Posts Tagged: Gemini Advisory


18
Jan 21

Joker’s Stash Carding Market to Call it Quits

Joker’s Stash, by some accounts the largest underground shop for selling stolen credit card and identity data, says it’s closing up shop effective mid-February 2021. The announcement came on the heels of a turbulent year for the major cybercrime store, and just weeks after U.S. and European authorities seized a number of its servers.

A farewell message posted by Joker’s Stash admin on Jan. 15, 2021.

The Russian and English language carding store first opened in October 2014, and quickly became a major source of “dumps” — information stolen from compromised payment cards that thieves can buy and use to create physical counterfeit copies of the cards.

But 2020 turned out to be a tough year for Joker’s Stash. As cyber intelligence firm Intel 471 notes, the curator of the store announced in October that he’d contracted COVID-19, spending a week in the hospital. Around that time, Intel 471 says many of Joker’s loyal customers started complaining that the shop’s payment card data quality was increasingly poor.

“The condition impacted the site’s forums, inventory replenishments and other operations,” Intel 471 said.

Image: Gemini Advisory

That COVID diagnosis may have affected the shop owner’s ability to maintain fresh and valid inventory on his site. Gemini Advisory, a New York City-based company that monitors underground carding shops, tracked a “severe decline” in the volume of compromised payment card accounts for sale on Joker’s Stash over the past six months.

“Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service,” Gemini wrote in a blog post about the planned shutdown.

Image: Gemini Advisory

Then on Dec. 16, 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. The crime shop quickly recovered, moving to new infrastructure and assuring the underground community that it would continue to operate normally.

Gemini estimates that Joker’s Stash generated more than a billion dollars in revenue over the past several years. Much of that revenue came from high-profile breaches, including tens of millions of payment card records stolen from major merchants including Saks Fifth Avenue, Lord and TaylorBebe StoresHilton HotelsJason’s DeliWhole FoodsChipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ.

Joker’s Stash routinely teased big breaches days or weeks in advance of selling payment card records stolen from those companies, and periodically linked to this site and other media outlets as proof of his shop’s prowess and authenticity.

Like many other top cybercrime bazaars, Joker’s Stash was a frequent target of phishers looking to rip off unwary or unsophisticated thieves. In 2018, KrebsOnSecurity detailed a vast network of fake Joker’s Stash sites set up to steal login credentials and bitcoin. The phony sites all traced back to the owners of a Pakistani web site design firm. Many of those fake sites are still active (e.g. jokersstash[.]su). Continue reading →


15
Oct 20

Breach at Dickey’s BBQ Smokes 3M Cards

One of the digital underground’s most popular stores for peddling stolen credit card information began selling a batch of more than three million new card records this week. KrebsOnSecurity has learned the data was stolen in a lengthy data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country.

An ad on the popular carding site Joker’s Stash for “BlazingSun,” which fraud experts have traced back to a card breach at Dickey’s BBQ.

On Monday, the carding bazaar Joker’s Stash debuted “BlazingSun,” a new batch of more than three million stolen card records, advertising “valid rates” of between 90-100 percent. This is typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it.

Multiple companies that track the sale in stolen payment card data say they have confirmed with card-issuing financial institutions that the accounts for sale in the BlazingSun batch have one common theme: All were used at various Dickey’s BBQ locations over the past 13-15 months.

KrebsOnSecurity first contacted Dallas-based Dickey’s on Oct. 13. Today, the company shared a statement saying it was aware of a possible payment card security incident at some of its eateries:

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

The confirmations came from Miami-based Q6 Cyber and Gemini Advisory in New York City.

Q6Cyber CEO Eli Dominitz said the breach appears to extend from May 2019 through September 2020.

“The financial institutions we’ve been working with have already seen a significant amount of fraud related to these cards,” Dominitz said.

Gemini says its data indicated some 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona. Gemini puts the exposure window between July 2019 and August 2020.

“Low-and-slow” aptly describes the card breach at Dickie’s, which persisted for at least 13 months.

With the threat from ransomware attacks grabbing all the headlines, it may be tempting to assume plain old credit card thieves have moved on to more lucrative endeavors. Alas, cybercrime bazaars like Joker’s Stash have continued plying their trade, undeterred by a push from the credit card associations to encourage more merchants to install credit card readers that require more secure chip-based payment cards.

That’s because there are countless restaurants — usually franchise locations of an established eatery chain — that are left to decide for themselves whether and how quickly they should make the upgrades necessary to dip the chip versus swipe the stripe.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale (POS) device and processors that they utilize,” Gemini wrote in a blog post about the incident. “However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.” Continue reading →


30
Jul 20

Is Your Chip Card Secure? Much Depends on Where You Bank

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.

A chip-based credit card. Image: Wikipedia.

Traditional payment cards encode cardholder account data in plain text on a magnetic stripe, which can be read and recorded by skimming devices or malicious software surreptitiously installed in payment terminals. That data can then be encoded onto anything else with a magnetic stripe and used to place fraudulent transactions.

Newer, chip-based cards employ a technology known as EMV that encrypts the account data stored in the chip. The technology causes a unique encryption key — referred to as a token or “cryptogram” — to be generated each time the chip card interacts with a chip-capable payment terminal.

Virtually all chip-based cards still have much of the same data that’s stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants — particularly those in the United States — still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card’s chip or a merchant’s EMV-enabled terminal has malfunctioned.

But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a component in the chip known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.”

The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and the use of that data to create counterfeit magnetic stripe cards. Both the iCVV and CVV values are unrelated to the three-digit security code that is visibly printed on the back of a card, which is used mainly for e-commerce transactions or for card verification over the phone.

The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward.

However, for EMV’s security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction.

The trouble is that not all financial institutions have properly set up their systems this way. Unsurprisingly, thieves have known about this weakness for years. In 2017, I wrote about the increasing prevalence of “shimmers,” high-tech card skimming devices made to intercept data from chip card transactions.

A close-up of a shimmer found on a Canadian ATM. Source: RCMP.

More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions.

There are now strong indications the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards.

Earlier this month, the world’s largest payment card network Visa released a security alert regarding a recent merchant compromise in which known POS malware families were apparently modified to target EMV chip-enabled POS terminals.

“The implementation of secure acceptance technology, such as EMV® Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date,” Visa wrote. “Thus, provided iCVV is validated properly, the risk of counterfeit fraud was minimal. Additionally, many of the merchant locations employed point-to-point encryption (P2PE) which encrypted the PAN data and further reduced the risk to the payment accounts processed as EMV® Chip.”

Visa did not name the merchant in question, but something similar seems to have happened at Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States. Key Food initially disclosed a card breach in March 2020, but two weeks ago updated its advisory to clarify that EMV transaction data also was intercepted.

“The POS devices at the store locations involved were EMV enabled,” Key Food explained. “For EMV transactions at these locations, we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code).”

While Key Food’s statement may be technically accurate, it glosses over the reality that the stolen EMV data could still be used by fraudsters to create magnetic stripe versions of EMV cards presented at the compromised store registers in cases where the card-issuing bank hadn’t implemented EMV correctly. Continue reading →


30
Jun 20

COVID-19 ‘Breach Bubble’ Waiting to Pop?

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse.

The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data.

An ad for a site selling stolen payment card data, circa March 2020.

That’s according to Gemini Advisory, a New York-based cyber intelligence firm that closely tracks the inventories of dark web stores trafficking in stolen payment card data.

Stas Alforov, Gemini’s director of research and development, said that since the beginning of 2020 the company has seen a steep drop in demand for compromised “card present” data — digits stolen from hacked brick-and-mortar merchants with the help of malicious software surreptitiously installed on point-of-sale (POS) devices.

Alforov said the median price for card-present data has dropped precipitously over the past few months.

“Gemini Advisory has seen over 50 percent decrease in demand for compromised card present data since the mandated COVID-19 quarantines in the United States as well as the majority of the world,” he told KrebsOnSecurity.

Meanwhile, the supply of card-present data has remained relatively steady. Gemini’s latest find — a 10-month-long card breach at dozens of Chicken Express locations throughout Texas and other southern states that the fast-food chain first publicly acknowledged today after being contacted by this author — saw an estimated 165,000 cards stolen from eatery locations recently go on sale at one of the dark web’s largest cybercrime bazaars.

“Card present data supply hasn’t wavered much during the COVID-19 period,” Alforov said. “This is likely due to the fact that most of the sold data is still coming from breaches that occurred in 2019 and early 2020.”

A lack of demand for and steady supply of stolen card-present data in the underground has severely depressed prices since the beginning of the COVID-19 pandemic. Image: Gemini Advisory

Naturally, crooks who ply their trade in credit card thievery also have been working from home more throughout the COVID-19 pandemic. That means demand for stolen “card-not-present” data — customer payment information extracted from hacked online merchants and typically used to defraud other e-commerce vendors — remains high. And so have prices for card-not-present data: Gemini found prices for this commodity actually increased slightly over the past few months.

Andrew Barratt is an investigator with Coalfire, the cyber forensics firm hired by Chicken Express to remediate the breach and help the company improve security going forward. Barratt said there’s another curious COVID-19 dynamic going on with e-commerce fraud recently that is making it more difficult for banks and card issuers to trace patterns in stolen card-not-present data back to hacked web merchants — particularly smaller e-commerce shops.

“One of the concerns that has been expressed to me is that we’re getting [fewer] overlapping hotspots,” Barratt said. “For a lot of the smaller, more frequently compromised merchants there has been a large drop off in transactions. Whilst big e-commerce has generally done okay during the COVID-19 pandemic, a number of more modest sized or specialty online retailers have not had the same access to their supply chain and so have had to close or drastically reduce the lines they’re selling.”

Banks routinely take groups of customer cards that have experienced fraudulent activity and try to see if some or all of them were used at the same merchant during a similar timeframe, a basic anti-fraud process known as “common point of purchase” or CPP analysis. But ironically, this analysis can become more challenging when there are fewer overall transactions going through a compromised merchant’s site, Barratt said.

“With a smaller transactional footprint means less Common Point of Purchase alerts and less data to work on to trigger a forensic investigation or fraud alert,” Barratt said. “It does also mean less fraud right now – which is a positive. But one of the big concerns that has been raised to us as investigators — literally asking if we have capacity for what’s coming — has been that merchants are getting compromised by ‘lie in wait’ type intruders.”

Barratt says there’s a suspicion that hackers may have established beachheads [breachheads?] in a number of these smaller online merchants and are simply biding their time. If and when transaction volumes for these merchants do pick up, the concern is then hackers may be in a better position to mix the sale of cards stolen from many hacked merchants and further confound CPP analysis efforts. Continue reading →


30
Apr 20

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screen shot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

Continue reading →


28
Apr 20

Would You Have Fallen for This Phone Scam?

You may have heard that today’s phone fraudsters like to use caller ID spoofing services to make their scam calls seem more believable. But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Last week, KrebsOnSecurity told the harrowing tale of a reader (a security expert, no less) who tried to turn the tables on his telephonic tormentors and failed spectacularly. In that episode, the people impersonating his bank not only spoofed the bank’s real phone number, but they were also pretending to be him on a separate call at the same time with his bank.

This foiled his efforts to make sure it was really his bank that called him, because he called his bank with another phone and the bank confirmed they currently were in a separate call with him discussing fraud on his account (however, the other call was the fraudster pretending to be him).

Shortly after that story ran, I heard from another reader — we’ll call him “Jim” since he didn’t want his real name used for this story — whose wife was the target of a similar scam, albeit with an important twist: The scammers were armed with information about a number of her recent financial transactions, which he claims they got from the bank’s own automated phone system just by spoofing her phone number.

“When they originally called my wife, there were no fraudulent transactions on her account, but they were able to specify the last three transactions she had made, which combined with the caller-ID had mistakenly earned her trust,” Jim explained. “After we figured out what was going on, we were left asking ourselves how the crooks had obtained her last three transactions without breaking into her account online. As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.”

Jim said he was so aghast at this realization that he called the same number from his phone and tried accessing his account, which is also at Citi but wholly separate from his spouse’s. Sure enough, he said, as long as he was calling from the number on file for his account, the automated system let him review recent transactions without any further authentication.

“I confirmed on my separate Citi card that they often (but not quite always) were providing the transaction details,” Jim said. “I was appalled that Citi would do that. So, it seemed the crooks would spoof caller ID when calling Citibank, as well as when calling the target/victim.

The incident Jim described happened in late January 2020, and Citi may have changed its procedures since then. But in a phone interview with KrebsOnSecurity earlier this week, Jim made a call to Citi’s automated system from his mobile phone on file with the bank, and I could hear Citi’s systems asking him to enter the last four digits of his credit card number before he could review recent transactions.

The request for the last four of the customer’s credit card number was consistent with my own testing, which relied on a caller ID spoofing service advertised in the cybercrime underground and aimed at a Citi account controlled by this author.

In one test, the spoofed call let KrebsOnSecurity hear recent transaction data — where and when the transaction was made, and how much was spent — after providing the automated system the last four digits of the account’s credit card number. In another test, the automated system asked for the account holder’s full Social Security number.

Citi declined to discuss specific actions it takes to detect and prevent fraud. But in a written statement provided to this author it said the company continuously monitors and analyzes threats and looks for opportunities to strengthen its controls.

“We see regular attempts by fraudsters to gain access to information and we are constantly monitoring for emerging threats and taking preventive action for our clients’ protection,” the statement reads. “For inbound calls to call centers, we continue to adapt and implement detection capabilities to identify suspicious or spoofed phone numbers. We also encourage clients to install and use our mobile app and sign up for push notifications and alerts in the mobile app.”

PREGNANT PAUSES AND BULGING EMAIL BOMBS

Jim said the fraudster who called his wife clearly already knew her mailing and email addresses, her mobile number and the fact that her card was an American Airlines-branded Citi card. The caller said there had been a series of suspicious transactions, and proceeded to read back details of several recent transactions to verify if those were purchases she’d authorized.

A list of services offered by one of several underground stores that sell caller ID spoofing and email bombing services.

Jim’s wife quickly logged on to her Citi account and saw that the amounts, dates and places of the transactions referenced by the caller indeed corresponded to recent legitimate transactions. But she didn’t see any signs of unauthorized charges.

After verifying the recent legitimate transactions with the caller, the person on the phone asked for her security word. When she provided it, there was a long hold before the caller came back and said she’d provided the wrong answer.

When she corrected herself and provided a different security word, there was another long pause before the caller said the second answer she provided was correct. At that point, the caller said Citi would be sending her a new card and that it had prevented several phony charges from even posting to her account.

She didn’t understand until later that the pauses were points at which the fraudsters had to put her on hold to relay her answers in their own call posing as her to Citi’s customer service department.

Not long after Jim’s spouse hung up with the caller, her inbox quickly began filling up with hundreds of automated messages from various websites trying to confirm an email newsletter subscription she’d supposedly requested.

As the recipient of several of theseemail bombing” attacks, I can verify that crooks often will use services offered in the cybercrime underground to flood a target’s inbox with these junk newsletter subscriptions shortly after committing fraud in the target’s name when they wish to bury an email notification from a target’s bank.

‘OVERPAYMENT REIMBURSEMENT’

In the case of Jim’s wife, the inbox flood backfired, and only made her more suspicious about the true nature of the recent phone call. So she called the number on the back of her Citi card and was told that she had indeed just called Citi and requested what’s known as an “overpayment reimbursement.” The couple have long had their credit cards on auto-payment, and the most recent payment was especially high — nearly $4,000 — thanks to a flurry of Christmas present purchases for friends and family.

In an overpayment reimbursement, a customer can request that the bank refund any amount paid toward a previous bill that exceeds the minimum required monthly payment. Doing so causes any back-due interest on that unpaid amount to accrue to the account as well.

In this case, the caller posing as Jim’s wife requested an overpayment reimbursement to the tune of just under $4,000. It’s not clear how or where the fraudsters intended this payment to be sent, but for whatever reason Citi ended up saying they would cut a physical check and mail it to the address on file. Probably not what the fraudsters wanted, although since then Jim and his wife say they have been on alert for anyone suspicious lurking near their mailbox.

“The person we spoke with at Citi’s fraud department kept insisting that yes, it was my wife that called because the call came from her mobile number,” Jim said. “The Citi employee was alarmed because she didn’t understand the whole notion of caller ID spoofing. And we both found it kind of disturbing that someone in fraud at such a major bank didn’t even understand that such a thing was possible.” Continue reading →


28
Jan 20

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.

The fraud bazaar Joker’s Stash on Monday began selling some 30 million stolen payment card accounts that experts say have been tied back to a breach at Wawa in 2019.

Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.

On Dec. 19, 2019, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations.

Pennsylvania-based Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4. The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).

A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

Gemini Advisory, a New York-based fraud intelligence company, said the biggest concentrations of stolen cards for sale in the BIGBADABOOM-III batch map back to Wawa customer card use in Florida and Pennsylvania, the two most populous states where Wawa operates. Wawa also has locations in Delaware, Maryland, New Jersey, Virginia and the District of Columbia.

According to Gemini, Joker’s Stash has so far released only a small portion of the claimed 30 million. However, this is not an uncommon practice: Releasing too many stolen cards for sale at once tends to have the effect of depressing the overall price of stolen cards across the underground market.

“Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records,” Gemini observed. “While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and utilizing Wawa gas stations during the period of exposure.”

Gemini’s director of research Stas Alforov stressed that some of the 30 million cards advertised for sale as part of this BIGBADABOOM batch may in fact be sourced from breaches at other retailers, something Joker’s Stash has been known to do in previous large batches.

Gemini monitors multiple carding sites like Joker’s Stash. The company found the median price of U.S.-issued records in the new Joker’s Stash batch is currently $17, with some of the international records priced as high as $210 per card.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure,” Gemini concluded.

Representatives from MasterCard did not respond to requests for comment. Visa declined to comment for this story, but pointed to a series of alerts it issued in November and December 2019 about cybercrime groups increasingly targeting fuel dispenser merchants. Continue reading →


26
Nov 19

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.

An advertisement on the cybercrime store Joker’s Stash for a new batch of ~4 million credit/debit cards stolen from four different restaurant chains across the midwest and eastern United States.

Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.

KrebsOnSecurity heard the same conclusion from Gemini Advisory, a New York-based fraud intelligence company.

“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,”  Gemini wrote in an analysis of the New World Order batch shared with this author. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”

McAlister’s (green), Schlotzsky’s (blue), Moe’s (gray), and Krystal (orange) locations across the United States. There is an additional Moe’s location in Hawaii that is not depicted. Image: Gemini Advisory.

Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019, and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019, and disclosed this in late October.

The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards stolen from restaurants, fuel pumps and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.

According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once, which can have the effect of lowering prices for stolen cards across the board.

“Joker’s Stash first announced their breach on November 11, 2019 and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.” Continue reading →


29
Oct 19

Takeaways from the $566M BriansClub breach

Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.

In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 gb set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.

The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.

KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added.

Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — represent almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground.

“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.

Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.

Image: Gemini Advisory.

Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].

But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.

“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”

According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available. Continue reading →


15
Oct 19

“BriansClub” Hack Rescues 26M Stolen Cards

BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

An ad for BriansClub has been using my name and likeness for years to peddle millions of stolen credit cards.

Last month, KrebsOnSecurity was contacted by a source who shared a plain text file containing what was claimed to be the full database of cards for sale both currently and historically through BriansClub[.]at, a thriving fraud bazaar named after this author. Imitating my site, likeness and namesake, BriansClub even dubiously claims a copyright with a reference at the bottom of each page: “© 2019 Crabs on Security.”

Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account.

All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.

The leaked data shows that in 2015, BriansClub added just 1.7 million card records for sale. But business would pick up in each of the years that followed: In 2016, BriansClub uploaded 2.89 million stolen cards; 2017 saw some 4.9 million cards added; 2018 brought in 9.2 million more.

Between January and August 2019 (when this database snapshot was apparently taken), BriansClub added roughly 7.6 million cards.

Most of what’s on offer at BriansClub are “dumps,” strings of ones and zeros that — when encoded onto anything with a magnetic stripe the size of a credit card — can be used by thieves to purchase electronics, gift cards and other high-priced items at big box stores.

As shown in the table below (taken from this story), many federal hacking prosecutions involving stolen credit cards will for sentencing purposes value each stolen card record at $500, which is intended to represent the average loss per compromised cardholder.

The black market value, impact to consumers and banks, and liability associated with different types of card fraud.

STOLEN BACK FAIR AND SQUARE

An extensive analysis of the database indicates BriansClub holds approximately $414 million worth of stolen credit cards for sale, based on the pricing tiers listed on the site. That’s according to an analysis by Flashpoint, a security intelligence firm based in New York City.

Allison Nixon, the company’s director of security research, said the data suggests that between 2015 and August 2019, BriansClub sold roughly 9.1 million stolen credit cards, earning the site $126 million in sales (all sales are transacted in bitcoin).

If we take just the 9.1 million cards that were confirmed sold through BriansClub, we’re talking about more than $4 billion in likely losses at the $500 average loss per card figure from the Justice Department.

Also, it seems likely the total number of stolen credit cards for sale on BriansClub and related sites vastly exceeds the number of criminals who will buy such data. Shame on them for not investing more in marketing!

There’s no easy way to tell how many of the 26 million or so cards for sale at BriansClub are still valid, but the closest approximation of that — how many unsold cards have expiration dates in the future — indicates more than 14 million of them could still be valid.

The archive also reveals the proprietor(s) of BriansClub frequently uploaded new batches of stolen cards — some just a few thousand records, and others tens of thousands.

That’s because like many other carding sites, BriansClub mostly resells cards stolen by other cybercriminals — known as resellers or affiliates — who earn a percentage from each sale. It’s not yet clear how that revenue is shared in this case, but perhaps this information will be revealed in further analysis of the purloined database. Continue reading →