WHMCS victim of social engineering; over 500,000 client records stolen, deleted from server, and dumped publicly

Why hack when you can socially engineer employees into giving you the keys to the kingdom?

Client management billing platform WHMCS reports that hacker group UGNazi successfully socially engineered their web hosting firm into providing the hackers with admin credentials. The hackers then proceeded to acquire their data, delete it, and dump it.

The attack took place yesterday, and within hours, WHMCS had reported the problem on their blog. Later in the day, developer Matt Pugh posted an update:

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

According to John Leyden of The Register:

UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.

In an email to their clients today, WHMCS wrote:

Date: 22 May 2012 01:40:03 GMT-03:00
To: XXXxxx
Subject: Urgent Security Alert – Please Do Not Ignore

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

WHMCS Limited

But UGNazi was not done interfering with WHMCS’s business. In an update to their blog today, Matt writes:

Right now to compound matters, we are experiencing a large scale DDOS attack, which started at around 1am last night, and continues to this moment, so accessing the site may be intermittent for the time being due to the protection hardware that has been put in place for that.

According to Ted Samson of InfoWorld, client passwords:

were stored in a hash format, and the credit card information was encrypted — but evidently not PCI-compliant, a point raised by WHMCS clients on the company’s forum. “Any support ticket content may be at risk — so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, [so] we recommend changing them now,” Pugh cautioned.

Reportedly, WHMCS lost the previous 17 hours’ worth of support tickets and new orders from the attack.

There has been no statement from the hosting firm.

Update: There has reportedly been an arrest in the case.

About the author: Dissent

One comment:
  1. IA Eng - May 23, 2012

    I saw a post on ISC.sans.org a long time ago – may have been about Palin's Yahoo account being broken into. You do NOT need to answer the challenge questions with the so-called correct answer. There is no reason for it. As long as YOU know the correct answer is all that matters.

    PayPal is the way out for most corporations – but that isn't enough. They offer more options so there is a better chance they will get the cash. So, with those avenues the data is stored and often not encrypted.

    Businesses are into making money and slicing away at the security to save cash. They also lean heavily on the fact they have an insurance-type plan that supposedly protects them from some harm. Falling back on that insurance – or being able to claim this as a loss IF it is deemed their fault – is their scapegoat. They ride the gravy train until it crashes into something, and then make amends to correct it and see if it will ride again for a long time.

    It just proves that people are gullible. It's an easy way out to just give data away rather than double-checking the caller ID and doing a callback of a number on file, or having software that can shoot the person an email with a confirmation code that they can read back to the rep. Security takes additional steps in any environment. It's nuts: they are willing to jump through a wide variety of security hoops at airports, and accept them – but when it comes to using security software and making the necessary setup and adjustments from time to time, it is either beyond their comprehension or just a lack of due diligence.
