Security Breach Thoughts
Posted: Fri Jun 07, 2013 10:31 pm
Hey Guys,
I've been thinking over this issue we are having at my work now for many months and we are yet to find a potential reason for the cause, so hopefully someone here can get the juices flowing on ideas on how to proceed.
My company has an email marketing platform that clients use for sending out their monthly newsletters etc. We use Power MTA for mailing out and as a result we have a fairly good reputation for being able to get email to a location and report back simple things like click rates etc.
Probably about a year ago, one of our accounts was hacked and spear phishing campaigns were sent out. The campaign was the typical American Greetings or PayPal dodgy ones with links and content trying to snare people to give away personal details as they do. This turned out to be the first in a string of attacks both to us plus about 10 other digital marketing platforms, so we aren't alone.
After all this we restricted our client administrator logins to Australia only, which quelled the issue for a long time; however, now they have started again and have just hit one of our bigger clients. Cyber crime ain't cool but unfortunately, our product is also filled with legacy code and has some potential issues should they be exploited. However, I have added logging to every single PHP file that is hit, logging every request (GET or POST), to try and see how these people are getting admin passwords.
They are just logging in after 1 attempt. They just seem to have a valid user's username and password and log in in one attempt. There are no brute force attempts or anything like that, which makes it difficult to work out how it's happening. We run a LAMP stack and our servers are inaccessible unless on a VPN, same with our MySQL servers, so it is unlikely that it is the issue. We also can block individual IP addresses after attacks, which we do when we see what IP they are coming in from.
I know we could look at introducing a physical code card and renew that every month or so; however, does anyone at all have some thoughts or have experienced such issues and have an idea of steps to take?
This is obviously not a heap of info but I'm happy to provide more specific info if asked for. Much appreciated.
Wes
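Added example (not code from the post or from Wes's platform) showing the kind of triage a defender can run over the per-request login logs the post describes. The pattern to separate is "credential was guessed" (failed attempts, then a success) from "credential was already known" (one success, no failures, from an address that user has never logged in from, possibly outside the allowed country). The log line format, the sample lines, and the prefix-based country table are all constructed for this example; a real deployment would read the platform's own PHP/Apache logs and resolve countries with a GeoIP database.

```python
"""Flag first-try admin logins that look like use of an already-known credential.

Everything below is an added, self-contained example: the log format, the sample
log lines and the country table are constructed, not taken from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a per-request login log:
# timestamp | username | source IP | outcome
SAMPLE_LOG = """\
2013-06-01T08:02:11 alice 203.0.113.10 success
2013-06-01T08:40:27 alice 203.0.113.10 success
2013-06-02T09:15:03 bob 198.51.100.7 failure
2013-06-02T09:15:20 bob 198.51.100.7 failure
2013-06-02T09:15:41 bob 198.51.100.7 success
2013-06-03T02:12:55 alice 192.0.2.44 success
2013-06-03T11:30:00 carol 203.0.113.88 success
"""

# Constructed stand-in for a GeoIP lookup (assumption: a real platform would use a
# GeoIP database). Prefixes not listed resolve to "unknown".
COUNTRY_BY_PREFIX = {"203.0.113.": "AU", "198.51.100.": "AU", "192.0.2.": "XX"}
# The post says administrator logins are restricted to Australia.
ALLOWED_COUNTRIES = {"AU"}


def country_of(ip):
    """Return the constructed country code for an IP, or "unknown"."""
    for prefix, cc in COUNTRY_BY_PREFIX.items():
        if ip.startswith(prefix):
            return cc
    return "unknown"


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_logins(events, failure_window=timedelta(minutes=30)):
    """Return successful logins worth a closer look.

    Signals per success:
      new-ip                  the user has logged in before, but never from this IP
      first-try               no failed attempts for this user in the preceding window
      outside-allowed-country the IP resolves outside ALLOWED_COUNTRIES
    A success that is only "first-try" is normal (users know their own password),
    so it is reported only in combination with another signal.
    """
    known_ips = defaultdict(set)         # user -> IPs seen on earlier successes
    failures = defaultdict(list)         # user -> timestamps of failed attempts
    findings = []
    for ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[user].append(ts)
            continue
        reasons = []
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("new-ip")
        had_recent_failure = any(ts - f <= failure_window for f in failures[user])
        if not had_recent_failure:
            reasons.append("first-try")
        if country_of(ip) not in ALLOWED_COUNTRIES:
            reasons.append("outside-allowed-country")
        if reasons and reasons != ["first-try"]:
            findings.append({"time": ts.isoformat(), "user": user,
                             "ip": ip, "reasons": reasons})
        known_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports a single login: alice, from an address she has never used, outside the allowed country, with no failed attempt before it. That is exactly the shape the post describes, and isolating those events (rather than every login) gives a short list to correlate against the users' own machines, mail, and recent password changes when working out where the credential came from.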