WHMCS Billing system database compromised
Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.
To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained. As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.

Regrettably, as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

---- WHMCS Limited www.whmcs.com
And why are they keeping CC numbers on their server? Aren't they supposed to keep those with their merchant?
baddog, props for full disclosure.
Quote:
Your brief post also indicated at least one other specific vulnerability, with a specific fix that should be done. I won't post details here. Sure there was a social engineering component, and there were a couple of architecture problems that turned that attack into something much more serious than it should have been. ONLY tickets should have been exposed by a successful attack, not login passwords, CC info, etc. You don't need to, and aren't supposed to by PCI, store ANY track information on a public web server.
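The architecture point in the post above (tokens at the gateway, nothing card-shaped in the billing database or in ticket text) is easy to state and easy to get wrong at the storage layer. The following is an added example written for this thread, not WHMCS or vBulletin code: a small PAN guard that rejects inserts carrying a Luhn-valid card-like number, redacts such numbers from free-text ticket bodies, and keeps only a gateway token plus display fields for a stored payment method. The gateway response shape, the `tok_...` token, and the sample card number are all constructed for illustration.

```python
"""Keep raw card numbers out of a billing database.

Added example for this thread (not WHMCS or vBulletin code). It models the
arrangement argued for above: the payment gateway holds the card, the billing
app stores only a gateway token plus display fields, and a storage-layer guard
refuses or redacts anything that looks like a full PAN. All identifiers and
sample values here are constructed for illustration.
"""
import re
from dataclasses import asdict, dataclass

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.  This is only a candidate; Luhn decides.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card issuers; a cheap false-positive filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _pan_matches(text: str):
    """Yield regex matches whose digits pass Luhn."""
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            yield m


def contains_pan(text: str) -> bool:
    """True if text carries a Luhn-valid 13-19 digit card-like number."""
    return next(_pan_matches(text), None) is not None


def redact_pans(text: str) -> str:
    """Replace Luhn-valid card-like numbers (e.g. pasted into a ticket)."""
    out, pos = [], 0
    for m in _pan_matches(text):
        out.append(text[pos:m.start()])
        out.append("[PAN REDACTED]")
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)


@dataclass(frozen=True)
class StoredPaymentMethod:
    """The only card-derived fields the billing database keeps."""
    gateway_token: str  # opaque reference only the gateway can resolve
    last4: str          # for display in the client area
    expiry: str         # MM/YY, for display and expiry reminders


def stored_from_gateway(resp: dict) -> StoredPaymentMethod:
    """Build the record from a (hypothetical) gateway tokenization response.

    The full card number travels browser-to-gateway and never reaches this code.
    """
    last4 = resp["last4"]
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return StoredPaymentMethod(resp["token"], last4, resp["expiry"])


class BillingDb:
    """Toy in-memory table store with a PAN guard on every insert."""

    def __init__(self):
        self.rows = []

    def insert(self, table: str, row: dict) -> None:
        for col, val in row.items():
            if isinstance(val, str) and contains_pan(val):
                raise ValueError(f"refusing to store a card number in {table}.{col}")
        self.rows.append((table, dict(row)))

    def insert_ticket(self, ticket: dict) -> None:
        """Tickets are free text that customers paste cards into; redact first."""
        cleaned = dict(ticket, body=redact_pans(ticket["body"]))
        self.insert("tickets", cleaned)


if __name__ == "__main__":
    db = BillingDb()
    # Constructed sample: a well-known test-style number, not a real card.
    fake_gateway_resp = {"token": "tok_EXAMPLE_123", "last4": "4242", "expiry": "12/29"}
    db.insert("payment_methods", asdict(stored_from_gateway(fake_gateway_resp)))
    db.insert_ticket({"client_id": 7, "body": "my card 4242 4242 4242 4242 was declined"})
    try:
        db.insert("clients", {"notes": "cc 4242-4242-4242-4242 exp 12/29"})
    except ValueError as e:
        print("guard fired:", e)
    print(db.rows)
```

The guard is a backstop, not the design: the point is that a compromised database then yields tokens that are useless without the gateway account, and ticket text that no longer carries card numbers. Luhn is used to keep order numbers and phone numbers from being flagged; a real deployment would also log guard hits so that a support flow pasting card numbers into tickets can be fixed at the source.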
Quote:
You would probably be a good one to ask: what do they mean that it was done via social engineering?
They aren't talking about phishing, are they? Like they responded to one that screwed us all?
Quote:
http://en.wikipedia.org/wiki/Social_...%28security%29
Following an initial investigation I can report that what occurred today was the result of a social engineering attack.
The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions, and thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details. This means that there was no actual hacking of our server. They were ultimately given the access details.
Quote:
Another example would be if I called your web hosting company pretending to be you. I would call at 2AM, when their boss isn't there, just the new guy working the shit shift. I'd claim (or cause) a server down and ask for a KVM to be put on it immediately. That KVM would let me boot into special rescue modes where passwords aren't required. But yeah, phishing would be the most simplistic form of social engineering, social engineering for morons.
Password changed... everything looked normal.
Looks like they took over their twitter account as well? http://twitter.com/#!/whmcs/status/204596829042638848 jesus.
Lloyd,
We are happy to help WHMCS set up through our gateway under our PCI certification, which will ease the burden of them having to store any credit card data. Let me know if you/they are interested. Mitch
Social engineering? Is it a new wording for "our admin used the same password for the master billing account and also for some social crap"? Congrats lol :1orglaugh But good they said it at least, one of few. :2 cents:
Quote:
-edit- and data has been leaked and does include credit card information according to some people... that sucks :(
There appears to be a lot of confusion in this thread!!
Social engineering, send a pretty girl and some alcohol and people (insecure guys who want to brag) will start talking. And if the girl is any good at pretending to be interested, he will show her, login and try to show off.
Easiest thing in the world. Or if you need an access code to a locked part of the building, to open a door, easy peasy to just hang out by the digit pad and pretend to be on the phone walking up or down and then "just happen" to glare over when the access code is punched by someone. Or pretend to be from AT&T to get into almost any building, just claim there was an error report called in about their phone system and that you're here to take a look. Won't get you into any secure parts of the building but will certainly get you through the door!
Quote:
Surprised you are unaware of social engineering. Kevin Mitnick was asked if a computer locked in a safe offline was the safest place to put it. He replied no, he'd just ring up, get someone to open the safe and turn it on for him. The best one he did before he turned whitehat was to go into an office and 'accidentally' drop a floppy disc with salaries.xls written on it. SOMEONE would find it, and they would, out of curiosity, put it in their PC. Bingo. He was then in. Nowadays hardly anyone does brute force attacks. It's so much easier just to ask people to tell you the information. A survey showed that 70% of people would give up their passwords in return for a bar of chocolate. http://www.techrepublic.com/blog/sec...-near-you/5368 Fascinating.
Quote:
Phishing.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.