August, 2018


3
Aug 18

Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months

TCM Bank, a company that helps more than 750 small and community U.S. banks issue credit cards to their account holders, said a Web site misconfiguration exposed the names, addresses, dates of birth and Social Security numbers of thousands of people who applied for cards between early March 2017 and mid-July 2018.

TCM is a subsidiary of Washington, D.C.-based ICBA Bancard Inc., which helps community banks provide a credit card option to their customers using bank-branded cards.

In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor. TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.

Bruce Radke, an attorney working with TCM on its breach outreach efforts to customers, said fewer than 10,000 consumers who applied for cards were affected. Radke declined to name the third-party vendor, saying TCM was contractually prohibited from doing so.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said. “We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

ICBA Bancard is the payments subsidiary of the Independent Community Bankers of America, an organization representing more than 5,700 financial institutions that has been fairly vocal about holding retailers accountable for credit card breaches over the years. Last year, the ICBA sued Equifax over the big-three credit bureau’s massive data breach that exposed the Social Security numbers and other sensitive data on nearly 150 million Americans.

Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers. For example, identity theft protection provider LifeLock recently addressed a Web site misconfiguration that exposed the email addresses of millions of customers. LifeLock’s owner Symantec later said it fixed the flaw, which it blamed on a mistake by an unnamed third-party marketing partner.

Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners (consider the Target breach, which began with an opportunistic malware compromise at a heating and air conditioning vendor). Nevertheless, organizations of all shapes and sizes need to be vigilant about making sure their partners are doing their part on security, lest third-party risk devolves into a first-party breach of customer trust.


2
Aug 18

The Year Targeted Phishing Went Mainstream

A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).

But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.

The sextortion scheme that emerged this month falsely claims to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom.

What spooked people most about this scam was that its salutation included a password that each recipient legitimately used at some point online. Like most phishing attacks, the sextortion scheme that went viral this month requires just a handful of recipients to fall victim for the entire scheme to be profitable.

From reviewing the Bitcoin addresses readers shared in the comments on that July 12 sextortion story, it is clear this scam tricked dozens of people into paying anywhere from a few hundred to thousands of dollars in Bitcoin. All told, those addresses received close to $100,000 in payments over the past two weeks.

And that is just from examining the Bitcoin addresses posted here; the total financial haul from different versions of this attack is likely far higher. A more comprehensive review by the Twitter user @SecGuru_OTX and posted to Pastebin suggests that as of July 26 there were more than 300 Bitcoin addresses used to con at least 150 victims out of a total of 30 Bitcoins, or approximately $250,000.

There are several interesting takeaways from this phishing campaign. The first is that it effectively inverted a familiar threat model: Most phishing campaigns try to steal your password, whereas this one leads with it.

A key component of a targeted phishing attack is personalization. And purloined passwords are an evergreen lure because your average Internet user hasn’t the slightest inkling of just how many of their passwords have been breached, leaked, lost or stolen over the years.

This was evidenced by the number of commenters here who acknowledged that the password included in the extortion email was one they were still using, with some even admitting they were using the password at multiple sites! 

Surprisingly, none of the sextortion emails appeared to include a Web site link of any kind. But consider how effective this “I’ve got your password” scam would be at enticing a fair number of recipients into clicking on one.

In such a scenario, the attacker might configure the link to lead to an “exploit kit,” crimeware designed to be stitched into hacked or malicious sites that exploits a variety of Web-browser vulnerabilities for the purposes of installing malware of the attacker’s choosing.

Also, most of the passwords referenced in the sextortion campaign appear to have been slurped from data breaches that are now several years old. For example, many readers reported that the password they received was the one compromised in LinkedIn’s massive 2012 data breach.

Now imagine how much more convincing such a campaign would be if it leveraged a fresh password breach — perhaps one that the breached company wasn’t even aware of yet.

There are many other data elements that could be embedded in extortion emails to make them more believable, particularly with regard to freshly-hacked databases. For example, it is common for user password databases that are stolen from hacked companies to include the Internet Protocol (IP) addresses used by each user upon registering their account.

This could be useful for phishers because there are many automated “geo-IP” services that try to determine the geographical location of Website visitors based on their Internet addresses.

Some of these services allow users to upload large lists of IP addresses and generate links that plot each address on Google Maps. Suddenly, the phishing email not only includes a password you are currently using, but it also bundles a Google Street View map of your neighborhood!

There are countless other ways these schemes could become far more personalized and terrifying — all in an automated fashion. The point is that automated, semi-targeted phishing campaigns are likely here to stay.

Continue reading →


1
Aug 18

Reddit Breach Highlights Limits of SMS-Based Authentication

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.

In a post to Reddit, the social news aggregation platform said it learned on June 19 that between June 14 and 18 an attacker compromised a several employee accounts at its cloud and source code hosting providers.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit disclosed. “We point this out to encourage everyone here to move to token-based 2FA.”

Reddit didn’t specify how the SMS code was stolen, although it did say the intruders did not hack Reddit employees’ phones directly. Nevertheless, there are a variety of well established ways that attackers can intercept one-time codes sent via text message.

In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider. In both port-out and SIM swap schemes, the victim’s phone service gets shut off and any one-time codes delivered by SMS (or automated phone call) get sent to a device that the attackers control. Continue reading →