After Tax Fraud Spike, Payroll Firm Greenshades Ditches SSN/DOB Logins

April 6, 2016

Online payroll management firm Greenshades.com is an object lesson in how not to do authentication. Until very recently, the company allowed corporate payroll administrators to access employee payroll data online using nothing more than an employee’s date of birth and Social Security number. That is, until criminals discovered this and began mass-filing fraudulent tax refund requests with the IRS on large swaths of employees at firms that use the company’s services.

A notice on the Greenshades Web site.

A notice on the Greenshades Web site.

Jacksonville, Fla.-based Greenshades posted an alert on its homepage stating that the company “has seen an abnormal increase in identity thieves using personal information to fraudulently log into the company’s system to access personal tax information.”

Many online services blame these sorts of attacks on customers re-using the same password at multiple sites, but Greenshades set customers up for this by allowing access to payroll records just by supplying the employee’s Social Security number and date of birth.

As this author has sought repeatedly to demonstrate, SSN/DOB information is extremely easy and cheap to obtain via multiple criminal-run Web sites: SSN/DOB data is reliably available for purchase from underground online crime shops for less than $4 per person (payable in Bitcoin only).

The spike in tax fraud against employees of companies that use Greenshades came to light earlier this month in various media stories. A number of employees at public high schools in Chicago discovered that crooks beat them to the punch on filing tax returns. An investigation into that incident suggested security weaknesses at Greenshades were to blame.

The Milwaukee Journal Sentinel wrote last month about tax fraud perpetrated against local county workers, fraud that also was linked to compromised Greenshades accounts. In Nebraska, the Lower Platte North Natural Resources District and Fremont Health hospital had a number of employees with tax fraud linked to compromised Greenshades accounts, according to a report in the Fremont Tribune.

Greenshades co-CEO Matthew Kane said the company allowed payroll administrators to access W2 information with nothing more than SSN and DOB for one simple reason: Many customers demanded it.

“There’s a valid reason to have what I call weak login credentials,” Kane told KrebsOnSecurity. “Some of our clients clamor for weaker login credentials, such as companies that have a large staff of temporary workers.”

Kane said customers have a “wide range of options” to select from in choosing how they will authenticate to Greenshades.com, but that the most secure option currently offered is a simple username and password.

When asked whether the company offers any sort of two-step or two-factor authentication, Kane argued that corporate email addresses assigned to company employees serve as a kind of second factor. Continue reading

Sources: Trump Hotels Breached Again

April 4, 2016

Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

Trump International Hotel in New York.

Trump International Hotel in New York.

A representative from Trump Hotels said the organization was investigating the claims.

“We are in the midst of a thorough investigation on this matter,” the company said in a written statement. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties.

On July 1, 2015, this publication was the first to report that banks suspected a breach at Trump properties. After that story ran, Trump Hotel Collection acknowledged being alerted about suspicious activity tied to accounts that were recently used at its hotels. But it didn’t officially confirm that its payment systems had been infected with card-stealing malware until October 2015.

The Trump Hotel Collection includes more than a dozen properties globally. Sources said they noticed a pattern of fraud on cards that were all used at multiple Trump hotel locations in the past two to three months, including at Trump International Hotel New York, Trump Hotel Waikiki in Honolulu, and the Trump International Hotel & Tower in Toronto. Continue reading

Advertisement

Crooks Steal, Sell Verizon Enterprise Customer Data

March 24, 2016

Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned.

vzbzEarlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.

The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site.

Contacted about the posting, Verizon Enterprise told KrebsOnSecurity that the company recently identified a security  flaw in its site that permitted hackers to steal customer contact information, and that it is in the process of alerting affected customers.

“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”

The seller of the Verizon Enterprise data offers the database in multiple formats, including the database platform MongoDB, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents. Verizon has not yet responded to questions about how the breach occurred, or exactly how many customers were being notified. Continue reading

Phishing Victims Muddle Tax Fraud Fight

March 24, 2016

Many U.S. citizens are bound to experience delays in getting their tax returns processed this year, thanks largely to more stringent controls enacted by Uncle Sam and the states to block fraudulent tax refund requests filed by identity thieves. A steady drip of corporate data breaches involving phished employee W-2 information is adding to the backlog, as is an apparent mass adoption by ID thieves of professional tax services for processing large numbers of phony refund requests.
runnerdudesd

According to data released this week by anti-fraud company iovation, the Internal Revenue Service is taking up to three times longer to review 2015 tax returns compared to past years.

Julie Magee, commissioner of Alabama’s Department of Revenue,  said much of the delay this year at the state level is likely due to new “fraud filters” the states have put in place with Gentax, a return processing and auditing system used by about half of U.S. state revenue departments. If the states can’t outright deny a suspicious refund request, they’ll very often deny the requested electronic bank deposit and issue a paper check to the taxpayer’s known address instead.

“Many states decided they weren’t going to start paying refunds until March 1, and on our side we’ve been using all our internal fraud resources and tools to analyze the tax return before we even put it in the queue,” Magee said. “That’s delaying refunds nationwide for the IRS and the states, and it’s pretty much going to also mean a helluva lot of paper checks are going out this year.”

The added fraud filters that states are employing take advantage of data elements shared for the first time this tax season by the major online tax preparation firms such as TurboTax. The filters look for patterns known to be associated with phony refund requests, such how quickly the return was filed, or whether the same Internet address was seen completing multiple returns.

Magee said some of the states have been adding new fraud filters nearly every time they learn of another big breach involving large numbers of stolen or phished employee W2 data, a huge problem this tax season that is forcing dozens of companies large and small to disclose data breaches over the past few weeks.

“Every time we turn around getting a phone call about another breach,” Magee said. “Because of all the different breaches, the states and the IRS have been taking extreme measures to filter, filter, filter. And each time we’d get news of an additional breach, we’d start over, reprogram our fraud filters, and re-assess those returns that were not processed fully yet and those waiting to be processed.”

Magee said the Gentax software assigns each tax return a score for “wage confidence” and “identity confidence,” and that usually fraudulent tax refund requests have high wage confidence but low — if any — identity confidence. That’s because the fraudsters are filing refund requests on taxpayers for whom they already have stolen W2 information. The identity confidence in these cases is low often because the fraudsters are asking to have the money electronically deposited into an account that can’t be directly tied to the taxpayer, or they have incorrectly supplied some of the victim’s data.

“I have zero confidence that filings which match this pattern are legitimate,” Magee said. “It’s early still, but our new filtering system seems to be working. But it’s still a big unknown about the percentage of fraudulent refunds we’re not stopping.”

MORE W2 PHISHING VICTIMS

athookMost states didn’t start processing returns until after March 1, which is exactly when a flood of data breaches related to phished employee W2 data began washing up. As KrebsOnSecurity first warned in mid-February, thieves have been sending targeted phishing emails to human resources and finance employees at countless organizations, spoofing a message from the CEO requesting all employee W2’s in PDF format.

In Magee’s own state, W2 phishers hauled in tax data on an estimated 180 employees of ISCO Industries in Huntsville, and some 425 employees at the EWTN Global Catholic Network in Irondale, Ala. But those are just the ones that have been made public. Magee’s office only learned of those breaches after employees at the affected organizations reached out to journalists who then wrote about the compromises.

Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker AcronisKids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independent, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times. Continue reading

Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection

March 22, 2016

A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

A streaming red banner on Methodisthospital.net warns that a computer virus infection has limited the hospital's use of electronic web-based services.

A streaming red banner on Methodisthospital.net warns that a computer virus infection has limited the hospital’s use of electronic web-based services. Click to enlarge.

Henderson, Ky.-based Methodist Hospital placed a scrolling red alert on its homepage this week, stating that “Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services.  We are currently working to resolve this issue, until then we will have limited access to web based services and electronic communications.”

Jamie Reid, information systems director at the hospital, said malware involved is known as the “Locky” strain of ransomware, a contagion that encrypts all of the important files, documents and images on an infected host, and then deletes the originals. Victims can regain access to their files only by paying the ransom, or by restoring from a backup that is hopefully not on a network which is freely accessible to the compromised computer.

In the case of Methodist Hospital, the ransomware tried to spread from the initial infection to the entire internal network, and succeeded in compromising several other systems, Reid said. That prompted the hospital to shut down all of the hospital’s desktop computers, bringing systems back online one by one only after scanning each for signs of the infection.

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” said David Park, an attorney for the Kentucky healthcare center.

The attackers are demanding a mere four bitcoins in exchange for a key to unlock the encrypted files; that’s a little more than USD $1,600 at today’s exchange rate.

Park said the administration hasn’t ruled out paying the ransom.

“We haven’t yet made decision on that, we’re working through the process,” with the FBI, he said. “I think it’s our position that we’re not going to pay it unless we absolutely have to.”

The attack on Methodist comes just weeks after it was revealed that a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

Park said the main effect of the infection has been downtime, which forced the hospital to process everything by hand on paper. He declined to say which systems were infected, but said no patient data was impacted. Continue reading

Carders Park Piles of Cash at Joker’s Stash

March 21, 2016

A steady stream of card breaches at retailers, restaurants and hotels has flooded underground markets with a historic glut of stolen debit and credit card data. Today there are at least hundreds of sites online selling stolen account data, yet only a handful of them actively court bulk buyers and organized crime rings. Faced with a buyer’s market, these elite shops set themselves apart by focusing on loyalty programs, frequent-buyer discounts, money-back guarantees and just plain old good customer service.

An ad for new stolen cards on Joker's Stash.

An ad for new stolen cards on Joker’s Stash.

Today’s post examines the complex networking and marketing apparatus behind “Joker’s Stash,” a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches first disclosed by KrebsOnSecurity over the past two years, including Hilton Hotels and Bebe Stores.

Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five- and six-figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.

Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are “exclusive, self-hacked dumps.”

“This mean – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,” Joker’s Stash explained on an introductory post on a carding forum in October 2014.

“Just don’t wanna provide the name of victim right here, and bro, this is only the begin[ning], we already made several other big breaches – a lot of stuff is coming, stay tuned, check the news!” the Joker went on, in response to established forum members who were hazing the new guy. He continued:

“I promise u – in few days u will completely change your mind and will buy only from me. I will add another one absolute virgin fresh new zero-day db with 100%+1 valid rate. Read latest news on http://krebsonsecurity.com/ – this new huge base will be available in few days only at Joker’s Stash.”

As a business, Joker’s Stash made good on its promise. It’s now one of the most bustling carding stores on the Internet, often adding hundreds of thousands of freshly stolen cards for sale each week.

A true offshore pirate’s haven, its home base is a domain name ending in “.sh” Dot-sh is the country code top level domain (ccTLD) assigned to the tiny volcanic, tropical island of Saint Helena, but anyone can register a domain ending in dot-sh. St. Helena is on Greenwich Mean Time (GMT) — the same time zone used by this carding Web site. However, it’s highly unlikely that any part of this fraud operation is in Saint Helena, a remote British territory in the South Atlantic Ocean that has a population of just over 4,000 inhabitants.

This fraud shop includes a built-in discount system for larger orders: 5 percent for customers who spend between $300-$500; 15 percent off for fraudsters spending between $1,000 and $2,500; and 30 percent off for customers who top up their bitcoin balances to the equivalent of $10,000 or more.

For its big-spender “partner” clients, Joker’s Stash assigns three custom domain names to each partner. After those partners log in, the different 3-word domains are displayed at the top of their site dashboard, and the user is encouraged to use only those three custom domains to access the carding shop in the future (see screenshot below). More on these three domains in a moment.

The dashboard for a Joker's Stash customer that has spent over $10,000 buying stolen credit cards from the site.

The dashboard for a Joker’s Stash customer who has spent over $10,000 buying stolen credit cards from the site. Click image to enlarge.

REFUNDS AND CUSTOMER LOYALTY BONUSES

Customers pay for stolen cards using Bitcoin, a virtual currency. All sales are final, although some batches of stolen cards for sale at Joker’s Stash come with a replacement policy — a short window of time from minutes to a few hours, generally — in which buyers can request replacement cards for any that come back as declined during that replacement timeframe.

Like many other carding shops, Joker’s Stash also offers an a-la-carte card-checking option that customers can use an insurance policy when purchasing stolen cards. Such checking services usually rely on multiple legitimate, compromised credit card merchant accounts that can be used to round-robin process a small charge against each card the customer wishes to purchase to test whether the card is still valid. Customers receive an automatic credit to their shopping cart balances for any purchased cards that come back as declined when run through the site’s checking service.

This carding site also employs a unique rating system for clients, supposedly to prevent abuse of the service and to provide what the proprietors of this store call “a loyalty program for honest partners with proven partner’s record.” Continue reading

Spammers Abusing Trust in US .Gov Domains

March 17, 2016

Spammers are abusing ill-configured U.S. dot-gov domains and link shorteners to promote spammy sites that are hidden behind short links ending in”usa.gov”.

shellgameSpam purveyors are taking advantage of so-called “open redirects” on several U.S. state Web sites to hide the true destination to which users will be taken if they click the link.  Open redirects are potentially dangerous because they let spammers abuse the reputation of the site hosting the redirect to get users to visit malicious or spammy sites without realizing it.

For example, South Dakota has an open redirect:

http://dss.sd.gov/scripts/programredirect.asp?url=

…which spammers are abusing to insert the name of their site at the end of the script. Here’ a link that uses this redirect to route you through dss.sd.gov and then on to krebsonsecurity.com. But this same redirect could just as easily be altered to divert anyone clicking the link to a booby-trapped Web site that tries to foist malware.

The federal government’s stamp of approval comes into the picture when spammers take those open redirect links and use bit.ly to shorten them. Bit.ly’s service automatically shortens any US dot-gov or dot-mil (military) site with a “1.usa.gov” shortlink. That allows me to convert the redirect link to krebsonsecurity.com from the ungainly….

http://dss.sd.gov/scripts/programredirect.asp?url=http://krebsonsecurity.com

…into the far less ugly and perhaps even official-looking:

http://1.usa.gov/1pwtneQ.

Helpfully, Uncle Sam makes available a list of all the 1.usa.gov links being clicked at this page. Keep an eye on that and you’re bound to see spammy links going by, as in this screen shot. One of the more recent examples I saw was this link — http:// 1.usa[dot]gov/1P8HfQJ# (please don’t visit this unless you know what you’re doing) — which was advertised via Skype instant message spam, and takes clickers to a fake TMZ story allegedly about “Gwen Stefani Sharing Blake Shelton’s Secret to Rapid Weight Loss.” Continue reading

Thieves Phish Moneytree Employee Tax Data

March 16, 2016

Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists.

moneytreeSeattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.”

“Moneytree was apparently targeted by a scam in which the scammer impersonated me and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.

The message continued:

“Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”

A woman who answered a Moneytree phone number listed in the email confirmed the veracity of the co-founder’s message to employees, but would not say how many employees were notified. According to the company’s profile on Yellowpages.com, Moneytree Inc. maintains a staff of more than 1,200 employees. The company offers check cashing, payday loan, money order, wire transfer, mortgage, lending, prepaid gift cards, and copying and fax services.

Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February.  Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees. Continue reading

From Stolen Wallet to ID Theft, Wrongful Arrest

March 14, 2016

It’s remarkable how quickly a stolen purse or wallet can morph into full-blown identity theft, and possibly even result in the victim’s wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security led to a mistaken early morning arrest in front of his kids.

The guy police say stole Miller's wallet and got him wrongfully arrested was himself apprehended earlier this month.

The guy police say stole Miller’s wallet and got him wrongfully arrested was himself apprehended earlier this month.

On the morning of Feb. 20, Lance Miller was arrested in front of his two children by local sheriffs in Golden, Colo. Miller, a managing partner at cybersecurity recruitment firm Curity, had discovered his wallet was missing three days prior to his arrest, reported it to the local police and canceled his credit cards. In the meantime someone had drained his checking account of approximately $5,000, and maxed out his credit cards for almost another $5,000.

“I was standing there in front of my kids saying, ‘You guys are crazy. Do I look like a burglar?'” Miller recalled. “The cop goes, ‘Well, I don’t know what a burglar looks like,’ and they put me in cuffs and in the car.”

Miller said it wasn’t until the 30-minute, handcuffed drive to police station that the local police and the local sheriff’s office began comparing notes, discovering in the process that they’d grabbed the wrong guy and removing the cuffs. Miller soon learned the thief who’d stolen his wallet had impersonated him during multiple traffic stops. A car the impostor was driving also was spotted speeding away from the scene of a burglary, but Miller said the police in that case didn’t give chase in that case because it wasn’t a violent crime. Continue reading

Hackers Target Anti-DDoS Firm Staminus

March 11, 2016

Staminus Communications Inc., a California-based Internet hosting provider that specializes in protecting customers from massive “distributed denial of service” (DDoS) attacks aimed at knocking sites offline, has itself apparently been massively hacked. Staminus’s entire network was down for more than 20 hours until Thursday evening, leaving customers to vent their rage on the company’s Facebook and Twitter pages. In the midst of the outage, someone posted online download links for what appear to be Staminus’s customer credentials, support tickets, credit card numbers and other sensitive data.

The e-zine posted online Thursday following an outage at Staminus Communications.

The e-zine posted online Thursday following an outage at Staminus Communications.

Newport Beach, Calif.-based Staminus first acknowledged an issue on its social media pages because the company’s Web site was unavailable much of Thursday.

“Around 5am PST today, a rare event cascaded across multiple routers in a system wide event, making our backbone unavailable,” Staminus wrote to its customers. “Our technicians quickly began working to identify the problem. We understand and share your frustration. We currently have all hands on deck working to restore service but have no ETA for full recovery.”

Staminus now says its global services are back online, and that ancillary services are being brought back online. However, the company’s Web site still displays a black page with a short message directing customers to Staminus’s social media pages.

Meanwhile, a huge trove of data appeared online Thursday, in a classic “hacker e-zine” format entitled, “Fuck ’em all.” The page includes links to download databases reportedly stolen from Staminus and from Intreppid, another Staminus project that targets customers looking for protection against large DDoS attacks. Continue reading