US company discovered a hack when an attacker used up all the disk space on the server
InfoTrax Systems, a hosting company for MLM applications, did not notice a compromise for several years. The hack was discovered only after the attacker used up the disk space: a giant archive file took up almost all the free space on the server.
Back in 2016, the company first reported security problems: an unknown hacker had stolen the personal data of about a million InfoTrax Systems users. After this incident, the Federal Trade Commission (FTC) became interested in the company and began its own investigation of what happened.
It has now become known that, according to the FTC, the attacker took advantage of a vulnerability on the InfoTrax Systems website to download malicious code that allowed him to remotely control not only the company’s website, but also the infrastructure of neighboring servers.
“What is worse, the attacker has been in contact with InfoTrax servers for almost two years, from May 2014 to March 2016. During this time, he contacted the company’s network at least 17 times,” the FTC reports.
InfoTrax Systems employees failed to notice the intrusion. FTC representatives write that the company simply did not have the proper security systems and solutions to detect unauthorized access and file changes. The hack came to light almost by accident: on March 7, 2016, one of the servers almost ran out of disk space, which the company learned from an automatic message.
As it turned out, while collecting data from InfoTrax Systems servers, the unknown attacker created an archive file that became so large that the disk almost ran out of space.
“In total, the cracker stole about a million user records from a number of InfoTrax Systems customers. At that time, the company’s servers hosted a total of approximately 11.8 million users, and they were stored openly,” the FTC reports.
As a result, the criminals ended up with social security numbers, information about payment cards and bank accounts, as well as usernames and their passwords.
This week, representatives of the Federal Trade Commission and InfoTrax Systems finally reached an agreement. The company is obliged to introduce certain security measures, including: inventorying users' personal information and deleting it when it is no longer needed; regularly reviewing the code of its software and testing its network; detecting malware uploads; actively segmenting the network; and implementing tools to protect against attacks and to detect unusual activity.