In the wake of any anonymous data leak, rumours abound as to the source and method of penetration (or subversion) of the company’s security systems. Was it a disgruntled employee? A state funded incursion to point all eyes at tax avoidance? Commercial espionage by a competitor?
According to various sources online, it appears that the truth may be far more pedestrian: they simply didn’t have their house in order when it came to Cyber Security.
Simple WordPress Exploit
As recently as this month, Mossack Fonseca’s website was still using a WordPress plugin known to have multiple security vulnerabilities – their copy hadn’t been updated in three years.
The software in question was ‘Revolution Slider’, an incredibly popular ‘plugin’ that was the means by which well over 100,000 websites were compromised in 2014.
The Revolution Slider vulnerability was the Mossack Fonseca website’s Achilles heel: exploiting it would have been a simple and well-documented hack.
It is believed that by compromising the website, hackers were then able to access the WordPress database (also relatively simple) and extract information stored in the website database that pertained to the main email server. This gave them a foot in the door.
Vulnerable Customer Portal
As well as their website, Mossack Fonseca had a customer portal that gave access to large amounts of sensitive customer data.
Like many web applications, their customer portal was built on top of a framework – in this case ‘Drupal’, an often-used framework for complex websites.
Unfortunately, the Drupal framework – like the Revolution Slider – was seriously out of date, using a version (7.23) with known and published vulnerabilities.
Additionally, a text file (called ‘CHANGELOG.txt’) containing version information about Drupal was left in place, giving hackers an exact reference for the type of exploits they could expect to find in the code.
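As an added example (not from the original article), here is a small Python check a site owner can run over their own Drupal web root: it parses the version line of CHANGELOG.txt, compares it against a minimum acceptable version, and flags leftover files that disclose the framework or its version. The sample changelog text, the file listing and the minimum version (7.32) are constructed assumptions for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int]

# Constructed sample in the style of a Drupal 7 CHANGELOG.txt (assumption:
# the newest release is listed first as "Drupal X.Y, YYYY-MM-DD").
SAMPLE_CHANGELOG = """\
Drupal 7.23, 2013-08-08
-----------------------
- Fixed security issues (multiple vulnerabilities).

Drupal 7.22, 2013-04-03
-----------------------
- Fixed security issues (multiple vulnerabilities).
"""

# Files shipped in the Drupal web root that reveal the framework and, for
# CHANGELOG.txt, the exact core version; none of them need to be served.
DISCLOSURE_FILES = ("CHANGELOG.txt", "INSTALL.txt", "UPGRADE.txt", "MAINTAINERS.txt")

VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)\S*,\s*(\d{4}-\d{2}-\d{2})", re.MULTILINE)


def parse_drupal_version(changelog: str) -> Optional[Tuple[Version, str]]:
    """Return ((major, minor), release date) of the first entry, i.e. the installed core version."""
    m = VERSION_RE.search(changelog)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), m.group(3)


def is_outdated(installed: Version, minimum: Version) -> bool:
    """True when the installed version is older than the lowest acceptable patched version."""
    return installed < minimum


def audit(changelog: Optional[str], web_root_files: Iterable[str], minimum: Version) -> List[str]:
    """Findings for a site owner: leftover disclosure files and an outdated core version."""
    findings: List[str] = []
    present = set(web_root_files)
    for name in DISCLOSURE_FILES:
        if name in present:
            findings.append(f"{name} is web-accessible and discloses framework/version details")
    if changelog is not None:
        parsed = parse_drupal_version(changelog)
        if parsed is None:
            findings.append("CHANGELOG.txt present but no version line recognised")
        elif is_outdated(parsed[0], minimum):
            (major, minor), date = parsed
            findings.append(f"Drupal {major}.{minor} ({date}) is older than required {minimum[0]}.{minimum[1]}")
    return findings


if __name__ == "__main__":
    # Assumed minimum acceptable version and constructed file listing, for illustration only.
    for line in audit(SAMPLE_CHANGELOG, {"index.php", "CHANGELOG.txt"}, (7, 32)):
        print(line)
```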
A Common Problem
This situation is all too common because once websites are built, companies seldom want to update the coding behind what people see (or pay for it to be updated).
A key service offered by Fresh Mango to combat this is monthly health checks for websites (and also for servers/PCs). Customers that opt for these services know that they are minimizing their attack surface, preventing them from becoming the ‘soft target’.
Summary
Unfortunately, as Mossack Fonseca have discovered, dealing with their website vulnerabilities now has very much been ‘Closing the door when the horse has bolted’ (AKA too little, too late) – in their case, the hack began in 2014 and ran a lengthy course. The processed data didn’t hit the world’s press until all communications with the anonymous source had ceased and all traces of those communications had been destroyed. Even if they had updated their website a year ago, the leak would still have occurred, which highlights just how important it is that security efforts are an ongoing,
There are multiple tools available for scanning WordPress, Drupal and similarly built websites for vulnerabilities. To see how straightforward it is, we recommend downloading and using Kali Linux, a free, open-source security toolkit.