Someone by the name of Andri Cyber4rt attempted to hack our online billing system this morning at cloudpockets.com. They were unsuccessful, but it cost us two hours of assessment, troubleshooting, and changing passwords to our critical systems. We are putting this information up to show you want a hack looks like and the steps we took to work through it.
At about 3am I received the following troubling email. Our billing system notifies us for any changes that occur, normally mundane changes to people’s addresses or phone numbers or email addresses. We get lots of emails, most of which are nothing serious, but without notifications turned on we would not have been aware of this cyber4rt hack attempt.
Client ID: 242 – go Team has requested to change his/her details as indicated below:
First Name: ‘go’ to ‘Andri’
Last Name: ‘Team’ to ‘Cyber4rt’
Company Name: ‘ testing ‘ to ‘ DMASTERPIECE ‘
Address 1: ‘dm’ to ‘AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)’
Address 2: ‘dm’ to ‘AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)’
Postcode: ‘404403’ to ‘dm’
Default Payment Method: ” to ”
If you are unhappy with any of the changes, you need to login and revert them – this is the only record of the old details.
This change request was submitted from spo-rbr3.dizinc.com (126.96.36.199)
The part to notice is the Address 1 and 2. Those are obviously not addresses. In fact they are SQL statements and are basicly asking; “select all usernames and passwords from “tbladmins” and show me them”. Cyber4rt is trying to get full access to our system.
Steps To Mitigation
The first thing we did was change the administrator password to the billing system, and all other access passwords.
We then changed passwords on all the systems that our billing system talks to, and started research on this hacking attempt.
We also ran full antivirus/antimalware scans on our computers.
Lessons to Learn
- Keep your software up-to-date. If our billing software was more than a year old this hacking attempt might have been successful. Most software updates these days are security updates. Make sure you apply them.
- Turn on notifications. If you don’t get notifications you can’t catch anomalies. I personally get about 250 emails a day from various systems. It’s your way to keep your finger on the heartbeat of your systems. It’s also your way to monitor after something like this to make sure nothing else is happening.
- Document your systems. Know where to go quickly to change the passwords for critical systems. During a hacking attempt is not the time you want to be trying to find the login page for your partner systems.
- Keep calm, follow the steps. Write down the steps to follow for a security breach. When adrenaline kicks in you may not be thinking clearly and remember all the details.
- Stay vigilant. Make sure you are on alert, watching for any signs of a compromise for a good period of time after a hacking attempt. The sooner you catch something the better.
- Change passwords frequently. Changing passwords is a pain, but for your critical systems it must be done. We will be changing ours more frequently now.
We were fortunate, this Andri Cyber4rt hacker got nothing. Many companies larger than us have been hit with major hacking and infiltration, having customer records have been stolen and have created huge problems both internally and from the customer perspective. We’re grateful this hack was not successful, for ourselves and our customers.
What about you? Have you ever been hacked? Was this article helpful?