On November 11, news about the massive data exposure of the clients of Orvis, a 163-year-old retailer, made headlines. Some of the company’s login credentials were posted on pastebin.com and could be used to gain access to Orvis’s databases. With over 80 retail stores, 10 outlets, and hundreds of independent dealers worldwide, we believe potential attackers could get their hands on millions of customer data. Here’s what we know about the case so far:

• The usernames and passwords that Orvis used for different products and services were posted on pastebin.com in plaintext on two separate dates—October 4 and October 22.
• Orvis claimed that the document containing the sensitive information was only accessible for a day and was removed immediately after discovery.
• The company also claimed that a majority of the exposed login credentials were already expired.
• An employee or a trusted partner could be responsible for the data leak.
• The only clue that the company and its investigators found about the incident was that the document was labeled “VT Technical Services.”

Overall, this data leak shows that one person in a company with ill intentions can weaken even a robust security infrastructure. In this post, we take a look at the available clue “VT Technical Services” and conduct some deeper analysis.

The Investigation of a Potential Clue

Typing “VT Technical Services” on different search engines led to a variety of results. The terms are, after all, quite generic and may refer to different companies based in a place that uses VT as an acronym (like Vermont or elsewhere) and offers technology-related services. We even came across a construction company based overseas with a profile for the name “VT Technical Services Ltd” as well as various professional profiles on which variants of the search terms are referred to as their employer.

As such, this clue points to various directions, most of which aren’t even probably connected to the data leak in question. We did, however, find a website possibly worth investigating further. Since we couldn’t confirm the domain’s direct connection to the unfortunate events affecting Orvis, however, we preferred not to disclose the name publicly.

That said, pulling out portions of its WHOIS record using WHOIS Search showed the following contact details:

The information on the record is redacted through a domain privacy service provider established in Panama, therefore replacing the registrant’s actual data. Keeping details private isn’t automatically a telltale sign of cybercrime, even though one can easily imagine why cybercriminals may feel particularly induced to do so.

Another interesting fact gathered from the WHOIS record is the domain age. The registration happened only a few months before the Orvis breach. Again, this alone doesn’t imply a connection with the incident though it’s an interesting coincidence as it’s common practice for cybercriminals to register domain names only a few weeks or months before proceeding with an attack.

Upon visiting the site hosted on the domain analyzed, we found that the company, which appears to offer IT security services, claims to be based in both the U.S. and Africa. On the other hand, its social media profile showed its principal place of business was Africa. While this company may operate internationally (though at a young age) or decided to relocate or rebrand itself, its owners may be attempting to appear U.S.-based to cater and mislead other companies in that country—a questionable business practice.

* * *

All in all, the clue from the Orvis.com data breach, “VT Technical Services,” might only be a starting point for investigators. Through the investigation of WHOIS records, among other sources of information, the hint may help them build context and narrow down their list of suspects.