June 15, 2020

Has a hacker stolen more than 3 million Verizon customer records?

verizon-logo(LiveHacking.Com) –  There seems to be some confusion about the activities of a hacker known as TibitXimer who claims to have stolen at least 3 million customer records from Verizon. Having stolen the data the hacker posted around 10 per cent of them online citing Verizon’s indifference to fixing a security flaw which the hacker had reported to the cellular giant.

The confusion has arisen over the validity of his claims because of several subsequent events. First Verizon spokesperson Alberto Canal has told ZDNet that the company has examined the posted data and can confirm that it is not customer data from Verizon Wireless. Second the posted data has now disappeared from Pastebin where is was originally published. And thirdly, the hacker’s Twitter account has been deleted.

In the original post to Pastebin (which is at the time of writing still available in Google’s cache) TibitXimer said “here is a database with a few hundred thousand customer records from Verizon Wireless! It includes serial numbers, names, addresses, date they became a customer, password to their account, phone numbers, etc…” There was also a link to a text file with the alleged stolen data.

When Verizon debunked the claims the hacker tweeted that the data probably belongs to Verizon FiOS fiber customer and not Verizon Wireless cellular customers. However that tweet along with his entire Twitter account has now gone.

It is thought that TibitXimer downloaded more than 3 million customer entries from Verizon’s database however the exact number of records is unknown as the 3 million figure is just an estimate based on the size of one record and the size of all the files. The hack is alleged to have occurred on July 12 and the hacker is said to have gained root access to a server holding the customer data. However Verizon have said that “Many of the details surrounding this incident are incorrect and exaggerated. No Verizon systems were breached, no root access was gained, and this incident impacted a fraction of the number of individuals being reported.”

So with deleted Twitter accounts, missing data and denials from Verizon it is hard to be sure what has actually happened. If it is true then this is a massive security breach for one of the USA’s largest carriers.

Internet Explorer Protected Mode is NOT Protected

Security researchers at Verizon found a way to carry out stealthy drive-by exploits even when victims are using recent versions of Internet Explorer in Protected Mode.

In a white paper published by Verizon, the attack requires the intruder to have an exploit for a zero-day security news at livehacking.comvulnerability that’s not patched. The attack works only against machines that have the Local Intranet Zone enabled, as is the default for domain-joined workstations.

Protected Mode, which was introduced in version 7 of IE helps to protect users from attack by running the Internet Explorer process with greatly restricted privileges. With reference to Microsoft website, Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user’s machine or to install malicious code.

However, the Verizon researchers are able to bypass the measure that requires no interaction on the part of the victim. “The attack combines the facts that sockets are not subject to Mandatory Integrity Control and that sites in the Local Intranet Zone are rendered with Protected Mode disabled,” the paper states.

“The new malicious web page will be rendered in the Local Intranet Zone and the rendering process will now be executing at medium integrity. By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”

Download Verizon white paper here.