The U.K.’s largest fishing retailer, Angling Direct, experienced a system breach on Nov. 5 that resulted in their domain being redirected to Pornhub. The jokes almost wrote themselves, but days later the site is still down and the extent of the damage to the company’s bottom line is remains unclear — which is objectively much less hilarious.
Also not punny: The adversaries took to the company’s social media to mount a phishing campaign.
Apparently, the attackers obtained login credentials for its Twitter and other social-media accounts, since the hackers were able to alert them, and their customers, to the breach through a Nov. 7 tweet from the Angling Direct feed.
First, the @anglingdirect Twitter feed announced (falsely) that the fishing gear seller was sold to MindGeek, the company behind Pornhub, adding that Angling Direct customers were entitled to a free subscription to the adult site.
https://twitter.com/anglingdirect/status/1457478807829549063
“Your data has already been transferred and PornHub [sic] premium will be available for your account for a period of one year,” the tweet said. “Register with our email and you’ll automatically be assigned with premium.”
Free Porn Seems Phishy
Followers of the Angling Direct account figured out quickly that the company had been breached.
A few minutes later the hackers sent another tweet announcing their takeover, but the message didn’t make any specific demands for ransom, so what they want in return for the stolen data is unclear.
https://twitter.com/anglingdirect/status/1457484735245135875
“We will return the information and access to you,” the attacker, identifying themselves as MASTER, tweeted. “Otherwise, we will automatically remove from our system in 31 days.”
Besides inspiring armies of Twitter punsters to take their shot with phishing, lures, bait, dangling v. Angling and so many more, the breach forced the London Stock Exchange-traded company to put out an official statement on Nov. 8 acknowledging the incident. It’s unclear exactly what kind of an attack it was.
“This unauthorized activity shut down the company’s websites and these remain inactive,” the Angling Direct statement read. “Some of the company’s social-media accounts have also been compromised. The Board has appointed external cybersecurity specialists whose investigations are underway to establish what happened. Work continues round the clock to bring the websites back online, while our 39 retail stores across the U.K. have remained open and continue to trade.”
As of early Nov. 9, the main site was still down. Later, an Angling Direct spokesperson told Threatpost, “Just to follow up here – we can confirm after engaging with our advisers and providers we have managed to take back control of our website. The rollout will take some time to flow through in all areas but the process is underway.”
Angling Direct said in its statement that both law enforcement and regulators have been alerted to the breach and potential exposure of personal data.
“We are mindful of our obligations regarding data; it is too soon yet to make any determination around the impact this incident has had on personal data, but we will inform any individuals in line with our regulatory obligations should there be a need to do so,” the statement said. “Importantly, the company does not hold any customer financial data as our website transactions are handled by third parties.”
Angling Direct’s stock price has dropped since the compromise, priced on Nov. 4 at 69.89 GDP (British Pound Sterling), according to the London Stock Exchange and as of Nov. 9, days into the breach, the stock is trading at 61.74 GDP.
Threatpost reached out to the email address provided by the apparent attackers, who did not respond to Threatpost’s request for comment.
Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for “An Intro to OSquery and CloudQuery,” a LIVE, interactive conversation with Eric Kaiser, Uptycs’ senior security engineer, about how this open-source tool can help tame security across your organization’s entire campus.
Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at becky.bracken@threatpost.com.