March 17, 2014

Nationwide cosmetics and beauty retailer Sally Beauty today confirmed that hackers had broken into its networks and stolen credit card data from stores. The admission comes nearly two weeks after KrebsOnSecurity first reported that the company had likely been compromised by the same criminal hacking gang that stole 40 million credit and debit cards from Target.

The advertisement run by thieves who stole the Sally Beauty card data.

Previously, Denton, Texas-based Sally Beauty had confirmed a breach, but said it had no evidence that card data was stolen in the break-in. But in a statement issued Monday morning, the company acknowledged it has now discovered evidence that “fewer than 25,000 records containing card present (track 2) payment card data have been illegally accessed on our systems and we believe have been removed.” Their statement continues:

“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security incident.”

“We take this criminal activity very seriously. We continue to work diligently with Verizon on this investigation and are taking necessary actions and precautions to mitigate and remediate the issues caused by this security incident. In addition, we are working with the United States Secret Service on their preliminary investigation into the matter.”

On Mar. 5, this blog reported that hackers appeared to have broken into Sally Beauty’s network and stolen at least 282,000 cards from the retailer. That conclusion stemmed from purchases made by several banks at an archipelago of fraud sites that have been selling cards stolen in the Target breach. The first new batch of non-Target cards sold by this fraud network — a group of cards marketed under the label “Desert Strike” — all were found by three different financial institutions to have been recently used at Sally Beauty stores nationwide.

In a FAQ that accompanies today’s announcement, Sally Beauty declined to speculate whether data from its online stores was compromised, but stressed that so far the breach is known to involve “card present” data — specifically the data encoded on the magnetic stripe on the back of the card. Thieves prize this data because it allows them to encode counterfeit cards and use them to go shopping in big box stores for high-priced merchandise, gift cards and other items that can be resold quickly for cash.

In a fascinating and timely development, the main fraud shop that has been selling cards stolen in the Sally Beauty breach — rescator[dot]so — was recently hacked, and its entire database of customer (read: fraudster) usernames and passwords was dumped online. Then, sometime on Sunday, the site’s homepage was defaced, with a message to this author and to the proprietors of the fraud shop:

The site principally responsible for selling Sally Beauty cards — as well as millions of cards stolen from Target — was defaced this weekend.


43 thoughts on “Sally Beauty Confirms Card Data Breach”

  1. AJ Hermann

    That sucks for Sally Beauty. But the Rescator hack is awesome.

    Brian, you don’t have to say their name, but do you have a suspicion of who hacked Mr. Selfie (Rescator)?

      1. AJ Hermann

        Will do! BTW, I’m @ScoopDogg7 (AJ The Juice) on Twitter. Thanks for interacting!

    1. Mark Allyn

      I had a dream that I hacked a bad guy site like that and I stole all of their equipment so that I can take the metal and use it in my art and jewelry.

  2. Michael

    Did Sally respond to why they decided to leave their HIDS in monitor mode only instead of blocking the attacks to prevent the problem? Yet again I am stumped as to why companies want to just watch their systems’ data being exfilled instead of blocking it in the first place. I am sure Target wishes they would have let their FireEye systems block the malware instead of just logging it.

    1. ChoppedBroccoli

      because sell first, ask questions later (if needed)

    2. TazDoesItAgain

      That would require Target or any other company to:
      1. actually care, and
      2. actually believe someone would attack them, and
      3. be willing to pay a commensurate salary for someone with the skills and knowledge to protect them.

    3. Andrew

      FireEye offers a free trial of their hardware. It is normally installed in “audit-mode” during the trial period to see what it could have blocked.

      1. Michael

        Yep, I have used it and it is in monitor mode. But when you pay hundreds of thousands for the full product you need to run it in blocking mode, unless you are so in control of your devices that you will never make a mistake and miss something. It takes literally minutes to exfil databases, much quicker than people can respond to the alert.

        1. Andrew

          Agreed. Anyone who has actually vetted the product and paid for it should use its full capability.

  3. Daniel Brandt

    It’s not a direct hack, but rather the nameservers were changed from the original greg.ns.cloudflare.com and rose.ns.cloudflare.com to a different provider, so that you are sent to a different location. If you bypass DNS and use the main Russian IP address that rescator uses for octavian.su, rescator.so, kaddafi.hk, and cheapdumps.so, you will see that the rescator.so page is still intact:

    curl -A '' -o rescatorso.html -m 6 -H 'Host: rescator.so' 109.68.191.127

    The new nameservers now resolve to 80.82.65.21 in Netherlands. Here is the new whois data for rescator.so:

    Whois lookup result for rescator.so.
    [Querying whois.nic.so]
    [whois.nic.so]
    Domain ID:GMOREGISTRY-DO27434
    Domain Name:RESCATOR.SO
    Created On:2013-10-01T07:27:57.0Z
    Last Updated On:2014-03-17T08:05:38.0Z
    Expiration Date:2015-10-01T23:59:59.0Z
    Status:clientTransferProhibited
    Status:clientUpdateProhibited
    Status:clientDeleteProhibited
    Status:serverTransferProhibited
    Registrant ID:WN18968955T
    Registrant Name:Private Registration
    Registrant Organization:rescator.so
    Registrant Street1:Rm.804, Sino Centre, Nathan Road,
    Registrant City:Kln Hong Kong
    Registrant State/Province:Hong Kong
    Registrant Postal Code:582-592
    Registrant Country:HK
    Registrant Phone:+852.23840332
    Registrant FAX:+0.0
    Registrant Email:domreg@247livesupport.biz
    Sponsoring Registrar ID:webnic
    Sponsoring Registrar Organization:Web Commerce Communications Limited
    Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
    Sponsoring Registrar City:Kuala Lumpur
    Sponsoring Registrar State/Province:Wilayah Persekutuan
    Sponsoring Registrar Postal Code:5700
    Sponsoring Registrar Country:MY
    Sponsoring Registrar Phone:+60.60389966788
    Name Server:NS2.CLOUDNS.NET
    Name Server:NS1.CLOUDNS.NET
    DNSSEC:Unsigned
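The two checks the comment above walks through by hand, as an added example that is not Daniel Brandt’s or the article’s code: parse a whois record in the same `Key:Value` layout as the output quoted above and diff its nameservers against the Cloudflare delegation the comment says the domain had before, and build the raw HTTP request that the quoted `curl` line sends (connection to the IP you choose, `Host` header naming the virtual host, no `User-Agent`). The whois excerpt below is a constructed subset of the fields shown in the comment; the previous nameservers and the `fetch_by_ip` helper name are taken from or modelled on the comment, and nothing here touches the network unless you call `fetch_by_ip` yourself.

```python
"""Added example (not from the article or the comment): whois nameserver
diff and a DNS-bypassing HTTP request with a Host header override."""
import socket
from typing import Dict, List, Set

# Constructed excerpt in the same Key:Value layout as the whois output above.
SAMPLE_WHOIS = """\
Domain Name:RESCATOR.SO
Last Updated On:2014-03-17T08:05:38.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Name Server:NS2.CLOUDNS.NET
Name Server:NS1.CLOUDNS.NET
DNSSEC:Unsigned
"""

# Delegation the comment says the domain carried before the change.
PREVIOUS_NS = {"greg.ns.cloudflare.com", "rose.ns.cloudflare.com"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Fold 'Key:Value' lines into a dict. Keys that repeat (Status, Name Server)
    accumulate a list; '[...]' status lines from the whois client are skipped."""
    rec: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("[") or ":" not in line:
            continue
        key, _, value = line.partition(":")   # first ':' only; timestamps contain more
        rec.setdefault(key.strip(), []).append(value.strip())
    return rec


def nameserver_change(rec: Dict[str, List[str]], previous: Set[str]) -> Dict[str, object]:
    """Compare the record's NS set with a previously observed delegation."""
    current = {ns.lower().rstrip(".") for ns in rec.get("Name Server", [])}
    prev = {ns.lower().rstrip(".") for ns in previous}
    return {"changed": current != prev, "added": current - prev, "removed": prev - current}


def build_host_override_request(host: str, path: str = "/", user_agent: str = "") -> bytes:
    """Bytes equivalent of `curl -A '' -H 'Host: <host>' http://<ip><path>`:
    the TCP connection goes wherever the caller points it, the Host header
    picks the virtual host. An empty user_agent sends no User-Agent header."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if user_agent:
        lines.append(f"User-Agent: {user_agent}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def fetch_by_ip(ip: str, host: str, path: str = "/", timeout: float = 6.0) -> bytes:
    """Send the request straight to an origin IP, bypassing DNS (network call;
    hypothetical helper name, not run by default)."""
    with socket.create_connection((ip, 80), timeout=timeout) as s:
        s.sendall(build_host_override_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    diff = nameserver_change(record, PREVIOUS_NS)
    print("last updated:", record["Last Updated On"][0])
    print("delegation changed:", diff["changed"], "added:", sorted(diff["added"]))
    print(build_host_override_request("rescator.so").decode())
```

Two practical caveats. The "Last Updated On" timestamp falling on the same day as the defacement is consistent with a registrar-level delegation change rather than a server compromise, which is the comment’s point, but whois and DNS are both under the registrant’s (or whoever holds the registrar account’s) control, so they tell you where the name points, not who did it. And the `Host` override only shows the old page while the origin at that IP still serves that virtual host; once the operator moves or shuts it, the trick yields whatever default site the server answers with.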

  4. mobocracy

    Why is Verizon showing up as the clean-up security contractor on these break-ins?

    Do they have a major security contracting business or have they just developed some significant in-house abilities due to their wireline and wireless business?

    1. SeymourB

      As I recall (and I could be wrong), Verizon acquired a company that provided security services. That was some time ago, so now they’re probably just another cubicle-hell division of Verizon.

  5. JCitizen

    The credit card companies might as well re-issue ALL cards after the way things have been going. I suspected they needed to do this immediately after reading about the Target breach here on KOS.

    I dropped one of them simply because they dumped Online Secure Credit Card Numbers. Talk about bad timing for the industry on that one! :/

  6. JATny

    Rescator was hacked!? That is awesome; even a partial hack is good. Why don’t we all just chase him around the internet block? As for Sally, their holier-than-thou attitude is annoying: “we take this very seriously,” so therefore we don’t admit anything to anyone until it is just totally undeniable. Meanwhile, Sally Beauty did not miss a beat on its ads to customers or colorful marketing email blasts. No hint, no warning to customers that there was a sneak thief in their midst, and the “mainstream media” has covered this so thinly that a Sally customer could have missed it completely this past couple of weeks.

  7. Jacko

    Sally: Uh, hello.
    Krebs: Hi, this is Brian Krebs, uh, we spoke a few weeks ago.
    Sally: Oh, uh, yeah…, hi.
    Krebs: Well, I just wanted to call to say: “I told you so.”
    Sally: Well, it was only 25,000 cards, so it’s not like it was as big as Target or Neiman Marcus.
    Krebs: Okayyy.

  8. TheOreganoRouter.onion.it

    When Sally Beauty states “As a result, we will not speculate as to the scope or nature of the data security incident,” that shows a total lack of responsibility for the data breach.

  9. Davis

    Thinking that Fireeye would have stopped the Target and Sally attacks if in blocking mode? NOT – Did you ever see the bad kid on the block playing ‘in’ the sandbox?

    1. Michael

      Sally uses Tripwire, not Fireeye and Tripwire did detect the event but was not in blocking mode. Fireeye did detect the event in the Target attack but was in monitor only mode. If you have enough experience with these types of attacks you would know they can block them if companies use them properly.

  10. SigMo

    Sounds like a pretty good plan to me dude.
    Anon-Works.com

  11. Tweet

    Obviously we don’t live in the times of purse snatchers anymore. My question is how do we protect ourselves without going back to the “only cash” method.

  12. Tweet

    Is PayPal still considered a secure way to shop online?

  13. mbi

    I don’t understand why companies don’t add extra security to credit card information by keeping each element separate in different secure files, with an internally generated encrypted ID number to match the elements. The card holder’s name, number and expiration date each kept secure separately would require more work to match up; of course, CVV info should never be kept in a file.

  14. george

    It won’t take long, and if they have any real regard for their customers they will admit it was far more than 25,000 compromised cards, perhaps as many as 282,000 as Brian announced a while ago. What I don’t understand is why this post was filed in the “A Little Sunshine” category as well as “Data Breaches”. What is “sunny” about it?

    1. Jon Marcus

      @George, I’m pretty sure it’s a reference to the Brandeis quote: “Sunlight is said to be the best of disinfectants.” Think of lifting up a rock to let the sun shine on the creepy-crawlies scuttling for cover.

      1. BrianKrebs Post author

        That’s correct. It’s meant to indicate stories that shine a light on some issue or threat that would rather remain obscured.

  15. david

    Brian, I don’t know how you keep up with all that is going on in security, seems like you’re always in two or three places at once.

    Appreciate all your work.

  16. Cliff

    I read several stories on this breach. One stated that they do not store customer PIN data. But it said customer account data and CVVC data was compromised. Even the older PCI DSS standards clearly state the CVVC data (the 3 digit number on the back of the card) can never be stored, even in encrypted form. So how is the data being lost? The CVVC data can only be used as long as needed to complete the transaction and even then should be transmitted via https. No online site should be requesting the CVVC number if they intend on storing it. That is illegal.

    1. wombat94

      Cliff,

      As I read the press release from Sally, the CVV they are referring to is most likely the CVV1 – the card verification value stored in the magnetic stripe – NOT the CVV2 – the 3-digit value that is printed on the back of the card.

      Their information says that it is a case where card-present transactions were affected… that would indicate that the magstripe data was there, and almost certainly means that the CVV2 would not have been required of the customer.

      Also… in both the Target breach and, from the limited info about technical details of the Sally breach so far, there is nothing in violation of PCI going on regarding storage of data… these breaches are real-time memory scraping of the data out of the cash register’s memory while the authorization is in progress.

      Finally… it is a small point, but significant… even if they were storing data that is not ILLEGAL. It is in violation of their merchant agreement with the credit card brands, but that is a civil contract issue not a matter of legal vs. illegal.

      1. Anura

        You can store the CVV data for as long as it takes to authorize the card. PCI DSS does not make a distinction between storage methods, so the credit card numbers can be stored in CPU registers, SRAM, DRAM, HDDs, or DVDs without violating PCI DSS, provided the data is erased when the card is processed. If you batch process every day, you are allowed to keep the CVV on persistent storage for an entire day.
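The article’s description of “card present (track 2)” data and the discussion above of RAM scraping during authorization, as one added example that is not code from the article or any commenter: a parser for the track 2 layout (start sentinel, PAN, separator, expiry, service code, discretionary data including the stripe-only CVV1/CVC1 that makes cloning possible, end sentinel), a Luhn filter, and a scan over a constructed byte buffer standing in for a register process’s memory, which is the same search a POS scraper performs and a detection tool hunts for. Every PAN, timestamp and buffer byte is a made-up test value; `chip_capable` and `mask_pan` are helper names chosen here, not standard APIs.

```python
"""Added example, not code from the article or its commenters: parse ISO/IEC 7813
track 2 data and scan a constructed memory buffer for it."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2: ';' PAN '=' YYMM service-code discretionary '?'  (PAN is 13-19 digits).
# On a real card the discretionary field carries the PVV and the CVV1/CVC1 that
# a counterfeit stripe needs; the printed CVV2 is never on the stripe.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def chip_capable(service_code: str) -> bool:
    """First service-code digit 2 or 6 marks a card that carries an EMV chip;
    a swipe of such a card is a fallback transaction, the pattern that stripes
    cloned from chip cards produce at the register."""
    return service_code[:1] in ("2", "6")


def parse_track2(raw: bytes) -> Optional[Track2]:
    """Parse one complete track 2 string; None if malformed or Luhn-invalid."""
    m = TRACK2_RE.fullmatch(raw)
    if not m:
        return None
    pan = m.group(1).decode()
    if not luhn_ok(pan):
        return None
    return Track2(pan, (m.group(2) + m.group(3)).decode(),
                  m.group(4).decode(), m.group(5).decode())


def scan_memory(buf: bytes) -> List[Track2]:
    """Return every Luhn-valid track 2 record found anywhere in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        rec = parse_track2(m.group(0))
        if rec is not None:
            hits.append(rec)
    return hits


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a POS process's heap: two valid records, one decoy
# whose PAN fails Luhn, surrounded by unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v1.2\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"garbage;4111111111111112=2512101000?\x00"
    b";5500000000000004=2607201999?\x00\xff"
)

if __name__ == "__main__":
    for rec in scan_memory(SAMPLE_MEMORY):
        kind = "chip-card fallback" if chip_capable(rec.service_code) else "magstripe-only"
        print(mask_pan(rec.pan), rec.expiry_yymm, rec.service_code, kind)
```

The scan deliberately reports only masked PANs; a monitoring tool that logs what it finds in cleartext would itself become a place where track data is stored. The Luhn step is what keeps the search from drowning in false positives on arbitrary memory, and it is also why the decoy record in the sample buffer is silently dropped.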

  17. Kris

    So those affected won’t know they’re affected until their investigation is complete? Which can be whenever, huh? Well, this all sucks. If it started or was known on the 5th, why are we just now being informed? Ironically, I went to Sally’s earlier today and didn’t know about the breach.

  18. Anura

    I had my first near-death experience when I was a child, perhaps two or three. This would be about 1953. It involved me drowning. My memories of it were of seeing my body below me. I remember seeing a bright, warm, loving orb above me. I panicked Dad and Mom below. I didn’t know it was anything to talk about and no one would have believed me. It never was a thing I felt I had to relate.

  19. EG

    Brian,
    Something I don’t understand, why won’t the credit-reporting agencies allow you to put a permanent freeze on your credit? Why renew every 90 days? I’d rather just lock it and forget it. It’s a small hassle in trade for peace of mind. Sometimes I think our banking and credit agencies are in a coma about this topic.

  20. Madeleine

    I was affected by the Sally Beauty breach. I live in Indianapolis, and someone in Flushing, NY used my card # to charge over $1,900!

  21. Mark

    PCI is dead.

    Is it time for the payments networks to pull their collective heads out of the sand?

  22. Algeranon

    Awhile back on a similar article I posted that it seems Walmart is setting up for similar fiascos.
    They are requiring (at the register) the 3 digit security number on the back of the card, sometimes your own 4 digit PIN number, rather than your signature on the “mag swipe” unit.
    My bank officer states flatly that should not be the case. The signature is the hardest for the evildoers to reproduce.
    I reposted this because I waded back through dozens of articles today (it had replies), and can not find it anymore.
