How to Spot Ingenico Self-Checkout Skimmers

June 24, 2016

A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.

Happily, just days before my story point-of-sale vendor Ingenico produced a tutorial on how to spot a skimmer on self checkout lanes powered by Ingenico iSC250 card terminals. Unfortunately, it doesn’t appear that this report was widely disseminated, because I’m still getting questions from readers at retailers that use these devices.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual ISC250 on the right. Source: Ingenico.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual iSC250 on the right. Source: Ingenico.

“In order for the overlay to fit atop the POS [point-of-sale] terminal, it must be longer and wider than the target device,” reads a May 16, 2016 security bulletin obtained by KrebsOnSecurity. “For this reason, the case overlay will appear noticeably larger than the actual POS terminal. This is the primary identifying characteristic of the skimming device. A skimmer overlay of the iSC250 is over 6 inches wide and 7 inches tall while the iSC250 itself is 5 9/16 inch wide and 6 1⁄2 inches tall.”

In addition, the skimming device that thieves can attach in the blink of an eye on top of the Ingenico self-checkout card reader blocks the backlight from coming through the fake PIN pad overlay.

The backlight can be best seen while shading the keypad from room lights. The image on the left is a powered-on legitimate ISC250 viewed with the keypad shaded. The backlight can be seen in comparison to a powered-off ISC250 in the right image. Source: Ingenico.

The backlight can be best seen while shading the keypad from room lights. The image on the left is a powered-on legitimate iSC250 viewed with the keypad shaded. The backlight can be seen in comparison to a powered-off iSC250 in the right image. Source: Ingenico.

Continue reading

Rise of Darknet Stokes Fear of The Insider

June 22, 2016

With the proliferation of shadowy black markets on the so-called “darknet” — hidden crime bazaars that can only be accessed through special software that obscures one’s true location online — it has never been easier for disgruntled employees to harm their current or former employer. At least, this is the fear driving a growing stable of companies seeking technical solutions to detect would-be insiders.

Avivah Litan, a fraud analyst with Gartner Inc., says she’s been inundated recently with calls from organizations asking what they can do to counter the following scenario: A disaffected or disgruntled employee creates a persona on a darknet market and offers to sell his company’s intellectual property or access to his employer’s network.

A darknet forum discussion generated by a claimed insider at music retailer Guitar Center.

A darknet forum discussion generated by a claimed insider at music retailer Guitar Center.

Litan said a year ago she might have received one such inquiry a month; now Litan says she’s getting multiple calls a week, often from companies that are in a panic.

“I’m getting calls from lots of big companies, including manufacturers, banks, pharmaceutical firms and retailers,” she said. “A year ago, no one wanted to say whether they had or were seriously worried about insiders, but that’s changing.”

Insiders don't have to be smart or sophisticated to be dangerous.

Insiders don’t have to be smart or sophisticated to be dangerous, as this darknet forum discussion thread illustrates.

Some companies with tremendous investments in intellectual property — particularly pharmaceutical and healthcare firms — are working with law enforcement or paying security firms to monitor and track actors on the darknet that promise access to specific data or organizations, Litan said. Continue reading

Advertisement

Citing Attack, GoToMyPC Resets All Passwords

June 20, 2016

GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.

gtpcOwned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.

“Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack,” reads the notice posted to status.gotomypc.com. “To protect you, the security team recommended that we reset all customer passwords immediately. Effective immediately, you will be required to reset your GoToMYPC password before you can login again. To reset your password please use your regular GoToMYPC login link.”

John Bennett, product line director at Citrix, said once the company learned about the attack it took immediate action. But contrary to previous published reports, there is no indication Citrix or its platforms have been compromised, he said.

“Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett wrote in an emailed statement. “At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the  GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible. ”

Citrix’s GoTo division also operates GoToAssist, which is geared toward technical support specialists, and GoToMeeting, a product marketed at businesses. The company said it has no indication that user accounts at other GoTo services were compromised, but assuming that’s true it’s likely because the attackers haven’t gotten around to trying yet.

It’s a fair bet that whoever perpetrated this attack had help from huge email and password lists recently leaked online from older breaches at LinkedIn, MySpace and Tumblr to name a few. Re-using passwords at multiple sites is a bad idea to begin with, but re-using your GoToMyPC remote administrator password at other sites seems like an exceptionally lousy idea.

Adobe Update Plugs Flash Player Zero-Day

June 17, 2016

Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.

brokenflash-aThe latest update brings Flash to v. 22.0.0.192 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually check for updates in Chrome an restart the browser to get the latest Flash version). Continue reading

FBI Raids Spammer Outed by KrebsOnSecurity

June 16, 2016

Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email artist currently flagged by anti-spam activists as one of the world’s Top 10 Worst Spammers, was reportedly raided by the FBI in connection with a federal spam investigation.

atballAccording to a June 9 story at ABC News, on April 27, 2016 the FBI raided the San Diego home of Persaud, who reportedly has been under federal investigation since at least 2013. The story noted that on June 6, 2016, the FBI asked for and was granted a warrant to search Persaud’s iCloud account, which investigators believe contained “evidence of illegal spamming’ and wire fraud to further [Persaud’s] spamming activities.”

Persaud doesn’t appear to have been charged with a crime in connection with this investigation. He maintains his email marketing business is legitimate and complies with the CAN-SPAM Act, the main anti-spam law in the United States which prohibits the sending of spam that spoofs that sender’s address or does not give recipients an easy way to opt out of receiving future such emails from that sender.

The affidavit that investigators with the FBI used to get a warrant for Persaud’s iCloud account is sealed, but a copy of it was obtained by KrebsOnSecurity. It shows that during the April 2016 FBI search of his home, Persaud told agents that he currently conducts internet marketing from his residence by sending a million emails in under 15 minutes from various domains and Internet addresses.

The affidavit indicates the FBI was very interested in the email address michaelp77x@gmail.com. In my 2014 piece Still Spamming After All These Years, I called attention to this address as the one tied to Persaud’s Facebook account — and to 5,000 or so domains he was advertising in spam. The story was about how the junk email Persaud acknowledged sending was being relayed through broad swaths of Internet address space that had been hijacked from hosting firms and other companies.

persaud-fbFBI Special Agent Timothy J. Wilkins wrote that investigators also subpoenaed and got access to that michaelp77x@gmail.com account, and found emails between Persaud and at least four affiliate programs that hire spammers to send junk email campaigns.

A spam affiliate program is a type of business or online retailer — such as an Internet pharmacy — that pays a third party (known as affiliates or spammers) a percentage of any sales that they generate for the program (for a much deeper dive on how affiliate programs work, check out Spam Nation). Continue reading

Microsoft Patches Dozens of Security Holes

June 14, 2016

Microsoft today released updates to address more than three dozen security holes in Windows and related software. Meanwhile, Adobe — which normally releases fixes for its ubiquitous Flash Player alongside Microsoft’s monthly Patch Tuesday cycle — said it’s putting off today’s expected Flash patch until the end of this week so it can address an unpatched Flash vulnerability that already is being exploited in active attacks.

brokenwindowsYes, that’s right it’s once again Patch Tuesday, better known to mere mortals as the second Tuesday of each month. Microsoft isn’t kidding around this particular Tuesday — pushing out 16 patch bundles to address at least 44 security flaws across Windows and related software.

The usual suspects earn “critical” ratings: Internet Explorer (IE), Edge (the new, improved IE), and Microsoft Office. Critical is Microsoft’s term for a flaw that allows the attacker to remotely take control over the victim’s machine without help from the victim, save for perhaps getting him to visit a booby-trapped Web site or load a poisoned ad in IE or Edge.

Windows home users aren’t the only ones who get to have all the fun: There’s plenty enough in today’s Microsoft patch batch to sow dread in any Windows system administrator, including patches that fix serious security holes in Windows SMB Server, Microsoft’s DNS Server, and Exchange Server.

I’ll put up a note later this week whenever Adobe releases the Flash update. For now, Kaspersky has more on the Flash vulnerability and its apparent use in active espionage attacks. As ever, if you experience any issues after applying any of today’s updates, please drop a note about it in the comments below.

Other resources: Takes from the SANS Internet Storm CenterQualys and Shavlik.

ATM Insert Skimmers In Action

June 13, 2016

KrebsOnSecurity has featured several recent posts on “insert skimmers,” ATM skimming devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. I’m revisiting the subject again because I’ve recently acquired how-to videos produced by two different insert skimmer peddlers, and these silent movies show a great deal more than words can tell about how insert skimmers do their dirty work.

Last month I wrote about an alert from ATM giant NCR Corp., which said it was seeing an increase in cash machines compromised by what it called “deep insert” skimmers. These skimmers can hook into little nooks inside the mechanized card acceptance slot, which is a generally quite a bit wider than the width of an ATM card.

“The first ones were quite fat and were the same width of the card,” said Charlie Harrow, solutions manager for global security at NCR. “The newer ones are much thinner and sit right there where the magnetic stripe reader is.”

Operating the insert skimmer pictured in the video below requires two special tools that are sold with it: One to set the skimmer in place inside the ATM’s card acceptance slot, and another to retrieve it. NCR told me its technicians had never actually found any tools crooks use to install and retrieve the insert skimmers, but the following sales video produced by an insert skimmer vendor clearly shows a different tool is used for each job:

 

Same goes for a different video produced by yet another vendor of insert skimming devices:

 

IRS Re-Enables ‘Get Transcript’ Feature

June 10, 2016

The Internal Revenue Service has re-enabled a service on its Web site that allows taxpayers to get a copy of their previous year’s tax transcript. The renewed effort to beef up taxpayer authentication methods at irs.gov comes more than a year after the agency disabled the transcript service because tax refund fraudsters were using it to steal sensitive data on consumers.

irsbldgDuring the height of tax-filing season in 2015, KrebsOnSecurity warned that identity thieves involved in tax refund fraud with the IRS were using irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the actual number of victims was probably closer to 724,000.

So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? According to the IRS’s Get Transcript FAQ, the visitor needs to supply a Social Security number (SSN) and have the following:

  • immediate access to your email account to receive a confirmation code;
  • name, birthdate, mailing address, and filing status from your most recent tax return;
  • an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;
  • a mobile phone number with your name on the account.

“If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before,” the IRS said. “You’ll need to provide a financial account number and mobile phone number if you haven’t already done so.”

The agency said it will then verify your financial account number and mobile phone number with big-three credit bureau Equifax. Readers who have taken my advice and placed a security freeze on their credit files will need to request a temporary thaw in that freeze with Equifax before attempting to verify their identity with the IRS. Continue reading

There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier

June 9, 2016

When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

wendyskyOn January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But since that announcement last month, a number of sources in the fraud and banking community have complained to this author that there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.

What’s more, some of those same sources said they were certain the breach was still ongoing well after Wendy’s made the five percent claim in May. In my March 02 piece Credit Unions Feeling Pinch in Wendy’s Breach, I quoted B. Dan Berger, CEO of the National Association of Federal Credit Unions, saying the he’d heard from three credit union CEOs who said the fraud they’ve experienced so far from the Wendy’s breach has eclipsed what they were hit with in the wake of the Home Depot and Target breaches.

Today, Wendy’s acknowledged in a statement that the breach is now expected to be “considerably higher than the 300 restaurants already implicated.” Company spokesman Bob Bertini declined to be more specific about the number of stores involved, citing an ongoing investigation. Bertini also declined to say whether the company is confident that the breach has been contained.

“Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”

Bertini said part of the problem was that the breach happened in two waves. He said the outside forensics investigators that were assigned to the case by the credit card associations initially found 300 locations that had malware on the point-of-sale devices, but that the company’s own investigators later discovered a different strain of the malware at some locations. Bertini declined to provide additional details about either of the malware strains found in the intrusions.

“In recent days, our investigator has identified this additional strain or mutation of the original malware,” he said. “It just so happens that this new strain targets a different point of sale system than the original one, and we just within the last few days discovered this.” Continue reading

Slicing Into a Point-of-Sale Botnet

June 8, 2016

Last week, KrebsOnSecurity broke the news of an ongoing credit card breach involving CiCi’s Pizza, a restaurant chain in the United States with more than 500 locations. What follows is an exclusive look at a point-of-sale botnet that appears to have enslaved dozens of hacked payment terminals inside of CiCi’s locations that are being relieved of customer credit card data in real time.

Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.

This admin panel shows the Internet address of a number of infected point-of-sale devices as of June 4, 2016. Many of these appear to be at Cici's Pizza locations.

This admin panel shows the Internet address of a number of infected point-of-sale devices as of June 4, 2016. Many of these appear to be at Cici’s Pizza locations.

KrebsOnSecurity has not been able to conclusively tie the botnet to CiCi’s. Neither CiCi’s nor its outside public relations firm have responded to multiple requests for comment. However, the control panel for this botnet includes the full credit card number and name attached to the card, and several individuals whose names appeared in the botnet control panel confirmed having eaten at CiCi’s Pizza locations on the same date that their credit card data was siphoned by this botnet.

Among those was Richard Higgins of Prattville, Ala., whose card data was recorded in the botnet logs on June 4, 2016. Reached via phone, Higgins confirmed that he used his debit card to pay for a meal he and his family enjoyed at a CiCi’s location in Prattville on that same date.

An analysis of the botnet data reveals more than 100 distinct infected systems scattered across the country. However, the panel only displayed hacked systems that were presently reachable online, so the actual number of infected systems may be larger.

Most of the hacked cash registers map back to dynamic Internet addresses assigned by broadband Internet service providers, and those addresses provide little useful information about the owners of the infected systems — other than offering a general idea of the city and state tied to each address.

For example, the Internet address of the compromised point-of-sale system that stole Mr. Higgins’ card data is 72.242.109.130, which maps back to an Earthlink system in a pool of IP addresses managed out of Montgomery, Ala.

higgins-cicis

Many of the botnet logs include brief notes or messages apparently left by CiCi’s employees for other employees. Most of these messages concern banal details about an employee’s shift, or issues that need to be addressed when the next employee shift comes in to work. Continue reading