Ata Hakcil led the team of white hat hackers from WizCase in identifying a major data leak on online trading broker FBS’ websites.
The data from FBS.com and FBS.eu comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more.
Were such detailed personally identifiable information (PII) to fall into the wrong hands, it could have been used in the execution of a wide range of cyber threats. The data leak was unearthed as part of WizCase’s ongoing research project that randomly scans for unsecured servers and seeks to establish who owns them. We notified FBS of the breach so they could take appropriate action to secure the data. They got back to us a few days later and secured the server within 30 minutes.
What’s Going On
Forex, a portmanteau of foreign currency and exchange, is the process of converting one currency into another for a wide range of reasons including finance, commerce, trading and tourism. The forex trading market averages more than US$5 trillion in daily trading volume. Forex trading may be dominated by banks and global financial services but, thanks to the Internet, the average person can today dabble directly in forex, securities and commodities trading.
In the rush toward online trading though, users have entrusted terabytes of confidential data to online forex trading platforms. With financial transactions being at the core of forex trading, the nature of user data held in these trading databases is highly sensitive. This has made online trading sites a lucrative target for cybercriminals.
FBS, a major online forex trading site, left an unsecured Elasticsearch server containing almost 20TB of data and over 16 billion records. Despite containing very sensitive financial data, the server was left open without any password protection or encryption. The WizCase team found that the FBS information was accessible to anyone. The breach is a danger to both FBS and its customers. User information on online trading platforms should be well secured to prevent similar data leaks.
Who is FBS
Founded in 2009, FBS is an international online forex broker with more than 400,000 partners and 16 million traders spanning over 190 countries. It is one of the most popular online trading brokers in the world. The FBS app for the Android OS has been downloaded more than one million times on Google Play Store as of January 2021.
So large is the number of traders on FBS that every 20 seconds, an FBS client submits a request to withdraw their profit. An official trading partner of soccer giants FC Barcelona, FBS clients rake in half a billion dollars in profit each year. While FBS operates worldwide through its platforms FBS.com and FBS.eu, the company’s primary offices are in Belize and in Limassol, Cyprus.
What Was Leaked?
Nearly 20TB of data was leaked comprising more than 16 billion records. Millions of FBS users spread across the world were affected. Leaked information included the following:
PII such as
- Names and surnames
- Email addresses
- Phone numbers
- Billing addresses
- Time zone
- IP addresses
- Passport numbers
- Mobile device models
- Operating system
- Email sent to FBS users
- Social media IDs including GoogleIDs and FacebookIDs
- Files uploaded by users for verification including personal photos, national ID cards, drivers licenses, birth certificates, bank account statements, utility bills and unredacted credit cards
[Image: User ID and Credit Card Photo Uploads]
User details such as
- FBS user ID
- FBS account creation date
- Unencrypted passwords encoded in base64
- Password reset links
- Login history
- Loyalty data including loyalty level, level points, prize points, total money deposited, active days, active clients, points earned and points spent
[Image: A German User’s Account]
[Image: An Australian User’s Account]
[Image: Plain Text (base64) Passwords]
Financial details such as
- User transaction details including deposited money, currency, payment system, transaction IDs, account IDs, transaction dates, number of times money was deposited, last deposit amount, last deposit date, total deposit, credit, balance, last month’s balance, interest rate, taxes, equity and margin free. Some of the transactions are really large.
[Image: A $500,000 Transaction]
Each data set would on its own provide valuable information for an attacker but combining all of them makes the threat much more formidable.
What Does This Mean for FBS and Its Users?
The primary threats for FBS and its users include the following:
1. Identity Theft and Fraud
The personally identifiable information (PII) exposed by the leak could be used in fraudulent authentication across other platforms. The names, email addresses, physical addresses, passport numbers, driver’s license numbers, national ID numbers, phone numbers, social media IDs, credit cards, photos, financial records, and more could allow bad actors to impersonate the owner.
2. Scams, Phishing and Malware
Leaked contact information may be used to launch scam, phishing and malware attacks against FBS users. The data could be the basis for establishing trust in order to encourage clicks, malware downloads and the disclosure of more confidential information. Armed with the sensitive authentic data, a cybercriminal will sound more credible when they request information over the phone or by email.
3. Credit Card Fraud
To complete a card payment, FBS asks users to upload a photo of both sides of their credit/debit card. With the images accessible to bad actors, it is not difficult for the information to be used to commit credit card fraud.
With email addresses, physical addresses, social media IDs and financial records accessible, bad actors could single out users who move relatively large amounts as targets for extortion.
5. Personal Safety
With cyber criminals having access to not just your financial transactions on FBS but also your physical address and phone number, you or your home could be the target of a robbery or burglary. Your transactions may give criminals a hint of your financial status.
6. Business Espionage
With FBS user email addresses and phone numbers readily accessible, competitors could extract this information and use it to target and lure users to their own online trading platforms. Stolen source code and information on the site’s structure also make it easier for third parties to clone the FBS website and then make minor adjustments according to their needs.
7. Account Takeover
The leak exposed password reset links. With access to such sensitive information, an attacker could easily take over the account of any FBS user as long as they knew the user’s email address. Also, with the plaintext password (encoded in base64) and knowing that many people reuse passwords across platforms, cybercriminals could attempt to use the password on other platforms and take over.
This list does not cover all the risks users and organizations are exposed to from the FBS breach. Cybercriminals are continuously exploring new ways of using confidential information for nefarious ends.
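The base64-encoded passwords described above are recoverable with a single decode, which is why the report treats them as plain text. The following added example (not code from WizCase or FBS) contrasts that with salted scrypt storage and includes a simple audit check for reversible values; the function names, the scrypt cost parameters and the sample password are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def looks_like_encoded_plaintext(stored: str) -> bool:
    """Audit check: does a stored credential decode from base64 to printable text?"""
    try:
        text = base64.b64decode(stored, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return len(text) > 0 and text.isprintable()


def hash_password(password: str) -> str:
    """Store a random salt and a scrypt digest instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample value, not taken from the leaked data
    leaked_field = base64.b64encode(b"Tr4ding!2021").decode()
    print("base64 field:", leaked_field)
    print("flagged as reversible:", looks_like_encoded_plaintext(leaked_field))
    print("recovered:", base64.b64decode(leaked_field).decode())

    stored = hash_password("Tr4ding!2021")
    print("scrypt record:", stored)
    print("flagged as reversible:", looks_like_encoded_plaintext(stored))
    print("correct password verifies:", verify_password("Tr4ding!2021", stored))
```

Anyone who reads the scrypt record still has to guess each password and pay the scrypt cost per guess, whereas the base64 field yields the password directly.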
[Source: SecurityAffairs / 3.24.]