Apple Pay: Bridging Online and Big Box Fraud

March 11, 2015
84 Comments

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

applepayTo understand what’s going on here, a quick primer on card fraud is probably in order. If you’re a fraudster and you wish to walk into a Best Buy store and walk out with a big screen TV or xBox console on someone else’s dime, you’re going to buy “dumps,” which are data stolen straight off the magnetic stripe on the backs of cards.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — i.e., card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner Inc. explained a blog post published earlier this month that Apple provides banks with a fair amount of data to aid banks in their efforts at “identity proofing” the customer, such as device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories on this blog, there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.

Continue reading

Microsoft Fixes Stuxnet Bug, Again

March 10, 2015
62 Comments

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

brokenwindowsOn this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day. Continue reading

Advertisement

Spoofing the Boss Turns Thieves a Tidy Profit

March 10, 2015
68 Comments

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

athookUntil it did. After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.

By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, the bank hadn’t yet processed the wire, and they were able to claw back the funds.

“Judy” is a pseudonym; she asked to remain anonymous so as not to further embarrass herself or her employer. But for every close call like Judy’s there are many more small businesses each week that fall for these scams and lose millions in the process.

Known variously as “CEO fraud,” and the “business email compromise,” this swindle is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.  In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.

In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies —  The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who she said is not usually in the office. The message was made to appear as though it was a conversation between the CFO and the CEO, in which the CEO told the CFO that money needed to be wired to China.

“$315,000 is definitely a high amount, but I did a transaction for $1.4 million before, and I wire money to China for goods that we buy from there,” she said. “But truly, the email did bother me. It didn’t feel quite right when it came in, but at no point did I think, ‘this is someone imitating the boss.'”

After sending a co-worker in finance instructions to execute the wire transfer, Judy sent a note to the CFO asking if she should also notify the CEO that the wire had been sent. When the response came back in wording she couldn’t imagine the CFO putting in writing, she studied the forwarded email more closely. Sure enough, Judy discovered the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name. Continue reading

Point-of-Sale Vendor NEXTEP Probes Breach

March 9, 2015
30 Comments

NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.

nextepThe acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’S biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada.

Last week, KrebsOnSecurity reached out to Zoup after hearing from financial industry sources about fraud patterns indicating some sort of card compromise at many Zoup locations. Zoup CEO Eric Ersher referred calls to NEXTEP, saying that NEXTEP was recently informed of a security issue with its point-of-sale devices. Ersher said Zoup runs NEXTEP’s point-of-sale devices across its entire chain of stores.

In an emailed statement, NEXTEP President Tommy Woycik confirmed Ersher’s account, but emphasized that the company does not believe all of its customers are impacted.

“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” Woycik wrote. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed.  This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”

A breach at a point-of-sale vendor can impact a large number of organizations, and historically the chief victims of POS vendor breaches have been food service establishments. Last year, a pattern of credit card fraud at hundreds of Jimmy Johns sandwich shops across the country was traced back to security weaknesses that fraudsters were exploiting in point-of-sale systems produced by POS vendor Signature Systems Inc. Signature later disclosed that the breach also impacted at least 100 other independent restaurants that use its products. Continue reading

Feds Indict Three in 2011 Epsilon Hack

March 6, 2015
22 Comments

U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.

epsilonThe government alleges the defendants made more than $2 million blasting out spam to more than one billion email addresses stolen from several email service providers (ESPs), companies that manage customer email marketing on behalf of major corporate brands.  The indictments further allege that the men sent the junk missives by hijacking the email servers used by these ESPs.

“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said Acting U.S. Attorney John Horn.  “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”

To be clear, prosecutors haven’t specifically outed Epsilon as the victim, nor did they name any of the other email service providers (ESPs) allegedly harmed by the defendants. But a press release issued today Horn’s office states that “the data breach into certain ESPs was the subject of a congressional inquiry and testimony before a U.S House of Representatives subcommittee on June 2, 2011.”

That date aligns with a June 2, 2011 House Energy and Commerce Committee panel on the data breaches at Sony and Epsilon. Epsilon officials could not be immediately reached for comment.

Update, 11:27 p.m. ET: Epsilon confirmed that it is among the victims in this case. See the end of this story for their full statement.

Original story:

In early April 2011, customers at dozens of Fortune 500 companies began complaining of receiving spam to email addresses they’d created specifically for use with those companies. On April 2, 2011, Epsilon started notifying consumers that hackers had stolen customer email addresses and names belonging to a “subset of its clients.”

Those clients were ESPs that send email to customers on behalf of some the biggest firms in the world. Epsilon didn’t name which ESPs were impacted, but the voluminous complaints from consumers about spam indicated that those ESPs served a broad range of major companies, including JP Morgan Chase, U.S. Bank, Barclays, Kroger, McDonalds, Walgreens, and Honda, to name but a few.

A scam web site that tried to sell copies of Adobe Reader.

A scam web site that tried to sell copies of Adobe Reader.

As I noted in that April 2011 story, consumers had complained of received junk email with links to sites that tried to sell versions of software made by Adobe Systems Inc. Some of the sites reportedly even tried to sell copies of Adobe Reader — software that Adobe gives away for free.

Sure enough, the men indicted today are accused of hacking into a major ESP to steal more than a billion email addresses, which they allegedly used to promote knockoff versions of Adobe software (among other dubious products).

Prosecutors in Atlanta today unsealed indictments against Viet Quoc Nguyen and Giang Hoang Vu, both citizens of Vietnam who resided for a period of time in the Netherlands. The government also unsealed an indictment against David-Manuel Santos Da Silva, a Canadian citizen who was charged with conspiring with Nguyen and others to launder the proceeds of Nguyen’s alleged computer hacking offenses.

The government alleges that Nguyen used various methods — including targeted email phishing campaigns — to trick recipients at email marketing firms into clicking links to sites which attempted to exploit browser vulnerabilities in a bid to install malicious software. For more on those targeted attacks, see my Nov. 24, 2010 story, Spear Phishing Attacks Snag E-Mail Marketers.

Continue reading

Intuit Failed at ‘Know Your Customer’ Basics

March 5, 2015
135 Comments

Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don’t go far enough. Here’s a look at some of the missteps that precipitated this mess, and what the company can do differently going forward.

dyot copy2

As The Wall Street Journal noted in a story this week, competitors H&R Block and TaxAct say they haven’t seen a similar surge in fraud this year. Perhaps the bad guys are just picking on the industry leader. But with 29 million customers last year — far more than H&R Block or TaxAct (which each had about seven million) — TurboTax should also be leading the industry in security.

Keep in mind that none of the security steps described below are going to stop fraud alone. But taken together, they do or would provide more robust security for TurboTax accounts, and significantly raise the costs for criminals engaged in this type of fraud.

NO EMAIL VALIDATION

Intuit fails to take basic steps to validate key account information, such as email addresses and mobile numbers, and these failures have limited the company’s ability to enact stricter account security measures. In fact, TurboTax still does not require new users to verify their email address, a basic security precaution that even random Internet forums which don’t collect nearly as much sensitive data require of all new users.

Last month, KrebsOnSecurity featured an in-depth story that stemmed from information provided by two former Intuit security employees who accused the company of making millions of dollars knowingly processing tax refund requests filed by cybercriminals. Those individuals shared a great deal about Intuit’s internal discussions on how best to handle a spike in account takeovers and fraudsters using stolen personal information to file tax refund requests on unwitting consumers.

Both whistleblowers said the lack of email verification routinely led to bizarre scenarios in which customers would complain of seeing other peoples’ tax data in their accounts. These were customers who’d forgotten their passwords and entered their email address at the site to receive a password reset link, only to find their email address tied to multiple identities that belonged to other victims of stolen identity refund fraud.

In mid-February, Intuit announced that it would begin the process of prompting all users to validate their accounts, either by validating their email address, answering a set of knowledge-based authentication questions, or entering a code sent to their mobile phone.

In an interview today, Intuit’s leadership sidestepped questions about why the company still does not validate email addresses. But TurboTax Chief Information Security Officer Indu Kodukula did say TurboTax will no longer display multiple profiles tied to a single email address when users attempt to reset their passwords by supplying an email address.

“We had an option where when you entered an email address, we’d show you a list of user IDs that were associated with that address,” Kodukula said. “We’ve removed that option, so now if you try to do password recovery, you have to go back to the email associated with you.” Continue reading

Credit Card Breach at Mandarin Oriental

March 4, 2015
31 Comments

In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach.

mandarinReached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach.

“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement.

The statement continues, indicating that some of the chain’s point-of-sale systems were infected with malware capable of stealing customer card data:

“Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.”  Continue reading

Hospital Sues Bank of America Over Million-Dollar Cyberheist

March 3, 2015
51 Comments

A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.

cascadeIn April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1 , one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.

On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.

Bank of America was ultimately able to claw back roughly $400,000 of the fraudulent payroll payments. But in a complaint (PDF) filed against the bank, the hospital alleges that an employee on the Chelan County  Treasurer’s staff noticed something amiss the following Monday — April 22, 2013 — and alerted the bank to the suspicious activity.

“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call.  Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.” Continue reading

Natural Grocers Investigating Card Breach

March 2, 2015
48 Comments

Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”

ngrocerIn response to questions from KrebsOnSecurity about a possible security breach, Lakewood, Colo. based Natural Grocers by Vitamin Cottage Inc. said it has hired a third-party data forensics firm, and that law enforcement is investigating the matter.

Natural Grocers emphasized that it “has received no reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution.”

“In addition, there is no evidence that PIN numbers or card verification codes were accessed,” the company’s statement continued. “Finally, no personally identifiable information, such as names, addresses or Social Security numbers, was involved, as the company does not collect that data as part of its payment processing system.”

Perhaps they aren’t reporting the fraud to Natural Grocer, but banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground. Continue reading

Spam Uses Default Passwords to Hack Routers

February 26, 2015
43 Comments

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

tp-link WDR4300Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.

If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting it away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

The malicious script used by the spammers in this campaign tries multiple default multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The malicious script used by the spammers in this campaign tries multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time. Continue reading