Craftbrewer Hoax!

Australia & New Zealand Homebrewing Forum

Did they get any direct deposit info and does that mean anything? Can they get anything sensitive off the invoice history? And do they know what porn sites I visit?
 
They would only have access to what's in the craftbrewer database, which wouldn't include bank information.

With some luck auditing is enabled on the database, which will tell the admins what data, if any, has been stolen.
 
They would only have access to what's in the craftbrewer database, which wouldn't include bank information.
This is a phishing scam. They have access to whatever information tight-arsed homebrewers have willingly given them. Probably a tonne.
 
This is a phishing scam. They have access to whatever information tight-arsed homebrewers have willingly given them. Probably a tonne.

Yeah sure if you gave them those details via the phishing link....but I am talking specifically about the access they have to the craftbrewer.com.au database, which they very well may have access to considering they were able to modify the front page of the site. If they can modify a site page, chances are they have access to the customer database, which Ross has said only contains customer info, not banking details as that is handled by a 3rd party.
 
:icon_offtopic: Has anyone called ACA yet?

Good luck with it Ross
 
...specifically about the access they have to the craftbrewer.com.au database...

Yeah, this is what I meant too - if they have the passwords and login details, what other info do they have access to?
 
This thread is yesterday's news. Poor Ross is obviously hassled out enough that his business is being used as the front face of a phishing scam, but I truly believe that the impact on customers will be minimal, unless someone out there is incredibly stupid. All they would have gotten was e-mail addresses, that's it. The magic to these scams is that they trick you into giving them your details directly. And if you fell for this one, there's every chance you have been a victim of this sort of thing in the past. There are hundreds that your spam filter would trash each month before you even see them. The only difference with this one is that it's your chosen vendor. Next week it might be an email from your bank.
 
Yeah sure if you gave them those details via the phishing link....but I am talking specifically about the access they have to the craftbrewer.com.au database, which they very well may have access to considering they were able to modify the front page of the site. If they can modify a site page, chances are they have access to the customer database, which Ross has said only contains customer info, not banking details as that is handled by a 3rd party.

If they have access to the database then they have your sign in name and password + your name and postal address and possibly your telephone number. You should be concerned if you use the same login and password for other sites.
 
If they have access to the database then they have your sign in name and password + your name and postal address and possibly your telephone number. You should be concerned if you use the same login and password for other sites.


If they had access to the passwords, why on earth would they bother with developing and emailing a group phishing scam? It would be more logical not to alarm the potential victims, and silently gather information without your knowledge that something is amiss. If they had passwords...... Which they don't...... Because they are phishing!

Everything is going to be OK, brewers.
 
Which they don't...... Because they are phishing !
This will effectively be true. However they may actually have the encrypted passwords but can't do anything with them. If you clicked the link they will certainly have asked you for your password and you may very well have given it to them.
 
If they had access to the passwords, why on earth would they bother with developing and emailing a group phishing scam? It would be more logical not to alarm the potential victims, and silently gather information without your knowledge that something is amiss. If they had passwords...... Which they don't...... Because they are phishing!

Everything is going to be OK, brewers.

Ross himself said they may have had access to the passwords stored in the database - and by extension that would include all other information in the same database. If he or his IT guys don't know for sure, it's best to assume it's been stolen, given the nature of what has occurred. I'm not sure if the modifications took place with XSS or via a local modification; I was hoping Ross could confirm this via his IT guys. If it was via XSS, it's entirely possible they have no personal details from the site, at all.

Their end goal is financial gain, probably from selling the valid credit card details they have gained from the dodgy site (hopefully very few!), or by using these details to buy things. But, if they did download all of the personal details from CB's database (CB store no CC details), who's to say they're not going to either A) sell those off too, or B) use them for spear-phishing against its own customers?

They obviously intended to go undetected - it was only through their own poor English skills that they got spotted (and real quickly, too).
 
Ross himself said they may have had access to the passwords stored in the database - and by extension that would include all other information in the same database. If he or his IT guys don't know for sure, it's best to assume it's been stolen, given the nature of what has occurred. I'm not sure if the modifications took place with XSS or via a local modification; I was hoping Ross could confirm this via his IT guys. If it was via XSS, it's entirely possible they have no personal details from the site, at all.

Their end goal is financial gain, probably from selling the valid credit card details they have gained from the dodgy site (hopefully very few!), or by using these details to buy things. But, if they did download all of the personal details from CB's database (CB store no CC details), who's to say they're not going to either A) sell those off too, or B) use them for spear-phishing against its own customers?

They obviously intended to go undetected - it was only through their own poor English skills that they got spotted (and real quickly, too).
Unless - as Ross indicated earlier in the thread - the attack is a personal one designed to discredit and harm his company.

I don't know what all the fuss is about anyway, if someone uses the same (or related) password for inherently insecure and trivial purposes (routine logins to online shops, forums etc) as they do for important things (online Banking, PayPal etc) they should expect to have problems when something like this occurs - which happens often enough for any sensible Internet user to be concerned. It's just the same as if you plaster real/personal details publicly all over the place (Facebook/other social networking).
 
Bah,

All these dramas - can't believe CB website is down.
Tempted to start the drive to Brisbane - need more kegs!
 
Unless - as Ross indicated earlier in the thread - the attack is a personal one designed to discredit and harm his company.
I only skimmed over that previously; but I'm sure that will ultimately backfire on the attacker(s). Personally my missus and I have shopped with CB a few times over the past 12 months and will be again in the future once this mess is cleaned up. I'm guessing ditto for just about everyone else, too.

If he knows the person(s) involved, hopefully he can successfully press charges against them, as what they have done is illegal.
 
The passwords are actually only encrypted in Plesk v11 and even then it is very poorly done - if you have access to the server, you have access to the encryption key, which means you can easily decrypt the passwords. The other method employed by Plesk v11 is a hashed password....but once again this is useless as it's per server, not per user, which means if you have access to the server you can decrypt the passwords very easily.

Finally, it looks like this server had some vulnerabilities - it could be that Plesk was a version older than v11, in which case passwords are stored in PLAIN TEXT.

So either way, people thinking that the passwords are secure are fooling themselves when it comes to Plesk.

I'd be interested to know if the attack used the unpatched IIS6 vulnerability or a vulnerability in Plesk. Either way, if this is a managed host, the provider has a lot of explaining to do.

The passwords don't bother me too much, it's the emails, address and phone numbers that bother me more.
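
The per-server versus per-user distinction raised in the post above, as an added example that is not part of the thread and is not Plesk's or Craftbrewer's code. The account names, passwords and salt value are constructed, and PBKDF2 stands in for whatever scheme a real product uses; the point shown is that one shared salt makes reused passwords visible as identical stored records, while a random salt per user does not.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob share a password on purpose.
ACCOUNTS = {"alice": "hops4ever", "bob": "hops4ever", "carol": "malt-and-yeast"}
SERVER_SALT = b"one-salt-for-the-whole-server"  # hypothetical server-wide value
ITERATIONS = 100_000  # demo cost; tune upward for real use


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_server_wide(accounts):
    """Weak layout: every record is derived with the same server-wide salt."""
    return {user: derive(pw, SERVER_SALT) for user, pw in accounts.items()}


def store_per_user(accounts):
    """Stronger layout: each record carries its own random 16-byte salt."""
    return {user: (salt, derive(pw, salt))
            for user, pw in accounts.items()
            for salt in [os.urandom(16)]}


def verify_per_user(table, user, candidate):
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = table[user]
    return hmac.compare_digest(digest, derive(candidate, salt))


def shared_digest_groups(digests):
    """Return groups of users whose stored digests are byte-identical."""
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    weak = store_server_wide(ACCOUNTS)
    strong = store_per_user(ACCOUNTS)
    print("server-wide salt:", shared_digest_groups(weak))
    print("per-user salt:  ",
          shared_digest_groups({u: d for u, (_, d) in strong.items()}))
```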
 
Assuming his host was using it, Plesk passwords would be entirely separate to the users' passwords stored in the Craft Brewer database, which is the real concern here. Any hashing/encryption on the passwords would have nothing to do with Plesk.
 
LOL @ the paranoid hysteria!

Drink a beer, relax. Address and phone numbers are hardly sensitive personal information, unless you're in witness protection?
 
Assuming his host was using it, Plesk passwords would be entirely separate to the users' passwords stored in the Craft Brewer database, which is the real concern here. Any hashing/encryption on the passwords would have nothing to do with Plesk.

Under the impression customer info is stored within Plesk when utilising the online store features, not a separate database? It all depends on the manner in which the site was deployed...using Plesk Web Presence Builder or not. I imagine it was all built using Plesk tools as the host now shows the default Plesk web page when viewing craftbrewer.
 
In case anyone was worried, your personal information (name, phone number and address) has in fact been published publicly on a website here
 
Nice to see Craftbrewer site back up and running.

I'll say you deserve a couple of cold ones Ross :beer:
 