Hot wheels web site hacked?

My son wanted to play on-line games at www.hotwheels.com, but I got complaints that it did not work. I checked what went wrong, and I saw this:

[Screenshot: hwerror]

It seems that www.hotwheels.com got forwarded to the http://fi.hotwheels.com/install.php?profile=default page, which shows the management console of the web site. I tried to mail the web site webmaster e-mail ([email protected]), but that address did not work. The Hot Wheels brand is owned by Mattel, so I tried to contact them. Finding the right contact on their web site was hard, and I finally sent the report to their press contact, asking for comment on this. I waited for 12 hours, and when the problem still persisted I decided to publish this finding on this blog.

Fact: A large web site still has its main web page forwarding users to its internal management console! I see this as a huge potential security problem (I did not try to find out how much I could do with that console because I did not want to be accused of hacking their site).

Still waiting for comments from Mattel; I will update if I receive more information on this.
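The failure the post describes (a public entry point that, for visitors from one country, redirects into an installer/management console) and the redirect loop reported in the comments are both things a site owner can watch for automatically. The script below is an added example, not code from this blog or from Mattel: it walks a redirect chain hop by hop with a hop limit, flags a final URL that lands on a management or installer path, and flags loops. The hostnames, the per-locale response table and the list of management paths are constructed placeholders; the only page-derived value is the `/install.php?profile=default` path.

```python
"""Redirect-chain audit for a public site entry point (added example).

Everything here runs offline: responses come from a constructed table that
models one site answering differently depending on the visitor's locale.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

# Paths a public entry point should never land on. Assumed/constructed list.
MANAGEMENT_PATHS = re.compile(
    r"/(install|setup|admin|manage|phpmyadmin)(\.php)?(/|$)", re.I)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def follow_redirects(fetch, start_url, max_hops=10):
    """Walk the redirect chain starting at start_url.

    fetch(url) must return a Response. Returns (chain, problems): chain is the
    list of URLs visited in order, problems a list of human-readable findings.
    """
    chain = [start_url]
    problems = []
    current = start_url
    for _ in range(max_hops):
        resp = fetch(current)
        if resp.status not in REDIRECT_STATUSES:
            break
        location = resp.headers.get("Location")
        if not location:
            problems.append(f"{current}: {resp.status} without Location header")
            break
        nxt = urljoin(current, location)  # resolve relative Location values
        chain.append(nxt)
        if nxt in chain[:-1]:             # same URL seen earlier: a loop
            problems.append(f"redirect loop: {' -> '.join(chain)}")
            return chain, problems
        current = nxt
    else:
        problems.append(f"more than {max_hops} redirects: {' -> '.join(chain)}")
        return chain, problems
    final = chain[-1]
    if MANAGEMENT_PATHS.search(urlsplit(final).path):
        problems.append(
            f"public entry point lands on a management/installer page: {final}")
    return chain, problems


# Constructed sample: locale -> {url: Response}. Hostnames are placeholders.
SAMPLE_RESPONSES = {
    "en-gb": {
        "http://www.example-toys.test/": Response(302, {"Location": "/en-gb/index.html"}),
        "http://www.example-toys.test/en-gb/index.html": Response(200),
    },
    "fi": {  # the misconfiguration the post describes
        "http://www.example-toys.test/": Response(302, {"Location": "http://fi.example-toys.test/"}),
        "http://fi.example-toys.test/": Response(302, {"Location": "/install.php?profile=default"}),
        "http://fi.example-toys.test/install.php?profile=default": Response(200),
    },
    "fi-loop": {  # the later ERR_TOO_MANY_REDIRECTS state
        "http://www.example-toys.test/": Response(302, {"Location": "http://fi.example-toys.test/"}),
        "http://fi.example-toys.test/": Response(302, {"Location": "/index.php"}),
        "http://fi.example-toys.test/index.php": Response(302, {"Location": "/"}),
    },
}


def make_fetch(table):
    """Build an offline fetch(url) over a response table; unknown URLs -> 404."""
    return lambda url: table.get(url, Response(404))


def audit_locale(locale, start_url="http://www.example-toys.test/"):
    """Audit one locale's redirect chain; returns (chain, problems)."""
    return follow_redirects(make_fetch(SAMPLE_RESPONSES[locale]), start_url)


if __name__ == "__main__":
    for locale in SAMPLE_RESPONSES:
        chain, problems = audit_locale(locale)
        status = "ALERT" if problems else "OK"
        print(f"[{status}] {locale}: {' -> '.join(chain)}")
        for p in problems:
            print("   ", p)
```

In a real deployment the `fetch` callable would issue HTTP requests with a redirect-disabling client and a per-locale `Accept-Language` header (or from vantage points in each country, since geo-IP rules were the trigger here), and an alert on any non-empty `problems` list would have caught both states days before a reader did.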

26 Comments

  1. Tomi Engdahl says:

    It seems that the problem is somewhat related to the country you come from:
    From Finland I get what I described in the article,
    From an English speaking country I get forwarded to
    http://www.hotwheels.com/en-gb/index.html
    where everything works.

    It has already been two days since I mailed Mattel, and no answer. It seems that they are not very interested in the fact that their services have problems…

  2. Tomi Engdahl says:

    Hot wheels site works well at URL http://www.hotwheels.com/en-gb/index.html

    But when http://www.hotwheels.com is accessed from Finland, the problem still persists…

  3. Tomi Engdahl says:

    Trying to get this information to Mattel and getting them to react to it in any way is a complete disaster.
    I have sent several e-mails, used Twitter, etc… They do not seem to get that anything is wrong.

  4. Tomi Engdahl says:

    This is not how companies should handle the people who try to inform them of findings that look like potentially serious security issues in their services!

  5. Tomi Engdahl says:

    Something happened when you try to contact high enough in the organization (= mail to the CEO).

    Now users from Finland don’t get this admin screen anymore.
    The page does not work at all anymore from Finland – still some problem in redirecting now – but somewhat better.

    English page at http://www.hotwheels.com/en-gb/index.html works.

  6. Tomi Engdahl says:

    Mattel Names Sinclair Permanent CEO
    Mattel chairman has been interim CEO since January; Dickson named operating chief
    http://www.wsj.com/articles/mattel-to-make-christopher-sinclair-permanent-ceo-1428000588

    Mattel Inc. named Christopher Sinclair as its permanent chief executive, selecting a longtime board member to steer the toy maker through the early stages of a turnaround.

    The appointments come at a difficult time for the toy maker, which is losing ground to rivals as its sales and profit slide.

    Mattel’s creative department has been slowed by layers of bureaucracy,

    Shares of Mattel have lost 44% of their value in the past 12 months.

  7. Tomi Engdahl says:

    http://fi.hotwheels.com/ is still giving

    “This webpage has a redirect loop
    ERR_TOO_MANY_REDIRECTS”

  8. Tomi Engdahl says:

    Because I have not heard anything back from Mattel on any of my reports, may I conclude that Mattel does not seem to care about data security and their brand’s on-line presence?
    At least it seems that they have some problems in reacting to security reports sent to them – or is this silence an intentional, planned operating practice?

    And should I be worried about this development then?

    Is Mattel’s Hello Barbie a Privacy Threat to Your Child?
    http://idt911.com/education/blog/is-mattels-hello-barbie-a-privacy-threat-to-your-child

    Mattel Inc.’s new talking doll, Hello Barbie, connects to the Internet and relies on speech-recognition software to communicate with children. Critics say that poses serious privacy threats to children and families, as outlined in this Bloomberg Business story.

    Hello Barbie’s Critics See Talking Doll as Privacy Threat
    http://www.bloomberg.com/news/articles/2015-03-25/hello-barbie-s-critics-see-talking-doll-as-privacy-threat

  9. Tomi Engdahl says:

    Story continues and http://www.hotwheels.com/ is still down for people in Finland:

    I got some reply from [email protected]
    NORSTAR (http://norstar.eu/) is a distributor of toys and licensed products for children in the Nordic countries.
    They represent Hot Wheels and other Mattel products in Finland and other countries.

    They said that Mattel head office for European operations is Mattel UK and they gave this contact
    address:
    http://service.mattel.com/uk/EmailContact.aspx

    I sent a note there a few days ago. They have not replied to this or fixed anything…

    This all keeps me wondering whether Mattel cares at all about their on-line operations and on-line security issues…

    It seems that the reaction all around is “that’s not my business – ignore.”

  10. Tomi Engdahl says:

    It seems that it takes a toy maker more than a month not to fix a pretty similar URL issue on their site (http://www.hotwheels.com/)… So magazines are way faster at this.

    After Twitter falls for a URL trick, Gannett fixes a company-wide glitch
    http://www.cjr.org/united_states_project/obligatory_joke_url_here.php

    How long does it take a major newspaper chain to fix a very public glitch in its CMS?

    About a day and a half, apparently—at least, based on what we saw from the Gannett websites this week.

  11. Tomi Engdahl says:

    How Did Chinese Phishers Get $3M From Mattel? They Asked
    https://www.pymnts.com/news/security-and-risk/2016/how-did-chinese-phishers-get-3m-from-mattel-they-asked/

    https://apnews.com/f50ded283c41465d9bdfe0f393732ce1
    Mar. 29, 2016

    WENZHOU, China (AP) — The email seemed unremarkable: a routine request by Mattel Inc.’s chief executive for a new vendor payment to China.

    It was well-timed, arriving on Thursday, April 30, during a tumultuous period for the Los-Angeles based maker of Barbie dolls. Barbie was bombing, particularly overseas, and the CEO, Christopher Sinclair, had officially taken over only that month. Mattel had fired his predecessor.

    The finance executive who got the note was naturally eager to please her new boss. She double-checked protocol. Fund transfers required approval from two high-ranking managers. She qualified and so did the CEO, according to a person familiar with the investigation who spoke on condition of anonymity because he was not authorized to speak about the matter. He declined to reveal the finance executive’s name.

    Satisfied, the executive wired over $3 million to the Bank of Wenzhou, in China.

    Hours later, she mentioned the payment to Sinclair.

    But he hadn’t made any such request.

  12. Tomi Engdahl says:

    How Did Chinese Phishers Get $3M From Mattel? They Asked
    https://www.pymnts.com/news/security-and-risk/2016/how-did-chinese-phishers-get-3m-from-mattel-they-asked/

    Associated Press has broken news of an incident that began April 30, 2015 — a month after Mattel’s then-new CEO Christopher Sinclair had taken over the top spot in the organization. The story goes that an anonymous financial executive received an email from Sinclair requesting clearance for a $3 million wire transfer to a bank in China to settle the bill for a vendor’s services. Mattel’s corporate policy on funding transfers requires approval from two executive-level managers, which the presence of the unnamed financial exec and Sinclair’s email imposter seemed to satisfy.

    According to IT security firm Beazley, incidents of ransomware in 2016 alone are expected to top the figures from the past two years combined, and 2015 sent 60 percent more data breaches to the company’s breach response services unit than 2014.

    Mattel wasn’t hit by anything near as sophisticated as a ransomware attack, but that’s just the point: The more companies myopically focus on the perceived high-tech threats, the easier it’ll be for thieves like this to socially engineer their way right through corporations’ front doors.

    Hiding Mattel’s actions of simply handing over millions of dollars under the umbrella of a general rise in cybercrime is giving the toymaker and other corporations lax on IT security a big pass.

  13. Tomi Engdahl says:

    Why Mattel Inc. Stock Fell 12% in 2015
    The toy retailer trailed the broader market and its competitor, Hasbro, last year.
    https://www.fool.com/investing/general/2016/01/12/why-mattel-inc-stock-fell-12-in-2015.aspx

    Barbie’s back! And so is Mattel
    http://money.cnn.com/2015/12/22/investing/mattel-barbie-toys-hasbro/index.html

    Since bottoming out for the year on October 2, Mattel (MAT) is up

    The company, under newish CEO Chris Sinclair, made a concerted effort to do more marketing for core brands like Barbie, Hot Wheels, Fisher-Price and Thomas & Friends ahead of Christmas.

  14. Tomi Engdahl says:

    Friday, October 16, 2015, 4:04 PM, EST
    http://business.nasdaq.com/marketinsite/2015/Market-Intelligence-Desk-Equity-Market-Insight-October-2015.html

    Mattel is the best performer on the S&P 500, adding 5% to its price on the heels of positive commentary by their CEO on their quarterly earnings call.

  15. Tomi Engdahl says:

    Real story: a five-year-old accidentally gets into the management console of a US stock company’s web site; in some regions users get into the console instead of the web site; it takes a week to get the message through to them that something is wrong, and during that time the company’s stock value took a one billion dollar drop.

  16. Tomi Engdahl says:

    How HOT WHEELS Beat Out MATCHBOX
    https://www.youtube.com/watch?v=A_Aw1auPWe0

    There is no more popular toy in the automotive world than Hot Wheels. Most of us at Donut were introduced to cars through Hot Wheels, and most still collect them to this day. Much like us there are millions of people that are obsessed with Hot Wheels and have incredible collections. How exactly did Mattel create the biggest selling toy in the world? How did it best companies like Matchbox? And how did a failed guitar design save Hot Wheels from losing to the competition?

  17. Tomi Engdahl says:

    Mattel ransomware hackers toy with wrong company
    https://www.cybertalk.org/2020/11/09/mattel-ransomware-hackers-toy-with-wrong-company/

    Mattel Inc., the company that produces Hot Wheels, Batman action figures and Barbie dolls, recently experienced a ransomware attack. No sensitive data was lost. The company managed to independently overcome the attack. It’s a rare success story.

    Mattel reports that it has suffered “no material impact to operations or financial condition.” Typically, ransomware attacks lead to business downtime and flurry of frustrating financial costs.

    Straightforward emergency response protocols enabled the company to contain the infection. Mattel’s systems were down for a brief window, but such an encumbrance amidst a ransomware attack is akin to escaping a car crash with just a few scratches to the paint.

    Cyber criminals first targeted Mattel in 2015. That attack involved a spear phishing campaign and an accidental transfer of over $3 million. Since then, Mattel has worked to increase its cyber security measures and protocols.

    How Did Chinese Phishers Get $3M From Mattel? They Asked
    https://www.pymnts.com/news/security-and-risk/2016/how-did-chinese-phishers-get-3m-from-mattel-they-asked/

    The media is obsessed with the word “hacker.” It’s become something of a digital boogeyman, conjuring up images of hooded teenagers bent over keyboards in rooms full of computers and their constituent parts. When one of their elusive number strikes at the corporate world, their skills are discussed in nonspecific and vaguely threatening terms — they bypass, they slip through, they disable security systems.

    So, why is it that these super-skilled cyberthieves didn’t even break out their passcode generators when they stole $3 million from Mattel? Where were all the corporate firewalls when the hackers asked and received the money they never should’ve been sent?

    That has to be haunting the halls of toymaker Mattel’s headquarters now that Associated Press has broken news of an incident that began April 30, 2015 — a month after Mattel’s then-new CEO Christopher Sinclair had taken over the top spot in the organization. The story goes that an anonymous financial executive received an email from Sinclair requesting clearance for a $3 million wire transfer to a bank in China to settle the bill for a vendor’s services. Mattel’s corporate policy on funding transfers requires approval from two executive-level managers, which the presence of the unnamed financial exec and Sinclair’s email imposter seemed to satisfy.

