The FBI has arrested hacker “Cosmo”, according to a report by Eduard Kovacs of Softpedia. Cosmo is alleged to be the leader of four-man hacktivist group UGNazi, which took control of the web site of major payment services provider WHMCS just over a week ago.
Previously, UGNazi had been known primarily for distributed denial-of-service (DDoS) attacks carried out using its own botnet. Earlier this month, for example, it briefly took down the US Department of Education web site. UGNazi received even more attention when, on 21 May, it hacked into servers belonging to UK billing company WHMCS and copied private internal information, which it posted online two days later. The stolen data included a MySQL dump of the company’s customer database containing nearly 130,000 records, and data from the main server. The hackers gained access to WHMCS’ Twitter account and infiltrated the user forum. The group also carried out DDoS attacks to take down the WHMCS domain for several hours.
The UGNazi hackers reportedly used basic social engineering techniques to gain access to the WHMCS domain. One of the hackers, probably Cosmo, phoned WHMCS’s hosting company claiming to be the company’s CEO and correctly answered the security question. They were then given full access to the company’s main server.
WHMCS provides payment systems for small to medium-sized web sites. At the time of the intrusion, the customer database contained just under 13,000 credit card numbers, which were encrypted using the symmetric AES algorithm. Passwords were salted, which should have made them harder to crack, but since the salt was stored directly after the password, not impossible.
Following the attack, the hackers spent several days taunting WHMCS. They posted tweets in the name of the company and rewrote some company blog and forum postings. In a statement on PasteBin, UGNazi stated that its motivation for the hack was simply to open the eyes of WHMCS users.
The group’s US-based web site is now offline – having been, according to a tweet by Cosmo, seized by the FBI. Members of the group have told Kovacs that they are confident that the FBI will not be able to prove anything in relation to Cosmo. A fifth member left the group shortly before the attack on WHMCS. According to Softpedia, another member of the group hasn’t been online “for the past couple of days”.
WHMCS has now reset all passwords for its customer area and warned its customers to be vigilant for ongoing consequences of the hack. Yesterday the company also had to notify its customers of a further security concern: a programmer had informed WHMCS of a vulnerability in its payment processing system, for which the company released an immediate patch.