After being out of the spotlight for a while, the hacking group known as Team GhostShell has returned with what appears to be a significant list of websites it claims to have hacked. The Twitter account associated with the group is being updated sporadically with lists of websites supposedly breached.
Reports say that the data dumps reveal compromised account details numbering in the thousands at the lower estimate; however, this number is probably much higher. Information contained in the dumps supposedly includes emails, user names, addresses, telephone numbers, Skype names, dates of birth, and other personally identifiable information. Reports also say that some passwords were salted and hashed, while others were just hashed. Some passwords, however, were apparently stored in plain text. Unsurprisingly, there were several examples of the infamously weak “123456” password found in the data dumps.
Figure. Team GhostShell’s Twitter feed showing list of websites hacked
Team GhostShell last made headlines in 2012 when the group hacked a large number of website databases belonging to a range of organizations, including financial institutions, government agencies, political groups, law enforcement entities, and universities.
From first appearances, the recently released list of hacked websites seems to be random and there is no indication that any particular country or sector is being targeted. The group is more than likely hacking websites that are vulnerable.
In keeping with its previous modus operandi, it is likely that the group compromised the databases by way of SQL injection attacks and poorly configured PHP scripts; however, this has not been confirmed. Previous data dumps from the 2012 hacks revealed that the team used SQLmap, a popular SQL injection tool used by hackers.
Best practices
It may take some time until the true impact of this hacking campaign comes to light, but in the meantime, Symantec advises users to follow these best practices:
For individuals:
- Always use strong passwords and never reuse them across other websites. That way, if one of your passwords does get into the hands of the bad guys, at least you won’t have to worry about other accounts being accessed with the same password.
- Enable two-factor authentication on websites that provide it.
For database admins:
- Keep systems patched and up-to-date. This will make it much more difficult for the bad guys to get in.
- Filter user input. Data entered by users should be filtered for context, for example, an email address should only contain characters normally found in email addresses. This will seriously hamper the bad guys’ attempts at conducting SQL injection attacks.
- Use a web application firewall.
- Limit database privileges by context, i.e. a login field should only have access to the part of the database that contains the login credentials. That way, if an attacker gets access to this area, they won’t be able to access the rest of the database.
Since SQL injection is one of the favorite ways for hackers to break into websites, admins should prioritize beefing up defenses against this type of attack. The folks at OWASP have put together a nice cheat sheet with things that can be done to reduce the likelihood of a successful SQL injection attack.