NullCrew attack on Bell Canada was SQL injection and Bell knew weeks ago – NullCrew (update 2)

NullCrew has responded to Bell’s claim that it was a third-party supplier who got hacked by providing DataBreaches.net with more details about the hack and their conversations with Bell alerting them to the breach.

In an interview today, NullCrew revealed that they had access to Bell’s server for months, and had disclosed that to them in a chat with Bell Support weeks ago. A screenshot of the chat between NullCrew and Bell Support employee “Derek” shows that NullCrew was informing Bell that they were in possession of users’ information:

Bell_chat

 

NullCrew states they actually gave them the vulnerable url and details, but got nowhere with them.

I informed them they didn’t have much time, and the world would soon see their failure…. Their response was exactly what you see in their article, bullshit. “Bell Internet is a secure service.” They did not even say they would look into it, they did not try and assess the exploit.. it was up, for two weeks. And only taken down after we released our data.

NullCrew informs DataBreaches.net that the attack was by POST SQL injection.  The vulnerable url was Bell’s protection management login page: https://protectionmanagement.bell.ca/passwordrecovery_1.asp. Bell’s protectionmanagement subdomain is currently unavailable.

As proof, NullCrew provided DataBreaches.net with screenshots taken at the time (all screenshots in this article are copies of the screenshots provided to this site):

Bell_exploit1

 

Bell_exploit2

So what is Bell talking about in their statement where they claim they were not hacked but a third party supplier’s system was? The screenshots support NullCrew’s claim that it was Bell’s server that was successfully attacked. Bell has not yet responded to an email inquiry sent by DataBreaches.net asking if the third party supplier they mention would come forward and confirm their statement or if Bell would name the third party.

Right now, then, it appears that customers may have good reason to question Bell’s version of the breach.  “Who are you going to believe, companies, corporations, big brother? Or the people who fight against this system?” NullCrew asks. [See update below post for Bell’s response – Dissent]

And other big corporations may want to take note that the Bell attack may just be the beginning. NullCrew wants us all to know:

NullCrew is far from done, we want to make it evident that just because we lurked in the shadows; it does not mean we left. That we are here to stay. Simply put? Stay tuned. #FuckTheSystem is just beginning.

Update 1: Bell Canada was sent a link to this report and asked if they still stand by their statement of this morning. They do:

Yes, we stand by the facts in our release. The posting results from illegal hacking of an Ottawa-based third-party supplier’s information technology system.

Update 2: Adam Caudhill points out that it’s not uncommon to find a subdomain of a large company pointing to a third party. “So it’s quite possible they are telling the truth. They should still take more responsibility for their data though,” Adam tweeted.

A lookup of protectionmanagement.bell.ca resolves to IP 206.191.10.10, which is registered to Magma Communications in Ottawa, a subsidiary of Primus Communications.  Interesting.

About the author: Dissent