Slashdot Mirror


UK Cosmetic Retailer Lush Targeted By Hackers

Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"

23 of 109 comments

  1. Oh come on... by samcan · · Score: 3, Interesting

    It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

    1. Re:Oh come on... by rtfa-troll · · Score: 5, Insightful

      A "top notch" IT team will have

      • offline backups
      • the ability to restore quickly
      • the ability to expand capacity quickly
      • the ability to do almost immediate updates*
      • basic forensic ability to work out what's going on

      Sure, your system may be compromised. Sure; the first replacement system may be compromised again. During the compromise of the second you should get enough logs that the third (or at worst fifth time) you come back, all the zero day attacks the attacker is using have gone.

      Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable"

      * at the cost of a short term outage;

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Oh come on... by Elentari · · Score: 2

      This is the forum post from their singular IT team member about the incident: http://img35.imageshack.us/img35/3715/lushpostuk.jpg

    3. Re:Oh come on... by Nick+Ives · · Score: 2

      Not if the "zero day attacks" are in the bespoke code for your website. Then you'd be in the situation of getting whoever wrote your code to sort their mess out, which for a relatively small firm like Lush would probably mean dragging back in whatever lowest bidder contractor they used.

      --
      Nick
    4. Re:Oh come on... by jimicus · · Score: 2

      Lush isn't an IT firm, they're a cosmetics firm.

      I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.

    5. Re:Oh come on... by internewt · · Score: 3, Insightful

      Maybe their admin password was 'password'

      It was worse than that.... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.

      http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk

      Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.

      But lets be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.

      --
      Car analogies break down.
    6. Re:Oh come on... by drinkypoo · · Score: 4, Interesting

      Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.

      My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Oh come on... by catmistake · · Score: 2

      2000 was the best version of Windows that MS ever made

      Still... it's a dubious honor.

      IMHO, Windows Servers have a purpose... to help administrate lots of Windows Desktops with Active Directory, and, of course, Exchange. When running Exchange, you need a couple or three competent administrators, that do nothing else, who are constantly on top of things... because it doesn't run by itself.

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      BAD METAPHOR TIME: Hardcore Microsoft-loyalist Windows Admins saw the movie first, and insist it was better than the book. The rest of us actually appreciate literature.

    8. Re:Oh come on... by jimicus · · Score: 3, Insightful

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      ... perfectly correct, provided the server is administered competently.

      This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.

      And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There's plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.

      I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.

      The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.

  2. My opposite experience by cappp · · Score: 5, Funny

    Weird. My ex always sent me off to increase my "online activities" whenever I made "continued attempts to enter".

    1. Re:My opposite experience by MichaelSmith · · Score: 3, Insightful

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

    2. Re:My opposite experience by Anonymous Coward · · Score: 2, Interesting

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fuck's sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

      MySQL? Looks like the port is open. Running 5.0.91 by the looks of it too.

      And they wonder why they were hacked.
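The two comments above note that Lush's MySQL port answered from the outside and gave away its version. That version string is in the very first packet a MySQL server sends, before any credentials are exchanged, so anyone who can reach the port learns it. The parser below is an added example written for this mirror, not code from the thread, from Lush or from MySQL; the handshake and error packets it parses are constructed inline, and no live server is contacted unless you call `probe()` yourself. The error-packet branch matters in practice: a server that refuses your host with "is not allowed to connect" has still proven it is internet-facing.

```python
"""Parse the first packet a MySQL server sends after TCP connect."""
import socket
import struct

# Constructed sample: a MySQL protocol-10 initial handshake advertising
# "5.0.91-community". Not captured from any real server.
SAMPLE_HANDSHAKE = (
    b"\x0a"                       # protocol version 10
    + b"5.0.91-community\x00"     # server version, NUL-terminated
    + struct.pack("<I", 1337)     # connection id
    + b"ABCDEFGH"                 # auth-plugin-data part 1 (8 bytes)
    + b"\x00"                     # filler
    + struct.pack("<H", 0xF7FF)   # capability flags (lower 16 bits)
    + b"\x08"                     # character set (latin1)
    + struct.pack("<H", 0x0002)   # status flags (SERVER_STATUS_AUTOCOMMIT)
    + b"\x00" * 13                # reserved
)

# Constructed ERR packet: the port is reachable, but this client host is refused.
SAMPLE_ERR = (
    b"\xff" + struct.pack("<H", 1130) + b"#HY000"
    + b"Host '203.0.113.7' is not allowed to connect to this MySQL server"
)


def frame(payload: bytes, seq: int = 0) -> bytes:
    """Prepend the 4-byte MySQL packet header: 3-byte LE length + sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def parse_first_packet(payload: bytes) -> dict:
    """Interpret the payload of the server's first packet.

    kind='handshake': version and capabilities exposed to an anonymous client.
    kind='error':     host refused, but the service is demonstrably reachable.
    """
    if not payload:
        raise ValueError("empty payload")
    if payload[0] == 0xFF:
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg.startswith(b"#"):          # optional '#' + 5-char SQL state
            msg = msg[6:]
        return {"kind": "error", "code": code,
                "message": msg.decode(errors="replace")}
    proto = payload[0]
    end = payload.index(b"\x00", 1)       # end of server-version string
    version = payload[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                      # connection id, auth data, filler
    caps = struct.unpack_from("<H", payload, pos)[0]
    return {"kind": "handshake", "protocol": proto, "version": version,
            "connection_id": conn_id, "capabilities": caps}


def major_minor(version: str) -> tuple:
    """'5.0.91-community' -> (5, 0), for comparing against a policy floor."""
    parts = version.split("-")[0].split(".")
    return (int(parts[0]), int(parts[1]))


def read_packet(sock: socket.socket) -> bytes:
    """Read exactly one MySQL packet from a socket and return its payload."""
    header = b""
    while len(header) < 4:
        chunk = sock.recv(4 - len(header))
        if not chunk:
            raise ConnectionError("closed before header")
        header += chunk
    length = int.from_bytes(header[:3], "little")
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            raise ConnectionError("closed mid-packet")
        payload += chunk
    return payload


def probe(host: str, port: int = 3306, timeout: float = 3.0) -> dict:
    """Connect and report what an unauthenticated client learns (network side)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_first_packet(read_packet(s))


if __name__ == "__main__":
    print(parse_first_packet(SAMPLE_HANDSHAKE))
    print(parse_first_packet(SAMPLE_ERR))
```

Run `probe("your.db.host")` from a network the database should not trust; any answer at all, handshake or error, means the remedy is `bind-address` or a firewall rule, not a stronger password.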

  3. "We'd like to offer you a job..." by mangu · · Score: 2

    "...if your salary weren't way above what us cheapskates are willing to pay!"

    Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

    1. Re:"We'd like to offer you a job..." by 1s44c · · Score: 2

      "...if your salary weren't way above what us cheapskates are willing to pay!"

      Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

      No doubt there is some truth in that. However the smart guys work for the challenge not the money. I know plenty of rich crap people and plenty of smart not-so-rich people.

  4. Re:Every generation... by jonbryce · · Score: 3, Informative

    They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.

  5. Re:Netcraft says.... by BeanThere · · Score: 3, Informative

    Wrong, if you check their 'what's that site running' history you'll see that they only switched to Apache yesterday. Before that, they were on IIS 5 on, FFS, Windows 2000, which is a sign that they were probably running on outdated poorly managed systems. The fact that the attack attempts "continue" is probably meaningless as whatever they were, they are almost certainly failing now, but the attempts will still show up in the logs which will make any naive IT administrator nervous.

  6. Re:Every generation... by coolmadsi · · Score: 2, Insightful

    Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?

    I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hope everything blows over.

    My girlfriend often tells me how ethical they are as a company, they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots back to them for a discount on their next purchase (and they then re-use the pots). As it's a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess with my breathing. Most girls don't seem to mind it though.

  7. Re:Netcraft says.... by Nick+Ives · · Score: 2

    Yea, every computer on the internet is under constant attack. Like a lot of people, I've moved my SSH daemon to a non standard port out of annoyance with my secure log filling up with common username / password login attempts from botnets.

    If you're presenting a service to the world on a standard port, botnets will always be trying to robohack you.

    I'm not too sure of that Netcraft report though as Lush appear from their statements to have been with their current hosts since at least October last year, so they could've moved from Win2k more recently than three and a half years ago.

    --
    Nick
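The "secure log filling up with common username / password login attempts" that Nick Ives describes is the raw material for a simple detector: group failed sshd logins by source address and count distinct usernames, and the botnet spray separates cleanly from a single user mistyping a password. The script below is an added example for this mirror, not code from the thread; the log lines are constructed in the standard OpenSSH format, not taken from any real host.

```python
"""Summarise sshd password failures per source address."""
import re
from typing import Dict, Iterable, List

# Constructed sample auth-log lines (RFC 5737 test addresses, not real hosts).
SAMPLE_LOG = """\
Jan 22 03:14:07 shop sshd[2817]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan 22 03:14:09 shop sshd[2817]: Failed password for invalid user oracle from 198.51.100.23 port 51240 ssh2
Jan 22 03:14:12 shop sshd[2819]: Failed password for root from 198.51.100.23 port 51251 ssh2
Jan 22 03:15:01 shop sshd[2830]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Jan 22 03:15:40 shop sshd[2833]: Failed password for invalid user test from 203.0.113.5 port 60001 ssh2
Jan 22 03:16:02 shop sshd[2840]: Failed password for deploy from 203.0.113.5 port 60012 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def summarise(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: attempt count, usernames tried, and how many of those
    usernames actually exist on the box (the ones worth worrying about)."""
    out: Dict[str, dict] = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue                       # accepted logins, other daemons, noise
        entry = out.setdefault(m["ip"], {"attempts": 0, "users": set(), "valid_users": set()})
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if not m["invalid"]:               # no 'invalid user' prefix: account exists
            entry["valid_users"].add(m["user"])
    return out


def flag(summary: Dict[str, dict], min_attempts: int = 3, min_users: int = 2) -> List[str]:
    """Sources that look like a spray: many attempts across several usernames."""
    return sorted(
        ip for ip, e in summary.items()
        if e["attempts"] >= min_attempts and len(e["users"]) >= min_users
    )


def targeted_valid_accounts(summary: Dict[str, dict]) -> Dict[str, List[str]]:
    """Existing accounts that saw password failures, by source. A real
    account being guessed is the line you read first, whatever the port."""
    return {ip: sorted(e["valid_users"]) for ip, e in summary.items() if e["valid_users"]}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip in flag(s):
        print(ip, s[ip]["attempts"], "attempts,", sorted(s[ip]["users"]))
    print(targeted_valid_accounts(s))
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` output instead of the sample list; a source that trips `flag()` is block-list material, while `targeted_valid_accounts()` is the part to read by hand.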
  8. Re:Smelly by ettlz · · Score: 4, Funny

    Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap.

    Oh, it's only a phase. It normally ends once they go to university.

  9. Mobile Operators and Police don't help by Ian.Waring · · Score: 4, Informative

    My wife is a Lush customer, ordered online in the time period described and did have 2 £15 charges (total just north of $40) for prepay mobile phone credit debited from her account. She spotted that virtually immediately; however, her bank just wanted to snail mail post a claim form to her to get her money back, and O2 (the mobile phone company providing the goods from the fraudulent two transactions) said it was an industry agreed procedure to wait until the bank got in touch with them before they'd do anything. So, bottom line, the thieves have 5 days to use the credit they stole, when O2 could have invalidated the transaction immediately and/or aimed some trace to the person using that mobile handset. About as much use as a cow on stilts. We need a Bill Bratton methinks. Follow the money, get to the source.

  10. Re:Morals ... by poity · · Score: 2

    I don't get it, how is charging premium prices a breach of morals? Do they have a soap monopoly?

    --
    your thin skin doesn't make me a troll
  11. Re:Color me nonplussed by cdrguru · · Score: 2

    Your credit card will be compromised. It is a fact of life.

    Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people. Credit card companies do not prosecute - ever. So, even if someone is caught they aren't going to do any time.

    Magnify the opportunity and reward 1000 times for a credit card database.

    I do not know of anyone ever that had to pay for their credit card being used fraudulently. Generally I get a phone call asking if some purchase was mine and when the answer is no it is removed from the bill and a new card is mailed out. Period. Nothing else.

    I don't understand what all the fuss is about. Yes, you will get a new credit card number periodically. So?

  12. Re:I always thought... by jimicus · · Score: 2

    It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.

    Which would explain why they're only worried about customers who bought stuff in the last couple of months.
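Two of jimicus's comments above point at the same control: "regularly ensuring the integrity of your site" (comment 1.8) and the scenario here, where a few lines slipped into the shopping-cart script forward every card number as it is entered. A hash baseline of the web root, taken at deploy time and kept somewhere the web server cannot write, turns that edit into a changed file at the next check. The script below is an added example for this mirror, not code from the thread or from Lush; the web root and the tampering are constructed in a temporary directory, with a harmless stand-in line in place of any real exfiltration code.

```python
"""Baseline-and-compare integrity check for a web root."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                    # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                   # hash real content, not link targets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added / removed / modified paths between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Write the baseline as JSON. Store it off the web server, or an attacker
    who can edit cart.php can edit the baseline too."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a tiny shop, then tamper with the cart script."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "checkout"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'shop'; ?>\n")
        cart = os.path.join(root, "checkout", "cart.php")
        with open(cart, "w") as f:
            f.write("<?php process_order($_POST); ?>\n")
        baseline = build_baseline(root)

        # Tampering, constructed: a stand-in for the 'few lines' described in
        # comment 12. The hash changes regardless of what the lines do.
        with open(cart, "a") as f:
            f.write("// constructed stand-in for injected lines\n")
        # A dropped file, also constructed, to show the 'added' bucket.
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", "x.php"), "w") as f:
            f.write("<?php /* constructed */ ?>\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

In use, `save_baseline()` runs once per deploy from the release pipeline and `compare(load_baseline(...), build_baseline("/var/www"))` runs from cron on a host other than the web server (read-only mount or rsync pull), so the baseline is not writable by the same account that serves the pages. Deliberate changes from a release should show up only as a fresh baseline, never as a quietly accepted diff.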