Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores.
Earlier this week, KrebsOnSecurity began hearing from different banks about a pattern of fraudulent charges on customer credit cards that all had one thing in common: the cards were recently used at Bebe (pronounced “bee bee”) locations across the country.
This author reached out to Bebe via email and phone early Wednesday. Officials from Bebe Stores have not yet responded to requests for comment.
On Wednesday, this author heard from an East Coast bank that had purchased several of its customers' cards that were being sold on a relatively new cybercrime shop called Goodshop (goodshop[dot]bz). The bank acquired cards from a batch that Goodshop released on Dec. 1, called “Happy Winter Update.” The prices from that Happy Winter batch range from $10 to $27 per card.
The bank found that all of the cards had been used at Bebe Stores in the United States between Nov. 18 and Nov. 28. It is not clear if the breach at Bebe stores is ongoing, or if it extends prior to mid-November 2014.
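A finding like this is the output of what issuers call common-point-of-purchase analysis. The sketch below is an added example, not code from the bank or from this article, and shows one way to rank merchants by how many known-compromised cards were used there compared with a control group. All card IDs, the merchants other than Bebe Stores, and the individual transactions are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (card_id, merchant, purchase_date).
# COMPROMISED = purchase history of cards bought back from the shop;
# CONTROL = history of cards with no reported fraud.
COMPROMISED = [
    ("card-A", "Bebe Stores", date(2014, 11, 18)),
    ("card-A", "Grocer 12", date(2014, 11, 20)),
    ("card-B", "Bebe Stores", date(2014, 11, 24)),
    ("card-B", "Fuel Stop 7", date(2014, 11, 25)),
    ("card-C", "Bebe Stores", date(2014, 11, 28)),
    ("card-C", "Grocer 12", date(2014, 11, 27)),
]
CONTROL = [
    ("card-X", "Grocer 12", date(2014, 11, 19)),
    ("card-Y", "Fuel Stop 7", date(2014, 11, 22)),
    ("card-Y", "Grocer 12", date(2014, 11, 23)),
    ("card-Z", "Bebe Stores", date(2014, 10, 2)),
]

def cards_by_merchant(txns):
    """Map each merchant to the set of distinct cards seen there."""
    seen = defaultdict(set)
    for card, merchant, _ in txns:
        seen[merchant].add(card)
    return seen

def common_points(compromised, control, min_share=0.9):
    """Return merchants visited by at least min_share of compromised cards,
    ranked by how far that share exceeds the control-group baseline."""
    bad, ok = cards_by_merchant(compromised), cards_by_merchant(control)
    n_bad = len({c for c, _, _ in compromised})
    n_ok = len({c for c, _, _ in control}) or 1
    results = []
    for merchant, cards in bad.items():
        share = len(cards) / n_bad
        if share < min_share:
            continue
        baseline = len(ok.get(merchant, ())) / n_ok
        # Exposure window: earliest and latest compromised-card use there.
        dates = [d for _, m, d in compromised if m == merchant]
        results.append({"merchant": merchant, "share": share,
                        "baseline": baseline,
                        "window": (min(dates), max(dates))})
    return sorted(results, key=lambda r: r["share"] - r["baseline"],
                  reverse=True)
```

A popular merchant can appear in most cardholders' histories by chance, which is why the ranking subtracts the control-group baseline instead of using the raw share alone.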
There is no data to suggest that the apparent card breach at Bebe extends to the company’s online store. The items for sale at Goodshop are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).
The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Home Depot, Target, Neiman Marcus, Michaels and other break-ins first detailed on this blog were all powered by malware that thieves planted on point-of-sale systems.