Other


20
Dec 13

Cards Stolen in Target Breach Flood Underground Markets

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

targetgoboom

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Continue reading →


18
Dec 13

Sources: Target Investigating Data Breach

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day the year.

target

Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story;

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.

Continue reading →


18
Dec 13

The Biggest Skimmers of All: Fake ATMs

This blog has spotlighted some incredibly elaborate and minaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

On Saturday, Nov. 23, a customer at a Bank of Brazil branch in Curitiba, Brazil approached the cash machine pictured below, dipped his ATM card in the machine’s slot, and entered his PIN, hoping to get a printed statement of his bank balance.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

When the transaction failed, the customer became suspicious and discovered that this ATM wasn’t a cash machine at all, but a complete fake designed to be seated directly on top of the real cash machine. Here’s what the legitimate ATM that was underneath looked like.

The real ATM.

The real ATM underneath.

When the cops arrived, they pulled the fake ATM off the real cash machine. Here is the fake ATM, set down on the floor.

FakeATMfloor

Continue reading →


7
Aug 13

$1.5 million Cyberheist Ruins Escrow Firm

A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.

casholeThe heist began in December 2012 with a roughly $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut it down.

Up until the past few weeks, the firm’s remaining funds have been tied up in a conservatorship established by the state, effectively barring the company’s owners from accessing any of its money. In early July, the state appointed a receiver to help wind up the company’s finances.

The court-appointed receiver – Peter A. Davidson of Ervin Cohen & Jessup LLP in Beverly Hills — said he and the company are contemplating their options for recovering more of the lost funds from the bank — Irvine, Calif. based First Foundation.

“We’re exploring what choices we have to recover funds for those who had escrows and are owed money,” Davidson said. “We filed a claim with the insurance company and we’re looking at our options for possibly dealing with the bank.”

Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.

First Foundation did not respond to requests for comment.

Efficient’s co-owner Daniel J. Crenshaw said the bank produced a report shortly after the heist concluding that the missing funds were stolen not in a cyberheist but instead embezzled by an employee of Efficient Services. Crenshaw said the bank later backed away from that claim, after the state appointed a local forensics expert to examine the controller’s computer; sure enough, they discovered that the system had been compromised by a remote access Trojan prior to the heist.

Continue reading →


4
Mar 13

KrebsOnSecurity Wins Awards

I recently returned from San Francisco, which last week hosted the annual RSA Security conference. I had the pleasure of moderating a panel discussion on Raising the Costs of Compromise with some very smart guys, and also shared a stage with several security authors who were recognized for their contributions to infosec media.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Krebsonsecurity.com was honored with the “Blog That Best Represents the Industry,” award at the RSA Security Blogger Meetup. This was the third year in a row that judges bestowed that honor on this blog. Krebsonsecurity.com also won the award for “Most Educational Security Blog.”

Paul Dotcom won for “Best Security Podcast”; J4VV4D’s Blog earned the “Most Entertaining Security Blog” award; Sophos’s Naked Security Blog took home the “Best Corporate Security Blog” prize; and the “Single Best Blog Post or Podcast of the Year” went to Forbes’ Andy Greenberg, for Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees). Finally, security blogger Jack Daniel was the latest greybeard inducted into the Security Bloggers Hall of Fame (Bruce Schneier and I shared that honor last year, which is why we’re both pictured on stage flanking Jack in this shot from last week).

Yours truly also was named one of 10 winners of the SANS Institute‘s “Top Cyber Security Journalist” award. I am truly honored for the recognition, and want to thank all the loyal readers of this blog for their constant encouragement and support.


28
Jan 13

Big Bank Mules Target Small Bank Businesses

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company’s online banking accounts using the controller’s credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles’ payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

nilesmulespartNiles’ financial institution — Ft. Lauderdale, Fla. based Optimum Bank — evidently saw nothing suspicious about 11 new employees scattered across five states being added to its customer’s payroll overnight. From the bank’s perspective, the user submitting the payroll batch logged in to the account with the proper credentials and with the same PC that was typically used to administer the account. The thieves would put through another two fraudulent payment batches over next two days (the bank blocked the last batch on the 19th).

In total, the attackers appear to have recruited at least two dozen money mules to help haul the stolen loot. All but two of the mules used or opened accounts at four out of five of the nation’s top U.S. banks, including Bank of America, Chase, Citibank, and Wells Fargo. No doubt these institutions together account for a huge percentage of the retail banking accounts in America today, but interviews with mules recruited by this crime gang indicate that they were instructed to open accounts at these institutions if they did not already have them.

ANALYSIS

I’ve spoken at numerous financial industry conferences over the past three years to talk about these cyberheists, and one question I am almost always asked is, “Is it safer for businesses to bank at larger institutions?” This is a tricky question to answer because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses. Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.

What’s more, it is likely that fewer cyberheists involving customers of Top 5 banks ever see the light of day, principally because the larger banks are in a better financial position to assume responsibility for some or all of the loss (provided, of course, that the victim in return agrees not to sue the bank or disclose the breach publicly).

I prefer to answer the question as if I were a modern cyberthief in charge of selecting targets. The organized crooks behind these attacks blast out tens of millions of booby-trapped emails daily, and undoubtedly have thousands of stolen online banking credentials to use at any one time. There are more than 7,000 financial institutions in the United States…should I choose a target at one of the top 10 banks? These institutions hold a majority of the financial industry’s assets, and they’re accustomed to moving huge sums of money around each day.

On the other hand, their potential for fraud is almost certainly orders of magnitude greater than at smaller institutions. That would suggest that it may be easier for these larger institutions to justify antifraud expenditures. That incentive to enact antifraud protections is even greater because these institutions have huge numbers of retail customers, a channel in which they legally eat the loss from unauthorized account activity.

Continue reading →


8
Jan 13

Adobe, Microsoft Ship Critical Security Updates

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Continue reading →


2
Jan 13

Does Your Alarm Have a Default Duress Code?

Sometimes it takes a security scare to help improve your overall security posture. Case in point: Over the holidays, I learned that our alarm system — one of the most widely used home security systems in America — contains a default code that disables the alarm. Although entering this code simultaneously alerts the police that an intruder is in the house, it also could give thieves just enough time to get away with your valuables without alerting the neighbors.

Safewatch Pro3000

Safewatch Pro3000

Over the holidays, I lost my keychain. On said chain was a very expensive key fob for unlocking and starting our car, the keys to our front door, and a remote control that arms and disarms the alarm system. For several days, the wife and I searched frantically and repeatedly for the keys. Needless to say, I didn’t leave the house the whole time. In the hopes of perhaps disabling the alarm keyfob myself, I downloaded the user manual for my alarm system (a Safewatch Pro 3000), but I could not figure out a way to complete the process.

After of the fourth day of failing to locate the missing keys, we decided it was time to call a locksmith and ADT, our alarm company. The ADT technician arrived promptly and was extremely fast, courteous and helpful. But he said he couldn’t remove the fob without plugging in an external keyboard that he had on hand.

As he worked, I asked him about a feature of the alarm system that I’d read about in the manual: A duress code. Simply put, a duress code is a secondary, covert signal designed to be entered on the alarm keypad in the event that an attacker or robber ambushes you at home and forces you to disarm the system. A duress code will appear to disarm the system, but it will also send a silent panic alert to the ADT monitoring station that a potentially hostile intruder has entered the home.

I asked the technician how difficult it would be to set up a duress code for my system. He informed me that there was already one programmed into my unit, and that ADT technicians routinely set all systems like mine with the same default duress code: 2-5-8-0, the four digits that run straight down the middle of the keypad. Continue reading →


28
Dec 12

Happy 3rd Birthday KrebsOnSecurity.com!

It’s difficult to believe I’ve been doing this solo thing for so long, but as a thoughtful reader just reminded me, Dec. 29 marks the third anniversary of the KrebsOnSecurity.com blog!

3rdThis past year, KrebsOnSecurity featured nearly 200 blog posts, entries that have generated some 5,700 reader comments. Reader feedback and comments add tremendous value to this site, and are frequently the source of inspiration for future blog posts. Thank you for sharing your knowledge and experience with the rest of us!

Readers sometimes ask why I am not writing about the latest report or story-du-jour. The short answer is that this is precisely why I remain an independent investigative reporter: To be able to focus on subjects and topics that few others are examining, and to do original reporting. That will continue to be my goal going into 2013.

Some readers have been especially generous: So far this year KrebsOnSecurity.com has received more than 40 donations via the PayPal Donate! button in the sidebar. Several readers (particularly Aleksey and Alek) have been extremely generous with their time in helping with professional translations of certain Russian texts.

My work in 2012 involved numerous public speaking engagements, including talks and/or keynotes in Halifax, Qatar, Alabama, California, Connecticut, Illinois, New Hampshire, New York, Oregon and Pennsylvania.

I look forward to continuing my investigative reporting on cybercrime, cybersecurity, and the underground economy. Most of all, I look forward to your continued readership and support. Thank you, Happy Holidays, and a very Happy New Year to all.


13
Nov 12

Microsoft Patches 19 Security Holes

Microsoft today issued six software updates to fix at least 19 security holes in Windows and other Microsoft products. Thirteen of those vulnerabilities earned a “critical” rating, which means miscreants or malicious code could leverage them to break into vulnerable systems without any help from users.

Of note in these patches is a critical update for Internet Explorer 9 that fixes three flaws in IE (these bugs do not exist in older versions of IE, according to Microsoft). Other critical updates address extremely dangerous flaws in core Windows components, such as the Windows shell and Windows Kernel; these vulnerabilities are present in nearly all supported versions of Windows.

All of the critical updates earned the most dire marks on Microsoft’s “exploitability index,” which tries assess the likelihood that attackers will devise remote code execution attacks and denial of service exploits within 30 days of a security bulletin release.

Also included among the critical patches is an update for Microsoft’s .NET Framework. I mention this one separately because in the few times I’ve had troubles after applying Windows security updates, a .NET Framework patch has always been part of the mix. My update this time around went fine (albeit a tad slowly) on a Windows 7 system, but if you experience any issues applying these patches, please leave a note in the comments section below.

Other vulnerabilities addressed in today’s update batch include flaws in Microsoft Excel and Microsoft Internet Information Services (IIS). A summary of the bulletins released today is available at this link. Wolfgang Kandek, chief technology officer at Qualys, has put together a readable blog post with some additional thoughts on the severity and relative urgency of today’s patches.

Update, 8:34 p.m.. ET: Several readers have pointed my attention to problems with a non-security update released with today’s batch: KB2750841. According to this thread, KB2750841 seems to be causing issues for users of OpenDNS. This workaround from OpenDNS forum user “gotroot” appears to have worked for most users experiencing problems.