Talk2M Incident Report
The eWON commercial website www.ewon.biz has been attacked. A corrupted eCatcherSetup.exe file was placed into the CMS (Content Management System) of the www.ewon.biz website, and the eCatcher download hyperlinks were rerouted to this corrupted file. The corrupted eCatcherSetup.exe contains a “Trojan” virus which can impact the security of Talk2M account access.
The Talk2M database and infrastructure (all components) are not impacted: Talk2M is hosted at a different location, by a different hosting company, with a higher security level.
Around 250 downloads of this corrupted eCatcher setup file have been performed, creating a potential security issue for the related Talk2M accounts (<1% of all Talk2M accounts).
During the installation of the corrupted eCatcherSetup.exe, a first warning dialog box showed that the source file was published by an UNTRUSTED publisher. Then the real eCatcher setup was executed, displaying that it was signed by the trusted publisher ACTL (holding company of eWON SA).
During the first phase of the setup, the trojan virus was installed (named Tmproviderxxx.dll). The virus tried to access the encrypted eCatcher login/password information stored on your computer.
We currently have no indication that there has been unauthorized activity on any Talk2M account.
Immediate corrective action
As the security, integrity and reliability of our Talk2M cloud infrastructure are our first and foremost priority, we have decided to take the following proactive immediate actions:
A new eCatcher 4.1 (which can be downloaded here) has been built with the capability of ERASING the virus during the setup phase.
A mailing will be sent on Jan 30th, forcing the upgrade of eCatcher 4 to eCatcher 4.1.
Even though all passwords are encrypted, reset the passwords of all Talk2M accounts where an eCatcher 4 has performed a connection. This will force users to change their password (by using the forgot password procedure for eCatcher 3.X or the expiration method for eCatcher 4.1).
eCatcher 3.x users on Talk2M accounts where an eCatcher 4 has never performed a connection are not affected by this incident.
An official complaint has been filed with the Federal Computer Crime Unit, with all detailed technical information, for further investigation.
The CMS of the commercial eWON website has been audited and new firewall settings have been implemented.