{"id":14304,"date":"2019-01-11T11:10:02","date_gmt":"2019-01-11T19:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/01\/11\/news-8056\/"},"modified":"2019-01-11T11:10:02","modified_gmt":"2019-01-11T19:10:02","slug":"news-8056","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/01\/11\/news-8056\/","title":{"rendered":"Luas data ransom: the hacker who cried wolf?"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Fri, 11 Jan 2019 18:00:00 +0000<\/strong><\/p>\n<p>In a terrible start to the year for Irish tram firm Luas, their <a href=\"https:\/\/www.buzz.ie\/news\/luas-website-hacked-with-company-held-to-ransom-for-one-bitcoin-312157\" target=\"_blank\" rel=\"noopener\">site was compromised<\/a>\u00a0a week ago and adorned with a stark ransom warning:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site.jpg\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26822\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/luas-data-ransom-the-hacker-who-cried-wolf\/attachment\/hacked-site\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site.jpg\" data-orig-size=\"1347,447\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"hacked site\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site-300x100.jpg\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site-600x199.jpg\" class=\"aligncenter size-medium wp-image-26822\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site-300x100.jpg\" alt=\"hacked site\" width=\"300\" height=\"100\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site-300x100.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site-600x199.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/hacked-site.jpg 1347w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<blockquote>\n<p><em>You are hacked. Some time ago I wrote that you have serious security holes.<\/em><\/p>\n<p><em>You didn\u2019t reply.<\/em><\/p>\n<p><em>The next time someone talks to you, press the reply button.<\/em><\/p>\n<p><em>You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.<\/em><\/p>\n<\/blockquote>\n<p>The message came with a Bitcoin address, and the defacement was quickly taken down.<\/p>\n<h3>Real threat or a blast of bluster?<\/h3>\n<p>Many observers questioned the legitimacy of this ransom threat. One Bitcoin is currently around 3,100 Euros. Luas aren\u2019t exactly <a href=\"https:\/\/twitter.com\/gavreilly\/status\/1080778352993148928\" target=\"_blank\" rel=\"noopener\">short of cash<\/a>, so it wouldn\u2019t be an issue for them to pay (not that we\u2019d advise it). The general feeling was that either 3,100 Euros was a large sum of money to the attacker, or they just wanted the company to address the problem facing them without fuss.<\/p>\n<p>As soon as the hack was announced, nervous customers wondered exactly what might be dumped into the ether should the ransom go unpaid. Names and addresses? Emails? Perhaps even payment data? 
However, this is where the hacker\u2019s version of events starts to unravel. I\u2019m not personally familiar with the website in question, and it\u2019s currently still down, so I looked on Internet Archive.<\/p>\n<h3>A trip down memory lane<\/h3>\n<p>The site doesn\u2019t appear to have any form of registration or login; it seems to be <a href=\"https:\/\/web.archive.org\/web\/20181127011542\/https:\/luas.ie\/\" target=\"_blank\" rel=\"noopener\">more of an information portal<\/a>. Additionally, the one section that references payment\u2014\u201cPay your standard fare notice\u201d\u2014leads to the <a href=\"https:\/\/web.archive.org\/web\/20180619165923\/https:\/payments.luas.ie\/default.aspx\" target=\"_blank\" rel=\"noopener\">payments site<\/a>, which Luas pointed out <a href=\"https:\/\/web.archive.org\/web\/20190103231742\/https:\/www.luas.ie\/\" target=\"_blank\" rel=\"noopener\">hadn\u2019t been compromised<\/a>. The site read as follows:<\/p>\n<blockquote>\n<p><em>The Luas website is undergoing restoration following a cyber-attack.<\/em><\/p>\n<p><em>We wish to advise customers that the Tax Saver and Standard Fare Notice sites have NOT been compromised.<\/em><\/p>\n<\/blockquote>\n<p>It\u2019s worth noting the payments section hasn\u2019t been taken offline, either.<\/p>\n<h3>The hacker who cried wolf?<\/h3>\n<p>We waited with bated breath as the ransom timer ticked down. Would we see a large blast of customer data popping up online? Or would the whole thing fall flat? If essential information such as logins and payment data hadn\u2019t been grabbed, what exactly were we talking about here? Basic website metrics such as visitor stats or website referrers? What could this attacker possibly have grabbed while achieving what appears to have been a perfectly standard webpage defacement in all other respects?<\/p>\n<p>The answer is, of course, \u201cNobody knows.\u201d<\/p>\n<p>The deadline has come, gone, and is now on vacation somewhere. 
Occasionally, it lets you know the weather is lovely and reminds you to put the bins out.<\/p>\n<p>Absolutely none of which helps anybody who suspects they may have been caught up in this. Even more slightly surreal is the fact Luas said they\u2019d <a href=\"https:\/\/web.archive.org\/web\/20190105075749\/https:\/www.luas.ie\/\" target=\"_blank\" rel=\"noopener\">contact anyone<\/a> they thought may be affected, but there\u2019s zero example of said contact on social media that I can find.<\/p>\n<blockquote>\n<p><em>Customers: An update on the Luas cyberattack.<\/em><\/p>\n<p><em>Luas technicians are still investigating it and are working to restore the site.<\/em><\/p>\n<p><em>Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.<\/em><\/p>\n<\/blockquote>\n<p>This is absolutely not what normally happens, and at this point I\u2019d usually be linking to a deluge of \u201cyou got me\u201d posts. That\u2019s the theory. The reality, currently, is nothing but a wave of silence.<\/p>\n<h3>This number is no longer available<\/h3>\n<p>Our suspicion here is that nothing customer related was taken and it was all a ransom-themed bluff to either grab some Bitcoin cash or attention, or perhaps both. If you\u2019ve used any Luas site for any type of registration or payment, you\u2019re probably fine.<\/p>\n<p>Unless the site compromiser had a sudden change of heart, they were going to dump the data in public fashion instead of some hidden underground forum, but it hasn\u2019t happened. People may call them \u201cunderground,\u201d but the reality is data dumps don\u2019t remain private for long.<\/p>\n<p>No further updates are forthcoming from Luas, so it doesn\u2019t appear they\u2019ve been told their number is up either. 
All in all, we\u2019d say cross some fingers and hope everything is coming up Milhouse.<\/p>\n<p>While I try to remember if things coming up Milhouse is good or bad, here\u2019s what you can do if you\u2019re still worried you may be affected.<\/p>\n<h3>Data dump fallout tips<\/h3>\n<p>This isn\u2019t just good advice for the Luas attack, but for any potential breach situation.<\/p>\n<p>If you\u2019re on Twitter, simply follow <a href=\"https:\/\/twitter.com\/haveibeenpwned\" target=\"_blank\" rel=\"noopener\">haveibeenpwned<\/a>, a service maintained by security pro Troy Hunt. It will usually be one of the first places you\u2019ll hear about any breach where data has been taken. After that, head over to the <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noopener\">haveibeenpwned website<\/a> and check if your emails have been included in any attacks. If they have, you\u2019ll see a short summary of when it happened and what was taken. Note that you won\u2019t see the stolen data.<\/p>\n<p>Finally, you can register for alerts when any new breaches are added.<\/p>\n<p>There\u2019s really no need to go spelunking into the murky pools of hacker forums, looking in vain for a breach you may be on. Rest assured that if it\u2019s happened, you\u2019ll find out eventually\u2014one way or another. At that point, it\u2019s a case of changing your logins and applying whatever security steps are required to fix things up. Ransoms are always a major issue, whether from threats or <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/malware\/2019\/01\/ryuk-ransomware-attacks-businesses-over-the-holidays\/\" target=\"_blank\" rel=\"noopener\">infection files<\/a>. 
If this story has any additional developments, we will of course update this post as to what anyone affected should do next.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/luas-data-ransom-the-hacker-who-cried-wolf\/\">Luas data ransom: the hacker who cried wolf?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/luas-data-ransom-the-hacker-who-cried-wolf\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Fri, 11 Jan 2019 18:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/luas-data-ransom-the-hacker-who-cried-wolf\/' title='Luas data ransom: the hacker who cried wolf?'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/shutterstock_1089464849.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Irish tram firm Luas were recently compromised and told to pay 1 Bitcoin, or risk user data being fired into the void. The deadline for paying the ransom has now passed: So what happens next? 
And is anyone out there really at risk?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/hacking\/\" rel=\"category tag\">Hacking<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/bitcoin\/\" rel=\"tag\">bitcoin<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-breach\/\" rel=\"tag\">data breach<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hacked\/\" rel=\"tag\">hacked<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hacking\/\" rel=\"tag\">hacking<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/haveibeenpwned\/\" rel=\"tag\">haveibeenpwned<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/luas\/\" rel=\"tag\">luas<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransom\/\" rel=\"tag\">ransom<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/luas-data-ransom-the-hacker-who-cried-wolf\/' title='Luas data ransom: the hacker who cried wolf?'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/luas-data-ransom-the-hacker-who-cried-wolf\/\">Luas data ransom: the hacker who cried wolf?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10490,4503,11172,15234,3919,20657,20658,18276,3765],"class_list":["post-14304","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-bitcoin","tag-cybercrime","tag-data-breach","tag-hacked","tag-hacking","tag-haveibeenpwned","tag-luas","tag-ransom","tag-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14304"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14304\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14304"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}