Toward a Breach Canary for Data Brokers

December 8, 2014

When a retailer’s credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we’ll examine one idea to hold consumer data brokers more accountable.

breachcanarySome of the biggest retail credit card breaches of the past year — including the break-ins at Target and Home Depot — were detected by banks well before news of the incidents went public. When cards stolen from those merchants go up for sale on underground cybercrime shops, the banks often can figure out which merchant got hacked by acquiring a handful of their cards and analyzing the customer purchase history of those accounts. The merchant that is common to all stolen cards across a given transaction period is usually the breached retailer.

Sadly, this process of working backwards from stolen data to breach victim generally does not work in the case of breached data brokers that trade in Social Security information and other data, because too often there are no unique markers in the consumer data that would indicate from where the information was obtained.

Even in the handful of cases where underground crime shops selling consumer personal data have included data points in the records they sell that would permit that source analysis, it has taken years’ worth of very imaginative investigation by law enforcement to determine which data brokers were at fault. In Nov. 2011, I wrote about an identity theft service called Superget[dot]info, noting that “each purchasable record contains a two- to three-letter “sourceid,” which may provide clues as to the source of this identity information.”

Unfortunately, the world didn’t learn the source of that ID theft service’s data until 2013, a year after U.S. Secret Service agents arrested the site’s proprietor — a 24-year-old from Vietnam who was posing as a private investigator based in the United States. Only then were investigators able to determine that the source ID data matched information being sold by a subsidiary of big-three credit bureau Experian (among other data brokers that were selling to the ID theft service). But federal agents made that connection only after an elaborate investigation that lured the proprietor of that shop out of Vietnam and into a U.S. territory.

Meanwhile, during the more than six years that this service was in operation, Superget.info attracted more than 1,300 customers who paid at least $1.9 million to look up Social Security numbers, dates of birth, addresses, previous addresses, email addresses and other sensitive information on consumers, much of it used for new account fraud and tax return fraud.

Investigators got a lucky break in determining the source of another ID theft service that was busted up and has since changed its name (more on that in a moment). That service — known as “ssndob[dot]ru” — was the service used by exposed[dot]su, a site that proudly displayed the Social Security, date of birth, address history and other information on dozens of Hollywood celebrities, as well as public officials such as First Lady Michelle Obama, then FBI Director Robert Mueller, and CIA Director John Brennan.

As I explained in a 2013 exclusive, civilian fraud investigators working with law enforcement gained access to the back-end server that was being used to handle customer requests for consumer information. That database showed that the site’s 1,300 customers had spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Although four million consumer records may seem like a big number, that figure did not represent the total number of consumer records available through ssndob[dot]ru. Rather, four million was merely the number of consumer records that the service’s customers had paid the service to look up. In short, it appeared that the ID theft service was drawing on active customer accounts inside of major consumer data brokers.

Investigators working on that case later determined that the same crooks who were running ssndob[dot]ru also were operating a small, custom botnet of hacked computers inside of several major data brokers, including LexisNexis, Dun & Bradstreet, and Kroll. All three companies acknowledged infections from the botnet, but shared little else about the incidents.

Despite their apparent role in facilitating (albeit unknowingly) these ID theft services, to my knowledge the data brokers involved have never been held publicly accountable in any court of law or by Congress.

CURRENT ID THEFT SERVICES

At present, there are multiple shops in the cybercrime underground that sell everything one would need to steal someone’s identity in the United States or apply for new lines of credit in their name — including Social Security numbers, addresses, previous addresses, phone numbers, dates of birth, and in some cases full credit history. The price of this information is shockingly low — about $3 to $5 per record.

KrebsOnSecurity conducted an exhaustive review of consumer data on sale at some of the most popular underground cybercrime sites. The results show that personal information on some of the most powerful Americans remains available for just a few dollars. And of course, if one can purchase this information on these folks, one can buy it on just about anyone in the United States today.

As an experiment, this author checked two of the most popular ID theft services in the underground for the availability of Social Security numbers, phone numbers, addresses and previous addresses on all members of the Senate Commerce Committee‘s Subcommittee on Consumer Protection, Product Safety and Insurance. That data is currently on sale for all thirteen Democrat and Republican lawmakers on the panel.

Between these two ID theft services, the same personal information was for sale on Edith Ramirez and Richard Cordray, the heads of the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), respectively. Continue reading

Treasury Dept: Tor a Big Source of Bank Fraud

December 5, 2014

A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.

The findings come in a non-public report obtained by KrebsOnSecurity that was produced by the Financial Crimes Enforcement Network (FinCEN), a Treasury Department bureau responsible for collecting and analyzing data about financial transactions to combat domestic and international money laundering, terrorist financing and other financial crimes.

In the report, released on Dec. 2, 2014, FinCEN said it examined some 6,048 suspicious activity reports (SARs) filed by banks between August 2001 and July 2014, searching the reports for those involving one of more than 6,000 known Tor network nodes. Investigators found 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.

“Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising,” the report concluded. “Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet [link added] found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses.”

Tables from the FinCEN report.

Tables from the FinCEN report.

FinCEN said it was clear from the SAR filings that most financial institutions were unaware that the IP address where the suspected fraudulent activity occurred was in fact a Tor node.

“Our analysis of the type of suspicious activity indicates that a majority of the SARs were filed for account takeover or identity theft,” the report noted. “In addition, analysis of the SARs filed with the designation ‘Other revealed that most were filed for ‘Account Takeover,’ and at least five additional SARs were filed incorrectly and should have been ‘Account Takeover.'”

The government also notes that there has been a fairly recent and rapid rise in the number of SAR filings over the last year involving bank fraud tied to Tor nodes.

“From October 2007 to March 2013, filings increased by 50 percent,” the report observed. “During the most recent period — March 1, 2013 to July 11, 2014 — filings rose 100 percent.” Continue reading

Advertisement

Bebe Stores Confirms Credit Card Breach

December 5, 2014

In a statement released this morning, women’s clothier chain bebe stores inc. confirmed news first reported on this blog Thursday: That hackers had stolen customer card data from stores across the country in a breach that persisted for several weeks last month.

Image: Wikipedia.

Image: Wikipedia.

Bebe stores said its investigation indicates that the breach impacted payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores between Nov. 8, 2014 and Nov. 26, 2014. The data may have included cardholder name, account number, expiration date, and verification code.

The company emphasized that purchases made though its web site, mobile site/application, or in Canada or other international stores were not affected, and that customers should feel confident in continuing to use their payment cards in bebe stores.

“Our relationship with our customers is of the highest importance,” said bebe CEO Jim Wiggett, in a statement. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”

Predictably, bebe stores is offering free credit monitoring services for one year to customers impacted by this incident, even though credit monitoring services do nothing to help consumers block fraud on existing accounts — such as credit and debit card accounts that may have been stolen in this breach.
Consumers still need to keep a close eye on monthly statements, and report any unauthorized charges as quickly as possible. Continue reading

Banks: Credit Card Breach at Bebe Stores

December 4, 2014

Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores.

Image: Wikipedia.

Image: Wikipedia.

Earlier this week, KrebsOnSecurity began hearing from different banks about a pattern of fraudulent charges on customer credit cards that all had one thing in common: the cards were recently used at Bebe (pronounced “bee bee”) locations across the country.

This author reached out to Bebe via email and phone early Wednesday. Officials from Bebe Stores have not yet responded to requests for comment.

On Wednesday, this author heard from an East Coast bank which had purchased several of its customers cards that were being sold on a relatively new cybercrime shop called (goodshop[dot]bz]). The bank acquired cards from a batch that Goodshop released on Dec. 1, called “Happy Winter Update.” The prices from that Happy Winter batch range from $10 to $27 per card.

The bank found that all of the cards had been used at Bebe Stores in the United States between Nov. 18 and Nov. 28. It is not clear if the breach at Bebe stores is ongoing, or if it extends prior to mid-November 2014.

The card fraud shop "goodshop[dot]bz" is selling thousands of cards in its "Happy Winter Update."

The card fraud shop “goodshop[dot]bz” is selling thousands of cards in its “Happy Winter Update.”

Continue reading

Be Wary of ‘Order Confirmation’ Emails

December 3, 2014

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

An "order confirmation" malware email blasted out by the Asprox spam botnet recently.

An “order confirmation” malware email blasted out by the Asprox spam botnet recently.

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.

This Asprox malware email poses as a notice about a wayward package from a WalMart  order.

This Asprox malware email poses as a notice about a wayward package from a WalMart order.

According to Malcovery, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Continue reading

Sony Breach May Have Exposed Employee Healthcare, Salary Data

December 2, 2014

The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems.

Screen shot from an internal audit report allegedly stolen from Sony.

Screen shot from an internal audit report allegedly stolen from Sony and circulating on file-trading networks.

Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.

Sony officials could not be immediately reached for comment; a press hotline for the company rang for several minutes without answer, and email requests to the company went unanswered.  But a comprehensive search on LinkedIn for dozens of the names in the list indicate virtually all correspond to current or former Sony employees.

Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data.

The latest revelations come more than a week after a cyberattack on Sony Pictures Entertainment brought down the company’s corporate email systems. A Sony spokesperson told Reuters that the company has since “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”

Some of the files apparently taken from Sony that are now being traded on file-sharing networks.

Some of the files apparently taken from Sony that are now being traded on file-sharing networks.

Several media outlets reported at the time that Sony employees had been warned not to connect to the company’s corporate network or to check email, and noted that Sony’s IT departments had instructed employees to turn off their computers as well as disable Wi-Fi on all mobile devices.” Other reports cited unnamed investigators pointing to North Korean hackers as the source of the attack, although those reports could not be independently confirmed.

Such extreme precautions would make sense if the company’s network was faced with a cyber threat designed to methodically destroy files on corporate computers. Indeed, the FBI this week released a restricted “Flash Alert” warning of just such a threat, about an unnamed attack group that has been using malware designed to wipe computer hard drives — and the underlying “master boot record” (MBR) on the affected systems — of all data.

KrebsOnSecurity obtained a copy of the alert, which includes several file names and hashes (long strings of letters and numbers that uniquely identify files) corresponding to the file-wiping malware. The FBI does not specify where the malware was found or against whom it might have been used, noting only that “the FBI has high confidence that these indicators are being used by CNE [computer network exploitation] operators for further network exploitation.” The report also says the language pack referenced by the malicious files is Korean.

Continue reading

KrebsOnSecurity on CBS’s ’60 Minutes’

December 1, 2014

In case any of you loyal readers missed it, KrebsOnSecurity.com and its author were featured in a 60 Minutes interview last night on the credit and debit card breaches that have hit countless retailers and consumers over the past year.

60mk

I spent more than a dozen hours with 60 Minutes producers, film crews and the host of this segment — CBS’s Bill Whitaker, so I’m glad they were able to use as much footage as they did. Leading up to the filming, the producer of the show asked some very incisive questions — some of which I didn’t know the answers to myself — and I was hoping the segment would address some of the less discussed issues that contribute to this epidemic of card breaches. But, alas, I hope to explore some of those questions in future posts.

A link to a video and transcript of the program is here. Continue reading

Black Friday, Cyber Monday for Crooks, Too!

November 29, 2014

Underground cybercrime shops that sell credit and debit card accounts stolen from retailers are slashing prices and promoting their own Black Friday and Cyber Monday sales as fraudsters gear up for the busy holiday shopping season.

Card data stolen from main street retailers, a.k.a. “dumps,” is sold to crooks who encode the numbers onto new plastic and go shopping for high-priced electronics and gift cards at big box stores. Other shops sell mainly stolen card numbers, expiration dates and card security codes that can only be used to shop at online retailers.

Have a look at the slide show below, which features multiple advertisements pushed out by some of the most bustling crime shops competing for buyers with discounts and promotions. You might have to scroll down a bit to see the slideshow. Advance the slides by hovering over the right edge of the image and clicking the arrow that appears.

It’s nearly impossible for consumers to tell how secure a main street or online merchant is, so it’s best just to shop as if they’re all compromised. That is, if you have the choice between using a credit or debit card, shop with your credit card. Continue reading

Skimmer Innovation: ‘Wiretapping’ ATMs

November 26, 2014

Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries, financial institutions in two countries recently reported ATM attacks in which the card data was compromised internally by “wire-tapping” or “eavesdropping” on the customer transaction. The image below shows some criminal equipment used to perpetrate these eavesdropping attacks.

Equipment used by crooks to conduct "eavesdropping" or "wiretapping" attacks on ATMs.

Equipment used by crooks to conduct “eavesdropping” or “wiretapping” attacks on ATMs. Source: EAST.

“The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
[pictured, bottom right].

Pictured above are what appear to be wires that are fed into the machine with some custom-made rods. It looks like the data is collected by removing the decal, fishing out the wire attached to the ATM’s card reader, and connecting it to a handheld data storage device.

I sought clarification from EAST about how the device works. Most skimmers are card slot overlay devices that work by using a built-in component which reads the account data off of the magnetic stripe when the customer inserts the card. But Lachlan Gunn, EAST’s executive director, suggested that this device intercepts the card data from the legitimate card reader on the inside of the ATM. He described the wiretapping device this way:

“It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”

The last report in my ATM skimming series showcased some major innovations in so-called “insert skimmers,” card-skimming devices made to fix snugly and invisibly inside the throat of the card acceptance slot. EAST’s new report includes another, slightly more advanced, insert skimmer that’s being called an “insert transmitter skimmer.”

Like the one pictured below, an insert transmitter skimmer is made up of two steel plates and an internal battery that lasts approximately one to two weeks. “They do not store data, but transmit it directly to a receiving device — probably placed less than 1 meter from the ATM. Continue reading

Adobe Pushes Critical Flash Patch

November 25, 2014

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.

brokenflash-aAdobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424. 

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in-the-wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one). Continue reading