2

We have a small business website that has been compromised. They are somehow getting customers order details and contacting them requesting their credit card details. We have had our web team and a third party IT company looking into it and we can't find out where the breach is.

There seems to be no suspicious access on the database, and none of the website code seems to have been altered.

There are also no new admin users and no unexpected logins from existing user profiles in the logs. We have changed all passwords we can think of but they still seem to be able to get the order details. This guy had the same problem back in April (exactly the same, even the same name used Lucy Whetton) but he hasn't posted what the solution was.

Email phishing scam asking customers for card details

Does anyone have any ideas?

By the way, we have and are contacting all customers immediately to tell them not to respond to these phishing emails.

PeteS
  • 21
  • 2
  • 1
    First off how do you know the emails are actually sent by your server ? Anyone can pretend to be sending from "admin@yourserver.com", that doesn't mean the mail actually came from there. – André Borie Aug 28 '15 at 19:19
  • 1
    In the example you provide, the phisher doesn't provide any order details. Is there any information contained in the phishing emails you are seeing that "authenticates" the email, such as order details? How does your stack collect order details, and what touchpoints does it have to any external systems? Does order information ever get emailed to anyone? Do you use any third party email marketing services? – Jesse K Aug 28 '15 at 19:28
  • Have you looked at your email server? You mention the db and the website, but all the details one would need would be found in emails. – schroeder Aug 28 '15 at 19:39
  • 1
    the phishing emails aren't being sent from our server, they are being sent from a gmail account that we don't own (set up by the hacker). The subject line of the email that is sent contains the order number and they reference each customer by name. The phishing email is sent to the customer about 1-2 hours after the order is placed. – PeteS Aug 28 '15 at 20:10
  • Sorry, forgot to mention the standard website notification emails are sent through Amazon SES and we have checked the sending logs but can't see anything suspicious there. It doesn't look like they have placed code to email themselves the order details. – PeteS Aug 28 '15 at 20:12
  • You had guys look at it which had all the (few) details you provide here and had also access to the code of your site and to the log files, which we don't have. How could we do better than them with having much less information? There is obviously an information leak somewhere but all we could do are wild guesses and therefore I propose to close the question because it is too broad. – Steffen Ullrich Aug 28 '15 at 20:42
  • @PeteS If someone gained access to your email server, they wouldn't need to send from that server, merely to see what was sent. You'd have to look at logins to the email server, not the sending logs. – schroeder Aug 28 '15 at 23:11
  • Can you prove that they have access to *all* your order details / emails, or just a subset? – Nic Barker Aug 29 '15 at 02:53
  • 1
    @SteffenUllrich Thank you for your constructive comment, very helpful! As mentioned in my question, another user had EXACTLY the same hack, even down to the name used to sign the phishing emails. Therefore I was asking in the hope that perhaps one of you experts on stack exchange might have encountered this before and could tell me how they did it in your experience, this could help me narrow down where the breach is. Just because you don't know the answer, doesn't mean the question is bad!! – PeteS Aug 29 '15 at 21:49
  • "There seems to be no suspicious access on the database" -> how did you verify it? – Nicola Miotto Aug 30 '15 at 07:48

3 Answers3

2

If you can't find the entry point of the hackers, and a "third party IT company" can't find it either, consider hiring a professional security firm to investigate the attack.

This is not an appropriate forum for product or company recommendations, so please don't ask specifically "who" to hire.

I have found that people who present at security conferences often work for reputable security firms, so you could start your searches there. Many places have regional conferences which might be better suited to offer you local assistance; there are national conferences, and even international conferences, all of which would provide access to many professionals.

Another approach is to contact your local law enforcement. While they likely won't have the resources or ability to investigate the hack directly, they may put you in contact with a national law enforcement agency who might have more resources; they might also offer the names of reputable security investigators you could hire.

John Deters
  • 33,897
  • 3
  • 58
  • 112
  • Isn't this going a bit over the top when the most probable story is probably already known now? February the editor posts [an alarming message](https://blog.x-cart.com/5-1-11-released.html) requiring all users to update their software, begin of April the issue is published on the [CVE database](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0951) (although with no technical details), mid-april [another SE user](http://security.stackexchange.com/questions/85999/email-phishing-scam-asking-customers-for-card-details) claims to be victim of the same issue... – WhiteWinterWolf Aug 29 '15 at 10:42
  • @WhiteWinterWolf, that's why I started the answer with "If you can't find the entry point of the hackers..." , which is what the original question asked about. – John Deters Aug 31 '15 at 18:55
2

What troubles me is that you mention there was another user affected by an attacker using the very same name "Lucy Whetton".

Are you by any chance using some standard well-known eCommerce website solution (or a custom one relying on some common framework)? Have you applied the latest available updates?

My guess is that the group behind this pseudonym knows of a security flaw affecting the web application you are using, and is scanning the web to find websites still using a vulnerable version.

In case of doubt, if you already had the latest updates available applied, you should get in touch with the software editor.

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
  • Yes we are using a system called X-Cart and to be quite frank, it is an older version which did not have all of the patches applied. I'm 99.9% certain that's how they got in, and we are of course going to patch the site. The fact that the same name was used with the other user, made me think that maybe this was a common hack that someone out there had come across and could help me pinpoint how they are reading order details. If they are already in the system somewhere, applying patches won't help. As a last resort, we will simply rebuild the site on a fresh version (fully up-to-date!). – PeteS Aug 29 '15 at 09:56
  • 1
    Updating will most likely close the main door which would otherwise allowed them to come in again. Usually, when you see [such kind of announcement](https://blog.x-cart.com/5-1-11-released.html) from an editor company, this means that not updating will most likely bring you in hot water. However, you are true that there is still a possibility that, while having an access, they left a backdoor hidden somewhere else on your system. This lead you toward the next step of [How do I deal with a compromised server?](https://security.stackexchange.com/q/39231/32746). – WhiteWinterWolf Aug 29 '15 at 10:18
  • The website has now been fully patched. I still don't know if they are still inside somewhere but I guess I just have to wait and see. – PeteS Aug 29 '15 at 15:24
0

One of the things left to do would be too lookup for known security flaws on the XCart version you currently have. You mentioned that that is the e-commerce manager you are using and that you didn't update it to the latest version. Now, I am not sure which version you still use, but try to make a Google search to see if there are any disclosed exploits for it. By having a look myself I found, for instance, an SQL Injection vulnerability that could well be the cause of the problem. In those cases you wouldn't see new users, malicious code and so on, but simply "legitimate" SQL queries to you DB.

Nicola Miotto
  • 682
  • 6
  • 10
  • The exploit you are linking dates back from 2010. As stated in another comment (see below John Deters post), there is another flaw allowing "unauthorized disclosure of information" corrected by the editor in February, partially published in the beginning of April, and according to the search engines all reported "Lucy Whetton" phishing began in the middle of April. There is a very higher probability that the OP was victim of this one. – WhiteWinterWolf Aug 30 '15 at 08:12
  • I know it was old, I just wanted to provide an example. Moreover, the author of the question didn't provide any detail about the version in use. The answer was more about suggesting to perform a research on the currently disclosed vulnerabilities. In any case, the flaw published in April looks more likely to be the issue indeed. – Nicola Miotto Aug 30 '15 at 08:23