WHID 2009-36: Hackers steal Australian and NZ Shell customer info (Updated)
Update (Apr 19th 2009) - (Presumably) the hacker posted a comment to this story with some details. He says that the number of records leaked was much higher: 17,000 Aussies and 7,000 Kiwis. The rest we did not understand and hope that either he or any of you can clarify.
Leakage of information from an energy company is usually associated with gas station fraud such as installing a stealth credit card reader at the pump. However, a report suggests that an incident in which information about 4500 Australians and 1400 Kiwis leaked was the result of a glitch in a web-based application for applying for a Shell fuel card. The information obtained included company names, address details, email addresses and some bank account details.
Attack Method:
Data Item:
Incident Outcome:
3 comments
First I mailed to Shell.com
First I mailed Shell.com about the bug in the Shell Online Application for customers.
In fact there is NOT any bug in the Shell Online Applications, but the site/URL for applying for a Shell fuel card is NOT secured. It's very easy for hackers to attack by REVERSE LOCAL.
And the truth is about 17,000 AU Bank Info and 7,000 NZ Info,
not only 6,000 as the Shell manager said.
Thanks for sharing
Any disclosure of an incident is important, and information from the hacker is more than welcome. However, I am not sure I followed everything:
The part about the numbers being under reported by Shell I understood loud and clear.
about Shell
+ First, these are screenshot images from the Shell Card Application Online; I don't know if they are exactly for the Shell Card Application or NOT?
http://img518.imageshack.us/img518/406/screenshot063ok9.jpg
http://img3.imageshack.us/img3/4291/screenshot064pr9.jpg
http://img27.imageshack.us/img27/5636/screenshot065sl3.jpg
And the URL/Link for the Shell Card Form is not FROM shell.com.au but was hosted on a different server (an AU server).
+ And the link for the Shell Card Form at that time was:
http://ccsweb.com.au/Shell/OnlineRegistrationAU_diabled/registration.asp...
http://ccsweb.com.au/Shell/OnlineRegistrationNZ_diabled/registration.asp...
+ But after contacting Shell.com, they first changed the link to:
http://ccsweb.com.au/MovedCode_sjkhdfjkfvzuxhovnweaqwfs/Shell/OnlineRegi...
and
http://ccsweb.com.au/MovedCode_sjkhdfjkfvzuxhovnweaqwfs/Shell/OnlineRegi...
then at last Shell moved the site to another host
+ The attacking method is REVERSE LOCAL, which means:
First I found a bug on the site ajscollections.com.au and I attacked ajscollections.com.au (which had SQL Injection and Shell Upload bugs/vulns). Then I reversed the domain ajscollections.com.au with Domaintools.com and found that many domains are being hosted on this server (including ccsweb.com.au, which hosted the Shell Card Form for AU and NZ).
+ After that, I contacted Shell.com about this and asked Shell.com to take some actions to solve this risk, but they didn't reply at all.
In all I talked about and wrote here, I know clearly that I broke the Internet rules on identity theft, BUT I am NOT a stealer, and I did not steal info from the Shell Card customers' info (that is why I contacted Shell.com).
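The two weaknesses the comment above attributes to the sign-up page are that the form collecting bank details was served by a third-party host rather than the brand's own domain, and that it was not secured (no TLS). A site owner can catch both conditions on their own pages before go-live. The following script is an added example written for this entry; it is not code from WHID or from Shell, and every URL, host name and form field in it is constructed for illustration. It parses a page's forms, resolves each form's action against the page URL, and flags forms that contain sensitive-looking fields but submit to a host outside an allow-list of first-party hosts or over plain HTTP.

```python
"""Audit a sign-up page for forms that send customer data off-origin or over plain HTTP.

Added example for this incident entry; all sample values below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest a form collects customer or bank data.
SENSITIVE_FIELD_HINTS = ("bank", "account", "bsb", "card", "abn", "email")


class FormCollector(HTMLParser):
    """Collects every <form> on the page together with the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html, first_party_hosts):
    """Return a list of findings for forms that carry sensitive fields but post to a
    weak destination: a non-HTTPS action, or a host not in first_party_hosts."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty action posts back to the page itself; otherwise resolve relative actions.
        target = urlparse(urljoin(page_url, form["action"] or page_url))
        sensitive = [
            f for f in form["fields"]
            if any(hint in f.lower() for hint in SENSITIVE_FIELD_HINTS)
        ]
        issues = []
        if target.scheme != "https":
            issues.append("plain-http")
        if target.hostname not in first_party_hosts:
            issues.append("off-origin:" + (target.hostname or "?"))
        if sensitive and issues:
            findings.append({
                "action": target.geturl(),
                "sensitive_fields": sensitive,
                "issues": issues,
            })
    return findings


# Constructed sample: a brand page whose fuel-card form posts to a third-party host over HTTP.
SAMPLE_PAGE_URL = "https://www.example-fuel.com.au/apply"
FIRST_PARTY_HOSTS = {"www.example-fuel.com.au", "example-fuel.com.au"}
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="http://forms.example-host.com.au/Shell/registration.asp" method="post">
  <input name="company_name"><input name="postal_address">
  <input name="bank_account"><input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML, FIRST_PARTY_HOSTS):
        print(finding["action"], finding["issues"], finding["sensitive_fields"])
```

Run against the constructed page, the search form passes (same host, HTTPS) and the registration form is reported with both issues. The allow-list is deliberately explicit rather than derived from the page URL, so a legitimate first-party subdomain can be accepted while an outsourced form host still shows up for review.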