Krebs on Security

Feds Infiltrate, Bust Counterfeit Card Shop

January 24, 2014

Federal authorities in New Jersey announced a series of arrests and indictments of 14 individuals thought to be connected to an online one-stop shop selling embossed, counterfeit credit cards and holographic overlays.

According to documents released by prosecutors in New Jersey and North Carolina, the men ran or otherwise profited from the Web site fakeplastic[dot]net, which specializes in selling high-quality, custom-made counterfeit credit and debit cards, as well as holographic overlays used to create fake driver’s licenses.

A customer’s purchases from fakeplastic[dot]net, which federal authorities secretly seized on Dec. 5, 2013.

The FBI and the U.S. Postal Investigative Service began investigating fakeplastic[dot]net in January 2013. Charged with running the site is 39-year-old Sean Roberson of Palm Bay, Fla. Investigators allege that Roberson began selling counterfeit cards in April 2011, and launched the site in June 2012. Since then, Roberson and two accomplices fulfilled orders for approximately 69,000 counterfeit cards — both embossed and unembossed; more than 35,000 holographic stickers used to make counterfeit cards appear more legitimate; and more than 30,000 state identification card holographic overlays. All of the orders — 36,000 parcels in total — were shipped by the site to customers via the U.S. mail.

Using a conservative estimate of loss of $500 associated with each counterfeit payment card (derived from the federal sentencing guidelines estimation of loss associated with stolen payment card information), prosecutors estimate the losses associated with just the counterfeit payment cards trafficked by Roberson and his conspirators at more than $34.5 million. The complaint against Roberson alleges that he personally made more than $1.7 million from the scheme.

According to the Justice Department, fakeplastic[dot]net was used by various groups of criminals across the country often referred to as “carding” or “cash out” crews. These crews buy stolen payment card numbers and related information – referred to as “track data” or “dumps” – which typically appear on the magnetic stripe on the back of legitimate payment cards. Illegal vendors of that information usually get it through hacking or skimming operations involving the installation of specialized equipment at ATM locations or point-of-sale terminals. The stolen data is ultimately put on a blank card and used to make unauthorized transactions.

“More sophisticated cash out operations use custom-made counterfeit payment cards embossed with the same account numbers that have been encoded on the back of the card, and often acquire fake identification cards in order to reduce the likelihood of detection from law enforcement,” reads a press release issued Thursday by New Jersey U.S. Attorney Paul J. Fishman and U.S. Attorney Anne M. Tompkins for the Western District of North Carolina. “The criminal underground has evolved from fractured, regional operations to an Internet-based market where buyers and sellers across the globe can advertise, purchase and transmit stolen track data. The fakeplastic website brought the physical tools needed by cash out operations to the world of e-commerce, as it eliminated the need for crews to purchase expensive hardware.”

The Justice Department says that by December 2013 — when federal agents quietly assumed control over fakeplastic[dot]net, the site had more than 400 members. Members with access to the fakeplastic website and seeking to purchase counterfeit payment cards could browse the website’s available counterfeit card templates. Members could then choose whether to input specific information to be embossed on the cards and whether they wanted additional authentication features – such as holographic stickers.

OPSEC IS HARD; LET’S GO TO DOLLYWOOD!

As is the case with many an online scam operation, the whole thing falls apart when key members fail to exercise proper operational and personal security habits. After assuming control over the card shop, federal agents made purchases through the site to learn more about the service’s shipping methods. According to charging documents, investigators confirmed that the Fakeplastic Click-N-Ship account used to generate the tracking number associated with the undercover purchases was registered to a “Sam Adams,” with a mailing address for a university in Florida, and that the email address associated with this account was budlighthouse@gmail.com (the “Budlighthouse Gmail Account”).

After obtaining a warrant to inspect that Gmail account, federal investigators discovered that all of the Web site’s order emails were sent to this address and to the address platplus@tormail.net. Tormail is a hidden service on the Tor darkweb network that allows users to send and receive email anonymously to addresses inside and outside of Tor, an anonymity network that is not reachable from the regular Internet and requires the use of special software to reach.

Interestingly, the feds used information gleaned from an incident last summer in which federal agents compromised TorMail as part of an investigation into a child pornography network. To wit:

Between July 22, 2013 and August 2, 2013, in connection with an unrelated criminal investigation, the FBI obtained a copy of a computer server located in France via a Mutual Legal Assistance Treaty request to France, which contained data and information from the Tormail email server, including the content of Tormail e-mail accounts. On or about September 24, 2013, law enforcement obtained a search warrant to search the contents of the Platplus Tormail Account, which resided on the seized Tormail server.

Continue reading →

Bug Exposes IP Cameras, Baby Monitors

January 23, 2014

42 Comments

A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device’s Internet address to view live and recorded video footage, KrebsOnSecurity has learned.

The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password. Reached via email, the company’s tech support division confirmed that the bug exists in MJPEG cameras running .54 version of the company’s firmware.

Foscam said it expects to ship an updated version of the firmware (Ver. 55) that fixes the bug by Jan. 25. The new firmware will be published on the company’s website. According to Foscam, the problem affects the following models: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, and FI8919W. Foscam users can determine if their camera is affected by following the instructions here.

Continue reading →

Gang Rigged Pumps With Bluetooth Skimmers

January 22, 2014

75 Comments

Authorities in New York on Tuesday announced the indictment of thirteen men accused of running a multi-million dollar fraud ring that allegedly installed Bluetooth-enabled wireless gas pump skimmers at filling stations throughout the southern United States.

According to documents released by Manhattan District Attorney Cyrus R. Vance, Jr., the accused stole more than $2.1 million in the scheme. Investigators say the men somehow gained access to pumps at Raceway and Racetrac gas stations throughout Georgia, South Carolina and Texas and installed skimming devices like the one pictured below.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up. Image: Manhattan DA.

These devices connect directly to the pump’s power supply, and include a Bluetooth chip that enables thieves to retrieve the stolen data wirelessly — just by pulling up to the pump and opening up a laptop. The defendants allegedly then encoded the stolen card data onto counterfeit cards, and armed with stolen PINs withdrew funds from victim accounts at ATMs. The defendants then allegedly deposited the funds into accounts in New York that they controlled, after which co-conspirators in California and Nevada would withdraw the cash in sub-$10,000 increments to avoid triggering anti-money laundering reporting requirements by the banks.

Skimmer pulled off a compromised pump in California.

This blog has featured several stories about gas-pump skimmers that were Bluetooth enabled. What’s remarkable is how common these attacks have become (Google News and Twitter are full of local news reports of apparent gas pump skimmer attacks, like this one at a Pilot station in Tennessee last week).

Last year, I received some information from a police officer in California who is tasked with chronicling many of these incidents (this seems to have become something of a full-time job for him). He sent me some pictures of a few several more common gas pump skimmers that show up at filling stations in his state, including the devices show above right and below left.

Continue reading →

DHS Alerts Contractors to Bank Data Theft

January 21, 2014

21 Comments

A security breach at a Web portal for the U.S. Department of Homeland Security has exposed private documents and some financial information belonging to at least 114 organizations that bid on a contract at the agency last year.

“This letter is to inform you that your company’s bank account information may have been improperly accessed because of this incident,” reads a letter sent to affected organizations earlier this month by DHS privacy officer Christopher Lee. “The incident appears to have occurred sometime over the prior four months.”

The letter was sent to organizations that bid on a 2013 contract to help DHS’s Science & Technology division develop new communications technologies for first responders. According to DHS, the documents were downloaded from a department Web portal by unauthorized persons outside of the agency, although it hasn’t yet determined the cause or source of that access.

Continue reading →

The Adventures of a Cybercrime Gumshoe

January 18, 2014

54 Comments

I was fortunate to spend several hours this past week with two reporters whose work I admire. Both wanted to learn more about my job as an independent investigative reporter. Their stories about my story are below.

Mark Stencel, a former colleague at Washingtonpost.com who similarly worked his way up from an entry-level job at the publication, wanted to hear about the challenges and rewards of going solo. Stencel’s piece, Reporter Brian Krebs Hacks it on His Own, One Scoop at a time, was written for poynter.org, an online publication for and about journalists.

Stencel writes:

“All of this reporting pays off with loyal readers, even at companies who fear finding themselves covered on his site. “As someone who does payment card security for a brick and mortar retailer, ‘Brian Krebs’ is a name I never ever want to see flash across my Caller ID,” one admirer wrote in a recent reader comment.”

Separately, I spent half a day with with Business Week reporter Karen Weise, whose profile, The Cybersecurity Blogger Hackers Love to Hate, appears in this coming week’s print edition. Weise observes:

“Krebs’s talent for exposing the weaknesses in online security has earned him respect in the IT business and loathing among cybercriminals. His track record of scoops, including the Dec. 18 revelation that hackers stole tens of millions of customers’ financial data from Target (TGT), has helped him become the rare blogger who supports himself on the strength of his reputation for hard-nosed reporting.”

My favorite part of both these stories are the observations from readers. For instance, Weise quoted Lance James, head of intelligence at Deloitte, with whom I co-presented last year at the Black Hat conference in Las Vegas.

“No intelligence agency could get as much as Brian Krebs does,” BW quotes James as saying. “Everybody wants to share with him.”

Fortunately, that’s very true: Key information that informs some of my best scoops is just as likely to come from people actively engaged in cybercrime as it is industry experts working to fight fraud. So, once again, a sincere thank you to all of my readers — lovers and haters alike.

A Closer Look at the Target Malware, Part II

January 16, 2014

145 Comments

Yesterday’s story about the point-of-sale malware used in the Target attack has prompted a flood of analysis and reporting from antivirus and security vendors about related malware. Buried within those reports are some interesting details that speak to possible actors involved and to the timing and discovery of this breach.

As is the case with many data breaches, the attackers in this attack used a virtual toolbox of crimeware to get the job done. As I noted in a Tweet shortly after filing my story Wednesday, at least one of those malware samples includes the text string “Rescator.” Loyal readers of this blog will probably find this name familiar. That’s because Rescator was the subject of a blog post that I published on Dec. 24, 2013, titled “Who is Selling Cards from Target?“.

In that post, I examined a network of underground cybercrime shops that were selling almost exclusively credit and debit card accounts stolen from Target stores. I showed how those underground stores all traced back to a miscreant who uses the nickname Rescator, and how clues about Rescator’s real-life identity suggested he might be a particular young man in Odessa, Ukraine.

This afternoon, McAfee published a blog post confirming many of the findings in my story yesterday, including that two malware uploaders used in connection with the Target attack contained the Rescator string:

“z:\Projects\Rescator\uploader\Debug\scheck.pdb”.

A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom.

Earlier this morning, Seculert posted an analysis that confirmed my reporting that the thieves used a central server within Target to aggregate the data hoovered up by the point-of-sale malware installed at Target. According to Seculert, the attack consisted of two stages.

“First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.”

Continue reading →

A First Look at the Target Intrusion, Malware

January 15, 2014

202 Comments

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

The seller of the point-of-sale “memory dump” malware allegedly used in the Target attack.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.

This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants.

Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

‘BLACK POS’

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache (Update, Jan. 16, 9:29 a.m.: Sometime after this story ran, Google removed the cached ThreatExpert report; I’ve uploaded a PDF version of it here).

According to sources, “ttcopscli3acs” is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the malware used to upload stolen data data was “Best1_user”; the password was “BackupU$r”

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis –“POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.

That source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.

Continue reading →

Security Updates for Windows, Java, Flash & Reader

January 14, 2014

45 Comments

Adobe, Microsoft and Oracle today each issued security updates to fix serious vulnerabilities in their products. Adobe released patches for AIR, Acrobat, Flash and Reader, while Microsoft pushed out fixes to shore up at least a half dozen security weaknesses in Windows and Office. Oracle released an update for Java that fixes at least three dozen security holes in the widely-used program.

All of the vulnerabilities that Microsoft fixed this month earned “important” ratings; not quite as dire as those labeled “critical,” which involve flaws so dangerous that they can be exploited by bad guys or malware to break into systems with no user interaction. Nevertheless, flaws marked “important” can be quite dangerous, particularly when used in tandem with other attack techniques.

By way of illustration, this month’s MS14-002 patch addresses an important zero-day flaw that was first found to be exploited in targeted attacks late last year. In one version of this attack, documented quite nicely in this fascinating yet somewhat technical writeup from Trustwave Spiderlabs, attackers used this Windows flaw in combination with a bug in Adobe Reader. According to Trustwave, the bad guys in that attack included the Windows flaw as a means of bypassing Adobe Reader’s security sandbox, a technology designed ensure that any malicious code embedded in documents only runs under limited privileges (i.e., isn’t allowed to invoke other programs or alter core system settings).

In short, don’t put off applying this month’s patches from Microsoft. They are available via Windows Update or Automatic Update. Also, Microsoft took this opportunity to remind Windows XP users that the company will no longer be supporting Windows XP after April 2014 (guess I will have to retire the above broken Windows graphic as well). The lack of ongoing security updates for XP means it will likely become an even bigger target for attackers; if you rely on XP, please consider transitioning to a newer operating system sometime soon. Who knows, it might be a great excuse to try Linux, which tends to be very light on resources and ideal for older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

Continue reading →

Hackers Steal Card Data from Neiman Marcus

January 10, 2014

126 Comments

Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.

Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.

Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.

Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach.

The entirety of the company’s formal statement is as follows:

“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”

The disclosure comes as many in the retail sector are seeking more information about the causes of the breach at nationwide retail giant Target, which extended from around Thanksgiving 2013 to Dec. 15, and affected some 40 million customer debit and credit cards.

Continue reading →

Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen

January 10, 2014

190 Comments

Nationwide retail giant Target today disclosed that a data breach discovered last month exposed the names, mailing addresses, phone number and email addresses for up to 70 million individuals.

The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stolen approximately 40 million customer debit and credit card records.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning. “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Target said much of the data is partial in nature, but that in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams. The retail giant was quick to note that its email communications would not ask customers to provide any personal information as part of that communication.

Target Chairman Gregg Steinhafel apologized for any inconvenience that the breach may have caused customers, and said he wanted customers to know that “understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Nevertheless, the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.

Continue reading →

Last »