August 12, 2011

I recently wrote about an online service that was selling access to stolen credit and debit card data. That post received a lot of attention, but criminal bazaars are a dime a dozen. The real news is that few of these fraud shops are secure enough to keep their stock of stolen data from being pilfered by thieves.

Card shopping options at mn0g0.su

A prime example is the shop mn0g0.su (“mnogo” is a transliteration of много, which means “many” in Russian). This online store, launched in January 2011, lets customers shop for stolen card data by bank issuer, victim ZIP code, and card type. A source who enjoys ruining criminal projects said he stumbled upon mn0g0.su’s back-end database by accident; the site was backing up its cache of stolen card data to a third party server that was wide open and unencrypted.

Included in the database are more than 81,000 sets of credit and debit card numbers, along with their associated expiration dates and card security code. Each listing also includes the owner’s name, address and phone number and/or email address. The Social Security number, mother’s maiden name and date of birth are available for some cardholders. The site does not accept credit card payments; shopper accounts are funded by deposits from “virtual currencies,” such as WebMoney and LibertyReserve.

It’s not clear how or when these card numbers were stolen. Fraudulent card shops purchase data in bulk from multiple suppliers, most likely from small-time fraudsters who use automated tools to hack e-commerce stores. The data is inserted into the database in varying formats. For example, one batch of card information for sale includes email addresses in lieu of phone numbers, and all of the victim cardholders from that batch have physical addresses in the United Kingdom.

Just for amusement, I searched for my last name, and was surprised to find four people with the last name “Krebs” whose card information was included in the database (none are known relatives).

Not only did mn0g0.su leak all of the credit and debit cards it had for sale, but it also spilled its own “customer” list: The email addresses, IP addresses, ICQ numbers, usernames and passwords of more than 4,300 mn0g0.su shoppers were included in the exposed database backup. The customer passwords were better protected than the credit card numbers. The passwords are stored as salted SHA256 hashes, although a decent set of password-cracking tools could probably crack 50-75 percent of the hashed passwords if given enough time.
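Why a salt alone does not stop offline guessing, and how a defender holding salted SHA256 hashes can strengthen them at rest: this is an added example, not code from the original post or from the exposed database. The `salt || password` layout, the 600,000-iteration PBKDF2 work factor, the sample password and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your own hardware


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-256 (the salt || password layout is an assumption)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def wrap_legacy(legacy_digest: bytes, kdf_salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Strengthen a stored legacy digest at rest, without knowing the password."""
    return hashlib.pbkdf2_hmac("sha256", legacy_digest, kdf_salt, iterations)


def verify_wrapped(password: str, salt: bytes, kdf_salt: bytes, stored: bytes) -> bool:
    """Recompute legacy hash, then the slow wrapper, and compare in constant time."""
    candidate = wrap_legacy(legacy_hash(password, salt), kdf_salt)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(fn, repeats: int) -> float:
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def demo() -> dict:
    # Constructed sample records: two users who chose the same password.
    password = "correct horse"
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    rec_a, rec_b = legacy_hash(password, salt_a), legacy_hash(password, salt_b)
    kdf_salt = os.urandom(16)
    upgraded = wrap_legacy(rec_a, kdf_salt)  # what the database would now store
    # The salt hides password reuse and defeats precomputed tables, but each
    # guess against the legacy record still costs only one SHA-256 call.
    fast = seconds_per_guess(lambda: legacy_hash("guess", salt_a), 20_000)
    slow = seconds_per_guess(lambda: wrap_legacy(legacy_hash("guess", salt_a), kdf_salt), 2)
    return {
        "distinct": rec_a != rec_b,
        "verifies": verify_wrapped(password, salt_a, kdf_salt, upgraded),
        "rejects": not verify_wrapped("wrong", salt_a, kdf_salt, upgraded),
        "slowdown": slow / fast,  # per-guess cost multiplier for an offline attacker
    }


if __name__ == "__main__":
    print(demo())
```

The wrapped value replaces the legacy digest in storage, so a leaked backup exposes only the slow form; both salts must be kept alongside it for verification.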

The database backup appears to be a few months old. I know this because I registered two accounts at mn0g0.su, and only one of them — the one I registered late May or early June — is included in the customer database. In addition, it seems that many of the cards for sale were stolen quite recently. I ran a search for cards in my ZIP code, and the site returned just two results. Again, one of the cards was listed in the backup database, and the other — a listing for Annandale, Va. resident Andrea Bolz — was not.

My source offered to pay the $2.50 asking price to buy Bolz’s data (presumably using one of the compromised mn0g0.su customer accounts).  When I called her at the phone number that mn0g0.su returned in the purchase receipt, Bolz confirmed the Bank of America Platinum debit card was hers. Bolz said she was unaware that it had been stolen; she had not experienced any recent fraud on the account. She said that she would call her bank to cancel the card.

The good news? The act of purchasing Bolz’s card appears to have removed her personal information from the list of cards for sale at mn0g0.su. The bad news? The fraud shop is still backing up its database to a wide-open third party server.

Bolz’s debit card data may well have been stolen in a physical data breach, via an ATM skimmer, a server at a restaurant, or a store employee who swiped her card. It’s always a good idea to avoid using debit cards for most retail transactions. U.S. consumer protection laws are much stronger for credit cards than for debit cards. Unauthorized transactions on a credit card are simple to report and reverse. Stolen debit card data may lead to fraudulent cash withdrawals. Resolving incidents of unauthorized withdrawals from a debit card requires a lot of time and paperwork. What’s more, many banks require that you file a police report before they will investigate an unauthorized withdrawal.



20 thoughts on “Vendor of Stolen Bank Cards Hacked”

  1. Frank S.

    I recently had a phone call informing me that since I had just used my credit card ending in XXXX, the bank wants to send me $100 in free gas coupons and a membership for discounts on most purchases. I would pay for s/h and then after the first month it will be auto renewed for $29.95. Both guys talked so fast that I could barely keep up with the spiel. They made it sound like an offer from the credit card. I wanted to know how they got the card number and my unpublished telephone number. The only place where I had used that card in the previous couple of months was on a secure site for a purchase ‘as seen on TV’, which did arrive on time without problems. I called the bank and closed the account immediately. The bank said it was a scam, etc.

    Interestingly there were no additional attempts to contact me or to use the card. I could check that out online. That’s very different from when another Visa card was ‘stolen’ last year from a purchase on Amazon.com. They did try to use the card several times.

    I really no longer see the wisdom in shopping online. Both sites were https labeled.

    1. JCitizen

      Dear Frank S.;

      There really is a way to shop on line pretty safely, other than the crooks getting your name and possibly also your address. That is with an online secure credit card. I’m sure several vendors have them, but strangely they never advertise this or brag about this neat feature.

      I suspect it is because none of the credit card issuers want the public in general to know just how bad it is. The card numbers are basically fake, and generated just to identify your vendor. If anyone besides the vendor tries to use the card number, then all requests are denied that number from then on. It is a LOT easier than watching every purchase and canceling cards thereafter.

      I have one vendor I always suspected was being cracked by criminals for card numbers, and sure as heck, every so many months, they have to have a new number issued to them, because of reasons not explained to me. But I know what is going on, the old number quit working, because someone cracked their database – of course! It has never affected me, but fortunately part of the service of this convenience is also an automatic credit reporting function to see if anyone actually gains enough personal data to request other credit in my name. This gives me peace of mind, because it is reported through the mail so email crackers can’t block the reports.

  2. Phoenix

    “It’s not clear how or when these card numbers were stolen.” Allow me to offer a couple of clues. Picture a businessman or tourist making his next reservation using his notebook or pad on an insecure hotel wi-fi network. Or consider an out of date or improperly set up home network. A couple of years ago my son-in-law took a stroll around my neighborhood with his wireless device and was amazed to find home networks not passworded or encrypted. There’s some good stuff in many of the sites Brian has listed in his Blogroll. Take a look sometime.

  3. Frank S.

    Both times the cards were used online from a single home computer, direct wired to a wall outlet, sent through Comcast. No network or wifi involved.

    When on Amazon, Amazon had the card number and my personal information stored. I believe that the Visa number was stolen at the third party vendor listed on Amazon.

    The recent experience was from the same computer and I input the information to the https site. That’s the one where I received the phone call about my card that ends in XXXX.

    1. george

      Frank,
      I was under the impression when doing third-party purchases via Amazon that CC info is not passed on to the vendor, Amazon would claim the money and pass it on to the vendor in a separate, bulk transaction. Is this not the case? CC info lost by Amazon would be pretty big news… Since a single home computer was involved wired to Internet, perhaps you should suspect Zeus, SpyEye or some other trojan in your computer.

      1. Frank S

        George,

        I don’t know how Amazon third party orders are paid. I do know that the shipping document for my order showed ‘paid by Visa’. That is the only problem that I’ve had with Amazon payments. Neither Amazon nor the issuing bank wanted to deal with it or track it. Both told me that they would remove the charge from my accounts. I offered the name of the company that I suspected, but guess it is easier and cheaper to forgive and ignore, rather than dealing with it.

        I do know for sure that if PayPal is used on eBay, the payment is handled in the way that you stated for Amazon. PayPal has an arrangement with eBay, not so with Amazon.

        Frank

      2. JCitizen

        @george;

        I know you can’t use just one online secure number with Amazon; because the credit card companies can’t identify the vendor so they refuse the transaction. Since there is no way to place the order directly with the individual Amazon merchants, only base card numbers will work. I’ve never tried PayPal on Amazon – I haven’t even noticed if it is a choice.

        I’m assuming if you use just the Amazon store, this would be different.

  4. Batsy

    It’s always going to be hit and miss in a way. PCI was supposed to smooth out the peaks and valleys but largely (overall) it has increased security (if implemented in good faith)

    With that said, clearly it varies because even amongst technical folks, definition of security is hotly debated: see for yourself (From Qualys)

    https://www.ssllabs.com/ssldb/index.html

    There was actually one energy company from Eastern US that was listed and it got a whopping ZERO score.

    Stunning, simply stunning.

    1. George

      Batsy,

      I went to the website to which the URL you provided points.
      Under the Recent ones many are marked Err.
      What does error mean in these scans?

  5. george

    Interesting report, Brian!
    There is only one question still open for me: Is your source or anyone else with access to the database taking the trouble to contact every card holder (where possible) or card issuer to inform them the cards were compromised and should be blocked? (aside from the singular case of Mrs. Andrea Bolz). Outside US, cardholders might not enjoy the same protection and may be left with fraudulent transactions un-reversed.

    1. Brian Krebs

      Hi George, thanks. Yes, the card info has been shared with the affected banks and with law enforcement. What the issuers decide to do with the information is up to them, of course.

  6. Kooberfacer

    Actually I had a debit card scammer try to bilk me for money from my bank account. The credit card company called me almost instantly as it was an unusual purchase out of my area of what I usually use my debit card for.

    The money was replaced with no loss to my account as I’ve got insurance. Still, maybe it’s time to go offense on these scammers’ sites and search ourselves to see if they have our info.

  7. Антуан Луи Пятнадцатый

    This bad egg won’t let honest fraudsters earn a living

  8. ololo

    Guys, let’s hit the States twice as hard
    We’ll bend them over!!!
    For Stalin!!!

  9. James

    What everyone must remember is that there are so many possibilities for your data to be compromised.

    1. The computer entering the information. If you don’t have an updated firewall and anti-virus you could be infected as we speak. Such viruses and malware can easily steal your passwords and record your keystrokes, which would gain the attackers access to all your information.

    2. SSL can easily be broken if you are on wifi, or even a cable. A hacker can use sslstrip and make it seem as if you aren’t even using ssl. If you have an insecure password on your wifi then this will enable hackers to possibly break into your home network and sniff traffic off your network connection.

    3. Back end Databases themselves if data is not encrypted this can easily happen. Are you willing to possibly give your email, cc, and ccv details to a company and trust that the company will keep it secure? If there is one insecurity in the firewall, web server, ftp server, then all of their data can be easily stolen, then decrypted.

    4. Does the server back up to an insecure server? As this company seems to have, which seems like something that should have been thought out before it happened.

    These are just some of the topics which people don’t really understand, that every point of the connection has vulnerabilities associated with it. Unfortunately there is not much we can do other than do a hit and miss, and use paypal or other such companies to possibly secure our cc’s and identities.

  10. maddogg

    SSL Report: krebsonsecurity.com (94.228.133.163)
    krebsonsecurity.com scored only a B (73)!!!!

    Doc, heal thyself!!! 🙂

    Assessed on: Tue Aug 16 15:21:19 UTC 2011

    Summary: Overall Rating B (73). Certificate: 100. Protocol Support: 85. Key Exchange: 80. Cipher Strength: 60.

    The scores are explained in the SSL Server Rating Guide 2009.
    This server supports secure renegotiation

  11. anonymously

    Krebs, be careful. If you think you’re safe, then you’re wrong.
    You’re not afraid to walk the streets?

    Get ready for troubles.

    1. JCitizen

      Yeah? Well you just think you’re anonymous! I’m your Huckleberry!

  12. luis miguel

    I want to buy stolen cards, please send me information

  13. Mark Anderson

    The real fear here, as a consumer, is when am I likely to discover if my credit details are being traded on the criminal high-seas. And when I do discover it, what obligation does my bank have to protect me or my credit rating. And you’d think that given the paper trail left by every credit card purpose, tracking and stopping this type of activity would be easier – unfortunately though it doesn’t seem to be.
