Other


17
Apr 14

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

michaelsThe disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.” Continue reading →


16
Apr 14

Critical Java Update Plugs 37 Security Holes

Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system. Continue reading →


15
Apr 14

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time. Continue reading →


14
Apr 14

Crimeware Helps File Fraudulent Tax Returns

Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

The control panel for a tax fraud botnet involving more than a half dozen victim organizations.

An obfuscated look at the he control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The "drops" page of this tax  fraud operation lists the nicknames of the co-conspirators who agreed to "cash out" funds on the prepaid cards generated by the bogus returns -- minus a small commission.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims maybe exploited not only for 2013 tax year but also down the road,  and perhaps subject of higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.” Continue reading →


10
Apr 14

Heartbleed Bug: What Can You Do?

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable: Continue reading →


5
Apr 14

Fact-Checking Experian’s Talking Points

In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.

Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”

“It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”

I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.

-No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.

As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).

For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.

“Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.

-Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.

Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”

Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed,” in this fraud. But this mantra draws attention away from the real victim: Consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask to this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale?  Continue reading →


11
Mar 14

KrebsOnSecurity.com Wins Awards

mlaIn February, this blog and its author were recognized for three separate awards. At the RSA Security conference in San Francisco, KrebsOnSecurity.com was voted the “Most Educational Security Blog” at the Security Bloggers Meetup (for the second year in a row). The judges at the meetup also gave KrebsOnSecurity.com the honor of the “Best Blog Post of the Year,” for my reporting on the Adobe breach.

Separately, I am honored to have received the Mary Litynsky Award for Protecting the Online Community, a lifetime achievement recognition given by the Messaging, Malware and Mobile Anti-Abuse Working Group. M3AAWG’s announcement about the award is here. Past recipients of this award are listed here.


25
Feb 14

Card Backlog Extends Pain from Target Breach

Last week’s story about steeply falling prices on credit and debit card data stolen from Target mentioned several reasons why many banks may not have already reissued all of their cards impacted by the breach. But it left out one other key reason: A huge backlog of orders at companies that manufacture credit and debit cards on behalf of financial institutions.

carddominoesTurns out, while the crooks responsible for monetizing the Target breach seem to have had little trouble counterfeiting stolen cards, the process by which banks obtain legitimate replacement cards for their customers is not always quite so speedy.

I recently spoke with a gentleman who heads up security at a small federal credit union, and this individual said his institution ended up printing their own cards in-house after being told by their financial services provider that their order for some 2,000 new customer cards compromised in the Target breach would have to get behind a backlog of more than 2 million existing orders from other banks.

The credit union in question issues Visa-branded cards to its customers, but the actual physical cards are produced by Fiserv, a Brookfield, Wisc. financial services firm that also handles the online banking portals for a huge number of small to mid-sized financial institutions nationwide. In addition to servicing this credit union, Fiserv also prints cards for some of the biggest banks in the world, including Bank of America and Chase.

Shortly after the holidays, the credit union began alerting affected customers, notifying them that the institution would soon be reissuing cards. But when it actually went to place the order for the new cards, the institution was told it would have to get in line.

“They informed us that there was a backlog of 2 million cards, and said basically, ‘We’ll get to you when we get to you’,” the credit union source told KrebsOnSecurity.

Murray Walton, chief risk officer at Fiserv, acknowledged that the company has experienced extraordinarily high demand for new cards in the wake of the Target breach, but that Fiserv is quickly whittling down its existing backlog of orders.

“A large breach injects additional demand into a system that is already operating at near-peak capacity at year-end,” Walton said. “As a result, producers face the challenge of juggling existing contractual commitments with this incremental demand, and turn to mandatory overtime and staff augmentation to get the most out of their equipment and infrastructure.   We believe we are managing this situation as well as possible, and are beginning to see our cycle times (order to delivery) diminish compared to a few weeks ago.  Meanwhile, we note that fraud prevention is a multi-faceted challenge, and card reissue is only one arrow in the quiver.  Alert consumers and behind-the-scenes fraud management programs are also essential.”

Faced with mounting customer service requests from account holders who’d been told to expect new cards, the credit union decided to take matters into its own hands.

“We have the capability to print out the cards ourselves at a local branch, so some of our software developers wrote some scripts to export the customer data and we had two people who ended up burning the midnight oil for several days making these cards by hand.”


29
Dec 13

Happy 4th Birthday, KrebsOnSecurity.com!

Dec. 29 marks the 4th anniversary of KrebsOnSecurity.com! Below are a few highlights from this past year, and a taste of what readers can look forward to here in 2014.

targets4

If there was an important data breach in 2013, chances are that news of it first broke on this blog. Among KrebsOnSecurity’s biggest scoops this year were stories about breaches at Adobe, Bit9, Experian, LexisNexis, Target and The Washington Post.

Some of these stories are ongoing and will unfurl reluctantly but gradually throughout 2014. Look for a more thorough explanation of what really happened when Experian sold more than a year’s worth of consumer credit data directly to an underground service marketed to identity thieves, for example. And of course, we will almost certainly learn more about the “how” and “who” of the massive attack on Target.

The audience for this blog has grown tremendously in the past year. The site now attracts between 10,000 and 15,000 visitors per day. For the first time in its existence, KrebsOnSecuirty is on track to exceed more than 1 million pageviews this month (fittingly, this should come to pass sometime today).

That growth would not have been possible without you, dear loyal readers. 2013 featured more blog posts and more in-depth investigations than perhaps any other year, but the real value in this site comes from the community that has sprung up around it. Readers submitted more than 10,000 comments this past year. More than two dozen of you also supported this site directly via the PayPal or Bitcoin donation links in the blog sidebar. Whichever way you supported this site in 2013, a hearty THANK YOU for your contribution and encouragement.


22
Dec 13

Non-US Cards Used At Target Fetch Premium

An underground service that is selling credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.

On Dec. 20, this blog published a story about the “card shop” rescator[dot]la. That piece explained how two different banks — a small, community bank and a large, top-10 bank — had bought back their customers’ stolen cards from the fraud service and discovered that all of the purchased cards had been used at Target during the breach timeframe. The shop was selling data stolen from the magnetic stripe of each card, which thieves can re-encode onto new, counterfeit cards and use to go shopping in bricks-and-mortar stores for items than can easily be fenced or resold.

As I wrote in that story, a key feature of this particular shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s N0v. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle” (also an island in the Caribbean long associated with pirates). The small bank similarly found that all of the cards it purchased from the card shop also bore the Tortuga base name, and all had been used at Target.

Cards stolen from non-US customers who shopped at Target are sold under the "Barbarossa" base.

Cards stolen from non-US customers who shopped at Target are sold under the “Barbarossa” base.

On Friday, the proprietor of this card shop announced the availability of a new base — “Barbarossa” — which consists of more than 330,000 debit and credit cards issued by banks in Europe, Asia, Latin America and Canada [side note: one Russian expert I spoke with said Barbarossa was probably a reference to Operation Barbarossa, the code name for Germany's invasion of the Soviet Union during World War II].

According to one large bank in the U.S. that purchased a sampling of cards across several countries — all of the cards in the Barbarossa base also were used at Target during the breach timeframe.

As with cards sold under the Tortuga base, debit and credit cards for sale as part of the Barbarossa base list the country of origin for the issuing bank, and then directly underneath include the state, city and ZIP code of the Target store from which the card numbers were stolen.

When I first became aware that this card shop was selling only cards stolen from Target stores, I noticed a discussion on a related crime forum wherein customers of this shop seemed very enthusiastic about this ZIP code feature. I couldn’t figure out what the big deal was: I’d assumed the state, city and ZIP described the bank that issued the card.

Later, I learned from a fraud expert that this feature is included because it allows customers of the shop to buy cards issued to cardholders that live nearby. This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder’s immediate geographic region.

Non-U.S. cards used at Target generally fetch higher prices than U.S. cards, between $67 and $100 apiece.

Non-U.S. cards used at Target generally fetch higher prices than U.S. cards, between $67 and $100 apiece.

The cards for sale in the Barbarossa base vary widely in price from $23.62 per card to as high as $135 per card. The prices seem to be influenced by a number of factors, including the issuing bank, the type of card (debit or credit), how soon the card expires, and whether the card bears a special notation that often indicates a higher credit limit, such as a Platinum card.

Continue reading →