The International Council of Electronic Commerce Consultants (EC-Council), an organization that provides training and certifications for security professionals, has finally shared some more details about how their website was defaced in February.
They confirmed that the defacement was the result of a DNS poisoning attack, as their domain registrar was compromised.
“As the attack happened over the weekend, EC-Council’s security team had challenges reaching the appropriate domain registrar personnel to address the situation. As a result, the hacker was able to maintain control of the registrar’s system and the EC-Council domain during this time period,” they noted in a statement posted on Wednesday on their site.
“The domain registrar in question was unable to secure their servers to a level desired by EC-Council and during this period, the domain registrar was exposed at least 2 more times.”
But, that was not all, as the same attacker managed to do additional damage.
“EC-Council uses a cloud service provider for enterprise email. Once the domain privilege was attained, the hacker then issued a password reset request to the email service provider. This circumvented EC-Council’s best practices of using complex passwords and 2-factor authentication,” they explained.
“With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach. This resulted in unauthorized access to messages in those specific email boxes for a short duration of time. The potentially compromised accounts represent approximately 2% of their customer base.”
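The chain described above, a compromised registrar account followed by a password reset delivered to mail the attacker now controls, is detectable from the outside: registrar lock flags disappear or an unexpected delegation appears, and the domain's NS and MX records drift away from what the operator knows to be correct. The script below is an added example, not EC-Council's or any vendor's code. It evaluates an RDAP-style domain record (status values as defined in RFC 8056) together with the currently observed NS/MX records against a pinned baseline, and reports missing registrar locks and record drift. All domain names, record sets and the RDAP document are constructed for illustration and run offline; in production the RDAP JSON and the observed records would come from the registry's RDAP service and a resolver query.

```python
"""Registrar-lock and DNS-drift check for a domain (added example, constructed data)."""
import json

# RDAP status values (RFC 8056) a defender expects on a domain that should not
# be transferred, updated or deleted without an explicit unlock step.
EXPECTED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

# Pinned baseline (constructed): the delegation and mail exchangers the
# operator knows to be correct. Any deviation is a finding.
BASELINE = {
    "ns": {"ns1.example-dns.invalid", "ns2.example-dns.invalid"},
    "mx": {"mail.example-provider.invalid"},
}


def missing_locks(rdap_record):
    """Return the expected lock statuses that are absent from the RDAP record."""
    present = {s.lower() for s in rdap_record.get("status", [])}
    return EXPECTED_LOCKS - present


def record_drift(observed, baseline=BASELINE):
    """Compare observed NS/MX sets to the baseline; trailing dots and case are normalised."""
    drift = {}
    for rtype in ("ns", "mx"):
        have = {r.lower().rstrip(".") for r in observed.get(rtype, [])}
        want = {r.lower() for r in baseline[rtype]}
        if have != want:
            drift[rtype] = {
                "added": sorted(have - want),
                "removed": sorted(want - have),
            }
    return drift


def assess(rdap_json, observed):
    """Produce human-readable findings; an empty list means posture matches the baseline."""
    findings = []
    record = json.loads(rdap_json)
    for lock in sorted(missing_locks(record)):
        findings.append(f"registrar lock missing: {lock}")
    for rtype, d in record_drift(observed).items():
        # MX drift is the one that reroutes password-reset mail to the attacker.
        findings.append(
            f"{rtype.upper()} drift: added={d['added']} removed={d['removed']}"
        )
    return findings


# Constructed RDAP documents: one healthy, one resembling a hijacked domain
# whose locks were cleared by whoever held the registrar account.
SAMPLE_RDAP_OK = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.invalid",
    "status": ["active", "client transfer prohibited",
               "client update prohibited", "client delete prohibited"],
})
SAMPLE_RDAP_HIJACKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.invalid",
    "status": ["active"],
})

# Constructed resolver observations (names as a resolver would return them).
OBSERVED_OK = {
    "ns": ["ns1.example-dns.invalid.", "ns2.example-dns.invalid."],
    "mx": ["mail.example-provider.invalid."],
}
OBSERVED_HIJACKED = {
    "ns": ["ns1.attacker-dns.invalid.", "ns2.attacker-dns.invalid."],
    "mx": ["mail.attacker-mail.invalid."],
}

if __name__ == "__main__":
    for label, rdap, obs in (("healthy", SAMPLE_RDAP_OK, OBSERVED_OK),
                             ("hijacked", SAMPLE_RDAP_HIJACKED, OBSERVED_HIJACKED)):
        print(label, assess(rdap, obs) or ["no findings"])
```

Run on a schedule against the real RDAP endpoint and resolver, an empty finding list is the normal case; any MX change outside a planned migration window warrants an immediate page to the on-call team, since it is the precondition for the reset-mail interception described in the statement.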
Unfortunately, the organization cannot yet confirm whether any data in these accounts was compromised, but they are assuming it was and are warning affected users to assume the same and protect themselves accordingly. They did say that no credit card data was compromised.
In the meantime, they say, they have implemented a few changes that should help prevent future incidents like this one: they have “transferred their domain to another registrar, changed policies on management of personal information, improved existing data retention policies, introduced two-factor authentication for member portals, and improved security procedures and systems,” and that is just the beginning.
They finally said that they are cooperating with law enforcement agencies across 3 continents in the hopes that the individual behind the hack is caught and prosecuted.
They consistently refer to a single attacker, which seems to imply they know precisely who it is.