ANACONDA, Mont. — Visitors to Southwest Montana Community FCU's web site over the weekend got a disturbing welcome — a black screen bearing an ISIS logo and the words "Hacked By Islamic State (ISIS)."
According to Tom Dedman, CEO at the $101 million-asset credit union outside of Butte, Mont., a member spotted the alleged ISIS hack at about noon on Saturday and reported it to the credit union. CU officials reached out to Member Driven Technologies (MDT), the CUSO that hosts its site, and within 15 minutes the web page was taken down.
The hack only affected the marketing arm of SWMC's site, since online banking, bill pay and other areas of sensitive information are kept in different locations on different servers.
Despite the quick response from MDT, Dedman said about a dozen members reported having seen the hacked site. The attack has made international news because several other businesses across the country were similarly hacked, including bars and restaurants, a zoo, a church and more.
"Obviously we've got folks calling us today and asking questions," Dedman told CU Journal in an interview. "Naturally they're concerned and they should be asking these questions. Our response is that this is very similar in nature to having your car get egged or having someone spray graffiti on the side of the building.... We're still waiting on the final forensic reports from the first get-go, [but] it looks like this is just a defacement issue."
Authorities quoted in other reports — including NBC News and local Montana publications — have questioned whether ISIS was actually behind the attack and whether it might be the work of a domestic hacker or some other hoax.
Whoever was behind the attack, the CU reached out to NCUA as well as authorities. The regulator, along with MDT, is "following the protocols as if it were a full compromise," said Dedman.
NCUA in turn reached out to the FBI, and the CU has been urged to contact both the FBI and Department of Homeland Security, if only for information-sharing purposes.
The site was back online by about 9:00 p.m. CST on Sunday night.
Why a CU and What Can the Community Do?
So why would ISIS hack a small credit union on the outskirts of Montana's fifth-largest city?
Dedman believes the hackers went after anything they could get at, which might help explain the wide variety of businesses targeted.
He explained that the CU's web site is designed and driven by WordPress, and "inside of that there are hundreds of different little plug-ins that designers can put in to do different things. We were using a plugin... called FancyBox, [and] there was a vulnerability in that plug-in that allowed them to inject these images onto our web page."
According to Dedman, the FancyBox vulnerability was announced in February, but "we weren't monitoring the software that actually was used to design the site and stays in the background on the site.... That's where our 'gotcha' was."
Dedman said SWMC FCU's security protocols are still valid, in part because of successful data siloing and ensuring that sensitive member data is kept separate from other components of the web site. But while the end result probably could have been a whole lot worse for his credit union, there's a lesson here for the entire credit union community.
While CUs keep a close eye on core systems, data processing and other member-centric elements of their business, many don't know nearly enough about the inner workings of their own web sites — and Dedman included himself in that group.
"We need, as an industry, to have a better understanding of what drives our web sites," he said. "It was this background development phase that totally didn't come to mind to me that we would need to be worried about, because from my viewpoint, when I look at it, it's all content. But this stuff in the background that delivers the content needs to be monitored and kept track of as well."
That means working with web design firms that understand and are familiar with financial institutions and the threats they face, and not just using any contractor or local shop that can get the job done.
"We all have web sites, and we need to know a little bit more about the core systems that are driving that site," he said. "Not where they sit, but the programs that are actually delivering the pages. The ball got dropped for us, and I don't know if it's necessarily us, the people that developed it or the people that host it, but someone should be taking care of that. Credit unions that have an IT staff as part of their scenario are taking care of it, but in cases where credit unions are outsourcing IT, they need to take into consideration who's monitoring the software driving their site. That's my takeaway."










