Book2Park.com, an online parking reservation service for airports across the United States, appears to be the latest victim of the hacker gang that stole more than 100 million credit and debit cards from Target and Home Depot. Book2park.com is the third online parking service since December 2014 to fall victim to this cybercriminal group.
Last week, a new batch of credit card numbers [dubbed “Denarius”] went up for sale on Rescator[dot]cm, the cybercrime bazaar that earned infamy by selling tens of millions of cards stolen from Target and Home Depot. Multiple banks contacted by this author acquired a handful of cards from this new batch, and each of those financial institutions found the same pattern: all of the cards they bought had been issued to customers who recently made airport parking reservations at Book2Park.com.
Contacted about the apparent breach, Book2park.com owner Anna Infante said she was not aware that hundreds — if not thousands — of her customers’ cards were for sale online. But she said a technology firm the company contracts with did recently discover and remove malicious files that were somehow planted on Book2park’s Web server.
“We already took action on this, and we are totally on it,” Infante said. “We are taking all further steps in protecting our customers and reporting this to the proper authorities.”
In December, the same hacker gang began selling card accounts stolen from the Web sites of Park ‘N Fly and OneStopParking.com. The card accounts stolen from OneStopParking and Park ‘N Fly sold for prices between $6 and $13, but the cards taken from Book2Park’s site mostly fetch prices ranging from $12 to $18. This may be because most of the cards were issued by European banks, which tend to sell for more (at least on Rescator’s site).
Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.
These e-commerce site hacks are not wholly unlike compromises of consumer/end-user PCs. Malware planted on the server watches for visitors to enter sensitive data into order forms, then secretly copies that data from the transaction stream before it can be encrypted. (I have no specific knowledge of the malware used; I am just trying to illustrate a concept in response to several readers who seem to believe that an e-commerce compromise that exposes card data automatically means the merchant is storing card data.)
It’s unclear why these crooks are targeting online parking reservation systems. There is no clear connection between the three services hacked by this gang, either in their current or previous hosting infrastructures or Web technologies.
“We already took action on this, and we are totally on it,” Infante said. “We are taking all further steps in protecting our customers and reporting this to the proper authorities.”
lol
Anna Infante, after indicating that “we are totally on it”, proceeded to post a selfie on Instagram and the proper Tweeter update labeled as #totallyonit #wearesecure #sslrocks
Might be a meta-target rule: Frequently used cards across many jurisdictions and at travel hubs, hence are unlikely to be immediately red-flagged for purchase of train tix or airline tix, two near-cash purchases we know scammers like to make.
In my case — two separate cases actually, a couple of years apart — it was a couple hundred dollars in Long Island RR passes and a one-way ticket to Brazil for $4K. In both cases it was a leaky back-end of a mom-and-pop retailer which was compromised.
Jeff – I definitely think you’re on to something here and I have never thought about it from that angle.
Brian may want to look into this perspective?
+1
Travelers tend to have better credit lines than non travelers; they’re probably less likely to be actively checking their transactions; their transactions will include vendors whose billing IDs are less familiar; they’re more likely to have charges appear days later instead of immediately; their credit card company was probably already told to expect charges from unusual locations.
Much easier to fit your fraudulent transaction into this set than Johny Stay At Home. He shops at the same fixed set of merchants; has less disposable income/lower credit limit; the credit card company will be surprised and skeptical of out-of-area charges; he knows how long it takes merchants to bill his card.
Interesting stuff.
You’d think these guys have all the credit cards by now! Argh!
It seems like a never ending story, these guys won’t stop until they have all they want it seems. The sad thing is that the chance the big guys behind these hacks will be caught doesn’t seem that big.
Airport parking lot makes sense because the cards are sure to have decent available limits, probably good credit scores and yeah… the “who’da thought?” factor implies low POS security.
The response from the owner indicates a few things I feel:
1. It’s likely a small operation, as the tone of the message suggests; a larger operation with a PR / legal department would sound different and more professional.
2. Based on her reference to a consulting organization, there is likely no security professional involved in their operation, and/or the consulting company is a standard small operation themselves whose specialty is not security.
This brings me to a major issue we face in regards to security on the internet: for most start-ups (especially in the initial phases), security is just not on their road map, and nearly never baked in from the start. By the time they become a more mature operation, it’s really hard to backfill their security problems, which tend to grow more acute as their size (and thus attack surface) increases.
At one point I floated the idea of creating a special security framework for start-up organizations with limited resources. In fact I would love to hear everyone’s feedback, (Brian’s included), regarding if you were a small start-up with say only $5,000.00 max to spend on security, how you would spend it.
I’m still game for getting together a group to develop this concept.
Sadly many of the most successful start-ups of today will be the security disasters of tomorrow and likely be covered by Mr. Krebs.
These folks just don’t get it until they are put out of business by a security incident with the culprits laughing all the way to the bank.
I work in the small to mid market, and while they are a little concerned, it’s usually not until they get hit by something like CryptoWall. Their biggest problem is end users opening and executing attachments or malicious links, as well as drive-by downloads/exploits due to lack of patching. They need anti-malware that really works; most use SEP or McAfee or the other names that miss everything. If they were to invest in anything it should be a good anti-malware product like Malwarebytes business endpoint (MBAM and MBAE), a UTM firewall and a hosted WAF. All can be had for $5000 for a 50-employee company.
Some names for the overall service are managed security service, clean pipes, et cetera.
https://en.wikipedia.org/wiki/Managed_security_service
As I’ve mentioned before on this site, I’d like to see IDS/IPS clean pipes at the main lines crossing country borders: block once and be done with it (blocked for 1000 companies and millions of end-users).
The problem is not that there aren’t security tools, best practices or “frameworks” available. The problem is that small businesses either don’t know, don’t care and/or treat developers and IT staff as another cost center. At the end of the day, you still would need these small businesses to implement your solution…and clearly that isn’t happening.
Furthermore, how many of these sites are really just some WordPress/Joomla blog that people are trying to mangle into some e-commerce application because they are too cheap to hire qualified programmers?
This is true. If the trend continues I would expect a number of small businesses to be put out of business by attackers. When your organization is only measured in the millions instead of billions, one good hack might spell the end.
In my consulting experience it took companies losing data to believe they needed to invest in backup solutions, and it may well take several smaller players being hacked-out-of-business for other organizations to see the light.
It’s really sad that it takes this level of pain for people to wake up, and this is also interesting because it might lead to some consolidation as small companies less able (or willing) to defend themselves get felled by attackers.
Security is fascinating to me because it’s really changing the world at a very fast rate.
Great post, Brian. Thanks!
Other than all these cards being found at the Rescator site, what links this to Home Depot and Target?
What other link do you need?
Saying that multiple companies are victim to the same hacker because their data is all found on Rescator is like saying that the junkyard was the common thief when 3 victims’ stolen cars all end up there. It’s possible that they were all victims of the same person/group, but it’s as likely that 3 different thieves stole 3 cars from different people and all took them to the same junkyard to sell for parts because they all knew that junkyard would sell stolen goods.
In other words, Rescator is a person and a location potentially capable of stealing the information, or just as easily a facilitation point for other hackers to sell/trade data they steal. I’m most curious if there are technical attributes that link these all together which could serve as a means of detection for the rest of us.
Make sense?
I think I’m going to buy a prepaid Visa card and just go with that from now on.
Seems to be the safest way.
Interesting that no one has been able to really put a reason on the cause of the correlation.
Great article as always.
Thank you.
Why do European cards sell for more than US ones? I would have thought that they would be harder to conduct counterfeit card fraud on as they would need to be used in the US, where they are highly likely to be geo-fenced?
Not sure. Perhaps because they are rarer, or tend to have higher limits. My guess is if they are rarer it is because when they’re stolen, they’re typically stolen when European cardholders shop outside of Europe (i.e., in compromised US stores).
If you captured them in the US, then that means their fence at least for the time being has an exception.
One way that banks detect fraud is by identifying common points.
If I’m BoA, and 100 of my customers are impacted by a given fraud source, the odds of me being able to identify the source are pretty high.
If I’m a small bank and only 1 card was hit by a certain fraud source, I’m not really going to be able to identify it.
Put slightly differently, if a crook buys 100 BoA cards and uses 2 of them, the other 98 cards now have a timebomb set on them — as soon as the first two cards report fraud to BoA, the other 98 are at risk of being detected as a common point to the fraud for the first 2.
If a crook buys 5 Bank of Aland Plc (Finland) cards, and 5 Evli Bank (Finland) cards, and 5 Aktia Bank cards, and uses 1 of each, then the remaining 4 of each are still likely to be good, because there’s no way Aland, or Evli, or Aktia will be able to identify where the fraud source was for their 1 card.
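The common-point analysis the comment above sketches, as an added example (not the commenter's or any bank's code), over a constructed set of cards, merchants and fraud reports; issuer names and the "parking-site" merchant label are made up, and the small-issuer case shows why a single report yields no usable signal:

```python
from collections import Counter

# Constructed sample: card id -> (issuer, merchants used during the window)
CARDS = {
    "boa-01": ("BoA", ["grocer", "parking-site", "gas"]),
    "boa-02": ("BoA", ["parking-site", "coffee"]),
    "boa-03": ("BoA", ["gas", "parking-site"]),
    "boa-04": ("BoA", ["grocer", "coffee"]),
    "boa-05": ("BoA", ["parking-site", "grocer"]),
    "evli-01": ("Evli", ["parking-site", "grocer"]),
    "evli-02": ("Evli", ["grocer", "gas", "coffee"]),
}
# Cards whose issuer has received a fraud report (constructed)
FRAUD_REPORTS = {"boa-01", "boa-02", "boa-03", "evli-01"}

def candidate_points(issuer, cards=CARDS, reports=FRAUD_REPORTS, min_hits=2):
    """Rank merchants by how many of this issuer's reported cards used them.

    Returns [(merchant, reported_hits, clean_hits)] sorted by reported_hits,
    descending, keeping only merchants with at least min_hits reports. With a
    single report every merchant on that card ties at one hit, so a small
    issuer (the comment's 1-card-per-bank case) gets no usable candidate.
    """
    reported, clean = Counter(), Counter()
    for card_id, (iss, merchants) in cards.items():
        if iss != issuer:
            continue
        bucket = reported if card_id in reports else clean
        for m in set(merchants):          # count each merchant once per card
            bucket[m] += 1
    ranked = sorted(reported.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(m, n, clean[m]) for m, n in ranked if n >= min_hits]

def at_risk_cards(issuer, merchant, cards=CARDS, reports=FRAUD_REPORTS):
    """Cards of this issuer that used the suspected merchant but have not yet
    reported fraud: the comment's 'timebomb' cards, candidates for reissue."""
    return sorted(cid for cid, (iss, ms) in cards.items()
                  if iss == issuer and merchant in ms and cid not in reports)

if __name__ == "__main__":
    print(candidate_points("BoA"))                 # parking-site leads with 3 hits
    print(candidate_points("Evli", min_hits=1))    # 1-hit tie: no signal
    print(at_risk_cards("BoA", "parking-site"))    # ['boa-05']
```

Real issuers add a time window and a baseline rate per merchant, but the shape of the computation is the same.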
As someone with PCI background who worked in the parking space, I’m pretty confident their security standing is just awful.
I understand that modern cash registers need LAN connectivity, but why in the heck are all the ones I’ve dealt with accessible from the internet? I worked at a major retailer, and I remember when we were having issues, I’d finagle my way to a command prompt and run a couple of ping tests to check our connectivity. But we were also using a non-split tunnel to the head office (it sucked), so it’s not like the registers needed to be on the internet to get to the servers.
Obviously if someone internal to the company was working with these guys, or if someone happened to go to a register in person and somehow install the software, it wouldn’t help… but seriously. I can see several ways to block stuff like this without compromising your register’s functionality…
I’m not sure how you are defining small business but at the lower end of the scale there are several issues that must be realized before a solution is possible.
1. Cyber security is certainly a serious issue that could ruin a small business.
2. Many, if not most, consider themselves to be too small a target to generate interest. This tends to continue as they grow larger.
3. Most small business owners believe they can rely on their suppliers, e.g., credit card processors, POS systems, ISPs or off-the-shelf protection software, to provide the necessary level of protection.
4. Anything that can’t be sold to a customer is a cost center, including software developers and IT staff.
5. For many small businesses $5,000 is a lot of money, particularly for something you can’t sell to a customer.
In order to solve the issue of cybersecurity a simple and inexpensive solution is required. Unfortunately, too many small business owners will ignore the issue, or won’t be able to afford to adequately address it, until they get hit and are put out of business.
I have worked on dozens of eCommerce investigations, and speaking from experience, usually the attackers don’t need to “plant malware on the server” per se. The most common form of card siphoning I’ve seen is usually to add one or two lines of code to the legitimate payment page (in PHP/ASP/JavaScript) and get the cards sent to an attacker’s email account or server.
This way the attackers are less likely to get detected, as they won’t be adding extra files or processes to the system. You wouldn’t believe the number of devs out there who can’t even spot additions to their own code…
Happy to chat about IR/Forensics/Card compromises anytime – richardwells.co.uk
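A defender's check for the injected-lines skimming described in the comment above, as an added example (not the commenter's code): a SHA-256 manifest of the payment pages is recorded from a known-good copy at deploy time, and later runs rehash the live files and diff any mismatch so the added lines are surfaced instead of relying on a developer to notice them. The `checkout.php` contents and the `send_elsewhere` stand-in line are constructed.

```python
import difflib
import hashlib

def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_manifest(files):
    """files: path -> known-good contents. Returns path -> sha256 hex digest."""
    return {path: sha256_text(body) for path, body in files.items()}

def check_integrity(manifest, known_good, live):
    """Rehash live files against the manifest.

    Returns path -> list of lines present in the live copy but not in the
    baseline. Unchanged files are omitted; a file missing from the live tree
    maps to None; a changed file with only deletions maps to [].
    """
    findings = {}
    for path, expected in manifest.items():
        if path not in live:
            findings[path] = None
            continue
        if sha256_text(live[path]) == expected:
            continue
        diff = difflib.unified_diff(
            known_good[path].splitlines(), live[path].splitlines(),
            fromfile=path + " (baseline)", tofile=path + " (live)",
            lineterm="", n=0)
        findings[path] = [line[1:] for line in diff
                          if line.startswith("+") and not line.startswith("+++")]
    return findings

# Constructed sample: a minimal checkout handler and a tampered copy of it.
INJECTED = "send_elsewhere($card); // constructed stand-in for the injected line"
KNOWN_GOOD = {"checkout.php": "\n".join([
    "<?php",
    "$card = $_POST['card_number'];",
    "$resp = $processor->charge($card, $_POST['amount']);",
    "echo $resp->status;",
])}
LIVE = {"checkout.php": KNOWN_GOOD["checkout.php"].replace(
    "$resp = ", INJECTED + "\n$resp = ", 1)}

if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD)                # recorded at deploy time
    print(check_integrity(manifest, KNOWN_GOOD, LIVE))   # {'checkout.php': [INJECTED]}
```

The manifest must live somewhere the web server's own account cannot write, or an attacker who can edit the page can update the baseline too.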
Re: Brian’s comment about how a site that wasn’t storing card data might get cards stolen…
Having worked with a few credit card processors/merchant services, these companies have standardized interfaces and by necessity publicly available APIs.
On a site that does *Not* store card info, when you click “purchase” after typing in your CC info, the server bundles all the relevant data into a standardized request to the CC processor. That data then vanishes (aside from the fact that a site will usually keep the last four digits of your CC because they need it in the event that they have to issue a refund).
I believe the top 3 or 5 CC processors handle something like 80% or more of the transactions on the net… so if you hack a site and can identify the CC processor, it’s probably fairly easy to set up some sort of “watchdog” script that can identify these standardized calls and snag a copy of the data.
As to this particular site, it’s interesting that their “blog” page is down… depending how that was implemented it might’ve been the attack vector that got the hackers in.