MCB Targeted by Hackers, Becomes Third Defaced Bank in One Week!

It appears that Pakistan hackers are on fire, and they have decided not to leave any bank. This time it is Muslim Commercial Bank or MCB.

With apparent slogan of defacing Banking websites, hackers claim to be with the aim of securing Pakistani cyber space. They maintain that banks were previously warned about all the security flaws but since banks’ staff don’t seem to be serious with the warnings and hence hackers have no point but to deface their websites.

Tonight, an inner page of Muslim Commercial Bank was defaced by two hackers who want to be called as Dr.Freak and Xploiter. We suspect – due to the names used – that this is the same group who had recently carried out defacements of HBL and ABL.

However, the tone and feel of the message left on MCB’s defaced page doesn’t resemble with previous messages.

It maybe recalled that earlier this week, official websites of Habib Bank and Allied Bank were hacked and defaced. Earlier on, Soneri Bank and Burj Bank were also attacked and defaced by hackers.

Hacker left following message on MCB’s website:

Did not u GOt the lesson after Pknic soneri bank hbl and allied bank. huh secure your sh*ts Secure Pakistan cyber space zindabad xploiter and Dr.Freak.

Here is the link of defaced page: http://mcb.com.pk/psc/cards/iparty/detail.asp?mid=16&type=1&cid=1

Webpage is still defaced, till we last checked before publishing this story. Here’s the screenshot:

MCB

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


  • All these hacks are not necessarily going to result in better security for the sites.
    All these hacks are setting the grounds for a unrealistically tough cyber law.

    When it happens, remember that I told you so.

  • When we vulnerability report these banks they have no time for reply emails.

    This is the first step of security.

  • There is a phenomenon called script kiddies. They are always attention whores.
    @writer:
    In the first sentence, please replace the word “leave” with “spare”. Thanks.

  • Nothing is secure… even google, facebook and paypal get
    security issues. These script kiddies are trying SQL injection
    with a smaller knowledge and if they succeed they claim to be a big hacker
    but actually its a very small attempt. Basic step in hacking. Almost all of the banks use their own infrastructure or their own VPN for Online Banking. Hacking only their main website doesn’t affect their Online Banking System or customer account details. These hacker cannot access that data. All they can change is the front end of the website.

    • As you are claiming, If hacker have smaller knowledge, then it must be shameful for banks who didn’t hired people on merit, so they know what SQL Injection means and how to secure the website from other common attack. Also you are wrong when you say its just public site, it doesn’t matter, if hacker wants he/she can replace add some code behind login/register form to get hold of login info of account holder. Believe me no one will know about this if those defacement pages not added.
      Hackers are quite right on the point that if they will not point out these vulnerabilities then someone else can actually get hold of accounts data and perform some transactions online. If that happens, believe me no bank would even be ready to pay damages to any customers.

      This is fact that banks must pay some attention to the security of their severs/web apps/sites.

  • @Aamir Aatta, Do you suspect or do you personally know them? These guys have their own facebook pages and even pictures on display.

  • I think if you can leak their online banking database then you have already done it :P It’s not like that as you are pretending…
    Defacing Website is something different than getting personal company database for customers… Its always kept on Separate Network and Separate Server’s with Encryption enabled. I m not saying that its impossible but it is not as you are pretending..

    Grow up.
    Hitting a Core Banking System and Defacing a Chindi Site are two different things :P

    • @Make me Popular Hacker Dear are you living in the world of fools? they hacked and dumped the whole database of soneri bank’s online banking system

      • Are you sure that the their online Banking or Accounts were hacked?… As far as i read the threads it was official site. No information for hacking online banking.

        • Soneri Bank’s online bank system was compromised :| a month before by the same Hackers , I just found on google

  • How can you hack the internal employee portal, one of my friend works in Alflah, while he can access his portal he has no access to the internet. The Bank’s database is connected on their on network.

    • actually these are not hackers.. these are crackers using different tools to find vulnerabilities in web pages and exploiting them using SQLi’s which is of very basic level.
      internal systems of large companies are kept safe by providing world class tools and software’s and professionals are hired to maintain them. websites are or different nature and have some natural flaws which can be exploited easily but internal systems are behind the scenes and can’t be compromised easily instead of internal help…:P

      • Well Mr.Bilal You must know there are many types of Sql Injection not only The Basic one which you think , SQLi is even presant in Oracle based databases too and toughest to inject, more over after this attack if attack was easy then what you think hundreds of other script kiddies didn’t tried to Hack these websites? but they can’t ! None of them was Hacked Before .
        Last Thing Hacker Makes tools , Tools doesn’t make you Hacked , These Hackers Belong to PAKbugs ! The most noturious and sophisticated Hacking Group Which stands in Top 10 Black hat Hacking Crew of the World , They Hacked even Google , Microsoft domains too …

        • Its completely depends on someone’s knowledge of development as well as SQL injection. If a hacker knows web development as well then it would be easy for him to predict query. All an SQL injection attacker does is to inject his own query in query which is being executed. It would be quite difficult or might impossible for hacker if the website is developed by an intermediate or advanced developer not by the beginner who turns off the error reporting of SQL queries of language specific errors which help mostly attacker to predict query. So, if errors are not displaying on website i mean completely off then hacker will die at that point in predicting baseless queries and at the end he might leave. The other point is to sanitizing the input which is very important if you have sanitized the inputs no one can inject queries either script kiddies or the Bugs :D

        • I dont underestimate the abelities of hackers but one thing is clear that defacing a site is not a big deal for hacker but mistakes made by developer who fail to anticipate the risks. However hacking is done for good I.e improves things by exploiting flaws.

        • sqli has nothing to do with the database backend, it has 100% to do with how the application server code was written, and how it processes incoming requests.

          wow, you cannot even get that right. shows where you are on the hacking scale from 1 to 10…

  • اللہ کے بندو اگر کچھ کام کا کام کرنا ہے تو یو ٹیوب کھولو ۔۔۔ پاکستانی سٹوڈنٹس کا شدید ترین نقصان ہو رہا ہے۔ اگر کچھ کرنا ہے تو غریب طلبا کے لئے کچھ کرو۔ بنک ہیک کر کے کیا کرو گے

  • No actually what they are hacking is something built to manage the front end of website, just like a CMS. Banks do not host their banking database and website database on same server. Banking server still will be safe even if website server gets hacked. When the account holder wants to login the website redirects him to explicitly developed server, which most probably has its own security infrastructures, which is less likely to be developed by the same developer who developed the web.

    • mera kheyal say allied bank k main page p login portal be bna huwa tha and jab hackers nay server hack kiya to woh login URL ko change kar k phishing method use krtay huwa thousands of accounts ko compromise kr sktay thay … and hoskta hai unho nay Hack kiya be ho ! and next time woh leak karain agr unhain secure na kiya gya to ….
      What you say …

      • I agree but still we don’t know how banks have implemented it. Or that login page is part of the database or not.. it might possible if hacker gained access to their file system too.

  • The hacker needs to learn english. Since you are so good at finding exploits why dont you propose ways to fix the security looholes cyber space kay chachay?…Pakistani awam always part of the problem, not a solution.


  • >