18 Aug 16

Malware Infected All Eddie Bauer Stores in U.S., Canada

Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after KrebsOnSecurity first notified the clothier about a possible intrusion at stores nationwide.

On July 5, 2016, KrebsOnSecurity reached out to Bellevue, Wash., based Eddie Bauer after hearing from several sources who work in fighting fraud at U.S. financial institutions. All of those sources said they’d identified a pattern of fraud on customer cards that had just one thing in common: They were all recently used at some of Eddie Bauer’s 350+ locations in the U.S. The sources said the fraud appeared to stretch back to at least January 2016.

A spokesperson for Eddie Bauer at the time said the company was grateful for the outreach but that it hadn’t heard any fraud complaints from banks or from the credit card associations.

Earlier today, however, an outside public relations firm circled back on behalf of Eddie Bauer. That person told me Eddie Bauer — working with the FBI and an outside computer forensics firm — had detected and removed card-stealing malware from cash registers at all of its locations in the United States and Canada.

The retailer says it believes the malware was capable of capturing credit and debit card numbers from customer transactions made at all 350 Eddie Bauer stores in the United States and Canada between January 2, 2016 and July 17, 2016. The company emphasized that this breach did not impact purchases made at the company’s online store eddiebauer.com.

“While not all transactions during this period were affected, out of an abundance of caution, Eddie Bauer is offering identity protection services to all customers who made purchases or returns during this period,” the company said in a press release issued directly after the markets closed in the U.S. today.

Given the volume of point-of-sale malware attacks on retailers and hospitality firms in recent months, it would be nice if each one of these breach disclosures didn’t look and sound exactly the same. For example, in addition to offering customers the predictable and irrelevant credit monitoring services topped with bland assurances that the “security of our customers’ information is a top priority,” breached entities could offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used.

That way, other companies could use the information to find out if they are similarly victimized and to stop the bleeding of customer card data as quickly as possible. Eddie Bauer’s spokespeople say the company has no intention of publishing these so-called “indicators of compromise,” but emphasized that Eddie Bauer worked closely with the FBI and outside security experts.

For more on the importance of IOCs in helping to detect and ultimately stymie cybercrime, check out last Saturday’s story about IOCs released by Visa in connection with the recent intrusion at Oracle’s MICROS point-of-sale unit. And for the record, I have no information connecting this breach or any other recent POS malware attack with the breach at Oracle’s MICROS unit. If that changes, hopefully you’ll read about it here first.

83 comments

  1. “…during the first six months of January…” Can you clarify?

    • I believe it was a mis-type. See further down in article: Eddie Bauer stores in the United States and Canada between January 2, 2016 to July 17, 2016.

  2. Maybe good to start a scorecard/spreadsheet of all the hacked companies, with the dates you told them and the date they admitted the hack.

  3. Maybe I’m being too optimistic, but I would hope Eddie Bauer is sharing details with the Retail & Commercial Services ISAC. Those can be great avenues to share breach details with those who need to know.

    • The minute the FBI helped them remove the malware, eddiebauer’s knowledge of the indicators became a competitive edge. Maybe if the banks and card companies made sharing these markers and any other intelligence learned as a condition to be able to use their systems…

      • FBI should be sharing the indicators with all of the ISACs. I know we receive many via the E-ISAC. Typically they are 3-4 months old, but we store plenty of logs so we can search back for IOCs.

  4. The malware is so entrenched it altered the fabric of time.

  5. Anyone know if they were chip and sig or still on mag strip readers?

    • Dags — EB told me they completed chip rollout in 2014 for Canada and in July 2016 for United States stores.

      • Brian,

        Would the malware be able to read the info on chip and pin cards too or is that irrelevant? In general, would P2PE prevent these breaches in the future?

        Thx.

        Re info sharing: EB probably receives and participates in a threat intel cooperation program with government and industry. If national security/critical intel isn’t involved, i agree though, this info would prevent future breaches if the Krebs of the world could access it quickly. Something needs to change.

        • InfoSec Amateur

          Kevin Sherry,
          P2PE – where the card data is encrypted by hardware at the reader, and never seen until either the switch, or the processor itself – would prevent RAM scraping as we know it today.

          EMV does not protect the credit card number or expiration. It does use a dynamic card verification value (that should be one time use, and impossible to predict, when done right). RAM scrapers will still see the card number and ex date, but the dynamic CVV is useless to them. It’s not the same as a static CVV on the mag stripe, which they could use to clone your card. RAM scraping EMV transactions means you can use the data to commit card not present fraud, but you can’t clone a magstripe to use in store.

          • To commit CNP fraud though, you usually need the CVV2 printed on the back of the card. That can’t be compromised through a card read – it’s different to the CVV on the mag stripe, and different to the eCCV (which changes anyway, as you’ve pointed out).

            • Infosec Amateur

              Vog,
              I agree the CVV2 is needed for a lot of CNP transactions, but aren’t there still merchants out there accepting CNP transactions who don’t use a CVV2? There is also phishing (if you have other data like email) to get the CVV2.

              I guess my point is: would you agree RAM scraping of EMV transactions is still profitable for card thieves (excluding that they will get some magstripe transactions too until we all convert), and thus EMV alone will not solve the problem.

              • If merchants are accepting transactions without the CVV2, that’s just very poor implementation on their part – the standard supports better security and they should be using it.

                Implementation failings notwithstanding, scraped EMV transaction data is useless to card thieves. EMV does solve that problem – it just can’t solve everyone else’s problems as well.

                • InfoSec Amateur

                  “EMV does solve the problem” – not being flippant, but please confirm exactly what problem it’s solving.

                  I don’t think it’s solving the safeguarding of sensitive information like PANs and Ex dates. We can disagree about how far that info gets you, but EMV doesn’t protect it from RAM scraping. I agree, it makes it very hard to carry out card present payment fraud.

                  Also, doesn’t name and other data still get transmitted in the clear from the chip to the POS (and thus is subject to RAM scraping)?

    • I shopped at one of the locations in Vancouver, BC in the last month and their point of sale system supported chip and PIN. I can’t say about their stores in the US.

  6. It’s good to throw in a typo from time to time to be sure people are reading carefully.

  7. Looks like it’s Oracle-related. Check out what Mr. Jeff Pillars did for Eddie Bauer as their Director of Technology.

    https://www.linkedin.com/in/jeff-pillers-1911501

    • Odd that profile doesn’t exist anymore. Searching on the Google it returns with the same link. Must have been deleted in the last day or so.

      • Joe-Miller Kano

        Just a bad link / typo. It’s still there. Search “Jeff Pillers.” Implemented Oracle Point of Sale to U.S. and Canadian Stores to replace legacy IBM solution, currently implementing EMV for ORPOS and Mobile Point of Sale. Architected and deployed Mobile/Omni solution utilizing AirWatch’s MDM to all U.S. based stores. Implemented Oracle Store Inventory Management and Oracle ATG over 24 month timeframe and most recently Oracle MFP/IP, RMS and Tradestone PLM.

        • I heard they were using Airwatch with malware prevention signatures for their wireless POS tablets and other devices as opposed to individual malware prevention agents on each device. That might have been the point of entry.

  8. This is going to be more ammo for the FTC to likely intervene and finally do something about the PCI standards and the credit card industry

    https://www.ftc.gov/news-events/press-releases/2016/03/ftc-study-credit-card-industry-data-security-auditing

    The National Retail Federation put out a nice whitepaper in their response to the FTC action and they were anything but polite:

    https://nrf.com/sites/default/files/PCI-2016-NRF%20White%20Paper%20on%20PCI%20DSS.pdf

  9. If you are a retailer, and you are not monitoring your PoS environment for malware and monitoring your PoS network traffic for anomalies on a constant basis you obviously do not care about the security of your customers’ data. The TTPs are well known. You don’t need IOCs, if they are any good they will be using different malware and different c&c and drop servers. This is 101 level stuff for any retailer with a modicum of security acumen and a management team with even a basic grasp of IT risk in a retail environment. The fact that they were owned in every store for 6 months borders on criminal negligence. So either they are incompetent or have been told by management that securing their environment against the most obvious threat is not important. You decide which is worse…

    • What incentive do retailers have that would require them to care about protecting their customer’s card data?

      NONE

      PCI compliance is just something they HAVE to do to avoid a $30 monthly penalty. Many do not even do it. Why would they “look for anomalies” and perform other extra measures to protect card data??

    • Growth and Quarterly numbers are FAR more important than, lol, security.

      Seriously?

  10. Really? *ALL* 350 stores??

    Brian, did you (or can you) get any comment from the EB people about how it might have been possible for literally *all* of their stores to get hit with this malware?

    You’ve written before about guys going around to various actual brick&mortar locations of other chain stores and pretending to be “maintenance technicians” and installing malware that way. But is that what happened here, in this case?? Seems rather implausible to me that the crooks could pull off this sort of in-person scam 350 separate times and never even be noticed. So I’m guessing that the POS malware in this case was actually PUSHED out to all of the POS terminals from some central server, yes?

    Assuming so, then we gotta hand it to the thieves in this case. They obviously found the correct 1 machine to compromise, i.e. the one single central server that was telling 100% of the entire chain’s POS terminals what to do.

  11. When is chip and PIN going to be the norm in the U.S.?

    VISA has been trying to prevent its rollout due to lost transaction fees and Home Depot is suing because of that.

  12. Thank God Pillers is “A distinguished IT Senior Executive” as per LinkedIn, or they REALLY would have been in trouble! What a marroon!

  13. There should be a 10x penalty multiplier for breaches resulting from POS system malware.

  14. @Brian, when you notify companies of breaches, do you include a suggestion that identity theft protection is useless?

    I know you know it’s useless, I know it’s useless, and you write that it’s useless, but if that’s only after the fact, maybe we’re being a little mean beating up these dumb companies for not knowing anything about this area. Obviously no one told them when they got into the credit card business that they had to protect their payment terminals, maybe ignorance is their excuse.

    • twinmustangranchdressing

      If I recall correctly, Brian doesn’t (or didn’t, in the past, at least) think that *all* identity theft protection services are useless. He mentioned using a service himself, although he didn’t identify the company. (I assume he didn’t identify it because it would have been viewed as an endorsement.)

      • Yes they are useful for helping to clean up the mess after ID theft, but they’re not so great at stopping Id theft.

        • twinmustangranchdressing

          Thanks. Can a person wait to hire such a service until his or her identity is stolen or is it something he or she should have (and pay for) in advance, ready to get to work when necessary?

        • oops, thanks for the clarification.

          But are they useful in the case where someone has cloned your credit card? That’s a pretty specific case, and I’d hope all you need there is to talk to your credit card company. — If they cloned your debit card, then (1) you weren’t following best practices [i.e. don’t use a debit card to make payments / only use it at your own bank’s ATMs], (2) you’re probably in for more pain…

          • InfoSec Amateur

            In my opinion, identity monitoring does not help at all if you know someone cloned your credit card. All they have is one instrument to commit payment fraud. If its free, might as well take it…

            But if I had to pay for identity monitoring myself, I would not do it unless I knew I was – for some reason – at a high risk of being targeted by identity thieves. In those cases, I think its worth spending the money to get tools which help me monitor hits on my credit, and spend time/effort looking online for my data being sold.

            Things that I would characterize as causing me to believe I’m at high risk:
            1) my SSN, name, address and perhaps some key relationships (bank, wireless provider, etc) and other data leaked; in a example, from a breach at my doctor’s office
            2) I’m a celebrity

  15. Sample HASH or it didn’t happen 🙂

  16. “…breached entities could offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used…”

    Amen Brother….Amen..!

  17. Retailers, hotels, restaurants, banks, the only time they will change is when we, the customers, vote with our billfolds and class action suits against them. Even then, while we have an executive compensation and culpability system that neither takes away their personal wealth nor liberty, they have no incentive to change.

  18. If they’d get Apple Pay working on their POS terminals I’d use it just like I do at Panera, Walgreens, Macy, supermarkets

  19. December 26, 2015 someone tried to use my credit card shopping online at Eddie Bauer. It was a chip card that I didn’t use and it was cancelled. The only reason I knew it was used was that I received a letter from Eddie Bauer company that my transaction for a gift card couldn’t be processed. I called the company back then and the security told me they thought the transaction was suspicious. I have never shopped there and my credit card hadn’t been used elsewhere.

  20. @Brian,

    It would be good for you or someone else to comment and clarify how this occurs with EMV. I see so many people who claim that EMV will stop this and I don’t believe it does or will. Isn’t it true that even with EMV, full card data is still shared with the POS and credit card middleware? This is where the malware is able to skim the card data from memory. EMV is an authentication (verify the card is real) and the PIN verifies that the presenter of the card is the card holder. No encryption of card data occurs in an EMV transaction.

    It is rarely mentioned but I feel so critical that merchants be focused on security beyond compliance. This requires defense in depth. It includes all the best practices guided through compliance. The fatal flaw is that PCI did not and does not require encryption and tokenization. A competent end to end encryption and tokenization solution ensures that merchant systems (POS and Middleware) never come in contact with unencrypted card data. Malware would be capturing useless tokens.

    • With EMV it produces a one time use number, so if someone is able to capture the data, it is useless since it was already used

      • @Kevin,

        Where in the EMV specification do you see that the chip creates a one time use card? I don’t believe your statement is accurate for a Chip transaction. For ApplePay, perhaps.

        • They don’t create a ‘one-time-use card’ as such. What Kevin is referring to is that both chip and contactless payments employ dynamic transaction data as their main security feature – it’s why they’re being rolled out in the first place. They don’t just hold information about the card – they’re computers that actively participate in creating a one-time transaction cryptogram using keys on the card.
          The static chip data is different from the track1/track2 data on a mag stripe, so you can’t encode chip data to produce a counterfeit mag stripe card (even if you could physically write it, the data identifies the card as chip-capable so the payment terminal will expect the chip to be used), and no-one has been able to counterfeit the chips yet (and again, even if they could, the standard supports checking of dynamic transaction counters that will shut down the card if a duplicate is active).

          So EMV stops short of creating a one-time-use card, but still allows for a comparable degree of security. Whereas you can copy a mag stripe using repurposed VCR parts.

  21. Would you say that the cards used as chip, at their chip enabled terminals, would also be at risk? Or, should we only be concerned about mag-stripe read transactions?

    • Just the mag stripe ones.

    • If the breach was due to malware being installed on the POS terminals, I would be concerned with all credit card transactions. As you may or may not know, full PAN (Card Numbers) are still provided to the POS and/or credit card gateway/middleware in an EMV transaction.

      • I’m aware the PAN and expiry are disclosed – it’s how the card identifies itself to the system. PAN and expiry are not enough to produce a counterfeit card or complete CNP transactions (properly implemented anyway – a very, very few merchants may accept these for CNP without a CVV2, but that’s their failing. And I can’t remember when I last saw a transaction that didn’t involve the CVV2, it’s been that long).

        • The bad guys are harvesting this card data for card present transactions. If the cards are EMV, they simply encode on a card with a fake chip/sticker or re-encode the service code to indicate it is a non-chip card to avoid the dip all together.

          Brick and mortar merchants have started to implement CVV2 checks but Visa is taking this away from merchants in April of next year (another dastardly move by Visa).

          Merchants need to lock their vaults. They need to put in an E2EE or P2PE solution in conjunction with EMV.

          The issuing banks need to start declining chip cards processed as “Fallback” or not processed as chip from chip capable merchants. The bad guys are using the card brands regulations and published specifications against them. They aren’t utilizing sophisticated technology to defeat EMV and the merchant systems are STILL full of un-encrypted card data that can be monetized quickly and easily.
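The dynamic-data argument made earlier in this thread (a one-time transaction cryptogram, a transaction counter the issuer checks, and declining chip cards that arrive as mag-stripe fallback) in runnable form, as an added example that is not from the original post or from any commenter. It is a deliberately simplified model: real EMV derives a 3DES or AES session key from an issuer master key and MACs the CDOL1 data to form the ARQC, whereas here a single per-card key and HMAC-SHA256 truncated to 8 bytes stand in for that, and the Card/Issuer classes, their field names and the test PAN are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Simplified model of EMV online authorization.  Real cards derive a 3DES/AES session key
# from an issuer master key and MAC the CDOL1 data to form the ARQC; here one per-card key
# and HMAC-SHA256 truncated to 8 bytes stand in for that.  The decision logic is the point.


def cryptogram(key, pan, amount_cents, unpredictable_number, atc):
    """Stand-in for the ARQC: a MAC over the data the card commits to for this transaction."""
    data = pan.encode() + struct.pack(">QIH", amount_cents, unpredictable_number, atc)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Chip card: holds its key and an Application Transaction Counter (ATC)."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0

    def generate_arqc(self, amount_cents, unpredictable_number):
        # The terminal supplies amount and unpredictable number; the card bumps the ATC and signs.
        self.atc += 1
        return {
            "pan": self.pan,  # PAN travels in the clear: RAM scraping on the POS does see it
            "amount": amount_cents,
            "un": unpredictable_number,
            "atc": self.atc,
            "arqc": cryptogram(self.key, self.pan, amount_cents, unpredictable_number, self.atc),
        }


class Issuer:
    """Issuer host: verifies cryptograms, tracks ATCs, applies the fallback rule."""

    def __init__(self):
        self.keys = {}        # issuer's copy of each card key
        self.last_atc = {}    # highest ATC accepted per card
        self.chip_cards = set()

    def enroll(self, card, chip=True):
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0
        if chip:
            self.chip_cards.add(card.pan)

    def authorize(self, req, entry_mode, terminal_chip_capable):
        pan = req["pan"]
        if pan not in self.keys:
            return "DECLINE unknown card"
        if entry_mode == "magstripe":
            # The rule argued for above: a chip card swiped at a chip-capable terminal is
            # declined outright, so a PAN lifted from memory cannot simply be re-encoded.
            if pan in self.chip_cards and terminal_chip_capable:
                return "DECLINE chip card presented as magstripe fallback"
            return "APPROVE magstripe"
        expected = cryptogram(self.keys[pan], pan, req["amount"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE cryptogram mismatch"   # transaction data altered, or key unknown
        if req["atc"] <= self.last_atc[pan]:
            return "DECLINE ATC not increasing"    # a captured request replayed, or a duplicate card
        self.last_atc[pan] = req["atc"]
        return "APPROVE chip"


def run_scenarios():
    """One genuine purchase, then the three things a scraped copy of that request is good for."""
    card = Card("4111111111111111", secrets.token_bytes(16))  # constructed test PAN and key
    issuer = Issuer()
    issuer.enroll(card)
    genuine = card.generate_arqc(4999, 0x1A2B3C4D)
    scraped = dict(genuine)  # exactly what a RAM scraper on the register would hold
    return [
        issuer.authorize(genuine, "chip", True),                             # 1. the real purchase
        issuer.authorize(scraped, "chip", True),                             # 2. same request again
        issuer.authorize(dict(scraped, amount=9999), "chip", True),          # 3. request with new amount
        issuer.authorize({"pan": scraped["pan"]}, "magstripe", True),        # 4. PAN only, swiped
        issuer.authorize(card.generate_arqc(1250, 0x0BADF00D), "chip", True),  # 5. next real purchase
    ]


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

Scenarios 2 and 3 are why scraped chip data does not clone: without the card key the cryptogram cannot be recomputed for new data, and the issuer's ATC check rejects a byte-for-byte replay even though its MAC verifies. Scenario 4 is the fallback decline; without it the PAN and expiry that the scraper does see would still be usable on a stripe-only counterfeit.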

  22. So are these guys just not taking basic security steps like malware protection and keeping critical systems locked down from employee misuse, and updating?

  23. I used a BofA card at my local Eddie Bauer retail store several times during the breach period. I just contacted BofA on what to do and their advice was NOT to change the number–that they would look out for fraud (but would be happy to change out the card if I would be more comfortable).

    Q: if we used a CC at Eddie Bauer retail, should we cancel that card?

    I was surprised at the BofA ‘advice’.

    • I haven’t seen an article from Brian recently on the value of a stolen card. But my guess is that it’s dropping (it’s a function of supply and demand). There seems to be way more stolen card information available than criminals able to “cash-out” that information. If I’m right (and I could be wrong), this means your stolen information might not be purchased by a criminal and then encoded for use. So, you’re basically playing a game of Russian roulette — the information/bullet is available, and someone is spinning, but they might not get your chamber.

      BofA has to consider that your card will probably be cloned again, and each time they reissue your card, you’re left w/ a downtime window, and they’re left w/ a cost (for a chip card w/ compromised magstripe, perhaps $1.50, for a chip-less, probably $0.20 — I’m assuming their mailing + printing costs dwarf the magstripe costs — Disclaimer: I really don’t know the costs for either reissue, these are wild guesses, but the point is that the costs aren’t huge, and that it costs more for the chip enabled card). Either way, BofA has to be constantly monitoring your card for the next fraudulent use whether from this compromise or some future compromise (i.e. this cost isn’t alleviated by you getting a new card).

      If I were you, and I knew of a trip coming up, I’d cancel and get a replacement card immediately. Otherwise, it probably doesn’t matter. The reason it matters if you’re traveling is that it’s often very inconvenient to get a replacement card when you’re away from home — and you typically need that card to make purchases. Remember that when you’re traveling, at any moment someone could cash-out your stolen information, triggering the detection system by BofA, rendering your physical card useless, resulting in you having to wait for them to send you a new one — and if you’re about to try to check out from a hotel, that’s a problem (speaking from experience — my card wasn’t stolen, it wasn’t really lost, it just didn’t fly with me so it was effectively lost and reissued — taking ~4 days).

  24. Sadly, this will continue because so many are worried about being labeled as racists.
    So, what is in common?
    Nearly all that have been cracked run windows AND almost all have outsourced some part of their production to India.
    Now, what does a software engineer in India make? Less than $10,000. So, how easy is it for say a Russian to bribe an Indian with $100,000 (or enough to retire on), to leave a backdoor in the software? Considering that Russia is closer, politically, to India than is America, I would say, fairly easy. After all, Russians come and go out of India ALL THE TIME.

    And yet, ppl here will scream that it is RACIST to point out facts, just like I did with Target and Home Depot.
    When American businesses really want to stop this, they will :
    1) quit Windows.
    2) quit outsourcing to India.

    BTW, if a company moves to Linux, BSD, OSX, etc and still outsources to nations that manipulate their money so that employees will be extremely low paid, well, once somebody has root, then good luck stopping them, no matter the OS.

    For those of you doubting this, compare Target to Walmart and Home Depot to Lowes. Target and Home Depot use windows and outsourced.
    Walmart and Lowes are pure in-house and use linux, not windows (actually, iirc, Walmart DOES use windows on register, but still not outsourced, and rest of system is other).

    • “…once somebody has root, then good luck stopping them…”

      This! so much this!

      This is exactly my point. I could not agree more. So many people think that 2fa is going to save them. So many people think that updates are going to save them. 2fa means absolutely nothing when the user is logging in with a compromised machine and/or when they are logging into a compromised server. When the bad guys have made it in, that means they are in. Once they are in, updates are not likely going to kick them out. The idea should be to not create more attack surface….but less. Updates will not do that. Neither is 2fa. There is no update that exists that can make up for all the outsourcing that happens.

      There are reasons why Sir Bill Gates did not want his taxes done on a Windows based computer.

  25. I 100% agree with you, some people are just not taking security steps like malware protection

  26. Hi !

    I am writing from France where chip-n-pin was rolled out 25 years ago.

    I have not heard of any card data breach at brick-and-mortar stores in local stores. I think this is mainly because:

    – Transactions are always processed by external (PCI certified) card terminals that do not share sensitive data with POS terminals. Think of an HSM if you are familiar with this notion.
    – Card terminals cannot process mag stripe if a chip is present.
    – POS terminals encrypt communications with payment processing companies and banks.

    As long as card payment processing is integrated in POS terminals, card data will be at risk. It is impossible to guarantee the security of a computer running a rich OS (whether it is Windows, Linux or MacOS) and tons of software. You can stack firewalls and antivirus, the solution will never be safer than an external terminal whose task is only to process payments.

    • Nope. That has NOTHING to do with whether these systems are cracked.
      It is NOT the card readers that are being cracked. It is the computers that are running windows that have updates going to them either being sysadmined by India (in the middle of the night), OR the updates were put together by India. Once an Indian based company (and it has to be Indian BASED, not just an Indian working in America), then you have ppl that are paid by Russians to leave in a backdoor for them, and they simply put in a new one, remove the old, and presto magic, they can then work the network quietly and easily.

    • France is the poster-child for EMV, as the first country to roll it out – and still not see any fraud through this channel! The reason you don’t hear about breaches there is simple: card data captured through EMV is useless for fraud.

    • Jerome,

      Thanks for your comment. Question for you: Does France have any kind of law that requires companies to disclose a data breach? I know of an EU requirement that goes into force in a couple of years, but I’m not aware of a French law. That could have something to do with the lack of reporting in France. Just a guess.

  27. There should be an update to PCI standards that mandates greater control over POS device protection such that these devices are protected by application white-listing at a minimum.

  28. Abraham Megidish

    Build it yourself
    Use Krebs to detect
    Secure it with Jentu
    Remove the attack vector

  29. Most people and most companies don’t have any security at all. Some have the impression they are secure when that’s far from the truth. I don’t think more than 10% of companies are really secured in case something bad happens. The others, well, they just hope it will pass and they’ll be left standing.

    • I agree. The question that I’m asking though is….Why is it that way?

      Most people don’t even understand what a ‘surge protector/surge suppressor’ is. Very few people understand what a UPS can do. Most people consider themselves ‘tech savvy’ for being able to click on the Facebook LIKE button.

      It does not matter who you are, how much money you have, your race or religion or gender, where in the world you come from, or how old you are. Understanding the how’s and the why’s of our technology is seen as not needed and not wanted. We all use these things everyday without a care in the world…….no one knows and no one cares to know. It’s that flashing 12:00 that just gets ignored because it’s someone else’s job.