Connex Melbourne SMS Service Hacked (Update 5)

Jeremy and I have just received the following SMS from the Connex Melbourne SMS Service (run by Platypus World). It looks like they’ve been hacked.. :-(

ALLAHU AKBR FROM CONNEX! our inspectorS Love Killing people – If you see one coming, run. Want to bomb a train? they will gladly help! See youin hell!

Not a good SMS message to get from your train company in the current climate..

Update 1: A Muslim friend of mine tells me that the message doesn’t make sense: Allah hu Akbar (God is great) is not the sort of thing that people say to each other.

Update 2: Looks like quite a few others got it too..

Update 3: I wonder if they also got hold of the phone records, or whether all they figured out was just how to feed a random message into their “SMS everyone” workflow..

Update 4: Last night (22:39 AEST) another Connex SMS message arrived, this time apparently legitimate, saying:

A hoax message was sent tonight to some users. Connex apologises and is investigating with the police.

There is a news story on the ABC this morning saying:

Around 10,000 people who have signed up to a timetable update system received a threatening message last night, after hackers broke into the system. [...] Connex spokesman Andrew Cassidy has apologised for the incident and has reassured subscribers that their personal information is safe.

They are trying to reassure people that their details are safe:

“As far as we can see, the individual was able to get in, type this message and get it sent [and] had no other access to information stored in that database.”

The question is, then, how did the attacker get in? Well, it seems like it was that age-old problem..

Connex says passwords to the system have been changed to prevent further incidents.

My guess is it’s either people picking easy-to-guess passwords or (increasingly likely these days) a Windows system getting attacked by a virus or trojan and having a keylogger installed.

Update 5: It appears that the company that runs the SMS service for Connex is running its public-facing systems on Windows, so it’s probably not that surprising that this hack happened. :-(

Strangely enough this hack hasn’t made it onto their “Making News” page.

Update 6: Just found an alternative rendering of the quote from the Connex spokesman:

“All they were able to do was to hack in and act as though they were a staff member doing a remote access to send a message to subscribers.”

Oh, so that’s all they could do..