December 12, 2012

TeamGhostShell’s #ProjectWhiteFox Analysis

In a recent public disclosure, TeamGhostShell claimed to have stolen 1.6 million records from public websites such as NASA, FBI and more under a project named “Project White Fox.”

An open letter that TeamGhostShell published states that the campaign is more an effort to encourage Hacktivism than a focus on one target, as is usual for other groups.

Analysis of a partial sample of the posted data made it clear that most of the data was captured from CMS systems and that the extraction method was SQL Injection. Two things support that conclusion: the names of CMS systems appear within the extracted database content, alongside readily identifiable content characteristics, and the output format is unique to the database attack tool SQLmap. Although that format accounted for the majority of the data, a portion was in simple CSV format.

Some of the disclosed data was private information such as usernames, passwords and contact information. In some cases, financial data was disclosed.

Looking into the activity in depth, it seems that most of the database dumps came from closed or open source CMS-based websites with known vulnerabilities.

Naturally, it seems that the targets were chosen from a list of vulnerable websites, built by mapping a vulnerability to a CMS. The attackers then used an automated SQL Injection tool to pull out the data.
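
The format-based triage described above can be sketched in code; this is an added example, not part of the original post. It sorts the blocks of a paste into sqlmap-style table dumps and plain CSV and flags CMS table prefixes. The sqlmap header layout, the `wp_`/`jos_` prefixes, the function names and the sample data are assumptions made for illustration.

```python
import csv, io, re
from collections import Counter
# Assumed sqlmap dump layout: Database:/Table:/[N entries] header, then an ASCII grid.
SQLMAP_HEADER = re.compile(
    r"^Database: .+\nTable: (?P<table>.+)\n\[\d+ entr(?:y|ies)\]\n\+[-+]+\+$", re.MULTILINE)
# Default table prefixes of two common CMSs (illustrative, not exhaustive).
CMS_PREFIXES = {"wp_": "WordPress", "jos_": "Joomla"}

def classify_block(text):
    """Return (format, table_name) for one blank-line-delimited block."""
    m = SQLMAP_HEADER.search(text)
    if m:
        return "sqlmap-table", m.group("table").strip()
    rows = [r for r in csv.reader(io.StringIO(text.strip())) if r]
    widths = {len(r) for r in rows}
    # CSV heuristic: at least two rows, all with the same column count (> 1).
    if len(rows) >= 2 and len(widths) == 1 and min(widths) > 1:
        return "csv", None
    return "unknown", None

def cms_hint(table):
    """Map a table name to a CMS by its default prefix, or None."""
    return next((c for p, c in CMS_PREFIXES.items()
                 if table and table.lower().startswith(p)), None)

def triage(dump):
    """Count block formats and CMS hints across a whole paste."""
    formats, cms = Counter(), Counter()
    for block in re.split(r"\n\s*\n", dump.strip()):
        fmt, table = classify_block(block)
        formats[fmt] += 1
        if cms_hint(table):
            cms[cms_hint(table)] += 1
    return dict(formats), dict(cms)

# Constructed sample, not data from the actual leak.
SAMPLE = """Database: site_db
Table: wp_users
[1 entry]
+----+------------+
| ID | user_login |
+----+------------+
| 1  | alice      |
+----+------------+

id,email,phone
1,dave@example.com,555-0100
2,erin@example.com,555-0101
"""
```

Calling `triage(SAMPLE)` returns the per-format block counts and the CMS hints, which is the kind of summary an analyst would use to judge how much of a dump came from one tool and one class of site.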

