Posts Tagged: target breach

Mar 16

Credit Unions Feeling Pinch in Wendy’s Breach

A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot.

wendyskyAs first noted on this blog in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted.

According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior.

“This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher that what they were hit with after Home Depot or Target,” Berger said. “It seems to have been been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”

Berger shared an email sent by one credit union CEO who asked not to be named in this story:

“Please take this Wendy’s story very seriously. We have been getting killed lately with debit card fraud. We have already hit half of our normal yearly fraud so far this year, and it is not even the end of January yet. After reading this, we reviewed activity on some of our accounts which had fraud on them. The first six we checked had all been to Wendy’s in the last quarter of 2015.”

All I am suggesting is that we are experiencing much high[er] losses lately than we ever did after the Target or Home Depot problems. I think we may be end up with 5 to 10 times the loss on this breach, wherever it occurred. Accordingly, please put this story in the proper perspective.”

Wendy’s declined to comment for this story.

Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers, like Social Security numbers, dates of birth and the card’s expiration date.

Thieves can abuse these automated systems to reset the PIN on the victim’s debit card, and then use a counterfeit copy of the card to withdraw cash from the account at ATMs. As I reported in September 2014, this is exactly what happened in the wake of the Home Depot breach. Continue reading →

Dec 15

When Undercover Credit Card Buys Go Bad

I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar’s own security system triggered a “pig alert” and brazenly flagged the fed’s transactions as an undercover purchase placed by a law enforcement officer.

Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and “carding” markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.

Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops — Rescator — somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren’t shy about letting you know when they think you’re not a real criminal. My law enforcement source said he’d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site’s checkout page was replaced with this image:

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this "pig detected" alert.

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this “pig detected” alert.

The shop from which my source attempted to make the purchase — called Rescator — is the same carding store that was the first to move millions of cards on sale that were stolen in the Target and Home Depot breaches, among others. I’ve estimated that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they only likely managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the median loss of 2 million cards, that’s still more than $50 million in revenue. It’s no wonder they want to keep the authorities out. Continue reading →

Sep 15

Inside Target Corp., Days After 2013 Breach

In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation — until now never publicly revealed — confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.

targetsmashAccording to an internal corporate report obtained by KrebsOnSecurity, Target commissioned the study “in anticipation of litigation” from banks that might join together to sue the retailer in a bid to recoup the costs of reissuing cards to their customers. Last week, a federal judge cleared those claims to go forward in a class action suit.

The Verizon assessment, conducted between December 21, 2013 to March 1, 2014, notably found “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.”

The report noted that Verizon consultants were able to directly communicate with point-of-sale registers and servers from the core network. In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.

Verizon’s findings lend credence to the working theory about how hackers initially broke into Target. In February 2014, KrebsOnSecurity was the first to report that investigators had zeroed in on the source of the breach: Fazio Mechanical, a small heating and air conditioning firm in Pennsylvania that worked with Target and had suffered its own breach via malware delivered in an email. In that intrusion, the thieves managed to steal the virtual private network credentials that Fazio’s technicians used to remotely connect to Target’s network.

Verizon’s report offers a likely playbook for how the Target hackers used that initial foothold provided by Fazio’s hack to push malicious software down to all of the cash registers at more than 1,800 stores nationwide.

Target spokesperson Molly Snyder would neither confirm nor deny the authenticity of the documents referenced in this report, but she maintained that Target has made great strides and is now an industry leader on cybersecurity.

“We’ve brought in new leaders, built teams, and opened a state-of-the-art cyber fusion center,” Snyder said. “We are proud of where we stand as a company and will be absolutely committed to being a leader on cybersecurity going forward.”

Snyder said Target believes “that sharing accurate and actionable information – with consumers, policy makers, and even other companies and industries – will help make all of us safer and stronger,” she said in an emailed statement. “Sometimes that means providing information directly to consumers, other times that means sharing information about possible industry threats with other companies or through our participation in the Financial Services and Retail Information Sharing and Analysis Centers (ISACs), and sometimes that means working with law enforcement. What we don’t think it means is continuing to rehash a narrative that is nearly two years old.”

A high-level graphic showing the various routes that Verizon penetration testers were able to use to get all the way down to Target's cash registers in 2013 and 2014.

A high-level graphic showing the various routes that Verizon penetration testers were able to use to get all the way down to Target’s cash registers in 2013 and 2014.


The report notes that “while Target has a password policy, the Verizon security consultants discovered that it was not being followed. The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.”

Default passwords in key internal systems and servers also allowed the Verizon consultants to assume the role of a system administrator with complete freedom to move about Target’s sprawling internal network.

“The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password,” the report observes. “Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”

Within one week, the security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including;,;;;;; and Continue reading →

Jul 15

Banks: Card Breach at Trump Hotel Properties

The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, appears to be the latest victim of a credit card breach, according to data shared by several U.S.-based banks.

Trump International Hotel and Tower in Chicago.

Trump International Hotel and Tower in Chicago.

Contacted regarding reports from sources at several banks who traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels, the company declined multiple requests for comment.

Update, 4:56 p.m. ET: The Trump Organization just acknowledged the issue with a brief statement from Eric Trump, executive vice president of development and acquisitions: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

Original story:

But sources in the financial industry say they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015.

If confirmed, the incident would be the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments. In March, upscale hotel chain Mandarin Oriental disclosed a compromise. The following month, hotel franchising firm White Lodging acknowledged that, for the second time in 12 months, card processing systems at several of its locations were breached by hackers.

It is likely that the huge number of card breaches at U.S.-based organizations over the past year represents a response by fraudsters to upcoming changes in the United States designed to make credit and debit cards more difficult and expensive to counterfeit. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe. Continue reading →

May 15

Deconstructing the 2014 Sally Beauty Breach

This week, nationwide beauty products chain Sally Beauty disclosed that, for the second time in a year, it was investigating reports that hackers had broken into its networks and stolen customer credit card data. That investigation is ongoing, but I recently had an opportunity to interview a former Sally Beauty IT technician who provided a first-hand look at how the first breach in 2014 went down.

sallybOn March 14, 2014, KrebsOnSecurity broke the news that some 260,000 credit cards stolen from Sally Beauty stores had gone up for sale on Rescator[dot]cc, the same shop that first debuted cards stolen in the Home Depot and Target breaches. The company said thieves made off with just 25,000 customer cards. But the shop selling the cards listed each by the ZIP code of the Sally Beauty store from which the card data had been stolen, exactly like this same shop did with Home Depot and Target. An exhaustive analysis of the ZIP codes represented in the cards for sale on the fraud shop indicated that the hackers had hit virtually all 2,600 Sally Beauty locations nationwide.

The company never disclosed additional details about the breach itself or how it happened. But earlier this week I spoke with Blake Curlovic, until recently an application support analyst at Sally Beauty who was among the first to respond when virtual alarm bells starting going off last year about a possible intrusion. Curlovic said that at the time, Sally Beauty was running exactly one enterprise solution for security — Tripwire (full disclosure: Tripwire is an advertiser on this blog). Tripwire’s core product monitors key operating system and application files for any changes, which then triggers alerts.

Tripwire fired a warning when the intruders planted a new file on point-of-sale systems within Sally Beauty’s vast network of cash registers. The file was a program designed to steal card numbers as they were being swiped through the registers, and the attackers had named their malware after a legitimate program running on all Sally Beauty registers. They also used a utility called Timestomp to change the date and time stamp on their malware to match the legitimate file, but that apparently didn’t fool Tripwire.

According to Curlovic, the intruders gained access through a Citrix remote access portal set up for use by employees who needed access to company systems while on the road.

“The attackers somehow had login credentials of a district manager,” Curlovic said. “This guy was not exactly security savvy. When we got his laptop back in, we saw that it had his username and password taped to the front of it.”

Once inside the Sally Beauty corporate network, the attackers scanned and mapped out the entire thing, located all shared drives and scoured those for Visual Basic (VB) scripts. Network administrators in charge of managing thousands or tens of thousands of systems often will write VB scripts to automate certain tasks across all of those systems, and very often those scripts will contain usernames and passwords that can be quite useful to attackers.

Curlovic said the intruders located a VB script on Sally Beauty’s network that contained the username and password of a network administrator at the company.

“That allowed them to basically copy files to the cash registers,” he said. “They used a simple batch file loop, put in all the [cash] register Internet addresses they found while scanning the network, looped through there and copied [the malware] to all of the point-of-sale devices — roughly 6,000 of them. They were in the network for like a week prior to that planning the attack.”

Continue reading →

Apr 15

POS Providers Feel Brunt of PoSeidon Malware

“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.

Image: Cisco.

Image: Cisco.

One basic tool that banks use to learn the source of card data theft involves determining a “common point-of-purchase” (CPP) among a given set of customer cards that experience fraud. When a new batch of cards goes on sale at an online crime shop, banks will often purchase a very small number of their stolen cards to determine if the victim customers all shopped at the same merchant across a specific time period.

This same CPP analysis was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years, and it is a method heavily relied upon by law enforcement agencies to identify breach victims.

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale.

Increasingly, however, fraudsters selling stolen cards don’t need to make sausage: The victims that are leaking card data are already subsets of restaurant franchises or retail establishments whose only commonality is the branded point-of-sale device which they rely upon to process customer card transactions.


Card breaches involving POS devices sold by the same vendor are notoriously hard for financial institutions to diagnose because the banks very often have a direct relationship with neither the POS vendor nor the breached restaurant or bar whose customers’ cards were stolen.

nextepWhat’s more, POS-specific breaches frequently tie back to a subset of customers of a POS vendor who in turn rely on local IT company to install and support the POS systems. The commonality among breached restaurants and bars tends to be those who have relied on a support firm that invariably enables remote access to the POS systems via tools like pcAnywhere or LogMeIn using the same or easily-guessed username and password across many customer systems. Once remotely authenticated to the targeted systems, thieves can upload malware like POSeidon, which is capable of capturing all card data processed by the victim POS.

A few weeks ago, this reporter broke the news that multiple systems run by POS vendor NEXTEP had experienced a breach. The banks were only able to pinpoint NEXTEP systems as the source because the overwhelming number of merchants impacted in that breached happened to be NEXTEP customers who also were part of the Zoup chain of soup restaurants.

“You may have seen the discussions of the ‘PoSeidon’ malware that specifically targeted point of sale systems,” NEXTEP CEO Tommy Woycik said in a follow-up email. “Within thirty-six hours of the point that we learned of the problem we were able to internally use our resources to block further data compromise with most of our customers.  We retained and worked with two different sets of consultants to fix all remaining problems and to evaluate, on an ongoing basis, the effectiveness of the fixes.”

Woycik said the company also is investigating why the vast majority of its customers had no compromise of information, but that the hack was limited to a few identified locations. Part of the problem was that some of the breached locations relied on point-of-sale management firms that refused to cooperate in the investigation.

“We have been somewhat hampered in our investigation because some parties involved in the locations that we believe may have been affected have been unwilling to provide us with critical data,” he said.

Continue reading →

Nov 14

Home Depot: Hackers Stole 53M Email Addresses

As if the credit card breach at Home Depot didn’t already look enough like the Target breach: Home Depot said yesterday that the hackers who stole 56 million customer credit and debit card accounts also made off with 53 million customer email addresses.

pwnddepotIn an update (PDF) released to its site on Thursday, Home Depot warned customers about the potential for thieves to use the email addresses in phishing attacks (think a Home Depot “survey” that offers a gift card for the first 10,000 people who open the booby-trapped attachment, for example). Home Depot stressed that the files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information.

Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network, but that these stolen credentials alone did not provide direct access to the company’s point-of-sale devices. For that, they had to turn to a vulnerability in Microsoft Windows that was patched only after the breach occurred, according to a story in Thursday’s Wall Street Journal.

Recall that the Target breach also started with a hacked vendor — a heating and air conditioning company in Pennsylvania that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. Target also came out in the days after the breach became public and revealed that the attackers had stolen more than 70 million customer email addresses. Continue reading →

Aug 14

DQ Breach? HQ Says No, But Would it Know?

Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.

Update, Aug. 28, 12:08 p.m. ET: A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions. Dairy Queen says it is still investigating and working with authorities, and does not yet know how many stores may be impacted.

Original story:

dqI first began hearing reports of a possible card breach at Dairy Queen at least two weeks ago, but could find no corroborating signs of it — either by lurking in shadowy online “card shops” or from talking with sources in the banking industry. Over the past few days, however, I’ve heard from multiple financial institutions that say they’re dealing with a pattern of fraud on cards that were all recently used at various Dairy Queen locations in several states. There are also indications that these same cards are being sold in the cybercrime underground.

The latest report in the trenches came from a credit union in the Midwestern United States. The person in charge of fraud prevention at this credit union reached out wanting to know if I’d heard of a breach at Dairy Queen, stating that the financial institution had detected fraud on cards that had all been recently used at a half-dozen Dairy Queen locations in and around its home state.

According to the credit union, more than 50 customers had been victimized by a blizzard of card fraud just in the past few days alone after using their credit and debit cards at Dairy Queen locations — some as far away as Florida — and the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014.

“We’re getting slammed today,” the fraud manager said Tuesday morning of fraud activity tracing back to member cards used at various Dairy Queen locations in the past three weeks. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”

Other financial institutions contacted by this reporter have seen recent fraud on cards that were all used at Dairy Queen locations in Florida and several other states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas.

On Friday, Aug. 22, KrebsOnSecurity spoke with Dean Peters, director of communications for the Minneapolis-based fast food chain. Peters said the company had heard no reports of card fraud at individual DQ locations, but he stressed that nearly all of Dairy Queen stores were independently owned and operated. When asked whether DQ had any sort of requirement that its franchisees notify the company in the event of a security breach or problem with their card processing systems, Peters said no.

“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees that they have had any kind of breach.”

Julie Conroy, research director at the advisory firm Aite Group, said nationwide companies like Dairy Queen should absolutely have breach notification policies in place for franchisees, if for no other reason than to protect the integrity of the company’s brand and public image.

“Without question this is a brand protection issue,” Conroy said. “This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”


The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.

The DHS/Secret Service advisory.

The DHS/Secret Service advisory.

Rumblings of a card breach involving at least some fraction of Dairy Queen’s 4,500 domestic, independently-run stores come amid increasingly vocal warnings from the U.S. Department of Homeland Security and the Secret Service, which last week said that more than 1,000 American businesses had been hit by malicious software designed to steal credit card data from cash register systems.

In that alert, the agencies warned that hackers have been scanning networks for point-of-sale systems with remote access capabilities (think LogMeIn and pcAnywhere), and then installing malware on POS devices protected by weak and easily guessed passwords.  The alert noted that at least seven point-of-sale vendors/providers confirmed they have had multiple clients affected.

Around the time that the Secret Service alert went out, UPS Stores, a subsidiary of the United Parcel Service, said that it scanned its systems for signs of the malware described in the alert and found security breaches that may have led to the theft of customer credit and debit data at 51 UPS franchises across the United States (about 1 percent of its 4,470 franchised center locations throughout the United States). Incidentally, the way UPS handled that breach disclosure — clearly calling out the individual stores affected — should stand as a model for other companies struggling with similar breaches. Continue reading →

Jul 14

Interview With Fresh Air’s Terry Gross

nprlock On Monday, I had the distinct pleasure of being a guest on Terry Gross‘s Fresh Air radio show on National Public Radio. I’m a huge fan of Gross’s show and was quite flattered and honored to have been invited.

The roughly 39-minute interview covered a range of topics, including my reporting on the Target and Neiman Marcus breaches, as well as an investigation into how an identity theft service conned its way into getting access to a subsidiary of big three credit bureau Experian.

Gross also asked about some of the responses that my reporting has engendered from various denizens of the cybercrime underground, hence the title of the segment, “The Hazards of Probing the Internet’s Dark Side.”

The archived podcast of the show is available here.

Mar 14

ZIP Codes Show Extent of Sally Beauty Breach

Earlier this month, beauty products chain Sally Beauty acknowledged that a hacker break-in compromised fewer than 25,000 customer credit and debit cards. My previous reporting indicated that the true size of the breach was at least ten times larger. The analysis published in this post suggests that the Sally Beauty breach may have impacted virtually all 2,600+ Sally Beauty locations nationwide.

Sally Beauty cards sold under the "Desert Strike" base on Rescator's site.

Sally Beauty cards sold under the “Desert Strike” base on Rescator’s site.

Sally Beauty has declined to speculate on how many stores or total cards may have been exposed by the breach, saying in a statement last week that so far its analysis indicates fewer than 25,000 cards were compromised. But that number seems very conservative when viewed through the prism of data from the cybercriminal shop primarily responsible for selling cards stolen from Sally Beauty customers. Indeed, it suggests that the perpetrators managed to hoover up cards used at nearly all Sally Beauty stores.

The research technique used to arrive at this conclusion was the same method that allowed this reporter and others to conclude that the Target hackers had succeeded at installing card-stealing malware on cash registers at nearly all 1,800 Target locations in the United States.

The first indications of a breach at Target came when millions of cards recently used at the big box retailer started showing up for sale on a crime shop called Rescator[dot]so. This site introduced an innovation that to my knowledge hadn’t been seen before across dozens of similar crime shops in the underground: It indexed stolen cards primarily by the city, state and ZIP code of the Target stores from which each card had been stolen.

This feature was partly what allowed Rescator to sell his cards at much higher prices than other fraud shops, because the ZIP code feature allowed crooks to buy cards from the store that were stolen from Target stores near them (this feature also strongly suggested that Rescator had specific and exclusive knowledge about the breach, a conclusion that has been supported by previous investigations on this blog into the malware used at Target and the Internet history of Rescator himself).

To put the ZIP code innovation in context, the Target break-in came to light just a week before Christmas, and many banks were at least initially reluctant to reissue cards thought to be compromised in the breach because they feared a backlash from consumers who were busy doing last minute Christmas shopping and traveling for the holidays. Rather, many banks in the interim chose to put in place “geo blocks” that would automatically flag for fraud any in-store transactions that were outside the customer’s normal geographic purchasing area. The beauty of Rescator’s ZIP code indexing was that customers could buy only cards that were used at Target stores near them, thereby making it far more likely that Rescator’s customers could make purchases with the stolen cards without setting off geo-blocking limits set by the banks.

To test this theory, researchers compiled a list of the known ZIP codes of Target stores, and then scraped Rescator’s site for a list of the ZIP codes represented in the cards for sale. Although there are more than 43,000 ZIP codes in the United States, slightly fewer than 1,800 unique ZIPs were referenced in the Target cards for sale on Rescator’s shop — roughly equal to the number of Target locations across America.

Sally Beauty declined to provide a list of its various store ZIP codes, but with the assistance of several researchers — none of whom wished to be thanked or cited in this story — I was able to conduct the same analysis with the new batch of cards on Rescator’s site that initially tipped me off to the Sally Beauty breach. The result? There are nearly the exact same number of U.S. ZIP codes represented in the batch of cards for sale on Rescator’s shop as there are unique U.S. ZIP codes of Sally Beauty stores (~2,600).

More importantly, there was a 99.99 percent overlap in the ZIP codes. That strongly suggests that virtually all Sally Beauty stores were compromised by this breach.

Continue reading →