I’m just sitting here contemplating the past 24 hours events. I’m feeling very uneasy about the recent attack on MyBB.com. Apparently the registrar and host of MyBB.com was socially engineered into changing information. Whois information and DNS was changed so the domain redirected to the criminals site. They personally named me as part of the reason for the attack. It’s that last part that I feel mostly uneasy about.
I’ve enjoyed using MyBB on all my forums for years. I’ve donated to the MyBB project and even assisted with acquiring the MyBB domain name. Of course I also run MyBBCentral.com which is my own MyBB support site for my plugin releases. So I feel a kinship with the project. In some ways their fate and mine are tied together. So when I learned that MyBB.com was stolen my heart sank a bit. And when I learned that I was personally named as the reason…well I just felt very sad that a project I loved was effected because of me.
MyBB.com is still offline but a holder page is up and Chris B. the founder claims to have it all back and he’s running a full security audit. That’s good news.
The penetration was a simple one. Call up customer service, ramble off some fake info, and maybe even provide a fax/email with a fake ID. Then get them to change something important like email contact and bingo…you’re in. From there you can start getting into the server control panel or the registrar with PW resets and take it all over. No real hacking or computer skills. Just plain old fraud and lying. The attackers claimed to have obtained a dump of the database. Chris of MyBB states they never gained actual server access. I don’t see the benefit of a dump for them since MyBB doesn’t take CC payments and it’s basically just a free open source project. So I have to assume this was all just to get some attention as they won’t really profit from this fiasco.
Recently this same group had done the same thing against WHMCS and released a large customer database. They also have recovered fully but the scar left from the attack will probably not heal for some time. Interesting to note that I personally have zero affiliation with WHMCS. I don’t use it at all. I’m sure some empty reason was given by the criminals for the attack. I have yet to see one but I’m sure it’s around somewhere. The criminal was arrested and questioned. If we’re lucky he’ll get prosecuted to the fullest extent of the law.
What’s been done by this group is not elite. It’s not fantastic. It’s simple fraud meant to damage innocent and legitimate companies. And the group are not hacktivists either. They have no real mission beyond their personal exploits and recognition. There is no noble cause they are striving for. Their whole anti-SOPA rhetoric is obviously mush since MyBB.com was also against SOPA. They are not hacktivists. They are cyber-terrorists. Their symbolism of Hitler is evidence of that. They will do whatever they can to get noticed.
Unfortunately for them they’ve been noticed by the FBI. Already one member was arrested and questioned which means more are sure to follow. We can only hope the end of their terrorism is over but I have a bad feeling it’s not and that other targets are being viewed by them. I have no doubt that eventually they’ll be prosecuted but will others recognize them as criminals or heroes? I’m fearful people will be inspired by these actions when they should instead be ashamed.
So what good can come from all this? Where is that silver lining? I’m not seeing it. I would hope more companies take more precautions when it comes to their customer service in phone calls but I don’t see that happening soon. Seems to me that the questions they ask to verify identity are always generic info that at this point almost anyone can obtain. Like your last 4 of your SS or your address. Online you often have security questions and answers but offline when you make a call they don’t ask you these. User data should never be changed by customer service without strong verification of identity. More so than just a few questions on the phone. I’m hoping that in 3-5 years offline security is taken more seriously. If there is a silver lining in any of this it’s that what this group has done is only going to be the beginning of havoc we can potentially witness.
No matter what measures you’ve taken to be secured online you can’t overcome the policies and stupidity of a company’s customer service. Is that the lesson they want us to learn?