MCB Targeted by Hackers, Becomes Third Defaced Bank in One Week!

It appears that Pakistan hackers are on fire, and they have decided not to leave any bank. This time it is Muslim Commercial Bank or MCB.

With apparent slogan of defacing Banking websites, hackers claim to be with the aim of securing Pakistani cyber space. They maintain that banks were previously warned about all the security flaws but since banks’ staff don’t seem to be serious with the warnings and hence hackers have no point but to deface their websites.

Tonight, an inner page of Muslim Commercial Bank was defaced by two hackers who want to be called as Dr.Freak and Xploiter. We suspect – due to the names used – that this is the same group who had recently carried out defacements of HBL and ABL.

However, the tone and feel of the message left on MCB’s defaced page doesn’t resemble with previous messages.

It maybe recalled that earlier this week, official websites of Habib Bank and Allied Bank were hacked and defaced. Earlier on, Soneri Bank and Burj Bank were also attacked and defaced by hackers.

Hacker left following message on MCB’s website:

Did not u GOt the lesson after Pknic soneri bank hbl and allied bank. huh secure your sh*ts Secure Pakistan cyber space zindabad xploiter and Dr.Freak.

Here is the link of defaced page: http://mcb.com.pk/psc/cards/iparty/detail.asp?mid=16&type=1&cid=1

Webpage is still defaced, till we last checked before publishing this story. Here’s the screenshot:

MCB

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


  • FzH

    I am loving this person as he is working for betterment of pakistan cyber space

    • Salman Abbas

      Good on him for not phishing innocent users.

  • maverick_bm

    “Did not you got the lesson” sola baras ki bali umr aur doctor ki grammar ko salaam!

    • Sulaiman

      its their style of showing their inner feelings :P who cares if the english language is not perfect atleast you hv understood thier thoughts mr.

      • maverick_bm

        What!?. Lol. That’s even funnier than the “did you not got the lesson”.

        • rummykhan

          i think u need to see their skills and intentions.. maverick

  • Shahid Saleem

    All these hacks are not necessarily going to result in better security for the sites.
    All these hacks are setting the grounds for a unrealistically tough cyber law.

    When it happens, remember that I told you so.

    • Ali Salman

      @Admin, mark his words :

      • Khurram ShahzAd

        Yeah admin mark the words of Ali Salman too, Hez right :-)

  • D33jy

    When we vulnerability report these banks they have no time for reply emails.

    This is the first step of security.

  • Hugo

    There is a phenomenon called script kiddies. They are always attention whores.
    @writer:
    In the first sentence, please replace the word “leave” with “spare”. Thanks.

  • Informer

    Nothing is secure… even google, facebook and paypal get
    security issues. These script kiddies are trying SQL injection
    with a smaller knowledge and if they succeed they claim to be a big hacker
    but actually its a very small attempt. Basic step in hacking. Almost all of the banks use their own infrastructure or their own VPN for Online Banking. Hacking only their main website doesn’t affect their Online Banking System or customer account details. These hacker cannot access that data. All they can change is the front end of the website.

    • Escobar Pablo

      We have our own way Step#1 Leak and Deface main site , Step#2 Hack there internal employees portal ect , Step#3 We will hit there online Banking server like we hit before , Step#5 if they don’t pay attention toward security we will leak online banking database online (Y)
      http://www.thehackerspost.com/2013/03/soneri-bank-online-website-hacked-by.html

    • Khurram ShahzAd

      As you are claiming, If hacker have smaller knowledge, then it must be shameful for banks who didn’t hired people on merit, so they know what SQL Injection means and how to secure the website from other common attack. Also you are wrong when you say its just public site, it doesn’t matter, if hacker wants he/she can replace add some code behind login/register form to get hold of login info of account holder. Believe me no one will know about this if those defacement pages not added.
      Hackers are quite right on the point that if they will not point out these vulnerabilities then someone else can actually get hold of accounts data and perform some transactions online. If that happens, believe me no bank would even be ready to pay damages to any customers.

      This is fact that banks must pay some attention to the security of their severs/web apps/sites.

    • Jan

      informer is rite 101%

  • Maria Irshad

    Facebook/ Real Assignment Services- Your Reliable Assignment Helpmate

  • Ali Salman

    @Aamir Aatta, Do you suspect or do you personally know them? These guys have their own facebook pages and even pictures on display.

  • Make me Popular Hacker

    I think if you can leak their online banking database then you have already done it :P It’s not like that as you are pretending…
    Defacing Website is something different than getting personal company database for customers… Its always kept on Separate Network and Separate Server’s with Encryption enabled. I m not saying that its impossible but it is not as you are pretending..

    Grow up.
    Hitting a Core Banking System and Defacing a Chindi Site are two different things :P

    • I’m Jealoused Bcz I can’t Hac

      @Make me Popular Hacker Dear are you living in the world of fools? they hacked and dumped the whole database of soneri bank’s online banking system

      • Informer

        Are you sure that the their online Banking or Accounts were hacked?… As far as i read the threads it was official site. No information for hacking online banking.

        • shehzad Ali Rauf

          Soneri Bank’s online bank system was compromised :| a month before by the same Hackers , I just found on google

  • Informer

    How can you hack the internal employee portal, one of my friend works in Alflah, while he can access his portal he has no access to the internet. The Bank’s database is connected on their on network.

    • Informer

      *own network

    • Informer

      *on their own network

    • Bilal Iqbal

      actually these are not hackers.. these are crackers using different tools to find vulnerabilities in web pages and exploiting them using SQLi’s which is of very basic level.
      internal systems of large companies are kept safe by providing world class tools and software’s and professionals are hired to maintain them. websites are or different nature and have some natural flaws which can be exploited easily but internal systems are behind the scenes and can’t be compromised easily instead of internal help…:P

      • Muhammad Azam

        Well Mr.Bilal You must know there are many types of Sql Injection not only The Basic one which you think , SQLi is even presant in Oracle based databases too and toughest to inject, more over after this attack if attack was easy then what you think hundreds of other script kiddies didn’t tried to Hack these websites? but they can’t ! None of them was Hacked Before .
        Last Thing Hacker Makes tools , Tools doesn’t make you Hacked , These Hackers Belong to PAKbugs ! The most noturious and sophisticated Hacking Group Which stands in Top 10 Black hat Hacking Crew of the World , They Hacked even Google , Microsoft domains too …

        • Informer

          Its completely depends on someone’s knowledge of development as well as SQL injection. If a hacker knows web development as well then it would be easy for him to predict query. All an SQL injection attacker does is to inject his own query in query which is being executed. It would be quite difficult or might impossible for hacker if the website is developed by an intermediate or advanced developer not by the beginner who turns off the error reporting of SQL queries of language specific errors which help mostly attacker to predict query. So, if errors are not displaying on website i mean completely off then hacker will die at that point in predicting baseless queries and at the end he might leave. The other point is to sanitizing the input which is very important if you have sanitized the inputs no one can inject queries either script kiddies or the Bugs :D

        • bilal

          I dont underestimate the abelities of hackers but one thing is clear that defacing a site is not a big deal for hacker but mistakes made by developer who fail to anticipate the risks. However hacking is done for good I.e improves things by exploiting flaws.

        • Shahid Saleem

          sqli has nothing to do with the database backend, it has 100% to do with how the application server code was written, and how it processes incoming requests.

          wow, you cannot even get that right. shows where you are on the hacking scale from 1 to 10…

  • مولیٰ بس

    اللہ کے بندو اگر کچھ کام کا کام کرنا ہے تو یو ٹیوب کھولو ۔۔۔ پاکستانی سٹوڈنٹس کا شدید ترین نقصان ہو رہا ہے۔ اگر کچھ کرنا ہے تو غریب طلبا کے لئے کچھ کرو۔ بنک ہیک کر کے کیا کرو گے

    • Jan

      yar tum but majboor lag rhy ho, r majboor log hamesha such khty hen.

  • uzair

    yeh khud hack akrkay boltay hayn ham thek kardengay aur paisay lete hayn :D

  • Informer

    No actually what they are hacking is something built to manage the front end of website, just like a CMS. Banks do not host their banking database and website database on same server. Banking server still will be safe even if website server gets hacked. When the account holder wants to login the website redirects him to explicitly developed server, which most probably has its own security infrastructures, which is less likely to be developed by the same developer who developed the web.

    • Hamza zafar

      mera kheyal say allied bank k main page p login portal be bna huwa tha and jab hackers nay server hack kiya to woh login URL ko change kar k phishing method use krtay huwa thousands of accounts ko compromise kr sktay thay … and hoskta hai unho nay Hack kiya be ho ! and next time woh leak karain agr unhain secure na kiya gya to ….
      What you say …

      • Informer

        I agree but still we don’t know how banks have implemented it. Or that login page is part of the database or not.. it might possible if hacker gained access to their file system too.

  • Dissolution0fEternity

    The hacker needs to learn english. Since you are so good at finding exploits why dont you propose ways to fix the security looholes cyber space kay chachay?…Pakistani awam always part of the problem, not a solution.

  • Full Name Goes Here

    Wait for a moment kid, daddy is coming!

  • پتہ نہیں

    Where is Step # 4 ? :P