The alleged hacking of prominent online payment gateway CCAvenue.com has set the airwaves abuzz with speculation over the veracity of the hacker’s claims, as well as the possibility that CCAvenue is attempting to cover up the breach. We have undertaken to objectively list the facts in the case thus far, in as much as we have been able to verify them. Although CCAvenue has not responded to our queries, it appears that there is sufficient information now in the public domain indicating that the claimed CCAvenue hack might never have happened at all.
On May 4, 2011, a hacker with the handle d3hydr8 claimed to have hacked CCAvenue.com, using a hidden SQL injection attack. The company's CEO, Vishwas Patel, has denied these claims on an online news portal, and posted an official denial on the CCAvenue Website. The hacker claims to have gained access to account credentials, including CCAvenue administrative accounts with access to CCAvenue’s SQL databases. The hacker posted a full disclosure of the compromise on www.hackerregiment.com. The details of the hack have since surfaced at several other security sites.
The hack report, however, suffers from several inconsistencies. To begin with, the date of the hack differs between the reports posted across the Websites. This refers to the timestamp on the SQL dump, which, in the copy of the report in sSecIN’s possession, is December 4, 2010. Other reports put the date as May 3. The hacker originally claimed May 5, 15:15 as the date and time of the hack. This is a major discrepancy, and puts a question mark over the veracity of the hack claims.
Secondly, it is hard to believe that a payment gateway of the standing of CCAvenue would store any account credentials in plain text. However, even were this to be the case, the nature of the data revealed is inconclusive.
The account information table posted by the hacker includes several cell phone numbers, which we have independently confirmed to be numbers of CCAvenue employees. The list of user accounts therefore seems genuine, including, it would seem, Patel’s own account and password. Since the accounts belong to employees, the credentials are ostensibly for internal use. On the face of it, there is no doubt that the company’s internal schema and employee account information have leaked. However, whether the extracted data comes from a live database or a dummy one is anybody’s guess right now.
Another bone of contention is the date of the server upgrade. It has been suggested that Patel’s claim that the Apache server was upgraded to 2.2.17 five months ago is false. This aspect can be checked via Internet security services firm Netcraft. While it is true that the Netcraft website shows the last updated/last changed date as May 5, 2011, this refers only to the date on which CCAvenue’s server version was updated in Netcraft’s own database. Netcraft retrieves and updates the version only when queried. This indicates that a query was made about CCAvenue’s server version on May 5, and is not indicative of an update or change on CCAvenue’s side. We have it on authority that the update to Apache 2.2.17 took place sometime in January 2011. In any case, given the nature of the claimed attack, the server version has no bearing on it.
Further, as pointed out earlier, if passwords and confidential client information are stored encrypted or hashed, as CCAvenue claims they are, the passwords cannot be retrieved in plain text from a dump. There is no evidence that the merchant database has been breached in this way, or that the information in it has been compromised.
So was CCAvenue hacked? At this point, we feel it is best to be circumspect and wait for forensic reports to provide conclusive evidence. While the compromise appears genuine prima facie, a closer look at the evidence at this juncture might suggest an inside job. In fact, the date of Saturday, December 4, 2010 on the logs indicates a dump taken much earlier than the date the hacker claims. All the hacker has in his possession to prove his claims are table lists that could have been leaked by any employee with access to the database. Thus, there is no concrete evidence of an intrusion at this point.
Vishwas Patel declined to comment on any of our queries until a thorough investigation of the matter is complete. Until then, watch this space.