Posts Tagged: discover


12
Mar 14

NoMoreRack.com Probes Possible Card Breach

For the second time since Aug. 2013, online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned.

nomorerackOver the past several weeks, a number of banks have shared information with this reporter indicating that they are seeing fraud on cards that were all recently used by nomorerack.com customers. Turns out, nomorerack.com has heard this as well, and for the second time in the last seven months has called in outside investigators to check for signs of a digital break-in.

Vishal Agarwal, director of business development for the New York City-based online retailer, said the company was first approached by Discover Card back in August 2013, when the card association said it had isolated nomorerack.com as a likely point-of-compromise.

“They requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave,” Agarwal said. “Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems.”

Then, just last month, NoMoreRack heard once again from Discover, which said that between Nov. 1, 2013 and Jan. 15, 2014, the company had determined there were more incidents of fraud tied to cards that were all used at the company’s online store.

Continue reading →


8
Mar 12

Banking on Badb in the Underweb

Underground Web sites can be a useful barometer for the daily volume of criminal trade in goods like stolen credit card numbers and hijacked PayPal or eBay accounts. And if the current low prices at one of Underweb’s newer and more brazen card shops are indicative of a trend, the market for these commodities has never been more cutthroat.

Visa, Amex cards for sale at Badb.su

Badb.su is distinguishable from dozens of underground carding shops chiefly by its slick interface and tiny domain name, which borrows on the pseudonym and notoriety of the Underweb’s most recognizable carder. It’s difficult to say whether “Badb” himself would have endorsed the use of his brand for this particular venture, but it seems unlikely: The man alleged by U.S. authorities to be Badb — 29-year-old Vladislav Anatolievich Horohorin — has been in a French prison since his arrest there in 2010. Authorities believe Horohorin is one of the founding members of CarderPlanet, a site that helped move millions of stolen accounts. He remains jailed in France, fighting extradition to the United States (more about his case in an upcoming story).

Badb.su’s price list shows that purloined American Express and Discover accounts issued to Americans cost between $2.50 and $3 apiece, with MasterCard and Visa accounts commanding slightly lower prices ($2-$3). Cards of any type issued by banks in the United Kingdom or European Union fetch between $4-$7 each, while accounts from Canadian financial institutions cost between $3 to $5 a pop.

The site also sells verified PayPal and eBay accounts. Verified PayPal accounts with credit cards and bank accounts attached to them go for between 2-3$, while the same combination + access to the account holder’s email inbox increases the price by $2. PayPal accounts that are associated with bank and/or credit accounts and include a balance are sold for between 2 and 10 percent of the available balance. That rate is considerably lower than the last PayPal underground shop I reviewed, which charged 8 to 12 percent of the total compromised account balance.

Verified PayPal accounts with positive balances sell for between 2-10% of the available balance.

Ebay auction accounts are priced according to the number of positive “feedback” points that each victim account possesses (feedback is the core of eBay’s reputation system, whereby members evaluate their buying and selling experiences with other members). eBay accounts with fewer than 75 feedback history sell for $2 each, while those with higher levels of feedback command prices of $5 and higher apiece, because these accounts are more likely to be perceived as trustworthy by other eBay members.

But don’t count on paying for any of these goods with a credit card; Badb.su accepts payment only through virtual currencies such as Liberty Reserve and WebMoney.

Badb.su, like many other card shops, offers an a-la-carte, card-checking service that allows buyers to gauge the validity of stolen cards before or after purchasing them. Typically, these services will test stolen card numbers using a hijacked merchant account that initiates tiny charges or so-called pre-authorization checks against the card; if the charge or pre-auth clears, the card-checking service issues a “valid” response for the checked card number.

Continue reading →


22
Sep 10

I’ll Take 2 MasterCards and a Visa, Please

When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with innovation and cutthroat competition among vendors — is conspiring to keep prices for stolen account numbers exceptionally low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.

Don’t you just hate it, though, when online stores nickel and dime you to death? I started to get that chintzy vibe when I opened an account at rock3d.cc, one of many sites where one can buy stolen Visa, MasterCard, Discover and Amex card information. The purloined card numbers — no doubt lifted from PCs infected with data-stealing malware like the ZeuS Trojan — fetch $1.50 for U.S. accounts, and $4 (USD) for accounts belonging to U.K. residents.

And for a premium, you can obtain “fullz,” or the card data plus other useful information about cardholders, such as their date of birth, mother’s maiden name, etc.

The trouble is, the minute you seek to narrow your search using the built-in tools, the site starts adding all these extra convenience fees (sound familiar?). For example, if I wanted to buy a card stolen from anyone around the Washington, D.C. area, it would probably be from a resident of McLean, Va., which is more or less a tony place where there are plenty of well-to-do folk. Anyway, the site found me a card (a MasterCard) belonging to a McLean resident alright, but then the service wanted to tack on an extra $.60 just because I isolated my search by city and state — raising the cost in my shopping cart to $2.10! No way, Jose. Not this bargain shopper.

[EPSB]

Have you seen:

Virus Scanners for Virus Authors…The very first entry I posted at Krebs on Security, Virus Scanners for Virus Authors, introduced readers to two services that let virus writers upload their creations to see how well they are detected by numerous commercial anti-virus scanners. In this follow-up post, I take you inside of a pair of similar services that allow customers to periodically scan a malware sample and receive alerts via instant message or e-mail when a new anti-virus product begins to detect the submission as malicious.
[/EPSB]