Default View

WHID 2010-160: Hackers crack e-mail server of Russian Federal Protection Service (gov.ru)

Tue, 24 Aug 2010 11:12:19 -0400

Entry Title: WHID 2010-160: Hackers crack e-mail server of Russian Federal Protection Service (gov.ru)
WHID ID: WHID 2010-160
Date Occured: August 23, 2010
Outcome: Leakage of Information
Incident Description: Email server of one of Federal Protection Service (FPS) departments was attacked. As a result, for several hours every Internet user was allowed to access FPS e-mail archive.
Successful attack was conducted because of available outbound access and also because of administrators failure – they did not modify default settings, including passwords for accounts used to access the system with administrative privileges.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Russia
Attacked System Technology: Dozor
Reference: http://www.securitylab.ru/news/397019.php

WHID 2010-159: 500 000 websites hacked, including Apple

Wed, 18 Aug 2010 21:23:33 -0400

Entry Title: WHID 2010-159: 500 000 websites hacked, including Apple
WHID ID: WHID 2010-159
Date Occured: August 17, 2010
Outcome: Worm
Incident Description: As reported by The Register IT news portal, a number of smaller websites have been hacked using an SQL injection attack method that attempts to obfuscate links to malware infected pages. The hack apparently also affected two Apple websites that are used to promote its iTunes podcasts.
Other than the Apple sites, the news service says that at least 538 000 “mom-and-pop” websites have been victimized by the hack, in addition to 500 000 more that appear quite similar but lead to different domains.
The attack takes advantage of web-based application vulnerabilities, which often do not differentiate between legitimate search queries and intentional attacks via malicious code.
The Register reported that the malware-infected links have been removed from the Apple pages since Google last indexed its search page earlier this month.
The attack underlines the need for companies to go the extra mile and secure external web-facing applications said Rob Horton, the operational director of security testing consultant NCC Group.
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.infosecurity-us.com/view/11870/500-000-websites-hacked-including-apple/

WHID 2010-158: National Space Agency of the Republic of Kazakhstan was hacked

Thu, 22 Jul 2010 08:51:50 -0400

Entry Title: WHID 2010-158: National Space Agency of the Republic of Kazakhstan was hacked
WHID ID: WHID 2010-158
Date Occured: July 18, 2010
Outcome: Death
Incident Description: On the 18th of July the hack-world.org group using an SQL Injection attack obtained access to the administration section of the National Space Agency of the Republic of Kazakhstan. Obtaining access to the administration system of the site was facilitated by the fact that administrators used weak passwords that allowed local recovery using MD5 hash. Currently, the site is under reconstruction.
Attack Source Geography: Russia
Attacked Entity Field: Government
Attacked Entity Geography: Kazahtan
Reference: http://habrahabr.ru/blogs/infosecurity/99736/

WHID 2010-157: Facebook Full Disclosure

Wed, 21 Jul 2010 16:15:59 -0400

Entry Title: WHID 2010-157: Facebook Full Disclosure
WHID ID: WHID 2010-157
Date Occured: July 20, 2010
Outcome: Disclosure Only
Incident Description: apps.facebook.com website hacked via SQL Injection.
Attack Source Geography:
Attacked Entity Field: Internet
Attacked Entity Geography:
Reference: http://sla.ckers.org/forum/read.php?16,35138,35138#msg-35138

WHID 2010-156: The Russian Railways tickets site was hacked

Wed, 21 Jul 2010 14:07:23 -0400

Entry Title: WHID 2010-156: The Russian Railways tickets site was hacked
WHID ID: WHID 2010-156
Date Occured: July 21, 2010
Outcome: Defacement
Incident Description: Unknown attackers hack the official site of "Russian Railways" company. As a result, web pages were replaced by hackers’ messages. The site was temporary blocked; now it is resumed but some pages are still unavailable, "Buying Train Tickets" web page is among them (ticket.rzd.ru). No details about personal data leakage is now available.
Attack Source Geography:
Attacked Entity Field: Transport
Attacked Entity Geography: Russia
Reference: http://www.uinc.ru/news/sn14165.html

WHID 2010-155: S. Korean Gov't Websites Hit by Hacker Attacks

Fri, 09 Jul 2010 14:02:57 -0400

Entry Title: WHID 2010-155: S. Korean Gov't Websites Hit by Hacker Attacks
WHID ID: 2010-155
Date Occured: July 7, 2010
Outcome: Downtime
Incident Description: Official websites of South Korean government agencies, including the presidential office and the foreign ministry, came under hacker attacks Wednesday, a national telecom regulator said.
According to the state-run Korean Communications Commission ( KCC), the websites of government agencies, such as the presidential office Cheong Wa Dae, the Ministry of Foreign Affairs and Trade, and private firms, including the leading Internet search engine Naver, Nonghyup Bank and the Korean Exchange Bank, were hit by the so-called distributed denial-of-service (DDoS) attacks from around local time 6:00 p.m. (0900 GMT) Wednesday.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: South Korea
Reference: http://english.cri.cn/6966/2010/07/07/1461s581567.htm

WHID 2010-154: Justin Bieber My World Tour Contest Hacked

Fri, 09 Jul 2010 13:37:22 -0400

Entry Title: WHID 2010-154: Justin Bieber My World Tour Contest Hacked
WHID ID: 2010-154
Date Occured: July 2, 2010
Outcome: Disinformation
Incident Description: That was but a preliminary skirmish – they’ve come up with a much more damaging plan – to send Bieber to North Korea. Foolish, foolish Bieber has started a competition for countries to vote for him to come and tour them. Called the Justin Bieber My World Tour Contest, it has now been thoroughly highjacked by Anonymous – at the time of writing, North Korea is in second place by only a few thousand votes. Unless the current leader Israel can get its act together, it should be overtaken by lunchtime.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Reference: http://blogs.independent.co.uk/2010/07/02/the-plot-to-send-justin-bieber-to-north-korea/

WHID 2010-153: App Store, Hacked.

Fri, 09 Jul 2010 13:33:05 -0400

Entry Title: WHID 2010-153: App Store, Hacked.
WHID ID: 2010-153
Date Occured: July 4, 2010
Outcome: Monetary Loss
Incident Description: This article began with details of one specific app developer hacking iTunes users accounts and purchasing their own apps using those accounts – making it to the top of the iTunes charts. As the story has developed it appears to be far more widespread than just that one particular developer and his apps…the Apple App store is filled with App Farms being used to steal. We’ve put together a complete list of all the facts and updates to this story here which we high recommend you read instead of this article. Apple has also now released a statement about the matter.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Reference: http://thenextweb.com/apple/2010/07/04/app-store-hacked/

WHID 2010-152: The Pirate Bay hacked

Fri, 09 Jul 2010 09:41:37 -0400

Entry Title: WHID 2010-152: The Pirate Bay hacked
WHID ID: 2010-152
Date Occured: July 5, 2010
Outcome: Disclosure Only
Incident Description: According to an advisory posted on the web site of Argentinian group of security researchers, they were able to obtain access to the Pirate Bay’s administration panel, by discovering multiple SQL injections, leading to the exposure of emails, MD5 hashes for passwords, and the IP address for any particular Pirate Bay user.
Attack Source Geography: Argentina
Attacked Entity Field: Internet
Attacked Entity Geography: Sweden
Reference: KrebsOnSecurity.com

WHID 2010-151: YouTube Hacked

Wed, 07 Jul 2010 23:06:17 -0400

Entry Title: WHID 2010-151: YouTube Hacked
WHID ID: 2010-151
Date Occured: July 4, 2010
Outcome: Defacement
Incident Description: Today, members of the Internet communities 4chan and other enterprising computer whizzes hacked YouTube using a vulnerability in the site’s comment system. While the hack was used on a variety of videos, striking music videos featuring teen pop idol Justin Bieber was the most popular activity.
Twitter lit up with complaints about the problem, Google support got some concerned posts on its forum, and we received tips in our inbox. The event caused quite a Sunday-morning stir.
The bug allowed users to inject HTML (the code that most websites are built with) that could be executed on the site, whereas HTML within comments is supposed to be restricted. The hackers did everything from force pop-up messages to appear over the site declaring that it had been hacked to redirecting Bieber video pages to sites hosting pornography and malware.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Reference: http://www.acunetix.com/blog/web-security-zone/articles/dangerous-xss-vulnerability-found-on-youtube-the-vulnerability-explained/

WHID 2010-150: At least four Armenian websites were attacked by Azerbaijani hackers

Wed, 07 Jul 2010 22:51:12 -0400

Entry Title: WHID 2010-150: At least four Armenian websites were attacked by Azerbaijani hackers
WHID ID: 2010-150
Date Occured: July 3, 2010
Outcome: Defacement
Incident Description: At least four Armenian websites were attacked by Azerbaijani hackers during a week.
On July 2, the websites of Henaran.am press club (Henaran.am) and Armenia's Sambo Federation (sambo.am) were hacked to place Azerbaijan's flag and references to Azerbaijani media on them. Meanwhile, the websites' operation has already been resumed.
Besides, on June 29, hackers attacked Azdagir.am site of announcements again to place the Azerbaijani flag on it, as well as information on the January 20, 1990, events in Baku. On June 30, the owner of psyarmenia.com website told PanARMENIAN.Net that the site on psychology was hacked and a poster on "Armenian terror" was placed on it. Currently, the two websites do not operate.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Armenia
Reference: http://www.panarmenian.net/eng/it_telecom/news/50897/At_least_four_Armenian_websites_were_attacked_by_Azerbaijani_hackers

WHID 2010-149: Identity Stolen Through X-Box Live

Wed, 07 Jul 2010 22:45:29 -0400

Entry Title: WHID 2010-149: Identity Stolen Through X-Box Live
WHID ID: 2010-149
Date Occured: July 3, 2010
Outcome: Monetary Loss
Incident Description: Rosalinda Gonzalez's bought the X-Box 360 console for her sons. They enjoy playing the video games and using the live service where they can connect with players from around the world.
In order to purchase the monthly live membership, Gonzalez entered her credit card information to her son's online profile. It is suppose to be kept private but Gonzalez says her son's profile was hacked by a computer whiz.
The man changed her son's password, stole game points and started making purchases using her credit card information. She says her boys actually spoke to the hacker through X-Box live. The man admitted to stealing other people's personal information too.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Reference: http://www.krgv.com/content/news/story/Identity-Stolen-Through-X-Box-Live/vKZIV1Rboki6lngI78Qf_w.cspx

WHID 2010-148: AsSeenOnTV SQL injection into corporate web server exposed credit card information of customers

Tue, 29 Jun 2010 14:23:56 -0400

Entry Title: WHID 2010-148: AsSeenOnTV SQL injection into corporate web server exposed credit card information of customers
WHID ID: 2010-148
Date Occured: June 29, 2010
Outcome: Planting of Malware
Incident Description: AsSeenOnTV website hacked via SQL Injection and planted malware.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Reference: http://datalossdb.org/incidents/2953

WHID 2010-147: Biggest blog company Skyblog hacked 32,000,000 accounts stolen

Tue, 29 Jun 2010 14:17:00 -0400

Entry Title: WHID 2010-147: Biggest blog company Skyblog hacked 32,000,000 accounts stolen
WHID ID: 2010-147
Date Occured: May 19, 2010
Outcome: Leakage of Information
Incident Description: Earlier this week, IT staff Skyrock / Skyblog audit its servers, an old classic that can trace bugs and small technical malfunctions. Except this time, the "bug" seems to be much more serious. A filenamed "hello"and some scripts are discovered on a server. Neither one, nor two, the alert is triggered. A more complete audit is implemented. It is then discovered that an intrusion has been orchestrated from a backdoor downloaded via a service misconfigured (Waka) "Download". From this facility, malicious, or the pirates have certainly got their hands on more than 32 million accounts skyblogueurs. It seems that the intruder will be difficult to trace. He crushed the logs after its passage. A ip appears, however, it resulted in a proxy, based in England. The drafting of ZATAZ.COM could know the exact date of the intrusion.
Attack Source Geography:
Attacked Entity Field: Blogs
Attacked Entity Geography: France
Reference: http://datalossdb.org/incidents/2948

WHID 2010-146: Hacking ring busted over test scores

Tue, 29 Jun 2010 14:07:03 -0400

Entry Title: WHID 2010-146: Hacking ring busted over test scores
WHID ID: 2010-146
Date Occured: June 29, 2010
Outcome: Disinformation
Incident Description: Police in Jinan, Shandong Province arrested several members of a ring that hacked into education websites to change test scores and forge credentials for cash.
Attack Source Geography: China
Attacked Entity Field: Education
Attacked Entity Geography: China
Reference: http://english.people.com.cn/90001/90776/90882/7044956.html

WHID 2010-145: Hacker tries to manipulate Maine's legislative website

Tue, 29 Jun 2010 14:01:39 -0400

Entry Title: WHID 2010-145: Hacker tries to manipulate Maine's legislative website
WHID ID: 2010-145
Date Occured: June 29, 2010
Outcome: Planting of Malware
Incident Description: The state's online database of legislative activity has been taken offline because of an attempt by an unknown hacker to manipulate the website's coding.
On Thursday, the Legislature's information technology officials shut down the website's bill status function, which allows users to follow legislation such as roll calls, committee votes, amendments and fiscal notes.
The manipulated code inserted the addresses of extraneous websites that could have exposed users' computers to harm if they clicked on the links, said Scott Clark, director of information technology for the Legislature.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Maine
Reference: http://www.pressherald.com/news/hacker-tries-to-manipulate-legislative-website-_2010-06-29.html

WHID 2010-144: Hackers Steal $465,000 from Escrow Firm

Tue, 29 Jun 2010 13:58:33 -0400

Entry Title: WHID 2010-144: Hackers Steal $465,000 from Escrow Firm
WHID ID: 2010-144
Date Occured: June 29, 2010
Outcome: Monetary Loss
Incident Description: A total of $465,000 was recently stolen from California-based Village View Escrow via 26 consecutive wire transfers.
"Owner Michelle Marisco said her financial institution at the time -- Professional Business Bank of Pasadena, Calif. -- normally notified her by e-mail each time a new wire was sent out of the company’s escrow account," writes Krebs on Security's Brian Krebs. "But the attackers apparently disabled that feature before initiating the fraudulent wires."
"Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice," Krebs writes. "Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on Marisco’s computer, and on the PC belonging to her assistant -- the second person needed to approve transfers."
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: California
Reference: http://www.esecurityplanet.com/headlines/article.php/3890291/article.htm

WHID 2010-143: Whirlpool Repeatedly Hit by DDoS Attacks

Tue, 29 Jun 2010 13:42:23 -0400

Entry Title: WHID 2010-143: Whirlpool Repeatedly Hit by DDoS Attacks
WHID ID: 2010-143
Date Occured: June 29, 2010
Outcome: Downtime
Incident Description: Australian broadband news website Whirlpool.net.au was the target of several Distributed Denial of Service (DDoS) attacks this morning. The hosting provider moved quickly to mitigate, but attackers evaded the restrictions, causing an aggregated downtime of around ten hours.
Whirlpool.net.au is one of the most trafficked Australian websites, housing a community of over 350,000 registered users. It was started twelve years ago as a place to discuss Internet broadband services in the country, but has since evolved into a full-blown news website covering the telecommunications industry.
"Bulletproof received monitoring alerts of packet loss at 12:45 am. We identified it as a classic denial-of-service attack being targeted at Whirlpool. We immediately blocked Whirlpool IP addresses to observe it better and then we were able to track down that it was originating from Denmark and the United States," Lorenzo Modesto, chief operating officer at Bulletproof Networks, the company hosting Whirlpool, commented for ZDNet Australia.
Attack Source Geography: Denmark
Attacked Entity Field: Media
Attacked Entity Geography: Australia
Reference: http://news.softpedia.com/news/Whirlpool-Repeatedly-Hit-by-DDoS-Attacks-145629.shtml

WHID 2010-142: Hackers vandalise 200 web sites, cripple 150

Mon, 28 Jun 2010 14:25:26 -0400

Entry Title: WHID 2010-142: Hackers vandalise 200 web sites, cripple 150
WHID ID: 2010-142
Date Occured: June 28, 2010
Outcome: Downtime
Incident Description: The web sites of more than a whopping 200 Australian organisations were hijacked and vandalised in a spate of hacks last week.
In the largest single attack, a hacker gained administrative access to the Direct Admin server management system used by a hosting provider, who Computerworld Australia will not name, and suspended 159 accounts rendering their web sites inaccessible to the public.
The suspension notification page was then defaced with the hackers’ moniker and religious propaganda.
The hack was launched through a flaw created after an automatic patch of the admin system failed to complete.
Attack Source Geography:
Attacked Entity Field: Hosting Providers
Attacked Entity Geography: Australia
Reference: http://www.computerworld.com.au/article/351360/hackers_vandalise_200_web_sites_cripple_150/

WHID 2010-141: Virginia Right! Under Fire Yesterday With DDOS Attack

Mon, 28 Jun 2010 13:57:11 -0400

Entry Title: WHID 2010-141: Virginia Right! Under Fire Yesterday With DDOS Attack
WHID ID: 2010-141
Date Occured: June 27, 2010
Outcome: Downtime
Incident Description: Sorry for the outage yesterday between 8:00 AM and 7:00 PM. Virginia Right! was under attack with a Distributed Denial of Service. Part of the problem in resolving the issue is the fact that Virginia Right! is on a shared hosting server with many hosts using the same IP address. The first thing that has to be determined is which domain is under attack. They do this by temporarily assigning a static IP address to each site hosted on the server (as opposed to all of us sharing the same address). When they were done, everyone came back up except – Virginia Right!. So the attacks were specifically directed at us!
Attack Source Geography:
Attacked Entity Field: Blogs
Attacked Entity Geography: Virginia, USA
Reference: http://beforeitsnews.com/news/87/162/Virginia_Right_Under_Fire_Yesterday_With_DDOS_Attack.html

WHID 2010-140: Hackers fleece online poker players

Mon, 28 Jun 2010 13:47:09 -0400

Entry Title: WHID 2010-140: Hackers fleece online poker players
WHID ID: 2010-140
Date Occured: June 28, 2010
Outcome: Monetary Loss
Incident Description: Police arrested 33 hackers who used a “distribution of denial of service” program to cheat online poker players out of 55 million won ($45,265) from last November through May.
The hackers, led by 30-year-old Yu and 29-year-old Kim, were booked without detention on charges of gaining illegal profits.
The Cyber Terror Response Center in Gyeonggi said the gang used a DDOS attack to infect 11,000 computers at 700 PC rooms across the country.
Police said Yu bought the “Netbot Attacker” program from a Chinese hacker last November, then sold copies online to Kim and others. The gang broke into the administrative systems of the PC rooms and installed the virus in their computers to allow them to see the hands of poker opponents.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: Korea
Reference: http://joongangdaily.joins.com/article/view.asp?aid=2922391

WHID 2010-139: Twitter XSS Vulnerability Possibly Exploited by Turkish Hackers

Mon, 28 Jun 2010 13:32:57 -0400

Entry Title: WHID 2010-139: Twitter XSS Vulnerability Possibly Exploited by Turkish Hackers
WHID ID: 2010-139
Date Occured: June 28, 2010
Outcome: Defacement
Incident Description: Dimitris Pagkalos, one of the founders of the XSSed, a project that maintains an archive of XSS flaws and raises awareness about this type of Web vulnerability, notes that Twitter's security team promptly addressed the bug. However, he suggests the vulnerability might have been used in an earlier attack that made a rogue status reading "Hacked By Turkish Hackers" appear on almost one thousand Twitter profiles.
Attack Source Geography: Turkey
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Twitter
Reference: http://news.softpedia.com/news/Twitter-XSS-Vulnerability-Possibly-Exploited-by-Turkish-Hackers-145594.shtml

WHID 2010-138: Personal data accessed on Blue Cross website

Thu, 24 Jun 2010 18:57:42 -0400

Entry Title: WHID 2010-138: Personal data accessed on Blue Cross website
WHID ID: 2010-138
Date Occured: June 23, 2010
Outcome: Leakage of Information
Incident Description: In a written statement, Anthem Blue Cross explained how the breach occurred:
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
Attack Source Geography:
Attacked Entity Field: Health
Attacked Entity Geography:
Reference: http://www.ocregister.com/articles/information-254735-security-anthem.html

WHID 2010-137: Persistent XSS on Twitter.com

Thu, 24 Jun 2010 13:07:41 -0400

Entry Title: WHID 2010-137: Persistent XSS on Twitter.com
WHID ID: 2010-137
Date Occured: June 24, 2010
Outcome: Defacement
Incident Description: Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability on Twitter he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes, then your browser is manipulated, finally you enter the matrix (see below), and get messages from the researcher who found the vulnerability.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Twitter
Reference: http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/

WHID 2010-136: Hotel account hacked, card info stolen

Thu, 24 Jun 2010 13:03:00 -0400

Entry Title: WHID 2010-136: Hotel account hacked, card info stolen
WHID ID: 2010-136
Date Occured: June 23, 2010
Outcome: Credit Card Leakage
Incident Description: Dozens of Driskill Hotel customers' credit card information has been stolen. Hackers in Europe were able to break into the hotel's parent company's website and steal the information. There are more than 700 victims nationwide.
Attack Source Geography:
Attacked Entity Field: Hospitality
Attacked Entity Geography: Austin, TX
Reference: http://www.kxan.com/dpp/news/hotel-account-hacked,-card-info-stolen

WHID 2010-135: Another round of Asprox SQL injection attacks

Thu, 24 Jun 2010 13:00:14 -0400

Entry Title: WHID 2010-135: Another round of Asprox SQL injection attacks
WHID ID: 2010-135
Date Occured: June 23, 2010
Outcome: Planting of Malware
Incident Description: Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp

WHID 2010-134: Major hack of Israeli Twitter accounts

Tue, 22 Jun 2010 23:49:57 -0400

Entry Title: WHID 2010-134: Major hack of Israeli Twitter accounts
WHID ID: 2010-134
Date Occured: June 22, 2010
Outcome: Defacement
Incident Description: According to Mikko Hyponnen, chief research officer with F-Secure, more than 1000 accounts on the microblogging social networking service were hacked within the space of 12 hours, each of them broadcasting the message: "Hacked by Turkish Hackers."
In a security blog posting made last night, Hyponnen said that, although the exploit mechanism is unclear, most of the compromised accounts "seem to seem to belong to Israeli Twitter users."
Attack Source Geography: Turkey
Attacked Entity Field: Web 2.0
Attacked Entity Geography: Israel
Attacked System Technology: Twitter
Reference: http://www.infosecurity-magazine.com/view/10426/major-hack-of-israeli-twitter-accounts-/

WHID 2010-133: Druknet websites hacked

Mon, 21 Jun 2010 20:19:03 -0400

Entry Title: WHID 2010-133: Druknet websites hacked
WHID ID: 2010-133
Date Occured: June 19, 2010
Outcome: Defacement
Incident Description: Local internet service provider (ISP) Druknet is currently recovering, after 50 of its websites were hacked early yesterday.
Users trying to access certain websites hosted by the ISP were greeted with a blank home page and a message that said the website had been hacked.
Although some of the hacked websites were back online by afternoon, many websites were still down as of last night. Druknet’s web server, on which the websites are stored, was also taken offline periodically throughout yesterday.
The hacker or hackers had exploited websites designed, using free open sourced content management systems (CMS), like Word Press, according to Druknet.
Attack Source Geography:
Attacked Entity Field: Hosting Providers
Attacked Entity Geography: Bhutan
Attacked System Technology: WordPress
Reference: http://www.kuenselonline.com/modules.php?name=News&file=article&sid=15822

WHID 2010-132: Another Opposition Website Shut Down by Hackers

Mon, 21 Jun 2010 20:04:56 -0400

Entry Title: WHID 2010-132: Another Opposition Website Shut Down by Hackers
WHID ID: 2010-132
Date Occured: June 19, 2010
Outcome: Downtime
Incident Description: The popular Burmese Web site photayokeking.org, edited by a Burmese army deserter, was recently attacked, leaving it inaccessible and out of operation.
According to one of the editors, who goes by the name Photayoke, the Web site came under major attacks on May 27 and June 11, following three smaller attacks.
On June 11, the server provider sent an email to the Web site's owners stating that a major distributed denial-of-service attack (DDoS) had been focused on their data center.
Attack Source Geography: Burma
Attacked Entity Field: News
Attacked Entity Geography: Burma
Reference: http://www.irrawaddy.org/article.php?art_id=18759

WHID 2010-131: DoS attack stuffs Turkey's internet censors

Fri, 18 Jun 2010 16:20:55 -0400

Entry Title: WHID 2010-131: DoS attack stuffs Turkey's internet censors
WHID ID: 2010-131
Date Occured: June 18, 2010
Outcome: Downtime
Incident Description: Access to the internet in Turkey is becoming increasingly ragged, as growing state censorship collides with retaliation by anti-censorship hackers, leading to difficulties both in viewing sites and applying key online functions.
Since early this morning the websites of the Ministry of Transportation, the Information and Communication Technologies Authority and the Telecommunications Communication Presidency have been inaccessible. These three state bodies are responsible for internet censorship and have been the principal actors behind attempts to block access to YouTube and Google-related services in Turkey.
A number of theories abound, with favourites the state authorities’ websites have either been hacked or subject to a serious denial of service attack by hackers unhappy at the censorship.
Writing for the CyberLaw UK Blog, Dr Yaman Akdeniz, Associate Professor at the Faculty of Law, Istanbul Bilgi University, now writes that it has been confirmed as a denial of service attack coordinated by a group of hackers to protest against internet censorship in Turkey, and that the attack lasted 10 hours.
Attack Source Geography: Turkey
Attacked Entity Field: Government
Attacked Entity Geography: Turkey
Reference: http://www.theregister.co.uk/2010/06/18/turkey_dos_attack/

WHID 2010-130: Google Trends Hacked With Racial Slur (Again!)

Thu, 17 Jun 2010 18:07:43 -0400

Entry Title: WHID 2010-130: Google Trends Hacked With Racial Slur (Again!)
WHID ID: 2010-130
Date Occured: June 17, 2010
Outcome: Disinformation
Incident Description: Google Trends is a powerful tool that many media companies (us included) rely upon for a sense of what new topics people are searching for at any given time -- at least, when it's not getting hacked with racial slurs, which is exactly what happened early this morning.
At around 9 a.m. Eastern, instead of the normal list of the hottest new search terms of the hour, visitors to the Google Trends website were greeted with the phrase "lol n------".
Attack Source Geography:
Attacked Entity Field: Search Engine
Attacked Entity Geography: San Jose, California
Attacked System Technology: Google
Reference: http://www.politicsdaily.com/2010/06/17/google-trends-hacked-with-racial-slur-again/

WHID 2010-129: Hackers Seize Top Tory’s Facebook, Blog & Twitter Accounts

Thu, 17 Jun 2010 17:26:28 -0400

Entry Title: WHID 2010-129: Hackers Seize Top Tory’s Facebook, Blog & Twitter Accounts
WHID ID: 2010-129
Date Occured: June 17, 2010
Outcome: Disinformation
Incident Description: hackers have stolen the account details of Therese Coffey, Tory candidate for Suffolk Coastal (UK Parliament constituency), London Spin can exclusively reveal. The attackers bombarded social media users with sexually explicit messages and comments after gaining access to her Blog, Facebook and Twitter account details.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: London, England
Reference: http://www.londonspinonline.com/2010/06/exclusive-hackers-seize-top-torys.html

WHID 2010-128: Microsoft Sues Alleged Spammer For Circumventing Filters

Thu, 17 Jun 2010 17:22:41 -0400

Entry Title: WHID 2010-128: Microsoft Sues Alleged Spammer For Circumventing Filters
WHID ID: 2010-128
Date Occured: June 16, 2010
Outcome: Spam
Incident Description: Microsoft has sued Connecticut resident Boris Mizhen for allegedly gaming Hotmail's spam filters and sending unwanted emails to consumers. Mizhen, who previously settled a separate spam lawsuit brought by Microsoft, allegedly got around the company's anti-spam system by creating millions of new email accounts and then arranging for those accounts to classify his messages as "not spam," according to the lawsuit.
"Defendants developed and executed an elaborate scheme to circumvent Microsoft's Hotmail spam filters to disseminate a large quantity of spam email advertisements to Microsoft's Hotmail users," the company alleges in its complaint, filed last week in federal district court in Seattle.
The complaint details how Mizhen and his affiliates allegedly manipulated the statistics that Microsoft's anti-spam system relies on by creating millions of new email accounts and then moving up to 200,000 of their own messages a day from "junk" files into inboxes.
Attack Source Geography: Connecticut, USA
Attacked Entity Field: Information Services
Attacked Entity Geography: Washington, USA
Attacked System Technology: Hotmail
Reference: http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=130320

WHID 2010-127: Israeli hacker hits IHH website

Thu, 17 Jun 2010 17:14:20 -0400

Entry Title: WHID 2010-127: Israeli hacker hits IHH website
WHID ID: 2010-127
Date Occured: June 17, 2010
Outcome: Monetary Loss
Incident Description: An Israeli hacker managed to break into the website of Turkish IHH group, which organized the Gaza flotilla, disabling the organization's fundraising mechanism for a few hours.

The 30-year-old hacker from Holon, who wished to remain anonymous, said he was concerned with Israel's poor PR efforts and decided to make a contribution of his own.

"The real war today is online. I spent an entire week exploring the site, a few hours each night, until I succeeded," he said.

The hacker added that he was surprised to learn that IHH received some 9,000 euros in donations every hour via the website. The group is planning to send a second flotilla to Gaza next month.
Attack Source Geography: Israel
Attacked Entity Field: Politics
Attacked Entity Geography: Turkey
Reference: http://www.ynetnews.com/articles/0,7340,L-3906872,00.html

WHID 2010-126: Website breached by hacker through SQL injection - exposing personal information of customers

Thu, 17 Jun 2010 14:21:05 -0400

Entry Title: WHID 2010-126: Website breached by hacker through SQL injection - exposing personal information of customers
WHID ID: 2010-126
Date Occured: March 24, 2010
Outcome: Credit Card Leakage
Incident Description: New Hampshire breach notification: HBDirect.com - Website hacked through SQL injection - exposing credit cards of customers from December 1, 2009 to February 10, 2010. 19 NH residents affected.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: New Hampshire, USA
Reference: http://datalossdb.org/primary_sources/2548

WHID 2010-125: Eastern European banks under attack by next-gen crime app

Wed, 16 Jun 2010 22:20:31 -0400

Entry Title: WHID 2010-125: Eastern European banks under attack by next-gen crime app
WHID ID: 2010-125
Date Occured: June 16, 2010
Outcome: Monetary Loss
Incident Description: Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack.
The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks' Counter Threat Unit.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Russia
Reference: http://www.theregister.co.uk/2010/06/16/blackenergy2_ddos_attacks/

WHID 2010-124: Riyad Bank Website Gets Hacked

Wed, 16 Jun 2010 22:08:03 -0400

Entry Title: WHID 2010-124: Riyad Bank Website Gets Hacked
WHID ID: 2010-124
Date Occured: June 14, 2010
Outcome: Defacement
Incident Description: Saudi bank Riyad Bank has been hacked by a group of hackers who posted a message demanding to end the service of the Mayor of Al Madina province in Saudi Arabia. Al Madina is the second holiest city in Islam, and the burial place of the Prophet Muhammad peace be upon him and it is the capital of the first Islamic state established by the Prophet and his companions after early Muslims migrated from oppression imposed by their people in Mecca around 1400 years ago.
The hacker/s only managed to hack the homepage of the site as the internal pages seems intact, the hackers displayed a message on the bank’s homepage apologizing to the bank and saying “we are hacking you to deliver a message to the king of Saudi Arabia.” They asked him to fire the Mayer.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Saudi Arabia
Reference: http://arabcrunch.com/2010/06/riyad-bank-website-gets-hacked.html

WHID 2010-123: Botnet hijacks web servers for DDoS campaign

Tue, 15 Jun 2010 20:30:26 -0400

Entry Title: WHID 2010-123: Botnet hijacks web servers for DDoS campaign
WHID ID: 2010-123
Date Occured: May 13, 2010
Outcome: Botnet Participation
Incident Description: Researchers at Imperva have discovered an 'experimental' botnet that uses around 300 hijacked web servers to launch high-bandwidth DDoS attacks.
The servers are all believed to be open to an unspecified security vulnerability that allows the attacker, who calls him or herself 'Exeman', to infect them with a tiny, 40-line PHP script. This includes a simple GUI from which the attacker can return at a later date to enter in the IP, port and duration numbers for the attack that is to be launched.
Attack Source Geography:
Attacked Entity Field: Service Providers
Attacked Entity Geography: Netherlands
Reference: http://www.computerworld.com.au/article/346342/botnet_hijacks_web_servers_ddos_campaign/

WHID 2010-122: Attack of WordPress Blogs on Rackspace

Tue, 15 Jun 2010 20:06:30 -0400

Entry Title: WHID 2010-122: Attack of WordPress Blogs on Rackspace
WHID ID: 2010-122
Date Occured: June 15, 2010
Outcome: Planting of Malware
Incident Description: If you follow our blog, you probably noticed that these last few months have been specially hard for hosting companies. Lots of them got hacked, bringing down thousands of sites with them. Now we are hearing reports of a mass hack of WordPress blogs hosted on Rackspace.
What is going on?
The attackers were able to get access to Rackspace databases and infect the sites through there. They created a new admin user on many Worpress sites, giving them full access to the WordPress admin panel.
With that access they were able to inject malware, and as we saw before they used that to inject SEO spam to the sites.
One of the posts in that thread also suggests that the attack vector is a vulnerable version (2.11.3) of phpMyAdmin used by RackSpace Cloud. If this is true, hackers must have targeted an XSRF attack at one of RackSpace admins with mySql root permissions to gain access to the whole database (probably created one more admin user). At this point, RackSpace has upgraded their phpMyAdmin nodes. Hope, they also found any changes in the database done by those hackers.
Attack Source Geography:
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Reference: http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html

WHID 2010-121: Second round of GoDaddy sites hacked

Tue, 15 Jun 2010 19:45:27 -0400

Entry Title: WHID 2010-121: Second round of GoDaddy sites hacked
WHID ID: 2010-121
Date Occured: May 1, 2010
Outcome: Planting of Malware
Incident Description: It seems that a second round of attacks are happening today at GoDaddy and infecting all kind of sites (Joomla, Wordress,etc). Looking at the modification dates on the files, they all happened May 1st (today) during the morning from 1 to 3/4 am.
All of them had the following javascript added to their pages:
script src= http://kdjkfjskdfjlskdjf.com/kp.php
Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.
Attack Source Geography:
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Attacked System Technology: WordPress
Reference: http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html

WHID 2010-120: Colombian government sites hacked (and spreading malware)

Tue, 15 Jun 2010 17:57:55 -0400

Entry Title: WHID 2010-120: Colombian government sites hacked (and spreading malware)
WHID ID: 2010-120
Date Occured: June 2011
Outcome: Planting of Malware
Incident Description: You would expect that a security-related web site would be secure, no? What about an official web site from a Government? Should that be safe? What about a government web site about security? Shouldn’t that be ultra super secure? (yes, I am joking )
That’s not always the case… At Sucuri Security we have two main goals: Monitor your visible Internet presence (via DNS, site content changes, whois, blacklisting status, etc), and to also monitor what is not visible (or easily accessible). So we run multiple honey pots, we monitor IRC chats used by botnets and attackers, multiple forums, etc. All with the goal to protect our clients and notify them if we see any issue in the “underground”.
With this work, we get to see a lot of sites being exploited and attacked. Most of them are small sites, but sometimes we see big companies, .govs and many .edus in there.
One of those government web sites are from Colombia. And they are not a normal .gov site, they are about security and about cyber crimes.
They have two web sites that are currently hacked: http://www.delitosinformaticos.gov.co (related to solving cyber crimes) and
http://www.frentesdeseguridad.gov.co (related to security in general). We tried to contact them and got no replies. We would wait a little more to publish it, but since clem1 mentioned them on our post about Georgia government sites hacked, I think it is time to use full-disclosure to get them fixed.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Colombia
Reference: http://blog.sucuri.net/2010/02/colombia-government-sites-hacked-and-spreading-malware.html

WHID 2010-119: Georgia government sites hacked (and spreading malware)

Tue, 15 Jun 2010 17:53:37 -0400

Entry Title: WHID 2010-119: Georgia government sites hacked (and spreading malware)
WHID ID: 2010-119
Date Occured: February 15, 2010
Outcome: Planting of Malware
Incident Description: *UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect.
You know, you would think that after all the attacks that Georgia suffered in 2008 they would be more careful about the security of their sites.
Well, not really. Even after I sent a bunch of emails to all their addresses that I could find and requested on twitter for contacts in the .ge government, nobody replied and they are still hacked, spreading malware and attacking other systems.
It doesn’t look like it is being caused by the Russians or anything like that. And the attackers this time didn’t defaced their web page. They just added some malware and scripts to attack others.
How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: imereti, GE
Reference: http://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and-spreading-malware.html

WHID 2010-118: Two Korean govt. websites attacked by hackers

Mon, 14 Jun 2010 13:33:34 -0400

Entry Title: WHID 2010-118: Two Korean govt. websites attacked by hackers
WHID ID: 2010-118
Date Occured: June 12, 2010
Incident Description: Two South Korean government Web sites were attacked again Saturday by hackers traced to China, but there was no major damage, the home ministry said.
The sites of the Ministry of Justice and the Korea Culture and Information Service were hit by a massive number of access attempts in what is knowns as distributed denial-of-service (DDoS) attacks from 247 China-based Internet servers, according to the Ministry of Public Administration and Security.
Attack Source Geography: China
Attacked Entity Field: Government
Attacked Entity Geography: South Korea
Reference: http://english.yonhapnews.co.kr/techscience/2010/06/12/73/0601000000AEN20100612002100315F.HTML

WHID 2010-117: Turkish Hacker Hijacks .CO.IL MSN and Hotmail Domains

Fri, 11 Jun 2010 20:33:01 -0400

Entry Title: WHID 2010-117: Turkish Hacker Hijacks .CO.IL MSN and Hotmail Domains
WHID ID: 2010-117
Date Occured: June 10, 2010
Outcome: Defacement
Incident Description: A Turkish hacker has managed to hijack msn.co.il and hotmail.co.il, two domains belonging to Microsoft, and use them to post a pro-Palestinian message. The name servers and administrative email address for the domains have been changed.
Users who accessed hotmail.co.il and msn.co.il earlier today were greeted by a page displaying the image of a child wearing the Palestinian flag as a cape and a message reading, "Free Palestine. Hi to greatest [expletive] of the world (i mean all the Jews). u think one day u will own all the world eh? Lol that makes me laugh. that makes all the world laugh. u are just insects. make muslims angrier and just sit and watch what will happen to you." The attacker signs the messsage as TurkGuvenligi Tayfa ("from Turkey with love") and sends greetings to Pakbugs, a notorious group of hackers and defacers.
It appears that the two Microsoft domains, which normally redirect users to login.live.com and il.msn.com, respectively, had their name server information altered. The new ns1.dollar2host.com and ns2.dollar2host.com name servers, which belong to a private Web hosting company, replaced the usual ns1.msft.net and ns2.msft.net that Microsoft used for its domains.
Attack Source Geography: Turkey
Attacked Entity Field: Information Services
Attacked Entity Geography:
Reference: http://news.softpedia.com/news/Turkish-Hacker-Hijacks-CO-IL-MSN-and-Hotmail-Domains-144299.shtml

WHID 2010-116: Hackers: Data Breach Exposed iPad Owners' Personal Info

Fri, 11 Jun 2010 20:21:47 -0400

Entry Title: WHID 2010-116: Hackers: Data Breach Exposed iPad Owners' Personal Info
WHID ID: 2010-116
Date Occured: June 9, 2010
Outcome: Leakage of Information
Incident Description: A security flaw in AT&T's network exposed the e-mail addresses of more than 100,000 owners of Apple's 3G iPad, according to a report published by Gawker today.
Calling it the "most exclusive e-mail list on the planet," Gawker said the list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics.
The security hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks, Gawker reported. Still, the group previously has uncovered flaws in browsers Firefox and Safari, Gawker said.
When contacted by ABCNews.com, a man who asked to be named as a Goatse employee confirmed Gawker's report.
"It's absolutely real," he said, adding that the group gave the Gawker reporter their data set and he was able to verify the information.
The employee said someone in his organization learned that when given an iPad owners' unique identification number, a program on AT&T's website would return the e-mail address connected to that account.
Once the hole was uncovered, he said, the group was able to write a script that would automatically predict ID numbers and return the associated e-mail addresses.
In about six hours, he said, the group was able to scrape information for about 114,000 iPad 3G owners, but he did not say how many iPad owners could have been affected in total.
Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Reference: http://abcnews.go.com/print?id=10871229

WHID 2010-115: Mass hack plants malware on thousands of webpages

Fri, 11 Jun 2010 19:31:21 -0400

Entry Title: WHID 2010-115: Mass hack plants malware on thousands of webpages
WHID ID: 2010-115
Date Occured: June 9, 2010
Outcome: Planting of Malware
Incident Description: More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines.
The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft's Internet Information Services using ASP.net, said David Dede, head of malware research at Sucuri, a website monitoring firm. The sites were infected using SQL injection exploits, which allow attackers to tamper with a server's database by typing commands into search boxes and other user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious javascript on that site attempted to infect end users with malware dubbed Mal/Behav-290 according to anti-virus firm Sophos.
Attack Source Geography: China
Attacked Entity Geography: USA
Reference: http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/

WHID 2010-114: Seven held in Andhra for hacking passport software

Fri, 04 Jun 2010 16:39:50 -0400

Entry Title: WHID 2010-114: Seven held in Andhra for hacking passport software
WHID ID: 2010-114
Date Occured: June 4, 2010
Outcome: Extortion
Incident Description: Seven people were arrested in Andhra Pradesh for hacking the online passport application software of the Hyderabad regional passport office, police said Friday.
Police Commissioner A.K. Khan told reporters that seven people, among them five passport agents, were arrested and a search was on for two other agents involved in the racket.
The passport office releases online slots for confirmed dates of appointments to the applicants for obtaining passports under 'Tatkal' scheme through its website www.passport.gov.in.
Every day these slots were visible to the users only for a few minutes till the slots released by the passport authorities were exhausted.
The accused hacked the website, blocked the online slots and were selling the same to the applicants for huge sums, police said.
Attack Source Geography: India
Attacked Entity Field: Government
Attacked Entity Geography: India
Reference: http://sify.com/news/seven-held-in-andhra-for-hacking-passport-software-news-national-kger4bcghcf.html

WHID 2010-113: Facebook plugs email address indexing bug

Fri, 04 Jun 2010 16:32:19 -0400

Entry Title: WHID 2010-113: Facebook plugs email address indexing bug
WHID ID: 2010-113
Date Occured: June 4, 2010
Outcome: Leakage of Information
Incident Description: Incident-prone social network monolith Facebook has plugged yet another security leak, this time involving the indexing by search engines of email addresses not listed on Facebook. Thousands of email addresses submitted using Facebook's "Find a friend" feature that were not tied to a Facebook account wound up getting indexed by Google, according to Blogger Cory Watilo, who was among those affected.
"One obvious problem is that spammers can easily scrape this data and add easily legitimate address to their lists, many of whom might not give their addresses to Facebook for a reason," Watilo writes. The issue sparked a lively discussion thread on Hacker News. Facebook changed its robot.txt file to prevent the search engine from indexing the relevant "opt out of emails from Facebook" page so that email address data can no longer be harvested by spammers or other miscreants.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.theregister.co.uk/2010/06/04/facebook_email_indexing_snafu/

WHID 2010-112: Turkish Cyber Hackers Strike at Israel

Thu, 03 Jun 2010 16:00:05 -0400

Entry Title: WHID 2010-112: Turkish Cyber Hackers Strike at Israel
WHID ID: 2010-112
Date Occured: June 2, 2010
Outcome: Defacement
Incident Description: The unofficial Likudnik website was targeted by angry Turkish hackers who were apparently less than pleased with the IDF Navy commando operation which prevented the terrorists on board from breaking the Gaza embargo on Hamas-controlled Gaza.
Attack Source Geography: Turkey
Attacked Entity Field: Government
Attacked Entity Geography: Israel
Reference: http://www.theyeshivaworld.com/news/Israeli+News/60651/Turkish-Cyber-Hackers-Strike-at-Israel.html

WHID 2010-111: Thieves steal virtual furniture from unsuspecting Hotel Habbo players

Thu, 03 Jun 2010 15:44:13 -0400

Entry Title: WHID 2010-111: Thieves steal virtual furniture from unsuspecting Hotel Habbo players
WHID ID: 2010-111
Date Occured: June 2, 2010
Outcome: Monetary Loss
Incident Description: Finnish police are searching for thieves who stole 1,000 Euros (about $1,200 U.S.) worth of virtual furniture and other items from the virtual world Habbo Hotel. The thieves allegedly used phishing scams to the capture usernames and passwords from Habbo Hotel users, who contacted Finnish police after they noticed that their virtual goods missing.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: Finland
Reference: http://www.gamezebo.com/news/2010/06/02/thieves-steal-virtual-furniture-unsuspecting-hotel-habbo-players

WHID 2010-110: Local restaurant's computer hacked, customers' card numbers stolen

Thu, 17 Jun 2010 14:24:50 -0400

Entry Title: WHID 2010-110: Local restaurant's computer hacked, customers' card numbers stolen
WHID ID: 2010-110
Date Occured: May 22, 2010
Outcome: Credit Card Leakage
Incident Description: The computer system at a local Mexican restaurant was hacked, and investigators believe thieves made off with the credit card numbers of hundreds of customers. "They know that it was a breach, and they know that the breach came from Russia, that's for sure," explained Blanca Aldaco. "So, we are working with our I.T. guy. They're definitely looking into. Hopefully, they can figure out what the IP address is."
The U.S. Secret Service and the San Antonio Police Department's Fraud Unit is also investigating. Neither would comment, but News 4 WOAI learned they are trying to track down the overseas hacker. The restaurant's owner said they have now changed the way they do business. "We are no longer on the internet when it comes to credit card authorizations," Blanca Aldaco told News 4 WOAI.
Attack Source Geography: Russia
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Reference: http://www.woai.com/news/local/story/Local-restaurants-computer-hacked-customers-card/NSwj0Mpf5keeSXLOfsGvCw.cspx

WHID 2010-109: Viral clickjacking 'Like' worm hits Facebook users

Tue, 01 Jun 2010 16:07:36 -0400

Entry Title: WHID 2010-109: Viral clickjacking 'Like' worm hits Facebook users
WHID ID: 2010-109
Date Occured: May 31, 2010
Outcome: Worm
Incident Description: Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/

WHID 2010-108: Cyber Thieves Rob Treasury Credit Union

Fri, 28 May 2010 13:23:43 -0400

Entry Title: WHID 2010-108: Cyber Thieves Rob Treasury Credit Union
WHID ID: 2010-108
Date Occured: May 20, 2010
Outcome: Monetary Loss
Incident Description: Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.
According to Melgar, the perpetrators who set up the bogus transactions had previously stolen a bank employee’s online login credentials after infecting the employee’s Microsoft Windows computer with a Trojan horse program. Melgar said investigators have not yet determined which particular strain of malware had infected the PC, adding that the bank’s installation of Symantec’s Norton Antivirus failed to detect the infection prior to the unauthorized transfers.
Attack Source Geography: Ukraine
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://krebsonsecurity.com/2010/05/cyber-thieves-rob-treasury-credit-union/

WHID 2010-107: Hackers Take Over BP Twitter Feed

Thu, 27 May 2010 17:58:19 -0400

Entry Title: WHID 2010-107: Hackers Take Over BP Twitter Feed
WHID ID: 2010-107
Date Occured: May 27, 2010
Outcome: Disinformation
Incident Description: BP's Twitter account looked to have fallen victim to hackers early Thursday, with a post referencing a fictional character from a popular fake BP microblog page.
Followers to the genuine account were told: "Terry is now in charge of operation Top Kill, work will recommence after we find a XXL wetsuit. #bpcares #oilspill."
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Twitter
Reference: http://www.foxnews.com/scitech/2010/05/27/hackers-bp-twitter-feed/

WHID 2010-106: AMC website vulnerable to hackers

Thu, 27 May 2010 13:58:49 -0400

Entry Title: WHID 2010-106: AMC website vulnerable to hackers
WHID ID: 2010-106
Date Occured: May 27, 2010
Outcome: Leakage of Information
Incident Description: With a weak network security, the website http:// www.egovamc.com. has several chinks in its armour and is a ready invitation for hackers. The issue has been brought to notice of senior AMC officials and only recently they effected a few cosmetic security patch-ups for their website.
“We have reported the bugs in the website and problems with database management system and coding. We had earlier told the systems department of the AMC about a system that can be exploited with username and password as simple ‘0’. The vulnerability has been fixed by now but there are bigger challenges,” said Sunny Vaghela, a city-based cyber crime expert.
He said that if the website is vulnerable , it means that the hacker can get access to the control panel of the site, look into the contents such as tendering details, property tax details , building plans and allocation of funds, access to which is restricted to only senior-level civic officials.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: India
Reference: http://timesofindia.indiatimes.com/articleshow/5979202.cms

WHID 2010-105: Poll removed due to widespread ballot stuffing and hacking

Wed, 26 May 2010 13:10:41 -0400

Entry Title: WHID 2010-105: Poll removed due to widespread ballot stuffing and hacking
WHID ID: 2010-105
Date Occured: May 25, 2010
Outcome: Fraud
Incident Description: Dear users, yesterday we began a poll about the controversial immigration bill SB 1070 asking users what was their sentiment on the bill. It spread virally and was shared on facebook over 500 times and viewed over 10,000 times.
Unfortunately all the of attention has made it the target of some unscrupulous individuals. Around 3:00pm Tuesday afternoon we noticed that an individual was voting in the poll once every 10 seconds, and did this activity for nearly 2 hours.
Upon checking the logs we realized there were multiple users engaging in this sort of behavior from multiple vectors forcing us to remove the poll entirely. In terms of a long term solution, it seems inevitable that we will adopt a system that requires a KVOA.com user account in order to vote in a poll, but that modification cannot be patched in on the fly and would require a few days work.
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: USA
Reference: http://www.kvoa.com/news/poll-removed-due-to-widespread-ballot-stuffing-and-hacking/

WHID 2010-104: Code Security: MidAmerican Energy's top priority after SQL injection attacks

Tue, 25 May 2010 21:09:22 -0400

Entry Title: WHID 2010-104: Code Security: MidAmerican Energy's top priority after SQL injection attacks
WHID ID: 2010-104
Date Occured: May 21, 2010
Outcome: Leakage of Information
Incident Description: "Last May we had an incident where one of our web pages was exploited through an SQL injection flaw," Kerber said. "It was a wake-up call that we had vulnerabilities people could find out about."
Attack Source Geography:
Attacked Entity Field: Energy
Attacked Entity Geography: USA
Reference: http://www.csoonline.com/article/594613/Code_Security_MidAmerican_Energy_s_top_priority_after_SQL_injection_attacks

WHID 2010-103: SEO SPAM network - Details of the wp-includes infection

Tue, 25 May 2010 17:18:46 -0400

Entry Title: WHID 2010-103: SEO SPAM network - Details of the wp-includes infection
WHID ID: 2010-103
Date Occured: May 25, 2010
Outcome: Link Spam
Incident Description: We have been digging lately in a large SEO SPAM network which is using thousands of compromised sites to increase their page rankings and spread malware. They are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on Wordpress web sites
Attack method
All the sites infected are using the latest Wordpress version and had a PHP script injected inside their wp-includes directory. The script name is random and it does two things:
1-For a search engine, it shows a bunch of keywords (cialis, viagra, movie downloads, etc)
2-For a normal user coming from Google, they are redirected to a web site with malware or to another site for more spam.
Attack Source Geography:
Attacked Entity Field: Education
Attacked Entity Geography: USA
Attacked System Technology: WordPress
Reference: http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html

WHID 2010-102: Denver's website hacked twice in one week

Tue, 25 May 2010 17:10:11 -0400

Entry Title: WHID 2010-102: Denver's website hacked twice in one week
WHID ID: 2010-102
Date Occured: May 25, 2010
Outcome: Defacement
Incident Description: The city and county of Denver website was pulled down Monday night after it was hacked, the second such attack in a week.
Eric Brown, a spokesman for the mayor's office, said he didn't know what time the site was breached and when it might be restored.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.denverpost.com/news/ci_15155519

WHID 2010-94: Hacker steals 22,000 e-mail address, demands Astley tune

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-94: Hacker steals 22,000 e-mail address, demands Astley tune
WHID ID: 2010-94
Date Occured: May 19, 2010
Outcome: Leakage of Information
Incident Description: Dutch hacker Darkc0ke hijacked a radio station database containing 22,000 e-mail addresses and threatened to publish them unless the station play Rick Astley's "Never Gonna Give You Up," a variation of an Internet meme known as "rickrolling."
"It was a joke," Darkc0ke said via e-mail. "They didn't play the song. Why can't they do someone a favor, just for once?" Darkc0ke said he cracked the database using a basic SQL injection to exploit a security vulnerability. The hacker is known for breaking into databases. Last year, he stole a database containing 46,000 e-mail addresses from the Dutch magazine Autoweek.
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: Netherlands
Reference: http://news.idg.no/cw/art.cfm?id=B143BFED-1A64-6A71-CE6E57CCCFC37786

WHID 2010-98: Man charged with attacking O'Reilly, Coulter websites

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-98: Man charged with attacking O'Reilly, Coulter websites
WHID ID: 2010-98
Date Occured: May 19, 2010
Outcome: Downtime
Incident Description: A former college student has been charged with using the school's computer network to control a botnet and launch distributed denial-of-service (DDoS) attacks against conservative websites belonging to Bill O'Reilly, Ann Coulter and Rudy Giuliani.
Attack Source Geography: USA
Attacked Entity Field: Media
Attacked Entity Geography: USA
Reference: http://www.scmagazineus.com/man-charged-with-attacking-oreilly-coulter-websites/article/170524/

WHID 2010-99: Got an iTunes account? That's music to a cyber fraudster's ears

Mon, 24 May 2010 14:30:16 -0400

Entry Title: WHID 2010-99: Got an iTunes account? That's music to a cyber fraudster's ears
WHID ID: 2010-99
Date Occured: May 22, 2010
Outcome: Session Hijacking
Incident Description: Up to 125million people worldwide have accounts set up on the site.
But computer security experts say hackers are easily hijacking accounts by pretending they are a customer who has forgotten their password.
As with many websites, iTunes tells users to select a socalled 'security question' from a list of options when they first set up their account.
These are fairly basic and include 'what is your mother's maiden name?' and 'where did you spend your honeymoon?'.
Customers who have forgotten their passwords are prompted with the question they first selected when they set up their profile - as long as they give the correct answer, they can access the account.
Security analysts claim this is leaving the website wide open to fraud.
Hackers simply pretend they are a customer who has forgotten their password and can easily work out the answer to the personal question using information that users have posted on social-networking websites such as Facebook and Twitter.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Reference: http://www.dailymail.co.uk/news/article-1280354/Got-iTunes-account-Thats-music-cyber-fraudsters-ears.html

WHID 2010-97: Microsoft files two lawsuits for "click laundering"

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-97: Microsoft files two lawsuits for "click laundering"
WHID ID: 2010-97
Date Occured: May 20, 2010
Outcome: Fraud
Incident Description: Microsoft this week filed two lawsuits in federal court in Seattle against alleged perpetrators of a new, technologically advanced form of online advertising click fraud being dubbed "click laundering."
According to Microsoft, click fraud is an online advertising scam that occurs when a person or computer program imitates a legitimate user and clicks on an online ad for the purpose of generating a fraudulent “charge-per-click,” without having any interest in the ad.
Click laundering, meanwhile, is a more advanced form of click fraud designed to outwit fraud detection systems by hiding the origin of fake clicks.
Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Reference: http://www.scmagazineus.com/microsoft-files-two-lawsuits-for-click-laundering/article/170621/

WHID 2010-95: Fraud Bazaar Carders.cc Hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-95: Fraud Bazaar Carders.cc Hacked
WHID ID: 2010-95
Date Occured: May 18, 2010
Outcome: Leakage of Information
Incident Description: Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.
Attack Source Geography:
Attacked Entity Field: Hacking
Attacked Entity Geography: Germany
Reference: http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/

WHID 2010-100: Chinaz.com compromised

Tue, 25 May 2010 16:33:04 -0400

Entry Title: WHID 2010-100: Chinaz.com compromised
WHID ID: 2010-100
Date Occured: May 25, 2010
Outcome: Planting of Malware
Incident Description: Websense Security Labs™ ThreatSeeker™ Network has discovered that the speed testing site of chinaz.com has been compromised.
This payload contains two parts: ap.js, and the obfuscation code in the script tag. When combined, we get the entire exploit code. After analyzing this, we noticed that it is used to target the IE vulnerability (MS10-018), which downloads an executable file named dn.exe. This has a good detection rate by most AV vendors; however dn.exe will download and execute remote files and send local information to a remote server. The process disguises itself as an AV component while at the same time suspending the AV software. At present, a bug in the malicious code fails to get the MAC address correctly and as of this alert the site is still infected.
Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography: China
Reference: http://community.websense.com/blogs/securitylabs/archive/2010/05/25/chinaz-com-compromised.aspx

WHID 2010-101: 37 million passwords stolen on the site of Skyrock?

Tue, 25 May 2010 16:50:25 -0400

Entry Title: WHID 2010-101: 37 million passwords stolen on the site of Skyrock?
WHID ID: 2010-101
Date Occured: May 21, 2010
Outcome: Leakage of Information
Incident Description: A hacker broke the huge database site which had registered 36.7 million Internet users, raising fears of massive consequences. The Site Skyrock has sent a message to its internet users the message of the team to its Internet Skyrock
According Zataz, the hacker would be introduced through a security hole in the platform Waka , launched last week in partnership with the government . This ” backdoor “, which allowed anyone to edit the content of pages, had been quickly corrected.
For its part, Skyrock believes that “at this stage, we cannot determine whether the application Waka was concerned.”
Still, the hacker could have access to the huge database Skyrock.com, claiming “36.7 million active members in February 25. However, the head of security at the site revealed Monde.fr than Skyrock, passwords are stored in “plain” , that is to say they are not encrypted and protected.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: France
Reference: http://whitehatfirm.com/news/37-million-passwords-stolen-on-the-site-of-skyrock/2629.html

WHID 2010-96: Facebook scrambles to close CSRF hole exposing private data

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-96: Facebook scrambles to close CSRF hole exposing private data
WHID ID: 2010-96
Date Occured: May 19, 2010
Outcome: Leakage of Information
Incident Description: Facebook engineers are finishing a patch for a critical vulnerability that exposed user birthdays and other sensitive data even when they were designated as private, a security researcher said Wednesday.
At time of writing, much of the CSRF (cross-site request forgery) bug appeared to have been patched, Keith said. However, as noted earlier by IDG News, attackers still could exploit the flaw to control a user's "like" functions, which are used to endorse ads and other types of content.
The flaw involved a piece of code Facebook engineers dubbed "post_form_id," which is used to ensure that commands can be issued only by browsers that have previously logged into the website. Keith discovered a simple way to bypass the security token: by omitting it altogether, Facebook servers no longer attempted to validate browsers.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.theregister.co.uk/2010/05/19/facebook_private_data_leak/

WHID 2010-93: Huge 'sexiest video ever' attack hits Facebook

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-93: Huge 'sexiest video ever' attack hits Facebook
WHID ID: 2010-93
Date Occured: May 18, 2010
Outcome: Planting of Malware
Incident Description: A huge attack by a rogue Facebook application last weekend infected users' PCs with popup-spewing adware, a security researcher said Monday.
On Saturday, AVG Technologies received more than 300,000 reports of the malicious Facebook app, said Roger Thompson, AVG's chief research officer. AVG came up with its tally by counting the number of reports from its LinkScanner software, a free browser add-on that detects potentially poisoned pages.
"It was stunning, really, the number," said Thompson in an interview via instant message late Monday. "And stunning that it was not viral or wormy [but that] Facebook did it all by itself."
The volume of reports on Saturday's rogue Facebook software was highest during the nine-hour period between midnight and 9 a.m. Eastern, with spikes of approximately 40,000 per hour coming at 7 a.m. and noon. For the day, AVG received more than 300,000 reports, triple that of AVG's second-most-reported piece of spyware.
According to Thompson, Facebook eradicated the rogue application about 15 hours after the attack started. Facebook's only acknowledgment of the attack came on its security page, where a "Tip of the Week" Monday morning read: "Don't click on suspicious-looking links, even if they've been sent or posted by friends."
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.computerworld.com/s/article/9176905/Huge_sexiest_video_ever_attack_hits_Facebook

WHID 2010-76: Website hacked, election officials say

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-76: Website hacked, election officials say
WHID ID: 2010-76
Date Occured: May 5, 2010
Outcome: Downtime
Incident Description: Local elections officials say their website was hacked as they tried to communicate the results of the Tuesday, May 4, primary election — crashing the site several times and delaying the announcement of vote tallies.
“We have crashed three servers, and in examining those servers, there are two unidentified sites that are deliberately diverting traffic,” said Butler County Board of Elections Director Betty McGary as her frenzied staff struggled to post election results.
“Our servers are under attack, we feel,” McGary said, stressing that the problem pertained only to transmitting totals to the public, not accurately counting the votes.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.middletownjournal.com/news/election/website-hacked-election-officials-say-687529.html

WHID 2010-92: SQL Injection attack used in breach of 168,000 Netherlands travelers

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-92: SQL Injection attack used in breach of 168,000 Netherlands travelers
WHID ID: 2010-92
Date Occured: May 18, 2010
Outcome: Leakage of Information
Incident Description: An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers.
The website offered a coupon for a free trip using the OV smart card system and was set up to promote the new system which is being slowly rolled out throughout the region. According to Webwerld, a tech publication based in the Netherlands, the names, addresses and telephone numbers of individuals who signed up were publicly available as a result of the flaw.
Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw publicly available because there is no excuse for simple website mistakes. The website has since been taken offline.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Netherlands
Reference: http://itknowledgeexchange.techtarget.com/security-bytes/sql-injection-attack-used-in-breach-of-168000-netherlands-travelers/

WHID 2010-88: phpnuke.org has been compromised

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-88: phpnuke.org has been compromised
WHID ID: 2010-88
Date Occured: May 7, 2010
Outcome: Planting of Malware
Incident Description: Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised.

PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks.

The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page.
Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Attacked System Technology: PHPNuke
Reference: http://community.websense.com/blogs/securitylabs/archive/2010/05/07/phpnuke-org-has-been-compromised.aspx

WHID 2010-78: Butler County Election Website Hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-78: Butler County Election Website Hacked
WHID ID: 2010-78
Date Occured: May 5, 2010
Outcome: Downtime
Incident Description: The Butler County Sheriff will investigate an alleged hacking incident that brought down election computers in that county last night, and slowed the reporting of votes.
The Board of Election tells our partners at the Journal News that the problem affected the reporting of vote totals, not the counting of votes itself.
The BOE says three services crashed during the incident and two unidentified sites were deliberately diverting traffic from the website. The BOE believes the attack was deliberate.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.local12.com/news/local/story/Butler-County-Election-Website-Hacked/zsQw7iXCgkuoDeMvyY3dGA.cspx

WHID 2010-65: NewsBusters Knocked Offline

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-65: NewsBusters Knocked Offline
WHID ID: 2010-65
Date Occured: April 9, 2010
Outcome: Downtime
Incident Description: A deliberate brute force attack, a criminal act, knocked NewsBusters offline since late Friday morning. More information to come, but now we’re back and we thank you for bearing with us as our tech team worked studiously to restore the site.
Read more: http://newsbusters.org/?q=blogs/nb-staff/2010/04/10/newsbusters-back-here-s-some-what-you-ve-missed#ixzz0kuulCcnh
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: USA
Reference: http://newsbusters.org/?q=blogs/nb-staff/2010/04/10/newsbusters-back-here-s-some-what-you-ve-missed

WHID 2010-71: Fire Alarm Company Burned by e-Banking Fraud

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-71: Fire Alarm Company Burned by e-Banking Fraud
WHID ID: 2010-71
Date Occured: April 7, 2010
Outcome: Monetary Loss
Incident Description: A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Cost: $110,000.00
Reference: http://krebsonsecurity.com/2010/04/fire-alarm-company-burned-by-e-banking-fraud/

WHID 2010-62: Computer Crooks Steal $100,000 from Ill. Town

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-62: Computer Crooks Steal $100,000 from Ill. Town
WHID ID: 2010-62
Date Occured: March 11, 2010
Outcome: Monetary Loss
Incident Description: A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town’s online bank account, making off with nearly $100,000. According to Rivera, the theft took place Mar. 11, when her assistant went to log in to the town’s account at Bridgeview Bank. When the assistant submitted the credentials to the bank’s site, she was redirected to a page telling her that the bank’s site was experiencing technical difficulties. What she couldn’t have known was that the thieves were stalling her so that they could use the credentials she’d supplied to create their own interactive session with the town’s bank account.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Illinois, USA
Reference: http://www.krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/

WHID 2010-82: Victorian councils, libraries taught security in hack

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-82: Victorian councils, libraries taught security in hack
WHID ID: 2010-82
Date Occured: May 3, 2010
Outcome: Defacement
Incident Description: A hacker has busted the security of eight Victorian Government websites in a string of minor attacks on Sunday.
Purportedly hailing from an Indonesian hacking group, the hacker made unobtrusive defacements by inserting a text document into the homepages of six local council sites and two libraries.
Attack Source Geography: Indonesia
Attacked Entity Field: Government
Attacked Entity Geography: Australia
Reference: http://www.networkworld.com/news/2010/050310-victorian-councils-libraries-taught-security.html

WHID 2010-83: High-profile tech blog is hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-83: High-profile tech blog is hacked
WHID ID: 2010-83
Date Occured: January 26, 2010
Outcome: Defacement
Incident Description: High-profile technology blog TechCrunch has been taken offline by hackers.
A message on the site said that it had been "compromised by a security exploit" but did not specify any further details.
"We're working to identify the exploit and will bring the site back online shortly," the message read.
The site went down at around 0620 GMT and was replaced by various messages including a link to a site directing people towards adult material.
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography:
Reference: http://news.bbc.co.uk/2/hi/technology/8480306.stm

WHID 2010-72: Blippy users’ credit card numbers found on Google

Mon, 24 May 2010 20:58:00 -0400

Entry Title: WHID 2010-72: Blippy users’ credit card numbers found on Google
WHID ID: 2010-72
Date Occured: April 23, 2010
Outcome: Leakage of Information
Incident Description: Yesterday was a big day for social-oversharing site Blippy, which lets members automatically post their purchases to the Internet. The company announced $11.2 million in funding and was profiled in The New York Times.
Overnight, at least one Internet power user figured out a way to search for Blippy members’ credit card numbers on Google. A fairly obvious search for “from card” this morning returned 127 results that included full credit card numbers.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Reference: http://venturebeat.com/2010/04/23/blippy-credit-card-citibank/

WHID 2010-66: Ads to blame for malware in Facebook's FarmTown?

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-66: Ads to blame for malware in Facebook's FarmTown?
WHID ID: 2010-66
Date Occured: April 12, 2010
Outcome: Planting of Malware
Incident Description: The 9.6 million players of the Facebook game FarmTown are being warned about fake security warnings popping up that are designed to mislead people into paying for antivirus protection they don't need.
"We are aware and have reported to the developers that many of our players have encountered the malware/spyware while on the FarmTown Site," the moderator of a user forum for FarmTown maker SlashKey warned over the weekend. "We believe at this time that it is harmless to your computer and a result of one or more of the ads on the site, but you should NOT follow any links to any software claiming to 'clean your system.'"
Sophos' Graham Cluley said it appeared that third-party advertising displayed underneath the FarmTown playing window is to blame.
"In all likelihood, hackers have managed to poison some of the adverts that are being served to FarmTown by the outside advert provider," Cluley wrote on his blog.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://news.cnet.com/8301-27080_3-20002267-245.html

WHID 2010-70: Armenian websites attacked Turkish hackers

Mon, 24 May 2010 20:58:56 -0400

Entry Title: WHID 2010-70: Armenian websites attacked Turkish hackers
WHID ID: 2010-70
Date Occured: April 12, 2010
Outcome: Downtime
Incident Description: Turkish hackers have attacked several Armenian websites ahead of annual commemorative remembrances of the Armenian Genocide.
On April 12th, more than 250 sites were impacted when cyber terrorists attacked a server hosting sites including www.ArmeniaChat.com, www.ArmeniaSearch.com according to the owner of the sites (who wishes to remain anonymous), ANCA Communications Director Elizabeth Chouljian told PanARMENIAN.Net
The attackers also took down www.armenian.com, which is the website for Armenian Directory Yellow pages. Attackers attempted to hack into a second server which hosts www.ArmGate.com but were unsuccessful. All the websites attacked were offline for a period of two days due to the damage caused by the attack.
Attack Source Geography: Turkey
Attacked Entity Field: Government
Attacked Entity Geography: Armenia
Reference: http://www.panarmenian.net/eng/it_telecom/news/47183/

WHID 2010-89: Breaking News: WordPress Hacked with Zettapetta on DreamHost

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-89: Breaking News: WordPress Hacked with Zettapetta on DreamHost
WHID ID: 2010-89
Date Occured: May 6, 2010
Outcome: Planting of Malware
Incident Description: Early this morning, we received reports that WordPress blogs were hacked on Linux shared-hosting at DreamHost, as well as other hosting companies. This is dangerous scareware which tries to install a virus on your visitor's computer.
WordPress, Zencart and other php-based platforms were hit. Our earliest hacked site report is of 5/6/2010 @ 9:17am.
This malware was just detected and is not showing up on website malware scanners yet. We have notified sucuri.net of this latest infection so that they can immediately update their malware detections systems.
Attack Source Geography:
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Reference: http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/

WHID 2010-67: Apache.org hit by targeted XSS attack, passwords compromised

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-67: Apache.org hit by targeted XSS attack, passwords compromised
WHID ID: 2010-67
Date Occured: April 9, 2010
Outcome: Session Hijacking
Incident Description: On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:
ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]
Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights.
Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Reference: http://blogs.zdnet.com/security/?p=6123&tag=nl.e539

WHID 2010-63: Police cuff 70 eBay fraud suspects

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-63: Police cuff 70 eBay fraud suspects
WHID ID: 2010-63
Date Occured: April 6, 2010
Outcome: Fraud
Incident Description: Romanian police have arrested 70 suspected cybercrooks, thought to be members of three gangs which allegedly used compromised eBay accounts to run scams.
The alleged fraudsters obtained login credentials using phishing scams before using these trusted profiles to tout auctions for non-existent luxury goods (luxury cars, Rolex watches and even a recreational aircraft). Buyers handed over the loot but never received any goods in return.
Attack Source Geography: Romania
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Attacked System Technology: eBay
Reference: http://www.theregister.co.uk/2010/04/07/romania_cybercrime_bust/

WHID 2010-81: Network Solutions customers hit by mass hack attack

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-81: Network Solutions customers hit by mass hack attack
WHID ID: 2010-81
Date Occured: April 19, 2010
Outcome: Planting of Malware
Incident Description: Network Solutions' security team is battling a mysterious attack that has silently infected a "huge" number of the websites it hosts with malicious code.
The mass compromise affects sites running WordPress, Joomla, and plain-vanilla HTML, according to reports here and here from Securi Security and Stop Malvertising. Many of the infected sites include encoded javascript that secretly attempts to install malware on visitors' computers.
Attack Source Geography:
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Attacked System Technology: WordPress
Reference: http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/

WHID 2010-91: Twitter software bug forces followers

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-91: Twitter software bug forces followers
WHID ID: 2010-91
Date Occured: May 10, 2010
Outcome: Disinformation
Incident Description: Twitter users had a big shock on Monday when they checked into the micro-blogging service. Their follower and following numbers were at 0, meaning they were suddenly very unpopular or something was seriously wrong with the site.
It was the latter, of course. To kill a bug that allowed a user to force other users to follow him or her, Twitter temporarily reset all follower/following counts to zero, according to the Twitter Status blog. Everything was back to normal by 11 a.m. Pacific.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Twitter
Reference: http://www.pcworld.com/article/195962/

WHID 2010-87: Facebook hacker jailed after falsely accusing boyfriend of rape

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-87: Facebook hacker jailed after falsely accusing boyfriend of rape
WHID ID: 2010-87
Date Occured: May 6, 2010
Outcome: Disinformation
Incident Description: A young mother who had accused her ex-boyfriend of rape hacked into his Facebook site to post a threat to herself to bolster her fakery.

Zoe Williams was described as "really wicked" by the judge, who jailed her for four months.
A court heard she tried to set up her ex-boyfriend partner after accused him of raping her several times after the end of their five-year relationship in 2007.
Attack Source Geography: USA
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.telegraph.co.uk/technology/facebook/7685381/Facebook-hacker-jailed-after-falsely-accusing-boyfriend-of-rape.html

WHID 2010-85: Facebook flaw exposes live chats

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-85: Facebook flaw exposes live chats
WHID ID: 2010-85
Date Occured: May 6, 2010
Outcome: Leakage of Information
Incident Description: Facebook has again come under fire for not doing enough to protect personal information after a security flaw allowed users to eavesdrop on private chat sessions.
The flaw also allowed Facebook members to view other people's pending friend requests.
The social networking site, which has more than 400 million active users, was forced to suspend the live chat function until engineers were able to fix the problem.
The flaw was in the Facebook feature that allows users to view their own privacy settings and could be easily exploited to view others' private information, according to TechCrunch blogger Steve O'Hear, who alerted the social networking site.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.infosecurity-magazine.com/view/9245/facebook-flaw-exposes-live-chats/

WHID 2010-75: Russian-born hacker selling 1.5m Facebook usernames

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-75: Russian-born hacker selling 1.5m Facebook usernames
WHID ID: 2010-75
Date Occured: April 24, 2010
Outcome: Session Hijacking
Incident Description: A RUSSIAN-born hacker is attempting to sell Facebook IDs for as little as $25 per 100 usernames, social-media blog Mashable reports, citing researchers at VeriSign's iDefense.
The hacker, who calls himself Kirllos, has obtained 1.5 million Facebook IDs, or one for every 300 people who use the social networking website.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.news.com.au/technology/russian-born-hacker-selling-15m-facebook-usernames/story-e6frfro0-1225857706897

WHID 2010-79: Italian expert: the attack of Romanian hackers against La Stampa and Corriere newspapers was the most relevant in the last eight years

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-79: Italian expert: the attack of Romanian hackers against La Stampa and Corriere newspapers was the most relevant in the last eight years
WHID ID: 2010-79
Date Occured: April 30, 2010
Outcome: Defacement
Incident Description: On April 30, a group of hackers, who sign as "Romanian National Security" attacked three of the most important media sites in Italy: La Stampa, Corriere della Sera and RAI. The Romanian hackers left a message inviting Italian journalists to avoid confusions between Romanians and gypsies.
The same group attacked in the last month the sites of the Daily Telegraph and Le Monde. However, unlike the British and French media, the Italian mass media did not mention the attack. Our HotNews.ro corresponded to Italy interviewed Italin Matteo Cavallini, responsible for IT security in the Commerce Ministry. He was one of the first Italians to raise the awareness about the attack of the Romanians hackers.
Attack Source Geography: Romania
Attacked Entity Field: Media
Attacked Entity Geography: Italy
Reference: http://english.hotnews.ro/stiri-regional_europe-7212366-italian-expert-the-attack-romanian-hackers-against-stampa-and-corriere-newspapers-was-the-most-relevant-the-last-eight-years.htm

WHID 2010-77: Kilpatrick's site down, spokesman suspects hackers

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-77: Kilpatrick's site down, spokesman suspects hackers
WHID ID: 2010-77
Date Occured: May 5, 2010
Outcome: Downtime
Incident Description: The New York City-based spokesman for Kwame Kilpatrick complained this afternoon that www.friendsofkwame.com is not working properly, and he suspects hackers.
Mike Paul said he is investigating the matter seriously and will pursue prosecution if the site he is promoting on Kwame Kilpatrick’s behalf indeed has been tampered with by outsiders.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.freep.com/article/20100505/NEWS01/100505073/1322/Kilpatricks-site-down-spokesman-suspects-hackers

WHID 2010-69: Walmart web site hacked and hosting spam

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-69: Walmart web site hacked and hosting spam
WHID ID: 2010-69
Date Occured: April 15, 2010
Outcome: Link Spam
Incident Description: One of Walmart official web sites, www.walmartcommunity.com (for their Community Action Network) has SPAM links. The attackers probably injected the spam in one of their templates files. After a bit of search, we found all of them inside the footer.php
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Attacked System Technology: WordPress
Reference: http://blog.sucuri.net/2010/04/walmart-web-site-hacked-and-hosting.html

WHID 2010-61: How Chinese Hackers Exploit Twitter, Google and Yahoo

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-61: How Chinese Hackers Exploit Twitter, Google and Yahoo
WHID ID: 2010-61
Date Occured: April 6, 2010
Outcome: Leakage of Information
Incident Description: A stunning new report issued last night by a team of U.S. and Canadian researchers highlights a critical development in the world of cyber crime: the use of popular services like Twitter, Google (GOOG) and Yahoo (YHOO) to camouflage and carry out infiltrations at the highest level of international government and business.
Attack Source Geography: China
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Reference: http://blogs.bnet.com/business-news/?p=856

WHID 2010-64: Hundreds of Wordpress Blogs Hit by ‘Networkads.net’ Hack

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-64: Hundreds of Wordpress Blogs Hit by ‘Networkads.net’ Hack
WHID ID: 2010-64
Date Occured: April 9, 2010
Outcome: Planting of Malware
Incident Description: A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software.
According to multiple postings on the Wordpress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads.net/grep” — directly into the target site’s database, so that any attempts to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface.
It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.
Attack Source Geography:
Attacked Entity Field: Blogs
Attacked Entity Geography:
Attacked System Technology: WordPress
Reference: http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/

WHID 2010-90: Facebook Board Member's Account Compromised

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-90: Facebook Board Member's Account Compromised
WHID ID: 2010-90
Date Occured: May 10, 2010
Outcome: Phishing
Incident Description: A Facebook message sent out on Saturday from the account of company board member Jim Breyer to over 2,300 "friends" turns out to have been too good to be true.
The message, an invitation to an event at which attendees would be given a "Facebook phone number," was a phishing attack, designed to capture information from recipients.
The incident underscores the risk of supplying Facebook with data that might be better kept private.
Facebook's appeal to cybercriminals arises from the high level of trust that users extend to Facebook messages, which are generally presumed to come from friends.
Compromising someone's Facebook account also provides immediate access to a pool of new potential victims: the friends of the person whose account has been hacked.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Facebook
Reference: http://www.informationweek.com/news/software/showArticle.jhtml?articleID=224701441

WHID 2010-74: Another Zimbabwe news website attacked by hackers

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-74: Another Zimbabwe news website attacked by hackers
WHID ID: 2010-74
Date Occured: April 24, 2010
Outcome: Downtime
Incident Description: London(ZimEye) Another Zimbabwe news website, the ZimDiaspora has been hacked by online criminals. As at Saturday, the website was no longer functioning and one of the editors speaking to ZimEye Saturday said that neither he nor the Hosting company were able to restore the site at the moment.
Despite the hosting company’s apparent desperation Saturday, ZimEye was able to trace the notorious hackers to a location in the Indonesian town of Bandug. The hackers specialise in hacking websites made by the Joomlah software on which the Zimdiaspora is built. They have also declared it openly that this is their field of speciality.
Attack Source Geography: Indonesia
Attacked Entity Field: Media
Attacked Entity Geography: Zimbabwe
Attacked System Technology: Joomla
Reference: http://www.zimeye.org/?p=16521

WHID 2010-80: Hacked US Treasury websites serve visitors malware

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-80: Hacked US Treasury websites serve visitors malware
WHID ID: 2010-80
Date Occured: May 3, 2010
Outcome: Planting of Malware
Incident Description: Updated Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.
The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/

WHID 2010-68: Daily Telegraph website hacked

Mon, 24 May 2010 20:59:27 -0400

Entry Title: WHID 2010-68: Daily Telegraph website hacked
WHID ID: 2010-68
Date Occured: April 15, 2010
Outcome: Defacement
Incident Description: Part of the Daily Telegraph's website has been hacked, apparently by people in Romania who were aggrieved at its identification of "gypsies" and "Romanians".
Its "Short Breaks" and Wine And Dine sections were both hacked, with the Short Breaks site still up at 12.55pm today, with a picture of a Romanian flag claiming to be for the "Romanian National Security", some comments in Romanian and the remark in English at the bottom that "Guess what, gypsies aren't romanians, morons." It also links to a Russian site which plays an MP3 called The Lonely Shepherd.
Sunbelt Software, which first noticed the hack, said that it had alerted the Telegraph when it noticed the hack.
The method used to hack into the site is not known.
Attack Source Geography: Romania
Attacked Entity Field: Media
Attacked Entity Geography: United Kingdom
Reference: http://www.guardian.co.uk/media/2010/apr/15/daily-telegraph-hacking

WHID 2010-73: Report: Music insider site source of leaked songs

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-73: Report: Music insider site source of leaked songs
WHID ID: 2010-73
Date Occured: April 23, 2010
Outcome: Monetary Loss
Incident Description: As if the record industry hasn't tasted enough bitter irony lately, a bunch of album leaks over the weekend apparently came from a service used by music labels to share files with radio stations, media, and other trusted insiders.
According to a post on AbsolutePunk, somebody signed up for an account with Play MPE under false pretenses, claiming to be an Australian music critic. Then this person--apparently a teenage boy--figured out how to access music he wasn't entitled to, including upcoming releases by The Black Keys, Macy Gray, Hole, The Gaslight Anthem, and many other artists.
The AbsolutePunk story referred to this kid as a hacker, but looking at his self-described exploits, that term might be a little too strong. It's not as if he did any sophisticated DRM cracking. Rather, he noticed that that the URL in the Web-based download file had the characters "songid=" followed by a bunch of numbers. By changing the numbers, he was apparently able to to get other song downloads that he wasn't supposed to see.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Reference: http://news.cnet.com/8301-13526_3-20003331-27.html

WHID 2010-86: China State News Agency Web Site Hit With Malware

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-86: China State News Agency Web Site Hit With Malware
WHID ID: 2010-86
Date Occured: May 6, 2010
Outcome: Planting of Malware
Incident Description: A section of the Web site for China's state-run Xinhua news agency was found to be distributing malware last month, according to a Google malware scanning service that is still labeling the site as potentially harmful.
The "news center" section of the Xinhua's Web site, which displays a feed of the agency's stories, was found to have one scripting exploit and one Trojan on it during a scan, according to a Google Safe Browsing diagnostic page. No suspicious content was found on the site during a scan about ten days later, but the section of Xinhua's Web site is still being labeled potentially harmful in Google search results.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: China
Reference: http://news.yahoo.com/s/pcworld/20100506/tc_pcworld/chinastatenewsagencywebsitehitwithmalware

WHID 2010-84: PHP Website XSS Defacement

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-84: PHP Website XSS Defacement
WHID ID: 2010-84
Date Occured: May 2, 2010
Outcome: Defacement
Incident Description: Cross-site scripting , html injection and redirect on bugs.php.net and phpbuilder.com
Screenshots and proof of concept
Redirect from php site to google POC and XSS
Sample xss alert on phpbuilder.com
And now what about http://doc.php.net/phd/ar/phd/ ?
Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Reference: http://security-sh3ll.blogspot.com/2010/05/php-website-xss-defacement.html

WHID 2010-60: CNN redirect exploited by scammers

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-60: CNN redirect exploited by scammers
WHID ID: 2010-60
Date Occured: April 6, 2010
Outcome: Link Spam
Incident Description: SPAMMERs use an Open Redirection vuln in a CNN ad site. The clever touch was providing a link that exploits redirect functionality supported by CNN’s ad servers. The link is structured as follows:
http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW
Clicking on the link sends a request to CNN which instructs the browser to send a second request to the redirect URL – in this case the shortened http:/bit.ly/cP—XW. The host site would not be aware of the misuse – the spammer is simply abusing legitimate ad-serving functionality.
This technique provides several advantages to the spammer:
1) The URL from cnn.com might give the impression that there was a genuine CNN-worthy story to be found
2) The reputable site name would allay fears of anything malicious lurking at the end of the click.
3) Most URL filtering solutions would not block the initial request to cnn.com (although reputable solutions would have been updated in real time about the follow on link which would be blocked)
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: USA
Reference: http://blog.commtouch.com/cafe/email-security-news/cnn-redirect-exploited-by-scammers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+CommtouchCafe+(Commtouch+Café)

WHID 2009-49: RockYou Hack: From Bad To Worse

Wed, 16 Jun 2010 14:12:18 -0400

Entry Title: WHID 2009-49: RockYou Hack: From Bad To Worse
WHID ID: 2009-49
Date Occured: December 14, 2009
Outcome: Leakage of Information
Incident Description: Earlier today news spread that social application site RockYou had suffered a data breached that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Reference: http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/

WHID 2010-57: Web security under attack from ads in prominent advertising programs

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-57: Web security under attack from ads in prominent advertising programs
WHID ID: 2010-57
Date Occured: March 31, 2010
Outcome: Planting of Malware
Incident Description: Advertisement programs operated by Google, Yahoo and Fox were recently found to deliver malware, according to CNET. Avast, the Czech Republic-based web security company, discovered the malware and stated that this particular strain target holes in popular web browsers such as Firefox and Internet Explorer.
Yahoo's Yield Manager and Fox FirmServe manage nearly 50 percent of all online ads. Google's program DoubleClick was found to contain some malvertisements, but not to the extent of Yield Manager or FirmServe. Other advertising platforms like Facebook and MySpace have also experienced similar problems in recent months.
Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Reference: http://www.mxlogic.com/securitynews/web-security/web-security-under-attack-from-ads-in-prominent-advertising-programs651.cfm

WHID 2010-32: Crooks Crank Up Volume of E-Banking Attacks

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-32: Crooks Crank Up Volume of E-Banking Attacks
WHID ID: 2010-32
Date Occured: February 23, 2010
Outcome: Monetary Loss
Incident Description: Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud.
Story outlines Banking Trojan types of activity which intercepted the one-time passcode and then redirected the real user to a fake maintenance page.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Ohio, USA
Reference: http://www.krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/

WHID 2010-7: Hacker attacks Ceridian; data from 27,000 at risk

Mon, 24 May 2010 21:16:11 -0400

Entry Title: WHID 2010-7: Hacker attacks Ceridian; data from 27,000 at risk
WHID ID: 2010-7
Date Occured: January 20, 2010
Outcome: Leakage of Information
Incident Description: A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. The attack was against the Powerpay payroll system.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Minnesota, USA
Number of Records: 27,000
Reference: http://www.startribune.com/business/83505102.html?elr=KArksUUUU

WHID 2010-15: Villar website 'hacked'

Mon, 24 May 2010 21:15:24 -0400

Entry Title: WHID 2010-15: Villar website 'hacked'
WHID ID: 2010-15
Date Occured: March 19, 2010
Outcome: Defacement
Incident Description: The rivalry between Senators Manny Villar and Benigno "Noynoy" Aquino has gone beyond the campaign trail as the official website of the Nacionalista Party presidential bet supposedly got hacked by an Aquino supporter Monday. At about 10 a.m., Villar's official website www.mannyvillar.co.ph contained a blog entry titled "Hacked by Kris Aquino." The entry, which was written in "swardspeak", took jabs at Villar's marketing strategy and ended up coaxing its readers to vote for Aquino instead.
Attack Source Geography: Phillipines
Attacked Entity Field: Politics
Attacked Entity Geography: Phillipines
Reference: http://www.abs-cbnnews.com/lifestyle/03/22/10/villar-website-hacked

WHID 2010-56: Facebook Flub Leaks Private E-Mail Addresses

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-56: Facebook Flub Leaks Private E-Mail Addresses
WHID ID: 2010-56
Date Occured: March 31, 2010
Outcome: Leakage of Information
Incident Description: Private e-mail addresses that many Facebook users wanted to keep hidden were revealed publicly last night on a multitude of Facebook profiles, Gawker reports. The glitch lasted about 30 minutes before Facebook sealed the gap.
It might be that Facebook's recently proposed changes to its privacy settings could be to blame for the hiccup. PC World writer Paul Suarez reported that "One of those changes [to Facebook's Privacy Policy and Statement of Rights and Responsibilities] would make it possible for Facebook to send your name, photo, friend list, and any public information about you and your friends to preapproved third-party Web sites." A slight tweak to broadcasting profile information could have resulted in this embarrassing flub.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Reference: http://www.cio.com/article/589021/Facebook_Flub_Leaks_Private_E_Mail_Addresses

WHID 2010-45: Online Thieves Take $205,000 Bite Out of Missouri Dental Practice

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-45: Online Thieves Take $205,000 Bite Out of Missouri Dental Practice
WHID ID: 2010-45
Date Occured: March 30, 2010
Outcome: Monetary Loss
Incident Description: Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.
Smile Zone is still investigating how the thieves compromised the account. But in case after case I’ve reported on involving this type of fraud, the attackers hacked the victim’s computer networks using a Trojan horse program known as Zeus or Zbot, which allows the criminals to tunnel back through the victim’s PC in order to log into the target account without raising red flags or additional security mechanisms.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Missouri, USA
Cost: $205,000.00
Reference: http://www.krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/

WHID 2010-31: Organized Crooks Hit Ark. Utility

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-31: Organized Crooks Hit Ark. Utility
WHID ID: 2010-31
Date Occured: March 4, 2010
Outcome: Monetary Loss
Incident Description: In a separate incident on March 4, organized crooks stole roughly $130,000 from North Garland County Regional Water District, a public, nonprofit utility in Hot Springs, Ark. Again, thieves somehow broke into the utility’s online bank account and set up unauthorized transfers to more than a dozen individuals around the country that were not affiliated with the district.
Manager Bill Reinhardt said the district is still investigating how the thieves gained access to its accounts, and that it had notified the FBI about the breach. Reinhardt said the district has so far worked with its bank to reverse about half of the fraudulent transfers.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: Arkansas, USA
Reference: http://www.krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/#more-1918

WHID 2010-33: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-33: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss
WHID ID: 2010-33
Date Occured: February 15, 2010
Outcome: Monetary Loss
Incident Description: A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.
Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.
Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.
Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: NY, USA
Reference: http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/

WHID 2010-14: Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-14: Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies
WHID ID: 2010-14
Date Occured: March 19, 2010
Outcome: Downtime
Incident Description: A very interesting cyberwarfare story involving US government/military on both sides. By early 2008, top U.S. military officials had become convinced that extremists planning attacks on American forces in Iraq were making use of a Web site set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom. Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum.
Attack Source Geography: USA
Attacked Entity Field: Government
Attacked Entity Geography: Saudi Arabia
Reference: http://www.washingtonpost.com/wp-dyn/content/article/2010/03/18/AR2010031805464.html

WHID 2010-8: Cross-site scripting vulnerabilities see two political websites hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-8: Cross-site scripting vulnerabilities see two political websites hacked
WHID ID: 2010-8
Date Occured: January 5, 2010
Outcome: Defacement
Incident Description: A report on BBC News said that visitors to Spain's EU presidency website were greeted by an image of comedy character Mr Bean instead of the Spanish Prime Minister Jose Luis Rodriguez Zapatero. The government said that the site - www.eu2010.es - had not been attacked and that a hacker had taken a screenshot of the homepage to make a photo montage using a cross-site scripting (XSS) vulnerability. Visitors found an image of Mr Bean complete with a benign smile and the words ‘Hi there'.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Spain
Reference: http://www.scmagazineuk.com/cross-site-scripting-vulnerabilities-see-two-political-websites-hacked/article/160597/

WHID 2010-47: Court papers: JC Penney was hacking victim

Thu, 17 Jun 2010 14:25:23 -0400

Entry Title: WHID 2010-47: Court papers: JC Penney was hacking victim
WHID ID: 2010-47
Date Occured: October 23, 2007
Outcome: Credit Card Leakage
Incident Description: JC Penney Co. was one of the victims of notorious computer hacker Albert Gonzalez, according to unsealed documents made available on Monday by a federal judge in Boston.
Penney, which during Gonzalez' trial had asked the U.S. District Court for the District of Massachusetts to bar the government from disclosing its identity, was revealed in the documents to be the company that had been known throughout the trial as "Company A."
ICQ chat logs confirm SQL Injection was used - http://datalossdb.org/system/jcp_attachment.pdf
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography:
Reference: http://www.msnbc.msn.com/id/36088614/ns/technology_and_science-security/

WHID 2010-55: Drudge Report accused of serving malware, again

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-55: Drudge Report accused of serving malware, again
WHID ID: 2010-55
Date Occured: March 9, 2010
Outcome: Planting of Malware
Incident Description: For the second time in less than six months, visitors to the Drudge Report say they got malware in addition to the Web site's usual sensational headlines.
Matt Drudge denied that his site was infecting visitors, however it's likely that the malware is coming from ads delivered by a third-party ad network and not the site itself.
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: USA
Reference: http://news.cnet.com/8301-27080_3-10466044-245.html

WHID 2009-48: XSS Embedded iFrames

Wed, 16 Jun 2010 14:12:23 -0400

Entry Title: WHID 2009-48: XSS Embedded iFrames
WHID ID: 2009-48
Date Occured: December 14, 2009
Outcome: Planting of Malware
Incident Description: Today we saw a variety of pages being advertised that have search.htm and other pages vulnerable to cross-site scripting (XSS) being used to inject an iframe to a malicious webpage redirector. To an unknowing user following such an advertisement, they would believe that they were just visiting the intended host site unaware that the iframe was also redirecting them to malicious content.
Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography:
Reference: http://research.zscaler.com/2009/12/xss-embedded-iframes.html

WHID 2010-16: The Game's Email Hacked, Monthly Expenses List Leaked

Mon, 24 May 2010 21:14:35 -0400

Entry Title: WHID 2010-16: The Game's Email Hacked, Monthly Expenses List Leaked
WHID ID: 2010-16
Date Occured: March 22, 2010
Outcome: Leakage of Information
Incident Description: Hackers don't discriminate. The biggest targets these days seem to be celebrities. The latest is rapper The Game, whose GMAIL account was reportedly hacked into recently. According to TheBoomBox.com, the rapper didn't have too many interesting things going on in his email. At least, nothing revealed just yet.
The only thing of interest leaked was a detailed list of his monthly expenses, which total roughly $52,000.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Attacked System Technology: GMail
Reference: http://www.ballerstatus.com/2010/03/22/the-games-email-hacked-monthly-expense-list-leaked/

WHID 2010-30: Organized Crooks Hit NJ Town

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-30: Organized Crooks Hit NJ Town
WHID ID: 2010-30
Date Occured: March 19, 2010
Outcome: Monetary Loss
Incident Description: The Federal Bureau of Investigation and the Atlantic County Prosecutor's Office are helping Egg Harbor Township police investigate what township police said was an "outside intrusion into a municipal banking account"that was to blame for missing municipal funds."
In a statement, the township police also warned the public that computer criminals have become more sophisticated.
"Emails can appear to originate from your bank, or other legitimate location, and when opened can cause great financial damage," the department wrote. "Use extra care with your email and where you may send/enter any personal information."
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: New Jersey, USA
Reference: http://www.pressofatlanticcity.com/news/top_three/article_35e425d8-32f2-11df-a24f-001cc4c03286.html

WHID 2010-44: Baidu hacked by Iranian Cyber Army

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-44: Baidu hacked by Iranian Cyber Army
WHID ID: 2010-44
Date Occured: January 12, 2010
Outcome: Downtime
Incident Description: The attack, which took place overnight, saw a message from the Iranian Cyber Army appear on the Baidu home page. It featured a picture of the Iranian flag, and a message written in Farsi.
Here’s how Baidu alleges the hacker got access to one of the world’s most popular web sites domain name account in under an hour:
1. Hacker starts online chat session with Register.com representative, claiming to be an agent of Baidu.
2. Register.com representative asks hacker to provide verification information. Hacker provides invalid information, but Register.com goes ahead and e-mails a security code to the email address it has on file for Baidu anyway.
3. The hacker doesn’t have access to that e-mail address, so he/she relays a bogus security code to the Register.com representative via chat. Baidu claims the representative didn’t bother to compare the code to the actual one.
4. Hacker asks Register.com representative to change email address on file to antiwahabi2008@gmail.com, and representative does.
5. Hacker now uses “forgot password” link at Register.com to request the username and password to the account. Hacker can then log in and change the name servers.
Attack Source Geography: Iran
Attacked Entity Field: Internet
Attacked Entity Geography: China
Reference: http://www.telegraph.co.uk/technology/news/6974129/Baidu-hacked-by-Iranian-Cyber-Army.html

WHID 2010-6: Cyber hacker hits Paula Dockery's campaign site

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-6: Cyber hacker hits Paula Dockery's campaign site
WHID ID: 2010-6
Date Occured: January 20, 2010
Outcome: Downtime
Incident Description: Attacker(s) conducted a DDoS attack against the Florida Candidate for Governor Paula Dockery's website. In essence, what is happening is someone is sending approximately 40,000 requests per second to the website/server, then immediately closing them… It is the equivalent of 2.4 million people a minute browsing to the site and closing it immediately. In essence this saturates the number of connections available to legitimate people trying to get to the server, causing them to time-out when they visit the site. In security terms it is called a Denial of Service Attack (DoS).
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Florida, USA
Reference: http://blogs.tampabay.com/buzz/2010/01/cyber-hacker-hits-paula-dockerys-campaign-site.html

WHID 2010-2: Hacker Disables More Than 100 Cars Remotely

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-2: Hacker Disables More Than 100 Cars Remotely
WHID ID: 2010-2
Date Occured: March 17, 2010
Outcome: Data Loss
Incident Description: Hundreds of cars would not start and/or had their horn honking when a former employee at Texas Auto Center used previous passwords to log into a system called Webtech Plus whic is used as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The hacker destroyed account records and then started to disable cars/force the horn to honk continuously.
Read More http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/#ixzz0iYvPwUVj
Attack Source Geography: Texas, USA
Attacked Entity Field: Automotive
Attacked Entity Geography: Austin TX, USA
Reference: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/

WHID 2010-40: TCS Website Hacked, Domain Name Up For Sale

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-40: TCS Website Hacked, Domain Name Up For Sale
WHID ID: 2010-40
Date Occured: February 8, 2010
Outcome: Defacement
Incident Description: Indian software giant Tata Consultancy Services Ltd. (TCS) has witnessed the hijacking of its official website www.tcs.com. The hackers not only attacked the website but also allegedly changed its domain name and put it up for sale!
Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography: India
Reference: http://www.techtree.com/India/News/TCS_Website_Hacked_Domain_Name_Up_For_Sale/551-109190-643.html

WHID 2010-34: Over 120 000 Sanoma User Credentials Stolen

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-34: Over 120 000 Sanoma User Credentials Stolen
WHID ID: 2010-34
Date Occured: March 23, 2010
Outcome: Leakage of Information
Incident Description: Not exactly a startup news per se, but a healthy reminder to all those working with user credentials in their online services. One of the largest, if not the largest, online identity thefts has just occured in Finland. The service to be breached was Älypää, a Sanoma bought gaming site. The sad part is that while an identity breach of this magnitude is always bad – this has been made worse by Sanoma actually storing the passwords in plain text, making them usable anywhere.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: Finland
Reference: http://www.arcticstartup.com/2010/03/23/over-120-000-sanoma-user-credentials-stolen/?ref=rc

WHID 2010-17: Govt websites hacked

Mon, 24 May 2010 21:13:33 -0400

Entry Title: WHID 2010-17: Govt websites hacked
WHID ID: 2010-17
Date Occured: March 20, 2010
Outcome: Defacement
Incident Description: Bangladesh government websites, operating out of the Prime Minister's Office, were attacked on Saturday by hackers purporting to be "Indian" .
bdnews24.com, at around 2.30am, found that 19 out of 64 district web portals had been hacked by "MIL INDIAN HACKER", threatening "cyber war" in retaliation to any terrorist attack by Pakistan on Indian soil "via Bangladesh".
Most of the sites were fixed around 16 hours later, said officials, who in some cases had first been notified of the cyber attack by bdnews24.com's online report.
The hacked portals displayed a poster on opening, which said: 28 DIFFERENT STATES, 28 DIFFERENT LANGUAGES BUT ONE WORD JAI HIND!'
Attack Source Geography: India
Attacked Entity Field: Government
Attacked Entity Geography: Bangladesh, India
Reference: http://bdnews24.com/details.php?id=156315&cid=2

WHID 2010-29: Conservatives embarrassed as hackers exploit loophole on anti-union website

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-29: Conservatives embarrassed as hackers exploit loophole on anti-union website
WHID ID: 2010-29
Date Occured: March 23, 2010
Outcome: Defacement
Incident Description: It was hoped that visitors to the website - http://cash-gordon.com – would use popular social networking websites such as Twitter and Facebook to spread the word about Gordon Brown’s union links.
One of its features displayed any message posted on Twitter if it included the term “#cashgordon”, no matter what else it said.
By writing Twitter messages containing the “#cashgordon” and their own piece of web code, they were able to redirect visitors to any other site on the internet.
Anyone who tried to access the Cash Gordon website for more than an hour was sent elsewhere, such as to the Labour Party’s site or to hardcore pornography pages.
Attack Source Geography:
Attacked Entity Field: Politics
Attacked Entity Geography: United Kingdom
Reference: http://www.telegraph.co.uk/technology/twitter/7499228/Conservatives-embarrassed-as-hackers-exploit-loophole-on-anti-union-website.html

WHID 2010-9: Pakistani cyber crime website hit by hacker who is able to access database

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-9: Pakistani cyber crime website hit by hacker who is able to access database
WHID ID: 2010-9
Date Occured: January 11, 2010
Outcome: Defacement
Incident Description: Details of a political website, the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority, being hacked has been reported when a sensitive site was hit by a hacker who managed to gain access to the email database.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Pakistan
Reference: http://www.scmagazineuk.com/pakistani-cyber-crime-website-hit-by-hacker-who-is-able-to-access-database/article/160969/

WHID 2010-25: Flawed Security Exposes Vital Software to Hackers

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-25: Flawed Security Exposes Vital Software to Hackers
WHID ID: 2010-25
Date Occured: March 5, 2010
Outcome: Leakage of Information
Incident Description: McAfee, a leading maker of Internet security software, warned this week that software systems used by many companies to store and manage their intellectual property are being actively targeted by hackers and are in need of significantly increased security focus.
McAfee took issue with Perforce’s implementation of access controls. For instance, using the Web interface, someone who manages to access one user account could access those of other users by manipulating the associated URL, or Web address, it said. Perforce responded that, if customers choose the systems most restrictive mode, that situation isn’t possible.
Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography:
Reference: http://bits.blogs.nytimes.com/2010/03/05/flawed-security-exposes-vital-software-to-hackers/

WHID 2010-3: Feds Crack Hackers' Stock Manipulation Cybercrime

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-3: Feds Crack Hackers' Stock Manipulation Cybercrime
WHID ID: 2010-3
Date Occured: March 16, 2010
Outcome: Monetary Loss
Incident Description: Hackers, working for BroCo Investments (a one-trader operation based in St. Petersburg, Russia) used stolen online brokerage credentials to initiate a pump-and-dump scheme. Within minutes of making the unauthorized transactions, the SEC claims BroCo then sold shares of these same stocks held in its own account at the artificially inflated prices, netting the hackers more than $250,000 in profits.
From a defensive perspective, the online brokerage accounts should be doing more to authenticate users and validate transactions. The challenging part is that these types of defensive mechanisms may actually interfere with many of the automated bot programs that investors use to monitor and execute trades. Online trading fraud is not going to go away anytime soon.
Read More on SEC filing - http://www.wired.com/images_blogs/threatlevel/2010/03/brocosec.pdf
Attack Source Geography: St. Petersburg, Russia
Attacked Entity Field: Finance
Attacked Entity Geography:
Cost: $600,000.00
Reference: http://www.esecurityplanet.com/news/article.php/3871176/Feds-Crack-Hackers-Stock-Manipulation-Cybercrime.htm

WHID 2010-49: Hackers pluck 8,300 customer logins from bank server

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-49: Hackers pluck 8,300 customer logins from bank server
WHID ID: 2010-49
Date Occured: January 12, 2010
Outcome: Leakage of Information
Incident Description: Hackers have stolen the login credentials for more than 8,300 customers of small New York bank after breaching its security and accessing a server that hosted its online banking system.
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release (PDF) issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: NY, USA
Number of Records: 8,300
Reference: http://www.theregister.co.uk/2010/01/12/bank_server_breached/

WHID 2010-41: NineMSN compromised

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-41: NineMSN compromised
WHID ID: 2010-41
Date Occured: February 17, 2010
Outcome: Planting of Malware
Incident Description: Microsoft's Ninemsn, one of the most visited portals in Australia (Alexa rank 573), was compromised and injected with malicious code. The malicious code was identified to be part of the Gumblar mass injections.
Attack Source Geography:
Attacked Entity Field: Internet
Attacked Entity Geography: Australia
Reference: http://www.itwire.com/business-it-news/security/36912-ninemsn-compromised

WHID 2010-35: CISO Witnesses Hack Like No Other

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-35: CISO Witnesses Hack Like No Other
WHID ID: 2010-35
Date Occured: March 3, 2010
Outcome: Loss of Sales
Incident Description: Here's what Maley told attendees to an RSA Conference panel on state cybersecurity on Wednesday:
"We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know."
Authorities eventually discovered that the hacker who used a proxy server in Russia to mask his identity owned a driving school in Philadelphia, and exploited a vulnerability in the driving test scheduling system to allow the scheduling of more tests than the allotted time slots. It could take upward of six weeks to schedule a driving test in Philadelphia. Said Maley:
"What he was doing was saying (to potential customers), "You go over across the street, to John's driver training, and it's going to take you six to eight weeks to get your test. We can get you in tomorrow."
Attack Source Geography: PA, USA
Attacked Entity Field: Government
Attacked Entity Geography: PA, USA
Reference: http://blogs.bankinfosecurity.com/posts.php?postID=469

WHID 2010-13: Australian Government websites blitzed by DDoS attack

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-13: Australian Government websites blitzed by DDoS attack
WHID ID: 2010-13
Date Occured: February 10, 2010
Outcome: Downtime
Incident Description: The websites of Senator Stephen Conroy and the Australian Parliament House were inaccessible this morning after the 'Anonymous' group of hackers claimed credit for a Distributed Denial of Service (DDoS) attack on Australian Government web sites.
Attack Source Geography:
Attacked Entity Field: Politics
Attacked Entity Geography: Australia
Reference: http://www.securecomputing.net.au/News/166860,australian-government-websites-blitzed-by-ddos-attack.aspx

WHID 2010-5: City of Albertville's web site hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-5: City of Albertville's web site hacked
WHID ID: 2010-5
Date Occured: March 18, 2010
Outcome: Defacement
Incident Description: The website of the Mayor of Albertsville, AL was defaced with profanity.
Attack Source Geography: Alabama, USA
Attacked Entity Field: Politics
Attacked Entity Geography: Alabama, USA
Reference: http://www.waff.com/Global/story.asp?S=12166330

WHID 2009-50: Iranian hacker attack: What will it cost Twitter?

Wed, 16 Jun 2010 14:12:13 -0400

Entry Title: WHID 2009-50: Iranian hacker attack: What will it cost Twitter?
WHID ID: 2009-50
Date Occured: December 17, 2009
Outcome: Defacement
Incident Description: A new attack by hackers Dec. 17 redirected Twitter users to a page from a previously unknown group called the Iranian Cyber Army. Most computer attacks are relatively straightforward denial-of-service attacks, where computers overwhelm a website with data to bring it down. Thursday night's attack against Twitter was more serious because the hackers gained access to part of Twitter's network and were able to redirect users to a page with a photo of a flag with Farsi script. Near the top of the page ran a bold red headline in English: "This site has been hacked by Iranian Cyber Army."
Hackers for several days have attacked the websites of opponents of Iran's regime and posted the same image. The opponents have used social-media sites like Twitter to organize street protests this year.
Attack Source Geography: Iran
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Reference: http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter

WHID 2010-23: Beware: Malware Attacks Facebook, B-Ball & Gossip Sites

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-23: Beware: Malware Attacks Facebook, B-Ball & Gossip Sites
WHID ID: 2010-23
Date Occured: March 19, 2010
Outcome: Planting of Malware
Incident Description: At a time when college basketball fans are going wild, cybercriminals are actively pursuing opportunities for scams. Basketball fans go online to fill out bracket selections, and when they do, hackers are also playing their own game of spamdexing, i.e. manipulating search results to promote sites, according to James Duldulao, a security researcher at McAfee. In this case, he explained, cybercriminals are spamdexing malware-infected sites.
This week, the top results for terms like "ncaa bracket" and "march madness predictions" were poisoned. McAfee reports that five out of the first 10 hot searches on Google Trends are being promoted by a network Relevant Products/Services of legitimate sites that were hacked to serve malware. One site had an embedded Flash file that downloads malware from another site and installs it without user interaction Relevant Products/Services.
Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography:
Reference: http://www.toptechnews.com/story.xhtml?story_id=11000CA733W8&full_skip=1

WHID 2010-18: Hackers crash Aussie charity websites

Mon, 24 May 2010 21:13:07 -0400

Entry Title: WHID 2010-18: Hackers crash Aussie charity websites
WHID ID: 2010-18
Date Occured: March 22, 2010
Outcome: Downtime
Incident Description: The internet services of two Australian autism support organisations have been crashed by computer hackers and a third may also have fallen victim, raising fears of a targeted attack to coincide with autism month.
Austism Spectrum Australia (ASPECT), the country's autism service provider, is losing hundreds of dollars in online donations each day after its website was hit by hackers early on Sunday.
Attack Source Geography: USA
Attacked Entity Field: Health
Attacked Entity Geography: Australia
Reference: http://www.stuff.co.nz/technology/3486923/Hackers-crash-Aussie-charity-websites

WHID 2010-39: Tesda Website hacked again; users directed to Smartmatic

Mon, 24 May 2010 21:10:45 -0400

Entry Title: WHID 2010-39: Tesda Website hacked again; users directed to Smartmatic
WHID ID: 2010-39
Date Occured: January 11, 2010
Outcome: Defacement
Incident Description: Even before its administrators could fix the problem, the website of the Technical Education and Skills Development Authority was hacked again early Monday, this time redirecting visitors to the website of Smartmatic, the contractor tasked to implement the automated elections this May. A check of the hacked TESDA website's homepage showed the hackers left instructions for the site to redirect to Smartmatic's website in 20 seconds.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Phillipines
Reference: http://www.gmanews.tv/story/181244/tesda-website-hacked-again-users-redirected-to-smartmatic

WHID 2010-48: Hackers brute force their way into galeton.com website containing names, credit card numbers

Thu, 17 Jun 2010 14:25:18 -0400

Entry Title: WHID 2010-48: Hackers brute force their way into galeton.com website containing names, credit card numbers
WHID ID: 2010-48
Date Occured: February 8, 2010
Outcome: Credit Card Leakage
Incident Description: Hackers used brute force to log into web accounts of users at www.galeton.com.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography:
Reference: http://datalossdb.org/incidents/2692-hackers-brute-force-their-way-into-website-containing-names-credit-card-numbers

WHID 2009-47: Morrison says 'new baby' story a hoax by web hacker

Wed, 16 Jun 2010 14:12:28 -0400

Entry Title: WHID 2009-47: Morrison says 'new baby' story a hoax by web hacker
WHID ID: 2009-47
Date Occured: December 29, 2009
Outcome: Disinformation
Incident Description: A hoax, posted by a hacker on Van Morrison's website, falsely claimed the singer (64) had a baby with a woman called Gigi Lee.
But the reclusive singer issued a statement on New Year's Eve saying he is happily married to former model Michelle Rocca.
The earlier reports were carried by news organisations worldwide after a Los Angeles based public relations consultant, who has represented Morrison in the past, apparently confirmed the claim on Tuesday.
However, the statement issued by Van Morrison said: "I have asked my management team to carry out an immediate investigation into a hacking attack which took place on my website on December 29th last.
"This is the second occasion on which the website has been hacked into during the last three months. In this most recent incident, claims were made relating to my personal life in a "statement'' purporting to come from me.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Reference: http://www.independent.ie/national-news/morrison-says-new-baby-story-a-hoax-by-web-hacker-1996333.html

WHID 2010-4: Shopping website hacked with malware

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-4: Shopping website hacked with malware
WHID ID: 2010-4
Date Occured: March 19, 2010
Outcome: Planting of Malware
Incident Description: Australian retailer DealsDirect.com.au started serving malware to clients through a compromised partner advertising system. It seems that end users were made aware of malware due to Google Safe Browsing plugins in Google Chrome, Firefox and Internet Explorer browsers as they were alerted with the "This site may harm your computer" warning. It is a shame that web sites themselves aren't doing better at analyzing outbound data they are serving to ensure that it is not malicious.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: Australia
Reference: http://news.ninemsn.com.au/technology/1029568/shopping-website-hacked-with-malware

WHID 2010-28: Bank sues victim of $800,000 cybertheft

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-28: Bank sues victim of $800,000 cybertheft
WHID ID: 2010-28
Date Occured: January 26, 2010
Outcome: Monetary Loss
Incident Description: A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Attack Source Geography: Romania
Attacked Entity Field: Finance
Attacked Entity Geography: TX, USA
Reference: http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft

WHID 2010-36: Durex condom orders leak on web – customer (update 1)

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-36: Durex condom orders leak on web – customer (update 1)
WHID ID: 2010-36
Date Occured: March 22, 2010
Outcome: Leakage of Information
Incident Description: Last week, this site received a lead about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the url without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: India
Reference: http://www.databreaches.net/?p=10726

WHID 2010-19: Hacked personal data originating from China

Mon, 24 May 2010 21:12:35 -0400

Entry Title: WHID 2010-19: Hacked personal data originating from China
WHID ID: 2010-19
Date Occured: March 22, 2010
Outcome: Leakage of Information
Incident Description: According to police, Chinese hackers have been targeting Web sites of Korean department stores and other frequently visited sites. The hackers offer the Korean information for sale on the Internet. Last September, a used-car trading Web site and the Internet home page for a car navigation manufacturer were victims of Chinese hackers who stole names and residential registration numbers of 910,000 online members. Hackers can use the stolen registration numbers to become members of certain Web sites that send spam messages, or sell the numbers to other hackers.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: Korea
Reference: http://joongangdaily.joins.com/article/view.asp?aid=2918142

WHID 2010-24: Singapore's biggest forum, Hardwarezone Forums, gets hacked (friendly)

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-24: Singapore's biggest forum, Hardwarezone Forums, gets hacked (friendly)
WHID ID: 2010-24
Date Occured: March 18, 2010
Outcome: Defacement
Incident Description: Yesterday, at 8pm past, a member "gameboyz" discovered pretty quickly that he could inject HTML code into the Tag Board Chat, and posted a script which changed the contents of the page where the tagboard would appear, with a message below, when one accessed certain sections of the site.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: Singapore

WHID 2010-46: Microsoft's Larry "Major Nelson" Hryb has online account hijacked through Xbox.com as part of underground group's publicity bid.

Mon, 24 May 2010 21:04:51 -0400

Entry Title: WHID 2010-46: Microsoft's Larry "Major Nelson" Hryb has online account hijacked through Xbox.com as part of underground group's publicity bid.
WHID ID: 2010-46
Date Occured: March 29, 2010
Outcome: Leakage of Information
Incident Description: Xbox Live director of programming Larry Hryb has for some time now been the face of Microsoft's online platform for the Xbox 360, thanks in large part to his Major Nelson persona. Unfortunately, Xbox Live's figurehead saw his gamertag defaced over the weekend after a hacker was able to log into Hryb's account.
Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Reference: http://www.gamespot.com/news/6254330.html

WHID 2010-10: FBI, police ID Boulder synagogue Web site hacker

Mon, 24 May 2010 21:15:39 -0400

Entry Title: WHID 2010-10: FBI, police ID Boulder synagogue Web site hacker
WHID ID: 2010-10
Date Occured: January 2, 2010
Outcome: Defacement
Incident Description: Boulder police and the FBI announced Friday that they have identified the individual who hacked into the Web sites of two Boulder synagogues and the Boulder Rabbinic Council last week and defaced them with anti-Semitic messages.
Attack Source Geography:
Attacked Entity Field: Religious
Attacked Entity Geography: Boulder, CO
Reference: http://www.dailycamera.com/ci_14150610?source=most_emailed#axzz0ieLUTxxC

WHID 2010-43: Sleuths Trace Digital Clues to Predict iPad Sales

Mon, 24 May 2010 21:09:13 -0400

Entry Title: WHID 2010-43: Sleuths Trace Digital Clues to Predict iPad Sales
WHID ID: 2010-43
Date Occured: March 19, 2010
Outcome: Leakage of Information
Incident Description: To get the ball rolling on the iPad estimate, Mr. Tello asked participants on a private message board for Apple watchers, AAPL Sanity, to share the order number that the Apple Store assigns to each online purchase and includes on the order's email confirmation.
The first order submitted, from a user named Joe, had an eight-digit order number 68,715,XXX (the last three digits have been excised) at 8:30 a.m. Eastern time on March 12, the first day iPad orders could be placed. Another order placed five days later, by a user named Israel, was numbered 68,937,XXX. That is a difference of about 222,000.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography:
Reference: http://online.wsj.com/article/SB10001424052748704207504575130351672451186.html

WHID 2010-22: Hackers target SDP leaders

Mon, 24 May 2010 21:11:26 -0400

Entry Title: WHID 2010-22: Hackers target SDP leaders
WHID ID: 2010-22
Date Occured: March 21, 2010
Outcome: Defacement
Incident Description: At least two leading figures in the opposition Social Democratic Party were attacked by computer hackers during the weekend.
On Sunday, the web pages of the party’s Parliamentary group chairman Eero Heinäluoma were hacked, and on Saturday evening it was the turn of the party’s chairwoman Jutta Urpilainen.

Strange pictures and text had appeared on Heinäluoma’s page www.heinaluoma.net on Sunday, and shortly before 4 p.m. his web page was no longer accessible.
On Saturday evening, Urpilainen’s page had been targeted with obscene messages and child pornography.
The pages crashed at about 10:00 p.m.
Attack Source Geography:
Attacked Entity Field: Politics
Attacked Entity Geography: Finland
Reference: http://www.hs.fi/english/article/Hackers+target+SDP+leaders+/1135254873196

WHID 2009-51: Hacker Hits RBS WorldPay Systems Database

Wed, 16 Jun 2010 14:09:34 -0400

Entry Title: WHID 2009-51: Hacker Hits RBS WorldPay Systems Database
WHID ID: 2009-51
Date Occured: September 11, 2009
Outcome: Leakage of Information
Incident Description: A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on RBS WorldPay's site, where he says he hit the jackpot, the company's database.
The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.
Attack Source Geography: Romania
Attacked Entity Field: Finance
Attacked Entity Geography: Georgia, USA
Reference: http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220000005

WHID 2010-54: MyPilotStore.com hack results in false charges on customers’ cards

Thu, 17 Jun 2010 14:25:00 -0400

Entry Title: WHID 2010-54: MyPilotStore.com hack results in false charges on customers’ cards
WHID ID: 2010-54
Date Occured: February 18, 2010
Outcome: Credit Card Leakage
Incident Description: On February 18, MyPlane, dba MyPilotStore.com, discovered that their database containing their customers’ names, addresses, telephone numbers, e-mail addresses, and credit card information had been hacked. According to the firm, some customers received a “nominal fake charge to their credit card by a company not associated with us.”
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography:
Reference: http://www.databreaches.net/?p=10990

WHID 2010-51: Woman worms into D.C. taxpayer accounts

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-51: Woman worms into D.C. taxpayer accounts
WHID ID: 2010-51
Date Occured: February 5, 2010
Outcome: Leakage of Information
Incident Description: A mentally ill woman exploited a loophole in D.C. tax office online systems to gain unauthorized access to taxpayer accounts, establish herself as the owner of dozens of businesses and file returns on their behalf. The FR-500 forms were not submitted for review before processing, BDO found, and no verification checks were performed. The loophole was a glitch, OTR explained. The agency's Integrated Tax System was supposed to deny ownership changes requested through the FR-500 function, but "faulty logic" allowed the updates automatically. Umansky said a fix is now in place and "that can't happen again."
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: Washington DC, USA
Reference: http://www.washingtonexaminer.com/local/Woman-worms-into-D_C_-taxpayer-accounts-83589257.html

WHID 2010-59: Orange Regional Website Hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-59: Orange Regional Website Hacked
WHID ID: 2010-59
Date Occured: February 9, 2010
Outcome: Leakage of Information
Incident Description: A Lebanese hacker claims to have hacked Orange's regional website in Cote d'Ivoire (Ivory Coast) through SQL injection. The attack allegedly gave him access to the website's administration interface and information on almost 60,000 customers.
Attack Source Geography: Lebanon
Attacked Entity Field: Information Services
Attacked Entity Geography: Ivory Coast
Number of Records: 60,000
Reference: http://news.softpedia.com/news/Orange-Regional-Website-Hacked-134467.shtml

WHID 2010-1: Hacker Breaks Into 49 House Sites, Insults Obama

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-1: Hacker Breaks Into 49 House Sites, Insults Obama
WHID ID: 2010-1
Date Occured: February 1, 2010
Outcome: Defacement
Incident Description: A hacker broke into 49 House Web sites of both political parties after President Obama's State of the Union address. The websites were all managed by a private vendor -- GovTrends of Alexandria, Va. The article mentions that "GovTrends let its guard down while performing an update, allowing the hacker to penetrate sites of individual members and committees overnight" which leads to WHID's Misconfiguration Attack Method designation.
Interesting note - 18 House sites managed by GovTrends were defaced last August.
Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.toptechnews.com/news/Hacker-Breaks-Into-49-House-Sites/story.xhtml?story_id=00100041BAO7

WHID 2010-27: Poughkeepsie, N.Y., slams bank for $378,000 online theft

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-27: Poughkeepsie, N.Y., slams bank for $378,000 online theft
WHID ID: 2010-27
Date Occured: February 8, 2010
Outcome: Monetary Loss
Incident Description: The theft of $378,000 from the town of Poughkeepsie, N.Y., is prompting questions about the responsibility of banks to protect customer accounts from online criminals.
In a statement last week, a Poughkeepsie town official revealed that thieves had broken into the town's TD Bank NA account and transferred $378,000 to accounts in the Ukraine.
Attack Source Geography: Ukraine
Attacked Entity Field: Finance
Attacked Entity Geography: NY, USA
Reference: http://www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft

WHID 2010-50: Shared-password vulnerability may have exposed personal information in online account management system

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-50: Shared-password vulnerability may have exposed personal information in online account management system
WHID ID: 2010-50
Date Occured: January 14, 2010
Outcome: Leakage of Information
Incident Description: Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.
In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says.
The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system.
Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Number of Records: 1,200,000
Reference: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034

WHID 2010-58: China journalist club shuts website after attack

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-58: China journalist club shuts website after attack
WHID ID: 2010-58
Date Occured: April 1, 2010
Outcome: Downtime
Incident Description: The Foreign Correspondents Club of China said on Friday it had shut its website after a burst of hacker attacks, days after attacks on the Yahoo email accounts of some foreign journalists covering China were discovered.
"We do not know who is behind the attacks or what their motivation is," the club's board said in an emailed statement explaining it had decided to shut down temporarily the site after two days of "persistent" attacks.
The club has traced the online assault to IP addresses in both China and the U.S., but added that these machines could have been taken over by hackers in other locations.
The hacking was the latest of several recent incidents that have brought to light the Internet vulnerabilities of people or groups whose work may raise hackles in China.
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: China
Reference: http://www.reuters.com/assets/print?aid=USTOE63101R20100402

WHID 2010-20: Jewish Community Assistance Group Website Hacked

Mon, 24 May 2010 21:11:53 -0400

Entry Title: WHID 2010-20: Jewish Community Assistance Group Website Hacked
WHID ID: 2010-20
Date Occured: March 21, 2010
Outcome: Defacement
Incident Description: The internet website of the Keren Kehilot organization was hacked Sunday morning by a gang of Muslim hackers, apparently from Turkey.
Attack Source Geography:
Attacked Entity Field: Religious
Attacked Entity Geography: Israel
Reference: http://www.israelnationalnews.com/News/Flash.aspx/182976

WHID 2010-37: ING Shareholder Data Exposed on Website

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-37: ING Shareholder Data Exposed on Website
WHID ID: 2010-37
Date Occured: January 25, 2010
Outcome: Leakage of Information
Incident Description: On January 25, an ING customer discovered that she could access client information on the ingfunds.com web site and notified her stockbroker. In investigating the situation, ING discovered that since August 2008, a file containing the names, addresses, Social Security numbers, and account numbers of 106 ING shareholders had been available on the web through a search engine. The company notified the New Hampshire Attorney General on February 3 that 17 residents of the state were affected.
Attack Source Geography: New Hampshire, USA
Attacked Entity Field: Finance
Attacked Entity Geography:
Reference: http://doj.nh.gov/consumer/pdf/ing.pdf

WHID 2010-11: U.S. Military Equipment Website Hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-11: U.S. Military Equipment Website Hacked
WHID ID: 2010-11
Date Occured: January 13, 2010
Outcome: Leakage of Information
Incident Description: A Lebanese hacker is taking credit for a security breach on the PEO Soldier Army website. By exploiting an SQL injection vulnerability, he allegedly obtained full access to the underlying database and the information contained within.
Attack Source Geography: Lebanon
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://news.softpedia.com/news/U-S-Military-Equipment-Website-Hacked-131947.shtml

WHID 2010-53: Google says Vietnam political blogs hacked

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-53: Google says Vietnam political blogs hacked
WHID ID: 2010-53
Date Occured: March 31, 2010
Outcome: Downtime
Incident Description: Internet giant Google says Vietnamese computer users have been spied on and political blogs hacked in attacks which a leading web security firm suspects are linked to the Vietnamese government.
The incidents recall cyber attacks in China that Google in January said had struck it and other unidentified firms in an apparent bid to hack into the email accounts of Chinese human rights activists.
"These infected machines have been used both to spy on their owners as well as participate in distributed denial of service attacks against blogs containing messages of political dissent," said Neel Mehta of Google's security team in the firm's Online Security Blog.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: Vietnam
Reference: http://news.yahoo.com/s/afp/20100331/tc_afp/vietnammediainternetrightsgooglemcafee&a=Technology%20News&x=1

WHID 2010-12: Army Website Compromised Through SQL Injection

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-12: Army Website Compromised Through SQL Injection
WHID ID: 2010-12
Date Occured: January 9, 2010
Outcome: Leakage of Information
Incident Description: A Romanian grey hat hacker has disclosed an SQL inject (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers.
Attack Source Geography: Romania
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://news.softpedia.com/news/Army-Website-Compromised-Through-SQL-Injection-131649.shtml

WHID 2010-52: 3000 Small Dog Electronics customers' credit card details compromised

Thu, 17 Jun 2010 14:25:14 -0400

Entry Title: WHID 2010-52: 3000 Small Dog Electronics customers' credit card details compromised
WHID ID: 2010-52
Date Occured: February 18, 2010
Outcome: Credit Card Leakage
Incident Description: lectronics retailer Small Dog Electronics has suffered from a systems breach that left 3000 customers' credit card details compromised.
The data theft, which left the credit card details exposed from late December to almost the end of January, used a security hole in the in-house web application that had been developed to manage Smalldog's ecommerce system.
Don Mayer, CEO of Small Dog Electronics, explained that the company is PCI compliant, and that it had been subjected to a penetration test by a third party, which he would not name. The flaw in the code has now been rectified, and Small Dog is investigating the issue with the pen tester, added Mayer, who did not know what language the ecommerce system had been written in.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Number of Records: 3,000
Reference: http://www.infosecurity-us.com/view/7411/3000-small-dog-electronics-customers-credit-card-details-compromised/

WHID 2010-26: Russia Arrests Alleged Mastermind of RBS WorldPay Hack

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-26: Russia Arrests Alleged Mastermind of RBS WorldPay Hack
WHID ID: 2010-26
Outcome: Monetary Loss
Incident Description: A fascinating story about a group of hackers who broke into the RBS WorldPay DBs through SQL Injection. Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay. The hackers compromised RBS WorldPay’s database encryption to raise the amount of funds available on the compromised cards, and boost their daily withdrawal limits. In some case, the hackers raised the limits to $500,000. According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access. Pleschuk allegedly developed the method for reverse engineering the encrypted PINs. Once the hackers raised the account limits, they provided an army of cashers with 44 cards programmed with the account details. On November 8 that year, the cashers simultaneously hit more than 2,000 ATMs, netting about $9.5 million in less than 12 hours.
The story did not specify the exact vulnerabilities exploited to manipulate the DB however the Indictment PDF (in the reference) lists actual SQL commands sent to the DBs (pages 10-11).
If you then cross-reference this story with WHID entry 2009-51 where the Romania Hacker Unu released SQL Injection vulns in RBS WorldPay web applications, it seems most plausible that these Russian Hackers used similar vulnerabilities.
Attack Source Geography: Russia
Attacked Entity Field: Finance
Attacked Entity Geography: Georgia, USA
Reference: http://www.wired.com/threatlevel/2010/03/alleged-rbs-hacker-arrested

WHID 2010-42: Frenchman Arrested After Hacking Into Obama's Twitter Accounts

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-42: Frenchman Arrested After Hacking Into Obama's Twitter Accounts
WHID ID: 2010-42
Date Occured: March 25, 2010
Outcome: Leakage of Information
Incident Description: A Frenchman will face trial after hacking into Twitter accounts, including that of U.S President Barack Obama, a French prosecutor said.
The 24-year-old man from central France was arrested on Tuesday and could face up to two years in prison in France for fraudulent access to a computer system. The arrest followed a joint operation between the Federal Bureau of Investigation and the French police, according to French state prosecutor Jean-Yves Coquillat.
The man, whose name hasn't been release, is charged with having hacked into the Twitter Inc. social-networking accounts of famous people. He did this in April 2009 after posing as a site administrator, said Mr. Coquillat. As well as Mr. Obama's account, he hacked into that of singer Britney Spears, he said.
Attack Source Geography: France
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Twitter
Reference: http://online.wsj.com/article/SB10001424052748704094104575143391819054502.html

WHID 2010-38: Cross-Site Scripting through Flash in Gmail Based Services

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-38: Cross-Site Scripting through Flash in Gmail Based Services
WHID ID: 2010-38
Date Occured: March 22, 2010
Outcome: Leakage of Information
Incident Description: IBM Security Researcher outlines the XSS vuln he found that exploits a Flash upload file movie by passing Javascript within external parameters.
Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography:
Reference: http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html

WHID 2010-21: Wiseguys Tickets charged with hacking into Ticketmaster, LiveNation to illegally grab best seats

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2010-21: Wiseguys Tickets charged with hacking into Ticketmaster, LiveNation to illegally grab best seats
WHID ID: 2010-21
Date Occured: March 1, 2010
Outcome: Loss of Sales
Incident Description: This entry is related to WHID 2008-48 (http://www.xiom.com/whid-2008-48) however it expands beyond only TicketMaster to include LiveNation.
Prosecutors said the men hired a hacker in Bulgaria to program a way around the "CAPTCHA" technology that requires ticket buyers to read and retype two distorted random words to prove they are people, not a computer program. In a spectacular irony, the defendents managed to take a process meant to distinguish between a human and a machine - and automate it. The indictment said they even programmed their bots to make mistakes so they would appear to be human ticket buyers. When the bots swarmed a Web site, they were able to fill out the CAPTCHA fields in a twinkling, beating any real human buyers.
Read more: http://www.nydailynews.com/news/ny_crime/2010/03/01/2010-03-01_wiseguys_tickets_charged_with_hacking_into_ticketmaster_livenation_to_illegally_.html?page=1#ixzz0iumX65AV
Attack Source Geography: Bulgaria
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Reference: http://www.nydailynews.com/news/ny_crime/2010/03/01/2010-03-01_wiseguys_tickets_charged_with_hacking_into_ticketmaster_livenation_to_illegally_.html

WHID 2009-46: Clickjacking Attack Hit Facebook

Wed, 16 Jun 2010 14:13:01 -0400

Entry Title: WHID 2009-46: Clickjacking Attack Hit Facebook
WHID ID: 2009-46
Date Occured: December 23, 2009
Outcome: Worm
Incident Description: The Facebook clickjacking assault appeared as a comment posted to the account of a user along with a photograph, which enticed him to hit it. On clicking the link, it led the user to a web-page, which pretended to be a CAPTCHA test. It also prompted him to hit a blue colored button namely "Share" embedded in the Facebook web-page.
But on clicking it, the victim was diverted to a YouTube video appeared on his Facebook account. Consequently, the victim and his contacts were infected. Krzysztof Kotowicz, a freelance security researcher, states that presently the attack is effective merely in Chrome and Firefox Web-browsers, as reported by Help Net Security on December 22, 2009.
Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Reference: http://www.spamfighter.com/News-13684-Clickjacking-Attack-Hit-Facebook.htm

WHID 2007-23: Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget

Wed, 16 Jun 2010 15:58:32 -0400

Entry Title: WHID 2007-23: Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget
WHID ID: 2007-23
Date Occured: June 12, 2007
Outcome: Leakage of Information
Incident Description:

A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of the US intelligence. Interestingly the not all the required information appears in the document, but combined with other pieces of information made available prior, the total number can be calculated.

This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.

Additional information:

Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget [The Spy Who Billed Me, Jun 3 2007]

Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA

WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia

Wed, 16 Jun 2010 15:57:55 -0400

Entry Title: WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia
WHID ID: 2007-24
Date Occured: June 12, 2007
Outcome: Leakage of Information
Incident Description:

An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April of 2007. Approximately 5700 records where stolen in 54 distinct break-ins.

Additional information:

Hackers access personal info on faculty members at Univ. of Virginia [Computer World, Jun 11 2007]

Two Universities Hit By Security Breaches [Information Week, Jun 11 2007]

U.Va. Faculty Names, SSN Security Breach [Univ. of Va., Jun 8 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident

Wed, 16 Jun 2010 15:57:27 -0400

Entry Title: WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident
WHID ID: 2007-25
Date Occured: June 12, 2007
Outcome: Leakage of Information
Incident Description:

Approximately 1100 students and faculty members' personal information records which includes social security numbers were exposed by a vulnerable web application at the Molecular and Cellular Biology program at the University of Iowa. The report suggests that the application was actually compromised.

Additional information:

UI Notifies Graduate Program Students, Faculty About Security Breach [Univ. Of Iowa, May 19 2007]

Two Universities Hit By Security Breaches [Information Week, Jun 11 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-26: $1,000,000 CNBC stock trading contest hacked

Wed, 16 Jun 2010 15:56:58 -0400

Entry Title: WHID 2007-26: $1,000,000 CNBC stock trading contest hacked
WHID ID: 2007-26
Date Occured: June 12, 2007
Outcome: Disinformation
Incident Description:

The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to by a stock before closing and issuing the transaction, at the set price, only after closing, when more information is already available.

The interesting anecdote is that the person who discovered the issue has used a different, but also questionable technique of maintaining a very large number of portfolios automatically managed by automated programs using the fact that the game allowed a user to have any number of portfolios but only the best one is counted. Kosher, but stinks.

This story remind an older story about a predictable delay in a poker game that enabled gamblers to beat the house.

Additional information:

$1,000,000 CNBC stock trading contest hacked [ Jeremiah Grossman, Jun 11 2007]

CNBC's Easy Money [Business Week, Jun 7 2007]

Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2007-27: Files From Google On the Streets

Wed, 16 Jun 2010 15:55:41 -0400

Entry Title: WHID 2007-27: Files From Google On the Streets
WHID ID: 2007-27
Date Occured: June 12, 2007
Outcome: Leakage of Information
Incident Description:

Google left some files at the wrong place at the wrong time. These files includes, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.

Additional information:

Breaking News: Files From Google On the Streets [The Hacker Webzine, May 30 2007]

Attacked Entity Field: Internet
Attacked Entity Geography: USA

WHID 2007-22: Hacking of CM's website: Interpol's help sought

Wed, 16 Jun 2010 15:58:56 -0400

Entry Title: WHID 2007-22: Hacking of CM's website: Interpol's help sought
WHID ID: 2007-22
Date Occured: June 12, 2007
Outcome: Defacement
Incident Description:

The web site of the chief minister of Kerala (an Indian State) was hacked and defaced. The local police has contacted the Interpol to help in finding who is behind the web site hacking.

Additional information:

Hacking of CM's website: Interpol's help sought [NewindPress, Jun 10 2007]

Attacked Entity Field: Government
Attacked Entity Geography: India

WHID 2007-21: Belgian Defense Ministry site defaced by Turks

Wed, 16 Jun 2010 15:58:58 -0400

Entry Title: WHID 2007-21: Belgian Defense Ministry site defaced by Turks
WHID ID: 2007-21
Date Occured: May 17, 2007
Outcome: Defacement
Incident Description:

The site of the Belgian Defense Ministry was defaced by Turks who protested a pro-Kurdish remarks by the Belgian government.

Additional information:

Belgian defense ministry web site remains off line after weekend hacking [Associated Press, Jan 15 2007]

Attack Source Geography: Turkey
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: Belgium

WHID 2007-28: US Embassy probes hacking of online visa appointment system

Wed, 16 Jun 2010 16:05:00 -0400

Entry Title: WHID 2007-28: US Embassy probes hacking of online visa appointment system
WHID ID: 2007-28
Date Occured: June 17, 2007
Outcome: Disinformation
Incident Description:

If you live in a country from which you need a Visa to get to the states, you knew this would happen. The US online Visa appointment system is very open. Indeed too open. Someone in Jamaica took advantage of this to pre-allocate appointments.

While this might be classified as a business process design flaw, isn't security also about this?

Additional information:

US Embassy probes hacking of online visa appointment system [RJR 94FM, Jun 13 2007]

Attacked Entity Field: Government

WHID 2007-29: Teen arrested for hacking Belgian police website

Wed, 16 Jun 2010 15:53:25 -0400

Entry Title: WHID 2007-29: Teen arrested for hacking Belgian police website
WHID ID: 2007-29
Date Occured: June 26, 2007
Outcome: Defacement
Incident Description:

As you may know, defacement usually do not find their way to WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I though it is worth including.

Additional information:

Teen arrested for hacking Belgian police website [Physorg.org, Jun 25 2007]

Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: Belgium

WHID 2007-20: Pirate Bay breach leaks database

Wed, 16 Jun 2010 15:59:06 -0400

Entry Title: WHID 2007-20: Pirate Bay breach leaks database
WHID ID: 2007-20
Date Occured: May 14, 2007
Outcome: Leakage of Information
Incident Description:

Private Bay is a BitTorrent information exchange blog site. Hackers used an SQL Injection vulnerability in the web site to steal 1.6 million users and passwords of the site. At least the passwords where hashed, which means that the hacker would need a cracking software and only the lame passwords will be found.
This incident highlights the Web authentication problem. Just think how many of those users use the same username and password in many other sites.

Additional information:

Pirate Bay breach leaks database [Security Focus, May 14 2007]

User data stolen but not unsecured [Private Bay, May 11 2007]

Pirate Bay says stolen database safe [The Inquierer, May 14 2007]

Attacked Entity Field: Internet
Attacked Entity Geography: Sweden

WHID 2007-19: Hacker accessed data at University of Missouri

Wed, 16 Jun 2010 15:59:34 -0400

Entry Title: WHID 2007-19: Hacker accessed data at University of Missouri
WHID ID: 2007-19
Date Occured: May 9, 2007
Outcome: Leakage of Information
Incident Description:

A report within the help desk system used to track the status of open service calls created a file that was a accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.

Additional information:

Hacker accessed data at University of Missouri [MSNBC, May 8 2007]

One-at-a-time hacker grabs 22,000 IDs from Univ. of Missouri [Computerworld, May 9 2007]

May 2007 Security Incident [University of Missouri, May 8 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-30: Microsoft UK site defaced

Wed, 16 Jun 2010 15:53:14 -0400

Entry Title: WHID 2007-30: Microsoft UK site defaced
WHID ID: 2007-30
Date Occured: July 1, 2007
Outcome: Defacement
Incident Description:

Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.

Additional information:

Microsoft.co.uk Succumbs to SQL Injection Attack [PC world, Jun 29 2007]

Microsoft Defaced, again! [Zone-H, Jun 27 2007]

Video Recording of the Attack [Hacker, Jun 27 2007]

Attacked Entity Field: Technology
Attacked Entity Geography: UK

WHID 2007-31: Hackers Make Off With Personal Info On Applicants At UC Davis

Wed, 16 Jun 2010 15:53:13 -0400

Entry Title: WHID 2007-31: Hackers Make Off With Personal Info On Applicants At UC Davis
WHID ID: 2007-31
Date Occured: July 1, 2007
Outcome: Leakage of Information
Incident Description:

Somebody snitched names, social security number and birth dates of approximately 1500 students at the vet school of UC Davis. Indication is that the web application used by the students was as fault. The school's web site described the incident as a result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?

Additional information:

Hackers Make Off With Personal Info On Applicants At UC Davis [Information Week, Jun 28 2007]

UC David Vet School Web Site [UC Davis, Jun 28 2007]

WHID 2007-18: Microsoft.com defaced

Wed, 16 Jun 2010 15:59:41 -0400

Entry Title: WHID 2007-18: Microsoft.com defaced
WHID ID: 2007-18
Date Occured: May 6, 2007
Outcome: Defacement
Incident Description:

This incredible story from our friends at Zone-H shed light on one of those defacement attacks, which usually go unexplained. This time an infamous Saudi-Arabian hacker abused SQL injection vulnerability in Internet Explorer Administration Kit web site. And guess what type of SQL injection: A login form SQL injection!

Additional information:

Microsoft.com defaced [zone-H, May 3 2007]

Attack Source Geography: Saudi Arabia
Attacked Entity Field: Technology
Attacked Entity Geography: USA

WHID 2007-32: XSS vulnerability on various German online banking sites

Wed, 16 Jun 2010 15:52:43 -0400

Entry Title: WHID 2007-32: XSS vulnerability on various German online banking sites
WHID ID: 2007-32
Date Occured: July 1, 2007
Outcome: Leakage of Information
Incident Description:

I seldom add disclosures anymore to WHID, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.

Additional information:

XSS vulnerability on various german online banking sites [Full Disclosure, May 17 2007]

Attacked Entity Field: Finance
Attacked Entity Geography: Germany

WHID 2007-33: THAILAND: ICT Ministry website sabotaged by hacker

Wed, 16 Jun 2010 15:52:26 -0400

Entry Title: WHID 2007-33: THAILAND: ICT Ministry website sabotaged by hacker
WHID ID: 2007-33
Date Occured: July 22, 2007
Outcome: Defacement
Incident Description:

While defacements are usually not the bread and butter of this database, when it hits an important government site, especially of a ministry in charge of information technology, it is worth mentioning it.

Additional information:

THAILAND: ICT Ministry website sabotaged by hacker [Bangkok Times, Jul 20 2007]

Cached Version [Bangkok Times (Google Cache), Jul 20 2008]

Attacked Entity Field: Government
Attacked Entity Geography: Thailand

WHID 2007-17: Big Brother's big bother

Wed, 16 Jun 2010 16:02:43 -0400

Entry Title: WHID 2007-17: Big Brother's big bother
WHID ID: 2007-17
Date Occured: April 26, 2007
Outcome: Leakage of Information
Incident Description:

The site of "Big Brother", a reality show in Australia issued duplicate session IDs to different users since the session ID pool was exhausted. Naturally, the 2nd person to get the same session ID got to see all the details of the 1st one!

Additional information:

Porn and privacy: Big Brother's big bother [The Age, Apr 23 2007]

Attacked Entity Field: Media
Attacked Entity Geography: Australia

WHID 2007-34: Fox News leaks secret files

Wed, 16 Jun 2010 15:52:08 -0400

Entry Title: WHID 2007-34: Fox News leaks secret files
WHID ID: 2007-34
Date Occured: July 25, 2007
Outcome: Leakage of Information
Incident Description:

Fox News left non public files on a directory accessible to everyone on their web server.

Additional information:

Foxnews File Disclosure [The Hacker Webzine, Jul 23 2007]

Fox News leaks secret files [The Inquierer, Jul 24 2007]

Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed

Wed, 16 Jun 2010 16:03:09 -0400

Entry Title: WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed
WHID ID: 2007-16
Date Occured: April 23, 2007
Outcome: Leakage of Information
Incident Description:

Details about 63,000 loans granted to farmers by USDA (The US department of agriculture) where posted online by mistake.

Additional information:

USDA admits data breach, thousands of social security numbers revealed [Axcess News, Apr 23 2007]

Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2007-35: Data lapse involved 51,000 at a hospital

Wed, 16 Jun 2010 15:51:50 -0400

Entry Title: WHID 2007-35: Data lapse involved 51,000 at a hospital
WHID ID: 2007-35
Date Occured: July 30, 2007
Outcome: Leakage of Information
Incident Description:

In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.

Additional information:

Data lapse involved 51,000, St. Vincent says [Indy Star, Jul 25 2007]

Attacked Entity Field: Health
Attacked Entity Geography: USA

WHID 2007-36: Server hacked through holes in Confixx management software

Wed, 16 Jun 2010 15:51:36 -0400

Entry Title: WHID 2007-36: Server hacked through holes in Confixx management software
WHID ID: 2007-36
Date Occured: August 12, 2007
Outcome: Downtime
Incident Description:

A command injection vulnerability at 1&1, a large German hosting provider, lead to denial of service and possible home page modification at 30 servers and up to 1700 web sites.

Additional information:

Server hacked through holes in Confixx management software [Heise Security, Aug 1 2007]

Attacked Entity Field: Service Providers
Attacked Entity Geography: Germany
Attacked System Technology: Confixx

WHID 2007-73: Brokerage Firm Fined $375,000 for Unsecured Data

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-73: Brokerage Firm Fined $375,000 for Unsecured Data
WHID ID: 2007-73
Date Occured: December 26, 2007
Outcome: Monetary Loss
Incident Description: Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme.
The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.
Attack Source Geography: Latvia
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Cost: $375,000.00
Reference: http://www.wired.com/threatlevel/2010/04/brokerage-firm-fined

WHID 2008-52: The Hannaford Breach

Wed, 16 Jun 2010 14:37:14 -0400

Entry Title: WHID 2008-52: The Hannaford Breach
WHID ID: 2008-52
Date Occured: March 17, 2008
Outcome: Monetary Loss
Incident Description:

While the Hannaford Breach which resulted in 4.2 stolen credit cards and 1800 known fraud cases may not be a web hack, a Computer World article mentioned that the company's web site was off line following the breach. Even if the breach itself was not a result of web site issues, such issues where probably found in the security review to follow the Breach making the incident a worthy addition to WHID.

Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2007-15: High School Hackers Cancel School With Fake Snow Day

Wed, 16 Jun 2010 16:03:39 -0400

Entry Title: WHID 2007-15: High School Hackers Cancel School With Fake Snow Day
WHID ID: 2007-15
Date Occured: April 5, 2007
Outcome: Disinformation
Incident Description:

Two girls modified a schools home page by adding a note that school was closed due to a snow storm. The attack was probably done using a rouge admin accounts.

Additional information:

High School Hackers Cancel School With Fake Snow Day [http://www.firstcoastnews.com/news/strange/news-article.aspx?storyid=75657, Feb 9 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-37: United Nations VS SQL Injections

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-37: United Nations VS SQL Injections
WHID ID: 2007-37
Date Occured: August 13, 2007
Outcome: Defacement
Incident Description:

Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.

The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique, and the referenced article has all the details

Additional information:

United Nations VS SQL Injections [Hackademix, Aug 12 2007]

UN's website breached by hackers [BBC, Aug 13 2007]

Attacked Entity Field: Government
Attacked Entity Geography: United Nations

WHID 2007-14: Your Free MacWorld Expo Platinum Pass

Wed, 16 Jun 2010 16:04:05 -0400

Entry Title: WHID 2007-14: Your Free MacWorld Expo Platinum Pass
WHID ID: 2007-14
Date Occured: April 2, 2007
Outcome: Loss of Sales
Incident Description:

A priority code, used to get free platinum pass to MacWorld Expo, was validated on the client and enabled anyone get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others abused the vulnerability without letting anyone know about it.

Additional information:

Macworld crack offers VIP passes, hacker says [CNet, Jan 12 2007]

Your Free MacWorld Expo Platinum Pass (valued at $1,695) [Grutz, Jan 11 2007]

Attacked Entity Field: Technology
Attacked Entity Geography: USA

WHID 2006-47: Santa brought to Zone-H a brand new defacement

Wed, 16 Jun 2010 16:08:50 -0400

Entry Title: WHID 2006-47: Santa brought to Zone-H a brand new defacement
WHID ID: 2006-47
Date Occured: April 2, 2007
Outcome: Defacement
Incident Description:

Zone-h is one of the best (well, the best, not just one of them) web sites to follow if you interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a hotmail XSS bug), can be used to deface another, unrelated site in a very elaborate and targeted attack.

Additional information:

Santa brought to Zone-H a brand new defacement [Zone-H, Dec 22 2006]

WHID 2007-13: Hackers hit Georgia Tech and steal personal info

Wed, 16 Jun 2010 16:04:55 -0400

Entry Title: WHID 2007-13: Hackers hit Georgia Tech and steal personal info
WHID ID: 2007-13
Date Occured: April 2, 2007
Outcome: Leakage of Information
Incident Description:

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised. The informatoin included names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers.

Additional information:

Hackers hit Georgia Tech and steal personal info [Atlanta Business Chronicle, Feb 21 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-12: SQL injection at knorr.de login page

Thu, 17 Jun 2010 18:23:06 -0400

Entry Title: WHID 2007-12: SQL injection at knorr.de login page
WHID ID: 2007-12
Date Occured: April 2, 2007
Outcome: Leakage of Information
Incident Description:

While vulnerabilities in public web sites are dime a dozen this days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities have disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they exit.

Additional information:

Knorr.de SQL Injection and XSS Vulnerabilities [Sebastian Bauer, Mar 2 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: Germany

WHID 2007-38: Gentoo takes server offline due to security vulnerabilities

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-38: Gentoo takes server offline due to security vulnerabilities
WHID ID: 2007-38
Date Occured: August 30, 2007
Outcome: Downtime
Incident Description:

This gem is very interesting since it happened on Gentoo servers. It therefore combines transparency into the incident that only an open source project can offer with the importance and resource of a large one. As a result we have a detailed report about the vulnerability, exploit attempts and event people shouting at each other during the patching process.
What can we learn from this? That no server is secure, and that patching is hard.

Additional information:

Bugzilla Bug 187971 - Gentoo Website Command Injection Issue [Gentoo, Aug 7 2007]

Analysis and Timeline of the Nuthatch exploitation attempts [Gentoo, ]

Log of all usages of the exploit [Gentoo, ]

Gentoo cuts key parts of itself from net for its own good [The Register, Aug 17 2007]

Attacked Entity Field: Technology

WHID 2006-46: Hacker Redirects Bank Customers To Phony Site

Wed, 16 Jun 2010 16:44:12 -0400

Entry Title: WHID 2006-46: Hacker Redirects Bank Customers To Phony Site
WHID ID: 2006-46
Date Occured: March 30, 2007
Outcome: Phishing
Incident Description:

A small credit union web site was hacked and the traffic redirected to a pharming site. About 180 users where redirected, out of which 12 where tricked into providing their personal information to the attackers. $500 are known to have been stolen from one of the victims.

Additional information:

Hacker Redirects Bank Customers To Phony Site [The Kensas City Channel, Nov 27 2006]

WHID 2007-39: Hacker sabotages Peru president's Web site

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-39: Hacker sabotages Peru president's Web site
WHID ID: 2007-39
Date Occured: August 30, 2007
Outcome: Defacement
Incident Description:

Defacements seem to start dominating this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major goal of attacking: politics and international affairs.
As a side note, this incident is also interesting because it was repeated after discovered and presumably fixed, which goes a long way to show how much effort there is in protecting web sites and how difficult it cab be.

Additional information:

Hacker sabotages Peru president's Web site [Middle East Times, Jul 26 2007]

Attacked Entity Field: Politics
Attacked Entity Geography: Peru

WHID 2006-45: Man arrested for hacking Internet shopping malls

Wed, 16 Jun 2010 16:46:41 -0400

Entry Title: WHID 2006-45: Man arrested for hacking Internet shopping malls
WHID ID: 2006-45
Date Occured: March 30, 2007
Outcome: Monetary Loss
Incident Description:

A Korean shopping system was vulnerable to hidden field manipulation and a determined hacker purchased $6000 worth of merchandize at 45 stores for much less.

Additional information:

Man arrested for hacking Internet shopping malls [The Hankyorea, Dec 17 2006]

WHID 2007-40: County's Web site hacked; no data lost

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-40: County's Web site hacked; no data lost
WHID ID: 2007-40
Date Occured: September 2, 2007
Outcome: Defacement
Incident Description:

Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem and that it is a problem mainly at government sites across the world.

Additional information:

County's Web site hacked; no data lost [Journal Gazetter, Aug 28 2007]

Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2007-41: Hackers hit New Zealand Herald website

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-41: Hackers hit New Zealand Herald website
WHID ID: 2007-41
Date Occured: September 2, 2007
Outcome: Defacement
Incident Description:

Still defacement but this time with a twist. This was a genuine XSS rewriting attack, and was carried out by well known people as a stunt. No information is provided on how the XSS vector found its way to the victim computers.

Additional information:

Hackers hit New Zealand Herald website [Stuff, Aug 29 2007]

Attacked Entity Field: Media

WHID 2007-11: Nokia defaced by XSS

Wed, 16 Jun 2010 16:05:26 -0400

Entry Title: WHID 2007-11: Nokia defaced by XSS
WHID ID: 2007-11
Date Occured: March 30, 2007
Outcome: Defacement
Incident Description:

Nokia's Canadian Web Site was defaced using an XSS attack.

Additional information:

Nokia website hacked [Mad4mobilephones, Jan 29 2007]

Attacked Entity Field: Technology
Attacked Entity Geography: Canada

WHID 2007-42: Bank of India seriously compromised

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-42: Bank of India seriously compromised
WHID ID: 2007-42
Date Occured: September 3, 2007
Outcome: Planting of Malware
Incident Description:

This very serious hacking incident provides insight into a lot
of the failures information security in general and web application
security particularly beyond the simple fact that the web site of the
largest state owned bank in India was invisibly defaced with Trojan
inflicting code.

Firstly, the entire discussion in the references is about the
Trojan payload, with no word about the vulnerability that led to the
defacement. Actually a reviewer on the SiteAdvisor report gives the
green mark to the web site after the Trojan is removed, without
requiring any information about the actual problem.

Secondly, most trust systems, including SiteAdvisor,
completely fail to detect the breach. Which makes me think about those
trust models: they check that the site was not breached, while they
should check that the site is not vulnerable. I guess the reason is
that their primary goal is to detect intentionally malicious sites and
not breaches is normative sites, but others use them to assess the
level of security of the later.

Additional information:

Breaking: Bank of India seriously compromised [Sunblet Blog, Sep 2 2007]

McAfee SiteAdvisor [McAfee, ]

Attacked Entity Field: Finance
Attacked Entity Geography: India

WHID 2007-43: Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-43: Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight
WHID ID: 2007-43
Date Occured: September 3, 2007
Outcome: Defacement
Incident Description:

Yet another defacement, and as usual in the political arena.
However, this one is worth a note as the attack is very targeted, while
usually such political defacements are carried quote randomly against
sites loosely related to the opponent and usually has little to do with
the actual message the attackers want to convey. In this case the
defacement seems to be a direct response to the hot debate about
housing prices in Spain.

Additional information:

Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight [Typically Spanish, Aug 30 2007]

Attacked Entity Field: Government
Attacked Entity Geography: Spain

WHID 2007-10: Super Bowl Site Hacked with Trojan, Key logger

Wed, 16 Jun 2010 16:05:40 -0400

Entry Title: WHID 2007-10: Super Bowl Site Hacked with Trojan, Key logger
WHID ID: 2007-10
Date Occured: March 30, 2007
Outcome: Planting of Malware
Incident Description:

Hackers penetrated the Dolphins stadium web site just days before the Super Bowl was held there and modified the home page to include a Trojan inflecting script.

Additional information:

Hacker installs malicious code on Dolphin Stadium website [CBS/AP, Feb 2 2007]

Malicious Website: Super Bowl XLI / Dolphin Stadium [WebSense, Feb 2 2007]

Super Bowl Dolphin Stadium Website Trojan [eSet, Feb 2 2007]

Chinese servers host malicious cursor attacks [Security Focus, Mar 30 2007]

Attacked Entity Field: Sports
Attacked Entity Geography: USA

WHID 2007-09: Former Fruit of the Loom workers' identities compromised

Wed, 16 Jun 2010 16:06:01 -0400

Entry Title: WHID 2007-09: Former Fruit of the Loom workers' identities compromised
WHID ID: 2007-09
Date Occured: March 29, 2007
Outcome: Leakage of Information
Incident Description:

Names and social security numbers of former employees of Fruit of the Loom where available for download from the company's web site.

Additional information:

Former Fruit of the Loom workers' identities compromised [The Northwest Georgian, Feb 23 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
WHID ID: 2007-44
Date Occured: October 10, 2007
Outcome: Downtime
Incident Description:

A hacker exploited a leftover admin function on eBay to block users and close sales.

Additional information:

Hacker Breaks Into eBay Server, Locks Users Out [PC World, Oct 8 2007]

eBay Explains Security Hole Used by Hacker [Action Bytes, Oct 9 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
WHID ID: 2007-45
Date Occured: October 10, 2007
Outcome: Defacement
Incident Description:

Using XSS on the sites of both Australian major political parties a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"

Additional information:

XSS flaw makes PM say: "I want to suck your blood" [Builder.AU, Oct 9 2007]

Attacked Entity Field: Politics
Attacked Entity Geography: Australia

WHID 2007-08: WordPress Backdoor

Wed, 16 Jun 2010 16:06:39 -0400

Entry Title: WHID 2007-08: WordPress Backdoor
WHID ID: 2007-08
Date Occured: March 29, 2007
Outcome: Planting of Malware
Incident Description:

Backdoor was planted in a new official release of WordPress, the most popular blogging software in the world. It was available for download for a few days before the backdoor was located.

Additional information:

WodPress dangerous, Upgrade [, Mar 2 2007]

Intruder adds back door to WordPress blog software [News.com, Mar 6 2007]

Attacked System Technology: WordPress

WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
WHID ID: 2007-46
Date Occured: October 11, 2007
Outcome: Leakage of Information
Incident Description:

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

Additional information:

School Web site breached? Personal info of Pembroke workers, volunteers accessible for months [Patriot Ledger, Oct 11 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-47: Commerce Bank, a US regional bank, hacked

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-47: Commerce Bank, a US regional bank, hacked
WHID ID: 2007-47
Date Occured: October 12, 2007
Outcome: Leakage of Information
Incident Description:

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and based on further information, it might be withdrawn.

Additional information:

US regional bank hacked [The Register, ]

Customer information compromised at bank [Columbia Tribune, Oct 10 2007]

Attacked Entity Field: Finance
Attacked Entity Geography: USA

WHID 2007-07: Westerly Hospital data breach affects 2,000

Wed, 16 Jun 2010 16:06:46 -0400

Entry Title: WHID 2007-07: Westerly Hospital data breach affects 2,000
WHID ID: 2007-07
Date Occured: March 29, 2007
Outcome: Leakage of Information
Incident Description:

Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.

The information included personal data such as social security numbers, birth dates, address, phone number, insurance numbers and in some cases the reason for the visit.

Additional information:

Westerly Hospital data breach affects 2,000 [Providence Business News, Mar 2 2007]

Patient Data Incident [, Mar 5 2007]

Attacked Entity Field: Health
Attacked Entity Geography: USA

WHID 2007-48: MSU investigating hacking incident

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-48: MSU investigating hacking incident
WHID ID: 2007-48
Date Occured: October 17, 2007
Outcome: Leakage of Information
Incident Description:

Information including birth date and social security number of 1400 students who enrolled online to the Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online where affected points to a web site breach.

Additional information:

MSU investigating hacking incident [Montana's News Station, Oct 16 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-49: Hackers Block Sale of Colorado Rockies World Series Tickets

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-49: Hackers Block Sale of Colorado Rockies World Series Tickets
WHID ID: 2007-49
Date Occured: October 25, 2007
Outcome: Loss of Sales
Incident Description:

The site of the Rockies was taken down by a denial of service preventing fans from buying tickets for the World Series games.

Like any DDoS attack, it is very hard to know if it was an application layer or network layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserve a place in WHID.

Additional information:

Hackers Block Sale of Colorado Rockies World Series Tickets [Associated Content, Oct 24 2007]

Attacked Entity Field: Sports
Attacked Entity Geography: USA

WHID 2007-06: Hackers swipe seed company's customers' data

Wed, 16 Jun 2010 16:07:25 -0400

Entry Title: WHID 2007-06: Hackers swipe seed company's customers' data
WHID ID: 2007-06
Date Occured: March 29, 2007
Outcome: Monetary Loss
Incident Description:

11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds a small ($13M in revenue per annum) on line vendor of seeds in Main. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of stolen credit cards rather than security measures used protect the web site.

The direct cost of the breach, informing customers, researching the incident and upgrading the protection of the web site cost the company tens of thousands of dollars.

Additional information:

Hackers swipe seed company's customers' data [Kennebec Journal, Mar 3 2007]

Maine Seed Company Website Hacked: Demonstrates SMB Vulnerability & Questions Hacker Safe Seals [Realtime IT compliance, Mar 3 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2007-05: Hacking John McCain

Wed, 16 Jun 2010 16:07:38 -0400

Entry Title: WHID 2007-05: Hacking John McCain
WHID ID: 2007-05
Date Occured: March 29, 2007
Outcome: Defacement
Incident Description:

An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.

Additional information:

Hacking John McCain [, Mar 27 2007]

Oops! John McCain's MySpace page gets pranked [CNet, Mar 27 2007]

Attacked Entity Field: Politics
Attacked Entity Geography: USA

WHID 2007-04: College glitch avails student information to public

Wed, 16 Jun 2010 16:07:54 -0400

Entry Title: WHID 2007-04: College glitch avails student information to public
WHID ID: 2007-04
Date Occured: March 27, 2007
Outcome: Leakage of Information
Incident Description:

A student at a community college in Sacramento who was "Googling" himself last month found his name, among 2000 others, in a file accidentally left by school staff online and picked by Google crawler.

Additional information:

College glitch avails student information to public [The Arizona Republic, Mar 10 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-03: UI put staff data on Web

Wed, 16 Jun 2010 16:08:03 -0400

Entry Title: WHID 2007-03: UI put staff data on Web
WHID ID: 2007-03
Date Occured: March 26, 2007
Outcome: Leakage of Information
Incident Description:

Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.

Additional information:

UI put staff data on Web [Spokesman Review, Mar 10 2007]

[Vandal Identity Resource Center, ]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2008-51: TrendMicro web site hit

Wed, 16 Jun 2010 14:37:38 -0400

Entry Title: WHID 2008-51: TrendMicro web site hit
WHID ID: 2008-51
Date Occured: March 15, 2008
Outcome: Leakage of Information
Incident Description:

The infamous SQL injection bot has hit TrendMicro, worrying considering the fact that TrendMicro is there to protect us from malware. Unfortunately it seems that web security is still underrated outside of a small group of experts, even though it fast becomes the modern day equivalent of the now declining viruses and worms.

Attacked Entity Field: Technology
Attacked Entity Geography: Japan

WHID 2007-01: Credit Card Information stolen from Indiana's Web Site

Wed, 16 Jun 2010 16:08:18 -0400

Entry Title: WHID 2007-01: Credit Card Information stolen from Indiana's Web Site
WHID ID: 2007-01
Date Occured: March 26, 2007
Outcome: Leakage of Information
Incident Description:

On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.

While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.

Additional information:

Hacker Suspected Of Multistate Break-In Spree [Information Week, Mar 23 2007]

Hacker Accesses Credit Card Info On State Web Site [The Indy Channel, Feb 9 2007]

State Notifies 71,000 Workers Of Web Site Breach [The Indy Channel, Mar 21 2007]

State: Web Site Breach May Have Been Prank [The Indy Channel, Mar 22 2007]

Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2006-42: Netscape.com hacked

Wed, 16 Jun 2010 17:06:16 -0400

Entry Title: WHID 2006-42: Netscape.com hacked
WHID ID: 2006-42
Date Occured: July 27, 2006
Outcome: Defacement
Incident Description:

Most XSS vulnerabilities are benign. In many cases they are hardly exploitable. In this case Netscape's new digg like shared news site was hacked using a persistent XSS attack, so every viewer of the site was attacked, luckily only to show funny dialog boxes.

Additional information:

Netscape.com hacked [F-Secure, Jul 26 2006]

Netscape.com hit with cross-site scripting attack [Search Security, Jul 26 2006]

AOL Fixes Netscape.com XSS Hack [Beta News, Jul 26 2006]

Netscape Hacked, Professor Denies Sexiness Claims [SecurityPro News, Jul 26 2006]

NetScape.com - JavaScript Exploit Embaressment [Threadwatch.org, Jul 26 2006]

WHID 2007-50: Art.com says hacker accessed names, credit cards

Thu, 17 Jun 2010 18:22:57 -0400

Entry Title: WHID 2007-50: Art.com says hacker accessed names, credit cards
WHID ID: 2007-50
Date Occured: October 29, 2007
Outcome: Credit Card Leakage
Incident Description:

A hacker gained access to names and encrypted credit card numbers of Arts.com. While the reason is not known, since the information is known to belong to online shoppers who made transactions from July to September we assume it was a web site breach.

Additional information:

Art.com says hacker accessed names, credit cards [MarketWatch, Oct 28 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: Global

WHID 2006-41: Making money with MySpace bulletin system!

Wed, 16 Jun 2010 18:13:47 -0400

Entry Title: WHID 2006-41: Making money with MySpace bulletin system!
WHID ID: 2006-41
Date Occured: July 24, 2006
Outcome: Worm
Incident Description:

A bug in MySpace allowed a single click on an incoming bulletin by a person to forward it to all his contacts, making spreading a worm (or any content for that matter) too easy.

Additional information:

Making money with Myspace bulletin system! [, Jun 16 2006]

WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection
WHID ID: 2007-51
Date Occured: November 4, 2007
Outcome: Leakage of Information
Incident Description:

The web servers of Scarborough & Tweed, a company that does business online selling corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.

Additional information:

570 Scarborough & Tweed customers' personal information accessed by SQL injection [PogoWasRight.Org, Nov 3 2007]

Scarborough & Tweed [State of New Hampshire, Oct 26 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2006-40: Data Mining MySpace Bulletins

Wed, 16 Jun 2010 18:17:21 -0400

Entry Title: WHID 2006-40: Data Mining MySpace Bulletins
WHID ID: 2006-40
Date Occured: July 24, 2006
Outcome: Leakage of Information
Incident Description:

MySpace bulletins, presumably accessible only to the social network of the originator can be access by anyone by iterating through a message id query parameter.

Additional information:

Data Mining Myspace Bulletins [Full Disclosure Mailing List, Jun 30 2006]

WHID 2006-39: Another Google XSS

Wed, 16 Jun 2010 18:18:53 -0400

Entry Title: WHID 2006-39: Another Google XSS
WHID ID: 2006-39
Date Occured: July 24, 2006
Outcome: Leakage of Information
Incident Description:

An XSS vulnerability in the feature allowing adding an arbitrary RSS to personal web pages. Since this page resides on the main www.google.com host, the executed JavaScript can access any Google resource.

Additional information:

Google Fixes XSS Security Problem [Google Blogoscoped, Jul 6 2006]

Cross Site Scripting Vulnerability in Google [ha.ckers, Jul 4 2006]

Google fixes security flaw in Reader [News.com, Jul 5 2006]

WHID 2007-52: Hacker halts Rivkin auction of 37 watches

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-52: Hacker halts Rivkin auction of 37 watches
WHID ID: 2007-52
Date Occured: November 5, 2007
Outcome: Downtime
Incident Description:

Seems that the there is a new trend to disrupt on line bidding using denial of service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before the end as the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.

Additional information:

Hacker halts Rivkin auction of 37 watches [Herald Sun, Nov 5 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: Australia

WHID 2007-53: Google's Advanced Search Operators Abused by Spammers

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-53: Google's Advanced Search Operators Abused by Spammers
WHID ID: 2007-53
Date Occured: November 7, 2007
Outcome: Link Spam
Incident Description:

While most WHID entries are about web site breaches, sometimes vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. It allows them to include a honest looking URL in their e-mail, this way bypassing spam filters and observant users.

Symantec response team found actively used alternative in the best known page on the internet: Google primary search page. By using the Google famous "I feel lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.

This method has another advantage over a redirection page, as the final target is specified by a search string and not by a URL, bypassing smarter filters that know, or learn, that a URL as a parameter of a URL is most probably redirection.

Additional information:

Google's Advanced Search Operators Abused by Spammers [Symantec Response Team, Nov 2 2007]

Attacked Entity Field: Internet
Attacked Entity Geography: Global

WHID 2006-38: Convenience or just bad design?

Wed, 16 Jun 2010 18:19:56 -0400

Entry Title: WHID 2006-38: Convenience or just bad design?
WHID ID: 2006-38
Date Occured: July 24, 2006
Outcome: Leakage of Information
Incident Description:

Altiris seems to have designed their servers so that it is easy to both access their customers upload as well as find out their e-mail addresses.

Additional information:

Convenience or just bad design? [WebAppSec, Jul 12 2006]

WHID 2007-54: Mistake Left Constables Open To ID theft

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-54: Mistake Left Constables Open To ID theft
WHID ID: 2007-54
Date Occured: November 7, 2007
Outcome: Leakage of Information
Incident Description:

An Excel spreadsheet was published on containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 offices and the home addresses of 74 offices. As a result identities of 3 offices where stolen.

While the information was pulled of line after a short period of time, it remained in the cache of several major search engines.

Additional information:

Mistake left constables open to ID theft -- Clerk of Courts posted Social Security numbers online [York Dispatch, Sep 17 2007]

Cache Comes Back to Bite York County Constables [The Breach Blog, Sep 18 2007]

Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: UK

WHID 2007-55: Malicious Code Infects Chinese Security Site

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-55: Malicious Code Infects Chinese Security Site
WHID ID: 2007-55
Date Occured: November 7, 2007
Outcome: Planting of Malware
Incident Description:

Defacement are a dime a dozen this days, and are not normally reported by WHID. Even invisible defacements in which sites are changed in order to infect their clients with malicious code are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in the light of the hot debate about china as the source of all hacking, we think that this story has a value.

Additional information:

Malicious Code Infects Chinese Security Site [PC World, Oct 3 2007]

Attacked Entity Field: Media
Attacked Entity Geography: China

WHID 2007-87: 7-Eleven Hack From Russia Led to ATM Looting in New York

Wed, 16 Jun 2010 15:18:59 -0400

Entry Title: WHID 2007-87: 7-Eleven Hack From Russia Led to ATM Looting in New York
WHID ID: 2007-87
Date Occured: September 2007
Outcome: Monetary Loss
Incident Description: In his most-recent plea agreement, filed in court Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1″ and “Hacker 2″ in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.
The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”
Read More http://www.wired.com/threatlevel/2009/12/seven-eleven/#ixzz0iehheEY7
Attack Source Geography: Russia
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Cost: $2,000,000.00
Reference: http://www.wired.com/threatlevel/2009/12/seven-eleven/

WHID 2007-56: TJMaxx XSS Vulnerability

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-56: TJMaxx XSS Vulnerability
WHID ID: 2007-56
Date Occured: November 7, 2007
Outcome: Leakage of Information
Incident Description:

A small XSS vulnerably caught RSnake eyes. What makes it different, after all xssed.com lists thousands and thousands of those? What caught RSnames eyes was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.

Additional information:

TJMaxx XSS Vulnerability [RObert Hansen (Rsnake), Sep 23 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2006-37: MySpace Hack Spreading

Wed, 16 Jun 2010 18:20:34 -0400

Entry Title: WHID 2006-37: MySpace Hack Spreading
WHID ID: 2006-37
Date Occured: July 24, 2006
Outcome: Worm
Incident Description:

MySpace seems to be a heaven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a flash file. It is also interesting as it seems to combine the popular political defacement trend with high level application layer exploit.

Additional information:

Myspace Hack spreading like wildfire: SPAIRLKAIFS [Chase and Sam page, Jul 16 2006]

How the myspace SWF hack worked [Unknown, Jul 16 2006]

Political hacking hits MySpace [SC Magazine, Jul 17 2006]

Attacked Entity Field: Web 2.0

WHID 2006-35: Yahoo mail XSS in CSS expression keyword

Wed, 16 Jun 2010 18:22:23 -0400

Entry Title: WHID 2006-35: Yahoo mail XSS in CSS expression keyword
WHID ID: 2006-35
Date Occured: May 9, 2006
Outcome: Leakage of Information
Incident Description:

Yahoo mail does not filter properly the CSS "expression" keyword when it includes a comment that is encoded.

Additional information:

Yahoo! Mail XSS Vulnerability [Cheng Peng Su, Apr 21 2006]

WHID 2006-36: PayPal Flaw Gets Accidental Two-Year Reprieve?

Wed, 16 Jun 2010 18:21:33 -0400

Entry Title: WHID 2006-36: PayPal Flaw Gets Accidental Two-Year Reprieve?
WHID ID: 2006-36
Date Occured: July 24, 2006
Outcome: Phishing
Incident Description:

While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by Phishers, it is exploitable for Phishing and was exploited. On top of that, it seems to have been discovered and reported to PayPal already two years ago but ignored due to a communication failure.

Additional information:

PayPal Security Flaw allows Identity Theft [Netcraft, Jun 16 2006]

PayPal XSS Exploit available for two years? [Netcraft, Jul 20 2006]

PayPal fixes phishing hole [News.com, Jun 16 2006]

Responsible Disclosure? - Paypal vulnerable for two years [Computer World, Jul 20 2006]

WHID 2007-57: New Zealand's Government Web Sites Attacked And Information Stolen

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-57: New Zealand's Government Web Sites Attacked And Information Stolen
WHID ID: 2007-57
Date Occured: November 7, 2007
Outcome: Leakage of Information
Incident Description:

An attack on New Zealand government web sites required New Zealand Prime Minister, Helen Clark to comment and ensure the public that no confidential information was stolen. However official sources in New Zealand confirm attacks were carried out by unnamed, but known, foreign governments on New Zealand government web site that resulted in stealing of information.

Additional information:

No classified data lost in cyber attacks - Clark [The New Zealand Herald, Sep 11 2007]

Attacked Entity Field: Government
Attacked Entity Geography: New Zealand

WHID 2006-34: XSS Exploit at sms.ac

Wed, 16 Jun 2010 18:22:53 -0400

Entry Title: WHID 2006-34: XSS Exploit at sms.ac
WHID ID: 2006-34
Date Occured: May 9, 2006
Outcome: Leakage of Information
Incident Description:

This community site allows including scripts in multiple locations including ones personal profile thus enabling XSS.

Additional information:

XSS Exploit at sms.ac [Addict3D, Jan 3 2006]

WHID 2006-33: Alexadex.com players.py XSS Exploit

Wed, 16 Jun 2010 18:23:48 -0400

Entry Title: WHID 2006-33: Alexadex.com players.py XSS Exploit
WHID ID: 2006-33
Date Occured: May 9, 2006
Outcome: Disclosure Only
Incident Description:

Alexadex is an online investment game. There is an XSS vulnerability in the group adding functionality.

Additional information:

Alexadex.com players.py XSS Exploit [Bugtraq, May 5 2006]

WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack
WHID ID: 2007-58
Date Occured: November 7, 2007
Outcome: Leakage of Information
Incident Description:

Vertical Web Media, publisher of Internet Retailer magazine, suffered a security http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_se... and credit card information of readers had been stolen. The Irony is that Internet Retailed magazine is covering the risks of e-commerce.

While the actual technique used is not known, signs are that it was a web hack as it was done by a distributed network of bots all over the world and since the information stolen belonged to customers who paid online.

The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The Number_of_Records stolen is unknown.

Additional information:

Internet Retailer Publisher Victim Of Customer File Hack [NBC.com, Sep 18 2007]

Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2008-50: The Indian government acknowledges hacking incidents

Wed, 16 Jun 2010 14:39:29 -0400

Entry Title: WHID 2008-50: The Indian government acknowledges hacking incidents
WHID ID: 2008-50
Date Occured: February 29, 2008
Outcome: Leakage of Information
Incident Description:

An official Indian government response to a question in the Indian parliament, the Minister of State for Communications and Information Technology discusses hacking incidents which occurred between 2005 and 2008 in a large number of Indian government agencies. The interesting information is the list of agencies affected:

Ministry of Railways,

Air Cargo Customs (Mumbai),

Forward markets Commission,

National Institute of Health and Family Welfare,

National Institute of Social Defence,

Department of Administrative Reforms and Public Grievances,

Wireless Planning & Coordination Wing,

Bharat Sanchar Nigam Limited,

Telecom Regulatory Authority of India,

Department of Information Technology and

Anthropological Survey of India.

Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: India

WHID 2006-32: libero.it XSS vulnerability - HTML injection

Wed, 16 Jun 2010 18:24:39 -0400

Entry Title: WHID 2006-32: libero.it XSS vulnerability - HTML injection
WHID ID: 2006-32
Date Occured: May 9, 2006
Outcome: Disclosure Only
Incident Description:

Libero.it is a Web portal of big Italian ISP offering dial-up, Broadband and talk services. A script on it's customer service pages which enabled a connection speed test is vulnerable to XSS.

Additional information:

libero.it XSS vulnerability - HTML injection [Bugtraq (Posted by Davide Denicolo), May 2 2006]

WHID 2007-59: Hackers jack Monster.com, infect job hunters

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-59: Hackers jack Monster.com, infect job hunters
WHID ID: 2007-59
Date Occured: November 21, 2007
Outcome: Planting of Malware
Incident Description:

A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.

Additional information:

Hackers jack Monster.com, infect job hunters [Computer World, Nov 20 2007]

Attacked Entity Field: Internet
Attacked Entity Geography: USA

WHID 2007-60: The blog of a Cambridge University security team hacked

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-60: The blog of a Cambridge University security team hacked
WHID ID: 2007-60
Date Occured: December 19, 2007
Outcome: Downtime
Incident Description:

This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature reach and free. It enables us access to tools available to a few only a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good
examples of very popular open source systems that require constant
attention in order to maintain secure.

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they dont have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.

Apart from, or actually because of the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:

Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.

The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.

Additional information:

Upgrade and new theme [Light Blue Touchpaper Blog, Oct 27 2007]

Google as a password cracker [Light Blue Touchpaper Blog, Nov 16 2007]

Forgotten your password? Google can find it for you. Unfortunately [Technology Guardian, Nov 23 2007]

Wordpress cookie authentication vulnerability [Light Blue Touchpaper Blog, Nov 20 2007]

Attacked Entity Field: Education
Attacked Entity Geography: UK
Attacked System Technology: WordPress

WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
WHID ID: 2007-61
Date Occured: December 19, 2007
Outcome: Link Spam
Incident Description:

Whether comment spam by itself is an application failure or a necessary evil for site allowing rich comments is an open question. However it is reported that in this case vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages and not just abuse comments.

Additional information:

Another inconvenient truth: Al Gore's Web site hacked [PC World, Nov 26 2007]

Blog Link Spam Claims Another Victim: Al Gore [Wired, Nov 27 2007]

Attacked Entity Field: Politics
Attacked Entity Geography: USA
Attacked System Technology: WordPress

WHID 2007-62: A security flaw in Passport Canada's website

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-62: A security flaw in Passport Canada's website
WHID ID: 2007-62
Date Occured: December 19, 2007
Outcome: Monetary Loss
Incident Description:

The Web site of the Canadian passports authority enables users to access others' record by modifying a value of a parameter in the URI.

Additional information:

Passport applicant finds massive privacy breach [The Globe and Mail, Dec 4 2007]

Passport Canada strengthens online security following breach [CBC, Dec 4 2007]

Attacked Entity Field: Government
Attacked Entity Geography: Canada

WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German subsidiary

Thu, 17 Jun 2010 18:22:28 -0400

Entry Title: WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German subsidiary
WHID ID: 2007-63
Date Occured: December 19, 2007
Outcome: Credit Card Leakage
Incident Description:

An unidentified group had stolen credit card numbers and billing addresses of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.

Additional information:

Theft of credit card data affects tens of thousands of Kartenhaus customers [Heise, Oct 5 2007]

Attacked Entity Field: Retail
Attacked Entity Geography: Germany

WHID 2006-31: URL Bug On 1ASPHost and DomainDLX Hosting Services

Wed, 16 Jun 2010 18:25:05 -0400

Entry Title: WHID 2006-31: URL Bug On 1ASPHost and DomainDLX Hosting Services
WHID ID: 2006-31
Date Occured: May 9, 2006
Outcome: Disclosure Only
Incident Description:

A researcher found that the login error page on this sites can be injected.

Additional information:

URL Bug On 1ASPHost and DomainDLX Hosting Services [Bugtraq, Jun 6 2006]

WHID 2006-30: National Secret Agency of Slovak Republic Hacked

Wed, 16 Jun 2010 18:26:51 -0400

Entry Title: WHID 2006-30: National Secret Agency of Slovak Republic Hacked
WHID ID: 2006-30
Date Occured: April 30, 2006
Outcome: Leakage of Information
Incident Description:

A hacker successfully abuse a vulnerability in Horde to penetrate a site owned by the National Security Agency of the Slovak Republic

Additional information:

Narodny Bezpecnostny Urad pwn3d (Slovak with Code Snippets [Blackhole.sk, Apr 25 2006]

National Secret Agency of Slovak Republic [Incidents Mailing List, Apr 26 2006]

WHID 2006-28: Tlen.PL e-mail XSS vulnerability

Wed, 16 Jun 2010 18:28:05 -0400

Entry Title: WHID 2006-28: Tlen.PL e-mail XSS vulnerability
WHID ID: 2006-28
Date Occured: April 20, 2006
Outcome: Disclosure Only
Incident Description:

Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail accounts. The e-mail client is web based with a browser embedded in the communicator software. Certain webmail servers do not validate e-mail subject for HTML tags, allowing attacker to inject script code.

Additional information:

Tlen.PL e-mail XSS vulnerability [Tomasz Koperski, ]

WHID 2007-64: Information about Duke's Students and Applicants Stolen

Wed, 16 Jun 2010 15:50:56 -0400

Entry Title: WHID 2007-64: Information about Duke's Students and Applicants Stolen
WHID ID: 2007-64
Date Occured: December 19, 2007
Outcome: Leakage of Information
Incident Description:

The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.

Additional information:

Hacker may have stolen Duke students' data [UPI, Dec 5 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2009-7: China's Yeepay.com Suffers Internet Payment Hacker Attack

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-7: China's Yeepay.com Suffers Internet Payment Hacker Attack
WHID ID: 2009-7
Date Occured: January 19, 2009
Outcome: Downtime
Incident Description:

China retail news reports that Yeepay, a Chinese online payments provider suffered a major denial of service attack. The story seems to be big in China, but hardly made it to the west.

Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: China

WHID 2007-65: Facebook suing a porn site over automated access

Wed, 16 Jun 2010 15:37:13 -0400

Entry Title: WHID 2007-65: Facebook suing a porn site over automated access
WHID ID: 2007-65
Date Occured: December 19, 2007
Outcome: Leakage of Information
Incident Description:

Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from using valuable resources, such an automated access may breach the site's usage license of public information and might also indicate unlawful activity such as using a botnet. Many times it is hard to know if such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler.

Going forward we are going to add such incidents to WHID if there is a reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a law suit implies that there is fire behind the smoke.

Additional information:

Facebook vs. John Doe [US District Court, San Jose, CA, Oct 23 2007]

Facebook sues Canadian smut firm over hacking [The Register, Dec 17 2007]

Facebook suing Ontario porn firm [The Star, Dec 16 2007]

Attacked Entity Field: Internet

WHID 2006-27: SQL Injection in incredibleindia.org

Wed, 16 Jun 2010 18:28:32 -0400

Entry Title: WHID 2006-27: SQL Injection in incredibleindia.org
WHID ID: 2006-27
Date Occured: April 20, 2006
Outcome: Disclosure Only
Incident Description:

www.incredibleindia.org is official Indian government tourism website.

The researcher has found that the parameter PageID in the page ms_Page.asp is vulnerable to SQL injection. He further tested that SQL error messages enable standard probing methods for finding out the number of columns and their type work.

Additional information:

SQL Injection in incredibleindia.org [Susam Pal, Apr 16 2006]

WHID 2009-45: Vaserv Hacked and Owner Commits Suicide Over Data Loss

Wed, 16 Jun 2010 14:13:35 -0400

Entry Title: WHID 2009-45: Vaserv Hacked and Owner Commits Suicide Over Data Loss
WHID ID: 2009-45
Date Occured: June 10, 2009
Outcome: Data Loss
Incident Description:

This must be the worse incident reported by the Web Hacking Incident Database.

We all know that web security is highly important but neglected. We tell frightening stories but listners think they are only "FUD": fear, uncertainty and doubt, used to sell products and services. I hope that the VAServ incident will serve to warn that those are not fairytale stories. Even so, I wish this one would not have happened.

In this story, like most calamities, it seems that the laymen suffer: small entrepreneurs & upstart companies who lost everything in a hacking incident. One of them even lost his life.

Vaserv web site reporting recovery status, June 10^th:
22:19 vz47uk restored
22:21 vz46uk data loss
22:42 Please allow upto 2 hours for a ticket response as currently we have 200+ active tickets
23:02 vz67uk data loss
23:20 vz50uk data restored
23:23 vz51uk data loss
00:03 FsckVPS server26 and server27 are still being worked on, but data *appears* to be intact

It all started on Sunday, June 7^th: someone broke into the web servers of VAServ, a tiny UK based hosting company. The hackers ruined many of VAServ virtual servers. Some of them lost were for ever as the snippet from VAServ home page, serving as an emergency bulletin board, shows.

As tiny as VAServ is, probably no more than 3 people, in today's virtual and flat world they could serve tens of thousands of low cost web sites, many of them now lost for ever. Behind each one of these web sites there is a story of someone who worked hard, whether on a hobby or a small business and is now left with nothing. A comment made on one of the blog entries about the incident reads:

"yeah thanks for ruining my life for the last 2 years i had built up my site spending alot of money and giving up my job for nothing.........what am i going to tell the wife?"

Just think about tens of thousand of such stories. Daniel Voyce, a web developer using VAServ for all of his clients, told the Register:

"Since last night, I've had probably 40 phone calls from clients saying 'Why is my website down, It's making me look bad."

But this domino effect ruining so many small businesses had another even more devastating angle. Just days before the hack, someone posted on milw0rm a long list of yet unpatched vulnerabilities in Kloxo, a virtual machine management software. The list certainly looks comprehensive enough to enable anyone to penetrate a site using Kloxo, which VAServ where, leading VAServ and others to believe that LxLabs, the Bangalorian software company behind Kloxo is the culprit. Somebody claiming to be the hacker commented to the inquistir blog, claiming that weak password at VAServ where to blame for the hack, which Rus Foster from VAServ denied.

We may never know who is right and who is wrong. LxLabs, just like Vaserv, is a tiny company using the Internet to look big. However one area that suffers a lot in small companies, is their security. It is never important enough to invest resource in security in such a lean and mean operations.

But tiny giants have another weakness: it all falls on the shoulders of too few people. In the case of LxLabs, on KT Ligesh the CEO. Ligesh committed suicide just a day after the hack for which his company was blamed. While already a troubled person, one cannot escape the thought that the hacking incident was the last straw.

Attack Source Geography:
Attacked Entity Field: Service Providers
Attacked Entity Geography:
Reference: http://www.inquisitr.com/25617/update-new-information-on-the-vaserv-hack-that-wiped-100k-sites/

WHID 2006-26: Yahoo XSS used for phishing

Wed, 16 Jun 2010 18:28:56 -0400

Entry Title: WHID 2006-26: Yahoo XSS used for phishing
WHID ID: 2006-26
Date Occured: April 18, 2006
Outcome: Phishing
Incident Description:

An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.

Additional information:

Alert - Yahoo! Webmail XSS [Cesar Cerrudo, Argeniss, Apr 17 2006]

Alert - Yahoo! Mail XSS vulnerability [Cesar Cerrudo, Argeniss, Apr 28 2006]

WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site

Wed, 16 Jun 2010 15:32:45 -0400

Entry Title: WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site
WHID ID: 2007-66
Date Occured: December 19, 2007
Outcome: Planting of Malware
Incident Description:

To iframe or not to iframe, this is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising and WHID is not the right place to list all of them. We currently report such incidents if the hacked site is of interest or if the Attack_Method is known.

Additional information:

Hacker Conquer French Embassy In Libya Webiste [Portalit, Dec 14 2007]

Attacked Entity Field: Government

WHID 2007-67: The Day My Web Site Was Hacked

Wed, 16 Jun 2010 15:31:00 -0400

Entry Title: WHID 2007-67: The Day My Web Site Was Hacked
WHID ID: 2007-67
Date Occured: December 19, 2007
Outcome: Link Spam
Incident Description:

In an incident very similar to the Al Gore Hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.

Additional information:

The day my web site was hacked [IT Week, Dec 17 2007]

Attacked Entity Field: Media
Attacked Entity Geography: UK
Attacked System Technology: WordPress

WHID 2009-43: Web Mail Company to Pay Prize After CEO Hacked

Wed, 16 Jun 2010 14:13:43 -0400

Entry Title: WHID 2009-43: Web Mail Company to Pay Prize After CEO Hacked
WHID ID: 2009-43
Date Occured: June 10, 2009
Outcome: Monetary Loss
Incident Description: What does a challenge to break an web mail system and get $10,000, broken within minutes prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general. Probably all.
The most obvious observatoins is that offering $10,000 for anyone who can break your site and being broken within an hour shows that you don't know what you taking about. Maybe it would be a lesson to all security vendors to not believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives will show how insecure and easy to evade security products can be.
However, judging from the number and seriousness of the incidents reported on the web hacking incidents database, StrongWebmail is not alone and far stronger companies suffers severe incidents, making web applications the weakest link in an organizations information security.
Lastly, we should always remember that there is never perfect security. By making systems more secure we are just raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.
Attack Source Geography:
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Reference: http://www.strongwebmail.com/secure/email/contests/hack/tc

WHID 2007-69: The Orkut XSS Worm

Wed, 16 Jun 2010 15:30:35 -0400

Entry Title: WHID 2007-69: The Orkut XSS Worm
WHID ID: 2007-69
Date Occured: December 19, 2007
Outcome: Worm
Incident Description:

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

Additional information:

The Orkut XSS Worm [GNU Citizen, Dec 19 2007]

Orkut XSS [Sounds From The Dungeon, Dec 19 2007]

Orkut XSS worm in the wild [CGI Security, Dec 19 2007]

Orkut Worm Code (and why was Google so slow to respond?) [TechnoSocial, Dec 19 2007]

Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA

WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection

Wed, 16 Jun 2010 15:30:25 -0400

Entry Title: WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
WHID ID: 2007-70
Date Occured: December 20, 2007
Outcome: Defacement
Incident Description:

Just like WHID 2007-60, this hack is probably a representative of many other incidents. The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your soul" on the Web site of the police department in Tucson, Arizona. Only unlike regular defacement, this time it is not the front page but rather the news section that was modified.

As many you know, the news section is one of the few database driven parts in many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.

Additional information:

Indonesian hacker touches souls by bringing down police web site [The Register, Dec 20 2007]

Attack Source Geography: Indonesia
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA

WHID 2007-71: Hacker uses Social Security numbers from Ohio court site

Thu, 17 Jun 2010 18:25:45 -0400

Entry Title: WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
WHID ID: 2007-71
Date Occured: December 22, 2007
Outcome: Leakage of Information
Incident Description:

The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which is actively used for identity theft. At least one known identity theft case resulted in $40,000 loss to the victim.

The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belong to at least 270 people and includes the name, address, age and other information could be used to obtain credit cards and open bank accounts.

Additional information:

Hacker uses Social Security numbers from Ohio court site [Ohio.com/AP, Dec 22 2007]

Feds take over municipal court Web hacking probe [Columbus Dispatch, Dec 20 2007]

Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA

WHID 2008-53: 'SQL by Design' leaks Thousands of SSNs at an Oklahoma Gov site

Wed, 16 Jun 2010 14:37:07 -0400

Entry Title: WHID 2008-53: 'SQL by Design' leaks Thousands of SSNs at an Oklahoma Gov site
WHID ID: 2008-53
Date Occured: April 14, 2008
Outcome: Leakage of Information
Incident Description:

Alex Papadimoulis hits again with a report on leakage of information on Oklahoma's Department of Corrections web site. The detailed report is very interesting and highlights one of the worse types of SQL injection out there: remote SQL by design.

A unique form of SQL injection, or even just a close sibling, remote SQL by design is a vulnerability in which the web application accepts SQL statements from the client in the normal course of operation. The SQL statement might be used in a hidden field, or generated on the fly by a client side script. In any case, it is extremely difficult to prevent alteration of the SQL statement by a user in such applications, making the applications highly vulnerable.

To find for yourself how common is this vulnerability, just Google for SELECT, FROM and WHERE in the URL. Amazing.

Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2008-32: Yahoo HotJobs XSS

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-32: Yahoo HotJobs XSS
WHID ID: 2008-32
Date Occured: October 26, 2008
Outcome: Session Hijacking
Incident Description:

Netcraft reported an ongoing exploit of XSS vulnerability in Yahoo HotJobs site. The attackers have been using an obfuscated JavaScript to steal session cookies of victims, which were in turn sent to a server in the US.

The stolen cookie was a yahoo-wide cookie and therefore by stealing it the hackers could gain control of every service accessible to the victim within Yahoo, including Yahoo! Mail.

Netcraft identified the issue by observing irregular activity by its toolbar users and Yahoo! fixed the vulnerability short after, on Oct 28th.

Attack Source Geography: USA
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Reference: http://news.netcraft.com/archives/2008/10/26/ongoing_phishing_attack_exposes_yahoo_accounts.html

WHID 2007-72: David Airey domains hijacked

Wed, 16 Jun 2010 15:29:02 -0400

Entry Title: WHID 2007-72: David Airey domains hijacked
WHID ID: 2007-72
Date Occured: December 30, 2007
Outcome: Fraud
Incident Description:

Update (Dec 30th 2008)

It seems that the original report was not accurate and it was not a CSRF vulnerablity that was exploited. The mistake is reported by the victim in an imaginary discussion with Google blog post (Search the page for XSRF) and by Google. Google hints that it was a phishing attack, but David Airey is not convinced.

Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However the following story proves that no matter what, such vulnerabilities cannot be ignored.

The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving to a long vacation. The goal was to extort money in order to return the domain. In David's case there is a happy end, as the attention he got helped him receive his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker who steal domains for living may not be as fortunate.

Additional information:

When fixing is not enough [Securiteam, Dec 28 2007]

WARNING: Google's Gmail security failure leaves my business sabotaged [David Airey, Dec 24 2007]

Google GMail E-mail Hijack Technique [GNUcitizen, Sep 25 2007]

Collective effort restores David Airey.com [David Airey, Dec 27 2007]

Attack Source Geography: Iran
Attacked Entity Field: Media
Attacked Entity Geography: UK

WHID 2008-33: Chinese hacker jailed for false quake alarm

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-33: Chinese hacker jailed for false quake alarm
WHID ID: 2008-33
Date Occured: May 29, 2008
Outcome: Disinformation
Incident Description:

A Chinese student penetrated the Shaanxi Provincial Seismic Bureau's web site and planted a false warning on an earth quake expected the following night reports The Australian.

The false warning created panic, especially since it was made shortly after the devastating earth quake hitting China just a few weeks earlier. The faked warning drew 767 page views within 10 minutes, the bureaus phones became immediately very busy.

As expected in China, authorities were far from forgiving, and the student was jailed for 18 months.

Attack Source Geography: China
Attacked Entity Field: Government
Attacked Entity Geography: China

WHID 2009-42: Puerto Rico sites redirected in a DNS attack

Wed, 16 Jun 2010 14:13:43 -0400

Entry Title: WHID 2009-42: Puerto Rico sites redirected in a DNS attack
WHID ID: 2009-42
Date Occured: April 27, 2009
Outcome: Defacement
Incident Description: Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves shows both the boldness of hackers as well as the fragility of the Internet.
While not new, DNS hijacking attacks took an important turn this year showing how much we rely on the web and now little we care for its protection. In the past DNS hijacking required complete control over the DNS server. In recent years most applications are controlled through a web interface, including DNS servers. Earlier this year attackers found an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing
But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, or country) DNS server using SQL injection, virtually defacing the Puerto Rican site of companies such as Google and Microsoft.
The amazing story unfolds in the comments to CNet story, which outlines a mischievous professor and slow authorities who let him privatize and monetize on domain registration in Puerto Rico without any control.
The question we are left with is whether other countries and geographies different? Or even other industries for that matter?
Attack Source Geography:
Attacked Entity Field: Internet
Attacked Entity Geography: US
Reference: http://news.cnet.com/8301-1009_3-10228436-83.html

WHID 2008-34: Adobe hit by malware

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-34: Adobe hit by malware
WHID ID: 2008-34
Date Occured: October 17, 2008
Outcome: Planting of Malware
Incident Description:

Adobe joins the long list of sites hit by Asprox, a botnet using SQL injection attacks to plant malware. Internet News reports that Sophos has discovered malwares on Adobe Vlog it and Serious Magic sites.

Attacked Entity Field: Technology
Attacked Entity Geography: USA

WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients

Wed, 16 Jun 2010 15:28:05 -0400

Entry Title: WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients
WHID ID: 2007-74
Date Occured: January 1, 2008
Outcome: Leakage of Information
Incident Description:

A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.

Additional information:

Web host breach may have exposed passwords for 6,000 clients [The Register, Sep 19 2007]

Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Attacked System Technology: Cerberus Helpdesk

WHID 2006-25: Everyone.net XSS

Wed, 16 Jun 2010 18:29:25 -0400

Entry Title: WHID 2006-25: Everyone.net XSS
WHID ID: 2006-25
Date Occured: April 12, 2006
Outcome: Disclosure Only
Incident Description:

Everyone.net login script (loginuser.pl) is prone to a cross site scripting attack in the variable loginName.

Additional information:

Everyone.net XSS [Simo Ben Youssef, Feb 12 2006]

WHID 2008-35: Business Week site hit by malware

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-35: Business Week site hit by malware
WHID ID: 2008-35
Date Occured: September 15, 2008
Outcome: Planting of Malware
Incident Description:

Business Week is the latest victim of Asprox, a botnet using SQL injection attacks to plant malware. Internet News reports that Sophos has discovered malwares on a large number of pages on the magazines web site. A Google safe browsing report, which checks how many pages on a web site, if any, are infected with malware picked at 214 out of 2,157 pages on the site, just shy of 10%.

Attacked Entity Field: Information Services
Attacked Entity Geography: USA

WHID 2009-41: Malware in Advertizing at Digital Spy

Wed, 16 Jun 2010 14:13:59 -0400

Entry Title: WHID 2009-41: Malware in Advertizing at Digital Spy
WHID ID: 2009-41
Date Occured: June 2, 2009
Outcome: Planting of Malware
Incident Description: The register reports that Digital Spy, a high profile UK gossip site carried banner inflicting ads. Digital Spy has acknowledged the issue and said it promptly addressed it, however details on the source of the malicious banners is still not availalbe.
Malware distribution through ad programs is a borderline phenomenon. While there is no question that malware distribucion is malicious, and in most geographies illegal, in many cases the site owners are not technically responsible for the content of the ads they serve as the ad content comes directly from a 3rd party. The question whether they are legally responsible is open.
Another issue is defining a malware. Many times ads are used to entice users to download and install programs that are questionable. a rootkit installed through a known browser vulnerability is a malware, however the distinction between adware and malware is many time blurred and depends on:
The ratio between benefit to the user and benefit to the software distributor,
The clarity in which the benefit to the software distributor is explained to the user, and lastly:
The legality of this benefit
Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: UK
Reference: http://www.theregister.co.uk/2009/06/02/digital_spy_malware/

WHID 2007-75: PlusNet blames itself for webmail spamfest

Wed, 16 Jun 2010 15:27:43 -0400

Entry Title: WHID 2007-75: PlusNet blames itself for webmail spamfest
WHID ID: 2007-75
Date Occured: January 1, 2008
Outcome: Leakage of Information
Incident Description:

Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user's database including all e-mails. The e-mail addresses where actively used for sending spam. Additionally the exploit was used to plant malware on some of the customers' web sites.

This incident is unique since PlusNet has published a very interesting and revealing report about the incident that shed a lot of light on real world state of life application security. A must read.

Additional information:

PlusNet blames itself for webmail spamfest [News Story, May 24 2007]

Web mail Incident Report [PlusNet, May 23 2008]

Attacked Entity Field: Service Providers
Attacked Entity Geography: UK

WHID 2009-6: InfoGov switch hosting due to lack of security

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-6: InfoGov switch hosting due to lack of security
WHID ID: 2009-6
Date Occured: January 16, 2009
Outcome: Planting of Malware
Incident Description:

This gem is taken out of a press release issued by a hosting provider. According to the press release, InfoGov, a UK provider of risk management solutions, switched hosting its sites to a new provider because the previous one did not provide adequate solution to an SQL injection attack that penetrated the site and inflicted Malware on InfoGov customers.

Probably yet another fallout from the on going Asprox attack, this incident is interesting as it emphasises the responsibility that customers expect service providers to take in protecting from web based attacks.

Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: UK

WHID 2007-76: A large web hosting firm inflicted by mass malware installation

Wed, 16 Jun 2010 15:27:00 -0400

Entry Title: WHID 2007-76: A large web hosting firm inflicted by mass malware installation
WHID ID: 2007-76
Date Occured: January 1, 2008
Outcome: Planting of Malware
Incident Description:

The Washington Post ran a story about a large scale infiltration to IPower, a major hosting provider. According to the story and the following comments, it seems that the problem is plunging IPower for a long time without being resolved. Put in perspective the PlusNet incident which was serious but swiftly handled and publicly acknowledged by the company.

Actually the problem is so dominant that a recent StopBadware report lists Ipower as by far the most Malware infected hosting company. Reports mention that the problem started as early as mid 2006.

The root cause of the breach here is mentioned as being a vulnerability in either Apache, PHP or cPanel. I have selected the third as being more probably until further evidence materialize.

Additional information:

Cyber Crooks Hijack Activities of Large Web-Hosting Firm [Washington Post, May 23 2007]

StopBadware.org Identifies Companies Hosting Large Numbers of Websites That Can Infect Internet Users With Badware [StopBadware, May 4 2007]

Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Attacked System Technology: cPanel

WHID 2009-5: School data hacked, grades altered

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-5: School data hacked, grades altered
WHID ID: 2009-5
Date Occured: January 15, 2009
Outcome: Disinformation
Incident Description:

This story about student hacking a Pottsville, PA school online system and changing grades demonstrated again that password stealing is by far the most common method in which web sites are hacked.

While it is usually not considered a vulnerability in the application itself, I think that application that expose administrative or high privileges interface to the web should include authentication beyond a simple password. A school grading system is one example. The Twitter administrative interface hacked last week is another example.

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack

Wed, 16 Jun 2010 15:26:18 -0400

Entry Title: WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack
WHID ID: 2007-77
Date Occured: January 1, 2008
Outcome: Planting of Malware
Incident Description:

Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.

Additional information:

HostGator: cPanel Security Hole Exploited in Mass Hack [NetCraft, Sep 23 2007]

Hacked HostGator Sites Distribute IE Exploit [NetCraft, Sep 22 2008]

Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Attacked System Technology: cPanel

WHID 2006-24: Hotmail XSS (2)

Wed, 16 Jun 2010 18:29:47 -0400

Entry Title: WHID 2006-24: Hotmail XSS (2)
WHID ID: 2006-24
Date Occured: April 12, 2006
Outcome: Disclosure Only
Incident Description:

The $a variable in Hotmail's inbox is vulnerable to cross site scripting vulnerability. Exploit requires the victim to open the email message.

Additional information:

Hotmail Cross Site Scripting [Simo Ben Youssef, Feb 20 2006]

WHID 2009-40: SQL injection Hits Sensitive US Army servers

Wed, 16 Jun 2010 14:14:05 -0400

Entry Title: WHID 2009-40: SQL injection Hits Sensitive US Army servers
WHID ID: 2009-40
Date Occured: January 26, 2009
Outcome: Defacement
Incident Description: Information Week reports that a well known Turkish hacker penetrated two sensitive US army servers, one at McAlester Ammunition Plant in McAlester, Okla., and the other at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va. The hacks are the currently under criminal investigation by Defense Department officials.
The breaches where not publicly disclosed and the level of exposure is therefore not known. It is known however that web site visitors where redirected to a site protesting against climate change.
The Register speculates that the attack method was SQL injection.
Attack Source Geography: Turkey
Attacked Entity Field: Government
Attacked Entity Geography: USA
Reference: http://www.informationweek.com/news/government/federal/showArticle.jhtml?articleID=217700619

WHID 2007-78: A Brazilian banking site allows users to views receipts intended for others

Wed, 16 Jun 2010 15:24:46 -0400

Entry Title: WHID 2007-78: A Brazilian banking site allows users to views receipts intended for others
WHID ID: 2007-78
Date Occured: January 1, 2008
Outcome: Leakage of Information
Incident Description:

IDG now reports a bug in the internet banking application of Unibanco, a Brazilian Bank. The vulnerability allowed logged users to view transaction receipts of other unrelated users by changing the "receipt ID" on the form or URL.

Reported by Alexandre Sieira

Additional information:

Unibanco tem brecha em sistema de comprovantes de transa??es online [IDG Now (Google Translate), Jan 29 2007]

Attacked Entity Field: Finance
Attacked Entity Geography: Brazil

WHID 2009-4: Twitter Personal Info CSRF

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-4: Twitter Personal Info CSRF
WHID ID: 2009-4
Date Occured: January 7, 2009
Outcome: Leakage of Information
Incident Description:

Gareth Heyes (and others) reported an interesting vulnerability in Twitter last week. While his post included a proof of concept code, it does not qualify as a hack only a vulnerability disclosure and the Web Hacking Incident Database does not list vulnerabilities.

Luckily Giorgio Maone decided to create his own proof of concept, run it himself and provide us with the result, enabling me to label this as a hack

By exploiting a CSRF bug in twitter (or maybe a feature?) site owners can get twitter profiles of their visitors. For Twitter this is a second this year and now the comprise 50% of the web incidents for 2009. Is this going to be the year of Web 2.0 security?

Attack Source Geography: Italy
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA

WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites
WHID ID: 2007-79
Date Occured: January 1, 2008
Incident Description:

RBN was a big story. It was a hackers group that could work relatively freely in Russia due to rumors connections in high windows. This way it could allow safe hosting for malware. For getting people to the malware they penetrated web sites around the world, and the references article mentioned SQL injection as the method they infiltrated more high profile sites such as US government sites.

Additional information:

Infamous Russian malware gang vanishes [News.com, Nov 9 2008]

US Gov sites Hacked with SQL Injection [Bill Pennington, Nov 9 2008]

Attack Source Geography: Russia
Attacked Entity Field: Government

WHID 2008-49: ValueClick weak decryption and vulnerability to SQL injection

Wed, 16 Jun 2010 14:40:05 -0400

Entry Title: WHID 2008-49: ValueClick weak decryption and vulnerability to SQL injection
WHID ID: 2008-49
Date Occured: March 17, 2008
Outcome: Monetary Loss
Incident Description:

As a side story to ValueClick indictment of deceptive marketing by the FTC, the FTC investigation also found SQL injection vulnerabilities and lack of sufficient encryption of sensitive customer information. These findings contributed to the $2.9 million fine the FTC levied on ValueClick as well as to the company being dumped from managing eBay's affiliate program.

Attacked Entity Field: Marketing
Attacked Entity Geography: USA

WHID 2007-80: Vodafone blocks website after hacking

Wed, 16 Jun 2010 15:21:21 -0400

Entry Title: WHID 2007-80: Vodafone blocks website after hacking
WHID ID: 2007-80
Date Occured: January 1, 2008
Outcome: Defacement
Incident Description:

Yet another defacement, but this time at a very major telecommunication provider in India. These are the guys in charge of our network after all!

Additional information:

Vodafone blocks website after hacking [Times of India, Nov 7 2007]

Attacked Entity Field: Service Providers
Attacked Entity Geography: India

WHID 2006-23: ICQ search vulnerable to XSS

Wed, 16 Jun 2010 18:30:18 -0400

Entry Title: WHID 2006-23: ICQ search vulnerable to XSS
WHID ID: 2006-23
Date Occured: April 12, 2006
Outcome: Disclosure Only
Incident Description:

ICQ.com search script (search_result.php) is vulnerable to cross-site scripting attacks. This problem is due to a failure
in the application to properly sanitize user input, the input can be passed to the vulnerable script in 2 variables
(gender and home_country_code).

Additional information:

ICQ Cross Site Scripting [Simo Ben Youssef, Jan 10 2006]

WHID 2006-22: SQL injection in a banking application

Wed, 16 Jun 2010 18:30:49 -0400

Entry Title: WHID 2006-22: SQL injection in a banking application
WHID ID: 2006-22
Date Occured: April 12, 2006
Outcome: Disclosure Only
Incident Description:

A CIO of a bank in Singapore reports that many application layer vulnerabilities, including SQL injection, where discovered in a banking application they purchased before it was put into production.

Additional information:

Pulled in All Directions [CIO Asia, Jan 1 2006]

WHID 2007-81: MSNBC Turkish site caught serving malware

Wed, 16 Jun 2010 15:20:54 -0400

Entry Title: WHID 2007-81: MSNBC Turkish site caught serving malware
WHID ID: 2007-81
Date Occured: January 1, 2008
Outcome: Planting of Malware
Incident Description:

Another Malware defacement, but this time at a very prominent web site: MSNBC Turkish edition. There are indications that this is an application layer attack.

Additional information:

MSNBC Turkish site caught serving malware [Zdnet, Nov 7 2007]

Malicious Website / Malicious Code: MSNBC's Turkish site compromise [WebSense, Nov 7 2007]

yl18.net mass defacement [SANS ISC, Nov 6 2007]

Attacked Entity Field: Media
Attacked Entity Geography: Turkey

WHID 2008-48: TicketMaster Fighting Hackers Line Bypassing

Wed, 16 Jun 2010 14:41:14 -0400

Entry Title: WHID 2008-48: TicketMaster Fighting Hackers Line Bypassing
WHID ID: 2008-48
Date Occured: March 9, 2008
Outcome: Extortion
Incident Description:

Update (April 19^th 2009) - A recent article in the Vancouver Sun further discuss the issue. While there are no new technical details, the discussion that follows the article is illuminating

Insufficient anti-automation is fast becoming a major, if not the major threat to web application. The reason is that it can be very profitable for the hacker, and on the other hand it is far from a simple vulnerability just requiring a quick fix.

TicketMaster on going combat with hackers line bypassing to buy event tickets to resell them for a high price is a very good example of the issue. In this specific example the hackers demonstrate that Captcha, a method of blocking automated programs by presenting a challenge supposedly difficult for a computer software, is not sufficient.

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2008-01: Information stolen from geeks.com (Updated)

Wed, 16 Jun 2010 15:16:34 -0400

Entry Title: WHID 2008-01: Information stolen from geeks.com (Updated)
WHID ID: 2008-01
Date Occured: January 8, 2008
Outcome: Leakage of Information
Incident Description:

Update (Feb 8^th 2009) - The company has reached a settlement with the FTC. Not a breathtaking achievement in the effort to make business care about web application security, yet a step in this direction. The report also identifies the attack as an SQL injection attack.

Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).

The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they where patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment....

And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.

Additional information:

Update: 'Hacker safe' Web site gets hit by hacker [Copmuter World, Jan 7 2008]

'Hacker Safe' Geeks.com Hacked [Information Week, Jan 7 2008]

Geeks.com Website Hacked, Customer Data Stolen [Consumerist, ]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2009-39: Uno is back: 245,000 records stolen from Orange France using SQL injection

Wed, 16 Jun 2010 14:14:12 -0400

Entry Title: WHID 2009-39: Uno is back: 245,000 records stolen from Orange France using SQL injection
WHID ID: 2009-39
Date Occured: May 26, 2009
Outcome: Leakage of Information
Incident Description: After focusing earlier this year on Anti-Virus vendors, Uno, the Romanian Hacker is now back and reports in his blog that an Orange France web site dedicated to photo management is vulnerable to SQL injection and that he was able to access 245,000 records from the web site.
Attack Source Geography: Romania
Attacked Entity Field: Service Providers
Attacked Entity Geography: France
Number of Records: 245,000
Reference: http://www.hackersblog.org/2009/05/25/orange-is-so-cool/

WHID 2007-82: An SQL injection Mass Robot

Thu, 17 Jun 2010 18:28:26 -0400

Entry Title: WHID 2007-82: An SQL injection Mass Robot
WHID ID: 2007-82
Date Occured: January 8, 2008
Outcome: Planting of Malware
Incident Description:

An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for a name of Chinese sites referred to in malicious code.

As a security practitioner I often see SQL injection bots, and many times when I install ModSecurity, an open source application firewall but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into a malicious code in the hope that it will be fetched and displayed by the application to its users.

A byproduct if this vector is that is that results are catastrophic for the site owners. While in a case of common defacement attacks restoring (or recreating) the homepage is all it required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backup, requires much more expertise, the overall damage of this attack is very high.

Additional information:

70,000 Web Pages Hacked By Database Attack [Information Week, Jan 8 2008]

Realplayer Vulnerability [SANS Internet Storm Center, Jan 4 2008]

Massive embedded exploit web site attack underway [Heise, Jan 8 2008]

SQL Injection Attack Infects Thousands of Websites [Ryan Barnett, Jan 8 2008]

Mass exploits with SQL Injection [SANS, Jan 9 2008]

Attack Source Geography: China

WHID 2008-47: The Federal Suppliers Guide validates login credential in JavaScript

Wed, 16 Jun 2010 14:44:09 -0400

Entry Title: WHID 2008-47: The Federal Suppliers Guide validates login credential in JavaScript
WHID ID: 2008-47
Date Occured: February 29, 2008
Outcome: Monetary Loss
Incident Description:

Alex Papadimoulis tells in a brilliantly humoristic way about the lack of security of the Federal Suppliers Guide's web site. The guide, is presumably limited to federal procurement agents only, but at the time of writing the credential checking was done on the client in JavaScript and for a single global user name and password.

Beyond making a mockery of the claim that the guide was limited to federal agents only, it also seemed to be a marketing method as it limits the potential advertisers from checking who is in the guide. After getting in Alex contacted some of the advertisers to find out that none of them got any value from the guide. Alex did not join, and I wonder how much Alex's report lowered the Federal Suppliers Guide earning.

Attack Source Geography: USA
Attacked Entity Field: Marketing
Attacked Entity Geography: USA

WHID 2008-02: Italian Bank's XSS Opportunity Seized by Fraudsters

Wed, 16 Jun 2010 15:16:03 -0400

Entry Title: WHID 2008-02: Italian Bank's XSS Opportunity Seized by Fraudsters
WHID ID: 2008-02
Date Occured: January 9, 2008
Outcome: Phishing
Incident Description:

It has been a while since a phishing scam using XSS vulnerability found its way to the Web Hacking Incidents database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed, however most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.

Additional information:

Italian Bank's XSS Opportunity Seized by Fraudsters [NetCraft, Jan 8 2008]

Attacked Entity Field: Finance
Attacked Entity Geography: Italy

WHID 2006-21: Sourceforge.net XSS (1)

Wed, 16 Jun 2010 18:31:10 -0400

Entry Title: WHID 2006-21: Sourceforge.net XSS (1)
WHID ID: 2006-21
Date Occured: April 12, 2006
Outcome: Disclosure Only
Incident Description:

Sourceforge download pages are vulnerable to XSS

Additional information:

Sourceforge XSS [Bugtraq, Feb 24 2006]

WHID 2009-38: Time's Poll For Most Influencial Hacked

Wed, 16 Jun 2010 14:14:14 -0400

Entry Title: WHID 2009-38: Time's Poll For Most Influencial Hacked
WHID ID: 2009-38
Date Occured: April 15, 2009
Outcome: Link Spam
Incident Description:

Polls are easy target for automation abuse. You can usually participate anonymously and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

Such poll are probably always distorted by automated programs, with every stakeholder running his own robot to promote a cause. The current time poll status Shawn above includes mostly known people, though the standings do seem skewed. Is it just that our view of the world is different than others, or have Muslims around the world become avid Time readers? The top rated person, "moot", which none of you heard about until now, proves that it is all about automation.

This specific poll distortion reported by Paul Lamere is unique since a group of hackers called 4chan, led by "moot", took the time to fight Time's humble attempts to mitigate automation. Among the measures and countermeasures that 4chan and Time exchanged are:

4chan distributed the simple get URL required to vote for moot through legitimate web sites and comment spamming. Such a link can easily be executed automatically by a web site user without his awareness using CSRF techniques.

Using a typical CSRF counter measure, Time added a salted and hashed key to ensure that the poll was submitted from its own poll form. However the key was authentication on the client by Time's poll Flash application enabling 4chan to easily find it out and overcome the issue.

The Time voting mechanism did not even check that the ranking in the vote was legal, so a link to vote down "moot" competitors in the list was also used until Time fixed the issue. Voting down is key to winning such a poll as 4chan competitors are not at rest running their own sophisticated campaigns.

Lastly 4chan developed sophisticated robots to auto-vote. Those robots overcome Time's anti-automation protections: since each user is allowed to vote just once in every 13 seconds, the robots uses open proxies to vote faster. Since time only prevents voting for the same person from the same IP, the robots used the extra 12 seconds available for each source IP to vote down competitors. The system also reports to a central server allowing monitoring of the voting rate!

However this specific hack is ever more interesting. At one point 4chan where bored with just running moot for presidency, so they decided to use their sophisticated machine to do a more elaborate work. They decided to fix all first 21 nominees so that their initials would spell "Marblecake Also the Game". And as Paul Lamere's screenshot proves, they made it.

Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: USA
Reference: http://www.theregister.co.uk/2009/04/17/time_top_100_hack/

WHID 2006-48: SQL Injection Used to Steal Information from "Life is Good"

Thu, 17 Jun 2010 18:24:19 -0400

Entry Title: WHID 2006-48: SQL Injection Used to Steal Information from "Life is Good"
WHID ID: 2006-48
Date Occured: January 19, 2008
Outcome: Credit Card Leakage
Incident Description:

Update (Jan 26^th 2009) - an SC magazine article sheds more light on the incident revealing that there was actually a breach, apparently using SQL injection, which resulted in leakage of 10,000 credit card numbers

An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".

The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the company requires the company to accept a very comprehensive and costly security procedure going forward.

Additional information:

Online Retailer Settles Charges That It Left Consumer Data Open To Hackers [Information Week, Jan 18 2008]

FTC Wags Finger At Site For Weak Consumer Data Security [Storefront Backtack, Jan 18 2008]

n the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046 [Federal Trade Commission, Jan 17 2008]

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2006-20: Sourceforge.net XSS (2)

Wed, 16 Jun 2010 18:31:39 -0400

Entry Title: WHID 2006-20: Sourceforge.net XSS (2)
WHID ID: 2006-20
Date Occured: April 10, 2006
Outcome: Disclosure Only
Incident Description:

Sourceforge forums search is vulnerable to XSS

Additional information:

Sourceforge.net XSS [Vulnerability Development, Apr 9 2006]

WHID 2008-04: RIAA web site cleared

Wed, 16 Jun 2010 15:15:24 -0400

Entry Title: WHID 2008-04: RIAA web site cleared
WHID ID: 2008-04
Date Occured: January 22, 2008
Outcome: Defacement
Incident Description:

The web site of RIAA, the Recording Industry Association of America was attacked twice using SQL injection over the weekend. First a query that takes particularly long time was posted on a social network web site causing a distributed denial of service attack against the site. Later on hackers found and abused additional SQL injection and XSS vulnerabilities resulting in major defacement of the site.

Additional information:

RIAA wiped off the net [The Register, Jan 21 2008]

This link runs a slooow SQL query on the RIAA's server. Don't click it; that would be wrong [Reddit, Jan 20 2008]

RIAA Website Wiped Clean by "Hackers" [Torrent Freak, Jan 20 2008]

Attacked Entity Field: Entertainment

WHID 2006-19: Google XSS

Wed, 16 Jun 2010 18:32:14 -0400

Entry Title: WHID 2006-19: Google XSS
WHID ID: 2006-19
Date Occured: April 10, 2006
Outcome: Disclosure Only
Incident Description:

Yet another Google XSS. This time it seems to hit Arabic variant of the main search site. It seems that the actual language selector parameter enables the attack.

Additional information:

Google XSS (1) [Bugtraq, Apr 10 2006]

Google XSS (2) [Bugrtaq, Apr 10 2006]

WHID 2009-37: Twitter XSS/CSRF worm series (Updated)

Wed, 16 Jun 2010 14:14:28 -0400

Entry Title: WHID 2009-37: Twitter XSS/CSRF worm series (Updated)
WHID ID: 2009-37
Date Occured: April 11, 2009
Outcome: Worm
Incident Description:

Update (Apr 19^th 2009) - The initial Mooney Twitter worm has evolved into a series of 5 worms at the time of writing, each exploiting a different vulnerability in Twitter. The latest one specifically focuses on twitter accounts who have a high number of followers thus targeting celebrities such as Ashton Kutcher and Oprah Winfrey according to Graham Cluley from Sophos.

The hack seems to have paid of to Mikeyy Mooney who was hired to as security consultant following the incident.

Twitter is in the spotlights again. Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, a Twitter alternative, admitted to hacking his giant competitor by implementing a worm that propagated itself through twitter making every affected user tweet about StalkDaily. Mikeyy certainly got the advertising and page views he was looking for.

Mikeyy's worm is a good example of how CSRF and XSS can be combined to create a strong blended attack, in this case a propagating worm. A Web 2.0 community generated site such as twitter is often vulnerable to stored XSS . This often implies that a user can update his own profile with malicious code and as a result others who view his content get hit. Without any other vulnerability to complicate things, you are safe as long as your friends are trustworthy.

However, if the site is also vulnerable to CSRF, the XSS exploit can include in addition to the payload also the original XSS inflicting code run under the attacked users credential, modifying his content and therefore hiting his own friends, which hit their own friends and so on.

You can find the technical details of the attack on Damon Cortesi's blog. You may also be interested in the full XSS payload.

Attack Source Geography: USA
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Reference: http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/

WHID 2009-3: Google Trends Falls Victim to a Stunt

Wed, 16 Jun 2010 18:50:03 -0400

Entry Title: WHID 2009-3: Google Trends Falls Victim to a Stunt
WHID ID: 2009-3
Date Occured: January 6, 2009
Outcome: Disinformation
Incident Description:

Someone, and not for the 1st time, succeeded in manipulating Google Trends, a Google service listing popular search terms. In this case the New York Time reports that a symbol at presumably denoting 9/11 reached number 2 in the list of hot Trends (see picture right).

While this may be nothing more than a joke, the capability to create a trend can have a huge and sometimes devastating effect. After all in recent months the future of big financial institutes was determined by the rumor mill.

On the technical side, insufficient anti-automation controls have been one of the more obscure and hardest to fix vulnerabilities in web applications. Starting with the Lexis-Nexis incident (WHID 2005-65), many incidents where waved off as nothing more than an automated client. However, as the incidents pile it becomes clear that it is the responsibility of the site owner to mitigate such harmful automation attacks.

Attacked Entity Field: Internet
Attacked Entity Geography: USA

WHID 2008-05: Drive-by Pharming in the Wild

Wed, 16 Jun 2010 15:14:35 -0400

Entry Title: WHID 2008-05: Drive-by Pharming in the Wild
WHID ID: 2008-05
Date Occured: January 28, 2008
Outcome: Phishing
Incident Description:

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to changethe DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.

Additional information:

Drive-by Pharming in the Wild [Symantec, Jan 22 2008]

Symantec reports first active attack on a DSL router [Heise, Jan 24 2008]

Client Side Web Server Hacking [WHID Blog, Jan 28 2008]

Attacked Entity Field: Finance
Attacked Entity Geography: Mexico
Attacked System Technology: DSL Router

WHID 2006-18: Myspace.com - Intricate Script Injection Vulnerability

Wed, 16 Jun 2010 18:33:49 -0400

Entry Title: WHID 2006-18: Myspace.com - Intricate Script Injection Vulnerability
WHID ID: 2006-18
Date Occured: April 10, 2006
Outcome: Disclosure Only
Incident Description:

Forget putting <script> tags in input field. This high tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.

Additional information:

Myspace.com - Intricate Script Injection Vulnerability [Justin Lavoie, Apr 5 2006]

WHID 2009-36: Hackers steal Austalian and NZ Shell customer info (Updated)

Wed, 16 Jun 2010 14:14:36 -0400

Entry Title: WHID 2009-36: Hackers steal Austalian and NZ Shell customer info (Updated)
WHID ID: 2009-36
Date Occured: February 17, 2009
Outcome: Leakage of Information
Incident Description:

Update (Apr 19^th 2009) - (Presumably) the hacker posted a comment to this story with some details. He says that the Number_of_Records leaking was much higher: 17,000 Aussies and 7,000 Kiwis. The rest we did not understand and hope that either he or any of you can clarify.

WHID 2008-06: Hackers Take Down Pennsylvania Government

Wed, 16 Jun 2010 15:12:52 -0400

Entry Title: WHID 2008-06: Hackers Take Down Pennsylvania Government
WHID ID: 2008-06
Date Occured: January 28, 2008
Outcome: Defacement
Incident Description:

Additional information:

Hackers Take Down Pennsylvania Government [Linux Journal, Jan 10 2008]

Hackers Force Pa. to Shut State Web Site [AP, Jan 4 2008]

Pennsylvania State Disconnects from Internet Over Chinese Hacker Phearz [Geeks Are Sexy, Jan 9 2008]

Officials say no data was compromised by hackers [Post Gazette, Jan 6 2008]

Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2008-46: CheckFree customers redirected to fraudsters sites

Wed, 16 Jun 2010 14:46:00 -0400

Entry Title: WHID 2008-46: CheckFree customers redirected to fraudsters sites
WHID ID: 2008-46
Date Occured: December 2, 2008
Outcome: Phishing
Incident Description:

In an attack with an alarming similarity to the COX incident (WHID 2008-45), but with a far greater potential damage, hackers changes the DNS records for CheckFree, the largest bill payment service in the USA. Customers where redirected to servers in the Ukraine, which attempted to install a password login software on their computers.

The change was done using correct credentials to login to the administrative web site of Network Solutions, CheckFree domain registrar. It is yet unknown how the hackers got the credentials. Since Phishing attacks against domain registrars including Network Solutions have started to surface recently, a good guess is that it was through a Phishing attack.

According to CheckFree report to the authorities, it estimates that around 160,000 customers where expoesed to the attack, and informed 5 million potential victims who may have been among this group.

Additional information:

The Washington Post's analysis of the incident

Attack Source Geography: Ukraine
Attacked Entity Field: Finance
Attacked Entity Geography: USA

WHID 2008-07: Another Free MacWorld Platinum Pass? Yes in 2008!

Wed, 16 Jun 2010 15:12:20 -0400

Entry Title: WHID 2008-07: Another Free MacWorld Platinum Pass? Yes in 2008!
WHID ID: 2008-07
Date Occured: January 28, 2008
Outcome: Monetary Loss
Incident Description:

Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes where hashed but stored on the client browser, Kurt was able to crack them.

Additional information:

Another Free MacWorld Platinum Pass? Yes in 2008! [Kurt Grutzmacher, Jan 14 2008]

Attacked Entity Field: Technology
Attacked Entity Geography: USA

WHID 2006-17: Mass defacement using XSS at Israblog

Wed, 16 Jun 2010 18:34:21 -0400

Entry Title: WHID 2006-17: Mass defacement using XSS at Israblog
WHID ID: 2006-17
Date Occured: April 10, 2006
Outcome: Defacement
Incident Description:

Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers sessions and deface them. The defacing was used to inform the world that Israblog lead developer is a bad programmer.

Additional information:

Large Scale Breakin to Israblog [NRG (Hebrew), Apr 5 2006]

WHID 2007-83: More Social Security numbers leaked at Montana State University

Wed, 16 Jun 2010 15:20:46 -0400

Entry Title: WHID 2007-83: More Social Security numbers leaked at Montana State University
WHID ID: 2007-83
Date Occured: January 28, 2008
Outcome: Leakage of Information
Incident Description:

Again a Microsoft Excel file was left on a University's web site for anyone to view.

Additional information:

More Social Security numbers leaked at MSU [Montana's News Station, Nov 7 2007]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2006-16: AstraTel customer call records leaked

Wed, 16 Jun 2010 18:35:22 -0400

Entry Title: WHID 2006-16: AstraTel customer call records leaked
WHID ID: 2006-16
Date Occured: April 10, 2006
Outcome: Leakage of Information
Incident Description:

A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy.

The service redirected users to a different server and propagated the user information in a hidden field without re-authenticating.

Additional information:

Privacy breach at ISP [Australian IT, Mar 31 2006]

AstraTel customer call records leaked [Public Forum, Mar 31 2006]

WHID 2009-2: Twitter accounts of the famous hacked (Updated)

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-2: Twitter accounts of the famous hacked (Updated)
WHID ID: 2009-2
Date Occured: January 5, 2009
Outcome: Defacement
Incident Description:

Update (Jan 11^th 2009) - The hacker bragged about the hack and revealed that it was a brute force dictionary attack against an administrator account. Twitter does not block repetitive login failures therefore enabling brute force attacks. We are still leaving the incident classification "insufficient authentication" in addition to brute force as we feel an administration interface should have additional authentication mechanism and not just a password.

Twitter announced that a hacker broke into 33 accounts including Obama's now inactive twitter. The hack is a result of a flaw in a web based support tool used by twitter, which where evidently accessible externally without proper authorization.

It is important to note that this incident is not related to Twitter phishing attack which occurred on the previous weekend.

This incident highlights the issue of public facing administration interfaces, which often combine strong functionality with lesser attention to quality and therefore security. As organizations virtualize, those interfaces become available over the Internet, often without sufficient protection.

You can read some of the funny things that the hacker published in different twitters on Read Write Web.

Additional information:

CNet

Media Bistro

Attack Source Geography: USA
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Attacked System Technology: Administration Tool
Items Leaked: Password
Number of Records: 33

WHID 2008-08: Hacker steals Davidson Cos. clients' data

Wed, 16 Jun 2010 15:11:45 -0400

Entry Title: WHID 2008-08: Hacker steals Davidson Cos. clients' data
WHID ID: 2008-08
Date Occured: February 4, 2008
Outcome: Leakage of Information
Incident Description:

A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm and stole their entire customers' database: 226,000 records including names and social security numbers. Attack_Method is not known, but it seems very much like a web hack.

Additional information:

Hacker steals Davidson Cos. clients' data [Great Falls Tribune, Feb 4 2008]

Davidson Companies Informs Clients of Network Intrusion Resulting in Illegal Access to Personal Data [Davidson Companies, Jan 30 2008]

Davidson Co.'s security breach reminds that personal data isn't as safe as we'd like [Great Falls Tribune, Feb 11 2008]

Attacked Entity Field: Finance
Attacked Entity Geography: USA

WHID 2009-35: Former US Senator Donors Information Leaks

Wed, 16 Jun 2010 14:14:37 -0400

Entry Title: WHID 2009-35: Former US Senator Donors Information Leaks
WHID ID: 2009-35
Date Occured: March 11, 2009
Outcome: Leakage of Information
Incident Description:

Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the senate. If the way he manages his web site security and the crises it created are an indicator, I am not sure that he has a place there.

The Coleman team called in the US Secret Service to investigate the leak in which sensitive information about more than 4700 donors was published on Wikileaks, a web site devoted to such exposures. Coleman himself called the incident "an obviously an attack on my campaign".

However the Minnesota Independent reveals that the information was exposed for anyone to view on the senator's web site since at least January 28^th. Hardly an attack. At the time the site was suffering performance issues and in a debate about the cause somebody commented to an Independent about the an exposed database, which the Independent was fast to report on. Moreover, Wikileaks took the trouble to inform the people in the list that their information leaked, while it took the Senator team over a month to react.

Attack Source Geography:
Attacked Entity Field: Politics
Attacked Entity Geography: USA
Number of Records: 4,700
Reference: http://minnesotaindependent.com/28711/breaking-colemans-unsecured-donorbase-to-be-revealed-on-wikileaks

WHID 2008-09: Hacking Stage 6

Wed, 16 Jun 2010 15:11:17 -0400

Entry Title: WHID 2008-09: Hacking Stage 6
WHID ID: 2008-09
Date Occured: February 10, 2008
Outcome: Leakage of Information
Incident Description:

Sensitive information about people who created an account on the site leaked and was published through IRC.

Additional information:

Stage 6 - Hacking [Wikipedia, Feb 9 2008]

Attacked Entity Field: Entertainment
Attacked Entity Geography: USA

WHID 2009-34: Romanian Hacker Moves On To The Telegraph

Wed, 16 Jun 2010 14:14:40 -0400

Entry Title: WHID 2009-34: Romanian Hacker Moves On To The Telegraph
WHID ID: 2009-34
Date Occured: March 6, 2009
Outcome: Leakage of Information
Incident Description:

Another week, another hack by the HackerBlog, and when it targets an important web site and the impact is severe it is worthy of WHID. This time the Romanian hacker used blind SQL injection to penetrate to the web site of the Telegraph, a leading English daily paper.

Among his findings is a table including 700,000 e-mails, which would be a gold mine for spammers.

The Telegraph response was published on their official blog.

Attack Source Geography: Romania
Attacked Entity Field: Media
Attacked Entity Geography: UK
Reference: http://www.hackersblog.org/2009/03/06/telegraphcouk-hacked-sql-injection/

WHID 2006-15: eBay contains a cross-site scripting vulnerability

Wed, 16 Jun 2010 18:35:49 -0400

Entry Title: WHID 2006-15: eBay contains a cross-site scripting vulnerability
WHID ID: 2006-15
Date Occured: April 4, 2006
Outcome: Disclosure Only
Incident Description:

eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description which creates a cross-site scripting vulnerability in the eBay website

Additional information:

eBay contains a cross-site scripting vulnerability [Addict3D, Apr 4 2006]

Phishers set hidden traps on eBay [CNet, Mar 31 2006]

WHID 2007-84: Soccer league's online shoppers get kicked by security breach

Wed, 16 Jun 2010 15:20:31 -0400

Entry Title: WHID 2007-84: Soccer league's online shoppers get kicked by security breach
WHID ID: 2007-84
Date Occured: February 10, 2008
Outcome: Leakage of Information
Incident Description:

It is already February, and we still add 2007 incidents. If
you wonder why, it is because organizations such as MLS only now find
out that they were hacked last year! Sometime between January and
August of 2007, names, addresses, credit and debit card data, and
passwords of an unknown number of people, including 169 New Hampshire
residents were stolen from the site.

Why New Hampshire? Because the company has to report to the
authorities there about the incidents, but only specify the number of
individuals from this state affected. Why only New Hampshire? Since
regulations and bills requiring disclosures exist in many states, one
would expect that the company would have to provide such a testimonial
in many states. This incident is another good example of the size of
the hidden part of the iceberg.

Additional information:

Soccer league's online shoppers get kicked by security breach [Computer World, Feb 8 2008]

MLSgear.com Notification to NH DOJ [New Hampshire DOJ, Feb 1 2008]

Attacked Entity Field: Sports
Attacked Entity Geography: USA

WHID 2008-45: Comcast domain hijacked

Wed, 16 Jun 2010 14:46:58 -0400

Entry Title: WHID 2008-45: Comcast domain hijacked
WHID ID: 2008-45
Date Occured: January 5, 2009
Outcome: Defacement
Incident Description:

Recently the domain names has been the focus on hacking activity. Hackers found that hijacking a domain is as effective if not more than attacking the web site itself.

Are domain hacking a case of web hacking? should they be included in WHID? in this case it seems, according to the Wired report that the hack itself involved attacking the domains registrar's (Network Solutions) web interface.

However, we believe that the resulting "virtual" defacement of the web site by redirecting users to a fraudulent web site is still a web hack, even if the DNS hijacking is not web related.

The defaced site, as logged by the register was:

Attacked Entity Field: Internet
Attacked Entity Geography: USA

WHID 2008-10: Chinese hacker steals user information on 18 Million online shoppers at Auction.co.kr

Wed, 16 Jun 2010 15:10:51 -0400

Entry Title: WHID 2008-10: Chinese hacker steals user information on 18 Million online shoppers at Auction.co.kr
WHID ID: 2008-10
Date Occured: February 12, 2008
Outcome: Leakage of Information
Incident Description:

Update (January 5th 2009)

We where informed by sources at eBay the Korean sites parent company that the issue was not CRSF or seesion hijacking. The Attack_Method was not disclosed.

A Korean e-commerce site was hacked and a staggering number of record, 18 million, where stolen. In the US this would be front news. We don't know if it was front news in Korea, but did not get to the international media.

The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non English incidents! After all, it is not English speakers only that get hacked, but rather us, the WHID maintainers that speak only this language.

More Information:

The Dark Visitor

Attacked Entity Field: Retail
Attacked Entity Geography: Korea

WHID 2009-33: eBay Fraud Abuses Zero Day XSS

Wed, 16 Jun 2010 14:14:46 -0400

Entry Title: WHID 2009-33: eBay Fraud Abuses Zero Day XSS
WHID ID: 2009-33
Date Occured: March 4, 2009
Outcome: Monetary Loss
Incident Description:

A zero day XSS vector enables hackers to include in an eBay offer an arbitrary code which is executed by both FireFox and IE. As a result they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.

A very detailed technical explanation of the vulnerability is included in a FireFox community discussions on whether the issue is a browser or a web site issue. As usual, the truth is somewhere in the middle. The FireFox team selected to correct the issue discovered in FireFox. Microsoft claimed that the issue exploited in IE, which is reported to be a CSS expression issue, is not feature and not a bug and the vulnerable web site should be fixed.

Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=481558

WHID 2008-11: Hacker breaks into Ecuador's presidential website

Wed, 16 Jun 2010 15:09:41 -0400

Entry Title: WHID 2008-11: Hacker breaks into Ecuador's presidential website
WHID ID: 2008-11
Date Occured: February 12, 2008
Outcome: Defacement
Incident Description:

Was it defaced or not? In this extraordinary incident, a hacker broke to the web site of the Ecuadorian president and said nice things about him. So nice in fact that the presidential office had to apologize in front of the opposition leader. Was it a hack or an over enthusiastic marketing person?

Additional information:

Hacker breaks into Ecuador's presidential website [Thaindian News, Feb 11 2008]

Attacked Entity Field: Government
Attacked Entity Geography: Ecuador

WHID 2008-44: Balkan cyber wars

Wed, 16 Jun 2010 14:47:48 -0400

Entry Title: WHID 2008-44: Balkan cyber wars
WHID ID: 2008-44
Date Occured: April 1, 2008
Outcome: Downtime
Incident Description:

The interesting report in ZDnet about the cyber war around Kosovo is unique in describing the process. According to the report hacker groups on each side share information in order to make attacks more efficient. Some collect vulnerable web sites, while others use automatic defacement tools to attack.

On the positive side, the report states that at the time of writing, there is a ceasefire and parties are negotiating. Is there room for cyber peace along side cyber war?

Attacked Entity Field: Various

WHID 2008-60: Miley Cyrus Pictures Leaked Due to a Web Hack (Updated)

Wed, 16 Jun 2010 14:27:32 -0400

Entry Title: WHID 2008-60: Miley Cyrus Pictures Leaked Due to a Web Hack (Updated)
WHID ID: 2008-60
Date Occured: October 20, 2008
Outcome: Leakage of Information
Incident Description:

Update (April 19th 2009) - E!News provides additional interesting details about Josh Holly, the hacker who carried out the attack. They actually took the trouble to go to Holly's hometown and and ask people about him,providing an interesting insight into the celebs hacking phenomena.

Celebs are fast becoming a prime hacking target. Miley Cyrus already made her debut at WHID when her Twitter account was raided. But it seems that this was not her first cyber incident for her. As reported by Wired, late last year a hacker named Josh Holly published private photos of Ms. Cyrus stolen from her G-mail account.

The hack was a relatively sophisticated one and a very good example of the risks of Web 2.0. Holly penetrated a MySpace administrator using social engineering. Using the account he gained access to a list of passwords which MySpace stored in an unencrypted form. Unbelievable. Since most of us use the same password for multiple services, Holly used Cyrus' MySpace password on her G-mail account gaining access and retrieving the photographs.

In a related but yet unconfirmed story Holly claims to have used the MySpace administrative account for an advertising scam by which he gained $50,000.

Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography:

WHID 2008-12: Greek ministry websites hit by hacker intrusion

Wed, 16 Jun 2010 15:09:02 -0400

Entry Title: WHID 2008-12: Greek ministry websites hit by hacker intrusion
WHID ID: 2008-12
Date Occured: February 17, 2008
Outcome: Defacement
Incident Description:

This is yet another case of defacement of a governmental web site. It is amazing to note it is nearly never the large commercial and financial web sites that are defaced. It is either small mom and dad shops or government and political web sites. Don't you get the feeling the government IT is run like a mom and dad shop? Do you wonder if it is only the IT part that is run that way?

Additional information:

Ministry websites hit by hacker intrusion [Kathimerini, Jan 31 2008]

Attacked Entity Field: Government
Attacked Entity Geography: Greece

WHID 2008-43: Russian nuclear power web sites attacked amid accident rumors

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2008-43: Russian nuclear power web sites attacked amid accident rumors
WHID ID: 2008-43
Date Occured: January 5, 2009
Incident Description:

Novosti, the Russian news agency reports that in what seems to be a planned dual head attack to break panic by spreading a rumor about a nuclear accident near St. Petersburg.

At the same time that e-mails spreading the rumor where distributed, hackers blocked access to web sites enabling the public to check for themselves the status of the nuclear power pland intensifying the panic.

Attacked Entity Field: Government
Attacked Entity Geography: Russia

WHID 2006-14: Forgotten password clues create hacker risk

Wed, 16 Jun 2010 18:36:52 -0400

Entry Title: WHID 2006-14: Forgotten password clues create hacker risk
WHID ID: 2006-14
Date Occured: April 4, 2006
Outcome: Disclosure Only
Incident Description:

A UK Security Consulting firm reports that 54 UK sites that it has surveyed have flaws in the "forgotten password" feature.

Additional information:

Forgotten password clues create hacker risk [The Register, Mar 20 2006]

WHID 2007-85: IndiaTimes.com Visitors Risk High Exposure To Malware

Wed, 16 Jun 2010 15:19:24 -0400

Entry Title: WHID 2007-85: IndiaTimes.com Visitors Risk High Exposure To Malware
WHID ID: 2007-85
Date Occured: February 17, 2008
Outcome: Planting of Malware
Incident Description:

The web site of a leading Indian newspaper is swamped with malware. A recent survey by WebSense cites by the Register found that of the sites hosing malware, 51% where legitimate sites that have been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally undermining WebSense own web site classification technology as a security solution.

Additional information:

IndiaTimes.com Visitors Risk High Exposure To Malware [Information Week, Nov 9 2007]

Attacked Entity Field: Media
Attacked Entity Geography: India

WHID 2009-32: 750 Twitter Accounts Hacked

Wed, 16 Jun 2010 14:14:50 -0400

Entry Title: WHID 2009-32: 750 Twitter Accounts Hacked
WHID ID: 2009-32
Date Occured: March 10, 2009
Outcome: Link Spam
Incident Description:

Twitter reports in a blog entry that 750 accounts were hacked. The hacker posted messages linking to a porn webcam. While Twitter did not disclose how the attack was carried out, the suggested remediation hints that the account passwords were guessed, probably using a brute force attack.

Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Items Leaked: Password
Number of Records: 750

WHID 2008-54: Hacker Redirects Obama's site to Hillary Clinton's

Wed, 16 Jun 2010 14:37:04 -0400

Entry Title: WHID 2008-54: Hacker Redirects Obama's site to Hillary Clinton's
WHID ID: 2008-54
Date Occured: April 18, 2008
Outcome: Defacement
Incident Description:

Netcraft reports that a hacker managed to redirect traffic from Barak Obama's web site to Hillary Clinton's site during the primaries held between the two.The culprit, an XSS bug in the Obama's site community blogs section, highlights the danger of user contributed content to web sites.

An interesting side story is that Oliver Friedrichs from Symantec was quoted in a Computer World article only a week earlier saying that presidential campaign web sites are "clueless" about security. Was this a prophecy of or the trigger for the hack?

Additional technical information can be found on XSSed.

Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2008-59: Spotify Streaming Music Service Hacked and Millions of Records Leaked

Wed, 16 Jun 2010 14:29:17 -0400

Entry Title: WHID 2008-59: Spotify Streaming Music Service Hacked and Millions of Records Leaked
WHID ID: 2008-59
Date Occured: December 19, 2008
Outcome: Leakage of Information
Incident Description:

This time we may need to remove the word "web" leaving this incident classified only as "application security". Spotify is a new music streaming radio like service from Sweden. A weakness in Spotify streaming protocols enables hackers to gain access to users' encrypted passwords, email address, birth date, gender, postal code and billing receipt.

An interesting aspect of this incident is that while the vulnerability has been discovered and fix on December 19^th, the fact that it was actually exploited was discovered only in March 2009. Many times companies report that a vulnerability was found on there site, but they are not aware of any exploit of the vulnerability. As this incident shows, even if the company is not aware, there is a chance that the vulnerability was exploited.

Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: Sweden

WHID 2009-31: Double Clickjacking Worm on Twitter

Wed, 16 Jun 2010 14:15:07 -0400

Entry Title: WHID 2009-31: Double Clickjacking Worm on Twitter
WHID ID: 2009-31
Date Occured: February 12, 2009
Outcome: Defacement
Incident Description:

Twitter is certainly bypassing Facebook as the most popular site out there, at least when it comes to security incidents.This time somebody decided abuse Twitter to demonstrate Clickjacking, an attack that RSname and Jeremiah Grossman re-christened in the OWASP conference in New York in September.

A well placed button labeled "don't click" make people click on it actually sending a Twitter message. Sunlight labs have a very interesting report showing the rate of propagation of the worm.

Cnet reports the worm spread on Feb 12^th in two pulses. After the Twitter people closed the loophole the 1st time, somebody bypassed the patch to restart the worm spread out.

Chriss Shiflett provides a very good technical analysis of the worm.

Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: US

WHID 2007-86: Mac Blogs defaced using XSS

Wed, 16 Jun 2010 15:19:06 -0400

Entry Title: WHID 2007-86: Mac Blogs defaced using XSS
WHID ID: 2007-86
Date Occured: February 17, 2008
Outcome: Defacement
Incident Description:

The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS abusing a WordPress zero day bug. Secondly, it is a targeted attack aiming to deface only Mac related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking apple become a political issue? Was Apple transformed into a nation overnight? Well certainly into a cult.

Additional information:

Mac sites are being hacked by blackhat XSS hackers [XSSworm, Nov 23 2007]

Hacker defaces temples to OS X [The Register, Nov 27 2007]

Attacked Entity Field: Technology
Attacked Entity Geography: Global
Attacked System Technology: WordPress

WHID 2008-55: Hackers hijack bitchy fashion blog

Wed, 16 Jun 2010 14:36:55 -0400

Entry Title: WHID 2008-55: Hackers hijack bitchy fashion blog
WHID ID: 2008-55
Date Occured: April 23, 2008
Outcome: Defacement
Incident Description:

It might have been a random hack, but the pornographic pictures splashed on an insider fashion industry blog where quickly blamed on the fashion icons and magazines offended by the blog.

Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2008-13: Harvard site hacked and leaked on BitTorrent

Wed, 16 Jun 2010 15:05:49 -0400

Entry Title: WHID 2008-13: Harvard site hacked and leaked on BitTorrent
WHID ID: 2008-13
Date Occured: February 20, 2008
Outcome: Leakage of Information
Incident Description:

Additional information:

Harvard Site Hacked and Leaked on BitTorrent [TorrentFreak, Feb 18 2008]

Harvard Web Site Hack is a Cautionary Tale [Virtualization News Desk, Feb 19 2008]

Harvard Joomla site hacked: things to learn? [James Walker, Feb 19 2008]

Harvard Web site hacked; database on file-sharing site [Computer World, Feb 18 2008]

Harvard grad school site hacked, files distributed on BitTorrent network [SC Magazine, Feb 19 2008]

Attacked Entity Field: Education
Attacked Entity Geography: USA
Attacked System Technology: Joomla

WHID 2009-1: Gaza conflict cyber war

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-1: Gaza conflict cyber war
WHID ID: 2009-1
Date Occured: January 5, 2009
Outcome: Downtime
Incident Description: Update (Jan 13, 2009) - Ynet, an Israeli paper, reports that many of the sites defaced where actually DNS hijacked following a break-in to the servers of DomainTheNet, an Israeli registrar. And just like other recent DNS hijacking incidents, the fault was lack of sufficient authentications and the hackers got hold of passwords to the administration system.
Update (Jan 10, 2009) - Zone-H reports that in addition to Israeli sites, Turkish hackers are also targetting USA and Nato web sites using SQL injection.
The war in Gaza, like most modern wars, moved immediately to cyberspace. Islamic and Arab groups all over the world are using the Internet to retaliate against Israeli web sites. Some of the reported incidents are:
Israeli bank site hacked by an Islamic group
Hundreds of Israeli web sites hacked in 'Propaganda War'
Like every war, this one is not one sided. Interestingly enough, since this is a war between a country and a Guerrilla organization, and the cyber war which focus on mostly on conquering the minds of people is shaped similarly. The Israeli cyber war activity is mostly funneled through legal channels rather than hacking, as described by Wired.
However, unlike the physical war in which only the Israeli military is conducting, in cyberspace Israelis join by themselves the hacking war. Artuz 7, an Israeli media site, reports that a group of students released a tool that perform distributed denial of service attacks against Hamas web sites. The students site itself provides news alerts about the cyber war between Israel and the Hamas.
Editor's notes: (1) As a policy, we decided to report each such conflict as a single incident, unless some hack is especiallly of interest. The author of this incident is Israeli.
Attack Source Geography:
Attacked Entity Field: Various
Attacked Entity Geography:
Reference: http://www.ynetnews.com/articles/0,7340,L-3649281,00.html

WHID 2009-30: Sage SaaS Withdrawn Due to Security Flaws

Wed, 16 Jun 2010 14:15:52 -0400

Entry Title: WHID 2009-30: Sage SaaS Withdrawn Due to Security Flaws
WHID ID: 2009-30
Date Occured: January 21, 2009
Outcome: Monetary Loss
Incident Description:

While we have no public record of an exploit in this case, it seems that the mare discovery of vulnerabilities in sage new SaaS (software as a service) offering created so much damage to classify it as an incident.

Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However as ZDnet reports, serious security flaws were discovered in the public beta and the company has to call off the launch. Who discovered the issues? naturally the competition. Duane Jackson, the CEO of a tiny rival company reported them on his blog.

More than anything, the incident shows how difficult it is for developers to migrate from desktop software to a web based offering. This is a whole new ball game, and security is one of the more difficult issues to adjust to. On the other hand it also shows that on line services are much more exposed to scrutiny, which may result in better security down the line.

As for the technical details, the reports found that the following issues in the application:

Password displayed in clear text and sent in the request line.

Remember me is on by default on any login.

Access to management sections of the site and other users data.

Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography: UK
Attacked System Technology: Sage

WHID 2009-29: FBI & Secret Service warn of a sophisticated HSM attack

Wed, 16 Jun 2010 14:15:53 -0400

Entry Title: WHID 2009-29: FBI & Secret Service warn of a sophisticated HSM attack
WHID ID: 2009-29
Date Occured: February 25, 2009
Outcome: Monetary Loss
Incident Description:

A very interesting report by the FBI together with the US Secret service outlines a scheme exploiting SQL injection to steal credit card information from financial institutes. The attack involves directly attacking HSMs, the banks key vaults in charge of verifying ATM PINs in order to brute force PIN numbers.

The report is unique in describing an attack on financial services. Such attacks are know to happen but are seldom reported, certainly not with the amount of details in this report. However, the report does not indicate which incident it is based on. Is the close proximity of the report release to the Heartland incident just a coincidence?

Getting to this report took some effort and the only non blogshpere copy we found is on the Visa web site. If you know anything about this incident, please help us complete the information by leaving a comment on contacting us.

Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography: USA

WHID 2008-14: Hacker takes over Dallas police Web site

Wed, 16 Jun 2010 15:05:03 -0400

Entry Title: WHID 2008-14: Hacker takes over Dallas police Web site
WHID ID: 2008-14
Date Occured: February 21, 2008
Outcome: Defacement
Incident Description:

### Dallas say the department shut down its Internet presence after a hacker took over its Web site and filled it with anti-American rants.

The vandalized Web pages included a doctored photograph showing American troops watching over four people lined up against a wall.

Each of the four prisoners had lines leading away from their faces to individual head shots of President George W. Bush, Vice President Dick Cheney, Secretary of State Condoleezza Rice and Sen. John McCain

Additional information:

Hacker defaces Dallas police Web site [United Press, Feb 19 2008]

Dallas Police Web Site Hacked, Defaced [Fox (AP), Feb 19 2008]

Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA

WHID 2009-8: Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-8: Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story
WHID ID: 2009-8
Date Occured: January 22, 2009
Outcome: Disinformation
Incident Description:

John Abell from Wired magazine often writes about Apple's CEO health. However, this report about Job suffering a cardiac arrest, was neither his nor true. The culprit was Wired public image viewing utility which lets people upload am image and than presented the image as part of the Wired web site, banner and domain included.

This is a wonderful example of a web application design flaw. There was nothing wrong with the code, however the design of the feature enabled it to be abused.

Further information:

Abell's own report on the incident

Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2009-28: Serious Leakage on Mac clone Maker's site

Wed, 16 Jun 2010 14:15:57 -0400

Entry Title: WHID 2009-28: Serious Leakage on Mac clone Maker's site
WHID ID: 2009-28
Date Occured: February 11, 2009
Outcome: Leakage of Information
Incident Description:

The Register reports that the online shop of Psystar, a maker of Mac compatible equipment is heavily leaking technical information that can be expoited to hack the site.

Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2007-87: Hacker uses Insider information to gain on the stock exhange

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exhange
WHID ID: 2007-87
Date Occured: February 21, 2008
Incident Description:

###

Additional information:

It pays to be a hacker [Jeremiah Grossman, Feb 19 2008]

Make Big Profits Illegally (and Maybe Keep Them, Too) [New York Times (free subscription required), Feb 15 2008]

Hacker holds onto ill-gotten gains thanks to US courts [The Register, Feb 17 2008]

Attacked Entity Field: Health

WHID 2007-87: Hacker uses Insider information to gain on the stock exhange

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exhange
WHID ID: 2007-87
Date Occured: February 21, 2008
Incident Description:

###

Additional information:

It pays to be a hacker [Jeremiah Grossman, Feb 19 2008]

Make Big Profits Illegally (and Maybe Keep Them, Too) [New York Times (free subscription required), Feb 15 2008]

Hacker holds onto ill-gotten gains thanks to US courts [The Register, Feb 17 2008]

Attack Source Geography: Ukrain
Attacked Entity Field: Health

WHID 2007-87: Hacker uses Insider information to gain on the stock exhange

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exhange
WHID ID: 2007-87
Date Occured: February 21, 2008
Incident Description:

###

Additional information:

It pays to be a hacker [Jeremiah Grossman, Feb 19 2008]

Make Big Profits Illegally (and Maybe Keep Them, Too) [New York Times (free subscription required), Feb 15 2008]

Hacker holds onto ill-gotten gains thanks to US courts [The Register, Feb 17 2008]

Attacked Entity Field: Health
Attacked Entity Geography: USA

WHID 2007-87: Hacker uses Insider information to gain on the stock exhange

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exhange
WHID ID: 2007-87
Date Occured: February 21, 2008
Incident Description:

###

Additional information:

It pays to be a hacker [Jeremiah Grossman, Feb 19 2008]

Make Big Profits Illegally (and Maybe Keep Them, Too) [New York Times (free subscription required), Feb 15 2008]

Hacker holds onto ill-gotten gains thanks to US courts [The Register, Feb 17 2008]

Attacked Entity Field: Health

WHID 2008-42: Chinese hackers steal 9 million items of personal information from South Koreans

Wed, 16 Jun 2010 14:47:56 -0400

Entry Title: WHID 2008-42: Chinese hackers steal 9 million items of personal information from South Koreans
WHID ID: 2008-42
Date Occured: December 30, 2008
Outcome: Leakage of Information
Incident Description:

The Dark Visitor, a Chinese hacking insider site, and the Korean Chuson reports that a Chinese hacker used a commercially available SQL injection tool called HDMI to penetrate a large number of South Korean sites and still 9 million personal information items, which he than sold for approximately $15,000 to South Koreans for them to abuse.

Attack Source Geography: China
Attacked Entity Field: Various
Attacked Entity Geography: South Korea

WHID 2007-87: Hacker uses Insider information to gain on the stock exhange

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exhange
WHID ID: 2007-87
Date Occured: February 21, 2008
Incident Description:

###

Additional information:

It pays to be a hacker [Jeremiah Grossman, Feb 19 2008]

Make Big Profits Illegally (and Maybe Keep Them, Too) [New York Times (free subscription required), Feb 15 2008]

Hacker holds onto ill-gotten gains thanks to US courts [The Register, Feb 17 2008]

Attacked Entity Field: Health

WHID 2007-87: Hacker uses Insider information to gain on the stock exhange

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exhange
WHID ID: 2007-87
Date Occured: February 21, 2008
Incident Description:

###

Additional information:

It pays to be a hacker [Jeremiah Grossman, Feb 19 2008]

Make Big Profits Illegally (and Maybe Keep Them, Too) [New York Times (free subscription required), Feb 15 2008]

Hacker holds onto ill-gotten gains thanks to US courts [The Register, Feb 17 2008]

Attacked Entity Field: Health

WHID 2008-15: ValueClick to Pay $2.9 Million to Settle FTC Charges

Wed, 16 Jun 2010 15:03:38 -0400

Entry Title: WHID 2008-15: ValueClick to Pay $2.9 Million to Settle FTC Charges
WHID ID: 2008-15
Date Occured: March 24, 2008
Outcome: Monetary Loss
Incident Description:

In this case SQL injection was not the root cause, but rather the justification. Just as Al Capone was arrested at the end of the day for tax evasion, ValueClick, which seems to infuriate the FTC over many nasty commercial misdeeds, was caught at the end of the day for SQL injection, presumably left open against the company written security policy.

The FTC settlement cost ValueClick a record amount of $2.9 million dollars, plus 20 years of rigorous security procedures that will probably cost as much if not more. On top of that, eBay, a major partner, left ValueClick as a result.

Additional information:

ValueClick to Pay $2.9 Million to Settle FTC Charges [Federal Trade Commision, Mar 17 2008]

eBay dumps ValueClick [The Register, Mar 17 2008]

Attacked Entity Field: Marketing
Attacked Entity Geography: USA

WHID 2009-9: MetaFilter suffers an SQL injection attack

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-9: MetaFilter suffers an SQL injection attack
WHID ID: 2009-9
Date Occured: January 24, 2009
Outcome: Planting of Malware
Incident Description:

MetaFilter philosophy is that social norms and peer pressure, referred to as "self-policing", will ensure the quality of the content of the site. However is seems that this philosophy does not extend to hackers who abuse the site's software to plant Malware affecting MetaFilter users.

Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA

WHID 2008-16: Turkish PM supporters hack hacker's Web site

Wed, 16 Jun 2010 15:03:25 -0400

Entry Title: WHID 2008-16: Turkish PM supporters hack hacker's Web site
WHID ID: 2008-16
Date Occured: May 11, 2008
Outcome: Defacement
Incident Description:

In a twist on the classical defacement incident, supporters of the Turkish PM defaced, as a retaliation, the web site of hackers who just recently defaced the PM web site. A disturbing question is whether this is a juvenile mischief or was the act planned and executed by PM supporters. Did the political spin reached web site hacking?

Additional information:

Erdogan supporters hack hacker's Web site [Turkish Daily News, May 9 2008]

Attacked Entity Field: Politics
Attacked Entity Geography: Turkey

WHID 2009-27: Panasonic Products for Cheap

Wed, 16 Jun 2010 14:16:19 -0400

Entry Title: WHID 2009-27: Panasonic Products for Cheap
WHID ID: 2009-27
Date Occured: February 14, 2009
Outcome: Monetary Loss
Incident Description:

A report suggests that the UK retail site of the electronic equipment giant Panasonic was hacked and prices of products where set to pennies. Since the incident followed a layoff of 15,000 employees, it is assumed to be a disgruntled employees doing.

Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: UK

WHID 2008-41: A Joomla first day exploit

Wed, 16 Jun 2010 14:51:18 -0400

Entry Title: WHID 2008-41: A Joomla first day exploit
WHID ID: 2008-41
Date Occured: August 12, 2008
Outcome: Defacement
Incident Description:

Joomla is a widely used open source content management system. Many administrators reports that a vulnerability announced August 12^th was immediately exploited by hackers to attack Joomla based web sites. Another report shows a specific site that was defaced by exploiting the same vulnerability.

This incident shows the importance of timely patching, but also brings back the age old debate around publication of vulnerabilities by researchers. Does it contribute to software security or just helps the hackers?

Attack Source Geography:
Attacked Entity Field: Various
Attacked Entity Geography:
Attacked System Technology: Joomla

WHID 2009-26: F-Secure Joins The Breached AV Vendors Club

Wed, 16 Jun 2010 14:16:22 -0400

Entry Title: WHID 2009-26: F-Secure Joins The Breached AV Vendors Club
WHID ID: 2009-26
Date Occured: February 11, 2009
Outcome: Leakage of Information
Incident Description:

It wasn't surprising that after attacking a Kaspereski and a BitDefender web sites, Uno, the Romanian hacker, would continue to strike anti-virus vendors. This time he found a vulnerability in the web site of Finish AV vendor F-Secure. Somewhat less severe than the others, the vulnerability enabled the hacker only to access virus statistics.

As usual, the marketing department response is amazing, mentioning that "the problem with its site was due to a bug in a Web application and not related to an unpatched system". Does that make it better?

Frankly, I don't envy the marketing department role. The company, any company for that matter, is spending too little on web application security, sites are taken down daily, and the marketing people are send to fend off the public. They must have a thick skin to survive in marketing.

Attack Source Geography: Romania
Attacked Entity Field: Technology
Attacked Entity Geography: Finland

WHID 2009-10: MacRumorsLive feed hack

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-10: MacRumorsLive feed hack
WHID ID: 2009-10
Date Occured: January 7, 2009
Outcome: Disinformation
Incident Description:

It seems that if the worse thing that can happen to hackers is a real accident to Apple's CEO Steve Jobs. The number of hacks devoted to informing us about his fictitious accidents is just overwhelming. In this case AnantaSec reports a hack into Mac Rumors feed that was possible simply because a file with the administrator password was laying around accessible to anyone due to an administration error.

Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2008-17: Hackers' posts on epilepsy forum cause migraines, seizures

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-17: Hackers' posts on epilepsy forum cause migraines, seizures
WHID ID: 2008-17
Date Occured: May 11, 2008
Outcome: Planting of Malware
Incident Description:

Up to now we never registered at WHID an incident that caused physical pain on its victims. Unfortunately, there is always a first. In an attack which gives a whole new dimension to the term "malicious",hackers recently injected to the Epilepsy Foundation's Web site hundreds of pictures and links to pages with rapidly flashing images.

The breach caused severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they're exposed to flickering images, a response also caused by some video games and cartoons.

The Attack_Method is only described as an exploit of a security hole in the foundation's publishing software. However, the attack looks very much like a variation of the popular iframe injection SQL bots, used for malice rather than profit, hinting that this was an SQL injection attack.

Additional information:

Hackers' posts on epilepsy forum cause migraines, seizures [AP, May 7 2008]

Attacked Entity Field: Health
Attacked Entity Geography: USA

WHID 2008-40: Olympics news sites hit with attacks

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-40: Olympics news sites hit with attacks
WHID ID: 2008-40
Date Occured: August 12, 2008
Outcome: Planting of Malware
Incident Description:

Like many Asprox bot SQL injection attacks, the one on NDTV.com, a New Delhi TV station's web site has its unique aspects.

First, the attack came at absolutely the wrong time, just when all eyes (and mouse clicks) where turned to the Olympic games in Beijing, the NDTV web site which carried real time information from the games was hacked, greatly extending the infection rate.

In addition, the information was syndicated from a French news agency. While apparently the agency did not have anything to do with the hack, the did catch some fire over the incident as some experts suggested it should help its customers to protect their systems.

More information:

SC Magazine, Aug 12th 2008

Graham Cluley's blog entry, Aug 11th 2008

Attacked Entity Field: Information Services
Attacked Entity Geography: India

WHID 2008-56: Soulja Boy Myspace Hacked

Wed, 16 Jun 2010 14:36:23 -0400

Entry Title: WHID 2008-56: Soulja Boy Myspace Hacked
WHID ID: 2008-56
Date Occured: September 1, 2008
Outcome: Extortion
Incident Description:

This is a first time a hacking report is a video flick. If, like me, you find it hard to understand, you can read a written summary on this Kiwi site. I guess that their readers also needed a translation of the speech in the video to English.

In a nutshell, hackers defaced Soulja Boy's MySpace page and published his e-mail and YouTube passwords on the net. They demanded $2,500 to give him his web presence back. For an artist that grew our of the Internet this presence is naturally very important, however he is now important enough that his record label was able to contact the different sites to get him his web properties back without paying the money.

In this case I have decided to categorize the attacked entity as Soulja Boy and not MySpace or YouTube, as I used to do in the past. The fact that the attack was against Soulja Boy properties around the web makes him, rather than any technology platform, the attack target.

Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography:

WHID 2009-11: Lil Kim Facebook Hacked

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-11: Lil Kim Facebook Hacked
WHID ID: 2009-11
Date Occured: January 26, 2009
Outcome: Disinformation
Incident Description:

I am not sure why rappers web presence is so often hacked. They might be the first generation of artists to use the web, brightly combining great Internet skills with technophobia which leads to basic operational errors. Or it might be the underground nature of the artists that (mis)manage their web presence by themselves.

Lil Kim is joining Soulja Boy in being cyber abuse, or so she claims, saying that a blog entry calling Naturi Naughton, the actress who portrays her in a new film, “tasteless and talentless.”, is a fake.

Attacked Entity Field: Entertainment
Attacked Entity Geography: USA

WHID 2008-18: Winzipices SQL bot

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-18: Winzipices SQL bot
WHID ID: 2008-18
Date Occured: May 11, 2008
Outcome: Planting of Malware
Incident Description:

Another member of the wave of SQL injection bots injecting malware inflicting code to web sites.

Additional information:

SQL Injection Worm on the Loose [SANS Internet Storm Center, May 7 2008]

New SQL Injection Attacks and New Malware: winzipices.cn [ShadowServer, May 7 2008]

WHID 2009-25: Zone-H defaced

Wed, 16 Jun 2010 14:17:29 -0400

Entry Title: WHID 2009-25: Zone-H defaced
WHID ID: 2009-25
Date Occured: February 13, 2009
Outcome: Defacement
Incident Description:

Whenever a defacement appears in WHID we need to explain why. After all isn't Zone-H a better repository of simple defacement. Well, yes, but according to this report by The Register this time it was Zone-H which was defaced. The defaced site seen on the right, is available here. I am sure it is just a matter of time before we add a WHID defacement to WHID...

The Register article is interesting due to another perspective: when discussing the future of Zone-H, John Leyden writes:

But in an age where SQL injection assaults against legitimate sites are used to run drive-by download attacks without leaving any obvious signs of attack, perhaps the recording of blatant web graffiti attacks is no longer as relevant as it once was

We at the Web Hacking Incident Database try to provide the answer for this new age. I hope we help.

Attack Source Geography:
Attacked Entity Field: Media
Attacked Entity Geography:

WHID 2008-19: OSU breach raises fears of ID theft

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-19: OSU breach raises fears of ID theft
WHID ID: 2008-19
Date Occured: May 19, 2008
Outcome: Leakage of Information
Incident Description:

At the Oklahoma State Universitiy (OSU) a security breach has exposed the names, addresses and Social Security numbers of 70,000 students, faculty and staff who bought parking and transit services permits in the past six years. The university failed to report the incident to affected individuals for two months after it was detected.

Additional information:

OSU breach raises fears of ID theft [cr80 News, May 16 2008]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2009-24: New Phishing Attacks Combine Wildcard DNS and XSS

Wed, 16 Jun 2010 14:17:29 -0400

Entry Title: WHID 2009-24: New Phishing Attacks Combine Wildcard DNS and XSS
WHID ID: 2009-24
Date Occured: February 10, 2009
Outcome: Phishing
Incident Description:

Netcraft, one of the leading authorities on phising research, reports a Phishing scam that involves XSS.

The scam exploits an XSS vulnerability in iRedirector, a software used to map sub-domains into paths on the site, in order to hijack domains and use them as Phishing targets. Since iRedirector enables virtually any sub domain to be defined, the attacker can now create an endless number of combinations of domain names built to fool users and web filters alike.

Attack Source Geography:
Attacked Entity Field: Various
Attacked Entity Geography: Various
Attacked System Technology: iRedorector

WHID 2009-23: Miley Cyrus Twitter Account Hit By Sex-Obsessed Hacker

Wed, 16 Jun 2010 14:17:29 -0400

Entry Title: WHID 2009-23: Miley Cyrus Twitter Account Hit By Sex-Obsessed Hacker
WHID ID: 2009-23
Date Occured: February 17, 2009
Outcome: Leakage of Information
Incident Description:

It is Twitter again, it is a celebrity again. Why don't they keep their password to themselves. This incident is even uglier as the attacker posted obscene content on the Twitter account of the 16 years old actress Miley Cyrus. This is not the first attack targeting Miley Cyrus. As reported by WHID, her personal G-mail account was hacked last year and personal pictures were stolen and published online.

We assume that he just guessed the password. Was it a trivial one? did he find a way to brute force it? Or was it something entirely different like yet another Twitter CSRF bug? time will tell.

Attack Source Geography:
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA

WHID 2008-20: XSS Worm At Justin.tv Affects 2525 Profiles

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-20: XSS Worm At Justin.tv Affects 2525 Profiles
WHID ID: 2008-20
Date Occured: July 16, 2008
Outcome: Worm
Incident Description:

A proof of concept XSS worm crawled justin.tv, a popular lifecasting platform. The warm succeeded in planting a self replicating code on 2525 accounts in less than 24 hours before the vulnerability was fixed.

Additional information:

XSS Worm At Justin.tv Affects 2525 Profiles [CyberInsecure, Jul 15 2008]

Attacked Entity Field: Web 2.0

WHID 2008-39: Hacker compromises a south african political party web site

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-39: Hacker compromises a south african political party web site
WHID ID: 2008-39
Date Occured: August 7, 2008
Outcome: Planting of Malware
Incident Description:

The South African Democratic Alliance party's web site seems like another random victim of the Asprox family of bots. This specific incident demonstrates several issues:

Aprox successfully attacks organizations that should really know better.

While most known cases of Asprox attacks result in planting of malware on the web site, since this is easily detected by malware search services, the very brutal injection used by Asprox probably takes down more sites than it infects with malware.

According to one comment, the site used an outdated version of WordPress, stressing again the problem with not upgrading in a timely manner, especially open source software.

More information:

Mail & Guardian, Aug 15th 2008

Attack Source Geography: Russia
Attacked Entity Field: Government
Attacked Entity Geography: South Africa
Attacked System Technology: WordPress

WHID 2008-38: DNSChanger Trojans v4.0

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-38: DNSChanger Trojans v4.0
WHID ID: 2008-38
Date Occured: December 4, 2008
Outcome: Fraud
Incident Description:

The DNSchanger Trojan uses different methods to manipulate the DNS lookup of the victim. One of the most malicious techniques is using CSRF to attack the ADSL or cable router and modify its DNS tables.

More Information:

McAfee: DNSChanger Trojans v4.0, Dec 4th 2008

Attacked Entity Field: Various

WHID 2008-21: Information about organ and tissue donors open to all

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-21: Information about organ and tissue donors open to all
WHID ID: 2008-21
Date Occured: July 20, 2008
Outcome: Leakage of Information
Incident Description:

The Agency for Health Care Administration (AHCA) Florida's database of organ and tissue donor registry was open to the public due to an unspecified software glitch. Personal details of 55,000 people, including name, address, date of birth, driver license number and social security number where exposed.

Additional information:

AHCA Incident Faq [AHCA, ]

AHCA Incident PR [AHCA, Jul 7 2008]

Breach in Fla. donor registry may have exposed IDs [Associated Press, Jul 7 2008]

Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2009-12: Embassy of India in Spain found serving remote malware through iFrame attack

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-12: Embassy of India in Spain found serving remote malware through iFrame attack
WHID ID: 2009-12
Date Occured: January 26, 2009
Outcome: Planting of Malware
Incident Description:

Ismael Valenzuela sent us a story about yet another malware through iFrame serving site. This time it is an official one, belonging to the Indian government official branch in Spain - it's embassy.

We can hardly include every malware service site in WHID, after all there are hundred of thousands, if not millions, of those. Why pick on the Indian embassy in Spain? One good reason is that we finally got in an input from a reader and wanted to honor the event and include the incident. But there is another more important reason.

First, hacked embassy sites are becoming a major issue which points to a much larger issue: cyber crime is endangering the Internet as we know it. While we come to rely on the web to provide us with all the information and services that we need, we do not have the tools to make it a safe place, and embassy web sites are a good example.

Practically the only way to provide sufficient security to a web site is not to have it in the first place. Instead small organizations must rely on the services of huge brokers, such as Amazon, eBay or Google sites. However not everyone can use this services. Embassies are a good example as they need to be "doubly localized" for both the originating and target countries which makes it nearly impossible to create a uniform service for them. Therefore even embassies of larger countries need to create small home made and insecure web sites, as they need to adjust their site content, language and site look to the local community served.

Thechnical analysis of the planted malware was done by Trend Micro.

Attack Source Geography:
Attacked Entity Field: Government
Attacked Entity Geography:

WHID 2009-22: Federal Travel Booking Site Spreads Malware (Updated)

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-22: Federal Travel Booking Site Spreads Malware (Updated)
WHID ID: 2009-22
Date Occured: February 11, 2009
Outcome: Planting of Malware
Incident Description:

Updated (Feb 22^nd 2009) - the Washington Post updates that the hack exploited a problem with the default configuration of the authentication module used for authenticating remote administrators. As a result we categorized this incident under "insufficient authentication" and "misconfiguration".

Whenever we include a site inflicted with malware in WHID we need to explain why this one is worthy of WHID, after hundreds of thousands of web sites are planted with malware annually.

The Washington Post report about govtrip.com spreading malware is unique because this is an official US General Services Administration (GSA) web site and many US federal departments employees are required to reserve travel through it. In addition, the site is run by a major defense contractor, Northrop Grumman, who you would think would know better. How secure are their defense projects when it comes to application security?

Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2008-22: Hacker changes news releases on sheriff's Web site

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-22: Hacker changes news releases on sheriff's Web site
WHID ID: 2008-22
Date Occured: July 21, 2008
Outcome: Defacement
Incident Description:

A targeted defacement that modified two specific press releases to ridicule the local government.

Additional information:

Nosy hacker alters sheriff's news releases [The Daily Bulletin, Jun 22 2008]

Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA

WHID 2009-21: This Time Uno is after the Herald Tribute

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-21: This Time Uno is after the Herald Tribute
WHID ID: 2009-21
Date Occured: February 17, 2009
Outcome: Leakage of Information
Incident Description:

I must admit that Uno, the Romanian hacker behind a series of intrusions in recent days is a bit of a cheat for the Web Hacking Incident Database. We usually do not report vulnerabilities that where not exploited. While we understand their importance, they do not fall under the criteria set for WHID. For now we list them in a separate page, waiting for a place to be files in.

Uno presents a dilemma: he finds a vulnerability, exploits it to a limit and publish the results. Therefore the incident does not have a sizable outcome and not damage is done, but nevertheless it is interesting. We are not the only one to note that. Kasperski stressed the point the no data was actually compromised in their response to the event. So should we add it to WHID as an incident? should we skip it as just a vulnerability? for now we put them in.

So what is Uno's mischeif this time? This time it is the International Herald Tribune Uno is after. The impact of this attack, if carried out by a malicious hacker might have been profound as it seems that Uno got access to user name and passwords of editors and contributors, posibily enabling a malicious hacker to publish information on their behalf on this very prestigious newspaper.

Attack Source Geography: Romania
Attacked Entity Field: Media
Attacked Entity Geography: USA

WHID 2008-23: Sony PlayStation

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-23: Sony PlayStation
WHID ID: 2008-23
Date Occured: July 21, 2008
Outcome: Planting of Malware
Incident Description:

Yet another iframe injection in a very prominent web site, proving yet again that nobody is immune.

Additional information:

Sony PlayStation

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2009-20: BitDefender joins Kasperski on the Breached side

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-20: BitDefender joins Kasperski on the Breached side
WHID ID: 2009-20
Date Occured: February 9, 2009
Outcome: Leakage of Information
Incident Description:

Uno, the Romanian hacker responsible for penetrating the Kasperski web site, reported repeating the trick also on the web site of the Polish distributor of BitDefender, another anti-virus software vendor.

Attack Source Geography: Romania
Attacked Entity Field: Technology
Attacked Entity Geography:

WHID 2008-57: Craigslist's Battle Against Spammers

Wed, 16 Jun 2010 14:31:17 -0400

Entry Title: WHID 2008-57: Craigslist's Battle Against Spammers
WHID ID: 2008-57
Date Occured: May 22, 2008
Outcome: Link Spam
Incident Description:

Insufficient Anti-Automation is fat becoming the #1 threat to web sites. Since Captcha has been proved practically useless, especially when there is a financial gain from automating access to the site, sites are pretty much defenceless against harmful automation. Techdirt's story about Craigslist losing the battle against automation tool is a very good example of this serious problem.

Read the comments, they are enlightening. As usual, one of the problem when spam is involved is defining if and what is a wrong doing and what is a valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craiglist is the worst censors on the Internet not letting small time businesses work. Other argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article has been published.

Attack Source Geography:
Attacked Entity Field: Information Services
Attacked Entity Geography:

WHID 2008-58: New Orkut Worm in Brazil

Wed, 16 Jun 2010 14:30:01 -0400

Entry Title: WHID 2008-58: New Orkut Worm in Brazil
WHID ID: 2008-58
Date Occured: October 4, 2008
Outcome: Planting of Malware
Incident Description:

XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out worms reporting in WHID.

A worm is now considered an Attack_Method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": itself.

I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.

Attack Source Geography: Brazil
Attacked Entity Field: Web 2.0
Attacked Entity Geography:

WHID 2007-89: The big TJX hack

Thu, 17 Jun 2010 18:22:11 -0400

Entry Title: WHID 2007-89: The big TJX hack
WHID ID: 2007-89
Date Occured: December 29, 2008
Outcome: Credit Card Leakage
Incident Description:

Update (January 12^th 2009) An Ukrainian hacker who who was a member of the TJX hack ring was sentenced to 30 years in jail by a Turkish court. According to investigation papers Maksym Yastremskiy made approximately 11 million dollars from the hack!

The TJX breach is one of most publicized hacking incident in recent years. However, until now it was not part of the Web Hacking Incidents Database. And for a good reason: early report described the hack as a war driving hack, in which the attackers drive around and find a wireless network not properly secured.

However new information from the trial of the identity theft ring leader Albert Gonzalez, reveals that in order to penetrate TJX data center from the captured end points, the hackers employed different techniques including password sniffing and SQL injection. The later justifies getting the TJX incident for the 1st time into WHID.

Additional information:

Network World, June 8th 2008

Attacked Entity Field: Retail
Attacked Entity Geography: USA

WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data exposed (Updated)

Thu, 17 Jun 2010 18:26:15 -0400

Entry Title: WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data exposed (Updated)
WHID ID: 2008-19
Date Occured: February 7, 2009
Outcome: Leakage of Information
Incident Description:

Update (Feb 22^nd 2009) - We were probably not the only ones not satisfied with Kasperski official press release on the subject. An interesting report on Kasperski viruslist blog by a person on the investigating team provides answers: the data was neither secured well nor the hacker incapable. The hacker made a mistake in his attack vector and decided to pursue no further. The data was available for any hacker who was really after it.

I must tkae my hat off to Kasperski for this frank analysis, which is very uncommon to companies who were breached and can really help to highlight the importance of application security.

Update (Feb 13^th 2009) - Kasperski hired David Litchfield, a well known database security expert, to analyze the incident. In their response, Ksaperski point that no sensitive data was actually compromised to the event. The report points that the hacker and others following his hints did try to access sensitive data but did not succeed. The carefully worded report does leave many questions open:

Was the data secured well, or were the hackers who tried to access it just not capable?

Was no data vulnerable or just "sensitive data" and if so what is the data that was exposed?

Did the investigation go back to check that no one hacked the system prior to the published incident, potentially abusing it and avoiding publication?

A researcher found and exploited a serious SQL injection vulnerability in US web site of Kasperski, an anti-virus software vendor, exposing the full customers database. Well, the full database actually as the list of tables exposed proves. Apparently, the vulnerability existed for some time and the researched informed Kasperski about it to no avail before making it public.

This is another example of how fatal is SQL injection. SQL Injection is considered one of the more well understood attack vectors, easy to find during a security review, and therefore easy to get rid of. However one of its variants, blind SQL injection, can appear everywhere in the application and not just in key pages managing sensitive information and expose the entire database, making a review and fix of the application from it much harder.

Attack Source Geography: Romania
Attacked Entity Field: Technology
Attacked Entity Geography:

WHID 2008-24: SQL attacks lob onto ATP Web site

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-24: SQL attacks lob onto ATP Web site
WHID ID: 2008-24
Date Occured: July 21, 2008
Outcome: Planting of Malware
Incident Description:

Not a day goes by without yet another prominenent web site hacked by an SQL injection attack planting Malware.

Additional information:

SQL attacks lob onto tennis association Web site [Network World, Jul 4 2008]

Attacked Entity Field: Sports
Attacked Entity Geography: Global

WHID 2009-13: Wikipedia Biography Hacking

Thu, 17 Jun 2010 18:27:19 -0400

Entry Title: WHID 2009-13: Wikipedia Biography Hacking
WHID ID: 2009-13
Date Occured: January 27, 2009
Outcome: Disinformation
Incident Description:

This incident might have not gotten into the Web Hacking Incident Database a year ago. However a heated discussion on the Web Application Security Consortium threat classification project reminded me that content spoofing is a potent attack vector by itself, actually one of the most dangerous there.

Wiki is one of those platforms that by design allow content be changed. It is its philosophy, and Wikipedia is the premier wiki out there. It is not a surprise that it is a prime target to content spoofing, as the story about the unexpected demise of two US senators during Obama's inauguration.

You can read more about the unique security philosophy of Wikis in my recent article and presentation about the subject.

Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA

WHID 2008-25: BusinessWeek website attacked and hosts malware

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-25: BusinessWeek website attacked and hosts malware
WHID ID: 2008-25
Date Occured: September 20, 2008
Outcome: Planting of Malware
Incident Description:

Another site hit by the SQL injection bot

Additional information:

BusinessWeek website attacked and hosts malware [Net-Security, Sep 15 2008]

Attacked Entity Field: Information Services
Attacked Entity Geography: USA

WHID 2009-18: phpBB web site hacked using LFI

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-18: phpBB web site hacked using LFI
WHID ID: 2009-18
Date Occured: February 1, 2009
Outcome: Leakage of Information
Incident Description:

phpBB was known for years as one of the most insecure software packages out there. It is responsible for one for one of the 1st application layer worm, Santy back in 2004. How ironic is that its own web site was seriously breached due to a vulnerability in another software package used...

The culprit was an LFI (Local File Inclusion) vulnerability in PHPlist, an application for managing newsletters which enables the hacker to grab phpBB users list. Another researcher claims that this is not an LFI but a super-globals-overwrite, which is still used to include files.

However, phpBB is not entirely off the hook, as the phpBB team admits. The stolen files included only hashed passwords, however phpBB 2 hash was unsalted and the hackers successfully brute forced 28,000 passwords. While phpBB 3, which is used on the phpBB site uses better password hashing, the upgrade procedure did not upgrade existing users waiting for their 1st login to upgrade. Anyone who did not log-in to the web site since the upgrade still had weakly hashed password in the database.

A very detailed report of the incident by the hacker shed light on how such hacks are carried out, including what the hacker went after and his exploitation techniques . The hacker found the exploit on milw0rm, a well known exploit repository, showing that public disclosure of vulnerabilities has its price, especially when it precedes the release if the patch.

A copy of the report in case the original disappears can be found here.

Attack Source Geography:
Attacked Entity Field: Technology
Attacked Entity Geography:
Items Leaked: Password
Number of Records: 28,000

WHID 2008-37: Pakistani hacker attacks Indian Rail site, threatens cyber war on India

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-37: Pakistani hacker attacks Indian Rail site, threatens cyber war on India
WHID ID: 2008-37
Date Occured: December 24, 2008
Outcome: Planting of Malware
Incident Description:

The web site of the Indian Eastern Railway company was hacked. The hacker planted malware on the site and added a message to the home page declaring a cyber war on Indian Cyberspace.

Additional Information:

The Financial Express, Dec 25th 2008

Attack Source Geography: Pakistan
Attacked Entity Field: Government
Attacked Entity Geography: India

WHID 2008-26: Palin's private e-mail hacked, posted to Net

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-26: Palin's private e-mail hacked, posted to Net
WHID ID: 2008-26
Date Occured: September 20, 2008
Outcome: Leakage of Information
Incident Description:

The activist group called "anonymous," best known for its jousts with the Church of Scientology, has apparently hacked into the private Yahoo e-mail account of Alaska Gov. Sarah Palin, the Republican candidate for vice president.

Contents of that account, including two sample e-mails, an index of messages and Palin family photos, have been posted by the whistle blower site Wikileaks, which contends that they constitute evidence that Palin has improperly used her private e-mail to shield government business from public scrutiny, an issue that had already been raised by others.

Update (Oct 8)

David Kernell, the 20-year-old Tennessee college student was indicted with the hack. The most interesting aspect of the identity of the hacker is that his father Mike Kernell is a longtime Democratic state representative from Memphis

Additional information:

VP contender Sarah Palin hacked [Wiki Leaks, Sep 16 2008]

Palin's private e-mail hacked, posted to 'Net [Network Wold, Sep 17 2008]

Student Indicted in Palin E-Mail Hack [Internet News, Oct 8 2008)

Court indictment document, Oct 7 2008

Attacked Entity Field: Politics
Attacked Entity Geography: USA

WHID 2009-14: My.BarackObama.com Infects Visitors With Trojan

Wed, 16 Jun 2010 15:05:03 -0400

Entry Title: WHID 2009-14: My.BarackObama.com Infects Visitors With Trojan
WHID ID: 2008-14
Date Occured: January 27, 2009
Outcome: Planting of Malware
Incident Description:

Websense reports that my.barackobama.com, an open blogging service which is part of Obama's campaign web site has been used to point users to malware infecting content.

The scam is a good example of the dangers of Web 2.0 user generated content and mashups. There was no malicious code on the Obama's site, however an allowed HTML code looking like a YouTube embedded flick pointed to an external site which carried the malware.

Attacked Entity Field: Government
Attacked Entity Geography: USA

WHID 2007-88: Police Academy in India Hosting a Phishing Site

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2007-88: Police Academy in India Hosting a Phishing Site
WHID ID: 2007-88
Date Occured: September 20, 2008
Incident Description:

The SVP National Police Academy in Hyderabad, India has had some sort of compromise on their website resulting in a Bank of America phishing site operating on one of their servers.

Attacked Entity Field: Government
Attacked Entity Geography: India

WHID 2009-17: Passwords are optional at SpeedDate

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-17: Passwords are optional at SpeedDate
WHID ID: 2009-17
Date Occured: February 3, 2009
Outcome: Leakage of Information
Incident Description:

TechCrunch reports that for a short period of time, SpeedDate, an online dating service did not require a password. If you knew someone's user name you could login. Talking about "lack of sufficient authentication controls..."

Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA

WHID 2008-27: U.K's Crime Reduction Portal Hosting Phishing Pages

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-27: U.K's Crime Reduction Portal Hosting Phishing Pages
WHID ID: 2008-27
Date Occured: September 20, 2008
Outcome: Phishing
Incident Description:

Poste Italiane seems to have relocated to a brand new location online, in this case the U.K's Crime Reduction Portal which is currently hosting a phishing page.

Additional information:

U.K's Crime Reduction Portal Hosting Phishing Pages [Dancho Danchev, Jun 2 2008]

Attacked Entity Field: Government
Attacked Entity Geography: UK

WHID 2008-36: RBS WorldPay Data Breach Hits 1.5 Million (Updated)

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-36: RBS WorldPay Data Breach Hits 1.5 Million (Updated)
WHID ID: 2008-36
Date Occured: November 10, 2008
Outcome: Leakage of Information
Incident Description:

Update (Feb 4^th 2009): While RBS reported that just 100 cards where abused in the incident, the news now surfaced, that those cards where heavily abused as the hacker managed to lift the withdrawal limit and distribute the card copies around the world so that in total 9 million dollars where withdrawn from them in a matter of hours before they where blocked. At least, as the saying goes, losing a $100 is your problem; losing a million is the banks.

The Royal Bank of Scotland (RBS) confirmed that a hacker perform a "sophisticated cyber intrusion" on RBS WorldPay Unit web site. 1.5 Million credit card numbers and 1.1 million social security numbers may have been stolen.

At this time the only abuse known is a fraudulent use of about a 100 reloadable cards, which are used by companies to pay their employees.

Additional information:

Company press release, December 23rd 2008

Internet News, December 24th 2008

Attacked Entity Field: Finance
Attacked Entity Geography: USA

WHID 2008-28: Confidential data on thousands of students exposed by test preparatory firm

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-28: Confidential data on thousands of students exposed by test preparatory firm
WHID ID: 2008-28
Date Occured: September 20, 2008
Outcome: Leakage of Information
Incident Description:

While moving to a new hosting provider, a system by Princeton Review used by student to prepare for a state assessment program exposed due to misconfiguration approximately 34,000 students from 2^nd to 10^th grade. The information included names, Florida ID (which is nearly identical to the US social security number) and the students exam report.

The information was available for available online from late June to early August.

Additional information:

Competitor Tells Paper, Not Rival, About Security Flaw [Security Pro News, Aug 19 2008]

Student Files Are Exposed on Web Site [New York Times, Aug 18 2008]

Attacked Entity Field: Education
Attacked Entity Geography: USA

WHID 2008-31: Hacker takes $50,000 a few cents at a time

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-31: Hacker takes $50,000 a few cents at a time
WHID ID: 2008-31
Date Occured: September 20, 2008
Outcome: Monetary Loss
Incident Description:

Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of the small payments used to verify credit cards when openning accounts.

Additional information:

Hacker takes $50,000 a few cents at a time [PC Pro, May 28 2008]

Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits' [Wired, May 27 2008]

Secret Service search warrant affidavit [Secret Service, May 7 2008]

Attacked Entity Field: Internet
Attacked Entity Geography: USA

WHID 2009-15: Kanye West has been Hacked

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-15: Kanye West has been Hacked
WHID ID: 2009-15
Date Occured: January 23, 2009
Outcome: Disinformation
Incident Description:

Celebrities web presence hacking is topping 2009 incidents list, and rappers seem to lead. However this report in the Ampersand, like the Lil Kim story from the same week,is somewhat questionable. In both cases it seem that uncomfortable content was blamed on hacking.

West's story is somewhat ironic as he used his blog to remind users of the untruthfulness of his web presence.

When reviewing all the rappers incidents, my conclusion is that they are more susceptible to content spoofing because it is much easier for hackers to imitate their language and style.

Attack Source Geography:
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA

WHID 2009-16: Primary schools hit by smut hack

Wed, 16 Jun 2010 14:23:05 -0400

Entry Title: WHID 2009-16: Primary schools hit by smut hack
WHID ID: 2009-16
Date Occured: January 30, 2009
Outcome: Defacement
Incident Description:

Not all defacement are created equal. I have a second grader who has just started to use her school's web site so this defacement of 20 primary school web sites with porn hit me deep inside. We do so much to screen our young ones from the sleazy world outside, and getting it in the school's web site is just unimaginable. Just thinking about the questions I would be asked if my daughter would get such pages.

The incident also highlights the total breakup of cyber security. The incident is blamed on an unpatched version of Moodle, an open source on-line education software. The naive way ot thinking would be that schools don't have the budgets to protect their applications or even to upgrade them. However, as this incident shows, proper security is fundamental and a substantial part of the budget should be allocated to it, even it means we spend less on the application features. We need to move slower but ensure security. After all, what is the value of an educational system that shows porn?

Another insight is that real time controls for protecting web applications are essential. You need a WAF. While the specific vulnerability exploited is unknown, Installing ModSecurity would have probably prevented the exploit.

Attack Source Geography:
Attacked Entity Field: Education
Attacked Entity Geography: UK
Attacked System Technology: Moodle

WHID 2008-29: Sunwear hacks metasploit.com?

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-29: Sunwear hacks metasploit.com?
WHID ID: 2008-29
Date Occured: September 20, 2008
Outcome: Defacement
Incident Description:

someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I as able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP

Attacked Entity Field: Internet

WHID 2008-30: Security breach hits DivShare, unauthorized access to its database

Wed, 16 Jun 2010 15:02:19 -0400

Entry Title: WHID 2008-30: Security breach hits DivShare, unauthorized access to its database
WHID ID: 2008-30
Date Occured: September 20, 2008
Outcome: Leakage of Information
Incident Description:

The popular document and media sharing service DivShare, suffered a security breach that allowed a malicious user to access their database, which included user e-mail addresses and other basic profile information.

Additional information:

Security breach hits DivShare, unauthorized access to its database [Zdnet, Jun 19 2008]

Attacked Entity Field: Information Services

WHID 2006-13: Hackers Tap Banks' Web Sites In Unique Phishing Attack

Wed, 16 Jun 2010 18:38:09 -0400

Entry Title: WHID 2006-13: Hackers Tap Banks' Web Sites In Unique Phishing Attack
WHID ID: 2006-13
Date Occured: April 4, 2006
Outcome: Phishing
Incident Description:

In this very interesting attack a hacker broke into the informational web sites of several smaller banks in Florida. He than changed the link on the informational pages that points to the outsourced transactional web site to point to his own phishing site.
While the vulnerability that enabled the hacker to penetrate the informational sites is not known, this is a very interesting example of a targeted web attack. It highlights the importance of protecting every web site and not just the core business logic.

Additional information:

Hackers Tap Banks' Web Sites In Unique Phishing Attack [TechWeb, Mar 29 2006]

Banks pull plug on Web sites [Tallahassee Democrat, Mar 17 2006]

Hackers create a new scam [Tallahassee Democrat, Mar 18 2006]

A New Phishing Variation [John S. Quarterman, Mar 24 2006]

WHID 2005-47: SEC Vs. The Estonian Spiders

Wed, 16 Jun 2010 19:10:44 -0400

Entry Title: WHID 2005-47: SEC Vs. The Estonian Spiders
WHID ID: 2005-47
Date Occured: November 8, 2005
Outcome: Leakage of Information
Incident Description:

Business wire allowed access to non published press releases.

Additional information:

SEC Vs. The Estonian Spiders [Web Pro News, Nov 2 2005]

WHID 2000-2: IKEA exposes customer information on catalog site

Thu, 17 Jun 2010 18:25:45 -0400

Entry Title: WHID 2000-2: IKEA exposes customer information on catalog site
WHID ID: 2000-2
Outcome: Leakage of Information
Incident Description: Error message revealed a database file location, which could be downloaded.
Attack Source Geography:
Attacked Entity Field: Retail
Attacked Entity Geography:
Reference: http://news.com.com/2100-1017-245372.html?legacy=cnet

WHID 2000-3: Gaffe at Amazon leaves email addresses exposed

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2000-3: Gaffe at Amazon leaves email addresses exposed
WHID ID: 2000-3
Incident Description: E-mail addresses of other customers displayed by mistake, no hacking was required
Attack Source Geography:
Attacked Entity Geography: USA
Reference: http://news.com.com/2100-1017-245387.html?legacy=cnet

WHID 2005-44: Xoops web site hacked

Wed, 16 Jun 2010 19:12:44 -0400

Entry Title: WHID 2005-44: Xoops web site hacked
WHID ID: 2005-44
Date Occured: November 8, 2005
Outcome: Leakage of Information
Incident Description:

Configuration mistake left an unprotected unused virtual host. No details on the configuration problems given.

Additional information:

Xoops web site hacked [Vendor Web Site, Oct 28 2005]

WHID 2000-5: Eve.com exposes customers order information

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2000-5: Eve.com exposes customers order information
WHID ID: 2000-5
Incident Description: View other customers orders by changing a sequential number within a URL parameter
Attack Source Geography:
Attacked Entity Geography:
Reference: http://news.com.com/2100-1017-245700.html?legacy=cnet

WHID 2005-11: Samy XSS Worm Hits MySpace

Wed, 16 Jun 2010 19:57:41 -0400

Entry Title: WHID 2005-11: Samy XSS Worm Hits MySpace
WHID ID: 2005-11
Date Occured: November 8, 2005
Outcome: Worm
Incident Description:

The Samy worm at my space is now a classic, both a sophisticated attack and a well documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.

Additional information:

My Lunch With Samy [ha.ckers, Mar 10 2007]

MySpace XSS worm writer notes [bindshell, Apr 10 2005]

MySpace XSS worm source [bindshell, Apr 10 2005]

MySpace XSS virus development [bindshell, Apr 10 2005]

Cross-Site Scripting Worm Hits MySpace [Beta News, Apr 10 2005]

Attacked Entity Field: Web 2.0

WHID 2001-1: Travelocity exposes customer information

Wed, 16 Jun 2010 20:51:42 -0400

Entry Title: WHID 2001-1: Travelocity exposes customer information
WHID ID: 2001-1
Outcome: Disclosure Only
Incident Description: Sensitive files were left in a publicly accessible directory of a new web server install
Attack Source Geography:
Attacked Entity Geography:
Reference: http://news.com.com/2100-1017-251344.html?legacy=cnet

WHID 2001-2: Computer E-Retailer Exposes Credit Card Numbers

Wed, 16 Jun 2010 20:51:17 -0400

Entry Title: WHID 2001-2: Computer E-Retailer Exposes Credit Card Numbers
WHID ID: 2001-2
Outcome: Disclosure Only
Incident Description: View other orders by changing a sequential parameter number. Security was provided by client side JavaScript
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.extremetech.com/article2/0,3973,103782,00.asp

WHID 2005-40: Defacement of several Novell websites

Wed, 16 Jun 2010 19:15:46 -0400

Entry Title: WHID 2005-40: Defacement of several Novell websites
WHID ID: 2005-40
Date Occured: November 8, 2005
Outcome: Defacement
Incident Description:

Script upload due to a scoop known vulnerability

Additional information:

Defacement of several Novell websites [Mailing list post, Oct 4 2005]

WHID 2001-3: Persistent XSS in Hotmail

Wed, 16 Jun 2010 20:50:43 -0400

Entry Title: WHID 2001-3: Persistent XSS in Hotmail
WHID ID: 2001-3
Outcome: Disclosure Only
Incident Description: Persistent XSS HTML Injection inside an HTML email message to hotmail
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.usatoday.com/tech/news/2001-08-31-hotmail-security.htm

WHID 2001-5: Privacy hole found in Verizon Wireless Web site

Wed, 16 Jun 2010 20:49:49 -0400

Entry Title: WHID 2001-5: Privacy hole found in Verizon Wireless Web site
WHID ID: 2001-5
Date Occured: September 6, 2001
Outcome: Disclosure Only
Incident Description: The privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The Web site address for the feature assigns session identifications sequentially as each user logs in which allows for forceful browsing.
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html

WHID 2005-39: Promotional Firefox community site hacked (again)

Wed, 16 Jun 2010 19:16:53 -0400

Entry Title: WHID 2005-39: Promotional Firefox community site hacked (again)
WHID ID: 2005-39
Date Occured: November 8, 2005
Outcome: Leakage of Information
Incident Description:

Exploited unpatched Twiki

Additional information:

Promotional Firefox community site hacked (again) [ARStechnica, Oct 4 2005]

SpreadFirefox.com Community Website Hacked Once Again [ARStechnica, Oct 4 2005]

WHID 2001-6: XSS at Microsoft Passport

Wed, 16 Jun 2010 20:49:22 -0400

Entry Title: WHID 2001-6: XSS at Microsoft Passport
WHID ID: 2001-6
Outcome: Disclosure Only
Incident Description:
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.pcworld.com/news/article/0,aid,69543,00.asp

WHID 2005-37: A 12 years old hacked an online game and stole game items

Wed, 16 Jun 2010 19:22:26 -0400

Entry Title: WHID 2005-37: A 12 years old hacked an online game and stole game items
WHID ID: 2005-37
Date Occured: September 12, 2005
Outcome: Information Warfare
Incident Description:

A 12 years old guess login information of a woman and abused her account, stealing game items from her.

Additional information:

Boy, 12, referred to child guidance center for hacking into online game site [Manchini Daily News, Sep 7 2005]

WHID 2002-1: Flawed authentication at BN.com exposes personal information

Wed, 16 Jun 2010 20:48:14 -0400

Entry Title: WHID 2002-1: Flawed authentication at BN.com exposes personal information
WHID ID: 2002-1
Outcome: Leakage of Information
Incident Description:

Opening an account with a discontinued e-mail address exposes all the information of the discontinues account

Additional information:

BN.com: The Hole Story [Wired, Jul 19 2002]

BarnesAndNoble.com Security Flaw [Personal Web Page, Jul 9 2002]

Barnes & Noble.com Fined for Customer Data Leak [Datamation, Apr 30 2004]

WHID 2003-1: FTD.com hole leaks personal information

Wed, 16 Jun 2010 20:38:37 -0400

Entry Title: WHID 2003-1: FTD.com hole leaks personal information
WHID ID: 2003-1
Outcome: Leakage of Information
Incident Description:

View other customers information by modifying a cookie

Additional information:

FTD.com hole leaks personal information [CNet, Feb 13 2003]

WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers

Wed, 16 Jun 2010 19:20:10 -0400

Entry Title: WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers
WHID ID: 2005-38
Date Occured: September 12, 2005
Outcome: Extortion
Incident Description:

Teen convicted of threatening an ISP with DOS attack, among other computer hacking activities

Additional information:

Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers [Press Release, Sep 8 2005]

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

Wed, 16 Jun 2010 20:36:37 -0400

Entry Title: WHID 2003-3: User passwords could be stolid in Microsoft's Passport service
WHID ID: 2003-3
Outcome: Disclosure Only
Incident Description:

Additional information:

Microsoft faces huge fine over security [Zdnet, May 9 2003]

Microsoft Patches .NET Passport Hole [AnyNetwork, May 8 2003]

WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry

Wed, 16 Jun 2010 20:34:27 -0400

Entry Title: WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry
WHID ID: 2003-4
Outcome: Disclosure Only
Incident Description:

Additional information:

Guess Settles FTC Security Charges [FTC Web Site, Jun 18 2003]

WHID 2003-5: Car shoppers' credit details exposed in bulk

Wed, 16 Jun 2010 20:34:04 -0400

Entry Title: WHID 2003-5: Car shoppers' credit details exposed in bulk
WHID ID: 2003-5
Outcome: Leakage of Information
Incident Description:

User submitted information was being stored in a publicly available location. The URL found in the source code of a publicly available web page.

Additional information:

Car shoppers' credit details exposed in bulk [Security Focus, Sep 25 2003]

WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino

Wed, 16 Jun 2010 19:25:32 -0400

Entry Title: WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino
WHID ID: 2005-36
Date Occured: September 4, 2005
Outcome: Monetary Loss
Incident Description:

A player of an online game discovered that considerable delay hinted on the cards the dealer holds.

Additional information:

Online Games Are Written By Humans [Personal , Aug 29 2005]

WHID 2003-7: Victoria's Secret reveals far too much

Wed, 16 Jun 2010 20:32:39 -0400

Entry Title: WHID 2003-7: Victoria's Secret reveals far too much
WHID ID: 2003-7
Outcome: Disclosure Only
Incident Description:

View other customers orders by changing a sequential number within a URL parameter

Additional information:

Victoria's Secret Reveals Too Much [CBS News, Oct 22 2003]

Victoria's Secret reveals far too much [iAfrica, Oct 24 2003]

WHID 2005-35: Stanford University web sites defaced using XMLRPC bug

Wed, 16 Jun 2010 19:26:15 -0400

Entry Title: WHID 2005-35: Stanford University web sites defaced using XMLRPC bug
WHID ID: 2005-35
Date Occured: August 23, 2005
Outcome: Defacement
Incident Description:

Sites where defaced by utilizing an issue in an XMLRPC library used by PHP

Additional information:

Brazilian defacers hack hundreds of Stanford University web sites [Zone-H, Aug 21 2005]

WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks

Wed, 16 Jun 2010 20:29:11 -0400

Entry Title: WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks
WHID ID: 2004-2
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

Biggest Web Problem Isn't About Privacy, It's Sloppy Security [Wallstreet Journal (Archive Copy), Jan 26 2004]

Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.cs.umass.edu/~kevinfu/news/wsj-gomes1.txt

WHID 2005-34: Man logs into dabs.com misc customer account

Wed, 16 Jun 2010 19:28:47 -0400

Entry Title: WHID 2005-34: Man logs into dabs.com misc customer account
WHID ID: 2005-34
Date Occured: August 22, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

Man logs into dabs.com customer account shocker [channel register, Aug 18 2005]

WHID 2004-1: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - OpenTable

Wed, 16 Jun 2010 20:30:11 -0400

Entry Title: WHID 2004-1: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - OpenTable
WHID ID: 2004-1
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

Biggest Web Problem Isn't About Privacy, It's Sloppy Security [Wallstreet Journal (Archive Copy), Jan 26 2004]

WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service

Wed, 16 Jun 2010 20:25:47 -0400

Entry Title: WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service
WHID ID: 2004-7
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

More Scary Tales Involving Big Holes In Web-Site Security [Wallstreet Journal (Archive Copy), Feb 2 2004]

Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt

WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's

Wed, 16 Jun 2010 20:26:50 -0400

Entry Title: WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's
WHID ID: 2004-4
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

More Scary Tales Involving Big Holes In Web-Site Security [Wallstreet Journal (Archive Copy), Feb 2 2004]

WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega

Wed, 16 Jun 2010 20:27:18 -0400

Entry Title: WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega
WHID ID: 2004-3
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

More Scary Tales Involving Big Holes In Web [Wallstreet Journal (Archive Copy), Feb 2 2004]

WHID 2005-27: Phishers hack eBay

Wed, 16 Jun 2010 19:39:25 -0400

Entry Title: WHID 2005-27: Phishers hack eBay
WHID ID: 2005-27
Date Occured: August 8, 2005
Outcome: Phishing
Incident Description:

A bug in an eBay site allowed Phishers to redirect users to their own servers after feeling details at the genuine eBay site

Additional information:

Phishers hack eBay [MacWorld, Aug 2 2005]

WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway

Wed, 16 Jun 2010 20:24:59 -0400

Entry Title: WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway
WHID ID: 2004-5
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

More Scary Tales Involving Big Holes In Web-Site Security [Wallstreet Journal (Archive Copy), Feb 2 2004]

WHID 2005-31: Hacker forced new planet discovery out of the closet

Wed, 16 Jun 2010 19:33:01 -0400

Entry Title: WHID 2005-31: Hacker forced new planet discovery out of the closet
WHID ID: 2005-31
Date Occured: August 4, 2005
Outcome: Extortion
Incident Description:

Additional information:

Hacker forced new planet discovery out of the closet [The Inquierer, Aug 1 2005]

WHID 2004-6: More Scary Tales Involving Big Holes In Web-Site Security - Tiffany

Wed, 16 Jun 2010 20:24:11 -0400

Entry Title: WHID 2004-6: More Scary Tales Involving Big Holes In Web-Site Security - Tiffany
WHID ID: 2004-6
Date Occured: August 4, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

More Scary Tales Involving Big Holes In Web-Site Security [Wallstreet Journal (Archive Copy), Feb 2 2004]

WHID 2005-30: Blogger Developers Network Blog Cracked

Wed, 16 Jun 2010 19:34:49 -0400

Entry Title: WHID 2005-30: Blogger Developers Network Blog Cracked
WHID ID: 2005-30
Date Occured: August 4, 2005
Outcome: Defacement
Incident Description:

Official answer from Blogger was that this was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com'].

Additional information:

Blogger Developers Network Blog Cracked [, Jul 31 2005]

WHID 2005-65: LexisNexis Data Breach

Wed, 16 Jun 2010 18:52:35 -0400

Entry Title: WHID 2005-65: LexisNexis Data Breach
WHID ID: 2005-65
Date Occured: February 17, 2008
Outcome: Leakage of Information
Incident Description:

The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient automation measures and are adding historical incidents.

In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.

As usual in such cases there is a question of whether the attack was a criminal activity, violation of the license agreement of the information provider or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking to Paris Hilton Vodafone account, which was clearly an unlawful act.

Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that the incident was that there was no security failure in the web site, but that the procedures where lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.

Additional information:

Arrests Made in '05 LexisNexis Data Breach [Washington Post, Jun 30 2006]

LexisNexis Data Breach Bigger Than Estimated [Washington Post, Apr 13 2008]

Security Breach at LexisNexis Now Appears Larger [New York Times, Apr 13 2008]

Attacked Entity Field: Information Services
Attacked Entity Geography: USA

WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site

Wed, 16 Jun 2010 20:18:54 -0400

Entry Title: WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site
WHID ID: 2004-9
Outcome: Leakage of Information
Incident Description:

A billing information system required only phone number and zip code to pull up account details

Additional information:

A security tale: From vulnerability discovery to disaster [Search Security, Jun 14 2004]

WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker

Wed, 16 Jun 2010 19:41:21 -0400

Entry Title: WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker
WHID ID: 2005-25
Date Occured: July 31, 2005
Outcome: Leakage of Information
Incident Description:

A man hacked into a competing web site

Additional information:

No Charges Filed Yet Against South Charlotte Computer Hacker [WSOC-TV, Jul 26 2005]

WHID 2004-10: SQL Injection and XSS on presidential campaign web sites

Wed, 16 Jun 2010 20:18:15 -0400

Entry Title: WHID 2004-10: SQL Injection and XSS on presidential campaign web sites
WHID ID: 2004-10
Outcome: Disclosure Only
Incident Description:

C:UsersOfer ShezafDocuments

Additional information:

Campaign Sites Lack Security [Wired, Jun 30 2004]

WHID 2005-24: Firefox marketing site hacked

Wed, 16 Jun 2010 19:44:09 -0400

Entry Title: WHID 2005-24: Firefox marketing site hacked
WHID ID: 2005-24
Date Occured: July 15, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

Firefox marketing site hacked [Zdnet, Jul 15 2005]

Firefox marketing site hacked [C-Net, Jul 15 2005]

Promotional firefox community site hacked [ars technica, Jul 15 2005]

SpreadFirefox Site Hacked, Data Leaked [eWeek, Jul 15 2005]

Spread Firefox Downtime [Spread Firefox, Jul 15 2005]

Mozilla marketing site hacked [Network World, Jul 15 2005]

Mon, 19 Jul 2010 20:35:07 -0400

Attacked Entity Field: Government
Reference:

WHID 2004-12: XSS in Gmail

Wed, 16 Jun 2010 20:17:13 -0400

Entry Title: WHID 2004-12: XSS in Gmail
WHID ID: 2004-12
Date Occured: July 11, 2005
Outcome: Disclosure Only
Incident Description:

An XSS was found in G-Mail

Additional information:

Gmail accounts 'wide open to exploit' - report [The Register, Oct 29 2004]

NetLife Exclusive: Security hole found in Gmail [Nana NetLife, Oct 27 2004]

WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation

Wed, 16 Jun 2010 20:32:07 -0400

Entry Title: WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation
WHID ID: 2003-8
Outcome: Disclosure Only
Incident Description:

Additional information:

Petco settles charge it left customer data exposed [Infoeworld, Nov 17 2004]

Petco settles with FTC over cyber security gaffe [Security Focus, Nov 17 2004]

FTC investigates PetCo.com security hole [Security Focus, Dec 5 2003]

WHID 2005-23: Chinese hacker held in Web data theft

Wed, 16 Jun 2010 19:45:08 -0400

Entry Title: WHID 2005-23: Chinese hacker held in Web data theft
WHID ID: 2005-23
Date Occured: July 11, 2005
Outcome: Leakage of Information
Incident Description:

The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. Hacking was done in order to earn money to pay for tuition.

Additional information:

Chinese hacker held in Web data theft [Asahi Shimbun, Jul 7 2005]

WHID 2005-22: MS UK defaced in hacking attack

Wed, 16 Jun 2010 19:45:50 -0400

Entry Title: WHID 2005-22: MS UK defaced in hacking attack
WHID ID: 2005-22
Date Occured: July 11, 2005
Outcome: Defacement
Incident Description:

Microsoft UK site defaced due to server misconfiguration

Additional information:

MS UK defaced in hacking attack [The Register, Jul 6 2005]

MS UK Zone-H defacements archive [Zone-H, Jul 6 2005]

WHID 2004-16: Lycos Free Email XSS

Wed, 16 Jun 2010 20:14:22 -0400

Entry Title: WHID 2004-16: Lycos Free Email XSS
WHID ID: 2004-16
Date Occured: July 11, 2005
Outcome: Disclosure Only
Incident Description:

An XSS was found in Lycos Web Mail

Additional information:

Lycos Free Email Cross-Site Scripting Vulnerability [SecriTeam, Dec 27 2004]

WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications

Wed, 16 Jun 2010 20:10:26 -0400

Entry Title: WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications
WHID ID: 2005-3
Outcome: Leakage of Information
Incident Description:

Multiple misconfiguration problems such as browsable directories, physical path revealing and default or weak passwords

Additional information:

Think Discovers Critical Flaws in U.S. Transportation Security [Vulnerabiliy Publisher's Site, Feb 1 2005]

WHID 2005-18: Hacker hits Duke system

Wed, 16 Jun 2010 19:51:29 -0400

Entry Title: WHID 2005-18: Hacker hits Duke system
WHID ID: 2005-18
Outcome: Leakage of Information
Incident Description:

Additional information:

Hacker hits Duke system [The News Observer, Jun 5 2005]

WHID 2005-1: Gmail Bug Exposes E-mails messages of other users

Wed, 16 Jun 2010 20:11:36 -0400

Entry Title: WHID 2005-1: Gmail Bug Exposes E-mails messages of other users
WHID ID: 2005-1
Date Occured: July 11, 2005
Outcome: Disclosure Only
Incident Description:

Parameter tampering enabled exposing sensitive information in G-Mail

Additional information:

Gmail Bug Exposes E-mails to Hackers [Beta News, Jan 12 2005]

Gmail Messages Are Vulnerable To Interception [Slash.Dot, Jan 12 2005]

WHID 2005-2: Froogle XSS

Wed, 16 Jun 2010 20:10:53 -0400

Entry Title: WHID 2005-2: Froogle XSS
WHID ID: 2005-2
Date Occured: July 11, 2005
Outcome: Disclosure Only
Incident Description:

An XSS was found in Froogle

Additional information:

Google plugs brace of GMail security flaws [The Register, Jan 14 2005]

Google Plugs Cookie-Theft Data Leak [eWeek, Jan 14 2005]

Froogle XSS [Packet Storm, ]

WHID 2005-16: MSN site hacked in South Korea

Wed, 16 Jun 2010 19:53:20 -0400

Entry Title: WHID 2005-16: MSN site hacked in South Korea
WHID ID: 2005-16
Outcome: Session Hijacking
Incident Description:

The web site was modified to include password stealing code

Additional information:

Microsoft admits MSN site hacked in South Korea [USA Today, Jun 2 2005]

MSN Site Hacking Went Undetected for Days [ABC News, Jun 3 2005]

WHID 2005-6: Tampering with parameters allows access to others account data on PayMaxx Inc. site

Wed, 16 Jun 2010 20:06:48 -0400

Entry Title: WHID 2005-6: Tampering with parameters allows access to others account data on PayMaxx Inc. site
WHID ID: 2005-6
Outcome: Leakage of Information
Incident Description:

Parameter tampering enabled jumping into someone else's account data on PayMaxx Inc. site

Additional information:

Payroll site closes on security worries [CNet, Feb 23 2005]

Think Finds Flaw Revealing Up To 100,000 Social Security Numbers [Vulnerabiliy Publisher's Site, Feb 23 2005]

WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data

Wed, 16 Jun 2010 19:56:45 -0400

Entry Title: WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data
WHID ID: 2005-12
Outcome: Disclosure Only
Incident Description:

Extranet system accessible to the public

Additional information:

Insurer's website breach reveals data on drivers [The Boston Globe, May 5 2005]

WHID 2005-14: XSS on Microsoft Xbox site allowed phishing

Wed, 16 Jun 2010 19:54:13 -0400

Entry Title: WHID 2005-14: XSS on Microsoft Xbox site allowed phishing
WHID ID: 2005-14
Date Occured: November 8, 2005
Outcome: Phishing
Incident Description:

Additional information:

Microsoft plugs phishing hole in Xbox site [news.com, May 25 2005]

WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site

Wed, 16 Jun 2010 19:55:04 -0400

Entry Title: WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site
WHID ID: 2005-13
Outcome: Downtime
Incident Description:

Additional information:

Web sites get costly lesson in security [Asahi (Japan), May 18 2005]

Hacker attacked weak point on Kakaku.com's Web Site [Asahi (Japan), May 25 2005]

WHID 2005-15: Unprotected information on the University of Chicago web site

Wed, 16 Jun 2010 19:53:54 -0400

Entry Title: WHID 2005-15: Unprotected information on the University of Chicago web site
WHID ID: 2005-15
Outcome: Leakage of Information
Incident Description:

Files containing sensitive information left unprotected on the web server

Additional information:

University of Chicago [Victim's Site, May 30 2005]

Private records discovered on server [Chicago Maroon, May 27 2005]

WHID 2005-10: Indian SATs results leaking

Wed, 16 Jun 2010 19:58:33 -0400

Entry Title: WHID 2005-10: Indian SATs results leaking
WHID ID: 2005-10
Date Occured: November 8, 2005
Outcome: Disclosure Only
Incident Description:

Additional information:

Indian SATs results leaking [Blog talkback, Mar 10 2005]

WHID 2005-17: Leakage of information due to XSS in Hotmail

Wed, 16 Jun 2010 19:52:07 -0400

Entry Title: WHID 2005-17: Leakage of information due to XSS in Hotmail
WHID ID: 2005-17
Outcome: Disclosure Only
Incident Description:

Additional information:

Microsoft fixes Hotmail hack [VUnet, Jun 9 2005]

Hotmail users exposed to cookie snaffling exploit [The Registrer, Jun 8 2005]

MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes [PC Magazine, Jun 7 2005]

MSN flaw put Hotmail accounts at risk [CNet, Jun 6 2005]

Hacking hotmail, by Alex de Vries [Personal Web Page, Jun 4 2005]

WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site

Wed, 16 Jun 2010 19:50:17 -0400

Entry Title: WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site
WHID ID: 2005-19
Outcome: Disclosure Only
Incident Description:

Additional information:

Privacy Fears Prompt CVS To Turn Off Online Service [Computer World, Jun 27 2005]

WHID 2005-7: Hacker Tips Off B-School Applicants

Wed, 16 Jun 2010 20:05:26 -0400

Entry Title: WHID 2005-7: Hacker Tips Off B-School Applicants
WHID ID: 2005-7
Outcome: Leakage of Information
Incident Description:

Parameter tampering to jump into someone else's account data

Additional information:

Hacker Tips Off B-School Applicants [The Crimson, Mar 3 2005]

HBS/ApplyYourself Admit Status snafu [Personal Blog, Mar 2 2005]

WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data

Wed, 16 Jun 2010 19:47:50 -0400

Entry Title: WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data
WHID ID: 2005-21
Outcome: Disclosure Only
Incident Description:

A person who discovered an SQL injection vulnerability in a USC system and informed security focus about the flaw was criminally charged with breaking into the system.

Additional information:

Man charged with accessing USC student data [Security Focus, Apr 20 2006]

Flawed USC admissions site allowed access to applicant data [Security Focus, Jul 5 2005]

WHID 2005-26: NISCC reveals SAP R/3 security flaw

Wed, 16 Jun 2010 19:40:00 -0400

Entry Title: WHID 2005-26: NISCC reveals SAP R/3 security flaw
WHID ID: 2005-26
Date Occured: July 31, 2005
Outcome: Disclosure Only
Incident Description:

Additional information:

NISCC reveals SAP R/3 security flaw [Computer Weekly, Jul 28 2005]

WHID 2005-29: Security issues in interactive hotel TVs

Wed, 16 Jun 2010 19:36:22 -0400

Entry Title: WHID 2005-29: Security issues in interactive hotel TVs
WHID ID: 2005-29
Date Occured: July 31, 2005
Outcome: Disclosure Only
Incident Description:

While not strictly web security, this discussion of hotel rooms TV application security is a very good example of the dangers of our networked society

Additional information:

A Hacker Games the Hotel [Wired, Jul 30 2005]

WHID 2005-8: eBay Redirect Becomes Phishing Tool

Wed, 16 Jun 2010 20:02:08 -0400

Entry Title: WHID 2005-8: eBay Redirect Becomes Phishing Tool
WHID ID: 2005-8
Outcome: Phishing
Incident Description:

Additional information:

eBay Redirect Becomes Phishing Tool [Beta News, Mar 3 2005]

WHID 2005-32: Weak password recovery on Citrix's site

Wed, 16 Jun 2010 19:31:21 -0400

Entry Title: WHID 2005-32: Weak password recovery on Citrix's site
WHID ID: 2005-32
Date Occured: August 8, 2005
Outcome: Disclosure Only
Incident Description:

Weak password recovery procedure at Citrix

Additional information:

Example of the worst passwd recovery interface [WebAppSec mailing list, Aug 3 2005]

WHID 2005-9: Undisclosed application security issue on Cisco's site forces global passwords reset

Wed, 16 Jun 2010 20:01:40 -0400

Entry Title: WHID 2005-9: Undisclosed application security issue on Cisco's site forces global passwords reset
WHID ID: 2005-9
Date Occured: April 8, 2005
Outcome: Disclosure Only
Incident Description:

An undisclosed application security issue on Cisco web site required resetting passwords for all registered users.

Additional information:

Cisco.com passwords reset after Web site exposure [Computer World, Mar 8 2005]

Cisco Web Site Breached by Hackers [Beta News, Mar 8 2005]

Cisco warns customers of site breach [Cnet, Mar 8 2005]

Cisco Connection Online Compromised? [TaoSecurity Blog, Mar 8 2005]

Cisco Web Portal Password Security Compromised [eWeek, Mar 8 2005]

WHID 2005-33: Insufficient authorization on Verizon's MyAccount feature

Wed, 16 Jun 2010 19:29:28 -0400

Entry Title: WHID 2005-33: Insufficient authorization on Verizon's MyAccount feature
WHID ID: 2005-33
Date Occured: August 22, 2005
Outcome: Disclosure Only
Incident Description:

A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle

Additional information:

Glitch on Verizon Wireless Web Site Left Data at Risk [Washington Post, Aug 12 2005]

WHID 2005-5: Paris Hilton's T-Mobile online account hacked

Wed, 16 Jun 2010 20:08:19 -0400

Entry Title: WHID 2005-5: Paris Hilton's T-Mobile online account hacked
WHID ID: 2005-5
Date Occured: July 11, 2005
Outcome: Leakage of Information
Incident Description:

Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability is BEA WebLogic

Additional information:

Paris Hilton Hack Started With Old-Fashioned Con [Washington Post, May 19 2005]

Paris Hilton: Victim of T-Mobile's Web Flaws? [PCWorld, Mar 1 2005]

Known Hole Aided T-Mobile Breach [Wired.com, Feb 28 2005]

How Paris Got Hacked? [O'Reilly Network, Feb 22 2005]

WHID 2005-41: XSS on Google's AdWords enables phishing

Wed, 16 Jun 2010 19:14:26 -0400

Entry Title: WHID 2005-41: XSS on Google's AdWords enables phishing
WHID ID: 2005-41
Date Occured: November 10, 2005
Outcome: Disclosure Only
Incident Description:

Additional information:

Google fixes Web site security bug [News.com, Oct 10 2005]

WHID 2005-42: Default password in a common application used by schools

Wed, 16 Jun 2010 19:13:55 -0400

Entry Title: WHID 2005-42: Default password in a common application used by schools
WHID ID: 2005-42
Date Occured: November 10, 2005
Outcome: Leakage of Information
Incident Description:

The software has a default password for teachers, enabling anyone to access the system with teachers privileges.

Additional information:

Software glitch reveals private data for thousands of state's students

S.F. administrators close program to update passwords [Sfgate, Oct 21 2005]

WHID 2004-15: New Variant of Santy Worm Spreads

Wed, 16 Jun 2010 20:15:07 -0400

Entry Title: WHID 2004-15: New Variant of Santy Worm Spreads
WHID ID: 2004-15
Date Occured: December 25, 2004
Outcome: Worm
Incident Description:

phpBB worm

Additional information:

PHP Scripts Automated Arbitrary File Inclusion [Vulnerabiliy Publisher's Site, Dec 25 2004]

New Variant of Santy Worm Spreads [PC World, Dec 27 2004]

Santy.E worm poses threat to sites badly coded in PHP [Computer World, Dec 27 2004]

Attacked Entity Field: Various
Attacked System Technology: phpBB

WHID 2005-43: XSS in Yahoo's Web mail enables phishing

Wed, 16 Jun 2010 19:13:09 -0400

Entry Title: WHID 2005-43: XSS in Yahoo's Web mail enables phishing
WHID ID: 2005-43
Date Occured: November 10, 2005
Outcome: Disclosure Only
Incident Description:

XSS in Yahoo mail, Allows phishing

Additional information:

Yahoo fixes Web mail security flaw [News.com, Oct 21 2005]

WHID 2004-14: Santy worm defaces websites using PHP bug

Wed, 16 Jun 2010 20:16:04 -0400

Entry Title: WHID 2004-14: Santy worm defaces websites using PHP bug
WHID ID: 2004-14
Date Occured: December 22, 2004
Outcome: Worm
Incident Description:

Worm used Google to locate sites vulnerable to OS

Additional information:

Santy worm makes unwelcome visit [BBC, Dec 22 2004]

Santy worm defaces websites using php bug [Sans Storm Center, Dec 21 2004]

Attack Source Geography: Various
Attacked Entity Field: Various
Attacked System Technology: phpBB

WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site

Wed, 16 Jun 2010 19:08:37 -0400

Entry Title: WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site
WHID ID: 2005-48
Date Occured: November 10, 2005
Outcome: Leakage of Information
Incident Description:

Additional information:

Zero Day Pizza Party - Yo Noid Advisory #00001 ["Full Disclosure" Mailing List, Nov 7 2005]

Pizza chain caught without fully baked security [Cnet, Nov 7 2005]

WHID 2004-13: SunTrust site XSS vulnerability exploited by for phishing

Wed, 16 Jun 2010 20:16:40 -0400

Entry Title: WHID 2004-13: SunTrust site XSS vulnerability exploited by for phishing
WHID ID: 2004-13
Date Occured: November 8, 2005
Outcome: Phishing
Incident Description:

Phishing based on XSS (Same vulnerability but a different attack that the similar September 2004 attack)

Additional information:

Do Online Banks Facilitate Fraud? [The Motley Fool, Dec 8 2004]

SunTrust site exploited by fraudsters [NetCraft, Dec 6 2004]

WHID 2005-64: Woman scammed QVC for $400,000+ in Internet glitch

Wed, 16 Jun 2010 18:53:39 -0400

Entry Title: WHID 2005-64: Woman scammed QVC for $400,000+ in Internet glitch
WHID ID: 2005-64
Date Occured: November 20, 2007
Outcome: Monetary Loss
Incident Description:

A woman exploited a bug in QVC shopping network web site to get, without paying, more than 1800 items worth $412,000 items from the March to November 2005. The glitch enabled her to cancel orders she placed at a specific time and still get the product.

Additional information:

Woman scammed QVC for $400,000+ in Internet glitch [TG Daily, Oct 30 2007]

N.C. woman admits 400G scam of QVC [Phily.com, Oct 26 2007]

Attacked Entity Geography: USA

WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data

Wed, 16 Jun 2010 20:17:37 -0400

Entry Title: WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data
WHID ID: 2004-11
Outcome: Phishing
Incident Description:

Phishing based on XSS

Additional information:

Phishers Manipulate SunTrust Site to Steal Data [NetCraft, Sep 28 2004]

Attacked Entity Field: Finance
Attacked Entity Geography: USA

WHID 2004-18: Security flaw exposed in Cahoot bank accounts

Wed, 16 Jun 2010 20:13:01 -0400

Entry Title: WHID 2004-18: Security flaw exposed in Cahoot bank accounts
WHID ID: 2004-18
Date Occured: October 25, 2007
Outcome: Disclosure Only
Incident Description:

Following a software upgrade, Cahoot, a UK based Internet only bank allowed accessing user accounts by guessing their user names. At least on one page allowed accessing an account by only specifying the user name in the URL. The bug was open for 12 days before being discovered.

The site was taken off line for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where vulnerability was serious enough to force the organization to just take the site off line until it is fixed.

We somehow missed this story so it finds its way to WHID only now in late 2007.

Additional information:

Security flaw exposed in Cahoot bank accounts [Silicon.com, Oct 5 2004]

Leader: Not another security scare [Silicon.com, Oct 5 2004]

Cahoot hit by web security scare [BBC, Oct 5 2004]

WHID 2005-63: Web designer sentenced for hacking competitor's site

Wed, 16 Jun 2010 18:55:30 -0400

Entry Title: WHID 2005-63: Web designer sentenced for hacking competitor's site
WHID ID: 2005-63
Date Occured: August 14, 2007
Outcome: Leakage of Information
Incident Description:

While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which unless the incident itself is overrated in the media, is a very bad sign on how courts view computer crime.

Additional information:

Web designer sentenced for hacking competitor's site [CNet, Aug 14 2007]

WHID 2004-8: Broadcast TV announcements changed by hacking the stations web site

Wed, 16 Jun 2010 20:20:34 -0400

Entry Title: WHID 2004-8: Broadcast TV announcements changed by hacking the stations web site
WHID ID: 2004-8
Outcome: Disinformation
Incident Description:

Previously moderated weather announcements could be changed by the user

Additional information:

Pranksters bedevil TV weather announcment system [Security Focus, Mar 4 2004]

WHID 2005-62: Guidance Software

Wed, 16 Jun 2010 18:56:09 -0400

Entry Title: WHID 2005-62: Guidance Software
WHID ID: 2005-62
Date Occured: April 18, 2007
Outcome: Leakage of Information
Incident Description:

3,800 customer credit-card numbers were stolen in the attack on Guidance Software web site. This incident is made more severe since Guidance software is a provider of software for investigating security breaches and many of its clients are security and law enforcement agencies, some of them known to be affected.

As usual in such cases the actual way in which the information was stolen was not disclosed. A federal trade commission report on the incident, published only in 2007, revealed that the incident was a result on an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

Additional information:

United States Of America Federal Trade Commission In The Matter Of Guidance Software, Inc. [Federal Trade Commission, Apr 1 2007]

Guidance Software Investigating Stolen Data [Internet News, Dec 20 2005]

FTC Approves Final Guidance Settlement [Internet News, Apr 3 2007]

WHID 2003-9: Defenses lacking at social network sites

Wed, 16 Jun 2010 20:31:33 -0400

Entry Title: WHID 2003-9: Defenses lacking at social network sites
WHID ID: 2003-9
Outcome: Disclosure Only
Incident Description:

Additional information:

Defenses lacking at social network sites [Security Focus, Dec 31 2003]

WHID 2004-17: The CardSystems breach was an SQL Injection hack (Updated)

Wed, 16 Jun 2010 20:13:27 -0400

Entry Title: WHID 2004-17: The CardSystems breach was an SQL Injection hack (Updated)
WHID ID: 2004-17
Date Occured: April 20, 2006
Outcome: Credit Card Leakage
Incident Description:

Update (May 27th 2009) - The CardSystems incident is refusing to die. Merrick Back is now suing Savvis for certifying CardSystems as CISP compliant while it systems where wide open. CISP is a VISA program for certifying credit card processing systems which existed prior to PCI DSS.

The actual damage to an organization of an attack is rarely disclosed, and coverage focuses on the Number_of_Records stolen. In the court documents Merrick reveals that its own damage from the CardSystems incident was $16,000,000! The money was paid to card holders to compensate for losses and for legal fees and fines.

The case is also interesting as it put to test the liability of the certifying entity (in this case Savvis) resulting from assessing. The results may have profound influence on the PCI QSA market and therefore PCI itself. David Navetta posts an excellent legal analysis of the potential implications of the lawsuit.

This entry is a very important one. Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more and several million dollars fraudulent credit and debit card purchases had been made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever and it caused company share holders, financial institutes and card holders damage of millions of dollars.

But since the publication of the incident a year ago the way in which the breach occurred remained a mystery.

Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install malicious script on the CardSystems web application database which where scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

Additional information:

Cleaning up after a hack job: CardSystems' Christensen [Information Security (mirror), Apr 14 2006]

FTC complain In the Matter of CardSystems Solutions [FTC, ]

Midrange CardSystems Wiki [Midrange, ]

CardSystems was a Web Application Hack [Cesar Cerrudo, Argeniss, Apr 18 2006]

CardSystems Exposes 40 Million Identities [Bruce Schneier, Jun 23 2005]

Attack Source Geography:
Attacked Entity Field: Finance
Attacked Entity Geography:
Items Leaked: Credit Card Number
Number of Records: 40,000,000

WHID 2002-4: Tower Records settles charges over hack attacks

Wed, 16 Jun 2010 20:39:46 -0400

Entry Title: WHID 2002-4: Tower Records settles charges over hack attacks
WHID ID: 2002-4
Outcome: Leakage of Information
Incident Description:

View other customers orders by changing a guessable number within a URL parameter

Additional information:

Tower Records settles charges over hack attacks [Security Focus, Apr 21 2004]

Tower Records site exposes data [CNet, Dec 5 2002]

WHID 2005-61: Gmail session management bug

Wed, 16 Jun 2010 18:56:54 -0400

Entry Title: WHID 2005-61: Gmail session management bug
WHID ID: 2005-61
Date Occured: April 12, 2006
Outcome: Disclosure Only
Incident Description:

A bug in Gmail's authentication and session management allows direct login to anybodies account without requiring any involvement of the victim.

Additional information:

Gmail bug [elhacker.net, Oct 18 2005]

Google Downplays Gmail Security Fix [eWeek, Oct 18 2005]

WHID 1999-1: eBay downplays security hole

Mon, 24 May 2010 13:29:40 -0400

Entry Title: WHID 1999-1: eBay downplays security hole
WHID ID: 1999-1
Date Occured: April 4, 2006
Incident Description: A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.
Attack Source Geography:
Attacked Entity Geography: USA
Reference: http://packetstormsecurity.org/9904-exploits/ebayla.txt

WHID 2002-2: Advogato XSS virus account

Wed, 16 Jun 2010 20:41:57 -0400

Entry Title: WHID 2002-2: Advogato XSS virus account
WHID ID: 2002-2
Date Occured: July 11, 2005
Outcome: Worm
Incident Description:

Additional information:

Advogato xss virus account [Bindshell, Sep 21 2002]

WHID 2003-2: UT Austin hack yields personal info on thousands

Wed, 16 Jun 2010 20:38:09 -0400

Entry Title: WHID 2003-2: UT Austin hack yields personal info on thousands
WHID ID: 2003-2
Date Occured: April 4, 2006
Outcome: Leakage of Information
Incident Description:

While an old incident, further research into it suggest that it was a web hack. While the initial reports talk about a database break in, a report in the Register identify the database as txClass, which is a web based system.
55,200 social security numbers where stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation.

Additional information:

Data Theft Incident Response [UofT, Sep 7 2005]

Student owns up to Texas Uni cyber-heist [The Register, Mar 18 2003]

UT Austin hack yields personal info on thousands [Computer World, Mar 6 2003]

Hackers steal names, Social Security numbers from University of Texas database [Security Focus, Mar 6 2006]

WHID 2006-5: Hotmail XSS (1)

Wed, 16 Jun 2010 18:45:43 -0400

Entry Title: WHID 2006-5: Hotmail XSS (1)
WHID ID: 2006-5
Date Occured: March 29, 2006
Outcome: Disclosure Only
Incident Description:

Hotmail's filtering engine insufficiently filters JavaScript scripts. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS. This leads to execution when the email is viewed. JavaScript must be Unicode encoded in order to fool the filter. This encoding is recognized with IE >= 6

Additional information:

Microsoft MSN Hotmail : Cross-Site Scripting Vulnerability [Bugtraq Archives, Mar 23 2006]

WHID 2006-12: Music Web Site: Breach Exposed Accounts

Wed, 16 Jun 2010 18:38:59 -0400

Entry Title: WHID 2006-12: Music Web Site: Breach Exposed Accounts
WHID ID: 2006-12
Date Occured: March 22, 2006
Outcome: Leakage of Information
Incident Description:

A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige was breached and notified some customers that their credit card information may have been stolen.

Additional information:

Music Web Site: Breach Exposed Accounts [AP, Mar 16 2006]

WHID 2006-6: Hacker breaks into Buffalo sports site

Wed, 16 Jun 2010 18:45:22 -0400

Entry Title: WHID 2006-6: Hacker breaks into Buffalo sports site
WHID ID: 2006-6
Date Occured: March 22, 2006
Outcome: Leakage of Information
Incident Description:

A site of a minor league baseball team was hacked and personal details of fans was stolen.

Additional information:

Hacker breaks into Buffalo sports site [NBC, Mar 15 2006]

Hacker gains access to Bisons fans' Web data [The Buffalow News, Mar 14 2006]

WHID 2001-4: Hacked Web site damaged PCs in Japan

Wed, 16 Jun 2010 20:50:25 -0400

Entry Title: WHID 2001-4: Hacked Web site damaged PCs in Japan
WHID ID: 2001-4
Outcome: Planting of Malware
Incident Description: Users who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x, automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.infoworld.com/articles/hn/xml/01/08/21/010821hnjapmal.html?&_ref=1024727153

WHID 2006-7: Google Reader "preview" and "lens" script improper feed validation

Wed, 16 Jun 2010 18:44:26 -0400

Entry Title: WHID 2006-7: Google Reader "preview" and "lens" script improper feed validation
WHID ID: 2006-7
Date Occured: March 5, 2006
Outcome: Disclosure Only
Incident Description:

Google reader allows redirection so sites can fool users to subscribe to malicious content.

Additional information:

Google Reader "preview" and "lens" script improper feed validation [Full Disclosure, Feb 22 2006]

WHID 2006-10: NUJP website defacement seen not related to political crisis

Wed, 16 Jun 2010 18:39:58 -0400

Entry Title: WHID 2006-10: NUJP website defacement seen not related to political crisis
WHID ID: 2006-10
Date Occured: March 5, 2006
Outcome: Defacement
Incident Description:

A mass defacement of a Philippine hosting service was carried our using SQL injection. It accidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.

Additional information:

NUJP website defacement seen not related to political crisis [inq7, Mar 2 2006]

WHID 2000-6: Inforeading.com defacement using command injection

Mon, 24 May 2010 13:29:40 -0400

Entry Title: WHID 2000-6: Inforeading.com defacement using command injection
WHID ID: 2000-6
Incident Description: Executing local commands using URL parameters
Attack Source Geography:
Attacked Entity Geography:
Reference: http://www.inforeading.com/library/infoarticles/InfoReading/logs/deface/02.txt

WHID 2006-11: Teenager claims to find code flaw in Gmail

Wed, 16 Jun 2010 18:39:35 -0400

Entry Title: WHID 2006-11: Teenager claims to find code flaw in Gmail
WHID ID: 2006-11
Date Occured: March 5, 2006
Outcome: Disclosure Only
Incident Description:

A 14 years old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed, and Google did not comment, so either the flaw was fixed pretty fast, or did not exits.

Additional information:

Teenager claims to find code flaw in Gmail [Network World, Feb 3 2006]

Vulnerability in Gmail [Ph3rny's Blog, ]

Google fixes 'minor' Gmail flaw [ZDnet, Feb 2 2006]

WHID 2006-8: ICQmail.com - Mail2World.com XSS vulnerability

Wed, 16 Jun 2010 18:43:28 -0400

Entry Title: WHID 2006-8: ICQmail.com - Mail2World.com XSS vulnerability
WHID ID: 2006-8
Date Occured: March 5, 2006
Outcome: Disclosure Only
Incident Description:

Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.

Additional information:

Advisory: ICQmail.com & Mail2World.com (ms_inbox.asp Current_folder) XSS vulnerability [NukedX, Feb 25 2006]

Attack Source Geography:
Attacked Entity Geography:

WHID 2000-4: Sensitive files left unprotected on Western Union's Web

Mon, 24 May 2010 13:54:42 -0400

Entry Title: WHID 2000-4: Sensitive files left unprotected on Western Union's Web
WHID ID: 2000-4
Incident Description: Sensitive files were left in a publicly accessible directory during a maintenance window
Attack Source Geography:
Attacked Entity Geography: USA
Reference: http://news.com.com/2100-1023-245525.html?legacy=cnet

WHID 2006-9: EBay XSS

Wed, 16 Jun 2010 18:44:42 -0400

Entry Title: WHID 2006-9: EBay XSS
WHID ID: 2006-9
Date Occured: March 3, 2006
Outcome: Disinformation
Incident Description:

Unlike other XSS cases, this was discovered due to actual abuse on a specific auction at EBay.

Additional information:

Ebay XSS [Full Disclosure, Feb 28 2006]

Attack Source Geography:
Attacked Entity Geography:

Mon, 23 Aug 2010 13:08:55 -0400

Date Occured: January 1, 2009 - August 23, 2010
Reference:

WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages

Wed, 16 Jun 2010 19:37:41 -0400

Entry Title: WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages
WHID ID: 2005-28
Outcome: Phishing
Incident Description:

Additional information:

Phishers Steal Trust from eBay Sign In Pages [Netcraft, Jul 29 2005]

Mon, 23 Aug 2010 13:08:04 -0400

Reference:

WHID 2002-3: Reuters accused of hacking

Wed, 16 Jun 2010 20:40:29 -0400

Entry Title: WHID 2002-3: Reuters accused of hacking
WHID ID: 2002-3
Outcome: Leakage of Information
Incident Description:

A company put its earnings report on site before its official release, but did not linked to it. Reuters found the document and published it.

Additional information:

Reuters accused of hacking [Cnet, Nov 29 2002]

WHID 2005-4: An Israeli debate site vulnerable to XSS

Wed, 16 Jun 2010 20:09:00 -0400

Entry Title: WHID 2005-4: An Israeli debate site vulnerable to XSS
WHID ID: 2005-4
Outcome: Disclosure Only
Incident Description:

An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.

Additional information:

Identity theft in Hyde Park [nrg.co.il, Feb 16 2005]

WHID 2005-49: Google Base launched with security hole

Wed, 16 Jun 2010 19:06:41 -0400

Entry Title: WHID 2005-49: Google Base launched with security hole
WHID ID: 2005-49
Date Occured: February 28, 2006
Outcome: Disclosure Only
Incident Description:

XSS in Google Base search function

Additional information:

Google Base launched with security hole [PC World, Nov 21 2005]

More Google security failures [Jibbering.com, Nov 16 2005]

WHID 2005-50: XSS on Yahoo Mail

Wed, 16 Jun 2010 19:05:49 -0400

Entry Title: WHID 2005-50: XSS on Yahoo Mail
WHID ID: 2005-50
Date Occured: February 28, 2006
Outcome: Disclosure Only
Incident Description:

Inserting code in an HTML attachments enables changing the user interface of Yahoo mail, which may enable fraud.

Additional information:

XSS on Yahoo Mail [Bugtraq, Nov 23 2005]

XSS on Yahoo Mail [Bugtraq, Nov 23 2005]