Crowdfunding Website has 15 GB of Donation Records Compromised

This week, we hear about the hack of crowdfunding site Patreon and the discovery of a large scale Japanese malvertising campaign.

Breach

Patreon Crowdfunding Website Hack Compromises 15 GB of Donation Records

Patreon, a San Francisco-based crowdfunding company that connects artists with funders, experienced a breach on September 28, 2015. The breach exposed approximately 15 gigabytes of data associated with more than two million donors. According to CEO Jack Conte, no credit card data was compromised, but tax IDs and social security numbers were. Although the breach exposed millions of user accounts, Patreon stores passwords as bcrypt hashes rather than in a recoverable form, which protects the users' password details from direct disclosure.

According to open-source reporting, the breach most likely resulted from an SQL injection vulnerability in a debug version of the application that had been exposed to the public through human error.

The case demonstrates a key factor for all businesses—human error still prevails as a predominant cause of breaches like Patreon’s. Even with a highly advanced intrusion detection system, managed services and 24x7 security monitoring, it takes only a simple technical oversight to expose a business to potential legal, financial and public relations headaches.

References: Patreon Hacked, Gigabytes of Data and Code Leaked | Hacked Patreon Data Spills Out Onto the Web | The Patreon Hack: 14 Gigabytes of Trolling

Mitigation Strategies:

  • Always review the basics of third-party software’s technical documentation to ensure that your company does not expose itself
  • Analyze network traffic to detect data exfiltration
  • Provide 24x7 security monitoring for anomaly detection
  • Use log management to detect suspicious user account activity
  • Use log management to capture the attacker’s external IP information, provided the logs are configured to record it

Malware

Japanese Sites Hit by Large Malvertising Campaign

Nearly 500,000 users have been exposed in a malvertising campaign targeting users in Japan. The hackers copied banners from legitimate ads, making them indistinguishable from real ones. The malicious ads appeared on sites that were tailored to Japanese users, like Japanese-language news sites and blogs. The ads appeared on approximately 3,000 websites in three separate instances of attacks, reaching peaks on September 7, September 13, and September 23. 

The malicious ads delivered the Angler Exploit Kit (AEK), exploiting Internet Explorer vulnerability CVE-2015-2419 and Adobe Flash Vulnerability CVE-2015-5560. Both vulnerabilities were patched this summer. The attack payload was an info stealer Trojan known as TSPY_ROVNIX.YPOB (aka Rovnix).  

A well-planned attack is always hard to detect; ensuring that browsers and third-party software are up to date is key to mitigating potential compromise.

Reference:  'Malvertising' on the rise as cybercriminals use Internet ads to infect computers

Mitigation Strategies:

Top 20 IP Addresses
