Scam artists have been using hacked accounts from retailer Kohls.com to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.
KrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohls.com stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to Kohls.com — which confirmed her fears that her password had been changed.
On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change the password.
“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”
Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.
“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”
Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohls cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).
“Since the orders were being shipped to me, even though they were above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.
More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance were bulky items: Three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items.
“The representative told me when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry said of her conversation with the Kohl’s representative. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me and the $220 in Kohl’s cash would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”
Perry said she was shocked by the scam’s complexity and sheer gumption.
“The people behind this are clearly making every effort to not only defraud an account, but also to inconvenience the affected customer as much as possible,” she said. “I think Kohl’s handled the situation well over all; the email notification of an account change is more than I get from some other online shopping sites, and they were able to cancel the Kohl’s cash. Still, I’m a bit surprised they aren’t doing anything to promote awareness among their customer base.”
Reached for comment about the apparent fraud trend, Kohl’s spokesperson Jen Johnson said the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”
“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote in an emailed statement. “Customer service is a top priority for Kohl’s and, as always, we will work with any customer who has had a less than optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”
This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites. However, Perry said she’s still mystified how the thieves were able to get hold of her password, which she said was an 11-character, three-word phrase that she didn’t use on any other site.
It’s unclear how much is lost annually to points and rewards fraud, but the industry is ripe for the picking: Loyalty program experts at Colloquy.com estimated in 2011 that some 2.6 billion loyalty memberships generated $48 billion in rewarded points and miles.
Have you experienced similar fraud at merchants that offer rewards points or cash? Sound off in the comments below.
I don’t doubt the bulky item angle, but by choosing expensive baby items you also by definition render previous shopping history datums moot.
^data is the plural of datum
The same thing happened to my Amazon account yesterday (2/11/16).
A hacker (confirmed by Amazon Customer Service) was able to gain access to my account. Which in itself is a mystery being my password is ridiculously difficult + I’ve worked in the data security field for over 20 years and know better.
The hacker was somehow able to get a refund on a purchase completed (shipped and received) weeks ago, apply it back to the gift card and order a computer component shipping via freight forwarder.
At 4:30 I received confirmation of the refund
At 4:35 I received confirmation of the order
At 4:45 I received confirmation my password was changed.
I was on the phone with Amazon at 4:50 – 6:30 yesterday in order to get my account at least locked.
I know I wasn’t the only one to get hit this past week and in the same manner. Change your passwords, re-check your gift card balance(s), use two-factor if available and cross your fingers.
> hacker was somehow able to get a refund on a purchase completed
Something relevant I noticed in my recent AMZ returns – anyone with access to the account may request a return online, and print a shipping label. Once the label is scanned at UPS the refund may be processed.
Scammer with access to an account just has to request the return, print the label, slap it on a box, and drop it in a UPS box. When the pickup is made, they’ll get the balance refunded to do with as they please.
For legit orders this practice is fine because they know AMZ can / will track fraudulent returns back to them.
@csasvrv: Did you have two-factor authentication on your AMZ account?
If your answer is yes, then there’s a major flaw somewhere, as it should be extremely difficult for someone to hack your password AND intercept your one-time code. (Did someone say keylogger?)
(And if your answer is no: for someone who has worked in the industry for years, don’t you know better? Will you add two-factor now?)
Having worked for Kohls IT years past, and seeing the small team and closet in which their Security departments worked at the time, this doesn’t surprise me. Their corporate culture didn’t reward IT success or value security. It was a political CYA environment. After the skimmers in the checkout line issue, I wouldn’t trust Kohls with any order processing other than with cash.
That explains my recent frustration with Kohl’s stores being unable to look up kohls.com order numbers to process returns. The store indicated that they need the paper packing slip in order to identify the return (which has a receipt number that I suspect is what they are looking for).
While this was an inconvenience for me (and I cannot understand why the store systems can’t locate online orders via order number), this could complicate matters for victims of the fraud scheme that Brian wrote about. If some of the larger items are drop shipped directly from the manufacturer, do they even contain the proper packing slip to enable an in-store return? Or must the larger items be returned via snail mail?
I can’t stand their website, all the scripts all over the page and pop ups. The fact its not a secure page, and even when you get redirected to the login page, its just another popup, and its not a even green lockbox, just grey (supplying no owner information) which is always iffy to me.
Here is something interesting they do though, the login name and password are case sensitive, if you type the correct information but the wrong case, they put you through to another page asking for personal information, last name, 4 digits of social, DOB… etc…..and keep looping it saying you got it wrong even if you type it right. I thought oh no, someone stole the account and changed the info, or I just got duped and they just suckered this info from me!!!! but I think kohls actually does this on purpose in case i’m a fraud.(I hope!) because after going back and actually putting in the login and passwd with correct case it then took me to the “secret question” and i was like phew. (after reading this article i’m nervous now though)
Because I was trying to login to the charge card yesterday, but the kohls site kept failing with weird http errors, there is also some fake kohls pages i went to by accident. One even supposedly had a customer service rep chat box popping up on me from “kohls”!. haha it was total bs! I kept closing the browser and loading the page again cause, I was totally freaking out!
I Wonder if they got this lady through a MITM attack or a fake page. I was telling my mother how I’m more afraid of that happening to my kohls account, then any other after last night, so its pretty ironic to see this article today. I’m gonna link this to her because she probably thought i was being paranoid! hahah.
I think it’s pretty safe to say by now that this is the case across the board. As we heard about Home Depot and their being in the business of selling hammers, retailers are not in business for security, especially cyber-security.
Unfortunately, it’s only going to get worse and we just have to hope that some day it gets better.
So how DID the scammers get her 11 character three word phrase password? Does Kohls allow unlimited PW guessing without lock-out? Was the authentication DB hacked and the PWs broken off-line? (Inquiring minds want to know.)
My guess would be unlimited passwords attempts and a simple dictionary attack (read more: https://en.wikipedia.org/wiki/Dictionary_attack)
Dictionary attacks are why you should use multiple symbols, letters, and numbers as opposed to phrases containing multiple words. Although a password such as $1FaGtuv9F34 could still be hacked with a brute force attack, it would take more time to crack than a three word phrase such as “ThreeBlindMice”
I think you need to keep in mind the user could have coughed up her credentials another way such as logging in on a public computer, her own personal computer was compromised. Kohls may not be the one to blame here but Kohls having email alerts available avoided a lot of pain for this user.
Brian – Please post on FB too.
Aye, I keep forgetting. thanks.
Interesting but what is the source of the money to buy the $1.5k items in the first place? Why no red flags there?
Good question!!
Probably the creditcard or store card assigned to that account.
I believe the source is the victim’s credit card, which may be stored in their kohls.com profile. Seems like Kohl’s could ask customers to re-type the CC # or security code for transactions over a certain dollar amount to combat this.
In addition to asking security questions they can 1) screen large orders that follow shortly after email changes and 2) add a 30 delay (or more) for rewards point availability.
Lastly, if a customer contacts them about a fraudulent order that arrives, they should place an immediate hold on any points associated with the order.
Strangely enough, every in-store purchase I’ve executed that generates Kohl’s cash is time-delayed. It prevents the customer from cashing in until a period a week or two after the current sale window expires.
Probably stolen CC numbers, or the victim saved payment info in their account — a practice we should all probably abandon.
Yes, I believe it was stored payment info. meant to say so in the story.
I dunno man, that kohls page is pretty sketchy. I would rather they redirect you to another page, instead of the login being a popup page. This means if they do have some bad element on their main page it can easily keylog.
you can go straight to the page with credit.kohls.com but alot of people are not going to realize to do this, and just go to the main site first.
Also i accidentally went to some fake pages yesterday that freaked me out when mistyping. And if the kohls site is never a green https lockbox anyways, harder for people to realize the difference between a grey lockbox https and a wrong sitename.
Or just a fake kohls page can redirect you to the real credit.kohls.com page, and keylog ya that way? won’t even look weird since its just a popup..
Apparently a bad flash element, a xss exploit, some js exploit we don’t know about could do it.
Though I did just get hit for two kohls.com charges on my bank credit card which I have never used at kohls or kohls.com.
My name is Hesse rot child so no problem my friends are too
Wut
An 11 character, 3 word, passphrase might sound strong, but on average, each word has only 3 letters (plus the two spaces). If a dictionary attack is used to combine common words or word combinations this can fall to brute force.
It would be better to increase the complexity by exchanging one or two characters for a symbol or unusual capitalization. i.e. “the big dog” -> “tHe big d*g”.
My thoughts exactly. Very simple techniques they teach you in any cybersecurity 101 course.
Because a dictionary can’t use l33t spellings :rolleyes:
For those who don’t get sarcasm:
If the system is vulnerable to a dictionary attack, it is just as vulnerable to an attack using a larger dictionary.
Maybe someone can enlighten me here, but I don’t think your analysis on the password strength is entirely accurate, Brad. You say:
“An 11 character, 3 word, passphrase might sound strong, but on average, each word has only 3 letters (plus the two spaces). If a dictionary attack is used to combine common words or word combinations this can fall to brute force.”
There’s a lot of assumption built into this statement. First, 11 characters may not be strong if the password was “abcde123456,” but 11 characters in general is pretty good and would require significantly more permutations to crack. Second, we don’t know what three “words” her password actually was; it could have been “bif zel vut,” which would not exactly be in any dictionary. Nor would the attacker know if her password was three words, or two words, or four words. Moreover, we don’t know if she used spaces, or some other combination (e.g., “bif.zel,vut”
Then:
“It would be better to increase the complexity by exchanging one or two characters for a symbol or unusual capitalization. i.e. ‘the big dog’ -> ‘tHe big d*g’.”
This is all well and good, but I question the utility of passwords that are not easily remembered by the user, nor are even very likely to be used by your average user. A password that hits all the complexity points WITHOUT using common substitutions (e.g., 3 for “e”, etc.) is itself a security risk if you have to tape it to your machine, or write it down in a text file on your compromised computer because you couldn’t remember it.
I agree what Matt from CT above implies. If the Kohl’s system itself was susceptible to a brute-force attack, that means Kohl’s failed here, not Suzanne’s. 11-character password, which actually is a pretty good length and would have required a longer amount of time to crack (unless, as above, it were abcde123456).
All this said, we still don’t know how Suzanne’s password was compromised. But I think we shouldn’t simply chalk it up to it being a poor one.
Disclaimer: I am not a cryptologist, and base some of what I say on this:
http://xkcd.com/936/
What I don’t understand is the cost-benefit return on this scam. Given all the effort to (a) scam the account (b) get the rewards (c) turn in those rewards for item (d) resell those items on open market at discount….
why not just get a job? Seems to me minimum wage must pay better.
Daniel,
If you extrapolate this over a large number of accounts, you are talking about hundreds of thousands of dollars, if not into the millions eventually. This is a very lucrative scam.
My thoughts exactly. A lot of work considering how many other frauds are easier and pay more.
The kill chain on this scam can be shorter and easier for the bad guy. Once they have access to the account, it would take seconds to select and order the bulky items, the CC would process, and he’d have the reward points in a few more seconds/minutes. If he then skips conversion, and rather sells the rewards as rewards, he gets his payout faster, and the purchaser of the rewards is now left holding the bag if the rewards as canceled.
With all of that in mind, honest people should never buy rewards from an untrusted source, and maybe the stores should hold rewards in escrow for a period of time that would allow for the detection of the fraud before its possible to spend the rewards.
So glad I canceled my kohls account years ago, due to their inability to send me a bill, but their great willingness to charge me late fees for a bill never received, while refusing to accept payment in store without a copy of the bill. Madness!
Daniel, professional shoplifters or Hackers actually make more money a week then I do. Which is not chicken feed. Minimum wage to them is a joke dude. Not to be rude but what world do you live in lol
The source of the money is the registered Kohl’s card which is attached to the account. It’s tired to the account, so there’s no need to enter the number again.
Didn’t read all the comments so not sure if someone already mentioned this but when the person takes those items back for credit and Kohl’s cash has been spent that amount is deducted from the credit they give you. So… you’re out $220
I am reviewing the Kohl’s return policy and it appears that you are correct:
“± Did you already spend your Kohl’s Cash?
If you have already used your Kohl’s Cash®, you will get a refund in the form of your original payment, and the amount of the Kohl’s Cash® will be deducted from your return amount.”
Yes, but it wasn’t related to this..
I don’t have them store my card number. So, I guess if/when I buy something online from them I’ll just have to enter my card. Better safe than sorry….
Heard IRS was hacked again… ????
According to them yep:
“Based on our review, we identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN. The incident, involving an automated bot, occurred last month, and the IRS continues to closely monitor the web application.”
This is a perfect example of why sites should _never_ keep a customer’s credit card information. Without the “we’ll save you 30 seconds of time entering your CC information” (low benefit vs. risk) feature, this kind of scam wouldn’t work. All this “sign up for 1-click purchasing” is just plain stupid, from a security point of view (unless they employ some good multi-factor authentication)!
A person should always look at the risk vs. benefit. E.G., for me, this means I’ve never signed up for on-line banking. If I wasn’t retired, I might … but then I’d use the “live CD” approach.
People are ‘silly’ (nicest I can be) about online security. Bank I work for went to multi factor authentication and they’re all having a cow and telling us to fix this error. They would rather allow cookies than receive email, text or call.
Hessee rot child case ell anyways my friend is zio means lion
Since I never shop there (because they don’t really sell things I’m all that interested in or interested in getting from them….kinda like Radio Shack); this isn’t so much an issue for me. It’s good to know though.
Similar thing happen to me on a Discover card on my cash back rewards. Used to purchase emailed gift certificates and no fraudulent charges at all. It took a full billing cycle to find out they did it.
This is easy fraud to eliminate. All they need to do is put anti bot protection such as NoMoreCaptchas on the user login or payment section. If it’s a human then eDNA can knock them out of the network. Pretty simple.
So easy to stop all of this by requiring OTP text message codes to authorize changing an email.
Website authentication should never be sufficient to authorize privileged actions like modifying authentication or notification credentials, or for changing identity or payment info.
That is where 2FA or a second privileged password come in, and where almost all websites totally fail on security. Passwords are not the golden hammer of securing accounts. Users need more than one access control point for more than accessing the website.
It’s a shame that something this obvious is missed by even password managers.
This seems like a damned lot of work. Why not go to work for some big national bank and steal money from the inside? The payoff is better, you can sit inside an air-conditioned office wearing a suit and tie, and if you ever get caught, the criminal penalties are far less than if you’d walked in the bank via the front door with a gun and tried to pull a bank heist.
hello –
this happened to me with newegg.com. I received two PS4 system at my door. I had to call newegg first, then my CC company to figure out what happened. could not figure out why they shipped to me, thought maybe they were going to grab them from my porch? anyways, returned both items and received a new CC.
an aside, I work with my states criminal information center. deputy director just told me hackers created perfectly reproduced fake state website pages and stole over 200 employees log in creditials. deputy was amazed how perfect the fake pages were.
Shayne
Anyone can create a near duplicate website with hardly any effort. All they really need is the front page and login pop up box or login landing page.
99% of the links will remain the same as the real site. The only thing that changes is where the logon credentials go.
Seems easy enough to fix….just postpone the Kohls Cash for 45 days. Once again proving that for American corporations, security is an afterthought. Oh well, it keeps me in a job.
Like Brian alluded to, this is bigger the you think. It may not just be a Kohl’s problem.
Fake websites, and redirections in a secure environment. That’s iffy. Incorrectly colored secure screens. Even more iffy. Spoofing on secure screens? Backdoors penetrated? Now this is sounding interesting. Something else is in the problem, yea, khols, yea, the server net, yea, the register, yeah, ,,aha, got it. Not illegal because under $500. Okay. No police involvement. Got it. And Kohl’s won’t complain, they won’t reach the loss limit for the day, etc. So, the only one left is the poorer victium. And the police are unable to help because of ?
Seems like the simple solution is for Kohl’s to not issue the Kohl’s Cash until after the items have been delivered.
They typically already have a delay for at least Kohl’s cash from in-store purchases of about 1-2 weeks, so doing the same thing on-line would seem to be logical.
What could be more secure than a common 3 word phrase? Maybe it was “Ive been hacked”
A lot of times, I let my Kohl’s Cash go unused, because there’s nothing more that I want to buy, in the very limited amount of time customers are offered to spend their “Kohl’s Cash.” There’s also a minimum $ order you must place in order to get free shipping.
An easy fix for Kohl’s change the Kohl’s cash from when the order is placed to when it is paid. Since neither the crook or customer is going to pay for the merchandise and quickly return it no Kohl’s cash is created. Most credit card companies don’t issue rewards anyway until the bill is paid.
Exactly, Michael!
Brian,
Do you have any additional detail on how credentials were compromised in this instance?
1) Persistent XSS on site – MitM the creds and redirect
2) Phishing emails to direct users to bad login page – MitM the creds and redirect
3) Compromise of credentials db – weak/no salt, weak hash algorithm and hybrid/dictionary or rainbow table the hashes? – offline crack
4) Other??
I do not buy an 11 character password was cracked against an online system since it would be quite slow and SHOULD be rate limited or at least CAPTCHA’d after a few failed attempts. I think a lot of these responses are thinking about offline cracking.
Thanks for this great blog Brian, it’s always nice to have something to use in order to scare the living sh!t out of my family members.
Keep up the good work!
Interestingly enough, the exact scenario happened to my wife’s Kohl’s account this past weekend, although the delivery address was changed from our own to some other location (perhaps this culprit was attempting to abscond with the merchandise as well?).
I suspect social engineering via Kohl’s Customer Service as, in addition to the purchase, rewards, and shipping emails, she also received a “Tell us about your recent call to Kohls.com Customer Service” email asking for feedback on the recent phone call she made to Kohl’s this past Saturday. However, as you have probably already guessed, she made no such call.
I just wanted to add this additional bit of information to help shine a light on a possible way the culprit got into her account.
Keep up the great work Brian. I enjoy your posts (especially the depth of detail you include) and visit your site regularly.
Can anyone fill me in?
So who is actually paying for the bulky order, at the time of ordering? with what?
Kohl’s account owner. Kohl’s stores credit card information to account.
Kohls can create one more security to verify with verification code when new email update requested. Kohl’s has to send verification code to old email address.