The Green Sheet Online Edition
June 11, 2012 • Issue 12:06:01
Hactivists nab and leak 1.7 gigabytes of sensitive data
A group called UGNazi claimed responsibility for breaching online software and services provider WHMCS Ltd. on May 21, 2012. UGNazi stole hundreds of thousands of customer records, as well as took over WHMCS' Twitter account. UGNazi also deleted all files from the WHMCS server and launched a distributed denial of service (DDoS) attack. The attack rendered WHMCS temporarily unable to deliver its web hosting control panel and client management, billing and support services to its customers.
While U.K.-based WHMCS's target market is web hosts, it serves a variety of online businesses. The intrusion resulted in the leaking of the 500,000 user names, passwords, Internet Protocol addresses and some credit card details, according to posts by UGNazi on the WHMCS Twitter account it commandeered. Press reports following the breach said UGNazi released 1.7 gigabytes of data and also made off with and leaked WHMCS' encryption key, which was allegedly stored in clear text in the server's root directory.
A social engineering maneuver
In the WHMCS company blog shortly after the attack, Matt Pugh, WHMCS' lead software developer, confirmed, "credit card information although encrypted in the database may be at risk." Pugh also said the incident was the result of a social engineering attack. He wrote, "The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.
"This means that there was no actual hacking of our server. They were ultimately given the access details. This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software." Pugh later said the FBI had been called in to investigate the attack. He also acknowledged that "a more robust hosting infrastructure" should have been in place and said the company will be moving to a multiserver hosting infrastructure soon.
UGNazi claimed it targeted WHMCS because the company allegedly does business with fraudsters. "Many websites use WHMCS for scams," UGNazi tweeted from the compromised WHMCS Twitter account. "You ignored our warnings. We spoke louder. We are watching; and will continue to be watching."
The security industry perspective
Coincidentally, Mark Bower, Vice President of Cupertino, Calif.-based Internet security firm Voltage Security Inc., led a Voltage-sponsored webinar on mobile security strategies on May 22 - when WHMCS was still in the throes of the DDoS attack. In the discussion, Bower stressed there are security risks "across the payment ecosystem." Voltage provides data encryption and key management security services.
Bower feels payment security risks are so great that he recommended companies assume they have already been breached. "You need to work out a way to be sure your critical assets are protected irrespective of whether there is a breach or not," he said. "You don't need a separate strategy for mobile data. You have to get down to the data level and have a consistent policy to manage data's many risks."
After the webinar, Bower commented on the WHMCS break-in and theft. He said the breach "is troublesome on many levels," including the relatively easy access to administrative controls; the lack of correct Payment Card Industry Data Security Standard implementation; and, assuming the reports are accurate, encryption keys stored in the clear on the same system as the data itself. Bower said data breaches are avoidable using techniques such an encryption and tokenization, which render data useless to thieves.
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.