Say you’re going into a store and ask your friend to look after your dog. The friend decides she needs a pack of gum and hands over custody of the pup to her friend who, by chance, happens to be strolling by. When you exit the store, you find your friend, your friend’s friend, but no Rover.
Something similar happened to 500,000 WHMCS customers when the UK-based online billing platform — used by Web hosting providers worldwide — had its customers’ information hacked on a third-party site. In a bit of irony, the third party site was WHMCS’s own Web hosting company, HostGator.
The hacker group, UGNazi, tricked customer service representatives at HostGator, into handing over admin credentials to WHMCS’s servers. Once the hackers accessed the servers, they copied the company’s billing database and left WHMCS’s services unavailable. The Register, a London-based technology publication, reported that some 500,000 customer records and cards were compromised in the attack.
Tracy Kitten in bankinfosecurity.com quoted The Register’s report that “the card information was salted and hashed, but that a decryption key to recover the details was stored in clear text. The hackers allegedly found the decryption key in the root directory of WHCMS’s compromised server.”
Wendy Nather, research director of an online-security consultancy, noted, “(It) was clever on the hacktivists’ part: They counted on the fact that any given third-party support technician is not likely to be able to recognize a customer in email or over the phone. A password reset request is a common form of a social-engineering attack, but one at this level, obviously, has even more impact.
“We’ve known for some time that third-party providers can be a weak link in an organization’s security defense. Many breach incident reports have mentioned that a (third-party) provider used the same administrative passwords across all its customer accounts, which allowed attackers to spread out and hit more targets.”
WHMCS’s founder and lead developer, known only as Matt, said in the company blog that the company was reviewing its systems and operating procedures and planned to migrate to a new hosting infrastructure.
UGNAZI hacker, Cosmo (believed to be one of five attacking hackers), using some “Alice in Wonderland through the looking glass” logic, explained that the hackers breached WHMCS’s security because WHMCS ignored warnings that its hosting provider was not secure. Said Cosmo, “WHMCS, the number 1 Web Hosting Client management company, stores your credit card on HostGator’s servers. By Matt hosting this huge domain on HostGator he made himself and his domain very insecure, and that is why we took action and did what we did. It is now 2 days after the attack from us and the site is back up and it still remains on HostGator after Matt knows it is insecure. … We laugh at your security.”
Gregory Nowak, principal research analyst for the Information Security Forum, an independent global authority, who presumably wasn’t laughing, said, “The point of a hacktivist attack is an attack on the reputation of an organization. Most organizations are not prepared to fight a public relations war on the Internet front.”
Cosmo’s pronouncement elicited this reaction from Wendy Nather as to what really motivated the attack. “These high-level explanations are examples of … justifications for criminal activity…..(It) is hard to qualify how often this happens; but based on (my) researching and communicating with hackers, this is certainly a prevalent theme over the last 12 years.”