For the second time in as many years, hackers have compromised Verticalscope.com, a Canadian company that manages hundreds of popular Web discussion forums totaling more than 45 million user accounts. Evidence of the breach was discovered just before someone began using that illicit access as a commercial for a new paid search service that indexes consumer information exposed in corporate data breaches.
Toronto-based Verticalscope runs a network of sites that cater to automotive, pets, sports and technology markets. Verticalscope acknowledged in June 2016 that a hacking incident led to the siphoning of 45 million user accounts. Now, it appears the company may have been hit again, this time in a breach involving at least 2.7 million user accounts.
On Thursday, KrebsOnSecurity was contacted by Alex Holden, a security researcher and founder of Hold Security. Holden saw evidence of hackers selling access to Verticalscope.com and to a host of other sites operated by the company.
Holden said at first he suspected someone was merely trying to resell data stolen in the 2016 breach. But that was before he contacted one of the hackers selling the data and was given screen shots indicating that Verticalscope.com and several other properties were in fact compromised with a backdoor known as a “Web shell.”
A backdoor “Web shell” discovered on Verticalscope.com this week.
With a Web shell installed on a site, anyone can remotely administer the site, upload and delete content at will, or dump entire databases of information — such as usernames, passwords, email addresses and Internet addresses associated with each account.
Holden said the intruders obfuscated certain details in the screenshots that gave away exactly where the Web shells were hidden on Verticalscope.com, but that they forgot to blur out a few critical details — allowing him to locate at least two backdoors on Veriticalscope’s Web site. He also was able to do the same with a second screen shot the hackers shared which showed a similar backdoor shell on Toyotanation.com, one of Verticalscope’s most-visited forums.
Reached for comment about the claims, Verticalscope said the company had detected an intrusion on six of its Web sites, including Toyotanation.com.
“The intrusion granted access to each individual website files,” reads a statement shared by Verticalscope. “Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access.”
Verticalscope said the other forums impacted included Jeepforum.com — the company’s second most-popular site; and watchuseek.com, a forum for wristwatch enthusiasts.
Verticalscope admitted a breach in 2016 after their forum users’ data was outed in a blog post on Leakedsource.com, a now-defunct service that sold access to username and password details stolen in some of history’s largest data breaches.
An Internet search on one of the compromised Verticalscope domains leads to a series of now-deleted Pastebin posts suggesting that the individual(s) responsible for this hack may be trying to use it to advertise a legally dicey new online service called LuiDB.
Similar to Leakedsource, LuiDB allows registered users to search for account details associated with any data element compromised in a breach — such as login, password, email, first/last name and Internet address. The first search is free, but viewing results requires purchasing a subscription for between $5 and $400 in Bitcoin.
The various subscription packages sold by LuiDB, payable in Bitcoin.
People who re-use passwords across multiple Web sites tend to be those hardest-hit by these breaches, and by these dodgy password lookup services. It may not seem like a big deal if someone chooses to re-use the same password across a range of sites that don’t ask for or store your personal data, such as discussion forums. The problem is that this encourages poor password habits, and for many folks this eventually results in using that forum password at more important sites that do store sensitive data.
In practice, there’s no reason people should ever re-use the same password. Password managers can help users pick and remember unique, strong passwords for all sites that require a login; all the user needs to do is remember a single “master password” to unlock all the others. Old schoolers like Yours Truly tend to stick to local password managers like Keepass (or even PwdSafe), although many folks I admire in the security industry rely heavily on cloud-based password managers like LastPass and Dashlane.
While few online discussion forums offer two-factor or multi-factor authentication (requiring you to log in using a password and a one-time code, e.g.), a great many services do offer this very effective security measure. Check out twofactorauth.org to see if there are online services you use that could be furthered hardened by turning on two-factor authentication.
Source: KREBS ON SECURITY
Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”
The Work Number, Equifax’s salary and employment history portal.
At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.
What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employees’s Social Security number (or a portion of it).
At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.
Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.
In a story in the financial industry publication National Mortgage News, Equifax said: “As access to the employee portal is restored, individuals must be re-authenticated and establish a unique PIN. Therefore, the data exposed in the cyber incident will not be sufficient to access The Work Number.”
The publication said Equifax declined to answer questions about whether the timing of the portal maintenance or the decision to add new security features were in response to the original Oct. 8 report here, quoting an Equifax spokesman saying the company opted to move up and expand a planned service outage.
“At that time, we also decided to accelerate the implementation of select security enhancements to our platforms which extended the service outage timeframe,” the spokesman said.
I walked through the newer, allegedly more secure portal with a friend and source who worked at a major firm that used The Work Number at some point previously, and at first we couldn’t figure out how to enter his default PIN. A quick search for his employer’s name and “The Work Number” turned up a PDF with instructions stating that the PIN consisted of the last two digits of the employee’s birth year, and the fourth and fifth digit of their SSN.
Part of the new and improved security at The Work Number.
After passing that screen, the only “security enhancements” I saw that my source encountered was a prompt to enter his full name, date of birth, Social Security number, address, phone number and email, followed by the usual retinue of four multiple-guess “knowledge-based authentication” (KBA) questions. I’ve long been a critic of these KBA questions, because the answers usually are available using sites like Zillow and Spokeo, to say nothing of social networking profiles.
Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can glean your salary history by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.
I used to think that if you had a security freeze on your credit file at a credit bureau that the bureau would then be unable to ask these KBA questions. I’ve recently worked with several sources who had freezes on their files and yet were still asked these KBA questions. Those individuals may not have all been approved to continue whatever transaction was in progress after answering those questions, but in most cases it shocks folks who have freezes when they even get asked those KBA questions.
However, it seems that each of the cases I’ve seen in which the person had a freeze on their credit file, the applicant was asked only non-financial questions. In other words, they were given questions that one did not necessarily need access to one’s credit card or mortgage statements to answer successfully — such as the names of previous streets resided on or the names of lenders used in the past.
What’s interesting is that these types of questions tend to be easier to answer than, say, ‘What was the amount of your most recent car loan payment?’ That suggests that ID thieves could find people with credit freezes an easier target of services like this one because they face far easier KBA questions after they provide all of the target’s static information (DOB, SSN, etc).
If that sounds ironic or sad, remember that we’re talking about a company whose breach more severely impacted consumers who paid Equifax whatever fees the company is allowed to charge under state laws to freeze the consumer’s credit file.
We all sort of assumed this was the case when Equifax initially disclosed on Sept. 7 that the breach resulted in the theft of SSNs and other data on 143+million people, as well as some 209,000 credit and debit card numbers. But in written notifications recently mailed to victims of the breach, Equifax made it crystal clear that their credit card data was stolen because they once used it at Equifax to request a credit freeze or copy of their credit report.
Part of the notice Equifax mailed this week to a U.S. breach victim.
Does your current or former employer share your salary data with Equifax? If so, were you able to access your salary history via The Work Number site? Sound off in the comments below about any “security enhancements” you encountered along the way.
If you’re still unsure what you should be doing in the wake of the breach at Equifax, see this Q&A.
Source: KREBS ON SECURITY