The Web Hacking Incidents Database

WHID 2005-65: LexisNexis Data Breach

Sun, 17 Feb 2008 00:00:00 +0000

The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient automation measures and are adding historical incidents.

In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.

As usual in such cases there is a question of whether the attack was a criminal activity, violation of the license agreement of the information provider or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking to Paris Hilton Vodafone account, which was clearly an unlawful act.

Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that the incident was that there was no security failure in the web site, but that the procedures where lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.

WHID 2007-85: IndiaTimes.com Visitors Risk High Exposure To Malware

Sun, 17 Feb 2008 00:00:00 +0000

The web site of a leading Indian newspaper is swamped with malware. A recent survey by WebSense cites by the Register found that of the sites hosing malware, 51% where legitimate sites that have been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally undermining WebSense own web site classification technology as a security solution.

WHID 2008-12: Greek ministry websites hit by hacker intrusion

Sun, 17 Feb 2008 00:00:00 +0000

This is yet another case of defacement of a governmental web site. It is amazing to note it is nearly never the large commercial and financial web sites that are defaced. It is either small mom and dad shops or government and political web sites. Don't you get the feeling the government IT is run like a mom and dad shop? Do you wonder if it is only the IT part that is run that way?

WHID 2007-86: Mac Blogs defaced using XSS

Sun, 17 Feb 2008 00:00:00 +0000

The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS abusing a WordPress zero day bug. Secondly, it is a targeted attack aiming to deface only Mac related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking apple become a political issue? Was Apple transformed into a nation overnight? Well certainly into a cult.

WHID 2008-11: Hacker breaks into Ecuador's presidential website

Tue, 12 Feb 2008 00:00:00 +0000

Was it defaced or not? In this extraordinary incident, a hacker broke to the web site of the Ecuadorian president and said nice things about him. So nice in fact that the presidential office had to apologize in front of the opposition leader. Was it a hack or an over enthusiastic marketing person?

WHID 2008-10: Chinese hacker steals user information on 18 MILLION online shoppers at Auction.co.kr

Tue, 12 Feb 2008 00:00:00 +0000

A Korean e-commerce site was hacked and a staggering number of record, 18 million, where stolen. In the US this would be front news. We don't know if it was front news in Korea, but did not get to the international media.

The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non English incidents! After all, it is not English speakers only that get hacked, but rather us, the WHID maintainers that speak only this language.

WHID 2008-09: Hacking Stage 6

Sun, 10 Feb 2008 00:00:00 +0000

Sensitive information about people who created an account on the site leaked and was published through IRC.

WHID 2007-84: Soccer league's online shoppers get kicked by security breach

Sun, 10 Feb 2008 00:00:00 +0000

It is already February, and we still add 2007 incidents. If you wonder why, it is because organizations such as MLS only now find out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents were stolen from the site.

Why New Hampshire? Because the company has to report to the authorities there about the incidents, but only specify the number of individuals from this state affected. Why only New Hampshire? Since regulations and bills requiring disclosures exist in many states, one would expect that the company would have to provide such a testimonial in many states. This incident is another good example of the size of the hidden part of the iceberg.

WHID 2008-08: Hacker steals Davidson Cos. clients' data

Mon, 04 Feb 2008 00:00:00 +0000

A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm and stole their entire customers' database: 226,000 records including names and social security numbers. Attack method is not known, but it seems very much like a web hack.

WHID 2008-07: Another Free MacWorld Platinum Pass? Yes in 2008!

Mon, 28 Jan 2008 00:00:00 +0000

Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes where hashed but stored on the client browser, Kurt was able to crack them.

WHID 2008-06: Hackers Take Down Pennsylvania Government

Mon, 28 Jan 2008 00:00:00 +0000

You dfon

WHID 2008-05: Drive-by Pharming in the Wild

Mon, 28 Jan 2008 00:00:00 +0000

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to changethe DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.

WHID 2007-83: More Social Security numbers leaked at Montana State University

Mon, 28 Jan 2008 00:00:00 +0000

Again a Microsoft Excel file was left on a University's web site for anyone to view.

WHID 2008-04: RIAA web site cleared

Tue, 22 Jan 2008 00:00:00 +0000

The web site of RIAA, the Recording Industry Association of America was attacked twice using SQL injection over the weekend. First a query that takes particularly long time was posted on a social network web site causing a distributed denial of service attack against the site. Later on hackers found and abused additional SQL injection and XSS vulnerabilities resulting in major defacement of the site.

WHID 2008-03: FTC settles with a retailer for lack of reasonable security

Sat, 19 Jan 2008 00:00:00 +0000

An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".

The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the company requires the company to accept a very comprehensive and costly security procedure going forward.

WHID 2008-02: Italian Bank's XSS Opportunity Seized by Fraudsters

Wed, 09 Jan 2008 00:00:00 +0000

It has been a while since a phishing scam using XSS vulnerability found its way to the Web Hacking Incidents database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed, however most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.

WHID 2007-82: An SQL injection Mass Robot

Tue, 08 Jan 2008 00:00:00 +0000

An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for a name of Chinese sites referred to in malicious code.

As a security practitioner I often see SQL injection bots, and many times when I install ModSecurity, an open source application firewall but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into a malicious code in the hope that it will be fetched and displayed by the application to its users.

A byproduct if this vector is that is that results are catastrophic for the site owners. While in a case of common defacement attacks restoring (or recreating) the homepage is all it required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backup, requires much more expertise, the overall damage of this attack is very high.

WHID 2008-01: Information stolen from geeks.com

Tue, 08 Jan 2008 00:00:00 +0000

Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).

The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they where patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment....

And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.

WHID 2007-75: PlusNet blames itself for webmail spamfest