We are receiving reports from many users of the popular JoomDonation platform that they received a very scary email from someone who supposedly hacked into JoomDonation. The emails went to the account addresses registered there and contained the users' full names, so it looks like JoomDonation did in fact get breached.
This is the full email:
How the hell are you? No need to ask, I’m fine!
I’m the one who has hacked all of your sites, emails, accounts etc. that has been using JoomDonation.com site/components. Scaring? Hell Yea
About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was JoomDonation.com. After a while I realised that their crappy components were used by other Joomla developers too, so I injected my shells into JoomDonation.com components. As per result, I’ve a list of 300000+ Joomla users+emails and you’re just one of them, lucky thing
Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you know what? F*ck em all. They’re just noob tools. Think about it, I’ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been aware of it.
WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon
Want advice from a hacker? Don’t use any script from Thailand/Vietnam developers, their code is so crappy. Try Indian quality.
This email was sent to all JoomDonation.com users. We’ll meet again if you have accounts registered to other Joomla developers
Our research team is trying to confirm whether any of the downloads from JoomDonation contain a backdoor, and we will post more details on what we find.
The JoomDonation developer has confirmed their environment has been compromised, but believes the issues to be specific to their server:
I believe these are not security issues in our components/extensions. Someone hacked our server (we are using a bluehost VPS server for hosting our website) somehow and used the email system to send these spam emails to all of you.
They want to destroy our business (and they mentioned India somehow in the email). Just a quick update from us, we will provide more information when we find something!
We are really sorry for this trouble
The concern here is twofold:
- How did the attackers penetrate JoomDonation? If they leveraged a 0-day, then it’s likely the attacker can in fact penetrate other environments configured the same way.
- How is the attacker contacting JoomDonation users? This suggests there has been some level of data breach and that user PII has been compromised.
In the meantime, we highly recommend disabling this extension on your site. We would also highly recommend putting the site behind a Website Firewall (WAF) with all hardening options enabled, to minimize the chances of a compromise in case the extension has a 0-day vulnerability or a backdoor.
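Until the research team's findings are published, a site owner can at least triage their own copy of the extension for the kind of injected code the email boasts about. The following is an added example, not code from this post or from JoomDonation: a small Python scanner that walks an unpacked extension directory and flags PHP lines matching common backdoor indicators. The indicator patterns, file names and sample file contents are all constructed for the example.

```python
import os
import re
import tempfile

# Indicator patterns for injected PHP backdoors (chosen for this example): execution of
# decoded strings, the preg_replace /e modifier, and request-driven shell or function calls.
SUSPICIOUS = {
    "eval_of_decoded": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "preg_replace_e": re.compile(r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I),
    "shell_from_request": re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "dynamic_call_from_request": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
}

def scan_file(path):
    # Return [(rule, line_number)] for each line that trips an indicator.
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits += [(rule, lineno) for rule, rx in SUSPICIOUS.items() if rx.search(line)]
    return hits

def scan_extension(root):
    # Walk an unpacked extension tree; map relative path -> hits, PHP files only.
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample files: a clean component file and one with an injected tail.
CLEAN_PHP = ("<?php\ndefined('_JEXEC') or die;\n"
             "$amount = (float) $input->get('amount', 0);\necho JText::_('COM_DONATION_THANKS');\n")
INJECTED_PHP = ("<?php\ndefined('_JEXEC') or die;\n// legitimate code above; injected lines follow\n"
                "eval(base64_decode($_POST['p']));\n"
                "preg_replace('/.*/e', $_REQUEST['c'], '');\n"
                "$_GET['f']($_GET['a']);\n")

def demo():
    # Write the samples into a temp dir and scan it; returns the findings dict.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "helpers"))
    for rel, body in (("donation.php", CLEAN_PHP), ("helpers/inject.php", INJECTED_PHP)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_extension(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

A hit is a lead for manual review rather than proof of compromise, since legitimate code sometimes decodes base64 data; comparing the flagged files against a freshly downloaded copy of the same extension version is the quickest way to separate injected lines from shipped ones.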