Maserati promo leads to extortion charges

Date Reported:
9/23/08

Organization:
Fiat S.p.A (The Fiat Group)

Contractor/Consultant/Branch:
Maserati S.p.A.
Maserati North America Inc.

Location:
Solana Beach, California

Victims:
"potential customers"

Number Affected:
"more than 2,600"*

*unsubstantiated claim

Types of Data:
"name and contact information"

Breach Description:
"September 23, 2008 (Computerworld) A resident of Solana Beach, Calif., has been charged with stealing customer data from luxury car seller Maserati North America Inc. and then trying to extort money from the company by threatening to publicly disclose the details of the system intrusion."

Reference URL:
San Diego Union-Tribune
Computerworld
Bay City Television

Report Credit:
San Diego Union Tribune

Response:
From the online sources cited above:

A Solana Beach man accused of trying to extort money out of Maserati North America by manipulating the carmaker's Web site is facing five felony counts, according to an indictment unsealed Monday.
[Evan] See what happens to people (or should happen to people) who make poor choices?  It doesn't help your cause if you are an idiot (read on).

Bruce Mengler, 60, was arrested by FBI agents on Friday.

The indictment charging him with four counts of extortion and one count of computer intrusion was unsealed at his arraignment before Magistrate Nita Stormes at the downtown federal courthouse.

According to court documents, Maserati North America mailed fliers earlier this year to potential customers, inviting them to test-drive Maserati vehicles and receive gift certificates redeemable at Omaha Steaks in return.
[Evan] Everybody knows how people with money love to eat steaks!

The flier directed the recipient to visit MNA's Web site and enter their unique Personal Identification Number printed on the flier in order to receive the gift certificate.

Upon entering a valid PIN, each customer was asked to update his or her name and contact information.

Beginning on or about March 9, Mengler launched a "brute force attack" against MNA's Web site that identified valid PINs and downloaded associated customer data, the indictment alleges.
[Evan] It appears that the "brute force attack" went unnoticed by MNA.  Is it safe to assume that MNA does not employ adequate monitoring, such as that gained by (effectively) using network and host-based intrusion detection/prevention?  Brute force attacks, or in this case password/PIN guessing attacks, are generally very noisy and easy to detect as they occur.
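The kind of detection Evan is talking about, as an added example that is not part of the original post and is not anything MNA is known to have run: a small Python detector that reads web-server access-log lines and flags any client that piles up failed PIN redemptions inside a short window. The redemption path `/promo/redeem`, the status codes, the IP addresses and the log lines themselves are constructed assumptions made to resemble a flier-PIN promo page; the page tells us nothing about MNA's real site or logs.

```python
"""Flag PIN-guessing (brute-force) activity in web-server access logs.

Added example, not code from the original post or from Maserati North
America. The redemption path, the status codes and every log line below
are constructed assumptions made to resemble a flier-PIN promo page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

REDEEM_PATH = "/promo/redeem"        # assumed endpoint that checks the flier PIN
FAILURE_STATUSES = {401, 403, 404}   # assumed: an unknown PIN is rejected with 403

# Constructed sample log in Apache/nginx common-log style: one client walks
# sequential PINs until one succeeds, two real customers redeem normally
# (one of them mistypes once), plus an unrelated page hit that is ignored.
SAMPLE_LOG = '''\
203.0.113.7 - - [09/Mar/2008:02:13:55 -0800] "GET /promo/index.html HTTP/1.1" 200 3120
203.0.113.7 - - [09/Mar/2008:02:14:01 -0800] "GET /promo/redeem?pin=10231 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:02 -0800] "GET /promo/redeem?pin=10232 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:03 -0800] "GET /promo/redeem?pin=10233 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:04 -0800] "GET /promo/redeem?pin=10234 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:05 -0800] "GET /promo/redeem?pin=10235 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:06 -0800] "GET /promo/redeem?pin=10236 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:07 -0800] "GET /promo/redeem?pin=10237 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:08 -0800] "GET /promo/redeem?pin=10238 HTTP/1.1" 403 512
203.0.113.7 - - [09/Mar/2008:02:14:09 -0800] "GET /promo/redeem?pin=10239 HTTP/1.1" 200 2048
198.51.100.20 - - [09/Mar/2008:09:30:12 -0800] "GET /promo/redeem?pin=48812 HTTP/1.1" 200 2048
192.0.2.55 - - [09/Mar/2008:11:02:40 -0800] "GET /promo/redeem?pin=77310 HTTP/1.1" 403 512
192.0.2.55 - - [09/Mar/2008:11:03:05 -0800] "GET /promo/redeem?pin=77301 HTTP/1.1" 200 2048
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["path"].partition("?")
    pin = None
    for kv in query.split("&"):
        key, _, value = kv.partition("=")
        if key == "pin":
            pin = value
    return {"ip": m["ip"], "ts": ts, "path": path,
            "status": int(m["status"]), "pin": pin}


def detect_pin_guessing(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: summary} for clients with >= threshold failed PIN
    redemptions inside any window-long span (sliding window per client)."""
    failures = defaultdict(list)            # ip -> [(timestamp, pin), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != REDEEM_PATH:
            continue
        if rec["status"] in FAILURE_STATUSES:
            failures[rec["ip"]].append((rec["ts"], rec["pin"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until it spans no more than `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "failed_attempts": len(events),
                "peak_in_window": peak,
                "distinct_pins": len({pin for _, pin in events}),
                "first_seen": events[0][0],
                "last_seen": events[-1][0],
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_pin_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failed_attempts']} failed PIN attempts, "
              f"{info['distinct_pins']} distinct PINs, peak {info['peak_in_window']} per window, "
              f"between {info['first_seen']:%H:%M:%S} and {info['last_seen']:%H:%M:%S}")
```

Fed a real common-log-format access log the same loop works line by line; the threshold and window are the tuning knobs, and the distinct_pins count separates a customer who mistypes one PIN a few times from a client walking the PIN space. A detector like this only catches the loud, single-source pattern Evan describes; a slow or distributed guesser needs the complementary application-side controls (long random redemption codes instead of short PINs, per-client throttling and lockout after a handful of failures), which is what the "brain dead web implementation" remark quoted later in the post is really about.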

Mengler then sent a series of e-mails to MNA, threatening to publicize the security breach unless MNA satisfied his demands for payment.

Specifically, the indictment alleges that Mengler manually and by means of an automated program used PINs that were not assigned to him to log into MNA's Web site.

When Mengler successfully identified a valid PIN, he used a program to download the associated customer data to his computer system, causing a loss to the MNA of more than $5,000, according to the indictment.
[Evan] I was actually surprised to read that MNA only claims "more than $5,000" in losses.  I would think that the company could have easily used a larger figure.

The indictment further alleges that beginning on March 11 and continuing for more than two weeks, MNA received a series of threatening e-mails from the defendant, which included the names, addresses and PINs of four San Diego-area customers.

Officials said the threats were made in a series of emails sent from “”.
[Evan] Like breaking into a web site to steal names and addresses isn't stupid enough, now Mr. Mengler is going to use email sent through the same email address he has used in other public forums to extort money! (See: Google Search for "")

Mengler told them that he had "mined" the Web site.

"Would you like this lack of security & privacy to become public knowledge?" Mengler is alleged to have asked in his e-mail. "If you would like to buy my silence, make me an offer I can't refuse."
[Evan] How about we offer you free housing, free TV, free exercise equipment, free close personal relationships, free meals, free library, etc.?  It's called prison.

In other e-mails, Mengler threatened to "blast" the information that he had obtained to media organizations around the country if he wasn't paid off and wondered whether the company's "brain dead web implementation" had been corrected.
[Evan] OK, the web site implementation might be slightly "brain dead" from an information security standpoint.  Actually, many web site implementations are.  Who is really "brain dead"?  Mr. Mengler the nitwit "hacker", MNA with their web site, or both?  I vote for both, but if this were a competition, I think Mr. Mengler takes the cake.

He boasted that he had more than 2,600 customer records and threatened to make them available to Maserati's competitors.

"What dollar amount is each name worth to Maserati to not be released to the public?" Mengler asked in one of his messages.
[Evan] Well, let's see here.  You have names and addresses of people who wanted free steak.  Names and addresses are semi-public and everybody wants free steak!  Note: if you want to extort money from someone, make sure you have something valuable to bargain with.

MNA reported the computer intrusion and threatening communications to law enforcement and cooperated fully with an investigation conducted by the Cybercrime Squad of the San Diego Division of the FBI.

Mengler will be back in court on Oct. 31.

Commentary:
My take is that MNA (and many other companies) must do a much better job of securing their web presence end to end: routers, switches, firewalls, servers, IDS/IPS, the web applications themselves and the databases behind them, to name a few.  Then companies should regularly test, audit, and improve these infrastructures.  Employing trusted third-party consultants adds objectivity to the testing/audits and improves the credibility of the results.

Mr. Mengler at 60 years old must not have gained much wisdom over the years, or if he has, he certainly didn't show it in this debacle.  I suppose I should mention that this is the United States, and Mr. Mengler is innocent until proven guilty.

Past Breaches:
Unknown

Comments:
9/25/2008 3:09 AM charles r. curbo wrote:
Mr. Mengler deserves to be listed in "News of the Weird" under their "dumbest criminals" category. Fools like this guy pay my rent (I am a criminal defense attorney) before my taxes have to start paying for his room and board.