Social Engineers Breach Billing Site

Wednesday, May 23, 2012 @ 01:05 PM gHale


Social engineering works. If you don’t think so, just look at the thousands of passwords and credit card details exposed online after a breach of the billing platform WHMCS.

Attackers obtained the data after masquerading as the platform’s lead developer, Matt Pugh, and conning the company’s hosting provider into releasing administrator credentials.


Using Pugh’s credentials, the attackers accessed WHMCS’s database and stole hashed customer credit card numbers and passwords, usernames and support tickets. Along with that data, they also dumped a 1.7GB cache that included control panel and website information from WHMCS, which is based in Delft, The Netherlands.

Almost a day’s worth of data was erased from the compromised servers, and the attackers hijacked links to the cache and other smaller files.

Pugh wrote on the corporate blog that attackers from the group UGNazi provided correct answers to identity verification questions.

“The person was able to impersonate myself with our web hosting company and provide correct answers to their verification questions, and thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details,” he said.

“This means that there was no actual hacking of our server. They were ultimately given the access details. We are immediately reviewing all of our hosting arrangements, and will be migrating to a new set-up at the earliest opportunity.”
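The chain Pugh describes is an account-recovery weakness rather than a server exploit: pass the host’s verification questions, change the contact email, then have the access details mailed to the new address. The following added example (not code from WHMCS or its host; all names, timestamps and the 72-hour hold are constructed assumptions) models that flow on the provider side and shows how a hold on credential mailing after a recent contact-email change, lifted only by confirmation through the previous address, blocks the same sequence.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class HostingAccount:
    """Minimal model of a hosting provider's client account (constructed)."""
    contact_email: str
    previous_email: Optional[str] = None
    email_changed_at: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)

    def change_contact_email(self, new_email: str, now: datetime) -> None:
        self.previous_email = self.contact_email
        self.contact_email = new_email
        self.email_changed_at = now
        self.audit.append(f"{now.isoformat()} contact email {self.previous_email} -> {new_email}")


def can_mail_access_details(account: HostingAccount, now: datetime,
                            passed_verification_questions: bool,
                            hold_period: timedelta = timedelta(hours=72),
                            confirmed_by_previous_email: bool = False) -> bool:
    """Decide whether access details may be mailed to the account's contact email.

    With hold_period=0 this is the weak policy from the article: correct answers
    to the verification questions are enough, so a freshly changed address gets
    the credentials. With a positive hold_period, a recent email change puts the
    request on hold unless the change was confirmed via the previous address.
    """
    if not passed_verification_questions:
        account.audit.append(f"{now.isoformat()} mailing denied: verification failed")
        return False
    recently_changed = (account.email_changed_at is not None
                        and now - account.email_changed_at < hold_period)
    if recently_changed and not confirmed_by_previous_email:
        account.audit.append(f"{now.isoformat()} mailing HELD: contact email changed "
                             f"{now - account.email_changed_at} ago, old address not confirmed")
        return False
    account.audit.append(f"{now.isoformat()} access details mailed to {account.contact_email}")
    return True


def replay_impersonation_sequence(hold_hours: int, confirmed: bool = False) -> bool:
    """Replay the article's chain: pass questions, change email, request mailing."""
    t0 = datetime(2012, 5, 21, 12, 0)  # constructed timestamp
    acct = HostingAccount(contact_email="lead-dev@example.invalid")  # hypothetical
    acct.change_contact_email("impostor@example.invalid", t0)       # hypothetical
    return can_mail_access_details(acct, t0 + timedelta(minutes=5), True,
                                   timedelta(hours=hold_hours), confirmed)
```

The audit list on the account is where a detection rule would hook in: an email change followed within minutes by a credential-mailing request is the signal worth alerting on even when the policy allows it.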

Pugh initially said the database of the company’s ticketing system may have been compromised, and recommended that any users who had recently sent a ticket containing their WHMCS or FTP login details change them.

Around four hours later, Pugh said the main server, which hosts the main website and WHMCS installation, had also been compromised; a malicious user had proceeded to delete all files, losing all new orders placed within the previous 17 hours as well as any tickets or replies submitted.

A cursory scan of the leaked databases turned up troves of information from Australian hosting companies.


