A Thing
The Green SheetGreen Sheet

Wednesday, May 23, 2012

Hactivists nab and leak 1.7 gigabytes of sensitive data

A group called UGNazi claimed responsibility for breaching online software and services provider WHMCS Ltd. on May 21, 2012. UGNazi stole hundreds of thousands of customer records, as well as took over WHMCS' Twitter account. UGNazi also deleted all files from the WHMCS server and launched a distributed denial of service (DDoS) attack. The attack rendered WHMCS temporarily unable to deliver its web hosting control panel and client management, billing and support services to its customers.

While U.K.-based WHMCS's target market is web hosts, it serves a variety of online businesses. The intrusion resulted in the leaking of the 500,000 user names, passwords, Internet Protocol addresses and some credit card details, according to posts by UGNazi on the WHMCS Twitter account it commandeered.

Press reports following the breach said UGNazi released 1.7 gigabytes of data and also made off with and leaked WHMCS' encryption key, which was allegedly stored in clear text in the server's root directory.

A social engineering maneuver

In the WHMCS company blog shortly after the attack, Matt Pugh, WHMCS' lead software developer, confirmed, "credit card information although encrypted in the database may be at risk." Pugh also said the incident was the result of a social engineering attack. He wrote, "The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

"This means that there was no actual hacking of our server. They were ultimately given the access details. This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software."

Pugh later said the FBI had been called in to investigate the attack. He also acknowledged that "a more robust hosting infrastructure" should have been in place and said the company will be moving to a multiserver hosting infrastructure soon.

UGNazi claimed it targeted WHMCS because the company allegedly does business with fraudsters. "Many websites use WHMCS for scams," UGNazi tweeted from the compromised WHMCS Twitter account. "You ignored our warnings. We spoke louder. We are watching; and will continue to be watching."

The security industry perspective

Coincidentally, Mark Bower, Vice President of Cupertino, Calif.-based Internet security firm Voltage Security Inc., led a Voltage-sponsored webinar on mobile security strategies on May 22 – when WHMCS was still in the throes of the DDoS attack. In the discussion, Bower stressed there are security risks "across the payment ecosystem." Voltage provides data encryption and key management security services.

Bower feels payment security risks are so great that he recommended companies assume they have already been breached. "You need to work out a way to be sure your critical assets are protected irrespective of whether there is a breach or not," he said. "You don't need a separate strategy for mobile data. You have to get down to the data level and have a consistent policy to manage data's many risks."

After the webinar, Bower commented on the WHMCS break-in and theft. He said the breach "is troublesome on many levels," including the relatively easy access to administrative controls; the lack of correct Payment Card Industry Data Security Standard implementation; and, assuming the reports are accurate, encryption keys stored in the clear on the same system as the data itself.

Bower said data breaches are avoidable using techniques such an encryption and tokenization, which render data useless to thieves. end of article

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Facebook
Twitter
LinkedIn
2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing