Only a week after breaching the Washington Military Department’s website (mi.wa.gov), the Underground Nazi Hacktivist Group (UGNazi) has hit WHMCS, a provider of online billing services. According to Forbes, the hacktivists were able to swipe and leak more than half a million customer records by impersonating staff and duping the web host into giving them WHMCS account access details. The leaked records included both user credit card information and passwords. The hackers then deleted all the files on the company’s servers post-attack. The group’s reason for the hit? They claimed there were websites that were using WHMCS for scams.
In addition to UGNazi’s hack, WHMCS was also hit with a distributed denial-of-service (DDoS) attack by an outside source. The Underground Nazi Hacktivist Group is known for launching such attacks on United States government sites, like their April hit on the CIA and the Department of Justice in protest of the Cyber Intelligence Sharing and Protection Act (CISPA). It is unclear whether the DDoS committed against WHMCS was the work of UGNazi.
Via InfoWorld, Matt Pugh, the lead developer at WHMCS, tries to assure readers that the recent hack wasn’t the result of a lapse in security on the server or the billing service’s part, but rather due to weak hosting infrastructure at HostGator.
An IT Lesson
Though they may not feel like they are susceptible to a hacktivist attack, IT pros at midsize businesses can still learn from the WHMCS debacle. While the billing company had encrypted customer credentials and stored passwords in hash format, apparently the encryption wasn’t Payment Card Industry (PCI) compliant. All businesses, no matter what the size, that process or transmit credit card information are required to be PCI compliant. According to the PCI FAQ page, an SSL certificate isn’t enough to keep customers’ cardholder data safe. PCI-compliant businesses are given a network scan to see if their operating systems and service providers have any vulnerabilities that could be exploited by hackers. If your business deals with credit card information and isn’t PCI compliant, it’s time to become so.
The hack also demonstrates the importance of having a strong web hosting infrastructure. Companies that can’t host their own sites need to make sure that whatever third-party hosting site they choose has excellent service and support. No doubt, no IT pro in the know will be running to HostGator anytime soon. Although the web hosting site has been previously touted, this latest attack may make enterprises think twice about working with them.
That said, those IT pros who’ve chosen to host their own sites need to really make sure they have the security chops to keep data safe from backdoor hacks and DDoS attacks that could cripple their servers.