
Hacker group claims to have looted $100k via SQL injection attack

A group of hackers, known as TeamBerserk, took credit on Twitter – posting as @TeamBerserk – for using a SQL injection attack to access usernames and passwords for customers of Sebastian, a California-based internet, phone and television service provider, and then leveraging those credentials to steal $100,000 from online accounts.

Within their Friday tweet, the hacker collective posted a link to a 20-minute video that chronicles the attack. The end result is the attacker obtaining a spreadsheet of Sebastian customers' usernames and passwords in plaintext.

With the list of credentials clearly available, the attacker then takes advantage of what some would consider an internet sin: not using a different password for every website.

The attacker appears to copy and paste Sebastian account credentials into Gmail and is then able to easily access the Google account. From there, the TeamBerserk member does a search for ‘PayPal,’ which comes up with some email receipts. The video then cuts away, stating that after they went to the PayPal website, “BANK ACCOUNTS FOUND AND LATER PLUNDERED.”

The next part shows the attacker heading over to the Citibank website. It is the same thing here – the hacker appears to copy and paste different Sebastian credentials into the banking site and easily gains access to financial accounts. The TeamBerserk member even takes it a step further by setting up a transfer of funds, presumably to their own account.

A Sebastian spokeswoman – who did not confirm or deny that the attack took place – told SCMagazine.com that she would have to confer with associates before making comments, but did not return the call before deadline.

Whether real or not, the video is plausible – it should be something of an eye-opener to those who overlook the power of SQL injection attacks, and should be something of a cautionary tale to those who recycle the same password across multiple accounts.

SQL injection typically involves an attacker inputting SQL statements into an entry field that will force the system to execute potentially malicious commands.

A successful SQL injection exploit can read sensitive data from a database, modify that data, execute administration operations on a database or, in some cases, issue commands to an operating system, according to the Open Web Application Security Project (OWASP).
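The two weaknesses the video relies on, a login query that splices user input straight into SQL text and a credential store that holds passwords in plaintext, are both fixable at the application layer. The following is an added example (not code from Sebastian, TeamBerserk or the article) using Python's standard `sqlite3` and `hashlib` modules with a constructed two-user table: `login_vulnerable` shows the string-concatenation defect, where an input containing a SQL fragment changes the query's structure and returns every row, and `login_safe` shows the parameterized query that treats the same input as a plain username, checked against a salted PBKDF2 hash rather than a stored plaintext password.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (not real customer data).
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library. Only the salt and
    # this hash are stored, so a dumped table does not yield reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for name, password in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (name, salt, _hash_password(password, salt)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect the article describes: input is pasted into the SQL text.

    Because the quotes around the value are part of the string being built,
    an input that closes the quote and adds its own condition rewrites the
    WHERE clause. Returns the usernames the resulting query matched.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup plus hash comparison.

    The '?' placeholder makes the driver bind the value as data, so the
    input can never become part of the SQL statement. The password is
    verified against the stored salted hash with a constant-time compare.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(stored_hash, _hash_password(password, salt))


if __name__ == "__main__":
    db = build_db()
    # A classic tautology input, used here only to show the contrast:
    probe = "' OR '1'='1"
    print("vulnerable query matched:", login_vulnerable(db, probe))
    print("parameterized login with same input:", login_safe(db, probe, "x"))
    print("alice, correct password:", login_safe(db, "alice", SAMPLE_USERS[0][1]))
```

The parameterized form is the fix OWASP recommends first; input filtering on its own is a weaker control because it has to anticipate every encoding of a quote. Storing a salted hash instead of the plaintext password does not stop an injection, but it removes the payoff shown in the video: a dumped table no longer contains credentials that can be pasted into Gmail, PayPal or a bank.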

In July, cyber crooks were charged with hacking more than a dozen companies and using SQL injection to steal 160 million card numbers, causing hundreds of millions of dollars in financial losses.

UPDATE: Tom Dominico, marketing and business development manager for Sebastian, told SCMagazine.com, “We are aware of the claims that our system has been compromised. We have checked with our service providers and their records indicate that no such attack has occurred. We take the security of our customers' personal information very seriously and are constantly working to keep them safe from online threats.”
