GoFuckYourself.com - Adult Webmaster Forum
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed.
Old 05-21-2012, 07:58 PM   #1
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
WHMCS Billing system database compromised

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.


To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.


As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.


This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.


We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.


----
WHMCS Limited
www.whmcs.com
Old 05-21-2012, 08:01 PM   #2
Just Alex
Liv Benson to You, Bitch
Join Date: Aug 2007
Location: Maryland and WV
Posts: 6,060
And why are they keeping CC numbers on their server? Aren't they supposed to keep those with their merchant?
Old 05-21-2012, 08:05 PM   #3
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
Quote:
Originally Posted by Just Alex View Post
And why are they keeping CC numbers on their server? Aren't they supposed to keep those with their merchant?
Anxiety guy, capable of leaping to the worst possible conclusion at a single bound. They would have name, type of card, security code, exp date and last 4 digits. Makes it a lot easier to brute force.
Old 05-21-2012, 08:08 PM   #4
Just Alex
Liv Benson to You, Bitch
Join Date: Aug 2007
Location: Maryland and WV
Posts: 6,060
Quote:
Originally Posted by baddog View Post
Anxiety guy, capable of leaping to the worst possible conclusion at a single bound. They would have name, type of card, security code, exp date and last 4 digits. Makes it a lot easier to brute force.
Brute force what? 8 numbers in the middle?
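Posts #3 and #4 disagree over what "brute force" could mean when a record holds only the card brand, expiry, security code and last four digits. The arithmetic is worked out below as an added example (not code from this thread or from WHMCS): a Luhn checker, an enumerator of every valid PAN that fits a known prefix and known last four, and the closed-form size of what is left to guess. The number 4111 1111 1111 1111 is the standard Visa test PAN, used here as constructed sample data; the prefixes and lengths are assumptions for the illustration.

```python
import itertools

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_pans(prefix: str, last4: str, length: int = 16):
    """Yield every Luhn-valid PAN of `length` digits that starts with `prefix`
    and ends with `last4`; the digits in between are enumerated exhaustively."""
    unknown = length - len(prefix) - len(last4)
    if unknown < 0:
        raise ValueError("prefix and last4 are longer than the PAN")
    for middle in itertools.product(DIGITS, repeat=unknown):
        pan = prefix + "".join(middle) + last4
        if luhn_valid(pan):
            yield pan


def search_space(known_digits: int, length: int = 16) -> int:
    """Number of Luhn-valid PANs consistent with `known_digits` fixed
    positions. Every unknown digit is a free choice except one, which the
    checksum pins down (both the plain and the doubled-digit map are
    permutations of 0..9), hence 10 ** (unknown - 1)."""
    unknown = length - known_digits
    if unknown <= 0:
        return 1                # nothing left to guess
    return 10 ** (unknown - 1)


def leaked_record_scenarios() -> dict:
    """Search space left by what a billing record typically retains
    (brand + last 4) versus what a leaked BIN would add. Assumed scenarios."""
    return {
        # Card brand fixes the first digit (Visa = 4), plus the last 4 digits.
        "brand + last4": search_space(1 + 4),
        # A 6-digit BIN (first six digits) plus the last 4.
        "6-digit BIN + last4": search_space(6 + 4),
        # An 8-digit BIN plus the last 4.
        "8-digit BIN + last4": search_space(8 + 4),
    }


if __name__ == "__main__":
    for label, n in leaked_record_scenarios().items():
        print(f"{label:22s} -> {n:,} Luhn-valid candidates")
    # Small enough to enumerate and watch: 8 known digits in front, last 4 known.
    small = list(candidate_pans("41111111", "1111"))
    print(len(small), "candidates for 8-digit BIN + last4; test PAN included:",
          "4111111111111111" in small)
```

Expiry, cardholder name and the security code do not shrink the PAN search space at all; only leading digits do. With the brand (first digit) and last four known, 11 digits are free and the checksum pins one of them, leaving 10^10 valid candidates; a leaked 6-digit BIN cuts that to 10^5, and every candidate still has to be tested with an authorization attempt against an issuer or processor that counts and blocks declines.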
Old 05-21-2012, 08:17 PM   #5
raymor
Confirmed User
Join Date: Oct 2002
Posts: 3,745
baddog, props for full disclosure.


Quote:
Originally Posted by Just Alex View Post
And why are they keeping CC numbers on their server? Aren't they supposed to keep those with their merchant?
Or on a firewalled INTRANET machine with a trap door. Baddog, we may be able to assist your people with setting this up in a way that is both secure and convenient to use. One major trick is to FEDERATE the database to the CC module, except for the CC table. In that way, the billing module sees the whole database and the support module sees everything but the CC table. That is, the internal server can see the part of the database that's on the web server, but the public web server can't see the sensitive data; it's a one-way door.

Your brief post also indicated at least one other specific vulnerability, with a specific fix that should be done. I won't post details here.

Sure there was a social engineering component, and there were a couple of architecture problems that turned that attack into something much more serious than it should have been. ONLY tickets should have been exposed by a successful attack, not login passwords, CC info, etc. You don't need to, and aren't supposed to by PCI, store ANY track information on a public web server.

Last edited by raymor; 05-21-2012 at 08:20 PM..
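The federated layout in the post above (billing sees everything, the support side sees everything but the card table) comes down to a policy enforced by the database itself, which a compromised web-tier credential cannot talk its way around. What follows is an added example, not WHMCS's or raymor's code: it uses SQLite's authorizer hook as a stand-in for the per-user GRANTs you would write on a MySQL or PostgreSQL server, the schema and rows are constructed, and the names `cards`, `support` and `billing` are assumptions for the illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample schema standing in for a billing database: the public
# support side needs clients and tickets; only the billing side needs cards.
SCHEMA = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE tickets (id INTEGER PRIMARY KEY, client_id INTEGER, body TEXT);
CREATE TABLE cards   (client_id INTEGER, pan TEXT, expiry TEXT);
INSERT INTO clients VALUES (1, 'alice', 'alice@example.com');
INSERT INTO tickets VALUES (1, 1, 'Please reset my FTP password');
INSERT INTO cards   VALUES (1, '4111111111111111', '12/14');
"""

# Tables the public-facing credential must never be able to read (assumed name).
SENSITIVE_TABLES = {"cards"}


def build_db() -> str:
    """Create the sample database in a temp file and return its path. A file
    rather than ':memory:' so that two independent connections, one per
    credential, can open it (each connection carries its own policy)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.close()
    return path


def authorizer_for(role: str):
    """Build the policy SQLite consults for every table/column access while
    compiling a statement: 'support' is refused reads of sensitive tables,
    'billing' is unrestricted, everything else is allowed for both."""
    def authorizer(action, table, column, db_name, trigger_or_view):
        if (role == "support"
                and action == sqlite3.SQLITE_READ
                and table in SENSITIVE_TABLES):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    return authorizer


def connect_as(role: str, path: str) -> sqlite3.Connection:
    """Open a connection whose statements are all vetted by `role`'s policy."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(authorizer_for(role))
    return conn


def query(conn: sqlite3.Connection, sql: str):
    """Run sql on conn. Returns (allowed, rows); allowed is False when the
    policy refused the statement (SQLite reports 'not authorized')."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return False, []


def readable_tables(conn: sqlite3.Connection) -> list:
    """Everything a compromise of this connection's credential would expose."""
    _, rows = query(conn, "SELECT name FROM sqlite_master "
                          "WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows
            if query(conn, f"SELECT * FROM {name} LIMIT 1")[0]]


if __name__ == "__main__":
    db = build_db()
    for role in ("support", "billing"):
        print(f"{role:8s} can read: {readable_tables(connect_as(role, db))}")
    os.remove(db)
```

Because the authorizer runs when a statement is compiled, joins and subqueries that touch `cards` are refused for the support connection too, and the refusal comes from the database rather than from application code an intruder may already control. It only helps when the credential on the public host is the restricted one: whoever obtains that host's own access details, as happened in this incident, reads whatever the host can reach, which is why the post puts the card table on a separate intranet machine rather than merely in a separate table.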
Old 05-21-2012, 08:31 PM   #6
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
Quote:
Originally Posted by raymor View Post
baddog, props for full disclosure.

Or on a firewalled INTRANET machine with a trap door. Baddog, we may be able to assist your people with setting this up in a way that is both secure and convenient to use. One major trick is to FEDERATE the database to the CC module, except for the CC table. In that way, the billing module sees the whole database and the support module sees everything but the CC table. That is, the internal server can see the part of the database that's on the web server, but the public web server can't see the sensitive data; it's a one-way door.

Your brief post also indicated at least one other specific vulnerability, with a specific fix that should be done. I won't post details here.

Sure there was a social engineering component, and there were a couple of architecture problems that turned that attack into something much more serious than it should have been. ONLY tickets should have been exposed by a successful attack, not login passwords, CC info, etc. You don't need to, and aren't supposed to by PCI, store ANY track information on a public web server.
Thanks, I wish I owned WHMCS, but alas I do not. Was just passing along info we just received. Figured there were others here that may have missed it. We are changing our passwords just to be sure.

You would probably be a good one to ask, what do they mean that it was done via social engineering?
Old 05-21-2012, 08:43 PM   #7
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
They aren't talking about phishing are they? Like they responded to one that screwed us all?
Old 05-21-2012, 09:02 PM   #8
BareBacked
Confirmed User
Join Date: Feb 2007
Location: www.BareBacked.com
Posts: 3,685
Quote:
Originally Posted by baddog View Post
They aren't talking about phishing are they? Like they responded to one that screwed us all?
Could be phishing
http://en.wikipedia.org/wiki/Social_...%28security%29
__________________
NEW SITE PAYING $30 for a $1 TRIAL

Selfies
Old 05-21-2012, 09:03 PM   #9
BareBacked
Confirmed User
Join Date: Feb 2007
Location: www.BareBacked.com
Posts: 3,685
Following an initial investigation I can report that what occurred today was the result of a social engineering attack.

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.
Old 05-21-2012, 09:13 PM   #10
raymor
Confirmed User
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by baddog View Post
They aren't talking about phishing are they? Like they responded to one that screwed us all?
Spear phishing is a good example of social engineering, which generally means fooling humans. The most commonly used example is probably calling and pretending to be part of the same company, saying "this is Fred from the Omaha office". Typically the caller has an urgent problem that is a big deal for the boss. Perhaps the boss is about to give a big presentation and his laptop with the presentation on it just died, so he needs remote access to his desktop NOW.

Another example would be if I called your web hosting company pretending to be you. I would call at 2AM, when their boss isn't there, just the new guy working the shit shift. I'd claim (or cause) a server down and ask for a KVM to be put on it immediately. That KVM would let me boot into special rescue modes where passwords aren't required.

But yeah, phishing would be the most simplistic form of social engineering, social engineering for morons.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
Old 05-21-2012, 09:16 PM   #11
directfiesta
Too lazy to set a custom title
Join Date: Oct 2002
Location: Punta Cana, DR
Posts: 29,591
password changed ... everything looked normal .
__________________
I know that Asspimple is stoopid ... As he says, it is a FACT !

But I can't figure out how he can breathe or type , at the same time ....
Old 05-21-2012, 09:25 PM   #12
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
Quote:
Originally Posted by raymor View Post
Spear phishing is a good example of social engineering, which generally means fooling humans. The most commonly used example is probably calling and pretending to be part of the same company, saying "this is Fred from the Omaha office". Typically the caller has an urgent problem that is a big deal for the boss. Perhaps the boss is about to give a big presentation and his laptop with the presentation on it just died, so he needs remote access to his desktop NOW.

Another example would be if I called your web hosting company pretending to be you. I would call at 2AM, when their boss isn't there, just the new guy working the shit shift. I'd claim (or cause) a server down and ask for a KVM to be put on it immediately. That KVM would let me boot into special rescue modes where passwords aren't required.

But yeah, phishing would be the most simplistic form of social engineering, social engineering for morons.
That is precisely why some things will just not be done by phone. And if what Bareback posted is true; wow.

Quote:
Originally Posted by directfiesta View Post
password changed ... everything looked normal .
Safety first. Wonder how the person was able to answer the security questions properly; must know him.
Old 05-21-2012, 09:32 PM   #13
anexsia
Confirmed User
Join Date: May 2010
Posts: 5,735
Quote:
Originally Posted by baddog View Post
That is precisely why some things will just not be done by phone. And if what Bareback posted is true; wow.
What he posted is right on WHMCS's website/blog
Old 05-21-2012, 10:03 PM   #14
anexsia
Confirmed User
Join Date: May 2010
Posts: 5,735
Looks like they took over their twitter account as well? http://twitter.com/#!/whmcs/status/204596829042638848 jesus.
Old 05-21-2012, 10:07 PM   #15
raymor
Confirmed User
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by baddog View Post
Safety first. Wonder how the person was able to answer the security questions properly; must know him.
Or found him on Facebook. Which high school attended? It's on Facebook. Pet's name? On Facebook. Favorite sports team? Also on Facebook.
Old 05-21-2012, 10:13 PM   #16
k0nr4d
Confirmed User
Join Date: Aug 2006
Location: Poland
Posts: 9,228
Quote:
Originally Posted by baddog View Post
You would probably be a good one to ask, what do they mean that it was done via social engineering?
Could have been something as simple as someone phoning pretending to be their webhost, saying something is wrong with the server, the password they have on file doesn't work and they don't want to reset it if they can avoid it.
Old 05-22-2012, 12:29 AM   #17
NETbilling
Confirmed User
Join Date: Jan 2002
Location: Huntington Beach, CA
Posts: 8,582
Lloyd,

We are happy to help WHMCS setup through our gateway under our PCI certification which will ease the burden of them having to store any credit card data.

Let me know if you/they are interested.

Mitch
__________________
Mitch Farber
CEO - NETbilling, Inc.
Email / Phone: 888-357-8166 / 661-252-2456
Transaction processing & 24/7 call center services with exceptional rates and flexibility, since 1998!
Old 05-22-2012, 12:41 AM   #18
lucas131
¯\_(ツ)_/¯
Join Date: Aug 2004
Posts: 11,475
social engineering? it is a new wording for "our admin used the same password for master billing account and also for some social crap"? congrats lol but good they said it at least, one of few
Old 05-22-2012, 12:48 AM   #19
anexsia
Confirmed User
Join Date: May 2010
Posts: 5,735
Quote:
Originally Posted by k0nr4d View Post
Could have been somethign as simple as someone phoning pretending to be their webhost saying something is wrong with the server, the password they have on file doesn't work and they don't want to reset it if they can avoid it.
Yeah, they're saying it was someone that compromised their email and pretended to be them, who then contacted their host (Host Gator) and went from there... there's a long thread going on about it at WHT... this isn't the first time WHMCS has gotten hacked either....

-edit- and data has been leaked and does include credit card information according to some people...that sucks

Last edited by anexsia; 05-22-2012 at 12:51 AM..
Old 05-22-2012, 01:08 AM   #20
EddyTheDog
Just Doing My Own Thing
Join Date: Jan 2011
Location: London, Spain, New Zealand, GFY - Not Croydon...
Posts: 25,064
There appears to be a lot of confusion in this thread!!
Old 05-22-2012, 02:42 AM   #21
Adraco
Confirmed User
Join Date: May 2009
Location: Onboard an airplane around the globe
Posts: 3,735
Social engineering, send a pretty girl and some alcohol and people (insecure guys who want to brag) will start talking. And if the girl is any good at pretending to be interested, he will show her, login and try to show off.

Easiest thing in the world.

Or if you need an access code to a locked part of the building, to open a door, easy peasy to just hang out by the digit pad and pretend to be on the phone walking up or down and then "just happen" to glare over when the access code is punched by someone. Or pretend to be from AT&T to get into almost any building, just claim there was an error report called in about their phone system and that you're here to take a look. Won't get you into any secure parts of the building but will certainly get you through the door!
__________________
----------------------------------------------------------------------------------
The truth is not affected by the beliefs, or doubts, of the majority.
Old 05-22-2012, 06:51 AM   #22
DamianJ
Too lazy to set a custom title
Join Date: Jul 2006
Location: A magical land
Posts: 15,808
Quote:
Originally Posted by baddog View Post
That is precisely why some things will just not be done by phone. And if what Bareback posted is true; wow.



Safety first. Wonder how the person was able to answer the security questions properly; must know him.
All of that personal information is on the web. Shared willingly.

Surprised you are unaware of social engineering. Kevin Mitnick was asked if a computer locked in a safe offline was the safest place to put it. He replied no, he'd just ring up, get someone to open the safe and turn it on for him.

The best one he did before he turned whitehat was to go into an office and 'accidentally' drop a floppy disc with salaries.xls written on it. SOMEONE would find it, and they would, out of curiosity, put it in their PC. Bingo. He was then in.

Nowadays hardly anyone does brute force attacks. It's so much easier just to ask people to tell you the information.

A survey showed that 70% of people would give up their passwords in return for a bar of chocolate. http://www.techrepublic.com/blog/sec...-near-you/5368

Fascinating.
Old 05-22-2012, 07:01 AM   #23
candyflip
Carpe Visio
Join Date: Jul 2002
Location: New York
Posts: 43,061
Quote:
Originally Posted by baddog View Post
what do they mean that it was done via social engineering?
Pretty much guessing passwords or convincing someone to give up a bit of info that makes it easier for them to obtain the password.

Phishing.
__________________

Spend you some brain.
Old 05-22-2012, 08:16 AM   #24
raymor
Confirmed User
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by Adraco View Post
Or if you need an access code to a locked part of the building, to open a door, easy peasy to just hang out by the digit pad and pretend to be on the phone walking up or down and then "just happen" to glare over when the access code is punched by someone.
Put a little baby powder (or plain dirt) on the keypad first and with a glance you only need to see if they start by pressing the buttons near the top or the ones near the bottom. I once rescued some servers from the old Alphared / Acronoc datacenter after the operators fled, leaving everyone's servers locked inside. Not saying HOW I got into the building, just that I did.
©2000-, AI Media Network Inc
Powered by vBulletin
Copyright © 2000- Jelsoft Enterprises Limited.