People of all ages look forward to Christmas. Children dream of the gifts they’ll receive on Christmas Day, and those of us who are older savor the thought of spending the holidays in joyous company with friends and family. It is no wonder we have written a song praising Christmas as the most wonderful time of year.
Unfortunately, cyber criminals feel the same way about the holidays. They exploit online shoppers’ longing for a good sale by slamming them with phishing scams laden with “special offers.” And with many retailers entering a holiday security “freeze,” in which popular shopping chains hold off on all but most critical of security updates until January, hackers have a strong incentive to try and breach these companies and make off with millions of customers’ credit card information.
Acknowledging the popularity of Christmas among cyber criminals, we’ve created a three-part series revealing some of the most devastating Christmas hacks that have occurred over the past couple of years. We call this new series “The 12 Hacks of Christmas.”
Hack #1: RockYou Breach (2009)
In December 2009, a hacker penetrated RockYou, a company which develops games and advertisements for social media sites.
The hacker, then operating under the alias of “igigi,” succeeded in stealing the account credentials for all 32.6 million users of the site. All of the information had been stored in clear text, meaning that neither account holders’ usernames nor passwords had been encrypted.
RockYou’s databases were infiltrated as a result of an SQL injection vulnerability, one of the most common security vulnerabilities with respect to web applications today.
Following the breach, the security firm Imperva analyzed the stolen information, portions of which were published online by the hacker. The study revealed that 40 percent of account holders had used a password consisting only of lowercase letters, 30 percent had chosen a password less than six characters in length, and nearly one in 100 had set their password to “123456.”
Hack #2: Fake White House Christmas E-mail (2010)
Two days before Christmas in 2010, attackers sent out an email that spoofed “seasons greetings” from The White House to a number of government employees and contractors.
The text of the email was published on Brian Krebs’ website. It read:
“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”
The card then prompted users to click on a link, which downloaded a variant of ZeuS malware.
A control server allegedly based in Belarus manually sent out the email to a small number of recipients, which made the attack undetectable by security traps and sensors.
Ultimately, more than 2GB of government documents were stolen in the attack. However, no classified documents were compromised.
Hack #3: NBC Christmas Tree Trojan (2011)
In September 2011, the Script Kiddies, a hacker group well-known for its attacks against prominent companies, including Wal-Mart and USA Today, succeeded in hacking the Twitter account for NBC News, which it used to falsely report a terrorist attack against the Ground Zero site in New York City.
It is believed the hack began when Ryan Osborn, the social media director for NBC, received a strange email from an unknown source urging him to get off Twitter and protect his family during Hurricane Irene. A subsequent email came with an innocent enough attachment: an image of a Christmas tree. However, that file likely installed a keylogger onto Osborn’s computer.
Using his stolen credentials, the hackers posted a series of tweets on NBC News’ Twitter account about a terrorist attack against Ground Zero.
Osborn quickly detected the fake Tweets and had Twitter deactivate the account. NBC then contacted the FBI to investigate the incident.
Hack #4: HostNOC Hack (2011)
Beginning around December 5, 2011, many people began to notice a large number of hacking attempts originating from HostNOC’s IP ranges.
Much of the attacks consisted of SQL injections that targeted both Joomla 1.0 and Joomla 1.5+ components and databases. However, there were also Remote File Inclusion (RFI) attacks, which allow a hacker to load a remote file via the use of a script on a web server.
At the time, there was little known about HostNOC, including what services it offered or even if the company had any contact information.
But some in the industry had already encountered HostNOC. Mikko Hypponen, the Chief Research Officer at security firm F-Secure, first encountered it when it launched a DDoS attack against F-Secure back in 2007. Subsequent analysis of the domain revealed botnet C&C servers, DNS changers, ZeuS servers and a variety of other malicious tools.
In this case, HostNOC stated that there was little that they could do and appeared unwilling to take the actions needed to put a stop to the attacks. It should come as no surprise that this same company went out of business only a couple of years later.
Security Solutions To The Rescue
Tyler Reguly,Manger of Security Research and Development of Tripwire, explains that some of these incidents could have been mitigated with the help of various information security tools:
“Tripwire IP360 ships with an add-on feature named WebApp360, which provides generic web application vulnerability scanning for issues like Cross Site Scripting (XSS) and SQL Injection (SQLi),” said Reguly. “In addition, WebApp360 provides detection for out-dated versions of web applications like WordPress and Joomla and the vulnerabilities they contain.”
Tyler also observes that Tripwire’s File Integrity Monitoring (FIM), could have notified victims of the breaches as they occurred and identified the systems where new files were created and other files were modified.
“With the rise of VPS hosting solutions, it has become much easier for attackers to spool up platforms from which to launch their attacks,” notes Tyler. “They can also quickly cycle through multiple environments across multiple accounts at multiple service providers.”
More Holiday Incidents to Come
If properly deployed, both Tripwire IP360 and Tripwire FIM could have fended off the HostNOC hacks. That is because both solutions offer strong network protection, a level of security which is especially invaluable around the holidays, as Tyler argues: “Instead of waking up to a lump of coal in your stocking, do yourself a favor and make sure that your network is protected. After all, what better Christmas present is there than peace of mind?”
Unfortunately, the security incidents described above are not the only Christmas hacks to have ever occurred. In Parts II and III of our series, we look at some “naughtier” attacks that have occurred in recent years.
Back by popular demand…
Hey, InfoSec Pros! We’re giving away dozens of these awesome ‘Breaching Bad’ T-shirts to some lucky Twitter followers. Make sure to follow us @TripwireInc and RT to be entered for a chance to win! Contest ends Dec. 18, 2014. Click here for Terms & Conditions.