Fraudsters Tap Kohl’s Cash for Cold Cash

February 11, 2016

Scam artists have been using hacked accounts from retailer Kohls.com to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.

kohlscashKrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohls.com stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to Kohls.com — which confirmed her fears that her password had been changed.

On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change the password.

“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”

Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.

“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”

Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohls cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).

“Since the orders were being shipped to me, even though they were  above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.

More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance were bulky items: Three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items. Continue reading

Critical Fixes Issued for Windows, Java, Flash

February 10, 2016

Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.

brokenwindowsOne big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version). Continue reading

Advertisement

Skimmers Hijack ATM Network Cables

February 9, 2016

If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

Two network cable card skimming devices, as found attached to this ATM.

Two network cable card skimming devices, as found attached to this ATM.

In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

The ATM maker believes these attacks represent a continuation of the trend where criminals are finding alternative methods to skim magnetic strip cards. Such alternative methods avoid placing the skimmer on the ATM card entry bezel, which is where most anti-skimming technology is located.

NCR said cash machine operators must consider all points where card data may be accessible — in addition to the traditional point of vulnerability at the card entry bezel — and that having ATM network communications cables and connections exposed in publicly accessible locations only invites trouble. Continue reading

IoT Reality: Smart Devices, Dumb Defaults

February 8, 2016

Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. After all, there is a good chance your newly adopted IoT puppy will be:

-chewing holes in your network defenses;
-gnawing open new critical security weaknesses;
-bred by a vendor that seldom and belatedly patches;
-tough to wrangle down and patch

In April 2014, researchers at Cisco alerted HVAC vendor Trane about three separate critical vulnerabilities in their ComfortLink II line of Internet-connected thermostats. These thermostats feature large color LCD screens and a Busybox-based computer that connects directly to your wireless network, allowing the device to display not just the temperature in your home but also personal photo collections, the local weather forecast, and live weather radar maps, among other things.

Trane ComfortLink II thermostat.

Trane ComfortLink II thermostat.

Cisco researchers found that the ComfortLink devices allow attackers to gain remote access and also use these devices as a jumping off point to access the rest of a user’s network. Trane has not yet responded to requests for comment.

One big problem is that the ComfortLink thermostats come with credentials that have hardcoded passwords, Cisco found. By default, the accounts can be used to remotely log in to the system over “SSH,” an encrypted communications tunnel that many users allow through their firewall.

The two other bugs Cisco reported to Trane would allow attackers to install their own malicious software on vulnerable Trane devices, and use those systems to maintain a persistent presence on the victim’s local network.

On January 26, 2016, Trane patched the more serious of the flaws (the hardcoded credentials). According to Cisco, Trane patched the other two bugs part of a standard update released back in May 2015, but apparently without providing customers any indication that the update was critical to their protection efforts.

Continue reading

Safeway Self-Checkout Skimmer Close Up

February 3, 2016

In Dec. 2015, KrebsOnSecurity warned that security experts had discovered skimming devices attached to credit and debit card terminals at self-checkout lanes at Safeway stores in Colorado and possibly other states. Safeway hasn’t disclosed what those skimmers looked like, but images from a recent skimming attack allegedly launched against self-checkout shoppers at a Safeway in Maryland offers a closer look at once such device.

Safeway Store, Germantown, Maryland

A skimming device made for self-checkout lanes that was removed from a Safeway Store in Germantown, Maryland

The image above shows an simple but effective “overlay” skimmer that banking industry sources say was retrieved from a Safeway store in Germantown, Md. The device is designed to fit directly over top of the Verifone terminals in use at many Safeways and other retailers. It has a PIN pad overlay to capture the user’s PIN, and a mechanism for recording the data stored on a card’s magnetic stripe when customers swipe their cards at self-checkout aisles.

Safeway officials did not respond to repeated requests for comment about this incident.

My local Safeway in Northern Virginia uses this exact model of Verifone terminals, and after seeing this picture for the first time I couldn’t help but pull on the terminal facing me in the self-checkout line on a recent store visit, just to be sure.

Many banks are now issuing newer, more secure chip-based credit and debit cards that are more expensive and difficult for thieves to steal and to counterfeit. As long as retailers continue to allow customers to avoid “dipping the chip” and instead allow “swipe the stripe” these skimming attacks on self-checkout lanes will continue to proliferate across the retail industry.

It may be worth noting that this skimming device looks remarkably similar to a point-of-sale skimmer designed for Verifone terminals that I wrote about in 2013.

Here’s a simple how-to video made by a fraudster who is selling very similar-looking overlay skimmers for Verifone point-of-sale devices; he calls them “Verifone condoms.” As we can see, the device could be attached in the blink of an eye (and removed quickly as well). The device in the video is just a shell, and does not include the POS PIN pad reader or card reader.

Good Riddance to Oracle’s Java Plugin

February 2, 2016

Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.

javamessAccording to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.

“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on computers of anyone visiting or forcibly redirected to booby-trapped sites without the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9. Continue reading

Sources: Security Firm Norse Corp. Imploding

January 30, 2016

Norse Corp., a Foster City, Calif. based cybersecurity firm that has attracted much attention from the news media and investors alike this past year, fired its chief executive officer this week amid a major shakeup that could spell the end of the company. The move comes just weeks after the company laid off almost 30 percent of its staff.

Sources close to the matter say Norse CEO Sam Glines was asked to step down by the company’s board of directors, with board member Howard Bain stepping in as interim CEO. Those sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.

A snapshot of Norse's semi-live attack map.

A snapshot of Norse’s semi-live attack map.

Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation. Bain could not be immediately reached for comment.

Two sources at Norse said the company’s assets will be merged with Irvine, Ca. based networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story. Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.”

Original story: The pink slips that Norse issued just after New Years’s Day may have come as a shock to many employees, but perhaps the layoffs shouldn’t have been much of a surprise: A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles.

EYE CANDY

In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.

Norse says the data that feeds its online attack map come from a network of more than eight million online “sensors” — honeypot systems that the company has strategically installed at Internet properties in 47 countries around the globe to attract and record malicious and suspicious Internet traffic.

According to the company’s marketing literature, Norse’s sensors are designed to mimic a broad range of computer systems. For example, they might pretend to be a Web server when an automated attack or bot scans the system looking for Web server vulnerabilities. In other cases, those sensors might watch for Internet attack traffic that would typically only be seen by very specific machines, such as devices that manage complex manufacturing systems, power plants or other industrial control systems.

Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.

UP IN SMOKE(S)

Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen did not respond to multiple requests for comment.

This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public.

Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.

The founders of Norse Corp. got their start in 1998 with a company called Cyco.net (pronounced “psycho”). According to a press release issued at the time, “Cyco.net was a New Mexico based firm established to develop a network of cyber companies.”

“This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet,” said Richard Urrea, Cyco’s CEO, in a bizarre explanation of the company’s intentions. “This format has proven itself by providing Time Warner with over a billion dollars of ad revenue annually. That, combined with the CYCO.NET’s e-commerce and various affiliations, such as Amazon.com, could amount to three times that figure. Not a portal like Yahoo, the CYCO.NET will serve as the launch pad to rocket the Internet surfer into the deepest reaches of cyberspace.”

In 2003, Cyco.net acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.

The Orion acquisition reportedly came with $20 million in financing from a private equity firm called Cornell Capital Partners LP, which listed itself as a Cayman Islands exempt limited partnership whose business address was in Jersey City, NJ.

Cornell later changed its name to Yorkville Advisors, an entity that became the subject of an investigation by the U.S. Securities and Exchange Commission (SEC) and a subsequent lawsuit in which the company was accused of reporting “false and inflated values.”

Despite claims that Cyco.net was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and for falsely advertising cigarettes as tax-free.

COPYRIGHT COPS

In 2005, Cyco.net changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.

“We are very excited that the transition from our old name and identity is now complete, and we can start to formally reposition our Company under the new brand name of Nexicon,” Urrea said. “After the divestiture of our former B2C company in 2003, we have laid the foundation for our new business model, offering all-in-one or issue-specific B2B management solutions for the billing, network control, and security industries.”

In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.

In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign Youtube.com and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and it’s stock price plummeted.

In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.

By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.

Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria. Continue reading

FTC: Tax Fraud Behind 47% Spike in ID Theft

January 28, 2016

The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft.

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47 percent increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks.

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Those numbers roughly coincide with data released by the Internal Revenue Service (IRS), which also shows a major increase in tax-related identity theft in 2015.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Ramirez was speaking to reporters to get the word out about the agency’s new and improved online resource, identitytheft.gov, which aims to streamline the process of reporting various forms of identity theft to the FTC, the IRS, the credit bureaus and to state and local officials.

“The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools, that enables identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others,” Ramirez said. “Identity theft victims can now go online and get a free, personalized identity theft recovery plan.”

Ramirez added that the agency’s site does not collect sensitive data — such as drivers license or Social Security numbers. The areas where that information is required are left blank in the forms that get produced when consumers finish stepping through the process of filing an ID theft complaint (consumers are instructed to “fill these items in by hand, after you print it out”).

The FTC chief also said the agency is working with the credit bureaus to further streamline the process of reporting fraud. She declined to be specific about what that might entail, but the new and improved identitytheft.gov site is still far from automated. For example, the “recovery plan” produced when consumers file a report merely lists the phone numbers and includes Web site links for the major credit bureaus that consumers can use to place fraud alerts or file a security freeze.

The "My Recovery Plan" produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC requests that consumers not file false reports (I had their PR person remove this entry after filing it).

The “My Recovery Plan” produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC kindly requests that consumers not file false reports (I had their PR person remove this entry after filing it).

Nevertheless, I was encouraged to see the FTC urging consumers to request a security freeze on their credit file, even if this was the last option listed on the recovery plan that I was issued and the agency’s site appears to do little to help consumers actually file security freezes.

I’m also glad to see the Commission’s site employ multi-factor authentication for consumers who wish to receive a recovery plan in addition to filing an ID theft report with the FTC. Those who request a plan are asked to provide an email address, pick a complex password, and input a one-time code that is sent via text message or automated phone call. Continue reading

Wendy’s Probes Reports of Credit Card Breach

January 27, 2016

Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations.

wen2Bob Bertini, spokesperson for the Dublin, Ohio-based restauranteur, said the company began receiving reports earlier this month from its payment industry contacts about a potential breach and that Wendy’s has hired a security firm to investigate the claims.

“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” Bertini said. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

Bertini said it was too soon to say whether the incident is contained, how long it may have persisted, or how many stores may be affected. Continue reading

Oracle Pushes Java Fix: Patch It or Pitch It

January 26, 2016

Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you’re not sure why you have Java installed, it’s high time to remove the program once and for all.

javamessAccording to Oracle’s release notes, seven of the eight vulnerabilities may be remotely exploitable without authentication — meaning they could be exploited over a network by malware or miscreants without the need for a username and password. The version with the latest security fixes is Java 8, Update 71. Updates also should be available via the Java Control Panel or from Java.com.

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Continue reading