These Guys Battled BlackPOS at a Retailer

February 4, 2014

Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target’s cash registers.

BLACKPOS copyRecently, I spoke at length with  Tom Arnold and Paul Guthrie, co-founders of PSC, a security firm that consults for businesses on payment security and compliance. In early 2013, these two experts worked directly on a retail data breach that involved a version of BlackPOS. They agreed to talk about their knowledge of this malware, and how the attackers worked to defeat the security of the retail client (not named in this story).

While some of this discussion may be geektacular at times (what I affectionately like to call “Geek Factor 5”), there’s something in here for everyone. Their observations about the methods and approaches used in this attack point to an adversary that is skilled, organized, patient and thorough.

So you first saw BlackPOS at a retailer in early January 2013?

Tom: Yes, it did seem like a game changer at that point because of the way it hooked into the POS system. By that I mean the fact that it hooks into the POS process, and it’s not just a general memory scraper like some people have stated.

Help me understand the distinction between a memory scraper and malware that runs completely in memory?

Tom: Well, it’s very specific. It’s what’s called an inter-process communications hook. If you look at a memory scraper — so if you were to dump the memory on your laptop right now — you would get this big old blob of information and you would have to filter through it to find what you’re looking for. But this [malware] is very specific: It’s very much designed for the POS system it’s running on, because it knows exactly where to hook and where the memory location is going to be when the data it’s looking for is flowing through it. But if you look at what it captures, it captures only the track data [information stored on the magnetic strip on the backs of cards]. So, it’s actually very, very sophisticated and that’s why I think this isn’t just a teenage hacker who put this together in his basement. I think this is a more sophisticated development effort. [HP last week published some interesting, uber-geeky details about the memory behavior of the version of BlackPOS found at Target].

Paul:  It certainly hooks into a specific process, but we did not figure out if it was just good at scraping the memory of that process, or whether it actually altered the process to hook into the code somehow.  That part of the code was obfuscated and not reviewed during the engagement.

What did you think of the iSight paper?

Tom: The iSight paper was good, and what it described was very similar to what we saw in the first variants of BlackPOS. But it didn’t talk about how it appeared on the network or where it came from or how a retailer might defend themselves against it.

In your prior experience with BlackPOS, has it been used against the same POS that Target uses? A source who seemed to have a clue told me that their setup was somewhat homegrown.

Tom: That I don’t know.  I haven’t really looked at what Target uses. With a homegrown system, the problem is if you’re going to build a process hook, you have to have a test environment, you have to know what you’re looking at and what memory addresses to go after, and that’s not exactly something that gets published.

Paul: Target has a homegrown POS.

So you think it’s likely they were using some off-the-shelf equipment and software? Wouldn’t it be enough for the attackers in this case to have obtained a physical point of sale device that was once used at Target?

Tom: If they have one, sure, that would be different. I don’t know if they’re using a commercial product. A lot of the big retailers use commercial products and will customize those with their back end system. But at the front end and what happens at front of the house…a lot of those are just retail off-the-shelf applications. A lot of those retailers, when you have a hard disk that breaks on one of the [checkout] lanes, they’ve got an outsourced service provider of that POS that comes out there with a new hard disk and fixes it.

How do the bad guys break in, and how do they actually get the malware pushed out to the point-of-sale?

Tom:  A lot of the POS systems use whitelisting software of some kind, such as Bit9 or SolidCore. Those two companies are the two you see most out there in the industry.

Paul: It could also come in through the point-of-sale application update process.

By whitelisting, you mean sort of the opposite approach of antivirus, right? As in, if the file or program isn’t approved by the whitelisting software, it simply won’t run on the system?

Tom: The software update processes at a point-of-sale that is running one of those [whitelisting applications] has to come through one of the software update channels and has to be reviewed for the update and approved. And when it’s approved, the whitelisting software says okay this patch is approved to come online.

It’s probably a good idea at this point to make sure we’re defining the terminology in a uniform way. When you think of point-of-sale device, are you talking about the cash register, or the card swipe terminal, or…

Tom: I’m using point-of-sale to mean the payment application that is running on the cash register. The vast majority of those devices, when you check out at the grocery store or large retailer, those are just PCs, and yes they’re mostly running Windows XP or WEPOS as their operating system. But above that, you have what I call the point-of-sale, or the point-of-sale application, and that’s the stuff that the cashier is interfacing with at the time you’re checking out. It’s a software application, running as multiple pieces of software inside the register itself. And whitelisting is put on to protect the register from any sort of unsolicited modification. A lot of the attacks before this [whitelisting became more broadly used] involved where you corrupt a sales clerk to put a USB stick in the cash register and infect the PC with some malware. But by using a whitelisting software, the USB stick will not work and the operations personnel back in the head office will get notified that something isn’t right with that register.

If they get past a whitelisting system, doesn’t that suggest that someone on the inside would have to be involved?

Tom: No, not really. You have to also consider the distribution server that distributes the point-of-sale software.

Paul: Right… three possible ways… it could come through a legitimate update channel, or the retailer was lax in their update procedures, or the attackers hacked the console of the whitelisting software and just whitelisted it themselves.  

Continue reading

File Your Taxes Before the Fraudsters Do

February 3, 2014

Jan. 31 marked the start of the 2014 tax filing season, and if you haven’t yet started working on your returns, here’s another reason to get motivated: Tax fraudsters and identity thieves may very well beat you to it.

According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

There are countless shops in the cybercrime underground selling data that is especially useful for scammers engaged in tax return fraud. Typically, these shops will identify their wares as “fullz,” which include a consumer’s first name, last name, middle name, email address (and in some cases email password) physical address, phone number, date of birth, and Social Security number.

This fraud shop caters to thieves involved in tax return fraud.

This underground shop sells consumer identity data, catering to tax return fraud.

The shop pictured above, for example, caters to tax fraudsters, as evidenced by its advice to customers of the service, which can be used to find information that might help scammers establish lines of credit (PayPal accounts, credit cards) in someone else’s name:

“You can use on paypal credit, prepaid cards etc. After buying try to search by address and u can see children, wife and all people at this address,” the fraud shop explains, advising customers on ways to find the names and additional information on the taxpayer’s children (because more dependents mean greater tax deductions and higher refunds): “It’s great for tax return method, because u can get $$$ for ‘your’ children.”

Continue reading

Advertisement

Hotel Franchise Firm White Lodging Investigates Breach

January 31, 2014

White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.

whitelodgingEarlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those sames sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.

Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporationwhich bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.

White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”

Update: Feb. 7, 9:32 a.m. ET: White Lodging has issued a statement acknowledging a breach at 14 hotels, including Marriott, Starwood, Intercontinental and other brands. Also, NBC is reporting that White Lodging knew about this breach two weeks before this breaking story was first published.

Original story:

Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:

“They are in the midst of the investigation and are in close contact with the banks and credit cards companies.  We are working closely with the franchisee as they investigate the matter.  Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.  As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”

Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.

Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

Continue reading

New Clues in the Target Breach

January 29, 2014

An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

As I noted in  Jan. 15’s story — A First Look at the Target Intrusion, Malware — the attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.

According to sources, "ttcopscli3acs" is the name of the Windows share point used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r"

“ttcopscli3acs” is the name of the Windows share used by the POS malware planted at Target stores; the username that malware used to upload stolen card data was “Best1_user”; the password was “BackupU$r”

That analysis looked at a malware component used in Target breach that was uploaded to Symantec’s ThreatExpert scanning service on Dec. 18 but which was later deleted (a local PDF copy of it is here). The ThreatExpert writeup suggests that the malware was responsible for moving stolen data from the compromised cash registers to that shared central repository, which had the internal address of 10.116.240.31. The “ttcopscli3acs” bit is the Windows domain name used on Target’s network. The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the image above.

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base BMC Software — includes administrator-level user account called “Best1_user.”

This knowledge base article (PDF) published by BMC explains the Best1_user account is installed by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”

“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt. Here’s my favorite part:

Perform Technical Support does not have the password to this account and this password has not be released by Perform Development. Knowing the password to the account should not be important as you cannot log into the machine using this account. The password is known internally and used internally by the Perform agent to assume the identity of the “Best1_user” account.”

I pinged BMC to find out if perhaps the password supplied in the Target malware (BackupU$r) is in fact the secret password for the Best1_user account. The company has so far remained silent on this question.

This was the hunch put forward by the Counter Threat Unit (CTU) of Dell SecureWorks in an analysis that was privately released to some of the company’s clients this week.

Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.

Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.

“Attackers exfiltrate data by creating a mount point for a remote file share and copying the data stored by the memory-scraping component to that share,” the SecureWorks paper notes. “In the previous listing showing the data’s move to an internal server, 10.116.240.31 is the intermediate server selected by attackers, and CTU researchers believe the “ttcopscli3acs” string is the Windows domain name used on Target’s network. The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network.

According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite. BMC spokeswoman Ann Duhon said that the attackers were simply invoking BMC’s trademark to make the malicious program appear legitimate to the casual observer, but it seems likely that at least some BMC software was running inside of Target’s network, and that the attackers were well aware of it.

Update Jan. 30, 5:48 p.m.: BMC just issued the following statement:

There have been several articles in the press speculating about the Target breach.  BMC Software has received no information from Target or the investigators regarding the breach. In some of those articles, BMC products were mentioned in two different ways.

The first was a mention of a “bladelogic.exe” reference in the attack.   The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software.  McAfee has issued a security advisory stating that: “The reference to “bladelogic” is a method of obfuscation.  The malware does not compromise, or integrate with, any BMC products in any way.

The second reference was to a password that was possibly utilized as part of the attack, with the implication that it was a BMC password.  BMC has confirmed that the password mentioned in the press is not a BMC-generated password.

At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack.

Malware is a problem for all IT environments. BMC asks all of our customers to be diligent in ensuring that their environments are secure and protected.

I parse their statement to mean that the “BackupU$r” password referenced in the Target malware is not their software’s secret password. But nothing in the statement seems to rule out the possibility that the attackers leveraged a domain user account installed by BMC software to help exfiltrate card data from Target’s network.

Original story:

According to a trusted source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.

A copy of the SecureWorks report is here (PDF). It contains some fairly detailed analysis of this and other portions of the malware used in the Target intrusion. What it states up front that it does not have — and what we still have not heard from Target — is how the attackers broke in to begin with….

Continue reading

Feds to Charge Alleged SpyEye Trojan Author

January 28, 2014

Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers.

The Justice Department alleges that 24-year-old Aleksander Panin was responsible for SpyEye. Image courtesy: RT.

24-year-old Aleksander Panin is thought to be responsible for SpyEye. Image courtesy: RT.

According to sources, the U.S. Justice Department is charging Aleksander Panin of Tver, Russia with being part of a gang that robbed banks via the Internet. He was reportedly arrested in the Dominican Republic in June 2013.

Update, 4:34 p.m. ET: Panin just pleaded to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of SpyEye, according to a press release from U.S. Attorney Sally Quillian Yates.

The government alleges that Panin sold SpyEye to at least 150 “clients,” one of whom is reported to have made more than $3.2 million in a six month period using the virus. The Justice Department further states that the investigation also has led to the arrests by international authorities of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

Panin’s attorney Arkady Bukh said his client is facing up to 30 years in prison. “We are happy with the plea,” Bukh said. “It will greatly limit the client’s exposure in this case at the time of sentencing.”

Original story:

It’s not clear why Panin was in the Dominican Republic, which has strong relations with the United States. According to Wikipedia, the Dominican Republic has worked closely with U.S. law enforcement officials on issues such as the extradition of fugitives. According to Russian news station RT, Panin was high on Interpol’s “red list,” wanted for embezzlement through Internet banking scams totaling USD $5 million.

Panin’s arrest and subsequent extradition to Atlanta, Georgia caused a minor diplomatic dust-up in July 2013, when news of his arrest first came to light in Moscow. “Of course, we are seriously concerned about the fact that it again concerns the arrest of a Russian citizen with a US warrant in a third country,” said Russian Foreign Ministry Information and Press Department Deputy Director Maria Zakharova, in a television interview aired by RT. “We think the fact that such practices are becoming a vicious tendency is absolutely unacceptable and inadmissible.”

A SpyEye version from 2011.

A SpyEye version from 2011.

The arrest caps a dramatic rise and fall of a crimeware package that evolved as a major headache for security professionals, and for Microsoft in particular. In March 2012, Microsoft executed a carefully-planned takedown of dozens of botnets powered by SpyEye and ZeuS — a competing botnet creation kit that was later briefly subsumed by SpyEye.

As part of that effort, Microsoft published email addresses and other information on the alleged SpyEye author, who went by the nicknames “Gribodemon” and “Harderman.” At the time, the software giant identified the alleged author only as an unknown “John Doe.”

Continue reading

Sources: Card Breach at Michaels Stores

January 25, 2014

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

michaelsOn Friday morning, I put a call in to SPM Communications, the public relations company listed as the press contact on michaels.com. After explaining why I was calling, I was referred to a Michael Fox of ICR Inc. When asked what line of business ICR was in, the SPM representative replied that it was a crisis communications firm. Mr. Fox replied via email that he would inquire with Michaels, but so far the company has declined to comment.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

The statement continues:

“The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.”

“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”

Their full statement is here (PDF).

Original story:

Sources with four different financial institutions have over the past few days said hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.

On Friday, KrebsOnSecurity heard from a fraud analyst at a large credit card processor that was seeing fraud on hundreds of cards over the previous two days that all been recently used at Michaels. The fraudulent purchases on those cards, the source said, took place at the usual big box stores like BestBuy and Target.

“What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within past week or two there was a lot of activity talking about Aaron Brothers,” said the source, who asked to remain anonymous because he was not authorized to speak to the media. “One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”

Assuming my sources are correct and Michaels did have some kind of breach involving payment cards, this would not be the first time. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

It remains unclear what type of compromise may have prompted several banks to identity Michaels as the breached entity. But recent breaches at Target and Neiman Marcus both involved highly sophisticated malicious software that stole credit and debit card information from point-0f-sale registers at those stores. Target has said the breach may have affected more than 40 million customer credit and debit cards, and name, address, email address and phone numbers for at least 70 million customers. Earlier this week, Neiman Marcus revealed that the breach at its stores extended from July 16, 2013 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.

According to Fox, ICR Inc. was brought in by Michaels to handle the retailer’s planned transition to a public company. Last month, the company filed paperwork for a potential public offering of its common stock. According to those filings, Michaels generated revenue of $4.41 billion in 2012. Michaels has said the timing, number of shares to be sold and the price range for the proposed offering have not yet been determined.

Feds Infiltrate, Bust Counterfeit Card Shop

January 24, 2014

Federal authorities in New Jersey announced a series of arrests and indictments of 14 individuals thought to be connected to an online one-stop shop selling embossed, counterfeit credit cards and holographic overlays.

According to documents released by prosecutors in New Jersey and North Carolina, the men ran or otherwise profited from the Web site fakeplastic[dot]net, which specializes in selling high-quality, custom-made counterfeit credit and debit cards, as well as holographic overlays used to create fake driver’s licenses.

A customer's purchases from fakeplastic[dot]net, which federal authorities secretly seized on Dec. 5, 2013.

A customer’s purchases from fakeplastic[dot]net, which federal authorities secretly seized on Dec. 5, 2013.

The FBI and the U.S. Postal Investigative Service began investigating fakeplastic[dot]net in January 2013. Charged with running the site is 39-year-old Sean Roberson of Palm Bay, Fla. Investigators allege that Roberson began selling counterfeit cards in April 2011, and launched the site in June 2012. Since then, Roberson and two accomplices fulfilled orders for approximately 69,000 counterfeit cards — both embossed and unembossed; more than 35,000 holographic stickers used to make counterfeit cards appear more legitimate; and more than 30,000 state identification card holographic overlays. All of the orders — 36,000 parcels in total — were shipped by the site to customers via the U.S. mail.

Using a conservative estimate of loss of $500 associated with each counterfeit payment card (derived from the federal sentencing guidelines estimation of loss associated with stolen payment card information), prosecutors estimate the losses associated with just the counterfeit payment cards trafficked by Roberson and his conspirators at more than $34.5 million. The complaint against Roberson alleges that he personally made more than $1.7 million from the scheme.

According to the Justice Department, fakeplastic[dot]net was used by various groups of criminals across the country often referred to as “carding” or “cash out” crews. These crews buy stolen payment card numbers and related information – referred to as “track data” or “dumps” – which typically appear on the magnetic stripe on the back of legitimate payment cards. Illegal vendors of that information usually get it through hacking or skimming operations involving the installation of specialized equipment at ATM locations or point-of-sale terminals. The stolen data is ultimately put on a blank card and used to make unauthorized transactions.

trackpackage

“More sophisticated cash out operations use custom-made counterfeit payment cards embossed with the same account numbers that have been encoded on the back of the card, and often acquire fake identification cards in order to reduce the likelihood of detection from law enforcement,” reads a press release issued Thursday by New Jersey U.S. Attorney Paul J. Fishman and U.S. Attorney Anne M. Tompkins for the Western District of North Carolina. “The criminal underground has evolved from fractured, regional operations to an Internet-based market where buyers and sellers across the globe can advertise, purchase and transmit stolen track data. The fakeplastic website brought the physical tools needed by cash out operations to the world of e-commerce, as it eliminated the need for crews to purchase expensive hardware.”

The Justice Department says that by December 2013 — when federal agents quietly assumed control over fakeplastic[dot]net, the site had more than 400 members. Members with access to the fakeplastic website and seeking to purchase counterfeit payment cards could browse the website’s available counterfeit card templates. Members could then choose whether to input specific information to be embossed on the cards and whether they wanted additional authentication features – such as holographic stickers.

OPSEC IS HARD; LET’S GO TO DOLLYWOOD!

As is the case with many an online scam operation, the whole thing falls apart when key members fail to exercise proper operational and personal security habits. After assuming control over the card shop, federal agents made purchases through the site to learn more about the service’s shipping methods. According to charging documents, investigators confirmed that the Fakeplastic Click-N-Ship account used to generate the tracking number associated with the undercover purchases was registered to a “Sam Adams,” with a mailing address for a university in Florida, and that the email address associated with this account was budlighthouse@gmail.com (the “Budlighthouse Gmail Account”).

After obtaining a warrant to inspect that Gmail account, federal investigators discovered that all of the Web site’s order emails were sent to this address and to the address platplus@tormail.net. Tormail is a hidden service on the Tor darkweb network that allows users to send and receive email anonymously to addresses inside and outside of Tor, an anonymity network that is not reachable from the regular Internet and requires the use of special software to reach.

Interestingly, the feds used information gleaned from an incident last summer in which federal agents compromised TorMail as part of an investigation into a child pornography network. To wit:

Between July 22, 2013 and August 2, 2013, in connection with an unrelated criminal investigation, the FBI obtained a copy of a computer server located in France via a Mutual Legal Assistance Treaty request to France, which contained data and information from the Tormail email server, including the content of Tormail e-mail accounts. On or about September 24, 2013, law enforcement obtained a search warrant to search the contents of the Platplus Tormail Account, which resided on the seized Tormail server.

Continue reading

Bug Exposes IP Cameras, Baby Monitors

January 23, 2014

A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device’s Internet address to view live and recorded video footage, KrebsOnSecurity has learned.

foscamThe issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password. Reached via email, the company’s tech support division confirmed that the bug exists in MJPEG cameras running .54 version of the company’s firmware.

Foscam said it expects to ship an updated version of the firmware (Ver. 55) that fixes the bug by Jan. 25. The new firmware will be published on the company’s website. According to Foscam, the problem affects the following models: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, and FI8919W. Foscam users can determine if their camera is affected by following the instructions here.

Continue reading

Gang Rigged Pumps With Bluetooth Skimmers

January 22, 2014

Authorities in New York on Tuesday announced the indictment of thirteen men accused of running a multi-million dollar fraud ring that allegedly installed Bluetooth-enabled wireless gas pump skimmers at filling stations throughout the southern United States.

According to documents released by Manhattan District Attorney Cyrus R. Vance, Jr., the accused stole more than $2.1 million in the scheme. Investigators say the men somehow gained access to pumps at Raceway and Racetrac gas stations throughout Georgia, South Carolina and Texas and installed skimming devices like the one pictured below.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up. Image: Manhattan DA.

These devices connect directly to the pump’s power supply, and include a Bluetooth chip that enables thieves to retrieve the stolen data wirelessly — just by pulling up to the pump and opening up a laptop. The defendants allegedly then encoded the stolen card data onto counterfeit cards, and armed with stolen PINs withdrew funds from victim accounts at ATMs. The defendants then allegedly deposited the funds into accounts in New York that they controlled, after which co-conspirators in California and Nevada would withdraw the cash in sub-$10,000 increments to avoid triggering anti-money laundering reporting requirements by the banks.

Skimmer pulled off a compromised pump in California.

Skimmer pulled off a compromised pump in California.

This blog has featured several stories about gas-pump skimmers that were Bluetooth enabled. What’s remarkable is how common these attacks have become (Google News and Twitter are full of local news reports of apparent gas pump skimmer attacks, like this one at a Pilot station in Tennessee last week).

Last year, I received some information from a police officer in California who is tasked with chronicling many of these incidents (this seems to have become something of a full-time job for him). He sent me some pictures of a few several more common gas pump skimmers that show up at filling stations in his state, including the devices show above right and below left.

Continue reading

DHS Alerts Contractors to Bank Data Theft

January 21, 2014

A security breach at a Web portal for the U.S. Department of Homeland Security has exposed private documents and some financial information belonging to at least 114 organizations that bid on a contract at the agency last year.

dhsletter“This letter is to inform you that your company’s bank account information may have been improperly accessed because of this incident,” reads a letter sent to affected organizations earlier this month by DHS privacy officer Christopher Lee. “The incident appears to have occurred sometime over the prior four months.”

The letter was sent to organizations that bid on a 2013 contract to help DHS’s Science & Technology division develop new communications technologies for first responders. According to DHS, the documents were downloaded from a department Web portal by unauthorized persons outside of the agency, although it hasn’t yet determined the cause or source of that access.

Continue reading