Sterling Auctions Site Up *DO NOT BID at this time*
Hello,
Sterling was getting ready to launch today only to wake up to the site being down. I have been informed that it will probably be Monday before it is back up. It appears to have affected all the Simple Auction sites. Hopefully it is up sooner, until then I will keep you updated. Thanks and Happy Holidays, Lee Behrens 320-219-1372 |
Saco
I haven't been able to get into the Saco River site this morning.
|
Goldin and VSA are also down.
|
Probably bleed off of the Russian hack. Seriously.
|
Simple Auction Announcement
Last night around 11:30 we were the victim of a Ransomware attack. Unfortunately we will be down for a few days as the firm we have hired to handle this works things out. Our sincere apologies for this and we are working as hard as we can to rectify this. Thanks
Bob Freedman CEO, SimpleAuctionSite |
I get this same error on all of these auction sites:
"The page cannot be displayed because an internal server error has occurred."
Brockelman Auctions
Sports Cards Plus
Goodwin & Co.
Touchdown Treasures
Mears Online Auctions
Sterling Sports Auctions
Love of the Game Auctions
BST Auctions |
Has anyone heard an explanation why it is taking four days for Simple Auction Site to get back online, especially with some auction houses who use that platform currently running auctions? Also, a bigger question: Has Simple Auction Site updated collectors who are registered for auctions on their platform whether personal information was compromised?
** I posted before noticing that Bob Freedman, Simple Auction Site CEO, posted in this thread. Bob, any insight as to whether your security breach might have compromised registered bidders' info? Was this attack related to any of the previous problems your clients, specifically Goldin Auctions, suffered this year? |
I received this email this morning:
12/19/2020 Update SimpleAuctionSite Server Outage
Valued Simple Auction Site Customer,
I wanted to give you an update as to where we are currently. We have hired a professional team to handle this situation. The company's name is Spear Tip, and they are experts in handling these types of situations. They have made contact with the hackers, and have paid the initial ransom. We are awaiting the hackers' reply to unencrypt their servers. Once they give us the key to unencrypt the data, we will start the process which could take anywhere from a few hours to a few days. As always, we appreciate your patience and understanding as we go through this difficult time.
Best Regards,
Bob Freedman
CEO, Simple Auction Site |
Kevin,
Did Bob mention anything about personal information being compromised? Thank you, Phil |
Thanks Kevin. Your post and that email pretty much addresses my concerns.
|
So, a ransomware issue.
|
C'mon Bob don't pay the ransom! Go out and get Liam Neeson & Harrison Ford, they'll deal with the hackers the right way. |
This affects a lot of AH I deal with, so I'm wondering what personal info was exposed if any, like payment method info.
|
Since they've taken control of Simple's servers I think it would be smart to assume data has been compromised.
|
There is little personal data at risk for most of AH's affected.
When you register, you provide your name, address, email and phone. No financial info of any kind (credit card or bank account info) nor SS #. AH's taking Paypal and Credit cards might have another issue, if they have data on their server, more likely it's on the payment processors side and quite secure. I think the gist here was to hold Simple hostage and not gain benefit from the users' info, otherwise they would have stayed quiet and milked the data for a long time. |
I understand what you're saying Scott, my point was to err on the side of caution, not that anything definitively happened.
|
MeiGray is part of this as well.
Additionally, if user IDs are tied to their personal information and large purchases, this could help further identify "high value" targets. Don't cast off PII so easily. |
I think Scott's assessment makes sense. If they were stealing personal financial information, they wouldn't say anything. They would try to be completely covert about that.
|
Well if it's ransomware it means someone has control of their servers. That means they have control of ALL info. So if they keep credit card info on file, it's in there. I don't believe they encrypt passwords, so there's that too. If you use the same passwords for important things such as credit cards, banking, etc., you might want to make some changes. I know some are joking on this thread, but this is serious. ALL of SA customers (auction houses) have been compromised.
|
Apologies
Net54 Members, the threat actors have encrypted our servers and the firm we have hired to negotiate with the threat actors has told us that the threat actors usually do not steal the data in these instances but anything is possible. We have Cyber insurance and we have been told that a full forensic analysis will be done once the key to the encryption has been delivered (we have paid the ransom and are awaiting the keys but we have been told that the threat actors usually do not work on the weekends). I wish I had more answers and understandings of why this has happened and when it will end. We will get answers to you as quickly as possible and thank you for your patience and support.
|
My business site does not provide access to payment info. That is handled through my merchant and even I do not see payment info beyond last four. Though refunds are possible, no money can be withdrawn beyond the initial approved transaction. Name, addresses, email and phone numbers are accessible.
|
What auctions use simple auctions?
“the threat actors do not work on weekends”—really? This is a nine to five job? Better hope that they have not taken off for a Christmas vacation. Once you pay a ransom to unlock your site what is to prevent these people from not turning it back on and simply asking for more money? What can you do to safeguard your site from ransomware and why wasn’t it done before? |
As someone who has consulted for companies that have been the victims of ransomware, here's my experience (and these are my experiences only - I have no knowledge of the exact variant of ransomware that hit Simple Auction):
One customer paid the ransom, and the decryption key was never supplied. The threat actor simply stole the money and then disappeared. Our other customers simply restored from backup and ignored the threat actor. In all cases, a forensic investigation was undertaken to determine both the mechanism of intrusion and the extent of data exfiltration. If data were indeed stolen, notifications were made to those individuals affected. There are laws (GDPR in Europe and CCPA in California, to name two) which require the users of the affected platform to be notified if their PII has been stolen. Also, some new variants of ransomware do indeed steal data and threaten to release said data if the ransom is not paid. My heart goes out to Bob at Simple Auction - this is a shitty situation. |
So what can Simple Auctions do? There should be back-ups kept elsewhere so that when the one is locked the data can be restored with only a small disruption and loss. The back-ups should run frequently, at least daily. Or the data can be stored on a cloud-based app which makes this sort of attack meaningless, more or less. If they had a single server with no back-ups, shame on them. Also stop downloading porn. |
In simple terms, what is the exposure to bidders of auction houses that use the Simple Auction service?
As mentioned before, what auction houses use the Simple Auction platform? There are several auction services that are probably similar to Simple Auctions, so the assumption here is that any one of them could have had this happen to them. |
True, and the smartest thing to do is bring everything down when you realize one of the sites has been hacked.
|
Apparently it has impacted email accounts for Simple AH clients as well. I have not been able to send or receive emails at my two brockelmanauctions.com email accounts. Anyone needing to contact me can PM me here, until they are restored.
Scott |
I'm involved with Information Security as a profession and in my experience - the attackers are really only interested in getting paid (usually thru Bitcoin as it is almost impossible to trace). Additionally, in almost ALL cases - once the payment is made the victim WILL receive instructions on how to recover their data. In my opinion - there are many more $$ and much less chance of getting caught by doing what they do best - extorting cash from their victims. https://blog.emsisoft.com/en/36569/t...an-one-in-ten/ A well designed security posture can nearly eliminate Ransomware Breach but can get quite expensive and smaller companies struggle with trying to provide adequate security against ALL Internet perils. |
I believe that in Sterling's case the issue was on the Simple Auction provider (cloud?) side and not on the Sterling Side. So not only do you have to protect yourself - you have to be reasonably sure that the companies you do business with are also protecting themselves. |
Seems like Simple Auctions just played the role of SolarWinds if you've been following that story.
|
Yep - Entire last week has consisted of me reassuring the State of Texas that we are unaffected by the Solar Winds Breach.
Note that the Solar Winds deal was an actual "Stealth Hack" for the specific purpose of stealing information (and I think we have just discovered the tip of the iceberg on it) Ransomware - Not stealthy at all - It's in your face - pay me or face the consequences |
I've been in contact with a few of the AH's and it seems they will be up and running this afternoon.
|
It was mentioned on the other board that it might be illegal currently to pay ransomware extortion. So not sure if this opens up the site to federal issues.
|
I believe Goldins is down as well. Must be those pesky Ruskies again. For us dedicated collectors, this is tantamount to War.
|
I'll be very interested to see the analysis of the vector of attack used by the hackers, which auctions sites were affected and what types of personal data was potentially exposed.
Hopefully Bob will provide clarity about what happened and which sites were affected. Whether the hackers use that information, or not, is immaterial. Customers should have the opportunity to manage their risks from the attack. Personally, I can't condone paying the ransom. If someone steals the keys to my front door, I'm not going to pay them to get the keys back. I'm going to call the locksmith and move on. If appropriate backups existed, then there should have been no need to pay any ransom. I'll be reconsidering my patronage of any AH using SimpleAuctionSite as a result. |
I too am in IT. I’ve said this before on this board. If I do the forget my password thing, I’ve had emails sent to me with my password in it. Not the way it’s supposed to be handled and I get very leery about that auction house and cloud provider when that happens.
|
As for restoring from backups, it's not always that simple. Yes, you would hope you can restore from a clean backup but that's not always possible. |
Anyone hearing an update on the timing of auction open?
|
Those hackers normally demand $50k bitcoin as far as I know.
|
The latest update is Wednesday for the sites that have auctions running, and the rest follow after they are up. Not sure how long it will all take but that is what information we are getting.
Lee |
National Card Investors
Simple Auction runs my site as well. I had an auction end last Wednesday and the site went down Friday. I was able to email all of my invoices to all winning bidders before it went down. I sent out direct emails to each winning bidder that had not paid to let them know what was going on. I had to type in their emails from their printed invoices. Now if they choose they can pay by check as the ability to pay through PayPal is down with the site down. All of the customer information as far as I know (name, address, email, phone) is stored on a separate I Contact account. I am patiently waiting for my site and auction site to come back up. Jeff Weisenberg
|
So Weds has come and gone and many Sites still down:
SCP MEARS Sterling Goldin |
If the hackers don't work on weekends maybe they take the holiday season off, too.
|
So these Sites may be down until a week from Monday. |
LOTG Collect Auctions Sirius |
Kevin Savage Cards National Card Investors |
These were my thoughts exactly. They probably took these 2 weeks off for Christmas and New Year's to be with their families. |
According to bobfreedman in post #49, they have the decryption keys and are waiting for the decryption process to complete. But that assumes a couple of things:
1. The decryption works without issue and important files weren't corrupted in the process
2. The hackers haven't added any backdoors or embedded any other hacks
A forensic analysis of the restored machines will be necessary to double check everything. That takes time. Presumably at that point each AH needs to review their own setup. I hope at that point we get full transparency about what personal data was exposed. |
Hey on the positive side if we ever want to buy a car.....or a place in Russia they will already have our info on file. So we got that going for us.
|
Just for the record. I know many Russian people, and they are nice, honest, intelligent, funny people like everyone else.
For most countries, don't mistake the politicians/government or criminals for the regular citizens. Especially in a borderline-dictatorship such as Russia. |
VSA update
I just got this update from VSA:
VSA Auction *UPDATE on Re-Start* For Auction That Was Paused last Thursday Evening
Targeted Re-Start for Wednesday 12/30 at 9:00 PM CST/10:00 PM EST (Assuming There Are No Unforeseen Setbacks)
Our auction host, Simple Auction Site, has notified us as well as the other 150+ auction sites this afternoon that they are continuing to work through all the issues and are in the final stage of getting us all up and running again but, as it turns out, they had to go in to each website and manually apply "fixes" to each one individually. That has slowed the process a bit but they are working towards bringing us up as quickly and safely as possible. It's been a tedious process but the team at Simple Auction has been working diligently around the clock (even through the holiday) to get all the sites back online while maintaining security.
We happened to be one of the most affected sites given we were in the midst of an auction and in the 30 minute countdown phase so ours will be given priority. Shortly after the site goes live, we will confirm the functionality and immediately schedule the re-start time. Assuming there are no unforeseen setbacks, we are now targeting the re-start for Wednesday 12/30 at 9:00 PM CST/10:00 PM EST. The re-start time will be highlighted on the top banner across each auction page and all bidders & consignors will be notified immediately via e-mail/phone/text once the site is live.
** Due to the fact that this outage occurred after we had already entered into the extended bidding session, bidders will still be allowed to bid on the lots that they had previously placed a bid on prior to 11:00pm CST once we resume the auction. To be clear, if you had NOT placed a bid prior to 11:00pm CST on the individual lot, you won't be able to place a bid on that lot when the auction resumes. You will be able to access your account once the site is restored to view the lots you are still eligible to bid on.
We sincerely apologize for this inconvenience and greatly appreciate your patience and understanding. ** |
Sterling appears to be open, but I got an error message when I tried to place a bid
|
Compilation Error Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately. Compiler Error Message: CS1056: Unexpected character '' Source Error: Line 1: )%"ٮ-)zewγӒBq Line 2: 0zB'*GlFMڴxU]QhMf>-d&P)DEօ36و<٩aZkHTzYeЁUq #T%8сU'cZ'yVg&6`u|-vLuU/*ATwBb! z엟Mx'D:ءE?5&60 3Uhz膉$%M\EDV?S+4=k#.<-:F#@fGGt:ǖG Line 3: lMr7,"$I*RdttաUjkPO<? N*$kW=sbAb&ŅJȪ+z/Un2k5"V,(bOn4Vt>*t*I]~I;AAxddELWfרex<#)F&R^@>.?R x=C]!wulΒO+\-{OI~_}*%x 'uϧHԾxҎVKb?$lpI7FV3 *9ţt TFǀdu% Source File: \\iisfiles\f_wwwroot\sterlingsportsauctions.com\ww wroot\AgreeToTerms.aspx.cs Line: 1 |