|
|
|
The Web Hacking Incidents Database
Last update:17 February 2008
Full List of Incidents
245 incidents listed
Reported: 17 February 2008Occurred: 09 March 2005
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Outcome: Leakage of Information
- Vertical: Information Services
The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient automation measures and are adding historical incidents.
In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.
As usual in such cases there is a question of whether the attack was a criminal activity, violation of the license agreement of the information provider or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking to Paris Hilton Vodafone account, which was clearly an unlawful act.
Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that the incident was that there was no security failure in the web site, but that the procedures where lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.
References:
Reported: 17 February 2008Occurred: 09 November 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Planting of Malware
- Vertical: Media
The web site of a leading Indian newspaper is swamped with malware. A recent survey by WebSense cites by the Register found that of the sites hosing malware, 51% where legitimate sites that have been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally undermining WebSense own web site classification technology as a security solution.
References:
Reported: 17 February 2008Occurred: 31 January 2008
Classifications:
- Attack Method: Unknown
- Country: Greece
- Outcome: Defacement
- Vertical: Government
This is yet another case of defacement of a governmental web site. It is amazing to note it is nearly never the large commercial and financial web sites that are defaced. It is either small mom and dad shops or government and political web sites. Don't you get the feeling the government IT is run like a mom and dad shop? Do you wonder if it is only the IT part that is run that way?
References:
Reported: 17 February 2008Occurred: 23 November 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Global
- Outcome: Defacement
- Vertical: Technology
The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS abusing a WordPress zero day bug. Secondly, it is a targeted attack aiming to deface only Mac related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking apple become a political issue? Was Apple transformed into a nation overnight? Well certainly into a cult.
References:
Reported: 12 February 2008Occurred: 11 February 2008
Classifications:
- Attack Method: Unknown
- Country: Ecuador
- Outcome: Defacement
- Vertical: Government
Was it defaced or not? In this extraordinary incident, a hacker broke to the web site of the Ecuadorian president and said nice things about him. So nice in fact that the presidential office had to apologize in front of the opposition leader. Was it a hack or an over enthusiastic marketing person?
References:
Reported: 12 February 2008Occurred: 10 February 2008
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Korea
- Origin: China
- Outcome: Downtime
- Outcome: Leakage of Information
- Vertical: Retail
A Korean e-commerce site was hacked and a staggering number of record, 18 million, where stolen. In the US this would be front news. We don't know if it was front news in Korea, but did not get to the international media.
The attack description is vague but can be best described as session hijacking.
This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non English incidents! After all, it is not English speakers only that get hacked, but rather us, the WHID maintainers that speak only this language.
References:
Reported: 10 February 2008Occurred: 09 February 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Entertainment
Sensitive information about people who created an account on the site leaked and was published through IRC.
References:
Reported: 10 February 2008Occurred: 01 August 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Leakage of Information
- Vertical: Sports
It is already February, and we still add 2007 incidents. If
you wonder why, it is because organizations such as MLS only now find
out that they were hacked last year! Sometime between January and
August of 2007, names, addresses, credit and debit card data, and
passwords of an unknown number of people, including 169 New Hampshire
residents were stolen from the site.
Why New Hampshire? Because the company has to report to the
authorities there about the incidents, but only specify the number of
individuals from this state affected. Why only New Hampshire? Since
regulations and bills requiring disclosures exist in many states, one
would expect that the company would have to provide such a testimonial
in many states. This incident is another good example of the size of
the hidden part of the iceberg.
References:
Reported: 04 February 2008Occurred: 04 February 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Finance
A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm and stole their entire customers' database: 226,000 records including names and social security numbers. Attack method is not known, but it seems very much like a web hack.
References:
Reported: 28 January 2008Occurred: 14 January 2008
Classifications:
- Attack Method: Brute Force
- Country: USA
- Outcome: Monetary Loss
- Vertical: Technology
Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes where hashed but stored on the client browser, Kurt was able to crack them.
References:
Reported: 28 January 2008Occurred: 06 January 2008
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Planting of Malware
- Outcome: Defacement
- Vertical: Government
You dfon
References:
Reported: 28 January 2008Occurred: 21 January 2008
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Drive by Pharming
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: Mexico
- Location: Client
- Outcome: Leakage of Information
- Outcome: Monetary Loss
- Software: DSL Router
- Vertical: Finance
Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to changethe DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.
References:
Reported: 28 January 2008Occurred: 07 November 2007
Classifications:
- Attack Method: Administration Error
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Again a Microsoft Excel file was left on a University's web site for anyone to view.
References:
Reported: 22 January 2008Occurred: 20 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Attack Method: Denial of Service
- Attack Method: SQL Injection
- Country: Global
- Country: USA
- Outcome: Defacement
- Outcome: Downtime
- Outcome: Defacement
- Vertical: Entertainment
The web site of RIAA, the Recording Industry Association of America was attacked twice using SQL injection over the weekend. First a query that takes particularly long time was posted on a social network web site causing a distributed denial of service attack against the site. Later on hackers found and abused additional SQL injection and XSS vulnerabilities resulting in major defacement of the site.
References:
Reported: 19 January 2008Occurred: 19 January 2008
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Disclosure Only
- Vertical: Retail
An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good". The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the company requires the company to accept a very comprehensive and costly security procedure going forward.
References:
- Online Retailer Settles Charges That It Left Consumer Data Open To Hackers
News Story, Information Week, 18 January 2008
- FTC Wags Finger At Site For Weak Consumer Data Security
News Story, Storefront Backtack, 18 January 2008
- n the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046
Case File, Federal Trade Commission, 17 January 2008
Reported: 09 January 2008Occurred: 08 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Italy
- Outcome: Phishing
- Vertical: Finance
It has been a while since a phishing scam using XSS vulnerability found its way to the Web Hacking Incidents database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed, however most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.
References:
Reported: 08 January 2008Occurred: 28 December 2007
Classifications:
- Attack Method: SQL Injection
- Origin: China
- Outcome: Planting of Malware
An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for a name of Chinese sites referred to in malicious code. As a security practitioner I often see SQL injection bots, and many times when I install ModSecurity, an open source application firewall but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into a malicious code in the hope that it will be fetched and displayed by the application to its users. A byproduct if this vector is that is that results are catastrophic for the site owners. While in a case of common defacement attacks restoring (or recreating) the homepage is all it required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backup, requires much more expertise, the overall damage of this attack is very high.
References:
- 70,000 Web Pages Hacked By Database Attack
News Story, Information Week, 08 January 2008
- Realplayer Vulnerability
Alert, SANS Internet Storm Center, 04 January 2008
- Massive embedded exploit web site attack underway
Alert, Heise, 08 January 2008
- SQL Injection Attack Infects Thousands of Websites
Technical Analysis, Ryan Barnett, 08 January 2008
- Mass exploits with SQL Injection
Technical Analysis, SANS, 09 January 2008
Reported: 08 January 2008Occurred: 05 January 2008
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Retail
Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV). The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they where patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment.... And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.
References:
Reported: 01 January 2008Occurred: 04 May 2007
Classifications:
- Attack Method: Misconfiguration
- Country: UK
- Outcome: Planting of Malware
- Outcome: Leakage of Information
- Vertical: Service Providers
Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user's database including all e-mails. The e-mail addresses where actively used for sending spam. Additionally the exploit was used to plant malware on some of the customers' web sites. This incident is unique since PlusNet has published a very interesting and revealing report about the incident that shed a lot of light on real world state of life application security. A must read.
References:
Reported: 01 January 2008Occurred: 06 November 2007
Classifications:
- Attack Method: SQL Injection
- Country: Turkey
- Outcome: Planting of Malware
- Vertical: Media
Another Malware defacement, but this time at a very prominent web site: MSNBC Turkish edition. There are indications that this is an application layer attack.
References:
Reported: 01 January 2008Occurred: 17 September 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Leakage of Information
- Software: Cerberus Helpdesk
- Vertical: Service Providers
A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.
References:
Reported: 01 January 2008Occurred: 23 May 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Planting of Malware
- Software: cPanel
- Vertical: Service Providers
The Washington Post ran a story about a large scale infiltration to IPower, a major hosting provider. According to the story and the following comments, it seems that the problem is plunging IPower for a long time without being resolved. Put in perspective the PlusNet incident which was serious but swiftly handled and publicly acknowledged by the company.
Actually the problem is so dominant that a recent StopBadware report lists Ipower as by far the most Malware infected hosting company. Reports mention that the problem started as early as mid 2006.
The root cause of the breach here is mentioned as being a vulnerability in either Apache, PHP or cPanel. I have selected the third as being more probably until further evidence materialize.
References:
Reported: 01 January 2008Occurred: 23 September 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Planting of Malware
- Software: cPanel
- Vertical: Service Providers
Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.
References:
Reported: 01 January 2008Occurred: 29 January 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Brazil
- Outcome: Disclosure Only
- Vertical: Finance
IDG now reports a bug in the internet banking application of Unibanco, a Brazilian Bank. The vulnerability allowed logged users to view transaction receipts of other unrelated users by changing the "receipt ID" on the form or URL.
Reported by Alexandre Sieira
References:
Reported: 01 January 2008Occurred: 09 November 2007
Classifications:
- Attack Method: SQL Injection
- Country: Brazil
- Country: USA
- Origin: Russia
- Outcome: Planting of Malware
- Vertical: Government
RBN was a big story. It was a hackers group that could work relatively freely in Russia due to rumors connections in high windows. This way it could allow safe hosting for malware. For getting people to the malware they penetrated web sites around the world, and the references article mentioned SQL injection as the method they infiltrated more high profile sites such as US government sites.
References:
Reported: 01 January 2008Occurred: 07 November 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Defacement
- Vertical: Service Providers
Yet another defacement, but this time at a very major telecommunication provider in India. These are the guys in charge of our network after all!
References:
Reported: 30 December 2007Occurred: 15 December 2007
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: UK
- Origin: Iran
- Outcome: Defacement
- Outcome: Blackmail
Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However the following story proves that no matter what, such vulnerabilities cannot be ignored. The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving to a long vacation. The goal was to extort money in order to return the domain. In David's case there is a happy end, as the attention he got helped him receive his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker who steal domains for living may not be as fortunate.
References:
Reported: 22 December 2007Occurred: 22 December 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: USA
- Outcome: Monetary Loss
- Outcome: Leakage of Information
- Outcome: Identity Theft
- Vertical: Security & Law Enforcement
The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which is actively used for identity theft. At least one known identity theft case resulted in $40,000 loss to the victim.
The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belong to at least 270 people and includes the name, address, age and other information could be used to obtain credit cards and open bank accounts.
References:
Reported: 20 December 2007Occurred: 20 December 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Origin: Indonesia
- Outcome: Defacement
- Vertical: Security & Law Enforcement
Just like WHID 2007-60, this hack is probably a representative of many other incidents. The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your soul" on the Web site of the police department in Tucson, Arizona. Only unlike regular defacement, this time it is not the front page but rather the news section that was modified.
As many you know, the news section is one of the few database driven parts in many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.
References:
Reported: 19 December 2007Occurred: 30 September 2007
Classifications:
- Attack Method: Unknown
- Country: Germany
- Outcome: Leakage of Information
- Vertical: Retail
An unidentified group had stolen credit card numbers and billing addresses of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.
References:
Reported: 19 December 2007Occurred: 27 October 2007
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Insufficient Authentication
- Attack Method: SQL Injection
- Country: UK
- Outcome: Downtime
- Software: WordPress
- Vertical: Education
This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature reach and free. It enables us access to tools available to a few only a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good
examples of very popular open source systems that require constant
attention in order to maintain secure.
I am sure that the guys at Light Blue Touchpaper have the
expertise to protect their WordPress installation, but they
don’t have the time. They made the compromise between ease of
management of their web site and its security. Actually my personal blog might be
just as vulnerable, since as I write this I am very much not paying
attention to its security.
Apart from, or actually because of the fact that the
victims are security experts, this story is noteworthy due to two
additional twists in the plot:
- Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
- The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.
References:
Reported: 19 December 2007Occurred: 26 November 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Link Spam
- Software: WordPress
- Vertical: Politics
Whether comment spam by itself is an application failure or a necessary evil for site allowing rich comments is an open question. However it is reported that in this case vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages and not just abuse comments.
References:
Reported: 19 December 2007Occurred: 19 December 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Worm
- Vertical: Internet
A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.
References:
Reported: 19 December 2007Occurred: 01 December 2007
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Canada
- Outcome: Disclosure Only
- Vertical: Government
The Web site of the Canadian passports authority enables users to access others' record by modifying a value of a parameter in the URI.
References:
Reported: 19 December 2007Occurred: 28 June 2007
Classifications:
- Attack Method: Insufficient Anti-automation
- Country: USA
- Country: Canada
- Vertical: Internet
Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from using valuable resources, such an automated access may breach the site's usage license of public information and might also indicate unlawful activity such as using a botnet. Many times it is hard to know if such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler. Going forward we are going to add such incidents to WHID if there is a reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a law suit implies that there is fire behind the smoke.
References:
Reported: 19 December 2007Occurred: 17 December 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: UK
- Outcome: Link Spam
- Software: WordPress
- Vertical: Media
In an incident very similar to the Al Gore Hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.
References:
Reported: 19 December 2007Occurred: 14 December 2007
Classifications:
- Attack Method: Unknown
- Country: France
- Country: Libya
- Outcome: Planting of Malware
- Vertical: Government
To iframe or not to iframe, this is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising and WHID is not the right place to list all of them. We currently report such incidents if the hacked site is of interest or if the attack method is known.
References:
Reported: 19 December 2007Occurred: 01 December 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.
References:
Reported: 21 November 2007Occurred: 20 November 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Planting of Malware
- Vertical: Internet
A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.
References:
Reported: 20 November 2007Occurred: 01 March 2005
Classifications:
- Attack Method: Abuse of Functionality
- Country: USA
- Outcome: Monetary Loss
A woman exploited a bug in QVC shopping network web site to get, without paying, more than 1800 items worth $412,000 items from the March to November 2005. The glitch enabled her to cancel orders she placed at a specific time and still get the product.
References:
Reported: 07 November 2007Occurred: 18 September 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Media
Vertical Web Media, publisher of Internet Retailer magazine, suffered a security http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_server/breach and credit card information of readers had been stolen. The Irony is that Internet Retailed magazine is covering the risks of e-commerce. While the actual technique used is not known, signs are that it was a web hack as it was done by a distributed network of bots all over the world and since the information stolen belonged to customers who paid online. The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The number of records stolen is unknown.
References:
Reported: 07 November 2007Occurred: 11 September 2007
Classifications:
- Attack Method: Unknown
- Country: New Zealand
- Outcome: Information Warfare
- Outcome: Leakage of Information
- Vertical: Government
An attack on New Zealand government web sites required New Zealand Prime Minister, Helen Clark to comment and ensure the public that no confidential information was stolen. However official sources in New Zealand confirm attacks were carried out by unnamed, but known, foreign governments on New Zealand government web site that resulted in stealing of information.
References:
Reported: 07 November 2007Occurred: 23 September 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Disclosure Only
- Vertical: Retail
A small XSS vulnerably caught RSnake eyes. What makes it different, after all xssed.com lists thousands and thousands of those? What caught RSnames eyes was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.
References:
Reported: 07 November 2007Occurred: 03 October 2007
Classifications:
- Attack Method: unknown
- Country: China
- Outcome: Planting Of Malware
- Vertical: Media
Defacement are a dime a dozen this days, and are not normally reported by WHID. Even invisible defacements in which sites are changed in order to infect their clients with malicious code are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in the light of the hot debate about china as the source of all hacking, we think that this story has a value.
References:
Reported: 07 November 2007Occurred: 17 September 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: UK
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
An Excel spreadsheet was published on containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 offices and the home addresses of 74 offices. As a result identities of 3 offices where stolen.
While the information was pulled of line after a short period of time, it remained in the cache of several major search engines.
References:
Reported: 07 November 2007Occurred: 02 November 2007
Classifications:
- Attack Method: Redirection
- Country: Global
- Outcome: Phishing
- Vertical: Internet
While most WHID entries are about web
site breaches, sometimes vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. It allows them
to include a honest looking URL in their e-mail, this way bypassing
spam filters and observant users.
Symantec response team found actively
used alternative in the best known page on the internet: Google primary search page. By using the Google famous "I feel lucky" feature, the spammer can automatically lead the victim to
the first result of a search. All the spammer is left with is finding a
query for which his site would pop up first on Google.
This method has another advantage over a redirection page,
as the final target is specified by a search string and not by a URL,
bypassing smarter filters that know, or learn, that a URL as a parameter of a URL is most probably redirection.
References:
Reported: 05 November 2007Occurred: 05 November 2007
Classifications:
- Attack Method: Denial of Service
- Country: Australia
- Outcome: Loss of Sales
- Vertical: Retail
Seems that the there is a new trend to disrupt on line bidding using denial of service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before the end as the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.
References:
Reported: 04 November 2007Occurred: 30 September 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Leakage of Information
- Vertical: Retail
The web servers of Scarborough & Tweed, a company that does business online selling corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.
References:
Reported: 29 October 2007Occurred: 28 October 2007
Classifications:
- Attack Method: Unknown
- Country: Global
- Outcome: Leakage of Information
- Vertical: Retail
A hacker gained access to names and encrypted credit card numbers of Arts.com. While the reason is not known, since the information is known to belong to online shoppers who made transactions from July to September we assume it was a web site breach.
References:
Reported: 25 October 2007Occurred: 01 November 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Following a software upgrade, Cahoot, a UK based Internet only bank allowed accessing user accounts by guessing their user names. At least on one page allowed accessing an account by only specifying the user name in the URL. The bug was open for 12 days before being discovered.
The site was taken off line for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where vulnerability was serious enough to force the organization to just take the site off line until it is fixed.
We somehow missed this story so it finds its way to WHID only now in late 2007.
References:
Reported: 25 October 2007Occurred: 23 October 2007
Classifications:
- Attack Method: Denial of Service
- Country: USA
- Outcome: Loss of Sales
- Vertical: Sports
The site of the Rockies was taken down by a denial of service preventing fans from buying tickets for the World Series games.
Like any DDoS attack, it is very hard to know if it was an application layer or network layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserve a place in WHID.
References:
Reported: 17 October 2007Occurred: 09 October 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Information including birth date and social security number of 1400 students who enrolled online to the Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online where affected points to a web site breach.
References:
Reported: 12 October 2007Occurred: 10 October 2007
Classifications:
- Attack Method: SQL Injection
- Country: USA
- Outcome: Leakage of Information
- Vertical: Finance
3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and based on further information, it might be withdrawn.
References:
Reported: 11 October 2007Occurred: 02 October 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.
References:
Reported: 10 October 2007Occurred: 09 October 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Australia
- Outcome: Defacement
- Vertical: Politics
Using XSS on the sites of both Australian major political parties a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
References:
Reported: 10 October 2007Occurred: 06 October 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Loss of Sales
- Vertical: Retail
A hacker exploited a leftover admin function on eBay to block users and close sales.
References:
Reported: 03 September 2007Occurred: 29 August 2007
Classifications:
- Attack Method: Unknown
- Country: Spain
- Outcome: Defacement
- Vertical: Government
Yet another defacement, and as usual in the political arena.
However, this one is worth a note as the attack is very targeted, while
usually such political defacements are carried quote randomly against
sites loosely related to the opponent and usually has little to do with
the actual message the attackers want to convey. In this case the
defacement seems to be a direct response to the hot debate about
housing prices in Spain.
References:
Reported: 03 September 2007Occurred: 02 September 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Planting of Malware
- Vertical: Finance
This very serious hacking incident provides insight into a lot
of the failures information security in general and web application
security particularly beyond the simple fact that the web site of the
largest state owned bank in India was invisibly defaced with Trojan
inflicting code.
Firstly, the entire discussion in the references is about the
Trojan payload, with no word about the vulnerability that led to the
defacement. Actually a reviewer on the SiteAdvisor report gives the
green mark to the web site after the Trojan is removed, without
requiring any information about the actual problem.
Secondly, most trust systems, including SiteAdvisor,
completely fail to detect the breach. Which makes me think about those
trust models: they check that the site was not breached, while they
should check that the site is not vulnerable. I guess the reason is
that their primary goal is to detect intentionally malicious sites and
not breaches is normative sites, but others use them to assess the
level of security of the later.
References:
Reported: 02 September 2007Occurred: 29 August 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: New Zealand
- Country: New Zealand
- Outcome: Defacement
- Vertical: Media
Still defacement but this time with a twist. This was a genuine XSS rewriting attack, and was carried out by well known people as a stunt. No information is provided on how the XSS vector found its way to the victim computers.
References:
Reported: 02 September 2007Occurred: 20 August 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: USA
- Outcome: Defacement
- Vertical: Government
Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem and that it is a problem mainly at government sites across the world.
References:
Reported: 30 August 2007Occurred: 24 July 2007
Classifications:
- Attack Method: Unknown
- Country: Peru
- Outcome: Defacement
- Vertical: Politics
Defacements seem to start dominating this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major goal of attacking: politics and international affairs.
As a side note, this incident is also interesting because it was repeated after discovered and presumably fixed, which goes a long way to show how much effort there is in protecting web sites and how difficult it cab be.
References:
Reported: 30 August 2007Occurred: 07 August 2007
Classifications:
- Attack Method: SQL Injection
- Attack Method: OS Commanding
- Vertical: Technology
This gem is very interesting since it happened on Gentoo servers. It therefore combines transparency into the incident that only an open source project can offer with the importance and resource of a large one. As a result we have a detailed report about the vulnerability, exploit attempts and event people shouting at each other during the patching process.
What can we learn from this? That no server is secure, and that patching is hard.
References:
Reported: 14 August 2007Occurred: 31 December 2005
Classifications:
While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which unless the incident itself is overrated in the media, is a very bad sign on how courts view computer crime.
References:
Reported: 13 August 2007Occurred: 12 August 2007
Classifications:
- Attack Method: SQL Injection
- Country: United Nations
- Outcome: Defacement
- Vertical: Government
Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.
The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique, and the referenced article has all the details
References:
Reported: 12 August 2007Occurred: 01 August 2007
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: OS Commanding
- Country: Germany
- Outcome: Downtime
- Software: Confixx
- Vertical: Service Providers
A command injection vulnerability at 1&1, a large German hosting provider, lead to denial of service and possible home page modification at 30 servers and up to 1700 web sites.
References:
Reported: 30 July 2007Occurred: 25 July 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Leakage of Information
- Vertical: Health
In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.
References:
Reported: 25 July 2007Occurred: 23 July 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Media
Fox News left non public files on a directory accessible to everyone on their web server.
References:
Reported: 22 July 2007Occurred: 20 July 2007
Classifications:
- Attack Method: Unknown
- Country: Thailand
- Outcome: Defacement
- Vertical: Government
While defacements are usually not the bread and butter of this database, when it hits an important government site, especially of a ministry in charge of information technology, it is worth mentioning it.
References:
Reported: 01 July 2007Occurred: 17 May 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Germany
- Outcome: Disclosure Only
- Vertical: Finance
I seldom add disclosures anymore to WHID, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.
References:
Reported: 01 July 2007Occurred: 15 June 2007
Classifications:
- Attack Method: Unknown
- Outcome: Leakage of Information
Somebody snitched names, social security number and birth dates of approximately 1500 students at the vet school of UC Davis. Indication is that the web application used by the students was as fault. The school's web site described the incident as a result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?
References:
Reported: 01 July 2007Occurred: 27 June 2007
Classifications:
- Attack Method: SQL Injection
- Country: UK
- Outcome: Defacement
- Vertical: Technology
Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.
References:
Reported: 26 June 2007Occurred: 22 June 2007
Classifications:
- Attack Method: Unknown
- Country: Belgium
- Outcome: Defacement
- Vertical: Security & Law Enforcement
As you may know, defacement usually do not find their way to WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I though it is worth including.
References:
Reported: 17 June 2007Occurred: 13 June 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: Jamaica
- Country: USA
- Outcome: Deceit
- Vertical: Government
If you live in a country from which you need a Visa to get to the states, you knew this would happen. The US online Visa appointment system is very open. Indeed too open. Someone in Jamaica took advantage of this to pre-allocate appointments.
While this might be classified as a business process design flaw, isn't security also about this?
References:
Reported: 12 June 2007Occurred: 19 April 2007
Classifications:
- Attack Method: Unknown
- Country: USA
- Outcome: Leakage of Information
- Vertical: Education
An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April of 2007. Approximately 5700 records where stolen in 54 distinct break-ins.
References:
Reported: 12 June 2007Occurred: 03 June 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: USA
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of the US intelligence. Interestingly the not all the required information appears in the document, but combined with other pieces of information made available prior, the total number can be calculated.
This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.
References:
Reported: 12 June 2007Occurred: 10 June 2007
Classifications:
- Attack Method: Unknown
- Country: India
- Outcome: Defacement
- Vertical: Government
The web site of the chief minister of Kerala (an Indian State) was hacked and defaced. The local police has contacted the Interpol to help in finding who is behind the web site hacking.
References:
Reported: 12 June 2007
Occurred: 11 June 2007
| |
