TimesofMoney/Remit2India Database Hacked Through SQL Injection – HDFC Bank Vulnerable Too

Update – August 4th 2011: TimesofMoney contacted us with an update saying that this breach does not exist and will be sending us a statement regarding the same shortly.

In this day and age of technology, it does not come as a surprise that websites are frequently hacked. Groups like Anonymous and Lulzsec have been creating havoc on the internet; however, there are other cases too where security teams hack several websites to show them how insecure they are.

One of the most common ways of hacking websites is SQL injection. Ironically, MySQL.com was also hacked using an SQL injection attack a few months back.

Today, zSecure Team has found a vulnerability in a very popular digital payments site called TimesofMoney which provides online remittances, fortified domestic e-payment mechanisms and facilitated remittance solutions of banks. The company is behind products like Remit2India, DirecPay and Times Card.

The zSecure Team claims that there exists a critical SQL injection vulnerability in the TimesofMoney website, using which an attacker can gain access to the site’s entire database, which contains a huge amount of customers’ confidential information.

This vulnerability may prove to be very critical for the company because TimesofMoney is one of India’s leaders in e-payment systems. The existence of such a critical flaw in the company’s website may cause huge damage to the existing market reputation of the company concerned.

The group also claims that HDFC Bank’s Website is also vulnerable right now:

We discovered a similar vulnerability in HDFC Bank’s Website as well and issued them a similar advisory. But even after a couple of weeks of sending our advisory to the bank, the said vulnerability is still open for outside attacks. If the said vulnerability doesn’t get fixed by the bank at the earliest then our next post may disclose that concerned vulnerability publicly. We hope that both the companies (TimesofMoney and HDFC Bank) will take immediate actions to fix the reported vulnerabilities.

TimesofMoney currently has an SQL injection vulnerability whose severity is very high. They are currently running Oracle Database 11g Enterprise Edition. The vulnerability allows hackers to access the database as well as run a database dump. It also opens up the possibility of shell uploading.

The security team has also posted images about the hack, which can be viewed below.

TimesofMoney Hacked Database 1

TimesofMoney Hacked Database 2

TimesofMoney Hacked Database 3

TimesofMoney Hacked Database 4

The security team have said that no data has been dumped, but the fact that the attackers can access your financial information so easily is enough to make me cringe. I would suggest that you purge information from the relevant sites till it is fixed. More information on the vulnerability can be found at the zSecure website.

Thanks for the tip Christopher

LulzSec Returns, Aims Its Cannons at Rupert Murdoch

The phone hacking scandal that started at the now-defunct British tabloid News of the World has shaken up Rupert Murdoch’s media empire, News Corporation. Newspapers across the world are hungrily tearing at News Corp and its subsidiaries, because they engaged in illegal and obstructive activities to create the tabloid-worthy news. Can the righteous anger of the Internet be far behind?

Apparently the scandal was enough for our favorite privateers, the LulzSec, to stage a return.


They changed a Times redesign page to look like The Sun with the main story being that of Rupert Murdoch’s death by palladium ingestion. (The site has now been taken down)

Rupert Murdoch, the controversial media mogul, has reportedly been found dead in his garden, police announce.
Murdoch, aged 80, has said to have ingested a large quantity of palladium before stumbling into his famous topiary garden late last night, passing out in the early hours of the morning.
“We found the chemicals sitting beside a kitchen table, recently cooked,” one officer states. “From what we can gather, Murdoch melted and consumed large quantities of it before exiting into his garden.”



To further their claims, LulzSec redirected The Sun’s .co.uk domain to their Twitter feed. (This has also been shut down, as the domain does not work now.)


How wonderful that these jolly rogers have come back! Rum and grog everywhere…NOT! It seems to me that these hackers have found yet another easy exploit to these newspaper websites, considering that they do not expect much of a security threat. Down the road I see yet another email grabbing mission from LulzSec and a general annoyance for News Corporation. If there was anything at all that points towards LulzSec’s immature nature, it is this return to fight injustice.

Interview with a Teenage Hacker

When Keith asked if anyone from the team wanted to interview a self-professed teenage hacker from India, I was cynical. Usually script kiddies in India who are also kids in real life suffer from delusions of grandeur along with the need to impress the fellow man his or her importance to India’s Cyber War against (who else?) Pakistan.


minhal mehdi is no different, for he is quite the teenager (but asked me to refrain from revealing his true age in this post) and has been hacking his way into some low security websites for about six months now, along with his friend and senior NoTty_rAJ.

Minhal claims to hail from Lucknow, the capital of Uttar Pradesh and is [hopefully] a high-schooler with some years of school still left. He also believes hacking is not always a crime, and that it is an art and his passion.

He also has a blog with a single post and twelve comments from his own person about how good his hacking skills are. (Thank you Pallab!)

In his introductory email, minhal claimed to have hacked many websites, a short list being posted here. His claim to fame, in other words, is hacking one server’s root with an SQL vulnerability.

An abridged chat transcript follows with minimal editing pertaining to minhal’s answers.

Techie-Buzz (TB): What prompted you to start hacking?

minhal: i saw many forign hackers are hacking indian website, feeling of revenge motivated me for hacking. My hacks are payback to forign hackers for hacking indian websites.

TB: Which Indian websites were hacked that motivated you?

minhal: cbi website and thousends of indian websites.

TB: But you’ve mostly hacked low-security websites whose domain registrations have expired by now.

minhal: i’m new in cyber wolrd and trying to do my best for india

TB: What kind of loopholes did you find in these websites?

minhal: shell upload vlun. or SQL vlun. i found XSS in nasa’s website.

TB: So these were from exploit-db or bugtraq, right?

minhal: nah ,, its was my own

TB: So did you hack the NASA website?

minhal: it was president Xss but XSS is too long and boring

LulzSec Hackers Retiring? Group Makes Their “Final Release”

A PasteBin post has popped up, and it claims to be from the now notorious hacking group LulzSec. Within the post is a letter that claims to be the final note from the LulzSec “ship.”

LulzSec, the hacker group which first came to light some 50 days ago, has made big news in the internet and technology world. Some of their hack targets include Sony Pictures, Bethesda Games, and even the Central Intelligence Agency and the Federal Bureau of Investigation.

Many have tried to attach themselves or others to the group. They have spawned groups who are claiming to be offshoots of their main group. Some have even gone as far as to try and connect the 6 person group to the infamous group known as Anonymous.

The supposed ‘final release’ from LulzSec says that the team was a mere 6 members. They take no claim for any new hacks in the notice. What it does contain is a farewell letter to the world. They continue to say that they did everything for laughs.

If you want to read the letter, then take a look at it here. Their Twitter account holds tweets that seem to mean the end, and they say that they are not planning to renew their hosting on their website. If that comes true, then we will know they are truly gone. Until that day arrives, we can only hold our breath and wait.

Lulzsec Gathers Some Lulz for Sure but People Need to Act Seriously

Anonymous is dead (or so it seems) after the rift, the crackdown and the leadership issues. A new hacker group, LulzSec, has taken the Internet by storm recently and it is replacing Anon in media coverage. This is LulzSec and they are like the young rebirth of Anon. Anonymous was a group of seasoned hackers who knew what they were doing and there was an air of maturity about them. LulzSec is a different breed of hackers. They improvise on their targets every day and try to take down internet services on personal request, all for the lulz.

The operations of LulzSec do not carry that aura about them that Anon had. It is more about lulz and less about playing the righteous police that earned Anon some love. The way they tweet about it openly and the way they operate is being frowned upon by many. A recent statement made by them is available here and you should read it to know what they are thinking.

Well if you ask me, this is just a cunning trick to keep people busy and this is simply their method of getting more attention. The LulzSec knows how it is forcing the Government to lay down stringent rules faster that will curb many freedoms people enjoy online.

They have a valid point too. What they are doing is playing the reverse psychology card that will probably bring security through insecurity. People will start taking passwords seriously and service providers will work on finding and fixing loopholes. People will be apprehensive about everything online and the LulzSec is proud to have brought this mayhem upon people.

There’s always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining. Watching someone’s Facebook picture turn into a penis and seeing their sister’s shocked response is priceless.

Some more of their rants against whitehats go here.

we just don’t give a living fuck at this point – you’ll forget about us in 3 months’ time when there’s a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle. People who can make things work better within this rectangle have power over others; the whitehats who charge $10,000 for something we could teach you how to do over the course of a weekend, providing you aren’t mentally disabled.

As for myself, I will remember LulzSec as the bunch of cowboys, that tamed the Internet for quite some time. Call them the good or the bad, but they are in no way ugly. They are making the Internet a safer place and you can see how. You read a thousand blog posts every month giving you advice on password norms but how many did you take seriously until now?

LulzSec Havoc: Change Your Important Passwords Before You Get Hit

The unknown and anonymous group (or single person) LulzSec is creating havoc, not just for companies like Sony, but also for government organizations like CIA and FBI. Most recently, the targets of the group have been common individuals like you and me.

In today’s data dump, LulzSec uploaded 62000 usernames and passwords for various users. Using this data anyone could log in to your email account, bank account and more. It is definitely a huge privacy and security issue.

If you go through the Twitter feed of @LulzSec, you will see how the leaked passwords are being used. Some of those updates are really scary, take for example the one below where someone managed to destroy relationships over Facebook using those stolen accounts.

LulzSec Destruction

As you can see from the above screenshot, several users have used those accounts to access Xbox Live, PayPal, Facebook and Twitter accounts. Some users even withdrew money from PayPal accounts and claimed to ruin relationships. This is definitely sickening.

Gizmodo has written an article to check if your passwords were leaked and find them out; however, don’t sit back happy if you are not one of the people who were compromised. Regardless of whether or not your data was leaked, take about 15-20 minutes out of your time today and update the passwords for your Facebook, Twitter, bank accounts and email providers (like Hotmail, Yahoo) and other important services you use.

Make sure to create a new password for these services and if possible use different passwords on all of them. If you are having trouble with creating strong passwords, read our guides on how to create strong passwords and more, or use some password creation tools which can help you generate strong passwords.

Though you might use hundreds of services, upgrading your passwords for some key services might save you trouble other individuals are going through. As a practice, try and use different passwords for different services and use alternative logins like (login through Twitter or Facebook) wherever you can.

LulzSec Takes Down CIA.gov Website, Forwards Prank Calls to FBI

In a brutal and continuous attack, a hacker group going by the name of LulzSec have been causing havoc in the web world. Earlier this month, LulzSec had taken down high profile sites such as Sony Developer Network and Sony Pictures.

Lulzsec CIA Down

Since then they have hacked several other high profile websites including gaming servers and more. Quite recently, @LulzSec have become quite active on and have been posting details about their exploits and asking users for suggestions for future hack targets.

LulzSec FBI Calls

In a single day today, they have managed to bombard the FBI with calls and taken down the CIA website CIA.gov. The group who are behind this are anonymous (not to be confused with the group "Anonymous"), but their exploits are definitely creating quite a flutter within security circles.

This is definitely not the last time we are going to hear about @LulzSec; it is going to be a long road ahead…

More updates coming..

LulzSec Breaks Into Sony Developer Network, Leaks Their Source Code

Continuing their recent streak of break-ins into Sony web properties, the self-proclaimed “world’s leaders in high-quality entertainment at your expense” Lulzsec just released a full 54MB archive consisting of Sony Computer Entertainment’s Developer network source code. Lulzsec tweeted their latest accomplishment just under half an hour ago.

Sony has been under an ever-increasing spate of attacks and break-ins – the most recent being Sony Brazil, Sony Europe and Sony Pictures Russia, which was one of the biggest hacks with over a million user names and passwords stolen. With this latest break-in, 16 of Sony’s web properties have been hacked into in just under 45 days, giving an average hack rate of an astonishing 2.8 websites hacked per day.

While Lulzsec claims that the archive comprises the Developer network source code, a commentator on Hacker News mentions that the archive consists of website source code rather than the actual PSN code.

The Biggest Data Thefts in the Past Five Years

You must have heard by now that Sony’s PlayStation Network and Qriocity services were compromised severely, and sensitive data pertaining to as many as 77 million registered users might have been stolen. The full ramifications of the breach will become obvious only in the days to come. However, Sony might have lost the trust and goodwill of millions of customers forever. The severity of this intrusion is mind-boggling, both in scope and scale. However, this is not the biggest incident of online data theft. It’s not even close. DataLossDB.org and PrivacyRights.org track all data theft incidents of note. Here are the top fifteen incidents of data theft through hacking* in the past five years (2007-11):

  • 2007
    • 1. T.J. Maxx – In a carefully planned and long drawn out operation, Albert Gonzalez stole sensitive information belonging to more than 100 million customers of T.J. Maxx, an American departmental stores chain. The hack was carried out over a period of 18 months, ending in 2007. As many as 45.6 million credit and debit card numbers were stolen. Unlike other entries in this list, this wasn’t an entirely remote operation. Instead, poorly secured in-store computer kiosks were exploited to gain access to company’s networks.

      Albert Gonzalez

    • 2. TD Ameritrade Holding Corporation – In September 2007, Joe Moglia, the CEO of Ameritrade, an online brokerage company revealed to clients that one of its databases with 6.3 million customer records had been hacked. Ameritrade had fallen victim to a backdoor based network. Although the same database contained extremely sensitive information like Social Security Numbers, they were not taken. Other confidential data such as passwords were not violated either.
  • 2008
    • 3. Hannaford Bros. Supermarket chain – In March 2007, another supermarket chain was compromised. Hannaford lost credit and debit card numbers, expiration dates and PIN numbers of 4.2 million customers. The leak has led to over 1,800 reported incidents of fraud. The culprit was once again Albert Gonzalez. This time around he broke in by using an SQL-injection attack.
    • 4. Chilean Ministry of Education – In May 2007, Chilean government servers were hacked, and identity card numbers, names, and addresses of 6 million people were posted on public forums. The hacker claimed that his intention was to highlight the lackluster security infrastructure.
    • 5. RBS WorldPay – Four Russians – Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and an unnamed guy known as “Hacker 3” carried out this attack. The hackers managed to gain personal information of 1.5 million users, including sensitive information like social security numbers of 1.1 million users. This was a highly sophisticated and coordinated attack that led to the theft of $9 million from ATMs through a network of “cashers”.
  • 2009
    • 6. CheckFree Corporation – CheckFree, an online bill payment service, fell victim to a DNS hijacking scheme in December, 2008. However, the incident didn’t come to light until January 2009. The company’s website was redirected to a Ukrainian website that hosted Trojan horses that were designed to steal data from customers. Since, CheckFree lost control of its website, the exact extent of the damage couldn’t be calculated. However, an estimated 5 million consumers might have been affected.
    • 7. Heartland Payment Systems – Heartland is chiefly a payment processor, but it also provides a range of services to other merchants. In the single biggest incident of data theft reported so far, Albert Gonzalez, whose name has already appeared twice in this list, reportedly broke in after managing to successfully install sniffing software on Heartland’s network. The software was installed in early 2008 and went undetected for months. During that period, Heartland was said to be processing about 100 million transactions per month. The estimated number of credit card information harvested is above 130 million.
    • 8. phpBB – The popular free forum (bulletin board) software was hit hard in February 2009, when an attacker managed to gain access to its entire database through a security bug in (an outdated version of) PHPlist, a third party email application. The intruder managed to scrape 400,000 names, email, address, and hashed passwords.
    • 9. RockYou – A severe SQL-injection flaw in the popular developer of social games allowed at least one hacker to gain access to its complete user list, along with information like userid, and password, which was shockingly enough stored in plain text. The number of affected users was 4.2 million.
    • 10. Network Solutions – The webhosting company Network Solutions has a particularly poor security track record. Between March 12 and June 8 of 2009, hackers broke through its defenses, and managed to install malware that stole name, address, and credit card numbers of more than 570,000 customers. If that wasn’t bad enough, the very next year, Network Solutions was hacked twice in the space of one week.
  • 2010
    • 11. Triple C Inc. – The Puerto Rico Department of Health was breached in a series of attacks spread out over several years. The breach was finally discovered in September 2010. The hackers are believed to have gained access to health information of 400,000 patients.
    • 12. Gawker – In December 2010, Gawker Media blogs were hacked by a group called Gnosis. Not only did this group go on to give interviews to competitors of Gawker Media, but it also uploaded the entire database of 1.3 million registered users (with usernames and hashed passwords), and confidential staff conversations to a torrent website. The breach prompted many other web services (like Twitter and LinkedIn) to carry out forced password resets for affected members.
  • 2011
    • 13. Epsilon – Epsilon is a leading email marketing service provider that has dozens of tier-1 companies as its clients. On March 30, a hacker succeeded in gaining access to a subset of Epsilon clients’ customer data. Data stolen included names and email addresses. Epsilon maintains that only 2% of its customers were affected, and hasn’t disclosed exactly how many records were breached. However, given that the affected clients include big names like CitiGroup, Best Buy, and JPMorgan Chase, this breach might turn out to be the biggest ever.
    • 14. WordPress.com – Earlier this month, the hosted blogging solution owned by Automattic suffered from a low-level break-in to several of its servers. All information on these servers could have been accessed. However, it’s unlikely that financial information was stolen. Passwords were hashed and salted, which should make cracking them almost impossible. Nevertheless, the hacker might have obtained information on as many as 18 million users.
    • 15. Sony – Of course, this is the big breaking news of the week. There’s a lot of things that we still don’t know about this incident. However, Sony has confirmed that the hacker could have accessed all personal information, including password and address. Credit card details (excluding security code) could also have been obtained by the hacker. However, the credit card table was encrypted. According to Sony, the total number of accounts affected is in the range of 77 million. However, many of them are probably inactive or duplicates.

As we continue to increasingly rely on online services, it’s imperative that the vendors we entrust our personal information with take the appropriate precautions to protect that data. The frequency of data thefts is alarming. Every year confidential information on millions of web users is exposed through data breaches. I had earlier called upon the Congress to enforce certain minimum security practices upon all entities that store sensitive data like credit card information. Several members of the Congress are already preparing to introduce legislation that will “provide consumers with additional safeguards to protect against such data breaches”. A consensus needs to emerge in order to reduce the probability of such incidents happening in the future.

* Only data-theft cases that involved hacking have been considered. Data breaches resulting due to insider efforts, or lost assets have not been included.

N.F. Indian Railways Email System Hacked By PCA

India and Pakistan have never been good at relationships, either offline or online, and this has been apparent with the Indian hackers hacking Pakistani websites and the Pakistani Cyber Army (PCA), as they call themselves, hacking several high profile websites like the CBI website and more.

However, it looks like things had calmed down as the PCA offered a Ceasefire on hacking Indian websites. However, it looks like that the war is on again. Some Indian hackers hacked the Pakistani Air Force Backup server and several other servers on the same network and in retaliation the Pakistani Cyber Army has hacked the email system for the Indian Railways.

Indian Railways Email Hacked

The PCA sent us a press release from the email address [email protected], which is an email address for the Indian Railway system. In addition to that, they also sent us screenshots of the administration panel of Indian Railways email and a screenshot displaying a welcome message for the new email they created.

Indian Railways Email Admin Panel Hacked

Indian Railways Email Welcome Message

In their message to us the PCA said that they have extracted email addresses and passwords for the Indian Railways and also downloaded confidential emails that existed in the system; however, they did not delete any messages from the servers. The email system they hacked seemed to be the N.F. Railways, which is also known as the Northeast Frontier Railways.

However, it does not look like any of the Indian Railways servers were compromised at all because the N.F. Railways uses a service called Atmail as their mail solution and it looks like the PCA discovered vulnerabilities in it and exploited them. We have contacted Atmail for more insights into this and as to how they are going to tackle this.

Such things are really not acceptable; however, it does go to show that people can take national enmity to any level including the internet. You can read the entire message sent to us by the PCA below.

Dear All, Answer to Indian hackers for hacking the server of Pakistan Air Force

We are Pakistan Cyber Army (Real PCA is Reality). Many times we told Indian hackers out there from various groups that don’t mess with any Pakistani site or server especially systems from government organizations. We observe another attack on 22nd April 2011 at Pakistan Air Force Server backup server and other 8 machines on the same network. We would like to tell you that Pakistan Cyber Army is looking at each and every move you do on the cyber front of Pakistan. Indian hackers were unable to do anything accept taking screenshot of the server. We told you before that we will smoke your door off but we think you more like to be burned in fire then accept some. Go read some course books else you will lose both your name and this game.

We hacked Indian railway’s email system and download all of the confidential emails as well as email addresses and their passwords. Next time we will attack your more sensitive areas where it will hurt you more. We did not delete anything on the mail system although we thought about it for a while but we are not out to destroy. Never under estimate capabilities of Pakistan and the sons of the land. Your Central bureau of investigation still looking for our clues keep on Looking CBI and use all of your investigation Agencies, keep on searching us in USA, Latvia, China, India and all of the countries listed on the MAP. We are for peace as long as no offensive attacks from your side. We are Nationalist and we are on our mission and that is the retaliation. We can’t stop Indian hackers to hack servers on our side but we can give you the best of answers possible. Your National Informatics Centre team is useless you guys can’t stop us.

We don’t accept your supremacy in Information Technology as well as in any other field. We have the minds to answer your every move. We are for Pakistan and Pakistan Cyber Army Knows its responsibility and we will never shatter the hopes of our Pakistanis. We are sleeping but not dead.

Pakistan Zindabad

Pakistan Cyber Army (Real PCA is Reality) Peace