So I have had this project going on for a while now where I'm trying to track a script kiddie who has been using sqlmap to hack literally hundreds of websites for about half a year. He then publishes information about the sites he has broken into, and while doing so shows a lot of signs of inexperience in the field. I don't want to go too deep into the details of this little project, for fear of alerting the person in question. But I do want to talk briefly about a recent incident that is directly related to this project, because it shows what can happen when security is not taken seriously.
A few days ago I checked the list of websites that the guy has hacked. I noticed that he had added a bunch of new sites to his list and stated on some of them that he had only enumerated the database names and a list of the tables in them. According to what he said, he had not extracted any other sensitive information. Reading this, I quickly contacted the affected websites (I always do this, but I do it faster when I think the data on the servers hasn't been touched yet) in the hope of preventing any further damage. I have a template that I use for all contact with sites in this project, and I have even been reported for spamming by one of the companies. Ungrateful as it may sound, I understand their reaction.
Among the sites I contacted, one was especially quick to reply to my E-mail, stating that this incident had nothing to do with them and did not affect their website or business. I was surprised at first and thought that I might have made some error in contacting them and perhaps had contacted the wrong company. After double- and triple-checking, I decided to reply to the E-mail and ask whether the website (including the link to the affected website) was indeed theirs. It should be noted that if their website's address was "verylegitimatewebsite.tld", then the contact address I was sending my E-mails to was "firstname.lastname@example.org".
This is how I think a lot of people see IT-security consultants these days when we try to tell people that security needs to be taken more seriously.
After a while the person on the other end responded that the site did indeed belong to them.
I'm not sure what brought on the first reply that it had nothing to do with them, but it became clear to me that this person had no idea what I was talking about and didn't really seem to care either. I wrote a somewhat more detailed response directed at this specific website (instead of just pointing them to the list of affected sites in general, as I usually do to save time) to try to explain the situation and what all this could lead to, the potential damage, etc. I have so far not received a response, but I am still eagerly waiting for it.
During the conversation we were having over E-mail, their user database was stolen and information about it was published.
Take it seriously, folks.