The Green Sheet Online Edition

June 25, 2012  •  Issue 12:06:02


Combating faceless fraud

By Nicholas Cucci

Recently, a variation on an old type of fraud surfaced: the social engineering scheme. Social engineering can be described as the art of manipulating people into performing actions or divulging confidential information, and one such scheme recently exposed 500,000 credit card numbers.

Social engineering techniques

Several techniques are used to carry out a social engineering scheme, including pretexting, phishing and diversion, which are defined below:

A case in point

WHMCS is an all-in-one client management, billing and support solution for online businesses that was recently hit with a social engineering scheme. According to The Register, a U.K.-based technology news and opinion website, 500,000 credit cards were compromised as a result. Experts believe the incident highlights the persistent security risks third parties pose when it comes to protecting cardholder data.

A group called UGNazi claimed responsibility for this attack and the temporary takedown of WHMCS. UGNazi fooled customer service representatives at HostGator, which is WHMCS' web hosting firm, into providing administrative credentials to UGNazi servers. Once hackers accessed the servers, they copied the company's billing database and left WHMCS' services unavailable. UGNazi also temporarily took over the WHMCS Twitter account.

This was a clever third-party hack. It targeted WHMCS' hosting provider rather than WHMCS itself, because a support technician is unlikely to recognize an individual customer by email or over the telephone. One of the most common requests such technicians handle is a password change.

Damage control

WHMCS followed up this incident with a May 23, 2012, post on its blog. Matt Pugh, the founder and lead software developer of WHMCS, wrote, "The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

"This means that there was no actual hacking of our server. They were ultimately given the access details. This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software."

Once access was gained, the company's main server was hit by a distributed denial of service (DDoS) attack. A DDoS attack is an attempt to make a machine or network unavailable to its users by saturating the target machine with external communication requests. The attack rendered WHMCS temporarily unable to deliver its web hosting control panel and client management, billing and support services to its customers.

"Further investigations have shown that the social engineering attack did not involve the compromising of any email account," Pugh added. "This was only done after access to the server had been gained. ... We've been working very hard with our web hosting provider to restore and secure services. The DDoS mitigation continues to be ongoing, and we are doing everything we can to limit the impact of this."
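The sequence Pugh describes (verification questions answered correctly, the contact email changed, then a mailing of the access details requested) is exactly what a hosting provider's support desk can be built to resist. The following is an added example, not WHMCS or HostGator code: a change-control check that holds credential mailings after a recent contact-email change unless the requester is verified through a channel the requester did not just take over. The class names, the 48-hour hold period, the phone-on-file callback and the sample timeline are all assumptions made for this illustration.

```python
"""Added example, not WHMCS or HostGator code: a support-desk change-control
check for the pattern the article describes, in which the account's contact
email is changed and the access details are then requested for the new
address. Names, the hold period and the sample timeline are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy: after a contact-email change, credential mailings are held
# unless the requester is verified out of band (e.g. a callback to the phone
# number that was already on file before the change).
HOLD_PERIOD = timedelta(hours=48)


@dataclass
class Account:
    account_id: str
    contact_email: str
    phone_on_file: str
    previous_email: Optional[str] = None
    contact_changed_at: Optional[datetime] = None
    audit_log: list = field(default_factory=list)


def change_contact_email(acct: Account, new_email: str, now: datetime) -> None:
    """Apply a contact-email change and notify the old address, so the real
    owner learns of the change even if the requester answered every
    knowledge-based verification question correctly."""
    acct.previous_email = acct.contact_email
    acct.contact_email = new_email
    acct.contact_changed_at = now
    acct.audit_log.append(("contact_change", now, acct.previous_email, new_email))
    acct.audit_log.append(("notify_previous_address", now, acct.previous_email))


def request_access_details(acct: Account, now: datetime, kba_passed: bool,
                           out_of_band_verified: bool = False):
    """Decide whether support may mail the access details.

    Returns (allowed, reason). Correct answers to the verification questions
    (kba_passed) are necessary but never sufficient while a contact change is
    inside the hold period; a possession factor is required as well."""
    if not kba_passed:
        return False, "knowledge-based verification failed"
    recent_change = (acct.contact_changed_at is not None
                     and now - acct.contact_changed_at < HOLD_PERIOD)
    if recent_change and not out_of_band_verified:
        acct.audit_log.append(("access_request_held", now, acct.contact_email))
        return False, ("contact email changed within hold period; verify by "
                       f"callback to {acct.phone_on_file} or confirmation from "
                       f"{acct.previous_email} before releasing details")
    acct.audit_log.append(("access_details_sent", now, acct.contact_email))
    return True, "access details sent to contact address"


def demo():
    """Constructed timeline mirroring the article's sequence of events."""
    t0 = datetime(2012, 5, 21, 9, 0)
    acct = Account("cust-0001", "owner@example.com", "+1-555-0100")
    change_contact_email(acct, "new-address@example.net", t0)
    # Same day, credentials requested for the new address: held.
    held = request_access_details(acct, t0 + timedelta(minutes=30), kba_passed=True)
    # Same request after a callback to the phone on file: released.
    released = request_access_details(acct, t0 + timedelta(minutes=30),
                                      kba_passed=True, out_of_band_verified=True)
    # Request well after the hold period with no other changes: released.
    later = request_access_details(acct, t0 + timedelta(days=3), kba_passed=True)
    return held[0], released[0], later[0]


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The design point is that answering verification questions proves knowledge, which an attacker can gather, while the callback or the notice to the previous address proves possession of something the attacker has not yet captured; the audit log entries give the provider and the customer a record to reconcile afterwards.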

The role of payment pros

What can you, as payment professionals, do to help prevent this from happening to you and your merchants? Educate. As simple as it sounds, it really is the truth. There are organizations whose goal is to educate the end user and reduce fraud. One such company is Florida-based KnowBe4, an Internet security awareness training provider. Among other fraud prevention efforts, KnowBe4 strives to enable businesses to quickly solve the urgent security problem of social engineering.

Japan's Consumer Credit Association recently released figures showing that the country's online credit card fraud rose to 5.2 billion yen ($65 million) in 2011, up from 2 billion yen ($25 million) in 2010. Japan's CCA issued a warning that checking a credit card number and its expiration date alone is not enough to prevent fraud on the Internet, and that online merchants need to change their verification guidelines in order to reduce the rate of crime.

Online fraud is faceless and occurs worldwide every second of every day. Fraudsters and hacktivists will find new ways to infiltrate systems. Advanced solutions and training are needed to protect ISOs, merchant level salespeople (MLSs), and merchants from this constantly evolving threat.

Services to provide

What can payment professionals provide to assist merchants with bolstering system security? Keep it simple. Help merchants set up their fraud monitoring systems. Small or large, all merchants should use some type of fraud scrubbing software. Monitoring should include the following:

Providing assistance of this kind will help ensure that your merchant customers' systems are safe from intrusion while also adding tremendous value to your services as an ISO or MLS.
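To make "fraud scrubbing" concrete, here is an added example of a small rule-based scrubber of the kind the article says every merchant should run. It is not from the article or from Network Merchants Inc.: the rules, their weights, the decision thresholds, the velocity window and the sample transactions are all assumptions, and the AVS and CVV response letters follow common gateway conventions ("Y" for address and ZIP match, "M" for CVV match). It also applies the Japanese CCA's point from the previous section, treating a card number and expiration date alone as insufficient by flagging every transaction whose address and CVV checks did not match.

```python
"""Added example, not the article's or NMI's code: a rule-based fraud scrubber
over a batch of constructed authorization attempts. Rules, weights, thresholds
and sample data are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

VELOCITY_WINDOW = timedelta(minutes=10)  # assumed look-back window per card
VELOCITY_LIMIT = 3                       # assumed max attempts per card in window
WEIGHTS = {"avs_mismatch": 2, "cvv_mismatch": 3, "country_mismatch": 2,
           "ip_geo_mismatch": 2, "velocity": 3}


def decide(flags):
    """Map a flag list to accept / review / decline (assumed thresholds)."""
    score = sum(WEIGHTS[f] for f in flags)
    if score >= 5:
        return "decline"
    if score >= 2:
        return "review"
    return "accept"


def scrub(transactions):
    """Return {order_id: (flags, decision)} for a batch of attempts.

    Attempts are processed in time order so the velocity rule only counts
    earlier attempts on the same card. The 'card' field is a gateway token,
    never the PAN, so the scrubber itself holds no cardholder data."""
    seen = defaultdict(list)  # card token -> timestamps of earlier attempts
    results = {}
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        flags = []
        if tx["avs"] != "Y":                      # address/ZIP did not match
            flags.append("avs_mismatch")
        if tx["cvv"] != "M":                      # security code did not match
            flags.append("cvv_mismatch")
        if tx["bill_country"] != tx["ship_country"]:
            flags.append("country_mismatch")
        if tx["ip_country"] != tx["bill_country"]:
            flags.append("ip_geo_mismatch")
        recent = [t for t in seen[tx["card"]] if tx["ts"] - t <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:      # too many tries on one card
            flags.append("velocity")
        seen[tx["card"]].append(tx["ts"])
        results[tx["id"]] = (flags, decide(flags))
    return results


def _tx(i, card, minute, avs="Y", cvv="M", bill="US", ship="US", ip="US"):
    """Build one constructed authorization attempt."""
    return {"id": f"o{i}", "card": card, "ts": datetime(2012, 6, 1, 12, minute),
            "avs": avs, "cvv": cvv, "bill_country": bill, "ship_country": ship,
            "ip_country": ip}


# Constructed sample batch: one clean order, one with every check failing,
# and four rapid attempts on a single card token.
SAMPLE = [
    _tx(1, "tok_a", 0),
    _tx(2, "tok_b", 1, avs="N", cvv="N", ship="RO", ip="RO"),
    _tx(3, "tok_c", 2), _tx(4, "tok_c", 3), _tx(5, "tok_c", 4), _tx(6, "tok_c", 5),
]


if __name__ == "__main__":
    for order_id, (flags, decision) in scrub(SAMPLE).items():
        print(order_id, decision, flags)
```

Running it sends the clean order through, declines the order that fails every check, accepts the first three attempts on "tok_c" and routes the fourth to manual review on velocity alone. The point for an ISO or MLS helping a merchant is less the particular weights than the structure: each check is cheap, the decision is explainable, and review cases give the merchant a queue to work rather than a silent loss.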

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
