Mobile Phone Reseller Faces Data Breach

This week we hear about Carphone Warehouse's data breach and a looming threat to business travelers' computers while they are used on hotel networks.


Mobile Phone Reseller Faces Data Breach 

On August 8, 2015, Carphone Warehouse reported the possible compromise of customers' personal information as a result of a cyber attack that occurred on August 5. Initial reports indicate that personal information including names, addresses, email addresses, dates of birth and bank details of up to 2.4 million customers may have been accessed. Additionally, encrypted credit card data of up to 90,000 customers may have been compromised. Whether that encryption protects the cards depends on where the keys were held: if the attacker reached the systems that decrypt card data in normal operation, the encryption is of little value.

The part of the company affected operates three websites and also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile, and certain Carphone Warehouse customers.

At least one online media report suggests that the data theft took place during a DDoS attack, with the flood serving as cover for the intrusion. The three websites sit at a single IP address, which they share with approximately 70 other domain names. Though not confirmed, shared hosting of this kind is a plausible source of the exposure: a vulnerability in any one of the co-hosted applications, or in the host itself, can put the others within reach.

To limit the impact, customers have been advised by email and via the Carphone Warehouse website to change their passwords and monitor their financial accounts for suspicious activity. However, consumers have reported being unable to reach the affected websites to take those steps, because of account lockouts and the sites being unavailable.

References: Carphone Warehouse Website | Telegraph | BBC

Mitigation Strategies:

  • Intrusion Detection System (IDS) signatures that match the call-back (command-and-control) traffic observed from the malware involved.
  • A Security Operations Center team providing around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • NetFlow records, which can reveal unusually large outbound transfers and data leakage even while inbound DDoS traffic dominates the packet counts.
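The NetFlow point deserves a concrete illustration, because a DDoS generates a huge number of inbound flows and it is easy to lose a single large outbound transfer in that noise. The script below is an added example written for this page, not code from Carphone Warehouse or from any vendor; it parses constructed, NetFlow-like records (timestamp, source, destination, protocol, destination port, bytes), aggregates bytes by direction, and flags internal hosts that sent an unusually large volume to external addresses. The internal address ranges and the 100 MB threshold are assumptions chosen for the sample data; tune both to your own environment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not real data from the incident). Fields:
# timestamp src_ip dst_ip proto dst_port bytes
# The first four lines imitate DDoS noise: many small inbound flows to one host.
# The large outbound flows to 203.0.113.50 are the thing we want to surface.
SAMPLE_FLOWS = """\
2015-08-05T03:12:01 198.51.100.7 10.20.0.15 6 80 120
2015-08-05T03:12:01 198.51.100.8 10.20.0.15 6 80 120
2015-08-05T03:12:01 198.51.100.9 10.20.0.15 6 80 120
2015-08-05T03:12:02 198.51.100.10 10.20.0.15 17 53 64
2015-08-05T03:12:05 10.20.0.15 203.0.113.50 6 443 52000000
2015-08-05T03:12:09 10.20.0.16 10.20.0.5 6 3306 90000000
2015-08-05T03:12:11 10.20.0.15 203.0.113.9 6 443 2048
2015-08-05T03:13:05 10.20.0.15 203.0.113.50 6 443 61000000
"""

# Assumed internal ranges; replace with the ranges your site actually uses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_str):
    """True if the address falls in one of the internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": int(proto), "dport": int(dport), "bytes": int(nbytes)})
    return flows


def outbound_bytes(flows):
    """Total bytes per (internal src, external dst) pair; internal-to-internal
    and inbound flows are ignored so DDoS volume cannot mask the result."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def find_exfil_candidates(flows, threshold_bytes=100_000_000):
    """Return (src, dst, bytes) for pairs at or above the threshold, largest first."""
    totals = outbound_bytes(flows)
    hits = [(src, dst, n) for (src, dst), n in totals.items() if n >= threshold_bytes]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def inbound_flow_count(flows):
    """Number of external-to-internal flows, a rough measure of the DDoS noise."""
    return sum(1 for f in flows if not is_internal(f["src"]) and is_internal(f["dst"]))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("inbound flows (DDoS noise):", inbound_flow_count(flows))
    for src, dst, n in find_exfil_candidates(flows):
        print(f"possible exfiltration: {src} -> {dst} {n} bytes")
```

The key design choice is aggregating by direction before looking at volume: counting flows or bytes per host without that split would show the DDoS target as the busiest machine and hide that the same host was also the sender of more than 100 MB to a single external address in under two minutes. In production the records would come from a flow exporter rather than an inline string, and the threshold should be set relative to each host's normal outbound baseline.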


Darkhotel Group Leverages Hacking Team Exploit

Those who regularly use hotel and other free Wi-Fi networks should take note of current malicious activity in this area. The aptly named "Darkhotel" group recently took advantage of material made public by the "Hacking Team" compromise.

"Darkhotel" installs malware on business travelers' computers by compromising hotel Wi-Fi networks. The actor, believed to be Korean, has also used P2P torrents and highly customized spear phishing to deliver malware to victims. At the beginning of July, the group began exploiting a zero-day whose existence came to light following the breach suffered by the Italian spyware company "Hacking Team."

Recent campaigns use innocuous-looking email attachments: a .rar archive that in turn contains .scr and .jpg files. A .scr file is a Windows screensaver, which is an ordinary executable, so opening one runs code; these files look harmless but quietly install backdoor and downloader malware in the background. The group appears to be targeting new victims in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique, Germany, and in the United States within certain industry sectors.
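A mail gateway or analyst triaging such an attachment wants two checks on every archive member: does the name end in an executable extension (including a double extension such as photo.jpg.scr, which Windows Explorer shows as photo.jpg with its default of hiding known extensions), and do the file's first bytes match what the extension claims? The following is an added example written for this page, not Darkhotel tooling or any vendor's product. It runs on a listing of (member name, leading bytes) pairs, because reading .rar archives needs a third-party library; the listing here is constructed, and the extension and magic-byte tables are assumptions that cover the page's .scr and .jpg case plus a few common neighbours.

```python
# Extensions Windows will execute directly (assumed list; extend as needed).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl", ".dll"}

# Extensions a user would take for harmless documents or images.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}

# Leading bytes for the formats we can recognise (assumed, well-known values).
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG",
    "application/pdf": b"%PDF",
    "application/x-dosexec": b"MZ",   # Windows PE header starts with "MZ"
}

# Constructed archive listing: (member name, first bytes of the member).
SAMPLE_ARCHIVE = [
    ("invoice/photo1.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # genuine JPEG
    ("invoice/photo2.jpg.scr", b"MZ\x90\x00\x03\x00"),          # PE with double extension
    ("invoice/readme.scr", b"MZ\x90\x00\x03\x00"),              # plain .scr executable
    ("invoice/photo3.jpg", b"MZ\x90\x00\x03\x00"),              # PE renamed to .jpg
]


def sniff(head):
    """Return the detected content type from the leading bytes, or 'unknown'."""
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def split_extensions(name):
    """All dotted suffixes of the basename, lower-cased: 'a/b.jpg.scr' -> ['.jpg', '.scr']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_member(name, head):
    """Return a list of findings for one archive member; empty means nothing suspicious."""
    findings = []
    exts = split_extensions(name)
    final = exts[-1] if exts else ""

    if final in EXECUTABLE_EXTS:
        findings.append(f"executable extension {final}")
    # photo.jpg.scr: a document-looking extension hides in front of an executable one.
    if len(exts) >= 2 and final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double extension disguises executable as document/image")
    # Content says PE, name says something else: a renamed executable.
    if sniff(head) == "application/x-dosexec" and final not in EXECUTABLE_EXTS:
        findings.append(f"content is a Windows executable but name claims {final or 'no extension'}")
    return findings


def scan_archive(members):
    """Map each suspicious member name to its findings; clean members are omitted."""
    report = {}
    for name, head in members:
        findings = inspect_member(name, head)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_archive(SAMPLE_ARCHIVE).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The magic-byte check is the one that matters most: extension rules alone miss the renamed executable, and renaming is free for the attacker. Note that the check is only as good as its table; a document format that embeds macros or exploits (an RTF or Office file, say) passes this sniff and still needs sandbox detonation or a dedicated parser.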

References: Security Week | CSO Online | Wired

Mitigation Strategies:

  • Log Review, to examine system logs daily for signs of malicious activity.
  • Threat Manager, to detect malicious activity on the network.

Top 20 IP Addresses – NEW