Krebs on Security

Crooks Grab W-2s from Credit Bureau Equifax

May 6, 2016

Identity thieves stole tax and salary data from big-three credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees on Thursday. The nation’s largest grocery chain by revenue appears to be one of several Equifax customers that were similarly victimized this year.

Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.

“It appears that unknown individuals have accessed [Equifax’s] W2Express website using default log-in information based on Social Security numbers (SSN) and dates of birth, which we believe were obtained from some other source, such as a prior data breach at other institutions,” Kroger wrote in a FAQ about the incident that was included with the letter sent to employees. “We have no indication that Kroger’s systems have been compromised.”

The FAQ continued:

“At this time, we have no indication that associates who had created a new password (did not use the default PIN) were affected, and we are still identifying which associates still using the default PIN may have been affected. We believe individuals gained access to some Kroger associates’ electronic W-2 forms and may have used the information to file tax returns in their names in an effort to claim a fraudulent refund.”

“Kroger is working with Equifax and the authorities to determine who is affected and restore secure access to W-2Express. At this time, we believe you are among our current and former Kroger associates using the default PIN in the W-2Express system. This does not necessarily mean your W-2 was accessed as part of this security incident. We are still working to identify which individuals’ information was accessed.”

Kroger said it doesn’t yet know how many of its employees may have been affected.

The incident comes amid news first reported on this blog earlier this week that tax fraudsters similarly targeted employees of companies that used payroll giant ADP to give employees access to their W-2 data. ADP acknowledged that the incident affected employees at U.S. Bank and at least 11 other companies.

Equifax did not respond to requests for comment about how many other customer companies may have been affected by the same default (in)security. But Kroger spokesman Keith Dailey said other companies that relied on Equifax for W-2 data also relied on the last four of the SSN and 4-digit birth year as authenticators.

“As far as I know, it’s the standard Equifax setup,” Dailey said.

Last month, Stanford University alerted 600 current and former employees that their data was similarly accessed by ID thieves via Equifax’s W-2Express portal. Northwestern University also just alerted 150 employees that their salary and tax data was stolen via Equifax this year.

In a statement released to KrebsOnSecurity, Equifax spokeswoman Dianne Bernez confirmed that the company had been made aware of suspected fraudulent access to payroll information through its W-2Express service by Kroger. Continue reading →

Crooks Go Deep With ‘Deep Insert’ Skimmers

May 5, 2016

73 Comments

ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls “deep insert skimmers,” wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.

KrebsOnSecurity’s All About Skimmers series has featured several stories about insert skimmers. But the ATM manufacturer said deep insert skimmers are different from typical insert skimmers because they are placed in various positions within the card reader transport, behind the shutter of a motorized card reader and completely hidden from the consumer at the front of the ATM.

Deep insert skimmers removed from hacked ATMs.

NCR says these deep insert skimming devices — usually made of metal or PCB plastic — are unlikely to be affected by most active anti-skimming jamming solutions, and they are unlikely to be detected by most fraudulent device detection solutions.

“Neither NCR Skimming Protection Solution, nor other anti-skimming devices can prevent skimming with these deep insert skimmers,” NCR wrote in an alert sent to banks and other customers. “This is due to the fact the skimmer sits well inside the card reader, away from the detectors or jammers of [NCR’s skimming protection solution].

The company said it has received reports of these skimming devices on all ATM manufacturers in Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States.

“This suggests that ‘deep insert skimming’ is becoming more viable for criminals as a tactic to avoid bezel mounted anti-skimming devices,” NCR wrote. The company said it is currently testing a firmware update for NCR machines that should help detect the insertion of deep insert skimmers and send an alert.

A DEEP DIVE ON DEEP INSERT SKIMMERS

Charlie Harrow, solutions manager for global security at NCR, said the early model insert skimmers used a rudimentary wireless transmitter to send card data. But those skimmers were all powered by tiny coin batteries like the kind found in watches, and that dramatically limits the amount of time that the skimmer can transmit card data.

Harrow said NCR suspects that the deep insert skimmer makers are using tiny pinhole cameras hidden above or beside the PIN pad to record customers entering their PINs, and that the hidden camera doubles as a receiver for the stolen card data sent by the skimmer nestled inside the ATM’s card slot. He suspects this because NCR has never actually found a hidden camera along with an insert skimmer. Also, a watch-battery run wireless transmitter wouldn’t last long if the signal had to travel very far. Continue reading →

Fraudsters Steal Tax, Salary Data From ADP

May 3, 2016

52 Comments

Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, KrebsOnSecurity has learned. ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters.

adp Patterson, N.J.-based ADP provides payroll, tax and benefits administration for more than 640,000 companies. Last week, U.S. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal.

ID thieves are interested in W-2 data because it contains much of the information needed to fraudulently request a large tax refund from the U.S. Internal Revenue Service (IRS) in someone else’s name. A reader who works at U.S. Bank shared a letter received from Jennie Carlson, the financial institution’s executive vice president of human resources.

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP,” Carlson wrote. “During the course of that investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.”

The letter continued:

“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

U.S. Bank spokesman Dana Ripley said the letter was sent to a “small population” of the bank’s more than 64,000 employees. Asked to comment on the letter from U.S. Bank, ADP confirmed that the fraud visited upon U.S. Bank also hit “a very small subset” of the ADP’s total customers this year.

ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal.

ADP Chief Security Officer Roland Cloutier said customers can choose to create an account at the ADP portal for each employee, or they can defer that process to a later date (but employers do have to chose one or the other, Cloutier said).

According to ADP, new users need to be in possession of two other things (in addition to the victim’s personal data) at a minimum in order to create an account: A custom, company-specific link provided by ADP, and a static code assigned to the customer by ADP.

The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals. Continue reading →

How the Pwnedlist Got Pwned

May 2, 2016

49 Comments

Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by pwnedlist.com, a service designed to help companies track public password breaches that may create security problems for their users. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet’s largest collections of compromised credentials.

Pwnedlist is run by Scottsdale, Ariz. based InfoArmor, and is marketed as a repository of usernames and passwords that have been publicly leaked online for any period of time at Pastebin, online chat channels and other free data dump sites.

The service until quite recently was free to all comers, but it makes money by allowing companies to get a live feed of usernames and passwords exposed in third-party breaches which might create security problems going forward for the subscriber organization and its employees.

This 2014 article from the Phoenix Business Journal describes one way InfoArmor markets the Pwnedlist to companies: “InfoArmor’s new Vendor Security Monitoring tool allows businesses to do due diligence and monitor its third-party vendors through real-time safety reports.”

The trouble is, the way Pwnedlist should work is very different from how it does. This became evident after I was contacted by Bob Hodges, a longtime reader and security researcher in Detroit who discovered something peculiar while he was using Pwnedlist: Hodges wanted to add to his watchlist the .edu and .com domains for which he is the administrator, but that feature wasn’t available.

In the first sign that something wasn’t quite right authentication-wise at Pwnedlist, the system didn’t even allow him to validate that he had control of an email address or domain by sending him a verification to said email or domain.

On the other hand, he found he could monitor any email address he wanted. Hodges said this gave him an idea about how to add his domains: Turns out that when any Pwnedlist user requests that a new Web site name be added to his “Watchlist,” the process for approving that request was fundamentally flawed.

That’s because the process of adding a new thing for Pwnedlist to look for — be it a domain, email address, or password hash — was a two-step procedure involving a submit button and confirmation page, and the confirmation page didn’t bother to check whether the thing being added in the first step was the same as the thing approved in the confirmation page. [For the Geek Factor 5 crowd here, this vulnerability type is known as “parameter tampering,” and it involves the ability to modify hidden parameters in POST requests].

“Their system is supposed to compare the data that gets submitted in the second step with what you initially submitted in the first window, but there’s nothing to prevent you from changing that,” Hodges said. “They’re not even checking normal email addresses. For example, when you add an email to your watchlist, that email [account] doesn’t get a message saying they’ve been added. After you add an email you don’t own or control, it gives you the verified check box, but in reality it does no verification. You just typed it in. It’s almost like at some point they just disabled any verification systems they may have had at Pwnedlist.” Continue reading →

A Dramatic Rise in ATM Skimming Attacks

April 29, 2016

39 Comments

Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.

Two network cable card skimming devices, as found attached to this ATM.

In a series of recent alerts, the FICO Card Alert Service warned of large and sudden spikes in ATM skimming attacks. On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

“The number of ATM compromises in 2015 was the highest ever recorded by the FICO Card Alert Service, which monitors hundreds of thousands of ATMs in the US,” the company said. “Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014.”

While 2014 saw skimming attacks targeting mainly banks in big cities on the east and west coasts of the United States, last year’s skimming attacks were far more spread out across the country, the FICO report noted.

Earlier this year, I published a post about skimming attacks targeting non-bank ATMs using hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. The skimmer pictured in that story was at a 7-Eleven convenience store.

Since that story ran I’ve heard from multiple banking industry sources who said they have seen a spike in ATM fraud targeting cash machines in 7-Elevens and other convenience stores, and that the commonality among the machines is that they are all operated by ATM giant Cardtronics (machines in 7-Eleven locations made up for 17.5 percent of Cardtronics’ revenue last year, according to this report at ATM Marketplace).

Some financial institutions are taking dramatic steps to head off skimming activity. Trailhead Credit Union in Portland, Ore., for example, has posted a notice to customers atop its Web site, stating:

“ALERT: Until further notice, we have turned off ATM capabilities at all 7-11 ATMs due to recent fraudulent activity. Please use our ATM locator for other locations. We are sorry for the inconvenience.”

Trailhead Credit Union has stopped allowing members to withdraw cash from 7-11 ATMs.

7-Eleven did not respond to requests for comment. Cardtronics said it wasn’t aware of any banks blocking withdrawals across the board at 7-11 stores or at Cardtronics machines.

“While Cardtronics is aware that a single financial institution [Xceed Financial Credit Union] temporarily restricted ATM access late in 2015, it soon thereafter restored full ATM access to its account holders,” the company said in a statement. “As the largest ATM services provider, Cardtronics has a long history of executing a layered security strategy and implementing innovative security enhancements at our ATMs. As criminals modify their attack, Cardtronics always has and always will aggressively respond, reactively and proactively, with innovation to address these instances.” Continue reading →

Dental Assn Mails Malware to Members

April 28, 2016

63 Comments

The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide.

The problem first came to light in a post on the DSL Reports Security Forum. DSLR member “Mike” from Pittsburgh got curious about the integrity of a USB drive that the ADA mailed to members to share updated “dental procedure codes” — codes that dental offices use to track procedures for billing and insurance purposes.

“Oh wow the usually inept ADA just sent me new codes,” Mike wrote. “I bet some marketing genius had this wonderful idea instead of making it downloadable. I can’t wait to plug an unknown USB into my computer that has PHI/HIPAA on it…” [link added].

The ADA says some flash drives mailed to members contained malware. Image: Mike

Sure enough, Mike looked at the code inside one of the files on the flash drive and found it tries to open a Web page that has long been tied to malware distribution. The domain is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer. Continue reading →

All About Fraud: How Crooks Get the CVV

April 26, 2016

53 Comments

A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.

Kenneth Labelle, a regional director at insurer Burns-Wilcox.com, wrote:

“So, I am trying to figure out how card not present transactions are possible after a breach due to the CVV. If the card information was stolen via the point-of-sale system then the hacker should not have access to the CVV because its not on the magnetic strip. So how in the world are they committing card not present fraud when they don’t have the CVV number? I don’t understand how that is possible with the CVV code being used in online transactions.”

First off, “dumps” — or credit and debit card accounts that are stolen from hacked point of sale systems via skimmers or malware on cash register systems — retail for about $20 apiece on average in the cybercrime underground. Each dump can be used to fabricate a new physical clone of the original card, and thieves typically use these counterfeits to buy goods from big box retailers that they can easily resell, or to extract cash at ATMs.

However, when cyber crooks wish to defraud online stores, they don’t use dumps. That’s mainly because online merchants typically require the CVV, criminal dumps sellers don’t bundle CVVs with their dumps.

Instead, online fraudsters turn to “CVV shops,” shadowy cybercrime stores that sell packages of cardholder data, including customer name, full card number, expiration, CVV2 and ZIP code. These CVV bundles are far cheaper than dumps — typically between $2-$5 apiece — in part because the are useful mainly just for online transactions, but probably also because overall they more complicated to “cash out” or make money from them.

Continue reading →

SpyEye Makers Get 24 Years in Prison

April 20, 2016

46 Comments

Two hackers convicted of making and selling the infamous SpyEye botnet creation kit were sentenced in Georgia today to a combined 24 years in prison for helping to infect hundreds of thousands of computers with malware and stealing millions from unsuspecting victims.

The Justice Department alleges that 24-year-old Aleksander Panin was responsible for SpyEye. Image courtesy: RT.

Aleksander Panin developed and sold SpyEye. Image courtesy: RT.

Atlanta Judge Amy Totenberg handed down a sentence of nine years, six months for Aleksandr Andreevich Panin, a 27-year-old Russian national also known by the hacker aliases “Gribodemon” and “Harderman.”

Convicted of conspiracy to commit wire and bank fraud, Panin was the core developer and distributor of SpyEye, a botnet toolkit that made it easy for relatively unsophisticated cyber thieves to steal millions of dollars from victims.

Sentenced to 15 years in jail was Panin’s business partner — 27-year-old Hamza “Bx1” Bendelladj, an Algerian national who pleaded guilty in June 2015 to helping Panin develop and market the SpyEye kit. Bendelladj also admitting to running his own SpyEye botnet of hacked Windows computers, a crime machine that he used to harvest and steal 200,000 credit card numbers. By the government’s math (an assumed $500 loss per card) Bx1 was potentially responsible for $100 million in losses.

“It is difficult to over state the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world,” said John Horn, U.S. Attorney for the Northern District of Georgia.

THE HAPPY HACKER

Bendelladj was arrested in Bangkok in January 2013 while in transit from Malaysia to Egypt. He quickly became known as the “happy hacker” after his arrest, in which he could be seen smiling broadly while in handcuffs and being paraded before the local news media.

Photo: Hamza “Bx1” Bendelladj, Bangkok Post

In its case against the pair of hackers, the government presented chat logs between Bendelladj and Panin and other hackers. The government says the chat logs reveal that although Bendelladj worked with Panin to fuel the rise of SpyEye by vouching for him on cybercrime forums such as “Darkode,” the two had an antagonistic relationship.

Their business partnership imploded after Bx1 announced that he was publicly releasing the source code for SpyEye.

“Indeed, after Bendelladj ‘cracked’ SpyEye and made it available to others without having to purchase it from Panin, the two had a falling out,” reads the government’s sentencing memo (PDF) to the judge in the case.

The government says that while Bendelladj maintained he was little more than a malware analyzer working for a security company, his own chat logs put the lie to that claim, noting in November 2012 Bx1 bluntly said: “if they pay me the whole money of the world . . . I wont work for security.”

Bx1 had a penchant for marketing to other thieves. He shrewdly cast SpyEye as a lower-cost, more powerful alternative to the Zeus botnet creation kit, plastering cybercrime forums with animated ads pimping SpyEye as the “Zeuskiller” (in part because SpyEye was designed to remove Zeus from host computers before infecting them).

Part of a video ad for SpyEye.

Continue reading →

Giant Food Sees Giant Card Fraud Spike

April 20, 2016

45 Comments

Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards.

A new warning sign at Giant Food checkout counters. Giant says the warning was prompted by a spike in credit card fraud.

I had no idea this was a new thing at Landover, Md.-based Giant, which operates 169 supermarkets in the Washington, D.C. metro area. That is, until I encountered a couple of large new “attention” stickers in the checkout line at a local Giant in Virginia recently. Next to the credit card terminal were big decals with the warning:

“Attention Gift Card Customers: Effective immediately, all purchases of Visa, MasterCard, American Express Gift Cards and all General Purpose Reloadable or Prepaid Cards may only be made with Cash or Bank Pin-based Debit.”

Asked for comment about the change, Giant Food released a brief statement about the policy change that went into effect in March 2016, but otherwise didn’t respond to requests for more details.

“Giant has recently made a change in procedures for purchasing gift cards because of a large increase of fraudulent gift card purchasing,” the company said. “Giant will now accept only a Bank PIN-based debit card or cash for all VISA, MasterCard, and American Express gift cards, as well as re-loadable and prepaid gift cards. This change has been made in order to mitigate potential fraud risk.”

It’s not clear why Giant is only just now taking this basic anti-fraud step. Card thieves love to pick on grocery and convenience stores. Street gangs involved in card fraud (and they’re all involved in card fraud now) often extract money from grocery, dollar and convenience stores using “runners” — low-level members who are assigned the occasionally risky business of physically “cashing out” counterfeit credit and debit cards.

One of the easiest ways thieves can cash out? Walk into a grocery or retail store and buy prepaid gift cards using stolen credit cards. Such transactions — if successful — effectively launder money by converting the stolen item (counterfeit/stolen card) into a good that is equivalent to cash or can be easily resold for cash (gift cards).

I witnessed this exact crime firsthand at a Giant in Maryland last year. As I noted in a Dec. 2015 post about gift card fraud, the crooks caught in the process of these cashout schemes usually are found with dozens of counterfeit credit cards on their person or in their vehicle. From that post: Continue reading →

US-CERT to Windows Users: Dump Apple Quicktime

April 18, 2016

67 Comments

Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security‘s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched.

US-CERT cited an April 14 blog post by Christopher Budd at Trend Micro, which runs a program called Zero Day Initiative (ZDI) that buys security vulnerabilities and helps researchers coordinate fixing the bugs with software vendors. Budd urged Windows users to junk Quicktime, citing two new, unpatched vulnerabilities that ZDI detailed which could be used to remotely compromise Windows computers.

“According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation,” US-CERT wrote. The advisory continued:

“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page.”

While the recommendations from US-CERT and others apparently came as a surprise to many, Apple has been distancing itself from QuickTime on Windows for some time now. In 2013, the Cupertino, Calif. tech giant deprecated all developer APIs for Quicktime on Windows.

Apple shipped an update to Quicktime in January 2016 that removed the Quicktime browser plugin on Windows systems, meaning the threat from browser-based attacks on Quicktime flaws was largely mitigated over the past few months for Windows users who have been keeping up to date with the latest version. Nevertheless, if you have Quicktime on a Windows box — do yourself a favor and get rid of it.

Update, Apr. 21, 10:00 a.m. ET: Apple has finally posted a support document online that explains QuickTime 7 for Windows is no longer supported by Apple. See the full advisory here.

Last »