Posts Tagged: Stephen P. Warne

Jul 16

Cici’s Pizza: Card Breach at 130+ Locations

Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. The disclosure comes more than a month after KrebsOnSecurity first broke the news of the intrusion, offering readers a sneak peek inside the sprawling cybercrime machine that thieves used to siphon card data from Cici’s customers in real time.

In a statement released Tuesday evening, Cici’s said that in early March 2016, the company received reports from several of its restaurant locations that point-of-sale systems were not working properly.

“The point-of-sale vendor immediately began an investigation to assess the problem and initiated heightened security measures,” the company said in a press release. “After malware was found on some point-of-sale systems, the company began a restaurant-by-restaurant review and remediation, and retained a third-party cybersecurity firm, 403 Labs, to perform a forensic analysis.”

According to Cici’s, “the vast majority of the intrusions began in March of 2016,” but the company acknowledges that the breach started as early as 2015 at some locations. Cici’s said it was confident the malware has been removed from all stores. A list of affected locations is here (PDF).

On June 3, 2016, KrebsOnSecurity reported that sources at multiple financial institutions suspected a card breach at Cici’s. That story featured a quote from Stephen P. Warne, vice president of service and support for Datapoint POS, a point-of-sale provider that services a large number of Cici’s locations. Warne told this author that the fraudsters responsible for the intrusions had tricked employees into installing the card-stealing malicious software.

Jun 16

Slicing Into a Point-of-Sale Botnet

Last week, KrebsOnSecurity broke the news of an ongoing credit card breach involving CiCi’s Pizza, a restaurant chain in the United States with more than 500 locations. What follows is an exclusive look at a point-of-sale botnet that appears to have enslaved dozens of hacked payment terminals inside of CiCi’s locations that are being relieved of customer credit card data in real time.

Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.

This admin panel shows the Internet address of a number of infected point-of-sale devices as of June 4, 2016. Many of these appear to be at Cici's Pizza locations.

KrebsOnSecurity has not been able to conclusively tie the botnet to CiCi’s. Neither CiCi’s nor its outside public relations firm have responded to multiple requests for comment. However, the control panel for this botnet includes the full credit card number and name attached to the card, and several individuals whose names appeared in the botnet control panel confirmed having eaten at CiCi’s Pizza locations on the same date that their credit card data was siphoned by this botnet.

Among those was Richard Higgins of Prattville, Ala., whose card data was recorded in the botnet logs on June 4, 2016. Reached via phone, Higgins confirmed that he used his debit card to pay for a meal he and his family enjoyed at a CiCi’s location in Prattville on that same date.

An analysis of the botnet data reveals more than 100 distinct infected systems scattered across the country. However, the panel only displayed hacked systems that were presently reachable online, so the actual number of infected systems may be larger.

Most of the hacked cash registers map back to dynamic Internet addresses assigned by broadband Internet service providers, and those addresses provide little useful information about the owners of the infected systems — other than offering a general idea of the city and state tied to each address.

For example, the Internet address of the compromised point-of-sale system that stole Mr. Higgins’ card data is, which maps back to an Earthlink system in a pool of IP addresses managed out of Montgomery, Ala.

Many of the botnet logs include brief notes or messages apparently left by CiCi’s employees for other employees. Most of these messages concern banal details about an employee’s shift, or issues that need to be addressed when the next employee shift comes in to work.

Jun 16

Banks: Credit Card Breach at CiCi’s Pizza

CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.

Over the past two months, KrebsOnSecurity has received inquiries from fraud fighters at more than a half-dozen financial institutions in the United States — all asking if I had any information about a possible credit card breach at CiCi’s. Every one of these banking industry sources said the same thing: They’d detected a pattern of fraud on cards that had all been used in the last few months at various CiCi’s Pizza locations.

Earlier today, I finally got around to reaching out to the CiCi’s headquarters in Texas and was referred to a third-party restaurant management firm called Champion Management. When I called Champion and told them why I was inquiring, they said “the issue” was being handled by an outside public relations firm called SPM Communications.

I never did get a substantive response from SPM, which according to their email and phone messages closes at 1 pm on Fridays during the summer. So I decided to follow up on a tip I’d received from a fraud fighter at one affected bank who said they’d heard from the U.S. Secret Service that the fraud was related to a breach or security weakness at Datapoint (CiCi’s point-of-sale provider).

Incredibly, I went to look up the contact information for datapoint[dot]com, and found that Google was trying to prevent me from visiting this site: According to the search engine giant, Datapoint’s Web site appears to be compromised! It appears Google has listed the site as hacked and that it was once abused by spammers to promote knockoff male enhancement pills.