Krebs on Security

FTC: Tax Fraud Behind 47% Spike in ID Theft

January 28, 2016

The U.S. Federal Trade Commission (FTC) today said it tracked a nearly 50 percent increase in identity theft complaints in 2015, and that by far the biggest contributor to that spike was tax refund fraud. The announcement coincided with the debut of a beefed up FTC Web site aimed at making it easier for consumers to report and recover from all forms of ID theft.

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47 percent increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks.

Tax refund fraud contributed mightily to a big spike in ID theft complaints to the FTC in 2015. Image: FTC

Those numbers roughly coincide with data released by the Internal Revenue Service (IRS), which also shows a major increase in tax-related identity theft in 2015.

Incidence of tax-related ID theft as of Sept. 2015. Source: IRS.

Ramirez was speaking to reporters to get the word out about the agency’s new and improved online resource, identitytheft.gov, which aims to streamline the process of reporting various forms of identity theft to the FTC, the IRS, the credit bureaus and to state and local officials.

“The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools, that enables identity theft victims to create the documents they need to alert police, the main credit bureaus and the IRS among others,” Ramirez said. “Identity theft victims can now go online and get a free, personalized identity theft recovery plan.”

Ramirez added that the agency’s site does not collect sensitive data — such as drivers license or Social Security numbers. The areas where that information is required are left blank in the forms that get produced when consumers finish stepping through the process of filing an ID theft complaint (consumers are instructed to “fill these items in by hand, after you print it out”).

The FTC chief also said the agency is working with the credit bureaus to further streamline the process of reporting fraud. She declined to be specific about what that might entail, but the new and improved identitytheft.gov site is still far from automated. For example, the “recovery plan” produced when consumers file a report merely lists the phone numbers and includes Web site links for the major credit bureaus that consumers can use to place fraud alerts or file a security freeze.

The "My Recovery Plan" produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC requests that consumers not file false reports (I had their PR person remove this entry after filing it).

The “My Recovery Plan” produced when I filed a test report claiming the worst possible scenario of ID theft that I could think up. The FTC kindly requests that consumers not file false reports (I had their PR person remove this entry after filing it).

Nevertheless, I was encouraged to see the FTC urging consumers to request a security freeze on their credit file, even if this was the last option listed on the recovery plan that I was issued and the agency’s site appears to do little to help consumers actually file security freezes.

I’m also glad to see the Commission’s site employ multi-factor authentication for consumers who wish to receive a recovery plan in addition to filing an ID theft report with the FTC. Those who request a plan are asked to provide an email address, pick a complex password, and input a one-time code that is sent via text message or automated phone call. Continue reading →

Wendy’s Probes Reports of Credit Card Breach

January 27, 2016

122 Comments

Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations.

Bob Bertini, spokesperson for the Dublin, Ohio-based restauranteur, said the company began receiving reports earlier this month from its payment industry contacts about a potential breach and that Wendy’s has hired a security firm to investigate the claims.

“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” Bertini said. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

Bertini said it was too soon to say whether the incident is contained, how long it may have persisted, or how many stores may be affected. Continue reading →

Oracle Pushes Java Fix: Patch It or Pitch It

January 26, 2016

29 Comments

Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you’re not sure why you have Java installed, it’s high time to remove the program once and for all.

javamess According to Oracle’s release notes, seven of the eight vulnerabilities may be remotely exploitable without authentication — meaning they could be exploited over a network by malware or miscreants without the need for a username and password. The version with the latest security fixes is Java 8, Update 71. Updates also should be available via the Java Control Panel or from Java.com.

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Continue reading →

Skype Now Hides Your Internet Address

January 25, 2016

34 Comments

Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default.

“Starting with this update to Skype and moving forward, your IP address will be kept hidden from Skype users,” Microsoft’s Skype team wrote in a blog post about the latest version, v. 7.0.18.109 for most users. “This measure will help prevent individuals from obtaining a Skype ID and resolving to an IP address.”

A Skype resolver service in action.

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (most often against online gamers). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account, and then use the resolvers to locate their IP. Thus far, the resolvers have worked regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel. Continue reading →

Guy Who Tried to Frame Me In Heroin Plot Pleads Guilty to Cybercrime Charges

January 20, 2016

52 Comments

A Ukrainian man who tried to frame me for heroin possession has pleaded guilty to multiple cybercrime charges in U.S. federal court, including credit card theft and hacking into more than 13,000 computers.

Sergei “Fly” Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for “doxing” him — printing his real name and image — on my site.

Sergey Vovnenko, 29, entered a guilty plea in Newark, New Jersey to charges of aggravated identity theft and conspiracy to commit wire fraud. Prosecutors said Vovnenko operated a network of more than 13,000 hacked computers, using them to harvest credit card numbers and other sensitive information.

When I first became acquainted with Vovnenko in 2013, I knew him only by his many hacker names, including “Fly” and “Flycracker,” among others. At the time, Fly was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

After I secretly gained access to his forum, I learned he’d hatched a plot to have heroin sent to my home and to have one of his forum lackeys call the police when the drugs arrived.

I explained this whole ordeal in great detail last fall, when Vovnenko initially was extradited from Italy to face charges here in the United States. In short, the antics didn’t end when I foiled his plot to get me arrested for drug possession, and those antics likely contributed to his arrest and to this guilty plea.

The aggravated ID theft charge to which Vovnenko pleaded guilty carries a mandatory two-year sentence. The other charges he copped to will lengthen his sentence and include fines. His sentencing is currently slated for May 2, 2016. The indictment against Vovnenko is here (PDF). A copy of his plea agreement is at this link (PDF).

The Lowdown on Freezing Your Kid’s Credit

January 20, 2016

35 Comments

A story in a national news source earlier this month about freezing your child’s credit file to preempt ID thieves prompted many readers to erroneously conclude that all states allow this as of 2016. The truth is that some states let parents create a file for their child and then freeze it, while many states have no laws on the matter. Here’s a short primer on the current situation, with the availability of credit freezes (a.k.a “security freeze”) for minors by state and by credit bureau.

The lighter-colored states have some type of law permitting parents and/or guardians to place a freeze or flag on a dependent's credit file.

The lighter-colored states have laws permitting parents and/or guardians to place a freeze or flag on a dependent’s credit file.

A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live. Why would ID thieves wish to assume a child’s identity? Because that child is (likely) a clean slate, which translates to plenty of available credit down the road. In addition, minors generally aren’t in the habit of checking their credit reports or even the existence of one, and most parents don’t find out about the crime until the child approaches the age of 18 (or well after).

A 2012 report on child identity theft from the Carnegie Mellon University CyLab delves into the problem of identity thieves targeting children for unused Social Security numbers. The study looked at identity theft protection scans done on some 40,000 children, and found that roughly 10 percent of them were victims of ID theft.

The Protect Children from Identity Theft Act, introduced in the House of Representatives in March 2015, would give parents and guardians the ability to create a protected, frozen credit file for their children. However, GovTrack currently gives the bill a two percent chance of passage in this Congress.

So for now, there is no federal law for minors regarding credit freezes. This has left it up to the states to establish their own policies.

Credit bureau Equifax offers a free service that will allow parents to create a credit report for a minor and freeze it regardless of the state requirement. The minor also does not have to be a victim of identity theft. Equifax has more information on this offering here.

Experian told me that company policy is not to create a file for a minor upon request unless mandated by state law. “However, if a file exists for the minor we will provide a copy free to the parent or legal guardian and will freeze it,” said Experian spokesperson Susan Henson.

Henson added that depending on state law, there may be a fee ranging from $3 to $10 associated with the minor’s freeze. However, if the minor is a victim of identity theft and the applicant submits a copy of a valid police or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles (DMV), the fee will be waived.

Trans Union has a form on its site that lets parents and guardians check for the presence of a credit file on their dependents. But it also only allows freezes in states that reserve that right for minors and their parents or guardians, and applicable fees may apply.

Innovis, often referred to as the fourth major consumer credit bureau, allows parents or guardians to place a freeze on their dependent’s file regardless of state laws. Continue reading →

Firm Sues Cyber Insurer Over $480K Loss

January 18, 2016

43 Comments

A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive.

athook At issue is a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (doing business as “AFGlobal Corp.“) by Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but that the insurer nevertheless denied a claim filed in May 2014 after scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.

According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

“Glen, I have assigned you to manage file T521,” the phony message to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”

Roughly 30 minutes later, Mr. Wurm said he was contacted via phone and email by Mr. Shapiro stating that due diligence fees associated with the China acquisition in the amount of $480,000 were needed. AFGlobal claims a Mr. Shapiro followed up via email with wiring instructions.

After wiring the funds as requested — sending the funds to an account at the Agricultural Bank of China — Mr. Wurm said he received no further correspondence from the imposter until May 27, 2014, when the imposter acknowledged receipt of the $480,000 and asked Wurm to wire an additional $18 million. Wurm said he became suspicious after that request, and alerted the officers of the company to his suspicions.

According to the plaintiff, “the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.”

The company said it attempted to recover the $480,000 wire from its bank, but that the money was already gone by the 27th, with the imposters zeroing out and closing the recipient account shortly after the transfer was completed on May 21.

In a letter sent by Chubb to the plaintiff, the insurance firm said it was denying the claim because the scam, known alternatively as “business email compromise” (BEC) and CEO fraud, did not involve the forgery of a financial instrument as required by the policy. Continue reading →

Hyatt Card Breach Hit 250 Hotels in 50 Nations

January 15, 2016

42 Comments

If you stayed, ate or played at a Hyatt hotel between Aug. 13 and Dec. 8, 2015, there’s a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

hyatt In a statement released Thursday, Hyatt said the majority of the payment systems compromised by card-stealing malware were at restaurants within the hotels, and that a “small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks.” The list of affected hotels is here.

Chicago-based Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging (twice) and the Trump Collection.

ANALYSIS/RANT

U.S. banks have been transitioning to offering chip-based credit and debit cards, and a greater number of retailers are installing checkout systems that can read customer card data off the chip. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.

However, most of these chip cards will still hold customer data in plain text on the card’s magnetic stripe, and U.S. merchants that continue to allow customers to swipe the stripe or who do not have chip card readers in place face shouldering all of the liability for any transactions later determined to be fraudulent.

The United States is the last of the G20 nations to enact this liability shift, and many countries that have transitioned to chip card technology have done so through government fiat. Those nations also almost uniformly have seen card counterfeiting fraud go way down while thieves shift their attention to targeting e-commerce providers.

Although cyber thieves still steal card data off the magnetic stripe from customers of banks in nations that long ago shifted to chip-cards, that card data is typically shipped to thieves here in the United States, who can counterfeit the cards and use them to steal merchandise from U.S.-based big box retailers.

What’s remarkable about the U.S. experiment with moving to chip cards is that the discussion about whether and when to move to more physical security (chips) in credit and debit cards has played out almost entirely apart from the move to impose expensive and increasingly labyrinthine compliance regulations (PCI) on merchants that wish to process or accept card transactions.
Continue reading →

Ransomware a Threat to Cloud Services, Too

January 14, 2016

61 Comments

Ransomware — malicious software that encrypts the victim’s files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.

ransomhand Toni Casala found this out the hard way. Casala’s firm — Children in Film — works as an advocate for young actors and their families. The company’s entire operations run off of application hosting services at a managed cloud solutions firm in California, from QuickBooks to Microsoft Office and Outlook. Employees use Citrix to connect to the cloud, and the hosting firm’s application maps the cloud drive as a local disk on the user’s hard drive.

“We were loving that situation,” Casala said. “We can keep the computers here at work empty, and the service is very inexpensive when you compare it the cost of having more IT people on staff. Also, when we need support, they are very responsive. We don’t get farmed out to some call center in India.”

They were loving it, that is, until just before New Year’s Eve, when an employee opened an email attachment that appeared to be an invoice. Thirty minutes later, nobody in Casala’s firm could access any of the company’s 4,000+ files stored on the cloud drive.

“Someone in my office was logged into Outlook and opened up invoice attachment and BAM!, within 30 minutes, every single file on our Q drive had ‘vvv’ added as file extensions,” she said. Every single folder -had a file that said “help.decrypt,” essentially the attacker’s’ instructions for how to pay the ransom.

The cloud provider that Casala’s company is using was keeping daily backups, but she said it still took them almost a week to fully restore all of the files that were held hostage. She said the hosting service told her that the malware also disrupted operations for other customers on the same server.

Casala said her company got lucky on several fronts. For starters, the infection happened right before her firm closed down operations for the New Year’s break, so the outage was less of a disruption than it might normally have been.

More importantly, the malware that scrambled their files — a strain of ransomware called TeslaCrypt, contained a coding weakness that has allowed security and antivirus firms to help victims decrypt the files without paying the ransom. Users over at the computer help forum BleepingComputer have created TeslaDecoder, which allows victims to decrypt files locked by TeslaCrypt.

Casala said the hosting firm had antivirus installed on the server, but that the ransomware slipped past those defenses. That’s because the crooks who are distributing ransomware engineer the malware to evade detection by antivirus software. For more on how cybercriminals achieve that, see Antivirus is Dead: Long Live Antivirus.

The best defense against ransomware is a good set of data backups that are made each day — preferably to a device that is not always connected to the network. Unfortunately, this is often easier said than done, especially for small businesses. For many ransomware victims who do not have backups to rely upon, the choice of whether to pay comes down to the question of how badly the victim needs access to the ransomed files, and whether the files lost are worth more than the ransom demand (which is usually only a few hundred dollars in Bitcoin). Continue reading →

Adobe, Microsoft Push Reader, Windows Fixes

January 12, 2016

32 Comments

Adobe and Microsoft each issued updates today to fix critical security problems with their software. Adobe’s patch tackles 17 flaws in its Acrobat and PDF Reader products. Microsoft released nine update bundles to plug at least 22 security holes in Windows and associated software.

brokenwindows Six of the nine patches Microsoft is pushing out today address flaws the software giant considers “critical,” meaning the vulnerabilities could be exploited by malware or miscreants to break into vulnerable computers remotely without any help from users. The critical updates tackle problems with Internet Explorer, Microsoft Edge, Office and Silverlight, among other components. Links to all of the updates are available here.

As noted by security firm Qualys, several versions of Internet Explorer will get their last security updates this month, including IE 11 on Windows 7 and 10; IE 8, 9 and 10; IE 10 on Server 2012; IE 9 on Vista Service Pack 2 and Server 2008; and IE7 and IE8. If you’re using one of these older versions of IE, consider switching — either to a newer, supported version of IE, or to something less tightly bound to the Windows operating system, such as Google Chrome. Continue reading →

Last »