etenders site hacked/phished?

I received a troubling email this morning from a friend of mine. He ran into a problem when he tried to log in to etenders this morning (etenders is an Irish government website where you can find tender notices on government and public sector procurement).

He said:

I went to log on to the etenders website this morning. I typed in www.etenders.ie and didn’t look carefully as I then entered my username and password. Nothing happened. I quickly realised it wasn’t the official site (www.etenders.gov.ie). So now “they” had my username and password. “They” are a company called Segaps Limited, registered no. 410457 – in Clare. Why are they doing this, what happens to my username and password (quickly changed and not one I use anywhere else) and how does the government allow a site like this to exist? Why does the .ie domain registry allow it to be registered? Why do webhost.ie host it?

It turns out that Segaps is registered to a guy called Des Crosbie who also appears to be the registrant of a software company called Ardlee Ltd. Ardlee, according to their About page:

provide a range of services that complement your existing business model.

Now I have no idea why someone would want to register etenders.ie (or how they would be allowed to in what is supposed to be a managed TLD!) but there very well may be a legitimate reason.

Does anyone know anything about etenders.ie, who is behind it, why it was registered or what is happening to the usernames and passwords being accidentally filled in on their submission form?

Is it possible that etenders.ie is a legitimate site who themselves have been hacked/phished by someone trying to harvest real etenders site logons?

28 thoughts on “etenders site hacked/phished?”

  1. Unfortunately, a quick web search shows that (probably through lazy writing) an awful lot of webpages refer/link to the ‘wrong’ site.

    For example, Dublin City Council sez:

    Can I get specifications on line from the City Council and can I return my tender on line.? #5971

    Specifications may be obtained on line from the http://www.etenders.ie web site. You cannot as yet return your tender on line. This may be posted or hand delivered before the deadline for receipt of tenders.

    Brilliantly, there are pages on the etenders.gov.ie site that refer to etenders.ie (mostly text reproductions of print ads that say ‘look at etenders.ie for further information’):

    The pre-qualification questionnaire and full details are available from http://www.etenders.ie and http://www.limerickcoco.ie (source: http://www.etenders.gov.ie/search/search_show.aspx?ID=JAN052435)

    Bit of a problem, if it’s malign, and irresponsible if it’s not.

  2. Hi Tom,

    I would go Devil’s advocate here and say, all respect to that worried individual, if he called a wrong telephone number, and gave his credit card to the person who answered, whose fault would it be?

    Two things here:

    1. lack of vision/cop-on on the etenders organisation for not registering etenders.ie

    2. lack of management on the IEDR’s side. I think everyone knows just how managed the .ie TLD is.

    The only positive message here is: always read the URLs you type in. Always read what it says on the tin.

    I could understand how worrying it could be. Maybe he should contact IEDR and ask them if they think it’s alright.

    b

  3. One more note, from reading Ardlee’s Data privacy statement:

    General statement
    Ardlee Ltd fully respects your right to privacy, and will not collect any personal information about you on this website without your clear permission. Any personal information which you volunteer to Ardlee will be treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts, 1988 & 2003.

    So, then, his login details are safe!

    🙂

  4. There could be an innocent enough reason for why there is a login screen as the home page. We’ve done that with sites that we use for intra-company purposes.

    However the choice of domain name seems sufficiently close to the Government’s that it would be reasonable enough to say that they might be trying to piggyback on the name, whatever they are up to.

    I’d be very surprised if there was deliberate phishing going on as it is far too easy to trace the owner of the site.

    Suppose they want to set up a site for tendering for non-government contracts / properties…..should they be prevented from registering etenders.ie by the IEDR. Probably on the basis that “etenders” is a well established Govt. site, but the Govt. wouldn’t win a case if it went the WIPO route….the hurdles there are higher than in common law and in general favour domain squatters. It might do better in the High Court with a “passing off” claim – although I doubt they would bother.

  5. oh come on…

    http://www.etenders.gov.ie/

    and

    http://www.etenders.ie/

    are very different looking.

    First off – they are not pretending (nor phishing) to be eTenders.gov.ie

    Second Off – ‘eTender’ as a word is ‘Electronic Tender’, and to ‘Tender’ is not only a government process. Why can’t somebody else use the domain. I actually doubt if the name ‘eTenders’ is a protected name, more so than a government name for the method.

    Third off – eTenders.gov.ie is a subdomain. I don’t see why the IEDR would have any visual of it. Registering g0v.ie for eTenders.g0v.ie might be a different case altogether.

    As above – if I rang the wrong phone number – and nobody answered…. would I give them my credit card?

  6. It is a tricky one because I don’t think that etenders.ie was ever owned by the government. Though Roger is potentially right about the WIPO, the government, via Minister Dempsey has ultimate control of .ie ccTLD so there may be grounds for applying the doctrine of eminent domain and taking the etenders.ie domain. (I know. It is a terrible pun. :))

  7. Wouldn’t it be cool if an icon on the browser status bar changed colour when you land on a legit site. Or better still, the logo that belongs to the site appears in the browser chrome.

    Well, that’s possible with Content Labels and a use case I’ve intended to address.

    VeriSign have addressed this through a partnership with Microsoft but you need to pay around $800 per certificate which to me, is very expensive.

  8. Hi,

    McAfee SiteAdvisor (http://www.siteadvisor.com) does actually change an icon on their toolbar when you land on a dodgy site. I have been using it for a couple of months now and find it very effective.

    It spots scam sites, phishing sites and sites with bad downloads. It also tags each link returned by google so you can see if a site has any problems before you go to it.

    It doesn’t reference this one as I don’t think the site is a true phishing site – i.e. it isn’t making any effort to look like the real site.

    Disclaimer: I do actually work for McAfee so am not exactly impartial but I do think that SiteAdvisor is one of the best things we do.

  9. Aidan – it’s using proprietary technology though, as does VeriSign and a few others. Content Labels can do all that stuff and it’s an open standard (er, soon to be). Furthermore, it’ll be proposed as a replacement to PICS – the filter method in use by IE today.

    BTW, I was introduced to Paul Walsh (at McAfee), do you know if he received the email because I haven’t heard back?

  10. The Department of Finance tried to register etenders.ie as a domain name in 2002 but it was already registered. There is no copyright on the etenders name as it is a generic term widely used in electronic procurement. There are lots of other examples out there – http://www.health.ie vs http://www.health.gov.ie, http://www.ppp.ie vs http://www.ppp.gov.ie so unfortunately it often lies with the user to ensure that they have entered the correct URL (and usually it’s fairly obvious from the home page if you’re on to the correct site). Anyone using etenders.gov.ie will be familiar with the home page and be aware that it’s not necessary to sign in to view notices.

    I take your points about the notices having incorrect information and we will alert all buyers (and our registered suppliers, 35,000) to this issue. The notices are created by buyers in over 1600 public sector organisations and it’s not possible to monitor each one individually. There are about 1,000 ‘active’ tenders at any given time.

  11. Guys,

    Those of you saying “how could anyone get caught by a site like that” may be missing an important point I think.

    Daithi touched on it.

    Many sites link to etenders.ie mistakenly taking it for the legitimate government tenders site.

    Also, the real etenders site is actively being marketed to SMEs most of whose knowledge of tech is on a level with my Dad’s (that is to say poor at best).

    These people have never heard of phishing. They take it as read that if they follow a link from the Dublin City Council site, for example, to the etenders site, that it is legitimate.

    And if they are asked for login details, they simply look for the piece of paper with the username/password scribbled on it and proceed as normal.

  12. Liz,

    thanks for dropping by and commenting.

    A couple of points.
    1. The new/del history on the domain is:
    | etenders | 2002-02-04 00:00:00 | NEW |
    | etenders | 2006-04-20 00:00:00 | DEL |
    | etenders | 2006-05-08 00:00:00 | NEW |

    So the domain could have been registered by the dept in 2006. It might have been advisable to do so.

    2. Has the dept made any representations to the domain owner to place a notice on the home page re-directing people who land there inadvertently thinking they are on the government’s procurement site?

  13. Liz – my team had to justify (by phone!) the registration of paulwalsh.ie So, I’m surprised the same can’t be said for the domain that we’re talking about.

    I’m delighted mTLD are taking over the .ie stuff as we’ve been ripped off for long enough!

  14. Yes Robin,

    thank you, you have just proven my point.

    The title of my post (and the text of the post) asks the question:

    Is it possible that etenders.ie is a legitimate site who themselves have been hacked/phished by someone trying to harvest real etenders site logons?

    You were obviously confused and thought, when I said etenders.ie, I meant etenders.gov.ie and I was asking had the government site been phished by etenders.ie

    An easy mistake. Just as easy as it is for someone to mistake the two sites and inadvertently enter their login details on the etenders.ie site.

  15. Paul,
    As I told you before, mTLD is not taking over .ie ccTLD. The policy control of .ie ccTLD will move from IEDR to ComReg under the E-Commerce Misc. Provisions Act. 🙂 IEDR will still run the ccTLD on a day to day basis. Also the registration of personal names is still tricky because you have to prove that you trade under it or are famous or are a politician. Since the domain does not seem to be registered, it looks like your team didn’t convince IEDR. Get a Registered Business Name cert and then apply for it.

    Liz,
    The etenders.ie domain in 2002 was registered to a company called Xtender Deals Limited which was apparently part of an EU wide government tenders website. The etenders.ie domain was deleted and reregistered very quickly so it is doubtful if anyone from etenders.gov.ie was keeping an eye on the domain. The best way to remove the brand confusion would be to use Google and type link:www.etenders.ie to see what sites are linking to the etenders.ie site and contact them about correcting the links so that they point to the official Etenders site.

  16. Thanks for correcting me John, I must have missed that particular point in our long threads 🙂

    I know some of the guys who helped start up mTLD (in fact, one of their consultants used to be my acting CTO for a while). I should have just asked them before getting it wrong, twice!

  17. Hi Tom,

    Guys,

    Those of you saying “how could anyone get caught by a site like that” may be missing an important point I think.

    Daithi touched on it.

    Many sites link to etenders.ie mistakenly taking it for the legitimate government tenders site.

    Also, the real etenders site is actively being marketed to SMEs most of whose knowledge of tech is on a level with my Dad’s (that is to say poor at best).

    These people have never heard of phishing. They take it as read that if they follow a link from the Dublin City Council site, for example, to the etenders site, that it is legitimate.

    And if they are asked for login details, they simply look for the piece of paper with the username/password scribbled on it and proceed as normal.

    I take your point about people mistaking one thing for the other, BUT, like everything in life, commonsense has to be applied.

    If one day you go to etenders.gov.ie (whose login page seems to be http://www.etenders.gov.ie/login.aspx), you will plainly see:

    “eTenders has been developed by the Department of Finance”

    you have a visual recognition that it is the valid website you want to go to.

    If the next day you go to the address, http://www.etenders.ie, which looks completely different, commonsense applies.

    I am sure your father, like mine, would: stop, think, and say “this looks different than normal”.

    What then: they look at the piece of paper they have the address written down on (Tom-I’m sure your father has his passwords written in his diary, as mine does!), he will then see, “shit, I made a mistake”.

    And will then go to the correct site.

    This is what *should* happen.

    I spent almost 2 years working in an Internet café and I had many “senior aged people” coming in.

    I understand your point about the “piece of paper”, but my experience of people who do things this way is they want to see the same thing as they normally do. (I remember a woman who came in every week to send an e-mail to her daughter living abroad. She would look for the same computer, at the same time every day. She would have her notebook with the steps 1. http://www.hotmail.com, 2. her address, 3. her password, 4. create new e-mail, etc…)

    If that was applied to this situation, the person would have looked at the screen, seen the difference and thought “hang on something wrong here”.

    Caution needs to be applied on the Internet as in real life-again the example of the telephone number, or the wrong shop, etc.

    Now, talking about should the etenders.gov people have registered the etenders.ie domainname?

    Yes, they most definitely should have. If it was registered at the time, like Liz Nolan said, fair enough. BUT they should have been keeping an eye on it all the while.

    This happened recently with a company I used to work for. I explained and explained that we needed to register a domainname with our company name in it. It never happened, and someone else managed to get it.

    I don’t see it being phished, but before I left I recommended that they keep an eye on the registration of it, and if possible enter into some legal proceedings to get it back.

    With regards the linking from official governmental agencies (Dublin Corpo, etc) to an incorrect website, then those guys should be shot.
    Seriously. Again, if that were a telephone number and they gave an incorrect telephone number, they would be harassed until they changed it.

    All in all, common sense and safe browsing needs to be explained to people.

    Internet is not anything new, it’s just a new way of doing something.

    Sorry for the extended comment!

    bernard

  18. The etenders.ie domain was deleted and reregistered very quickly so it is doubtful if anyone from etenders.gov.ie was keeping an eye on the domain. The best way to remove the brand confusion would be to use Google and type link:www.etenders.ie to see what sites are linking to the etenders.ie site and contact them about correcting the links so that they point to the official Etenders site.

    John, your comment is bang on the nail.

    I do think that the etenders.gov people need to contact their clients, and the misguiding websites to direct them to the correct website.

    Not their fault, in total, but people would appreciate it more if they did.
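The link clean-up suggested in the comments above (find pages that point at etenders.ie when they mean etenders.gov.ie, then get them corrected) can be partly automated for pages an organisation publishes itself. The following Python script is an added example, not part of the original post or its comments: it reports every anchor `href` and every plain-text mention whose host is exactly the lookalike domain. The sample HTML is constructed, and the names `bare_host`, `LinkAudit` and `audit` are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = "etenders.gov.ie"   # official host named in the post (never flagged)
LOOKALIKE = "etenders.ie"      # similarly named domain discussed in the post

# Host-like tokens in running text, with or without a scheme.
HOST_TOKEN = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def bare_host(value):
    """Lower-cased host of a URL or bare hostname, without a leading 'www.'."""
    value = value.strip()
    if "//" not in value:
        value = "//" + value            # make urlsplit treat a bare host as netloc
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkAudit(HTMLParser):
    """Collects (kind, line, value) for each exact reference to LOOKALIKE."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if bare_host(href) == LOOKALIKE:
                self.findings.append(("href", self.getpos()[0], href))

    def handle_data(self, data):
        # Exact host comparison: a substring test would also flag line 4 below.
        for m in HOST_TOKEN.finditer(data):
            if bare_host(m.group(1)) == LOOKALIKE:
                self.findings.append(("text", self.getpos()[0], m.group(0)))

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, modelled on the kinds of mention quoted in the thread.
SAMPLE = """<p>Specifications may be obtained from the http://www.etenders.ie web site.</p>
<p>Notices: <a href="http://www.etenders.gov.ie/login.aspx">eTenders</a></p>
<p>Details at <a href="http://www.etenders.ie/">the tenders site</a></p>
<p>Unrelated: www.etenders.ie.example.org</p>
"""

if __name__ == "__main__":
    for kind, line, value in audit(SAMPLE):
        print(f"line {line}: {kind} reference to {LOOKALIKE}: {value}")
```

The reported line is where the enclosing text run or tag starts, which is enough to locate the notice that needs correcting.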
