The Dutch police recently arrested a developer for crimes he committed by writing a website backdoor into e-commerce sites he created and using credentials retained after the engagement concluded. This backdoor provided the malicious insider with sufficient access to perpetrate a number of crimes by leveraging 20,000 users’ credentials.

The Crime

The developer was contracted to create e-commerce sites for his clients. As part of his development process, he placed a website backdoor into his code. He also took advantage of continued administrative access to websites when his clients neglected to revoke his credentials.

According to the Dutch police, the developer captured usernames and passwords through the backdoor and other script he had written. In instances where a client failed to remove his administrative access, he could log in and copy data without relying on the website backdoor. The developer then used these credentials to access user accounts on the websites. Password reuse allowed him to access email and social media accounts as well.

What’s Behind the Website Backdoor?

The developer was counting on the majority of users to exhibit poor online hygiene. He was able to breach social media and other external accounts because many customers reused login credentials across multiple services.

In addition, his clients apparently failed to conduct code reviews to determine functionality and identify points of leakage, which may have identified the backdoor scripts. Furthermore, clients who neglected to revoke the developer’s access upon completion or termination made themselves unnecessarily vulnerable. Anyone with access to his credentials could have breached the environment.

This rogue insider used the stolen credentials to make internet purchases, according to reports. He also leveraged OAuth to break into other accounts associated with the social networking accounts he had breached.

Information garnered from the social networks enabled the cybercriminal to launch social engineering schemes, which created various points of entry into his targets. He also used the data to commit identity theft, which enabled him to open multiple accounts on online gambling sites.

Protect Your Golden Keys

Website project managers must have a firm handle on who has access to back-end and customer data. Website developers, by and large, are an honest group of professionals who take great pride in their work. The case described above drives home the point that organizations should trust but verify the work of all contractors.

A scan of the e-commerce site could have uncovered the malicious code. Even a simple review of the code might have helped the project manager identify the script that permitted the website backdoor. At the very least, ensuring that any third-party credentials were revoked upon completion of the task would have made it more difficult for the malicious insider to steal data.

Access control is paramount. Access to the company’s assets must stop when the contracted work concludes. Furthermore, all e-commerce sites should require two-factor authentication and advise users to create unique user ID/password combinations. Users must protect those social network and email credentials like the golden keys they are.

More from Identity & Access

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

CISA, NSA issue new IAM best practice guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…