New-style ransomware locks out your customers - demands money to let them log back in

Status
Not open for further replies.

Jack (Administrator, Thread author, Verified, Staff Member, Well-known), joined Jan 24, 2011, 9,377 posts
A boutique Swiss security outfit recently wrote about a sneaky new sort of ransomware.

It's an intriguing story.

The crooks, it seems, decided to take it out on company X by means of extortion: encrypt customer data, and then offer the decryption key for a price.

There are several unsubtle ways to do this, such as:

  • Hack into the network, shut down the network facing part of the webservers, scramble everything you can find, and make your demand.
  • Compromise the webservers with an exploit kit, foist ransomware on everyone who logs in, and extort money piecemeal from every customer.
  • Foist ransomware on everyone who logs in, and tell them to get the company to pay.
And so on: you can probably think of your own ways in which crooks could attack (and thinking of them is not some kind of "security sin" – understanding your enemy helps you predict and prevent possible problems).

In this case, however, the crooks took a surprisingly low-key, annoyingly simple, and hard-to-spot approach.

Take over the login database
X was using phpBB for its online customer forum.

So the crooks broke in and hacked the PHP code that dealt with the user database.

Basically, the database engine itself was slightly modified so that user login data was scrambled with a key held by the crooks when it was saved, but quietly decrypted when it was read out.

On the surface, everything was hunky-dory, but the raw data underneath was shredded cabbage.

The key was never actually stored on the hacked server, but was instead fetched into memory at startup time from a dodgy remote server operated by the crooks:

[Image: php-500.png]

Come the day, apparently after about two months, and the crooks removed the decryption key from their dodgy server.

So, even though the vast majority of the forum data was intact, and accessible, and archivable, and online...

...customers couldn't log in, because their usernames had suddenly changed from JIMMY to FKOVWH3Z7LUV.

Worse, of course, their password hashes were scrambled too.

So who knows what password could possibly produce the required hash and unlock each account?

So customers started calling up to say, "We can't log in."

Read more: https://nakedsecurity.sophos.com/20...tomers-demands-money-to-let-them-log-back-in/
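The scheme described above only works because the application layer decrypts rows on the way out, so any check that goes through the forum code sees clean data. A check that would have caught it has to look at the raw storage (a database dump, or a direct query from a separate DBA account) and ask whether the rows look like something phpBB itself would have written. The following is an added example, not code from the Sophos article, the forum post, or the phpBB project. It assumes that a healthy phpBB install stores password fields beginning with `$2y$`/`$2a$` (bcrypt), `$H$`/`$P$` (phpass) or `$argon2i$`/`$argon2id$`, or as a legacy 32-hex MD5, and that `username_clean` is the lowercased form of `username`; the table rows, hash bodies and dates are constructed.

```python
import re

# Hash formats a healthy phpBB install writes (assumption: phpBB 3.x defaults
# plus legacy formats kept for migrated accounts).
KNOWN_HASH_PREFIXES = ("$2y$", "$2a$", "$H$", "$P$", "$argon2i$", "$argon2id$")
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")


def looks_like_phpbb_hash(value: str) -> bool:
    """True if the stored password field is in a format phpBB would have written."""
    return value.startswith(KNOWN_HASH_PREFIXES) or LEGACY_MD5.fullmatch(value) is not None


def audit_row(row: dict) -> list[str]:
    """Return the reasons this raw row does not look application-written (empty if clean)."""
    findings = []
    if not looks_like_phpbb_hash(row["user_password"]):
        findings.append("user_password is not in any phpBB hash format")
    # phpBB derives username_clean from username by lowercasing/normalising it
    # (assumption); a cipher applied to each column separately breaks that link.
    if row["username_clean"] != row["username"].lower():
        findings.append("username_clean is not derived from username")
    return findings


def audit_users(rows: list[dict], alert_ratio: float = 0.02) -> dict:
    """Audit raw phpbb_users rows read from a dump or a direct SELECT.

    Returns the flagged rows, the fraction of rows affected, an alert flag, and
    the earliest registration date among flagged rows, which is a rough hint at
    when scrambling began on the assumption that a row's login data is written
    at registration and rarely rewritten afterwards.
    """
    flagged = {}
    for row in rows:
        findings = audit_row(row)
        if findings:
            flagged[row["user_id"]] = findings
    ratio = len(flagged) / len(rows) if rows else 0.0
    first_bad = min((r["user_regdate"] for r in rows if r["user_id"] in flagged), default=None)
    return {"flagged": flagged, "ratio": ratio, "alert": ratio >= alert_ratio,
            "first_bad_regdate": first_bad}


# Constructed sample rows: two healthy accounts, then two that were written
# through a scrambling hook like the one in the article.
SAMPLE_ROWS = [
    {"user_id": 2, "username": "jimmy", "username_clean": "jimmy",
     "user_password": "$2y$10$" + "x" * 53,          # placeholder bcrypt body
     "user_regdate": 1325376000},
    {"user_id": 3, "username": "Alice", "username_clean": "alice",
     "user_password": "$H$9" + "y" * 30,             # placeholder phpass body
     "user_regdate": 1330000000},
    {"user_id": 4, "username": "FKOVWH3Z7LUV", "username_clean": "7k2pq9vwm3xz",
     "user_password": "Q2JFX8WD0NRA3T5LKBY7E1VZHGS4MUC6",
     "user_regdate": 1380672000},
    {"user_id": 5, "username": "carol", "username_clean": "carol",
     "user_password": "8Z1PM4K2XW9VJ5T0RQ",
     "user_regdate": 1381000000},
]

if __name__ == "__main__":
    report = audit_users(SAMPLE_ROWS)
    for uid, reasons in report["flagged"].items():
        print(f"user_id {uid}: " + "; ".join(reasons))
    print(f"{report['ratio']:.0%} of rows flagged, alert={report['alert']}, "
          f"first flagged regdate={report['first_bad_regdate']}")
```

Two caveats follow from how the hook works. A dump taken with the hook in place contains the scrambled rows, so database backups made after the compromise are as useless as the live table without the key; only backups from before the hook, or a clean export taken after the PHP tree has been verified, are worth keeping. And since the key is fetched from a remote server when the forum starts, file-integrity monitoring of the phpBB code (the database abstraction layer in particular) and an alert on unexpected outbound connections from the web server at startup address the hook itself rather than its symptoms.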