Sterling Auctions Site Up *DO NOT BID at this time*

[Mark17]

This affects a lot of AH I deal with, so I'm wondering what personal info was exposed if any, like payment method info.

[Aquarian Sports Cards]

Since they've taken control of Simple's servers I think it would be smart to assume data has been compromised.

[sb1]

There is little personal data at risk for most of AH's affected.

When you register, you provide your name, address, email and phone. No financial info or any kind(credit card or bank account info) nor SS #.

AH's taking Paypal and Credit cards might have another issue, if they have data on their server, more likely it's on the payment processors side and quite secure.

I think the jist here was to hold Simple hostage and not gain benefit from the users info, otherwise they would have stayed quiet and milked the data for a long time.

[Aquarian Sports Cards]

I understand what you're saying Scott, my point was to err on the side of caution, not that anything definitively happened.

[Throttlesteer]

MeiGray is part of this as well.

Additionally, if user IDs are tied to their personal information and large purchases, this could help further identify "high value" targets. Don't cast off PII so easily.

[drcy]

I think Scott's assessment makes sense. If they were stealing personal financial information, they wouldn't say anything. They would try to be completely covert about that.

Quote:

Originally Posted by sb1

There is little personal data at risk for most of AH's affected.

When you register, you provide your name, address, email and phone. No financial info or any kind(credit card or bank account info) nor SS #.

AH's taking Paypal and Credit cards might have another issue, if they have data on their server, more likely it's on the payment processors side and quite secure.

I think the jist here was to hold Simple hostage and not gain benefit from the users info, otherwise they would have stayed quiet and milked the data for a long time.

[Golfguy]

Well if it's ransomware it means someone has control of their servers. That means they have control of ALL info. So if they keep credit card info on file, it's in there. I don't believe they encrypt passwords, so there's that too. If you use the same passwords for important things such as credit cards, banking, etc., you might want to make some changes. I know some are joking on this thread, but this is serious. ALL of SA customers (auction houses) have been compromised.

[Mark17]

Quote:

Originally Posted by Golfguy

Well if it's ransomware it means someone has control of their servers. That means they have control of ALL info. So if they keep credit card info on file, it's in there. I don't believe they encrypt passwords, so there's that too. If you use the same passwords for important things such as credit cards, banking, etc., you might want to make some changes. I know some are joking on this thread, but this is serious. ALL of SA customers (auction houses) have been compromised.

I'm also wondering if info related to sales tax exemption for resellers might be on those servers. Application for tax exemption might include SSN.

[Exhibitman]

[toledo_mudhen]

Quote:

Originally Posted by Golfguy

Well if it's ransomware it means someone has control of their servers. That means they have control of ALL info. So if they keep credit card info on file, it's in there. I don't believe they encrypt passwords, so there's that too. If you use the same passwords for important things such as credit cards, banking, etc., you might want to make some changes. I know some are joking on this thread, but this is serious. ALL of SA customers (auction houses) have been compromised.

Up until recently - Ransomware HAS NOT also attempted to steal the data. Best "guesstimates" currently put it at a 1 in 10 chance that the attackers are interested in stealing data.

I m involved with Information Security as a profession and in my experience - the attackers are really only interested in getting paid (usually thru Bitcoin as it is almost impossible to trace). Additionally, In almost ALL cases - once the payment is made the victim WILL receive instructions on how to recover their data.

In my opinion - there are many more $$ and much less chance of getting caught by doing what they do best - extorting cash from their victims.

https://blog.emsisoft.com/en/36569/t...an-one-in-ten/

A well designed security posture can nearly eliminate Ransomware Breach but can get quite expensive and smaller companies struggle with trying to provide adequate security against ALL Internet perils.

[bobbyw8469]

Quote:

Originally Posted by toledo_mudhen

Up until recently - Ransomware HAS NOT also attempted to steal the data. Best "guesstimates" currently put it at a 1 in 10 chance that the attackers are interested in stealing data.

I m involved with Information Security as a profession and in my experience - the attackers are really only interested in getting paid (usually thru Bitcoin as it is almost impossible to trace). Additionally, In almost ALL cases - once the payment is made the victim WILL receive instructions on how to recover their data.

In my opinion - there are many more $$ and much less chance of getting caught by doing what they do best - extorting cash from their victims.

https://blog.emsisoft.com/en/36569/t...an-one-in-ten/

A well designed security posture can nearly eliminate Ransomware Breach but can get quite expensive and smaller companies struggle with trying to provide adequate security against ALL Internet perils.

What is to prevent the Ransom Wear people from extorting money indefinitely??

[Aquarian Sports Cards]

Quote:

Originally Posted by drcy

I think Scott's assessment makes sense. If they were stealing personal financial information, they wouldn't say anything. They would try to be completely covert about that.

Except that most of the time the guys who steal the info aren't stealing it to use it but rather to sell it.

[oldjudge]

What auctions use simple auctions?
“the threat actors do not work on weekends”—really? This is a nine to five job? Better hope that they have not taken off for a Christmas vacation.
Once you pay a ransom to unlock your site what is to prevent these people from not turning it back on and simply asking for more money? What can you do to safeguard your site from ransom ware and why wasn’t it done before?

[Exhibitman]

Quote:

Originally Posted by oldjudge

What auctions use simple auctions?
“the threat actors do not work on weekends”—really? This is a nine to five job? Better hope that they have not taken off for a Christmas vacation.
Once you pay a ransom to unlock your site what is to prevent these people from not turning it back on and simply asking for more money? What can you do to safeguard your site from ransom ware and why wasn’t it done before?

I got hit with a crude version of this stuff several years ago. Nasty bug on a state gov't web site. I elected to wipe my hard drive and start over with a back-up. I lost a bit of data and some time and some IT costs but did not pay the extortion demand.

So what can Simple Auctions do? There should be back-ups kept elsewhere so that when the one is locked the data can be restored with only a small disruption and loss. The back-ups should run frequently, at least daily. Or the data can be stored on a cloud-based app which makes this sort of attack meaningless, more or less. If they had a single server with no back-ups, shame on them.

Also stop downloading porn.

[Mark17]

Quote:

Originally Posted by Aquarian Sports Cards

Except that most of the time the guys who steal the info aren't stealing it to use it but rather to sell it.

Right. These are thieves. They have a primary target and probably a secondary one as well. A car thief might be after the McLaren, but if there's a briefcase with money on the front seat, he'll take that too.

[arcadekrazy]

As someone who has consulted for companies that have been the victims of ransomware, here’s my experience (and these are my experiences only - I have no knowledge of the exact variant of ransomware that hit simple auction):

One customer paid the ransom, and the decryption key was never supplied. The threat actor simply stole the money and then disappeared.

Our other costumers simply restored from backup and ignored the threat actor.

In all cases, a forensic investigation was undertaken to determine both the mechanism of intrusion and the extent of data exfiltration. If data were indeed stolen, notifications were made to those individuals affected. There are laws (GDPR in europe and CCPA in California, to name two) which require the users of the affected platform to be notified if their PII has been stolen.

Also, Some new variants of ransomware do indeed steal data and threaten to release said data if the ransom is not paid.

My heart goes out to Bob at simple auction - this is a shitty situation.