This Week: Weebly, Indian Banks, and CyberMaryland

October 21, 2016

The Terbium Analyst Team is on the front-line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

This week, two major breaches came to light. Credentials for a popular web hosting platform, Weebly, appeared online. In India, banks suffered from one of the largest financial breaches ever seen in the country. Meanwhile, Terbium Labs’ CEO Danny Rogers spoke on a panel at this year’s CyberMaryland event.

Weebly Wobbly

Weebly, one of the most popular web-hosting platforms in the world, suffered a significant breach, exposing over 43 million users’ credentials. According to journalists and blogs who received samples of the data, the breach contains usernames, email addresses, passwords, and IP addresses.

Fortunately, Weebly used a strong hashing protocol for its users’ passwords, minimizing the damage of the breach (receiving a 7.5/10 score from LeakedSource, the data breach blog which was first alerted to the hack).

The company was unaware of the breach before they were notified by third parties, but responded responsibly. They quickly issued a public statement to their users and inquiring journalists, confirming the details of what they knew – no credit card information or client sites had been improperly accessed.  

The implications of this breach are greater than just Weebly, as it serves as the backbone for tens of millions of other sites. Many sites created using the Weebly model have their own customer bases and sensitive data to protect.

There seems to be a rise in attacks on cloud and hosting service providers; the news of Weebly’s breach comes against the backdrop of the breach that compromised 58 million accounts from Modern Business Solutions, a database hosting company.

Targeting a business is often fruitful, but targeting businesses where other businesses store their data can be a gold-mine.

Breach Don’t Kill My Vibe

Major Indian banks announced one of the largest breaches to ever hit the country. These banks are now in the process of reissuing credit cards and asking users to change their PINs after as many as 3.2 million individuals had their debit card information stolen. Of the affected cards, 2.6 million cards come from Visa and Mastercard.

Banks, including State Bank of India, HDFC Bank, ICICI Bank, YES Bank, and Axis Bank, discovered the breach after numerous reports surfaced of Indian users’ cards being charged in China and the United States. The banks believe the breach originated with Hitachi Payment Systems (a company that provides ATMs, POS systems, and banking channel products). As a result, banks are telling their customers to only use ATMs from their personal bank (if unaffected) to prevent further loss.

Instantaneous breach discovery helps reduce remediation times and can potentially stop a hemorrhaging leak. 19 banks across India lost 13 million rupees, or US $194,800 in the breach. Although users could not knowingly protect themselves in this breach, organizations bear the responsibility of protecting their users’ information – something they failed to do here.

One More Thing: CyberMaryland and the Dark Web

We recently participated in the CyberMaryland Threat Intelligence Forum, which turned out to be a rather educational experience. It turns out, so much of the broader information security community doesn’t really know that much about the dark web! Many have read about it in the media, most have at least heard of Tor, but so many information security practitioners don’t really understand what it is, what’s on it (and what’s not), and what they should be doing to monitor it!

Despite our attempts to counter them, the myths remain omnipresent - that the dark web is bigger than the broader internet, that it’s entirely used for criminal activities, that it’s only controlled by a few people and impossible to access, etc., etc. At the conference, as at all of the conferences we attend, we tried to educate the attendees and provide honest assessments designed to separate fact from fiction. You can even see one of our recent efforts along these lines here.

We’re going to continue to educate the broader information security community about the dark web and work to dispel the pervasive myths at various events in the coming months. Check out our Events page to find out where you can learn more about the dark web.
