Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.
Last Tuesday’s story looked at two victims; the jam and jelly maker Smucker’s, and SecurePay, a credit card processor based in Georgia. Most of the companies contacted for this story did not respond to requests for comment. The few business listed that did respond had remarkably similar stories to tell about the ordeal of trying to keep their businesses up and running in the face of such intrusions. Each of them learned important lessons that any small online business would be wise to heed going forward.
The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores.
Elightbulbs.com, a Maple Grove, Minn. based company that sells lighting products, was among those listed in the ColdFusion botnet panel. Elightbulbs.com Vice President Paul McLellan said he first learned of the breach on Nov. 7, 2013 from his company’s processor — Heartland Payment Systems.
McLellan said the unpatched ColdFusion vulnerabilities on the company’s site was certainly a glaring oversight. But he said he’s frustrated that his company was paying a third-party security compliance firm upwards of $6,000 a year to test Elightbulbs.com for vulnerabilities and that the firm also missed the ColdFusion flaws.
“Shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind,” McLellan said. “Turns out this flaw had existed for two years and they never saw it.
McLellan said the company received a visit from the FBI last year, and the agent said the group responsible for hitting Elightbulbs had compromised much more high-profile targets.
“The FBI investigator said, ‘Hey, don’t beat yourself up. We’ve got credit card processors and government institutions that run ColdFusion who were breached, this is small potatoes’,” McLellan said. “That was a small consolation.”
Ultimately, elightbulbs.com opted to remove the target from its back by outsourcing the processing of credit cards on its site to authorize.net, a third-party processing firm that specializes in securing e-commerce transactions.
“Myself and my IT director made a pact that we’re never going to back to charging cards on our server, that we were going to take the site out of the equation,” McLellan said. “At first I thought it would turn away customers, but people don’t seem to mind the extra step. And for me, I get to sleep at night knowing I’m protecting my customers data. Personally, I’ll never go back to taking [credit cards] on the site. It’s hard enough running a small business, and I don’t want credit card theft being one of the things I have to constantly worry about.”
Kichlerlightinglights.com was another lighting store ensnared by the ColdFusion botnet. Company owner Gary Fitterman said the breach cost his company a tremendous amount of money and time.
“It was like being attacked by terrorists,” Fitterman said. “When we learned what had happened, we immediately went into a frenzy, spent a ton of money to get [forensics experts] in to take a look.”
In the end, Fitterman and his team also opted to outsource the credit card processing to a third party, deciding it wasn’t worth the risk of continuing to handle it in-house.
“Now we can just concentrate on making our business grow, rather than always playing catch-up to make sure we have latest and greatest,” Fitterman said. “It’s not worth the risk. I don’t think there’s that much information out there to make small businesses like me aware of everything you should be aware of before this happens to you.”
Also among the four dozen or so sites enslaved in the ColdFusion botnet was the Web storefront for LaCie, a hardware company that specializes in external hard drives.
Clive Over, director of corporate communications for LaCie owner Seagate, said the company has investigated the incident and has so far found no indication that any customer data was compromised in the attack.
“This week, the Company received information indicating a server hosting LaCie.com may have been maliciously targeted and possibly breached at some point during calendar 2013,” Over said in an emailed statement. “Privacy and security is of utmost importance to the Company, and we therefore took immediate action to investigate this matter as soon as we became aware of it. The Company has conducted a preliminary investigation and, at this time, we are not aware that company or third party information was improperly accessed. The Company is currently working closely with third party experts to do a deeper forensic analysis.”
Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.
Update, 12:15 p.m. ET: The Guardian reported today about another apparent victim of ColdFusion fail: the carmaker Citroen.