
The Green Sheet Online Edition

June 11, 2012  •  Issue 12:06:01


Hactivists nab and leak 1.7 gigabytes of sensitive data

A group called UGNazi claimed responsibility for breaching online software and services provider WHMCS Ltd. on May 21, 2012. UGNazi stole hundreds of thousands of customer records and took over WHMCS' Twitter account. The group also deleted all files from the WHMCS server and launched a distributed denial of service (DDoS) attack. The attack rendered WHMCS temporarily unable to deliver its web hosting control panel and client management, billing and support services to its customers.

While U.K.-based WHMCS' target market is web hosts, it serves a variety of online businesses. The intrusion resulted in the leaking of 500,000 user names, passwords, Internet Protocol addresses and some credit card details, according to posts by UGNazi on the WHMCS Twitter account it commandeered. Press reports following the breach said UGNazi released 1.7 gigabytes of data and also made off with and leaked WHMCS' encryption key, which was allegedly stored in clear text in the server's root directory.

A social engineering maneuver

In the WHMCS company blog shortly after the attack, Matt Pugh, WHMCS' lead software developer, confirmed, "credit card information although encrypted in the database may be at risk." Pugh also said the incident was the result of a social engineering attack. He wrote, "The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

"This means that there was no actual hacking of our server. They were ultimately given the access details. This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software." Pugh later said the FBI had been called in to investigate the attack. He also acknowledged that "a more robust hosting infrastructure" should have been in place and said the company will be moving to a multiserver hosting infrastructure soon.

UGNazi claimed it targeted WHMCS because the company allegedly does business with fraudsters. "Many websites use WHMCS for scams," UGNazi tweeted from the compromised WHMCS Twitter account. "You ignored our warnings. We spoke louder. We are watching; and will continue to be watching."

The security industry perspective

Coincidentally, Mark Bower, Vice President of Cupertino, Calif.-based Internet security firm Voltage Security Inc., led a Voltage-sponsored webinar on mobile security strategies on May 22 - when WHMCS was still in the throes of the DDoS attack. In the discussion, Bower stressed there are security risks "across the payment ecosystem." Voltage provides data encryption and key management security services.

Bower feels payment security risks are so great that he recommended companies assume they have already been breached. "You need to work out a way to be sure your critical assets are protected irrespective of whether there is a breach or not," he said. "You don't need a separate strategy for mobile data. You have to get down to the data level and have a consistent policy to manage data's many risks."

After the webinar, Bower commented on the WHMCS break-in and theft. He said the breach "is troublesome on many levels," including the relatively easy access to administrative controls; the lack of correct Payment Card Industry Data Security Standard implementation; and, assuming the reports are accurate, encryption keys stored in the clear on the same system as the data itself. Bower said data breaches are avoidable using techniques such as encryption and tokenization, which render data useless to thieves.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
