TalkTalk Website Hacked, 4 Million Customer Records Stolen
TalkTalk, the U.K.-based telecommunications company, admitted on October 22 that it suffered its third major cyber attack in the last 12 months, resulting in data theft of 4 million customers. TalkTalk representatives stated that the majority of stolen customer data was unencrypted and included names and addresses, dates of birth, email addresses, telephone numbers, account information, credit card data, and bank details.
Multiple press outlets credited the attack to Islamic hackers using Distributed Denial of Service (DDoS) attacks to overwhelm the company’s website. A DDoS attack would need to have been used as part of a broader attack strategy, as it alone would not have allowed the attackers to steal any information. Independent verification of the incident and perpetrators revealed that an unknown hacker collective using the handle “Th3 W3b 0f H4r4m” posted a sample of TalkTalk’s customers’ records on Pastebin.
Following this recent incident, TalkTalk customers will be hard pressed to believe company claims that their website and databases are secure and protected from further exploitation.
Analysis of Tinba Banking Trojan Family
The Tinba banking Trojan family, also known as Tiny Banker, Zusy or Hunter, has been in existence since 2012 and was named by CSIS group researcher Peter Kruse due to its small size (20 KB). The family was updated and integrated into five Exploit Kits (Angler, Blackhole, HanJuan, Nuclear and RIG) and in late 2014 configured with anti-analysis techniques. The family is on its fourth version.
The family became known to the cyber security community in 2012 when attackers leveraged it in a campaign targeting banks in Turkey. During this campaign, Tinba was delivered by the Blackhole Exploit Kit (EK) and was capable of a Man in The Browser attack and web injections.
Tinba has a wide variety of country and financial institution targets. In mid-2014, the source was leaked leading to version two and three. Attackers expanded their scope in late 2014 and mid-2015 to include European commercial banks, insurance, and dating website customers.
Known Country Targets Include:
- Turkey (2012)
- Czech bank customers (September 2014)
- Italy (May 2015)
- Germany (May 2015)
- Netherlands (May 2015)
- Poland (May 2015)
- Romania (v3, July 2015)
Top 20 IP Addresses
|126.96.36.199 – NEW||188.8.131.52 – NEW|
|184.108.40.206 – NEW||220.127.116.11 – NEW|
|18.104.22.168 – NEW||22.214.171.124 – NEW|
|126.96.36.199 – NEW||188.8.131.52 – NEW|
|184.108.40.206 – NEW||220.127.116.11 – NEW|
|18.104.22.168 – NEW||22.214.171.124 – NEW|
|126.96.36.199 – NEW||188.8.131.52 – NEW|
|184.108.40.206 – NEW||220.127.116.11 – NEW|
|18.104.22.168 – NEW||22.214.171.124 – NEW|
|126.96.36.199 – NEW||188.8.131.52 – NEW|