The attacker was able to extract thousands of user records from the databases of various websites and leaked them on the Internet. User names, real names, e-mail addresses, phone numbers and passwords, in some cases even bank account details and more: all of it now publicly available to anyone, and only rarely protected by hashing or encryption. According to the hacker, he was also able to retrieve several admin passwords together with the corresponding host addresses, which he published as well.
Although the attacker had earlier given “fun” as his main reason for attacking the football-related websites, the more likely motive came to light yesterday: he published a message stating that he carries out the attacks because football clubs earn huge amounts of money while the economic crisis ruins middle-class people.
This form of digital protest is what we call “hacktivism”, and it is by no means a trivial offense. G Data warned against exactly this kind of attack in the run-up to UEFA EURO 2012 in its security outlook for 2012.
The victims, besides the unsuspecting users whose data was leaked, are several popular top football clubs from Germany, Italy, the Netherlands, Spain, Cyprus and Greece, one national football association, a website closely connected to UEFA EURO 2012 and a private fan-blog community.
Out of respect for the victims, we are not releasing any further information about their identity at this time. We are currently contacting the potential victims to inform them about the matter and are providing assistance and advice where needed.
Regarding the vulnerabilities used:
The information gathered so far leads us to strongly suspect that the attacker exploited SQL injection and CRLF injection vulnerabilities in the affected sites to retrieve the user information.
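To illustrate the two vulnerability classes named above, here is an added example that is not part of the original G Data post and does not reflect any code from the affected sites. It shows a user lookup built by string concatenation next to the same lookup with a bound parameter, and a redirect header built from unfiltered input next to one that rejects CR/LF. The table layout, the column names, the sample rows and the helper names are all assumptions.

```python
"""Added example (not from the G Data post): an SQL injection and a CRLF
injection in code, each beside a hardened version. The users table, its
columns, the sample rows and the helper names are assumptions."""
import sqlite3


def make_db():
    """Constructed sample data: a tiny fan-site user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.org", "s3cret"),
         ("bob", "bob@example.org", "hunter2"),
         ("admin", "admin@example.org", "letmein")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the WHERE clause by string formatting: the classic SQLi bug.
    A username of  ' OR '1'='1  turns the filter into a tautology and the
    query returns every row, including the stored passwords."""
    sql = "SELECT username, email, password FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the input stays data, never SQL."""
    sql = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def redirect_header_vulnerable(target):
    """Builds a raw HTTP redirect from user input without filtering CR/LF.
    A target containing "\\r\\n" lets the caller append arbitrary headers."""
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def redirect_header_safe(target):
    """Hardened version: refuse any value that could terminate the header."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in header value")
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def header_lines(raw):
    """Splits a raw response head into its header lines, for inspection."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, payload))   # all rows
    print("safe lookup:     ", lookup_safe(db, payload))         # no rows
    evil = "/home\r\nSet-Cookie: session=attacker"
    print("vulnerable header:", header_lines(redirect_header_vulnerable(evil)))
    try:
        redirect_header_safe(evil)
    except ValueError as exc:
        print("safe header rejected input:", exc)
```

The parameterised query and the CR/LF check are the two fixes a site owner would apply first; the additional point the leaked data makes is that the password column should never have held cleartext values in the first place.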
What can be done with the data leaked?
The leaked data offers a lot of potential for further fraudulent activity.
- One example: whoever gets hold of the data knows that the people in these databases are football fans, so it could be used for a targeted spam campaign with football-themed content (e.g. e-mails with a subject such as “Your football ticket invoice” and a malicious attachment). Obviously, the data can be used for any other spam campaign as well.
- Another example: attackers could pose as an employee of the hacked football club, with the database in front of them, and contact the victims by phone or e-mail to talk them into something. Social engineering is the key word, again.
- Furthermore, the credentials in the leaked files could be used to log in to other web services. Many users still use the same e-mail address with the same password across several services, which is a very bad idea: a single breached site then exposes every account that shares that password.
We’ll keep our eyes open and pursue the incident!