Attack Highlights Third-Party RisksHack of Online Billing Provider May Have Exposed 500,000 Cards
A social-engineering scheme waged by the hacktivist group known as UGNazi is to blame for the data leak and temporary takedown of WHMCS, a UK-based online billing platform used by Web hosting providers throughout the world.
The UGNazi hack may have exposed details on 500,000 payment cards and took WHMCS offline for most of the day May 21. UGNazi earlier this week posted a link, which has since been removed, highlighting details about the information it collected in the WHMCS database hack.
WHMCS declined to confirm the number of records and cards exposed. The 500,000 figure was reported this week by The Register, a London-based technology publication. The Register also reported that the card information was salted and hashed, but that a decryption key to recover the details was stored in clear text. The hackers allegedly found the decryption key in the root directory of WHCMS's compromised server.
Experts say the incident highlights the persistent security risks third parties pose when it comes to protecting cardholder data.
UGNazi fooled customer service representatives at HostGator, WHMCS's Web hosting firm, into providing admin credentials to WHMCS's servers, The Register reports. Once the hackers accessed the servers, they copied the company's billing database and left WHMCS's services unavailable.
Wendy Nather, research director of the Enterprise Security Practice at 451 Research, an online-security consultancy, says the social-engineering side of the WHMCS breach is telling.
"(It) was clever on the hacktivists' part: They counted on the fact that any given third-party support technician is not likely to be able to recognize a customer in e-mail or over the phone," she says. "A password reset request is a common form of a social-engineering attack, but one at this level, obviously, has even more impact."
Further, Nather says the incident reflects just how vulnerable third parties actually are.
"We've known for some time that third-party providers can be a weak link in an organization's security defense," she says. "Many breach incident reports have mentioned that a (third-party) provider used the same administrative passwords across all its customer accounts, which allowed attackers to spread out and hit more targets."
WHMC's Blog on the Incident
On May 23, WHMCS's founder and lead developer, known simply as Matt, posted updates and a statement about the breach on the company's blog. He says WHMCS's primary server was breached May 21. At that time, information from the customer database was exposed.
"Unfortunately, credit card details were taken, and we do urge any clients who feel their credit card might have been included in this to take appropriate steps to secure their card," the blog states.
Once access to that primary server was regained, the company's main server, the blog claims contains no card details or client information, was hit by a denial of service attack, which lasted through Wednesday, May 23.
The main server, the blog states, is only used for WHMCS's forums, documentation and blog.
"Further investigations have shown that the social engineering attack did not involve the compromising of any e-mail account," the blog states. "This was only done after access to the server had been gained."
"We've been working very hard with our web hosting provider to restore and secure services," the blog adds. "The DDOS mitigation continues to be ongoing, and we are doing everything we can to limit the impact of this."
WHMCS is reviewing its systems and operating procedures and plans to migrate to a new hosting infrastructure, the blog notes.
Ironically, UGNAZI claims it hacked WHMCS because the company ignored warnings that its hosting provider was not secure.
In a May 23 post on Pastebin, UGNazi hacker Cosmo, one of five hackers believed to be part of the group, says WHMCS's database was leaked to expose security vulnerabilities.
Cosmo writes: "WHMCS, the number 1 Web Hosting Client management company, stores your credit card on HostGator's servers. By Matt hosting this huge domain on HostGator he made himself and his domain very insecure, and that is why we took action and did what we did. It is now 2 days after the attack from us and the site is back up and it still remains on HostGator after Matt knows it is insecure. ... We laugh at your security."
Psychoanalyzing the Hacktivist
"The point of a hacktivist attack is an attack on the reputation of an organization," Nowak says. "Most organizations are not prepared to fight a public relations war on the Internet front."
Nather says the motives hacktivists offer for attacks often don't reflect reality.
"For many years, a wide range of hackers have scoured the Internet looking for vulnerable systems," she says. "As they find vulnerable systems, their personal agenda takes over. For some, they immediately look to see if there is a Web server running in order to deface the Web page. For others, they immediately look to see if there is a trove of sensitive information for personal gain or public disclosure."
But after the attack, the hackers will try to justify their actions, by claiming they were standing up for the public's right to know or, as in the WHMCS case, the need for stronger privacy controls.
"These high-level explanations are examples of popular 'go-to' justifications for criminal activity," Nather says. "Without vetted incident data, it is hard to qualify how often this happens; but based on one author's personal experience researching and communicating with hackers, this is certainly a prevalent theme over the last 12 years."