Krebs on Security

P.F. Chang’s Breach Likely Began in Sept. 2013

June 18, 2014

The recently-announced credit card breach at P.F. Chang’s Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in.

Whenever there is a data breach that jeopardizes credit card accounts, Visa, MasterCard and the other card associations typically issue private Compromised Account Management System (CAMS) alerts to banks that issue their cards. The purpose of those CAMS alerts is to notify those institutions of specific cards thought to have been affected in a breach, so that institutions can re-issue the cards or otherwise take additional steps to manage the fraud exposure on those accounts.

On June 17, Visa issued a new CAMS alert to one of the banks that I worked with in reporting out the P.F. Chang’s story, letting them know that they had many hundreds of cards exposed in a recent breach that dated back to Sept. 18, 2013. That bank had purchased more than a dozen cards sold from an underground store that’s been exclusively selling cards stolen in the P.F. Chang’s break-in, and every one of those cards was listed on the June 17 CAMS alert from Visa. Continue reading →

Gear to Block ‘Juice Jacking’ on Your Mobile

June 18, 2014

94 Comments

Ever since I learned about the threat of “juice-jacking” — the possibility that plugging your mobile device into a random power charging station using a USB cord could jeopardize the data on that device — I’ve been more mindful about bringing a proper power-outlet charging adapter on my travels. But in the few cases when I forgot or misplaced the adapter, I’ve found myself falling back on one of two devices I’ll review today that are both designed to block USB charging cords from transmitting data.

The USB Condom, in action at 35k feet.

Juice-jacking as a threat probably first crept into the collective paranoia of gadget geeks in the summer of 2011, after I wrote a story about two researchers at the DefCon hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the fact that many mobile devices (particularly Apple devices) are set up to connect to a computer and immediately sync data.

Their proof-of-concept was a reminder that in the (admittedly unlikely) event that a clever attacker managed to hide a small computer inside of a USB charging kiosk, he might be able to slurp up your device’s data.

Since that story, several products have sprung up to help minimize such threats. These small USB pass-through devices are designed to allow charging yet block any data transfer capability. The two products I’ve been using over the past few months include the “USB Condom” and a device called the “Juice-Jack Defender.”

Both prophylactics (cue the crude jokes) function the same way — with male and female USB adapters at either end — but the two have a slightly different form factor and feel. True to its name, the USB Condom is a rectangular black circuit board wrapped in a clear plastic sheath, measuring approximately 54 millimeters/2 inches long and 20 mm/.75 inches wide.

The Juice-Jack Defender is slightly smaller — about 45 mm long and roughly 16 mm wide — and is wrapped in rubberized black plastic, although the device picture on the Web site of the vendor, chargedefense.com, shows a product coated in blue plastic. Continue reading →

If It Sounds Too Good To Be True…

June 17, 2014

65 Comments

The old adage “If it sounds too good to be true, it probably is” no doubt is doubly so when it comes to steeply discounted brand-name stuff for sale on random Web sites, especially sports jerseys, designer shoes and handbags. A great many stores selling these goods appear to be tied to an elaborate network of phony storefronts and credit card processing sites based out of China that will happily charge your card but deliver nothing (or at best flimsy knockoffs).

Earlier this month I heard from a reader whose wife had purchased ladies clothing from bearcrs.co.uk, a site that until very recently billed itself as an official seller of Victoria Secrets goods. Most of the items for sale were roughly 60-70 percent off the retail price advertised anywhere else. The checkout process brought her to payment site called unimybill.com, which took her credit card information and said she’d been successfully charged for her purchases. The goods never arrived.

“They charged her card about $100,” said the reader, who asked to remain anonymous. “I tried to contact them, they never replied back. I started to discover similar websites by entering phrases from bearcrs.co.uk into Google. All websites have the same php engine, same phrases, registered in China, same checkout process, all they sell brand clothes for 30% of real price.”

Bearcrs.co.uk is one of hundreds of bogus storefronts that list products of well-known brands like Nike, Ray Ban, Michael Kors and others, hoping to lure bargain-hunting shoppers. Among the many fraudulent sites is michaelkorshandbags.co.uk, a site that claims to be a merchant in the United Kingdom but whose infrastructure is all Chinese.

The same network is tied to michaelkorshandbags.co.uk and hundreds of other similarly structured sites, all of which have left a trail of complaints online from customers who were charged for goods that never arrived. Order anything from this shop and you are taken to a checkout page at sslcreditpay.com, which tries to assure shoppers that the page is legitimate by posting a number of logos and trust seals from a variety of security and payment security providers such as Verisign, Symantec, Trustwave and the PCI Security Standards Council. Trouble is, none of these organizations actually authorized this payment gateway to use their seals, which are supposed to be clickable icons that provide information to help support that claim.

sslcreditpay.com uses a variety of security seals to make you feel more at ease submitting your credit card for goods you’ll never get.

A check with Trustwave showed that the seal was bogus. John Randall, senior product manager for the company, said Trustwave only issues the Trustwave seal for customers that purchase its domain validation or extended validation (EV) certificates, and that the site in question hadn’t done either.

Likewise, the PCI Security Standards Council said it doesn’t authorize the use of its logo for payment processing sites.

“As a standards setting organization we do not validate compliance with PCI Standards – this is managed separately by each payment card brand,” said Ella Nevill, vice president of stakeholder engagement at the PCI Counil. “As such, we don’t provide any sort of compliance ‘seal’ or use of our company logo. What we do provide is use of a PCI Participating Organization logo for our member organizations that pay to be PCI Participating Organizations and be involved in standards development process.”

Sslcreditpay.com is one of many apparently bogus online payment processing sites tied to this fraud network. Other phony payment portals include payitrust.com and paymentsol.com. You can’t reach the payment pages for these processors directly unless you actually check out from an associated online store. At that point, you’ll be directed to a subdomain like https://payment.payitrust.com and https://payment.paymentsol.com. Continue reading →

Ruling Raises Stakes for Cyberheist Victims

June 16, 2014

53 Comments

A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases.

Choice Escrow and Land Title LLC sued Tupelo, Miss. based BancorpSouth Inc., after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use choose dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week The 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.

“It’s a good opinion for banks [and] it’s definitely more pro-bank than pro-consumer,” said Dan Mitchell, a lawyer who chairs the data security practice at Bernstein Shur in Portland, Maine. “The appellate court found the same thing as the basic court. The customer was offered dual controls — that two people should be required to sign off on all transactions — and they were informed that it was important for them to take advantage of this. So, when [Choice Escrow] made an informed decision in writing not to use dual controls, the bank was careful to document that.”

Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. Bancorp South had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm. Continue reading →

P.F. Chang’s Confirms Credit Card Breach

June 12, 2014

99 Comments

Nationwide restaurant chain P.F. Chang’s Chinese Bistro on Thursday confirmed news first reported on this blog: That customer credit and debit card data had been stolen in a cybercrime attack on its stores. The company had few additional details to share about the breach, other than to say that it would temporarily be switching to a manual credit card imprinting system for all P.F. Chang’s restaurants in the United States.

In statement released to this reporter this evening, P.F. Chang’s said it first learned of the breach on June 10, the same day this publication pointed to evidence that the eatery chain may have been compromised. Their complete statement is as follows: Continue reading →

Banks: Credit Card Breach at P.F. Chang’s

June 10, 2014

138 Comments

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.

Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source.”

“P.F. Chang’s takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more,” the company said in an emailed statement. “We will provide an update as soon as we have additional information.”

A spokesperson for the U.S. Secret Service, which typically investigates breaches involving counterfeit credit and debit cards, declined to comment.

It is unclear how many P.F. Chang’s locations may have been impacted. According to the company’s Wikipedia entry, as of January 2012 there were approximately 204 P.F. Chang’s restaurants in the United States, Puerto Rico, Mexico, Canada, Argentina, Chile and the Middle East. Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina.

The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty.

The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems.

Unlike with the Target and Sally Beauty batches, however, the advertisement on Rescator’s shop for cards sold under the Ronald Reagan batch does not list the total number of cards that are for sale currently. Instead, it appears to list just the first 100 pages of results, at approximately 50 cards per page. The cards range in price from $18 to $140 per card. Many factors can influence the price of an individual card, such as whether the card is a Visa or American Express card; similarly, Platinum and Business cards tend to fetch far higher prices than Classic and Standard cards.

A new ad that debuted on June 9 for a fresh batch of cards apparently stolen from PF Chang’s China Bistro locations.

The ad for the Ronald Reagan batch of cards also includes guidance for potential customers who wish to fund their accounts via Western Union or MoneyGram wire transfers, advice that strongly suggests those involved in this apparent heist are once again from Russia and Eastern Europe: Continue reading →

Adobe, Microsoft Push Critical Security Fixes

June 10, 2014

37 Comments

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products.

The vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month (MS14-035) shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.

Most of the vulnerabilities Microsoft fixed today earned its “critical” rating, meaning malware or bad guys could exploit the flaws to seize control over vulnerable systems without any help from users, save perhaps for having the Windows or IE user visit a hacked or booby-trapped Web site. For more details on the individual patches, see this roundup at the Microsoft Technet blog.

Adobe’s update for Flash Player fixes at least a half-dozen bugs in the widely-used browser plugin. The Flash update brings the media player to v. 14.0.0.125 on Windows and Mac systems, and v. 11.2.202.378 for Linux users. To see which version of Flash you have installed, check this link.

Continue reading →

Backstage with the Gameover Botnet Hijackers

June 9, 2014

65 Comments

When you’re planning to rob the Russian cyber mob, you’d better make sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today’s column features an interview with two security experts who helped plan and execute last week’s global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from banks, businesses and consumers worldwide.

Gameover infections on June 4, 2014. Source: Shadowserver.org

Neither expert I spoke with wished to be identified for this story, citing a lack of permission from their employers and a desire to remain off the radar of the crooks inconvenienced by the action. For obvious reasons, they were also reluctant to share details about the exact weaknesses that were used to hijack the botnet, focusing instead on the planning and and preparation that went into this effort.

GAMEOVER ZEUS PRIMER

A quick review of how Gameover works should help readers get more out of the interview. In traditional botnets, infected PCs report home to and are controlled by a central server. But this architecture leaves such botnets vulnerable to disruption or takeover if authorities or security experts can gain access to the control server.

Gameover, on the other hand, is a peer-to-peer (P2P) botnet designed as a collection of small networks that are distinct but linked up in a decentralized fashion. The individual Gameover-infected PCs are known as “peers.” Above the peers are a select number of slightly more powerful and important infected systems that are assigned roles as “proxy nodes,” meaning they were selected from the peers to serve as relay points for commands coming from the Gameover botnet operators and as conduits for encrypted data stolen from the infected systems.

The basic network structure of the Gameover botnet. Source: FBI

The Gameover botnet code also includes a failsafe mechanism that can be invoked if the botnet’s P2P communications system fails, whether the failure is the result of a faulty malware update or because of a takedown effort by researchers/law enforcement. That failsafe is a domain generation algorithm (DGA) component that generates a list of 1,000 domain names each week (gibberish domains that are essentially long jumbles of letters) combined with one of six top-level domains; .com, .net, .org, .biz, .info and .ru. In the event the infected Gameover systems can’t get new instructions from their peers, the code instructs the botted systems to seek out domains from the latest list of 1,000 domains generated by the DGA until it finds a site with new instructions.

HUNDREDS OF ‘WEB INJECTS’

The Gameover malware was designed specifically to defeat two-factor authentication used by many banks. It did so using a huge collection of custom-made scripts known as “Web injects” that can inject custom content into a Web browser when the victim browses to certain sites — such as a specific bank’s login page. Web injects also are used to prompt the victim to enter additional personal information when they log in to a trusted site. An example of this type of Web inject can be seen in the video below, which shows an inject designed for Citibank customers. Continue reading →

They Hack Because They Can

June 5, 2014

87 Comments

The Internet of Things is coming….to a highway sign near you? In the latest reminder that much of our nation’s “critical infrastructure” is held together with the Internet equivalent of spit and glue, authorities in several U.S. states are reporting that a hacker has once again broken into and defaced electronic road signs over highways in several U.S. states.

Image: WNCN.

Earlier this week, news media in North Carolina reported that at least three highway signs there had apparently been compromised and re-worded to read “Hack by Sun Hacker.” Similar incidents were reported between May 27 and June 2, 2014 in two other states, which spotted variations on that message left by the perpetrator, (including an invitation to chat with him on Twitter).

The attack was reminiscent of a series of incidents beginning two years ago in which various electronic message signs were changed to read “Warning, Zombies Ahead”.

While at least those attacks were chuckle-worthy, messing with traffic signs is no laughing matter: As a report by the Multi-State Information Sharing and Analysis Center (MS-ISAC) points out, changes to road signs create a public safety issue because instead of directing drivers through road hazards, they often result in drivers slowing or stopping to view the signs or take pictures.

That same MS-ISAC notice, obtained by KrebsOnSecurity and published here (PDF), points out that these incidents appear to be encouraged by sloppy security on the part of those responsible for maintaining these signs.

“Investigators in one state believe the compromise may be in part due to the use of weak Simple Network Management Protocol (SNMP) community strings. Investigators in another state believe the malicious actor used Telnet port 23 and a simple password cracker to gain remote access. In one state the malicious actor changed the modem passwords, forcing technicians to restore to factory default settings to regain access.”

Continue reading →

Peek Inside a Professional Carding Shop

June 4, 2014

88 Comments

Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs.

The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. Featuring the familiar golden arches and the bastardized logo, “i’m swipin’ it,” the site’s mascot is a gangstered-up Ronald McDonald pointing a handgun at the viewer.

Nevermind that this shop is violating a ridiculous number of McDonald’s trademarks in one fell swoop: It’s currently selling cards stolen from data breaches at main street stores in nearly every U.S. state.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

This was a major innovation that we saw prominently on display in the card shop that was principally responsible for selling cards stolen in the Target and Sally Beauty retail breaches: In those cases, buyers were offered the ability to search for cards by the city, state and ZIP of the Target and Sally Beauty stores from which those cards were stolen. Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.

The slideshow may make more sense if readers familiarize themselves with a few terms and phrases that show up in the text:

Continue reading →

Last »