Slashdot Mirror


WHMCS Data Compromised By Good Old Social Engineering

howhardcanitbetocrea writes "WHMCS has had 500,000 records leaked, credit cards included, by hackers calling themselves UGNazis. Apparently UGNazis succeeded in obtaining login details from the billing software's host by using social engineering. UGNazis accuse WHMCS of knowingly offering services to fraudsters. After almost 24 hours UGNazis still seem to have control of WHMCS twitter account @whmcs and is regularly updating their exploits. These tweets are also feeding into WHMCS software."

22 of 87 comments

  1. In case you wonder who or what WHMCS is... by clickety6 · · Score: 5, Informative

    "WHMCS is an all-in-one client management, billing & support solution for online businesses." For some reason, their website is currently down...

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
    1. Re:In case you wonder who or what WHMCS is... by Mathinker · · Score: 4, Funny

      > "WHMCS was an all-in-one client management, billing & support solution for online businesses."

      FTFY

  2. Passwords Are Safe, But ... by WrongSizeGlass · · Score: 2

    > the passwords are “stored in hash format” so they’re safe, but the credit card information may be at risk, along with the contents of all the recently submitted tickets.

    How do companies repeatedly let this happen? Encrypt that shit!

    1. Re:Passwords Are Safe, But ... by P-niiice · · Score: 3, Insightful

      It was social engineering. Encryption cannot help with human gullibility.

    2. Re:Passwords Are Safe, But ... by WrongSizeGlass · · Score: 3

      > It was social engineering. Encryption cannot help with human gullibility.

      But encryption can protect sensitive data if security is ever breached.

    3. Re:Passwords Are Safe, But ... by bmo · · Score: 5, Informative

      >But encryption can protect sensitive data if security is ever breached.

      Encryption only works until you give the key away for a candy bar in a social engineering scheme.

      Then all bets are off.

      --
      BMO

    4. Re:Passwords Are Safe, But ... by ifrag · · Score: 2

      > But encryption can protect sensitive data if security is ever breached.

      Unless the security "breached" also includes the information for performing decryption. In which case it didn't protect anything.

      --
      Fear is the mind killer.

    5. Re:Passwords Are Safe, But ... by Maximum+Prophet · · Score: 2

      > It was social engineering. Encryption cannot help with human gullibility.

      Yes, it can. If your data is unencrypted anyone can give it out. You use encryption along with policy so that only those that need to know can get the information. For really sensitive information, you make sure that multiple people have to each add their password before the information is allowed to be accessed.

      You can also use encryption to ensure that machine 'A' can talk to machine 'B' using large certs, but no human has direct access.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)

    6. Re:Passwords Are Safe, But ... by bmo · · Score: 4, Interesting

      Replying to myself so others may read a story I am referring to in case they missed it back in 2004.

      http://news.bbc.co.uk/2/hi/technology/3639679.stm

      And it still applies today.

      --
      BMO

    7. Re:Passwords Are Safe, But ... by GlennC · · Score: 2

      Written on a Post-It note stuck under the keyboard.

      DUH!!!

      --
      Go on, citizen, stamp the vote card. R or D, your choice.

    8. Re:Passwords Are Safe, But ... by bmo · · Score: 2

      For $7000 in Y2K dollars, you can forge documents and a search warrant and walk right into a datacenter, pretending you're the feds, and walk out with the machines themselves. While this is a crime, you are committing a crime in the first place anyway by deciding to go after the data, so I don't see this as a barrier for those who don't give a shit.

      --
      BMO

    9. Re:Passwords Are Safe, But ... by hey! · · Score: 3, Insightful

      It was also a lousy but unfortunately common business practice.

      Suppose you're a company that handles billing and payments for clients. One of your clients asks you for the credit card information for all of *his* clients. This scenario shows why you should be very reluctant to give that data to him. And for all you know, *he's* going to use it to commit identity fraud, or sell it on the black market.

      Not disclosing this information inconveniences the customer slightly, but it also protects him.

      When you receive sensitive private information from someone, you should not use it or transfer it to any third parties except as necessary to fulfill the purpose for which you received it, *even if* you are just a middleman between the buyer, the vendor, and the vendor's bank. Get the money transferred into the customer's account and the order to the customer's order fulfillment people and your job is done.

      These problems come from not *thinking*. End user sends you data, you automatically store it without thinking, whether you need it or not. Customer asks you for that data, and you automatically give it to him without thinking. A service agreement should be concluded between you and your customer establishing what the customer is going to do with that data, and when and how the data will be provided. You shouldn't just give him data that is not necessarily *his* by right just because he asks for it.

      The underlying problem is that companies operate as if the privacy and security of their end-users is none of their concern.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

  3. I guess by slashmydots · · Score: 2

    Hmmm 24 hours of criminals posting tweets detrimental to your business on their own account which is displayed in their own software. I guess everyone over at WHMCS must be on vacation...OR ARE COMPLETE MORONS! Maybe they forgot their security question though, lol.

  4. salty... salty... by vlm · · Score: 2

    > the passwords are “stored in hash format” so they’re safe

    Assuming their programmers know what a salt is (maybe they do, maybe they don't, he's not saying), and/or their users are not using passwords typically seen in a dictionary attack (yeah right)

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

    1. Re:salty... salty... by Tanktalus · · Score: 2

      And you're assuming that the passwords are valuable enough to spend sufficient CPU cycles to attempt to crack. If they can find some important users, maybe their passwords are valuable enough to try. I would guess that most users are likely not valuable enough to attempt.

    2. Re:salty... salty... by Anonymous Coward · · Score: 2, Informative

      > the passwords are “stored in hash format” so they’re safe

      > Assuming their programmers know what a salt is (maybe they do, maybe they don't, he's not saying), and/or their users are not using passwords typically seen in a dictionary attack (yeah right)

      A salt isn't some magic pixie dust that makes hashes more secure: you also have to use them correctly. If the code is something like

      $salt = 'n1c3tryh4x0r$';            // one hard-coded salt shared by every user
      $hash = sha1($salt . $password);    // plain SHA-1 over salt||password

      Then it's not very useful. If on the other hand it's something like

      $salt = base64_encode(random_bytes(16));                 // fresh random salt per user
      $hash = $salt . '$' . hash_hmac('sha1', $password, $salt); // salt stored alongside the HMAC

      Then one would have much less to worry about.
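
Added illustration (not code from the comment above, and not WHMCS's code): a Python version of the two schemes the commenter contrasts, plus a verifier and a simple audit check a defender can run over their own password table to spot a shared salt. The usernames and passwords are constructed; a production system would use a slow KDF such as PBKDF2 rather than one HMAC round.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, List, Optional

FIXED_SALT = b"n1c3tryh4x0r$"  # the single hard-coded salt from the weak scheme


def hash_fixed_salt(password: str) -> str:
    """Weak scheme: one salt shared by every user, plain SHA-1."""
    return hashlib.sha1(FIXED_SALT + password.encode()).hexdigest()


def hash_per_user_salt(password: str, salt: Optional[bytes] = None) -> str:
    """Better scheme: fresh random salt per user, stored in front of the HMAC."""
    if salt is None:
        salt = os.urandom(16)
    salt_b64 = base64.b64encode(salt).decode()
    mac = hmac.new(salt, password.encode(), hashlib.sha1).hexdigest()
    return f"{salt_b64}${mac}"


def verify_per_user_salt(password: str, stored: str) -> bool:
    """Re-derive the HMAC with the stored salt and compare in constant time."""
    salt_b64, mac = stored.split("$", 1)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, password.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, mac)


def duplicate_hash_ratio(stored_hashes: List[str]) -> float:
    """Audit check: with per-user salts, identical passwords still produce
    distinct digests, so any duplicate digests point to a fixed or missing salt."""
    digests = [h.rsplit("$", 1)[-1] for h in stored_hashes]
    return 1 - len(set(digests)) / len(digests)


def constructed_store(scheme: Callable[[str], str]) -> List[str]:
    """Constructed sample table: three users who all chose the same weak password."""
    users = {"alice": "password123", "bob": "password123", "carol": "password123"}
    return [scheme(pw) for pw in users.values()]


if __name__ == "__main__":
    print("fixed salt   duplicate ratio:", duplicate_hash_ratio(constructed_store(hash_fixed_salt)))
    print("per-user salt duplicate ratio:", duplicate_hash_ratio(constructed_store(hash_per_user_salt)))
```

Running the audit on a real table is cheap: a duplicate ratio well above zero on a large user base is a strong signal that the stored hashes share a salt (or have none).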

  5. WHMCS is Hosted by Hostgator by Anonymous Coward · · Score: 4, Informative

    As a former employee, posting this as anonymous for obvious reasons; however, the below information is freely available if you know where to look.

    WHMCS is hosted by Hostgator on a dedicated server. This can be found by:

    % dig NS whmcs.com +short | head -1 | xargs dig +short | xargs whois
    # http://whois.arin.net/rest/nets;q=50.116.115.104?showDetails=true&showARIN=false&ext=netref2

    HGBLOCK = Hostgator IP block, the ARIN address is Hostgator's main office, and websitewelcome.com is Hostgator's generic domain they use for reseller servers' hostnames/nameservers.

  6. It's easy by Stargoat · · Score: 2

    Amateurs target systems, professionals target people. The weakest part of any IT system is the users. We know all this. For example, Mondays have the most downtime, as they are associated with changes made over the week. A user that installs a gotoassist to 'help' the IT department. Etc etc.

    --
    Hoist Number One and Number Six.

  7. Official announcement by Solozerk · · Score: 5, Informative

    The official post on this from WHMCS is interesting: http://blog.whmcs.com/?t=47660
    They're saying that the intruders managed to obtain credentials from their web hosting company, which allowed them to access the (I assume) dedicated servers rented by WHMCS.

    Putting aside the fact that they're storing CC data on a third party server, what the blog post does not explain is how exactly this would amount to a total compromise of those accounts, as the server passwords should not even be known by the hosting company, and in any case this data should have been encrypted. It would also be interesting to know how they went from that to accessing the company's twitter account - my guess would be that the same password was used on twitter as on their servers.

    So basically: no encryption, relying on an insecure third party to store critical data, and possibly the same password being used for a major hosting server and their twitter account. I, for one, would not rely on this company to handle billing & support for my customers.

  8. Forum Discussion From Industry Peeps by Anonymous Coward · · Score: 2, Interesting

    For discussions on this from people within the hosting industry, see http://www.webhostingtalk.com/showthread.php?t=1156920 ... interesting read.

  9. There was no hacking!! by rudy_wayne · · Score: 4, Informative

    > The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

    > This means that there was no actual hacking of our server. They were ultimately given the access details.

    Yes, they didn't break in, YOU FUCKING LET THEM IN, because that really makes a difference.

  10. Anyone? by Cute+Fuzzy+Bunny · · Score: 3, Funny

    I was just wondering what WHCMCHSHCHSC stood for, but the article never mentions it and neither did the front page of the company's web site.

    So aside from having security issues, somewhere along the line someone forgot that not everyone knows what WHCSMSHC XVIII stands for.