How a hacker took over a business via changing the government records of the company

The absence of authentication mechanisms on some online platforms can pose serious problems for your users. Experts from an ethical hacking course detail how an entrepreneur from Volusia County, Florida, was the victim of a fraud variant due to the few security measures on a government website.

Blair Burk, owner of Medical Facilities Construction Group, a company that builds and provides maintenance service to medical practices, claims that a hacker entered his company’s state records, modifying the information and removing his name from these records. “This man came in and said he was the president of my company. I can’t even understand what happened,” the victim says.

However, the company’s profile in the Florida Division of Corporations, in charge of the official registration of local companies, mentions that the owner is an individual named Nicolas Carioti, originally from South Florida. Apparently, someone hacked the official records, stored in Sunbiz.org: “I never thought anyone could just get into the system and change this information,” Burk adds.  

This is itself a very serious thing, although experts from the ethical hacking course mention that the worst was missing. After consulting with the platform managers, Burk discovered that their information was not protected with passwords or some other authentication requirement, so any user could change their official corporate records: “It’s something that’s allowed, there’s nothing that can prevent it. If you ask those responsible, they say they’re sorry, but that only lawmakers can change the situation.”

Burk only received a government alert via his email informing him of the change in corporate records. The employer fears that the individual who modified this information will try to make a profit at the expense of his company, such as applying for a bank loan, drafting a contract, or some other variant of bank fraud.

Tommy Orndorf, expert in an ethical hacking course, analyzed what happened to Burk, mentioning that it is possible to make changes to these profiles without the use of passwords or any other form of verification: “These platforms must have some verification mechanism, not use only an email,” the specialist says.

La imagen tiene un atributo ALT vacío; su nombre de archivo es florida20082020.jpg

Upon consultation, the Florida Division of Corporations mentioned that Burke’s complaint had already been addressed and the flaws on its website were corrected. However, the affected user is still afraid that someone might infiltrate these records: “It took me three days to fix this and I don’t want to go through a similar situation again,” Burke concludes.