June 20, 2017
When a criminal hacker goes after a system, they tend to go after the softest targets available, like schools or small businesses. Sometimes it is just for fun and sometimes it is to steal someone’s information. Other times they will lock the system and ransom it back to the rightful owner for a price. It’s called ransomware, and it’s becoming far too common.
One instance happened in November 2016 to the San Francisco Municipal Transportation Agency (SFMTA). A hacker locked all of the screens of the fare terminals and demanded 100 Bitcoins (about $73,000), or all of their data would be lost. The agency lost potentially half a million dollars, as customers were able to ride the subway and light rail for free for the remainder of the day, so this was a financially devastating attack even before any ransom could be paid.
A security researcher decided to find out what they could about the person responsible. They were able to gain access to the email address provided in the ransom message by guessing the secret question, which allowed them to reset the password. It turned out that this email address was just a backup for the hacker’s main email address, so the researcher moved on to get into that one as well. It was easy, as the hacker had used the same secret question to protect it.
From the emails it was found that this was not the first time this person had tried this. The hacker had extorted another US business around the same time and was believed to be responsible for several more (the account was connected to yet another account linked to other ransomware attacks, which the researcher was not able to get into). The hacker constantly changed bitcoin wallets for security reasons, so they were conscious of their own security. Another piece of information was gleaned: the agency was not specifically targeted. The hacker was only exploiting a vulnerability in Oracle’s security system that had been discovered over a year earlier. Oracle had issued a patch in November 2015, and the criminal hacker just happened to find SFMTA, which had not installed the patch to fix the vulnerability. One other thing found in the email was information about the server used to launch the attack. The server address was in Iran, and the phone number attached to the account was a Russian number. The notes were in Farsi, the language used in Iran, and the name associated with the account, Ali Reza, is a common name in Iran, or that of a descendant of the Prophet Muhammad. While this will not lead to the arrest of those responsible, any information that can be gleaned is important.
So what did SFMTA do? Their IT team restored their systems from backup data and were back up and running the next morning. No ransom was paid, and hopefully they updated their systems. There are three things that we can take away from this. First, backing up your data properly and securely is not only good business sense; it can also save you a lot of money and hassle. Second, when a patch is issued to fix a security flaw, install it as soon as possible. Last, answering a secret question truthfully and reusing the same secret question across accounts can easily lead to any online account being hacked.