Warning to Clients: Contractor injects malware. oDesk's response: Ignore.

I had a contractor who injected malware onto my website. Turned my servers into a spam farm, got me suspended, plus she put "contextual ads" all over my site with a malware plugin.

I contacted oDesk to try to get something done about it. Included screenshots, expecting them to at least warn the contractor if not ban her.

They needed evidence. Fine, "What do you need?"

After them hemming and hawing for over a week while waiting for them to determine what evidence they needed, I had to get my servers back, so I restored them from a "pre-contractor" backup (after paying the contractor, too!). I provided them with all the evidence I had, including screenshots, but was told that wasn't good enough.

Fast forward to a week ago.

My servers start going haywire again, sending spam, redirecting to porn sites, diet pill sites, you name it. Gathered all the evidence -- and definitive proof that this contractor installed the malware, along with the screenshots of her doing it. I even offered Skype logs.

Contacted oDesk. Asked for a callback and offered the evidence.

No response.

Followed up. No response.

After several days, finally got a call from oDesk. Said he'd call me back after he talked to a supervisor.

No response.

E-mailed to follow up today asking for an update. oDesk's response? "Can you refresh my memory". You don't even review tickets? Come on.

Still, I sent a friendly reminder.

And still... No response.

It's clear that oDesk has no interest in taking action against contractors who spam, install viruses and malware. They won't even look at the evidence let alone hear the complaint.

This contractor continues to work happily for oDesk, infecting other companies' servers, no doubt.

So, a friendly warning to others who use this service: oDesk lets contractors who inject malware happily go from job to job, maliciously infect your websites and cost you thousands in business and thousands to fix.

I've had many great contractors on oDesk and I'm not a small customer.

Be forewarned: you're on your own when it comes to the bad apples -- oDesk lets them flit from company to company injecting malware all over the web.

Not only sad, but scary.

Score: 8.2, Votes: 5
If you want more protection,

If you want more protection, you should hire a contractor from your own country where you can take them to court or sue them. It's simple. Hiring low cost overseas providers is always a risk, one that I'm surprised so many people take without even a blink of an eye.

Malicious contractors should be dealt with

I think it's reasonable to expect oDesk to take action when a malicious contractor installs malware on your server, regardless of which country she is from.

The "About the Client" panel

The "About the Client" panel on the bottom right hand side is depicting absurd information.
It is not showing the correct number of reviews (it is showing “0” instead).

I am really curious as to

I am really curious as to what code, program you saw on the screen for him to put this in there.

I had a new contractor post a

I had a new contractor post a link to an image online on Skype saying "I found your picture is this you?" I did a virus check on the link online and it turned out it was some trojan.

I contacted oDesk about this.

Sad part is this contractor had done 2 jobs for me earlier and he got good feedback and all, now he was trying to hack me.

Talk about biting the hand that feeds you.

Be careful with files and links contractors want you to see.

Sorry, but this one in

Sorry, but this one in particular has nothing to do with the contractor's intent. They were not 'trying to hack you' and they were not 'biting the hand that feeds them'. It's an old Skype virus (known problem for well over a year now) that infected thousands of accounts (peak was last year). Once your Skype is infected, the message is sent periodically to all of your Skype contacts, in most cases the owner of the account isn't even aware that messages are sent.

It's strange for me that someone who does their business 90% online would be unfamiliar with that, it was a big deal in the Skype community. Instead of reporting to oDesk straight away and probably causing a great deal of trouble to someone who's worked with you, and delivered good service, it would've been more helpful to let them know their Skype is infected so they could clean it up.

/// Success is not final, failure is not fatal: it's the courage to continue that counts.

Virus

Hello, I've got this virus too. I think your contractor who sent you this in Skype clicked this link and transferred to all his/her contacts including you. He/she didn't mean it. Someone sent me this link in Skype, "I found your picture, is this you?" then followed by a link, I clicked this and unknowingly I sent this to all my contacts. I learned my lesson after, never click unknown and suspicious links.

Happened to me once too. Had

Happened to me once too. Had no idea for months until I found out the hard way my domain was blacklisted. Called the host company to ask WTF, and they found the code.

It wasn't a matter of the contractor being cheap at all, but the problem was they live across the pond and only did a short task. He had nothing to lose and everything to gain.

oDesk should be responding to

oDesk should be responding to employers' complaints about these things and barring contractors who do it. Instead they tolerate it, turn a blind eye and give us the run-around.

This is bad policy for everyone involved: other contractors get painted with the same brush, employers (likely) flee, and oDesk's reputation and outsourcing in general gets sullied.

Seems like oDesk doesn't mind getting a reputation for supplying companies with workers who install malicious code. You'd think they'd want to do something about it. Counter-intuitive business model in my mind, but I guess it's oDesk's prerogative.

In fairness, I'm *still* waiting for a response from oDesk. But the pace at which this is occurring is not encouraging.

Corey, why on earth would a contractor *DO* that??

Corey F. wrote:
oDesk should be responding to employers' complaints about these things and barring contractors who do it.

What makes you so sure that the "contractor did it" rather than the contractor being a victim of a virus, too?

Doesn't Bojana's explanation sound a hell of a lot more likely?

Quote:

Seems like oDesk doesn't mind getting a reputation for supplying companies with workers who install malicious code.

See above.

What POSSIBLE reason would the contractor have had to deliberately infect your site?

Clarification

Clarification: my explanation was only for what Linda described. What Corey described is beyond my knowledge and I can't comment on it. Although it does seem illogical for someone who wants online work to do that.

/// Success is not final, failure is not fatal: it's the courage to continue that counts.

On the other hand

Even if it is unintentional, a good contractor would protect their own computer from such infections to minimize the potential effect on their clients. It's really actually not hard to do if you are able to recognize the kinds of links that might be dangerous, but that also includes such things that are quite popular, like porn sites, which is how the problem is kept alive, just as sexually transmitted diseases keep alive in the offline world!

Lots of scams

- Affiliate marketing to collect commissions
- SEO to collect backlinks from valuable sites
- E-mail spamming to use legitimate servers, add to botnets, etc

There are lots of reasons a contractor would want to be malicious.

Many of these things can be more lucrative than oDesk itself, I'm sure.

I'll add one more

Killing parts of the application so they get hired back to fix it. It's the scammer's version of recurrent revenue.

It Might Be The Theme

Hi Corey. First, I'm sorry this happened to you. That's a terrible situation, and it's really hard to bounce back from. It is possible, and if you've got good support at your host, you might be able to engage their help at no cost (other than what you pay for hosting) to you.

Second, there's a chance the contractor you hired might not have *intentionally* harmed you. Are you running a WordPress or other CMS type of site? Did your contractor install a theme? It's a common scam in the WP community to offer "free" WordPress site themes that are loaded with terrible computer beasties, including malware, links to the darkest depths of the Internet, trackers, and more. If your contractor was inexperienced, or unaware of this issue, they might have uploaded a dastardly theme to your servers without meaning to hurt you. The evidence will be in the site footer.

As for the slow/magic 8 ball response from customer support, I know that's a frustration many contractors share as well.

just curious

Corey F. wrote:
I had a contractor who injected malware onto my website. Turned my servers into a spam farm, got me suspended, plus she put "contextual ads" all over my site with a malware plugin.

I contacted oDesk to try to get something done about it. Included screenshots, expecting them to at least warn the contractor if not ban her.

They needed evidence. Fine, "What do you need?"

After them hemming and hawing for over a week while waiting for them to determine what evidence they needed, I had to get my servers back, so I restored them from a "pre-contractor" backup (after paying the contractor, too!). I provided them with all the evidence I had, including screenshots, but was told that wasn't good enough.

Fast forward to a week ago.

My servers start going haywire again, sending spam, redirecting to porn sites, diet pill sites, you name it. Gathered all the evidence -- and definitive proof that this contractor installed the malware, along with the screenshots of her doing it. I even offered Skype logs.

Contacted oDesk. Asked for a callback and offered the evidence.

No response.

Followed up. No response.

After several days, finally got a call from oDesk. Said he'd call me back after he talked to a supervisor.

No response.

E-mailed to follow up today asking for an update. oDesk's response? "Can you refresh my memory". You don't even review tickets? Come on.

Still, I sent a friendly reminder.

And still... No response.

It's clear that oDesk has no interest in taking action against contractors who spam, install viruses and malware. They won't even look at the evidence let alone hear the complaint.

This contractor continues to work happily for oDesk, infecting other companies' servers, no doubt.

So, a friendly warning to others who use this service: oDesk lets contractors who inject malware happily go from job to job, maliciously infect your websites and cost you thousands in business and thousands to fix.

I've had many great contractors on oDesk and I'm not a small customer.

Be forewarned: you're on your own when it comes to the bad apples -- oDesk lets them flit from company to company injecting malware all over the web.

Not only sad, but scary.

Corey, (following your story timeline) you mentioned that you had to restore your "server" from a "pre-contractor" backup and yet, it got infected again. How can you explain that? I mean - if you restored your "server" from a backup that was done BEFORE the (alleged) malintended contractor even got a chance to touch it.. how can you blame him?
Is it possible that you actually got hacked due to some previous (I mean waaaay back) vulnerability that got exploited by an internet worm (it's a quite common thing)?

Corey F. wrote:
- Affiliate marketing to collect commissions
- SEO to collect backlinks from valuable sites
- E-mail spamming to use legitimate servers, add to botnets, etc

There are lots of reasons a contractor would want to be malicious.

Many of these things can be more lucrative than oDesk itself, I'm sure.

If you are so "sure" that aff marketing, SEO/backlinks from an already infected domain, spam from what it sounds to be a shared hosting and "many of these things" can be more "lucrative than oDesk itself", then you're obviously one of those guys who pays peanuts (no offense).

"it got infected again. How

"it got infected again. How can you explain that?"

My choice of the phrase pre-contractor was a poor one. It was pre-this problem. I have identified the exact software that was installed, and I know that it was her who installed it.

She was being paid $12/hr IIRC, not that it should matter. oDesk should take action when a contractor installs malware. Period.