Premera Blue Cross Breach Exposes Financial, Medical Records

March 17, 2015

Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.

premeraIn a statement posted on a Web site set up to share information about the breach — premeraupdate.com — the company said that it learned about the attack on January 29, 2015. Premera said its investigation revealed that the initial attack occurred on May 5, 2014.

“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc,” the company said. Their statement continues:

“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.

“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems.  We also have no evidence to date that such data has been used inappropriately.”

Premera said it will be notifying affected customers in letters sent out via postal mail, and that it will be offering two years of free credit monitoring services through big-three credit bureau Experian.

ANOTHER STATE-SPONSORED ATTACK?

The health care provider said it is working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.

An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation.”

“Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.

There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans. Continue reading

Door Skimmer + Hidden Camera = Profit

March 17, 2015

If an ATM you’d like to use is enclosed in a vestibule that requires a card swipe at the door, it might be a good idea to go find another machine, or at least use something other than a payment card to gain entry. Thieves frequently add skimmers to these key card locks and then hide cameras above or beside such ATMs, allowing them to steal your PIN and card data without ever actually tampering with the cash machine itself.

One recent skimming incident began when fraudsters placed a card skimmer directly on top of this key card “dip” device, which managed access to a bank ATM vestibule:

Locks secured by mag stripe readers typically aren't very discriminating or physically secure.

Locks secured by mag stripe readers typically aren’t very discriminating or physically secure.

The attackers in this incident then placed a hidden camera in a false panel above the ATM.

A tiny pinhole lets the hidden video camera record customers entering their PINs.

A tiny pinhole lets the hidden video camera record customers entering their PINs.

Here’s the backside of the phony door card reader the thieves placed on top of the legitimate card reader: Continue reading

Advertisement

‘AntiDetect’ Helps Thieves Hide Digital Fingerprints

March 16, 2015

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique “fingerprint” that is shared with Web sites. That signature is derived from dozens of qualities, including the computer’s operating system type, various plugins installed, the browser’s language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer’s account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

In January, several media outlets wrote about a crimeware tool called FraudFox, which is marketed as a way to help crooks sidestep browser fingerprinting. However, FraudFox is merely the latest competitor to emerge in a fairly established marketplace of tools aimed at helping thieves cash out stolen cards at online merchants.

Another fraudster-friendly tool that’s been around the underground hacker forums even longer is called Antidetect. Currently in version 6.0.0.1, Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

The seller of this product shared the video below of someone using Antidetect along with a stolen credit card to buy three different downloadable software titles from gaming giant Origin.com. That video has been edited for brevity and to remove sensitive information; my version also includes captions to describe what’s going on throughout the video. Continue reading

Adobe Flash Update Plugs 11 Security Holes

March 12, 2015

Adobe has released an update for its Flash Player software that fixes at least 11 separate, critical security vulnerabilities in the program. If you have Flash installed, please take a moment to ensure your systems are updated.

brokenflash-aNot sure whether your browser has Flash installed or what version it may be running? Browse to this link. The newest, patched version is 17.0.0.134 for Windows and Mac users. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.134.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The last few Flash updates from Adobe have been in response to zero-day threats targeting previously unknown vulnerabilities in the program. But Adobe says it is not aware of any exploits in the wild for the issues addressed in this update. Adobe’s advisory on this patch is available here.

MS Update 3033929 Causing Reboot Loop

March 12, 2015

One of the operating system updates Microsoft released on Tuesday of this week — KB3033929 — is causing a reboot loop for a fair number of Windows 7 users, according to postings on multiple help forums. The update in question does not appear to address a pressing security vulnerability, so users who have not  yet installed it should probably delay doing so until Microsoft straightens things out. Continue reading

Apple Pay: Bridging Online and Big Box Fraud

March 11, 2015

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

applepayTo understand what’s going on here, a quick primer on card fraud is probably in order. If you’re a fraudster and you wish to walk into a Best Buy store and walk out with a big screen TV or xBox console on someone else’s dime, you’re going to buy “dumps,” which are data stolen straight off the magnetic stripe on the backs of cards.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — i.e., card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner Inc. explained a blog post published earlier this month that Apple provides banks with a fair amount of data to aid banks in their efforts at “identity proofing” the customer, such as device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories on this blog, there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.

Continue reading

Microsoft Fixes Stuxnet Bug, Again

March 10, 2015

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

brokenwindowsOn this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day. Continue reading

Spoofing the Boss Turns Thieves a Tidy Profit

March 10, 2015

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

athookUntil it did. After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.

By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, the bank hadn’t yet processed the wire, and they were able to claw back the funds.

“Judy” is a pseudonym; she asked to remain anonymous so as not to further embarrass herself or her employer. But for every close call like Judy’s there are many more small businesses each week that fall for these scams and lose millions in the process.

Known variously as “CEO fraud,” and the “business email compromise,” this swindle is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.  In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.

In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies —  The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who she said is not usually in the office. The message was made to appear as though it was a conversation between the CFO and the CEO, in which the CEO told the CFO that money needed to be wired to China.

“$315,000 is definitely a high amount, but I did a transaction for $1.4 million before, and I wire money to China for goods that we buy from there,” she said. “But truly, the email did bother me. It didn’t feel quite right when it came in, but at no point did I think, ‘this is someone imitating the boss.'”

After sending a co-worker in finance instructions to execute the wire transfer, Judy sent a note to the CFO asking if she should also notify the CEO that the wire had been sent. When the response came back in wording she couldn’t imagine the CFO putting in writing, she studied the forwarded email more closely. Sure enough, Judy discovered the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name. Continue reading

Point-of-Sale Vendor NEXTEP Probes Breach

March 9, 2015

NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.

nextepThe acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’S biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada.

Last week, KrebsOnSecurity reached out to Zoup after hearing from financial industry sources about fraud patterns indicating some sort of card compromise at many Zoup locations. Zoup CEO Eric Ersher referred calls to NEXTEP, saying that NEXTEP was recently informed of a security issue with its point-of-sale devices. Ersher said Zoup runs NEXTEP’s point-of-sale devices across its entire chain of stores.

In an emailed statement, NEXTEP President Tommy Woycik confirmed Ersher’s account, but emphasized that the company does not believe all of its customers are impacted.

“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” Woycik wrote. “NEXTEP immediately launched an investigation in cooperation with law enforcement and data security experts we retained to determine the root cause and remediate the issue. We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed.  This remains an ongoing investigation with law enforcement. At this stage, we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”

A breach at a point-of-sale vendor can impact a large number of organizations, and historically the chief victims of POS vendor breaches have been food service establishments. Last year, a pattern of credit card fraud at hundreds of Jimmy Johns sandwich shops across the country was traced back to security weaknesses that fraudsters were exploiting in point-of-sale systems produced by POS vendor Signature Systems Inc. Signature later disclosed that the breach also impacted at least 100 other independent restaurants that use its products. Continue reading

Feds Indict Three in 2011 Epsilon Hack

March 6, 2015

U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.

epsilonThe government alleges the defendants made more than $2 million blasting out spam to more than one billion email addresses stolen from several email service providers (ESPs), companies that manage customer email marketing on behalf of major corporate brands.  The indictments further allege that the men sent the junk missives by hijacking the email servers used by these ESPs.

“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said Acting U.S. Attorney John Horn.  “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”

To be clear, prosecutors haven’t specifically outed Epsilon as the victim, nor did they name any of the other email service providers (ESPs) allegedly harmed by the defendants. But a press release issued today Horn’s office states that “the data breach into certain ESPs was the subject of a congressional inquiry and testimony before a U.S House of Representatives subcommittee on June 2, 2011.”

That date aligns with a June 2, 2011 House Energy and Commerce Committee panel on the data breaches at Sony and Epsilon. Epsilon officials could not be immediately reached for comment.

Update, 11:27 p.m. ET: Epsilon confirmed that it is among the victims in this case. See the end of this story for their full statement.

Original story:

In early April 2011, customers at dozens of Fortune 500 companies began complaining of receiving spam to email addresses they’d created specifically for use with those companies. On April 2, 2011, Epsilon started notifying consumers that hackers had stolen customer email addresses and names belonging to a “subset of its clients.”

Those clients were ESPs that send email to customers on behalf of some the biggest firms in the world. Epsilon didn’t name which ESPs were impacted, but the voluminous complaints from consumers about spam indicated that those ESPs served a broad range of major companies, including JP Morgan Chase, U.S. Bank, Barclays, Kroger, McDonalds, Walgreens, and Honda, to name but a few.

A scam web site that tried to sell copies of Adobe Reader.

A scam web site that tried to sell copies of Adobe Reader.

As I noted in that April 2011 story, consumers had complained of received junk email with links to sites that tried to sell versions of software made by Adobe Systems Inc. Some of the sites reportedly even tried to sell copies of Adobe Reader — software that Adobe gives away for free.

Sure enough, the men indicted today are accused of hacking into a major ESP to steal more than a billion email addresses, which they allegedly used to promote knockoff versions of Adobe software (among other dubious products).

Prosecutors in Atlanta today unsealed indictments against Viet Quoc Nguyen and Giang Hoang Vu, both citizens of Vietnam who resided for a period of time in the Netherlands. The government also unsealed an indictment against David-Manuel Santos Da Silva, a Canadian citizen who was charged with conspiring with Nguyen and others to launder the proceeds of Nguyen’s alleged computer hacking offenses.

The government alleges that Nguyen used various methods — including targeted email phishing campaigns — to trick recipients at email marketing firms into clicking links to sites which attempted to exploit browser vulnerabilities in a bid to install malicious software. For more on those targeted attacks, see my Nov. 24, 2010 story, Spear Phishing Attacks Snag E-Mail Marketers.

Continue reading