Surely you mean...
"One or more completely feckless scumbags neglected to update the Make-A-Wish foundation's international website, allowing it to be compromised by a 6-month-old "Drupalgeddon 2" exploit."
One or more completely feckless scumbags have loaded the Make-A-Wish foundation's international website with crypto-mining malware scripts. Researchers with Trustwave say the (now clean) WorldWish.org site was compromised via a Drupal exploit and seeded with malicious JavaScript that enlisted the CPU cycles of visitors' …
Drupalgeddon 1 and 2 *really* sucked.
In addition to the fact that there will always be some first victims, no matter how itchy your upgrade trigger finger ... Drupal does not have any easy one click updating (not that that is always a safe thing to do anyway, but it *guarantees* that updates are non-trivial).
Then there was the sequel ... it's hard enough to get your client to do something - and quickly - about a security exploit, when it's a non-trivial upgrade. But to have to come back just a few weeks later ... "um, yeah, you remember that Drupalgeddon thing a couple weeks ago? Ahem, um, well ... "
No, I don't think the Make a Wish server operators are feckless scumbags. Most likely it's just some poor schlub either volunteering or maybe it was made by a consultant years ago and nobody is really maintaining it properly [until NOW, that is]. Or maybe their staff IT guy is underpaid and you get what you pay for.
I would think that a charity would be more focused on, er, the charity part. SOME charities that have a huge overhead of administration might have NO excuse, but according to one web site, 'Make a Wish' gives out around 75% to 'actual charity' with about 10% in administration and 15% in fund raising (my numbers are rounded, yeah). So I'm guessing that a *bit* more needed to be put into IT but those are the approximated numbers, so there ya go.
So yeah 'benefit of the doubt' until some audit/investigation proves otherwise.
icon, because it fits
There's a lot of moralising going on in this article as though the attacker in question specifically singled this site out knowing full-well it was a charity for seriously ill children when in reality it's likely the entire thing was largely automated. The only thing they'd really care about is that it's vulnerable and it has high traffic.
This is quite literally one of those 'think of the children' type articles you normally make fun of. Quite disappointing really.
It may not be a "think of the children" article, but it still appears naive from the author to suggest that a scumbag who makes a living planting malware on misconfigured websites would think twice before infecting a charity site. Do we really expect these guys to have any moral sense at all?
"stealing from a charity, particularly one involving children, is just perverse."
more accurately, those who give to what appears to be a legit and reputable charity. People who give money to charity are therefore being perceived as "marks" for exploitation and fraud, in this case higher electricity bills in order to fund some miscreant's bitcoin wallet.
icon - using it anyway, even if it's just for some lame attempt at comedy
Or does this article feel a bit more Daily Mail than El Reg?
> The time of year might also have had something to do with the filth choosing Make-A-Wish as their target
To be honest I'm not used to hearing "the filth" in a context that doesn't mean the Old Bill. In any case, doesn't feel very El Reg, and reads more like a Daily Mail outrage piece.
I reset my password after maybe 5 years of lurking to back this up.
I read el reg pretty much daily but I don't come here to read this daily mail style crap.
I went through the article and took this from it:
1. sysadmin for Make-A-Wish hasn't patched a 5-month-old bug.
2. most likely some script found the ip as vulnerable.
3. malware distributors do not have a magic blacklist of addresses to skip by which may belong to charities.
I think I already knew about 2 & 3, which makes this article about a sysadmin having not patched a server. Really interesting reading... Thanks for taking my time.
It's not clear what exactly motivated the utter scum to choose to compromise the website of a charity that performs acts of kindness for seriously ill
That assumes they paid any attention to the content on the site in the first place and the actual script placement was done by a human not an automated attack.
I do not see any reason for either one of these conjectures to be justified. Most of the work today is done by automated bots, and even if there is insertion of JavaScript by hand, it is done by a pay-by-hour "mechanized turk" in some third-world country who is neither likely to read the site nor understand its mission.
"It's not clear what exactly motivated the utter scum to choose to compromise the website of a charity that performs acts of kindness for seriously ill children"
I don't think the malware script cares what sort of website it is infecting.
Also, in my experience, big multinational charities tend not to care about anything other than their directors' massive salaries.
The 2017 accounts confirm DavCrav's figures on turnover. Note it's a scan, so not searchable, which makes fact finding a touch harder (so perhaps intentional?).
It's worth noting PDF p27 (p25 of the doc) shows 2 people (of 66 staff in 2017 - PDF p28, doc p26) earning £80k-£90k (presumably CEO and someone else), with three more earning £60k-£70k; plus £15k of pension payments for all 5. Not at the higher end as some of the biggest UK charities tend to pay their CEOs around £140k but not shabby by Charity standards so they can't really claim there wasn't enough in the pot to pay for a decent BOFH to keep the hackerz at bay.
Total salary expenditure is £1,916,767, so with 66 employees the average salary is ~£30k. Excluding the five execs (2*£85k + 3*£65k) gives an average salary for the workers of ~£25,500.
"The Chief Information Officer earns $246,821; and the VP earns $263,972"
Well, $250k-ish for a CEO or VP is kinda small, actually, compared to the rest of the industries out there. It has to do with what kinds of decisions someone in this position can make, and how much they can benefit [or harm] the organization. You get what you pay for.
Seriously, though, complaining about that just sounds like 'wage envy'.
Another reason that cryptocurrency is just another way to get everyone to infect everybody's computer with malware to generate fake useless currency with real resources like electricity.
Cryptocurrency is just a sad pathetic excuse for coders to code malware and attack people's computers for profit.
The electricity that is wasted on a currency that ironically needs electricity to operate is immense and the little bit of chump change you get out of it isn't going to buy you anything.
This is why cryptocurrency chumps are rolling out malware attack after malware attack and infecting all of their relatives' computers so that they can go to the local Bitcoin cash-in or whatever it's called and buy drugs or other black-market material.
If it was up to me I would ban all forms of cryptocurrency, and you bet that all viruses, malware, spyware, and other forms of attacks would go down by 50%.
Cryptocurrency isn't the future. The future is actually where we use real resources like the real electricity that's generated with resources like coal, natural gas, wind, and hydroelectric, and not waste them in some stupid attempt to prove that a software-based currency looks kind of cool.
All forms of currency are evil especially cryptocurrency because if you look at all the cryptocurrency millionaires they have their hands dipped into criminality and malware.
Using a block and chain software for anything is pathetic considering that it costs real electricity which is generated with real resources that are really being wasted by all these internet nerds trying to steal from every vulnerable computer they can get their hands on.
It's also sad because, thanks to these greedy idiots, the prices of graphics cards, CPUs, and other computer materials go up, because they're no longer used for playing games, watching Netflix, business, or casual browsing; they are used to fund cryptocurrency for the black market.