Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Cosmetic Retailer Lush Targeted By Hackers

Posted by timothy on from the people-are-bad dept.

Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"

11 of 109 comments (clear)

  1. Oh come on... by samcan · · Score: 3, Interesting

    It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

    1. Re:Oh come on... by rtfa-troll · · Score: 5, Insightful

      A "top notch" IT team will have

      • offline backups
      • the ability to restore quickly
      • the ability to expand capacity quickly
      • the ability to do almost immediate updates*
      • basic forensic ability to work out what's going on

      Sure, your system may be compromised. Sure; the first replacement system may be compromised again. During the compromise of the second you should get enough logs that the third (or at worst fifth time) you come back, all the zero day attacks the attacker is using have gone.

      Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable"

      * at the cost of a short term outage;

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Oh come on... by internewt · · Score: 3, Insightful

      Maybe their admin password was 'password'

      It was worse than that.... it looks like up until very recently they could well have had their site on a Windows 2000 machine. 2000 was the best version of Windows that MS ever made, but it still had some chronic shortcomings that make it totally unsuitable for most internet-facing tasks.

      http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk

      Of course it is all too easy to just flame Windows, but even (especially) the MS fans will agree that using IIS5 in at least 2007 is not a clever thing to have been doing.

      But lets be honest, the way that site is slinging about the word "hacker" it is clear they do not have any kind of top-notch IT... or even any clue about computers - they probably accepted what the industry told them as 100% truths, and then think that somehow some person is doing fucking magic or something to get into their server. Considering how keen they seem to be to shirk responsibility for the break ins (their list of suspect beliefs, for example), they truly do not recognise their own ignorance. The BBC miss the point too, and just go along with the hacker rhetoric as well.

      --
      Car analogies break down.
    3. Re:Oh come on... by drinkypoo · · Score: 4, Interesting

      Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.

      My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Oh come on... by jimicus · · Score: 3, Insightful

      Any IT professional that insists running Internet-facing web servers on Windows is just as good as anything else is ____________________________ [I can't say it... please, responders, fill in the blank].

      ... perfectly correct, provided the server is administered competently.

      This means you run an up to date version of Windows and IIS, you lock everything down so tightly you can barely do anything with the damn thing, you make sure any extra things you need to install for your application are kept up to date (and ideally don't run any with a history of serious security issues), you keep it in a DMZ, you run a separate server configured identically in a test environment so you can test patches as soon as they become available with a view to rolling them out ASAP, your firewall offers application-layer security which you have learned how to configure properly and have done so and you're regularly ensuring the integrity of your site.

      And if you don't have the time to maintain solid security for the important parts (such as card transactions), don't even try. There's plenty of card processors on the market that can do all that for you, and your systems never need to even see a card number.

      I would argue that if you can't do all this (or at least understand what I'm talking about), you have no business running a public website which processes transactions in the first place.

      The thing is, I would argue that a huge number of Windows admins (possibly 80% or more) are not even equipped to recognise their own shortcomings, much less do all of this.

  2. My opposite experience by cappp · · Score: 5, Funny

    Weird. My ex always sent me off to increase my "online activities" whenever I made "continued attempts to enter".

    1. Re:My opposite experience by MichaelSmith · · Score: 3, Insightful

      'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

      Oh for fucks sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

      --
      http://michaelsmith.id.au
  3. Re:Every generation... by jonbryce · · Score: 3, Informative

    They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.

  4. Re:Netcraft says.... by BeanThere · · Score: 3, Informative

    Wrong, if you check their 'what's that site running' history you'll see that they only switched to Apache yesterday. Before that, they were on IIS 5 on, FFS, Windows 2000, which is a sign that they were probably running on outdated poorly managed systems. The fact that the attack attempts "continue" is probably meaningless as whatever they were, they are almost certainly failing now, but the attempts will still show up in the logs which will make any naive IT administrator nervous.

  5. Re:Smelly by ettlz · · Score: 4, Funny

    Ha! I cannot stand them and never understand why so many 16-19 year olds go crazy over a bar of soap..

    Oh, it's only a phase. It normally ends once they go to university.

  6. Mobile Operators and Police don't help by Ian.Waring · · Score: 4, Informative

    My wife is a Lush customer, ordered online in the time period described and did have 2 £15 charges (total just north of $40) for prepay mobile phone credit debited from her account. She spotted that virtually immediately; however, her bank just wanted to snail mail post a claim form to her to get her money back, and O2 (the mobile phone company providing the goods from the fraudulent two transactions) said it was an industry agreed procedure to wait until the bank got in touch with them before they'd do anything. So, bottom line, the thieves have 5 days to use the credit they stole, when O2 could have invalided the transaction immediately and/or aimed some trace to the person using that mobile handset. About as much use as a cow on stilts. We need a Bill Bratton methinks. Follow the money, get to the source.