Hackers breach WHMCS via social engineering

WHMCS, the company behind the popular commercial billing and automation software program used by many web hosting firms, has had its web server hacked on Monday.

Hacker group UGNazi (“Underground Nazi”) was apparently behind the attack, which was executed via a clever social engineering trick.

The attackers contacted WHMCS’s hosting firm, correctly answered security verification questions, and thus gained access to the company’s client account. Once in, they changed the contact email address and requested the hosting company to send them the admin login credentials.

“This means that there was no actual hacking of our server. They were ultimately given the access details,” it was pointed out in a post on the firm’s blog. “This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.”

According to the Register, the hackers have misused the access to exfiltrate the contents of the firm’s database, than deleted it and consequently crippled the website.

They also managed to compromise the firm’s Twitter account, and have used it to spread links to a number of Pastebin posts containing links to the stolen data: some 500K records that also contain credit card data.

The credit card information has been encrypted, but apparently still may be at risk, as it is believed that the key to decrypt it has also been compromised during the breach.

The reason behind the attack was explained by the group via a Twitter message: “Many websites use WHMCS for scams. You ignored our warnings. We spoke louder. We are watching; and will continue to be watching. #UGNazi”

WHMCS’s site is now back online.