A hacker claims to have penetrated the Wall Street Journal’s site.
The attacker is offering to sell both databases full of user information and the credentials necessary to control the WSJ’s purportedly breached server.
Calling himself “w0rm” on Twitter, the attacker posted screenshots there to substantiate his claims against not only the WSJ but also against Vice (both now no longer available).
The screenshots appeared to display user credentials extracted from stolen databases.
W0rm (who could be the representative of a collective of Russian malicious hackers) is offering to sell stolen databases from both publications for one Bitcoin (BTC) apiece ($621, £365).
The WSJ reported on Tuesday that its publisher, Dow Jones & Co, has taken the systems – which are used to house news graphics – offline, in an effort to isolate any possible attacks.
No damage or tampering had yet been detected as of Tuesday night, but the media outlet’s review was still ongoing.
The attack was brought to the newspaper’s attention by Andrew Komarov, chief executive of IntelCrawler, who says that the credentials w0rm is selling would allow a buyer to modify articles, add new content, insert malicious content in any page, add new users, delete users and more.
Komarov said that IntelCrawler has confirmed the vulnerability:
We confirmed there is the opportunity to get access to any database on the wsj.com server, a list of over 20 databases hosted on this server.
It’s being reported that the attacker exploited an SQL injection vulnerability.
Although the screenshots show records returned from a database, that in and of itself doesn’t explain how they were obtained – only that they were.
The tweet about the WSJ appears to show the command line interface for a database client accessing a database, but again, even if we take it to mean that the attacker(s) gained access to the WSJ database, it tells us nothing about how he broke in.
In fact, all we can confidently assume is simply that the screenshots were taken on a Mac and posted on Twitter, Naked Security’s Paul Ducklin tells me.
SQL injection is, though, an obvious candidate for how w0rm got in.
Databases are valuable and hence aren’t typically accessible to the outside world directly, but public-facing websites are often plugged into those otherwise difficult-to-reach databases.
SQL injection attacks get at the database via the website.
It’s a common form of attack, possibly the easiest way to get at a vulnerable database from the outside, but it’s also very easy to defend against, Naked Security’s Mark Stockley says.
He recommends that any website code that accesses databases should use parameterised queries to ensure that the database treats user inputs as data rather than code.
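The contrast Stockley describes, as an added illustration that is not code from the article or from the WSJ: the same user lookup written once with string concatenation and once with a parameterised query, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample rows for an in-memory database; not real WSJ data.
SAMPLE_USERS = [
    ("alice", "pbkdf2-sha256$hash-placeholder-1"),
    ("bob", "pbkdf2-sha256$hash-placeholder-2"),
]

# A classic tautology input used only to show the two behaviours differ.
INJECTION_INPUT = "x' OR '1'='1"


def make_db():
    """Build a throwaway SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so the
    database parses whatever it contains as part of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: the query structure is fixed and the input is bound
    to the ? placeholder as a value, never interpreted as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # Concatenation: the WHERE clause becomes always-true, every row returns.
    print("unsafe:", lookup_unsafe(db, INJECTION_INPUT))
    # Parameterised: no user is literally named "x' OR '1'='1", so nothing returns.
    print("safe:  ", lookup_safe(db, INJECTION_INPUT))
```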
At any rate, this is the second time that the WSJ has been picked on in a week.
Malicious hackers broke into the media outlet’s Facebook page on Sunday, soon after the shocking Malaysia Airlines plane crash, to post bogus news alerts about the US’s Air Force One possibly crashing over Russian airspace.
W0rm previously used the handle “Rev0lver”, Komarov said, and is the founder of Worm.in, a market for trading vulnerabilities.
Whatever the attacker calls himself, he’s been busy.
w0rm on 12 July tweeted a screenshot showing what looked like contents of the CNET database.
CNET confirmed that multiple servers were breached and that the attacker(s) stole 1 million emails, usernames and encrypted passwords.
W0rm’s modus operandi was the same for that attack: he tweeted that he would sell the database for one Bitcoin.
CNET reported that w0rm – whom they identified as being a representative for a group of Russian hackers – said in a Twitter conversation that the group offered to sell the database to gain attention and “nothing more”, and had no plans to decrypt the passwords or to complete the sale of the database.
Following the CNET breach, w0rm had the cheek to try to sell a “good protection system” to the victim:
#cnet i have good protection system for u ping me
We don’t take candy from strangers, and we don’t buy “protection” from those who just punched us in the gut.
If you’re a registered user of WSJ.com, you’d better change your password.
Also, change that password if you use it on other sites, too, though heaven knows you shouldn’t be reusing passwords!