the attack! The UP police now appear to be handing out a long rope to the culprits and more than sufficient time to cover their tracks. Think of this: sometime in late Nov 2022, we were called to the sec 108 cyber police station, Noida by one of the cops so he could ask us what a backlink was! For us, it was almost an 80 km drive to answer just this one question. The concept of at least googling for information does not exist, though they don't hesitate to show off their latest smartphones.

DELIBERATE DELAY TACTICS BY POLICE?

So, how do delays happen? From our own experience, this is how: the officer concerned will start relying on "experts" and other organizations. Out here, you become an expert if you put up a couple of videos on Youtube about some vague topic or if you write a book about something, no matter how elementary or generic it could be. The point is, by putting out the videos on Youtube or by writing the book you have already become a public authority on the subject! So, when you are considered an expert, and you have no idea about the topic, you start saying things like "I'm too busy to look into it" or "I'm too busy, but I can have one of my assistants look into it, but it could cost you like, Rs.10,000/- per day!". And they say this AFTER we had conducted our own investigation, figured out the how and what of the incident and shared all the details with them! So, with their "experts" suddenly becoming "too busy" to help them, the cops now have just the excuse they wanted: "evidence collection is in progress!" Ironically, we tracked down the criminals in less than a week after we identified the attack!

INCOMPETENCE & FAILURE

The total incompetence and failure of investigation at the local "cyber" police level is a big blow to those who have suffered the crime. And this is entirely the reason why the cyber criminals have been having a free run all over town. Of course, the cops do get active at times, but only in instances where there are crores of rupees involved, like someone hacking into a bank or like what happened recently in a well-known government run hospital. They eventually call in the private players who do all the hard work and even solve the case. The cops then come in at the end for the optics, claim all the credit and declare to the world that they have solved the case. How brilliant! And then social media is flooded with memes on the topic!

In other cases, like ours for example, they simply don't care. I've seen panic stricken citizens, in tears, coming to the cyber police station in sector 6, Noida and saying they had lost huge amounts of money due to some cyber crime and that they had already filed a complaint. The cops who listen to them don't even bother to take their eyes off their phones and look at the victims or at least offer them a word of reassurance and tell them that they would look into their complaints. They just tell them "80 to 90% chances are you will not get back your money. The rest, we can only try!" That's how brilliantly digital India is heading into the G20 leadership! With this reality, one can only look on and wonder what's going on with all the hype and tall talk about "digital this" and "digital that"! There is an absolute and blatant lack of genuine concern for the welfare of the citizens or protection of small & medium businesses in the country.

COMPLAINTS RAISED TO UP STATE GOVERNMENT AGENCIES

COMPLAINT NUMBER | RAISED TO           | ACTION TAKEN | CURRENT STATUS | COMMENTS
-----------------|---------------------|--------------|----------------|-------------------------
FIR 0432         | UP Police           | Nothing      | Nothing        | Zero action till date.
92214100008851   | UP CM Helpline      | Nothing      | Closed         | Closed with zero action.
60000220168935   | UP Jansunwai Portal | Nothing      | Closed         | Closed with zero action.
60000220168868   | UP Jansunwai Portal | Nothing      | Closed         | Closed with zero action.
60000220188377   | UP Jansunwai Portal | Nothing      | Closed         | Closed with zero action.

COMPLAINTS RAISED TO CENTRAL GOVERNMENT AGENCIES

COMPLAINT NUMBER     | RAISED TO         | ACTION TAKEN                       | CURRENT STATUS        | COMMENTS
---------------------|-------------------|------------------------------------|-----------------------|-----------------------------------------------
23109220069408       | Cybercrime.gov.in | Nothing                            | No action. No update. | This complaint is lying in limbo. Zero action.
No complaint number  | Cert-in.gov.in    | Nothing                            | None                  | Asked to follow up with Cybercrime.gov.in
GOVUP/E/2022/47420   | CPGRAMS           | The FIR was created after 8 months | Zero action on FIR.   | Zero action by UP cyber police.
MINIT/E/2022/03921   | CPGRAMS           | Nothing                            | Closed                | The complaint was quietly "disposed of"
PMOPG/E/2022/0250924 | CPGRAMS           | Nothing                            | Closed                | The complaint was quietly "disposed of"
PMOPG/E/2022/0264176 | CPGRAMS           | Nothing                            | Closed                | The complaint was quietly "disposed of"
PMOPG/E/2022/0275551 | CPGRAMS           | Nothing                            | Closed                | The complaint was quietly "disposed of"
MINIT/E/2023/0000048 | CPGRAMS           | Nothing                            | Unknown               | No update so far.

DETECTION

I've been wanting to write about it for a long time now but had to attend to more pressing matters. We have to omit or generalize some of this information because of its sensitive nature and because we don't want the Noida cyber crooks to know what we know. This is also going to be the first article on our official blog. The cyber crooks as well as the government authorities deserve to be named and shamed for what they do, well, actually for what they DID NOT! These cyber crooks are low-life individuals who cannot make a straight living, whereas the government authorities are individuals who are blinded by power and authority and have lost any sense of responsibility towards the citizens of this country, whom they swore to serve. Now, they only listen to HNV (His Neta's Voice)!

This is how it all started: on the 4th of Nov 2021, we noticed a sudden and sharp drop in the organic traffic to our websites. We initially thought it was just one of those regular dips in traffic, but then it persisted and we had to investigate. Our initial investigation found that many of our top performing pages were not even loading, and it was not an issue with the hosting server. Now, this called for a full-scale investigation.

Impact of the cyber attack on Tekzilver

We started looking into each and every page of our websites and found that many of the pages were infected and filled with junk code (like the one in the main image for this post) just before the start of the html code. Different pages were in different stages of infection. In some pages, the junk code had almost overwritten our code and in some, it was partial. But the end result was the same: our pages were not loading and we were losing traffic, customers and sales. But that was not all the cyber crooks did. They did a lot more damage:

Thousands of Junk Html Pages Generated

Junk pages generated by the cyber attack

The cyber attack also generated thousands of junk html pages in order to make our websites appear to be spammy to search engines.

Screenshot from Google Search Console

The cyber attack also created fake CSS folders along with fake index.php and .tmp files which could not be removed. They kept reappearing even after we deleted them. Obviously, these crooks had placed their code in other areas of our hosting area which kept regenerating these malicious files & folders. We had no other option but to shut down our websites, format the whole hosting area and relaunch the websites one by one, after cleaning up the code.

Parameterized URLs

They also created parameterized versions of urls:

Parameterized versions of URLs
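
One practical way to find out which "parameterized versions" of your URLs a crawler has picked up is to read them straight out of the web server's access log. The script below is an added example written for this article, not code from the original post or from any company it names. It assumes combined log format, a small set of query parameters the site legitimately uses (KNOWN_PARAMS, constructed for the demo) and a few constructed log lines; a path that suddenly carries several distinct query strings built from parameters you never defined, mostly requested by search-engine crawlers, is the pattern described above.

```python
"""Added example (not the article's code): find "parameterized versions" of real URLs in a web
server access log (combined log format). A page has a handful of known query parameters; a spam
injection shows up as one path carrying many distinct, unfamiliar query strings, mostly fetched
by search-engine crawlers. The log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
CRAWLER_RE = re.compile(r"Googlebot|bingbot", re.I)

# query parameters the (constructed) site legitimately uses
KNOWN_PARAMS = {"q", "page", "utm_source", "utm_medium"}

# constructed sample log: two human visitors, then crawler fetches of injected URL variants
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2021:10:00:01 +0530] "GET /products/widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Nov/2021:10:00:09 +0530] "GET /search?q=widget HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Nov/2021:10:02:30 +0530] "GET /products/widget?utm_source=newsletter HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '66.249.66.1 - - [05/Nov/2021:10:05:00 +0530] "GET /products/widget?uid=101 HTTP/1.1" 200 7900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '66.249.66.1 - - [05/Nov/2021:10:05:02 +0530] "GET /products/widget?uid=102 HTTP/1.1" 200 7900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '66.249.66.1 - - [05/Nov/2021:10:05:04 +0530] "GET /products/widget?ref=tx9 HTTP/1.1" 200 7900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '66.249.66.2 - - [05/Nov/2021:10:05:10 +0530] "GET /products/widget?cat=77&uid=103 HTTP/1.1" 200 7900 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"',
    '66.249.66.1 - - [05/Nov/2021:10:06:00 +0530] "GET /blog/post-1?uid=9 HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

def parse_line(line):
    """One combined-format line -> dict, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, agent = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "target": target, "status": int(status), "agent": agent}

def parameterized_variants(lines, known_params, min_variants=3):
    """Paths that carry at least min_variants distinct query strings using parameters outside
    known_params, with the unknown parameter names, crawler hit count and the URLs themselves."""
    by_path = defaultdict(lambda: {"queries": set(), "params": set(), "crawler_hits": 0, "urls": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["target"])
        unknown = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)} - set(known_params)
        if not unknown:
            continue  # no query string, or only parameters the site really uses
        entry = by_path[parts.path]
        entry["queries"].add(parts.query)
        entry["params"] |= unknown
        entry["urls"].add(rec["target"])
        entry["crawler_hits"] += bool(CRAWLER_RE.search(rec["agent"]))
    return {path: {"variants": len(e["queries"]), "unknown_params": sorted(e["params"]),
                   "crawler_hits": e["crawler_hits"], "urls": sorted(e["urls"])}
            for path, e in by_path.items() if len(e["queries"]) >= min_variants}

if __name__ == "__main__":
    for path, info in parameterized_variants(SAMPLE_LOG, KNOWN_PARAMS).items():
        print(path, info["variants"], "variants; unknown params:", info["unknown_params"],
              "; crawler hits:", info["crawler_hits"])
        for url in info["urls"]:
            print("  ", url)
```

On the constructed sample, /products/widget is reported with four variants built from the unknown parameters cat, ref and uid, all fetched by crawlers, while /search?q=widget and the utm_source link are ignored because those parameters are on the known list. The "urls" list is what you would carry over to a removal request or a noindex/canonical decision; lowering min_variants to 1 also surfaces the single hit on /blog/post-1.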

THE NOIDA CYBER CROOKS MADE MISTAKES

We all heard of the saying that no matter how smart crooks are, they always make mistakes. In our case, they did exactly that and it did not take more than a couple of days for us to track them down after that. These guys were so confident of themselves that they left backlinks from our websites to their own website. Check the image below:

Backlinks created by hackers from Tekzilver.com

These guys created backlinks to their own website from our websites and used some elementary html & CSS code to hide it. These stupid cyber crooks did not realize that people will start looking at the backend code when something goes wrong. It was like these hackers left their business card after committing a cyber crime. Reminded me of the Wet Bandits in the popular movie Home Alone. Having privacy protection is good but nobody will be sympathetic to hackers and criminals and conceal their identity when they have sufficient evidence of their criminal activities.
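
The three symptoms described in this section (junk ahead of the document start, backlinks hidden with "elementary html & CSS", and files that keep coming back after deletion) can all be checked for mechanically on a local copy of the web root. The script below is an added example written for this article; it is not code from the original post or from any company named here. It assumes nothing about the real sites: the domain names, paths and file contents used in demo() are constructed, and the inline-CSS patterns it looks for are the common ones (display:none, visibility:hidden, zero font size or opacity), not a claim about what was used in this particular attack.

```python
"""Added example (not the article's or the named company's code): scan a local copy of a
web root for (1) junk ahead of the document start, (2) off-site links hidden with inline
CSS and (3) files added or changed since a known-good SHA-256 baseline. Demo data is constructed."""
import hashlib
import os
import re
import tempfile

DOC_START_RE = re.compile(r"<!DOCTYPE|<html", re.I)
ANCHOR_RE = re.compile(r"<a\b[^>]*?href=[\"']?(https?://([^/\"'\s>]+)[^\"'\s>]*)[^>]*>", re.I)
# inline-CSS tricks used to keep a link in the markup but out of sight (approximate match)
HIDING = r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|opacity\s*:\s*0(?![.\d])"
HIDING_RE = re.compile(HIDING, re.I)
HIDDEN_CONTAINER_RE = re.compile(
    r"<(div|span|p)\b[^>]*style=[\"'][^\"']*(?:" + HIDING + r")[^\"']*[\"'][^>]*>(.*?)</\1>", re.I | re.S)

def injected_prefix(html):
    """Whatever precedes the first <!DOCTYPE/<html token; a BOM or whitespace is normal, anything else is not."""
    m = DOC_START_RE.search(html)
    prefix = html if m is None else html[:m.start()]
    return prefix.lstrip("\ufeff").strip()

def hidden_outbound_links(html, own_domains):
    """Off-site hrefs that sit inside a hidden container or carry hiding CSS on the <a> tag itself."""
    found = set()
    for c in HIDDEN_CONTAINER_RE.finditer(html):
        for a in ANCHOR_RE.finditer(c.group(2)):
            if a.group(2).lower() not in own_domains:
                found.add(a.group(1))
    for a in ANCHOR_RE.finditer(html):
        if HIDING_RE.search(a.group(0)) and a.group(2).lower() not in own_domains:
            found.add(a.group(1))
    return sorted(found)

def build_baseline(root):
    """SHA-256 of every file under root, keyed by relative path; take it on a clean deploy, store it off-host."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def diff_baseline(root, manifest):
    """Compare the live tree with the baseline; regenerated junk files show up under 'added'."""
    current = build_baseline(root)
    return {"added": sorted(set(current) - set(manifest)),
            "removed": sorted(set(manifest) - set(current)),
            "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p])}

def scan_html_files(root, own_domains):
    """Run both content checks over every .html/.htm file under root; report only findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                html = f.read()
            prefix, links = injected_prefix(html), hidden_outbound_links(html, own_domains)
            if prefix or links:
                report[os.path.relpath(path, root)] = {"prefix": prefix[:60], "links": links}
    return report

def write(root, rel, text):
    """Helper for the demo: write a file under root, creating parent folders."""
    os.makedirs(os.path.dirname(os.path.join(root, rel)) or root, exist_ok=True)
    with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
        f.write(text)

def demo():
    """Constructed scenario: clean deploy, baseline, then the kind of tampering the article describes."""
    own = {"example-own-site.test"}
    clean = '<!DOCTYPE html>\n<html><body><a href="https://example-own-site.test/">home</a></body></html>\n'
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", clean)
        write(root, "about/index.html", clean)
        baseline = build_baseline(root)
        # junk before the document start plus a hidden off-site backlink in index.html,
        # and regenerated css/index.php and .tmp files elsewhere in the tree
        write(root, "index.html", "zz-junk-zz injected garbage text\n" + clean.replace(
            "</body>", '<div style="display:none"><a href="https://spam-backlink.example/">x</a></div></body>'))
        write(root, "css/index.php", "junk\n")
        write(root, "about/x1.tmp", "junk\n")
        return scan_html_files(root, own), diff_baseline(root, baseline)

if __name__ == "__main__":
    content_report, tree_diff = demo()
    print(content_report)
    print(tree_diff)
```

Running it prints one finding for index.html (the junk prefix and the hidden spam-backlink.example link) and a tree diff with index.html under "modified" and css/index.php and about/x1.tmp under "added". The baseline is the part that matters against files that regenerate: if the manifest lives off the web host and the diff is run on a schedule, a file that reappears after deletion is flagged the moment it comes back, which is also when the server logs around that timestamp are worth keeping as evidence.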

Wet Bandits from the movie Home Alone

How we caught the cyber crooks

After we saw the backlinks to their website, it did not take us long to find out more details. Next, we found the email id of one of the crooks. Take a look at the screenshot below:

Email id of hackers

So, from the backlinks left by the hackers, we zeroed in on their email id. The email we found was "sudhanshu@digiversal.in", which belonged to an individual called Sudhanshu Sharma, who was one of the owners of a firm in Noida called Digiversal Consultants. A simple Google search on this firm and we got to know that Digiversal Consultants was owned by two individuals called Sudhanshu Sharma (a.k.a. Narmadeshwar Nath Sudhanshu) & Budhesh Chopra, as seen in the screenshot below (we'll call them cyber crooks from hereon):

Owners of M/s Digiversal Consultants

Now we got to know who was behind the attack, the company and the people who owned and ran that company. We were finally able to put a face to their names. We got their pictures from their company's website. This is what these two cyber crooks, our 'Wet Cyber Bandits' look like:

THE REAL WET BANDITS
Budhesh Chopra & Sudhanshu Sharma-Owners of Digiversal Consultants, Noida

And the crooked duo claim to be running some kind of "education first technology company"! Who would have ever thought that evil lurks behind those warm smiles and folded arms.

What happened after that?

Well, what happened after we identified the crooks is an ordeal by itself and is still ongoing. We do not want to get into the intricacies of the matter because we do not want our cyber crooks to know what we know at this point of time. But we have filed a police complaint with the cyber cell in Noida, sector 108, and the police have even registered an FIR against the culprits (unfortunately, it took the cops over 8 months to just register the FIR!). The FIR number is 0432, dated 20 July 2022.

FIR against owners of M/s Digiversal Consultants, Noida

The opening of an FIR against the owners of M/s Digiversal Consultants, Noida was just the first step. We faced a number of challenges, with regard to the investigation but we will not get into the specifics here at this time. One of the objectives of writing this post is to also create awareness about the nefarious activities of this company, called Digiversal Consultants and the people who run it.

From our own investigation, we have seen that these guys adopt black-hat methods to get their own websites to rank well in the search engines. They do not hesitate to spread malware to take down other websites. In our case, they put their finger into the wrong hole, because we caught them at it. But we suspect there could be many other websites and companies that could have been targeted by this duo (who could in fact be running a whole criminal network of hackers and malware spreaders) and suffered irreparable damage.

We took a seriously hard knock because almost all 12 or more of our websites were completely knocked out of Google and other search engines. We lost more than 95% of our business. We had to work night and day just to get all the spammy URLs removed from Google and it is still an ongoing effort even after more than 1 year after the attack. And all the while, our cyber crooks were roaming freely in Noida & the cops are still clueless.

In spite of all this, we are trying to get these state & central government agencies in India to apprehend these criminals. But that is easier said than done. And though we have shared all the relevant details and evidence, including access logs, malware samples, host names, IP addresses, hosting history, names, addresses, phone numbers and physical locations, none of these agencies have done anything so far. Now they have resorted to delay tactics because they have nothing else to show. It could take a while, but we are pretty confident that these crooks will be caught and held accountable for what they did. We will also make sure that these crooks feel the full force of the Indian laws, no matter how long it takes. We will hold them accountable for the damages we suffered and the financial losses we incurred.

We have also initiated a number of corrective measures to make sure that something like this never happens again (which I will write about in a different post).

Current Status: Evidence gathering

The UP police are at the best of their delaying tactics. For one, they (the UP cyber cops) approached one web hosting service provider after over 1 year and demanded the access logs etc. They (the service provider) simply refused and referred the cops somewhere else. Now, they have written to the other service provider, who has no connection to this case, and are "waiting for information" that will never come. Hence, their status update always reads "evidence gathering in progress"! And oh, lest I forget, there are other agencies who are supposed to provide some information, but they don't have a timeline to get back. "Yeh sab bahut time lagta hai" ("all this takes a lot of time") is what they are saying now (after more than one year of doing nothing!). So, this is how our cyber police are in the process of "gathering evidence", oblivious to the overwhelming evidence that is already right under their very noses! The crooks, in the meantime, are laughing their backsides off, looking at this colossal incompetence. This is just what they wanted, and probably even expected. Now can you see how hard our cops worked to "gather evidence" in over 1 year? They sent 2 emails to two different service providers (well, actually 3 emails, one was sent to me!). Exhausted with all that effort, they are now waiting for replies and information.

What Next?

The cyber attack on our company is unacceptable & we will not tolerate it, or forget about it and move on just because the cops and other agencies have not done anything so far. But it is a life-changing event for us. We are not even a small company. We are just a tiny startup with a handful of people who worked from different places. The last thing we expected was somebody to attack our business and take down our websites. In fact, all our websites. All our struggle and toil of over five years went down the drain for no reason.

But this has only strengthened our resolve to fight back. It took us almost a year to relaunch all our websites. Many lessons learnt:

  • Spread out the risks when operating online.
  • Lesson number 1: No company is too small to be targeted by cyber criminals.
  • Lesson number 2: NEVER host all your mission-critical websites in one location.
  • Lesson number 3: We will talk about it at a later time.

We will also offer cyber-security & related services because we have felt the pain of the attack first-hand and understand how crucial it is to move fast and collect all the evidence so that the criminals can be quickly apprehended. In our case, the police have not acted even after more than one year from the date of our complaint, which is giving the cyber criminals more than sufficient time to try and cover their tracks and destroy evidence. But, in tech, as the saying goes, "you can run, but you can't hide". Cyber-criminals always leave a trail in some manner and people will eventually find it sooner than later.

We will also be happy to work with cyber crime prevention agencies and organizations to prevent cyber crime in all forms and bring criminals to justice at the earliest. We will also be actively working to bring about awareness about cybercrime in the society.

Note: Do you want to get in touch with us? Drop us an email at contact@tekzilver.com.