The Web Hacking Incidents Database
Last update: 17 February 2008
List of incidents for the year 2008
12 incidents listed
Reported: 17 February 2008
Occurred: 31 January 2008
Classifications:
- Attack Method: Unknown
- Country: Greece
- Outcome: Defacement
- Vertical: Government
This is yet another case of defacement of a governmental web site. It is striking that it is almost never the large commercial and financial web sites that are defaced; it is either small mom-and-pop shops or government and political web sites. Don't you get the feeling that government IT is run like a mom-and-pop shop? Do you wonder if it is only the IT part that is run that way?
Reported: 12 February 2008
Occurred: 11 February 2008
Classifications:
- Attack Method: Unknown
- Country: Ecuador
- Outcome: Defacement
- Vertical: Government
Was it defaced or not? In this extraordinary incident, a hacker broke into the web site of the Ecuadorian president and said nice things about him. So nice, in fact, that the presidential office had to apologize in front of the opposition leader. Was it a hack or an overenthusiastic marketing person?
Reported: 12 February 2008
Occurred: 10 February 2008
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Korea
- Origin: China
- Outcome: Downtime
- Outcome: Leakage of Information
- Vertical: Retail
A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front-page news. We don't know if it was front-page news in Korea, but it did not reach the international media.
The attack description is vague but can be best described as session hijacking.
This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers who get hacked; it is we, the WHID maintainers, who speak only this language.
Reported: 10 February 2008
Occurred: 09 February 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Entertainment
Sensitive information about people who created an account on the site was leaked and published through IRC.
Reported: 04 February 2008
Occurred: 04 February 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Finance
A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm, and stole its entire customer database: 226,000 records including names and social security numbers. The attack method is not known, but it seems very much like a web hack.
Reported: 28 January 2008
Occurred: 14 January 2008
Classifications:
- Attack Method: Brute Force
- Country: USA
- Outcome: Monetary Loss
- Vertical: Technology
Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes were hashed but stored on the client browser, Kurt was able to crack them.
Reported: 28 January 2008
Occurred: 06 January 2008
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Planting of Malware
- Outcome: Defacement
- Vertical: Government
You dfon
Reported: 28 January 2008
Occurred: 21 January 2008
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Drive by Pharming
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Mexico
- Location: Client
- Outcome: Leakage of Information
- Outcome: Monetary Loss
- Software: DSL Router
- Vertical: Finance
Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to change the DNS entry of a leading Mexican bank, making any subsequent access by the user to the bank go through the attacker's server.
Reported: 22 January 2008
Occurred: 20 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Attack Method: Denial of Service
- Country: Global
- Country: USA
- Outcome: Defacement
- Outcome: Downtime
- Vertical: Entertainment
The web site of the RIAA, the Recording Industry Association of America, was attacked twice using SQL injection over the weekend. First, a query that takes a particularly long time was posted on a social network web site, causing a distributed denial of service attack against the site. Later on, hackers found and abused additional SQL injection and XSS vulnerabilities, resulting in major defacement of the site.
Reported: 19 January 2008
Occurred: 19 January 2008
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Disclosure Only
- Vertical: Retail
An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good". The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the FTC requires it to accept a very comprehensive and costly security procedure going forward.
References:
- Online Retailer Settles Charges That It Left Consumer Data Open To Hackers
News Story, Information Week, 18 January 2008
- FTC Wags Finger At Site For Weak Consumer Data Security
News Story, StorefrontBacktalk, 18 January 2008
- In the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046
Case File, Federal Trade Commission, 17 January 2008
Reported: 09 January 2008
Occurred: 08 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Italy
- Outcome: Phishing
- Vertical: Finance
It has been a while since a phishing scam using an XSS vulnerability found its way to the Web Hacking Incidents Database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed; however, most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.
Reported: 08 January 2008
Occurred: 05 January 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Retail
Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV). The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment... And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.