Book2Park.com, an online parking reservation service for airports across the United States, appears to be the latest victim of the hacker gang that stole more than 100 million credit and debit cards from Target and Home Depot. Book2Park.com is the third online parking service since December 2014 to fall victim to this cybercriminal group.
Last week, a new batch of credit card numbers [dubbed “Denarius”] went up for sale on Rescator[dot]cm, the cybercrime bazaar that earned infamy by selling tens of millions of cards stolen from Target and Home Depot. Multiple banks contacted by this author acquired a handful of cards from this new batch, and each of those financial institutions found the same pattern: All of the cards they bought had been issued to customers who recently made airport parking reservations at Book2Park.com.
Contacted about the apparent breach, Book2Park.com owner Anna Infante said she was not aware that hundreds — if not thousands — of her customers’ cards were for sale online. But she said a technology firm the company contracts with did recently discover and remove malicious files that were somehow planted on Book2Park’s Web server.
“We already took action on this, and we are totally on it,” Infante said. “We are taking all further steps in protecting our customers and reporting this to the proper authorities.”
In December, the same hacker gang began selling card accounts stolen from the Web sites of Park ‘N Fly and OneStopParking.com. The card accounts stolen from OneStopParking and Park ‘N Fly sold for prices between $6 and $13, but the cards taken from Book2Park’s site mostly fetch prices ranging from $12 to $18. This may be because most of the cards were issued by European banks, which tend to sell for more (at least on Rescator’s site).
Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.
These e-commerce site hacks are not wholly unlike compromises on consumer/end user PCs. Malware planted on the server watches for visitors entering sensitive data into order forms. The malware then secretly copies that data from the transaction stream before it can be encrypted. (I have no specific knowledge of the malware used; I am just trying to illustrate a concept in response to several readers who seem to believe that an e-commerce compromise that exposes card data automatically means the merchant is storing card data.)
It’s unclear why these crooks are targeting online parking reservation systems. There is no clear connection between the three services hacked by this gang, either in their current or previous hosting infrastructures or Web technologies.