Heritage Auction Web Site is down due to Malware Attack

PacificWR
Posts: 969
Joined: Mon May 28, 2018 12:17 pm
Location: Kansas Flint Hills

Heritage Auction Web Site is down due to Malware Attack

Post by PacificWR » Mon Oct 21, 2019 1:56 am

FYI!

Heritage would like to thank everyone for their patience as we work to restore our website.
We apologize for any inconvenience. We have confirmed that we were a victim of a malware attack. Please be aware that client financial information (e.g. credit card, bank account info, etc.) is maintained by a third-party provider and thus not affected.
We expect to be back online soon.
All currently affected auctions will be extended or rescheduled and we will notify everyone accordingly.
More updates soon.

Please check our Facebook and Twitter pages for the latest information.

DHalladay
Posts: 978
Joined: Wed May 30, 2018 4:38 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by DHalladay » Mon Oct 21, 2019 2:10 am

What a nightmare.
When in doubt... don't.

CascadeChris
Posts: 1700
Joined: Mon May 28, 2018 10:41 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by CascadeChris » Mon Oct 21, 2019 2:49 am

Perfect target for a ransomware attack. Forget holding hospitals hostage for $30k if you can hit someone like HA $$$$$$$$$
Alonzi VW 2.0!

messydesk
Site Admin
Posts: 1459
Joined: Mon May 28, 2018 1:57 am

Re: Heritage Auction Web Site is down due to Malware Attack

Post by messydesk » Mon Oct 21, 2019 1:46 pm

While payment information is secured by a third party, I'd be interested to know what sort of countermeasures they use to protect other customer information from malware attacks. If you use Heritage (or Stacks/Bowers, or Great Collections) and have a PO Box, make sure that the PO Box is the shipping address they use. If you don't have a PO Box, consider getting one.
Welcome to the VAMWorld 2.0 discussion boards. R.I.P. old VAMWorld.

Longstrider
Posts: 264
Joined: Tue Jul 03, 2018 9:12 pm
Location: Mojave High Desert

Re: Heritage Auction Web Site is down due to Malware Attack

Post by Longstrider » Mon Oct 21, 2019 2:45 pm

It's crazy. I have gotten to the point that I feel anyone that wants my info has it or can get it at will. Thanks..John🐍

Kurt28
Posts: 40
Joined: Sat Jun 02, 2018 4:00 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by Kurt28 » Mon Oct 21, 2019 4:45 pm

I thought the bidding at GC was a little higher.
Connection, coincidence or just my imagination?

PacificWR
Posts: 969
Joined: Mon May 28, 2018 12:17 pm
Location: Kansas Flint Hills

Re: Heritage Auction Web Site is down due to Malware Attack

Post by PacificWR » Mon Oct 21, 2019 6:28 pm

Did a little checking on this and other smaller Auction Houses have also experienced the same type of malware attack. The talk is that this was a coordinated attack (by the hackers) on multiple Auction Houses. All roughly at the same time. The keyword in the Heritage Auction House web site statement is “MALWARE” attack. Generally, there are two types of attacks by hackers. 1. Malware. 2. Ransomware. A Malware attack will affect systems by stealing passwords, usernames and other information that is stored on their systems. This other information includes users’ email IDs. So, in short, if you have a Heritage Auction House account be on the lookout for strange emails or activity on your ID. The Ransomware attack is just what the name implies.

CascadeChris
Posts: 1700
Joined: Mon May 28, 2018 10:41 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by CascadeChris » Mon Oct 21, 2019 6:54 pm

Yeah, but would they say it was ransomware? Methinks the possibility exists that hubris would force them to possibly say it was malware when in fact it's a ransomware attack to save public face and try to limit future ransom attacks because they know the only option is to pay it. Just my speculative conspiracy mind thinking tho..
Alonzi VW 2.0!

alefzero
Posts: 93
Joined: Sat Jun 09, 2018 2:33 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by alefzero » Mon Oct 21, 2019 9:34 pm

The very obvious fact that they did not design their system for redundancy and high availability suggests to me that there is a good chance they also had their backups either directly connected or available by network connection. If so, the first thing I would have done in an exploit is mount the backups and wipe them clean, reformatting the partitions. They should have offsite recovery backups.

Regardless of the nature of the exploit and the resources they have to remediate, this has to take considerable time even in the best of situations. Reconstructing the services and content with adequate security requires the effort and testing. When they turn operations back on, it has to be all right and the users need to be comfortable with it and their explanation of what happened, what was compromised, and what was done to assure future safety. Their business model demands trust from their consignors and bidders.

Ransomware? They sure would be a prime target. In that or any other case, due to the volume of business and amount of money involved in their enterprise, assuredly they have federal investigators all over it and probably hired a few excellent grey hats to do the forensics and secure the services and data. One would expect that if bidder and consignor personal or financial data was even possibly compromised, their legal staff would not have allowed them to keep that quiet. Otherwise, there could be a slew of lawsuits if what they knew and when they knew it is unacceptable.

PacificWR
Posts: 969
Joined: Mon May 28, 2018 12:17 pm
Location: Kansas Flint Hills

Re: Heritage Auction Web Site is down due to Malware Attack

Post by PacificWR » Mon Oct 21, 2019 10:15 pm

alefzero wrote:
Mon Oct 21, 2019 9:34 pm
The very obvious fact that they did not design their system for redundancy and high availability suggests to me that there is a good chance they also had their backups either directly connected or available by network connection. If so, the first thing I would have done in an exploit is mount the backups and wipe them clean, reformatting the partitions. They should have offsite recovery backups.
Looks like the attack brought them down Friday night. This being day three strongly suggests the attack exposed a huge hole in their firewall. One does have to wonder what their backup plan was.

vamnuke
Posts: 205
Joined: Wed Aug 01, 2018 11:57 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by vamnuke » Mon Oct 21, 2019 11:28 pm

:o

alefzero
Posts: 93
Joined: Sat Jun 09, 2018 2:33 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by alefzero » Tue Oct 22, 2019 1:58 am

PacificWR wrote:
Mon Oct 21, 2019 10:15 pm
alefzero wrote:
Mon Oct 21, 2019 9:34 pm
The very obvious fact that they did not design their system for redundancy and high availability suggests to me that there is a good chance they also had their backups either directly connected or available by network connection. If so, the first thing I would have done in an exploit is mount the backups and wipe them clean, reformatting the partitions. They should have offsite recovery backups.
Looks like the attack brought them down Friday night. This being day three strongly suggests the attack exposed a huge hole in their firewall. One does have to wonder what their backup plan was.
Attacking their firewall is not the way to take them down. They could go after their exploitable services (SQL injection, things like that) or simply somebody connected a compromised system (or a dual-homed one) to the network and had privileged access. But you just never know. Can never tell by the presentation and functionality whether it is secure. Some companies throw money at style sheets and less at security.

Nonetheless, regardless of the situation, this just needs time even in the best of cases. Communication is needed though.

CascadeChris
Posts: 1700
Joined: Mon May 28, 2018 10:41 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by CascadeChris » Tue Oct 22, 2019 2:23 am

I wonder what this will end up costing them. The aggregate total cost for all revenue losses, employee overtime etc + cost of remediation... and what they'll be shelling out afterwards to fortify their defenses.
Alonzi VW 2.0!

PacificWR
Posts: 969
Joined: Mon May 28, 2018 12:17 pm
Location: Kansas Flint Hills

Re: Heritage Auction Web Site is down due to Malware Attack

Post by PacificWR » Tue Oct 22, 2019 4:13 am

alefzero wrote:
Tue Oct 22, 2019 1:58 am
PacificWR wrote:
Mon Oct 21, 2019 10:15 pm
alefzero wrote:
Mon Oct 21, 2019 9:34 pm
The very obvious fact that they did not design their system for redundancy and high availability suggests to me that there is a good chance they also had their backups either directly connected or available by network connection. If so, the first thing I would have done in an exploit is mount the backups and wipe them clean, reformatting the partitions. They should have offsite recovery backups.
Looks like the attack brought them down Friday night. This being day three strongly suggests the attack exposed a huge hole in their firewall. One does have to wonder what their backup plan was.
Attacking their firewall is not the way to take them down. They could go after their exploitable services (SQL injection, things like that) or simply somebody connected a compromised system (or a dual-homed one) to the network and had privileged access. But you just never know. Can never tell by the presentation and functionality whether it is secure. Some companies throw money at style sheets and less at security.

Nonetheless, regardless of the situation, this just needs time even in the best of cases. Communication is needed though.
Our corporate firewall is attacked easily over 1,000 times every single day. With an international reach the impact would be tremendous and would impact a lot of companies including the government. Like you said though there are many different ways to do this. From vulnerable ports, to email, flash drives, plugins and the list goes on. It all depends on the security. The more layers the better.

collectinsince65
Posts: 419
Joined: Sat Jan 05, 2019 12:55 am

Re: Heritage Auction Web Site is down due to Malware Attack

Post by collectinsince65 » Tue Oct 22, 2019 9:53 pm

Email received from ha.com
They are getting back online and they have posted an updated auction schedule.
Mike

alefzero
Posts: 93
Joined: Sat Jun 09, 2018 2:33 pm

Re: Heritage Auction Web Site is down due to Malware Attack

Post by alefzero » Wed Oct 23, 2019 3:58 am

PacificWR wrote:
Tue Oct 22, 2019 4:13 am
alefzero wrote:
Tue Oct 22, 2019 1:58 am
PacificWR wrote:
Mon Oct 21, 2019 10:15 pm


Looks like the attack brought them down Friday night. This being day three strongly suggests the attack exposed a huge hole in their firewall. One does have to wonder what their backup plan was.
Attacking their firewall is not the way to take them down. They could go after their exploitable services (SQL injection, things like that) or simply somebody connected a compromised system (or a dual-homed one) to the network and had privileged access. But you just never know. Can never tell by the presentation and functionality whether it is secure. Some companies throw money at style sheets and less at security.

Nonetheless, regardless of the situation, this just needs time even in the best of cases. Communication is needed though.
Our corporate firewall is attacked easily over 1,000 times every single day. With an international reach the impact would be tremendous and would impact a lot of companies including the government. Like you said though there are many different ways to do this. From vulnerable ports, to email, flash drives, plugins and the list goes on. It all depends on the security. The more layers the better.
Absolutely. There are a good number of ways to attack and Heritage is a glaring target. They apparently got a bit lucky this time and were perhaps more prepared for this than they let on. Honestly, even if they caught it right away and did everything perfectly, they needed to comb over everything and preserve evidence in case there is a legal issue or it comes back at them in the future.

My firewalls and servers get hit quite a bit too daily. At one point, I set the web servers' 404 pages to be the FBI Cyber Crime page. So the exploit fishing expeditions would be directed there. There were so many, I got the attention of the FBI thinking I was up to something against them, as the referer page in the env array pointed to the failed page call. Took them a while longer than one might expect to inspect the full transactions.

PacificWR
Posts: 969
Joined: Mon May 28, 2018 12:17 pm
Location: Kansas Flint Hills

Re: Heritage Auction Web Site is down due to Malware Attack

Post by PacificWR » Wed Oct 23, 2019 4:04 am

alefzero wrote:
Wed Oct 23, 2019 3:58 am
PacificWR wrote:
Tue Oct 22, 2019 4:13 am
alefzero wrote:
Tue Oct 22, 2019 1:58 am


Attacking their firewall is not the way to take them down. They could go after their exploitable services (SQL injection, things like that) or simply somebody connected a compromised system (or a dual-homed one) to the network and had privileged access. But you just never know. Can never tell by the presentation and functionality whether it is secure. Some companies throw money at style sheets and less at security.

Nonetheless, regardless of the situation, this just needs time even in the best of cases. Communication is needed though.
Our corporate firewall is attacked easily over 1,000 times every single day. With an international reach the impact would be tremendous and would impact a lot of companies including the government. Like you said though there are many different ways to do this. From vulnerable ports, to email, flash drives, plugins and the list goes on. It all depends on the security. The more layers the better.
Absolutely. There are a good number of ways to attack and Heritage is a glaring target. They apparently got a bit lucky this time and were perhaps more prepared for this than they let on. Honestly, even if they caught it right away and did everything perfectly, they needed to comb over everything and preserve evidence in case there is a legal issue or it comes back at them in the future.

My firewalls and servers get hit quite a bit too daily. At one point, I set the web servers' 404 pages to be the FBI Cyber Crime page. So the exploit fishing expeditions would be directed there. There were so many, I got the attention of the FBI thinking I was up to something against them, as the referer page in the env array pointed to the failed page call. Took them a while longer than one might expect to inspect the full transactions.
One has to wonder about their back-up plan. Bet revisions are in the works.

I really like what you did by pointing the web servers' 404 pages to be the FBI Cyber Crime page. That is a good one.
