Posts Tagged: U.S. Secret Service


5
Apr 18

Secret Service Warns of Chip Card Scheme

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

Signs of a card with an old or invalid chip include heat damage around the chip or on the card, or a small hole in the plastic used to pry the chip off the card. Image: U.S. Secret Service.

According to an alert sent to banks late last month, the entire scheme goes as follows:

1. Criminals intercept mail sent from a financial institution to large corporations that contain payment cards, targeting debit payment cards with access to large amount of funds.

2. The crooks remove the chip from the debit payment card using a heat source that warms the glue.

3. Criminals replace the chip with an old or invalid chip and repackage the payment card for delivery.

4. Criminals place the stolen chip into an old payment card.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card. Continue reading →


27
Jan 18

First ‘Jackpotting’ Attacks Hit U.S. ATMs

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Dielbold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM.

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF). Continue reading →


26
May 17

Trump’s Dumps: ‘Making Dumps Great Again’

It’s not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for their shops that run incessantly on various cybercrime forums. Exhibit A: McDumpals, a hugely popular carding site that borrows the Ronald McDonald character from McDonald’s and caters to bulk buyers. Exhibit B: Uncle Sam’s dumps shop, which wants YOU! to buy American. Today, we’ll look at an up-and-coming stolen credit card shop called Trump’s-Dumps, which invokes the 45th president’s likeness and promises to make credit card fraud great again.

trumpsdumps

One reason thieves who sell stolen credit cards like to use popular American figures in their ads may be that a majority of their clients are people in the United States. Very often we’re talking about street gang members in the U.S. who use their purchased “dumps” — the data copied from the magnetic stripes of cards swiped through hacked point-of-sale systems — to make counterfeit copies of the cards. They then use the counterfeit cards in big-box stores to buy merchandise that they can easily resell for cash, such as gift cards, Apple devices and gaming systems.

When most of your clientele are street thugs based in the United States, it helps to leverage a brand strongly associated with America because you gain instant brand recognition with your customers. Also, a great many of these card shops are run by Russians and hosted at networks based in Russia, and the abuse of trademarks closely tied to the U.S. economy is a not-so-subtle “screw you” to American consumers.

In some cases, the guys running these card shops are openly hostile to the United States. Loyal readers will recall the stolen credit card shop “Rescator” — which was the main source of cards stolen in the Target, Home Depot and Sally Beauty breaches (among others) — was tied to a Ukrainian man who authored a nationalistic, pro-Russian blog which railed against the United States and called for the collapse of the American economy.

In deconstructing the 2014 breach at Sally Beauty, I interviewed a former Sally Beauty corporate network administrator who said the customer credit cards being stolen with the help of card-stealing malware installed on Sally Beauty point-of-sale devices that phoned home to a domain called “anti-us-proxy-war[dot]com.”

Trump’s Dumps currently advertises more than 133,000 stolen credit and debit card dumps for sale. The prices range from just under $10 worth of Bitcoin to more than $40 in Bitcoin, depending on which bank issued the card, the cardholder’s geographic location, and whether the cards are tied to premium, prepaid, business or executive accounts.

A "state of the dumps" address on Trump's-Dumps.

A “state of the dumps” address on Trump’s-Dumps.

Continue reading →


27
Sep 16

Inside Arizona’s Pump Skimmer Scourge

Crooks who deploy skimming devices made to steal payment card details from fuel station pumps don’t just target filling stations at random: They tend to focus on those that neglect to deploy various tools designed to minimize such scams, including security cameras, non-standard pump locks and tamper-proof security tape. But don’t take my word for it: Here’s a look at fuel station compromises in 2016 as documented by the state of Arizona, which has seen a dramatic spike in fuel skimming attacks over the past year.

KrebsOnSecurity examined nearly nine months worth of pump skimming incidents in Arizona, where officials say they’ve documented more skimming attacks in the month of August 2016 alone than in all of 2015 combined.

With each incident, the Arizona Department of Agriculture’s Weights and Measures Services Division files a report detailing whether victim fuel station owners had observed industry best practices leading up to the hacks. As we can see from the interactive story map KrebsOnSecurity created below, the vast majority of compromised filling stations failed to deploy security cameras, and/or tamper-evident seals on the pumps.

Fewer still had changed the factory-default locks on their pumps, meaning thieves armed with a handful of master keys were free to unlock the pumps and install skimming devices at will.

These security report cards for fuel station owners aren’t complete assessments by any means. Some contain scant details about the above-mentioned precautionary measures, while other reports painstakingly document such information — complete with multiple photos of the skimming devices. Regardless, the data available show a clear trend of fraudsters targeting owners and operators that flout basic security best practices. Continue reading →


13
Sep 16

Secret Service Warns of ‘Periscope’ Skimmers

The U.S. Secret Service is warning banks and ATM owners about a new technological advance in cash machine skimming known as “periscope skimming,” which involves a specialized skimming probe that connects directly to the ATM’s internal circuit board to steal card data.

At left, the skimming control device. Pictured right is the skimming control device with wires protruding from the periscope.

At left, the skimming control device. Pictured right is the skimming control device with wires protruding from the periscope. These were recovered from a cash machine in Connecticut.

According to a non-public alert released to bank industry sources by a financial crimes task force in Connecticut, this is thought to be the first time periscope skimming devices have been detected in the United States. The task force warned that the devices may have the capability to remain powered within the ATM for up to 14 days and can store up to 32,000 card numbers before exhausting the skimmer’s battery strength and data storage capacity.

The alert documents the first known case of periscope skimming in the United States, discovered Aug. 19, 2016 at an ATM in Greenwich, Conn. A second periscope skimmer was reportedly found hidden inside a cash machine in Pennsylvania on Sept. 3. Continue reading →


3
Jun 16

Banks: Credit Card Breach at CiCi’s Pizza

CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.

cicisOver the past two months, KrebsOnSecurity has received inquiries from fraud fighters at more than a half-dozen financial institutions in the United States — all asking if I had any information about a possible credit card breach at CiCi’s. Every one of these banking industry sources said the same thing: They’d detected a pattern of fraud on cards that all had all been used in the last few months at various CiCi’s Pizza locations.

Earlier today, I finally got around to reaching out to the CiCi’s headquarters in Texas and was referred to a third-party restaurant management firm called Champion Management. When I called Champion and told them why I was inquiring, they said “the issue” was being handled by an outside public relations firm called SPM Communications.

I never did get a substantive response from SPM, which according to their email and phone messages closes at 1 pm on Fridays during the summer. So I decided to follow up on a tip I’d received from a fraud fighter at one affected bank who said they’d heard from the U.S. Secret Service that the fraud was related to a breach or security weakness at Datapoint (CiCi’s point-of-sale provider).

Incredibly, I went to look up the contact information for datapoint[dot]com, and found that Google was trying to prevent me from visiting this site: According to the search engine giant, Datapoint’s Web site appears to be compromised! It appears Google has listed the site as hacked and that it was once abused by spammers to promote knockoff male enhancement pills.  Continue reading →


12
Oct 15

Credit Card Breach at America’s Thrift Stores

Another charity store chain has been hacked: America’s Thrift Stores, an organization that operates donations-based thrift stores throughout the southeast United States, said this week that it recently learned it was the victim of a malware-driven security breach that targeted software used by a third-party service provider.

americasthrift“This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers,” the company’s CEO said in a statement. “This virus/malware, is one of several infecting retailers across North America.”

The statement continues:

“The U.S. Secret Service tells us that only card numbers and expiration dates were stolen. They do not believe any customer names, phone numbers, addresses or email addresses were compromised. This breach may have affected sales transactions between September 1, 2015 and September 27, 2015. If you used your credit or debit card during this time to purchase an item at any America’s Thrift Store location, the payment card number information on your card may have been compromised.”

Nevertheless, several banking sources say they have seen a pattern of fraud on cards all used at America’s Thrift Stores locations indicating that thieves have been able to use the data stolen from the compromised point-of-sale devices to counterfeit new cards.

Founded in 1984, America’s Thrift Stores is a for-profit thrift store and operates in the southeastern United States. The company is headquartered in Birmingham, Alabama and operates stores in Alabama, Georgia, Tennessee, Mississippi and Louisiana. According to the company’s site, the organization employs over 1,000 employees and pays over $4 million to its non- profit partners annually, as it turns donated items into revenue for their missions.

The breach involving America’s Thrift Stores comes on the heels of a similar incident at Goodwill last year. That incident was tied back to security weaknesses at third-party payment vendor C&K Systems, although there is no indication yet which third-party service provider may be at fault in the America’s Thrift Stores breach.

America's Thrift Store Locations.
America’s Thrift Store Locations.

15
Jul 15

ID Theft Service Proprietor Gets 13 Years

A Vietnamese man who ran an online identity theft service that sold access to Social Security numbers and other personal information on more than 200 million Americans has been sentenced to 13 years in a U.S. prison.

Vietnamese national Hieu Minh Ngo was sentenced to 13 years in prison for running an identity theft service.

Vietnamese national Hieu Minh Ngo was sentenced to 13 years in prison for running an identity theft service.

Hieu Minh Ngo, 25, ran an ID theft service variously named Superget.info and findget.me. Ngo admitted hacking into or otherwise illegally gaining access to databases belonging to some of the world’s largest data brokers, including a Court Ventures, a subsidiary of the major consumer credit bureau Experian.

Ngo’s service sold access to “fullz,” the slang term for packages of consumer data that could be used to commit identity theft in victims’ names. The government says Ngo made nearly $2 million from his scheme.

The totality of damage caused by his more than 1,300 customers is unknown, but it is clear that Ngo’s service was quite popular among ID thieves involved in filing fraudulent tax refund requests with the U.S. Internal Revenue Service (IRS). According to the Justice Department, the IRS has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns. Continue reading →


19
Mar 15

Convicted Tax Fraudster & Fugitive Caught

Lance Ealy, an Ohio man who fled home confinement last year just prior to his conviction on charges of filing phony tax refund requests on more than 150 Americans, was apprehended in a pre-dawn raid by federal marshals in Atlanta on Wednesday.

Lance Ealy, in self-portrait he uploaded to twitter before absconding.

Lance Ealy, in self-portrait he uploaded to twitter before absconding.

Ealy, 28, of Dayton, Ohio, was the subject of no fewer than three previous posts on this blog. Ealy reached out to me in February 2014, after being arrested by the U.S. Secret Service for using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by a guy named Hieu Minh Ngo.

Ngo is a Vietnamese national who, for several years, ran an online identity theft service called Superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty last year to running the ID theft service, and the government has been working on rounding up his customers ever since.

Mr. Ealy was one of several individuals found guilty of identity theft charges after buying from Ngo’s service, which relied in part on data obtained through a company owned by big-three credit bureau Experian.

After being indicted on 46 counts of fraudulent activity, Ealy fired his attorney and chose to represent himself in court. In mid-November 2014 — just days before the jury in his trial was to issue its guilty verdict — Ealy slipped his ankle monitor and skipped town, but not before posting a taunting selfie to his Twitter account.

In the four months since his disappearance, investigators caught glimpses of Ealy jumping online as he made his way south to Atlanta. Incredibly, Ealy took time to file several lengthy pro se legal arguments (PDF) stating why the judge in the case was not impartial and that he deserved a retrial. When federal officials prosecuting his case responded (PDF) incredulously to his request, Ealy took it upon himself to file a response (PDF) to their motion for dismissal — all while on the lam.

Investigators close to the case say Ealy continued filing false tax refund requests while on the run from the law. But instead of turning to an underground identity theft service as he did previously, investigators say Ealy appears to have paid numerous inmates serving time in Ohio prisons for permission to file tax refund requests on their behalf with the Internal Revenue Service (IRS) — topping up the inmates’ commissary funds to the tune of $100 per filing while pocketing the rest of the fraudulent refunds.

According to whio.com, Ealy remains in the Northern District of Georgia until he can be extradited.


8
Dec 14

Toward a Breach Canary for Data Brokers

When a retailer’s credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we’ll examine one idea to hold consumer data brokers more accountable.

breachcanarySome of the biggest retail credit card breaches of the past year — including the break-ins at Target and Home Depot — were detected by banks well before news of the incidents went public. When cards stolen from those merchants go up for sale on underground cybercrime shops, the banks often can figure out which merchant got hacked by acquiring a handful of their cards and analyzing the customer purchase history of those accounts. The merchant that is common to all stolen cards across a given transaction period is usually the breached retailer.

Sadly, this process of working backwards from stolen data to breach victim generally does not work in the case of breached data brokers that trade in Social Security information and other data, because too often there are no unique markers in the consumer data that would indicate from where the information was obtained.

Even in the handful of cases where underground crime shops selling consumer personal data have included data points in the records they sell that would permit that source analysis, it has taken years’ worth of very imaginative investigation by law enforcement to determine which data brokers were at fault. In Nov. 2011, I wrote about an identity theft service called Superget[dot]info, noting that “each purchasable record contains a two- to three-letter “sourceid,” which may provide clues as to the source of this identity information.”

Unfortunately, the world didn’t learn the source of that ID theft service’s data until 2013, a year after U.S. Secret Service agents arrested the site’s proprietor — a 24-year-old from Vietnam who was posing as a private investigator based in the United States. Only then were investigators able to determine that the source ID data matched information being sold by a subsidiary of big-three credit bureau Experian (among other data brokers that were selling to the ID theft service). But federal agents made that connection only after an elaborate investigation that lured the proprietor of that shop out of Vietnam and into a U.S. territory.

Meanwhile, during the more than six years that this service was in operation, Superget.info attracted more than 1,300 customers who paid at least $1.9 million to look up Social Security numbers, dates of birth, addresses, previous addresses, email addresses and other sensitive information on consumers, much of it used for new account fraud and tax return fraud.

Investigators got a lucky break in determining the source of another ID theft service that was busted up and has since changed its name (more on that in a moment). That service — known as “ssndob[dot]ru” — was the service used by exposed[dot]su, a site that proudly displayed the Social Security, date of birth, address history and other information on dozens of Hollywood celebrities, as well as public officials such as First Lady Michelle Obama, then FBI Director Robert Mueller, and CIA Director John Brennan.

As I explained in a 2013 exclusive, civilian fraud investigators working with law enforcement gained access to the back-end server that was being used to handle customer requests for consumer information. That database showed that the site’s 1,300 customers had spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Although four million consumer records may seem like a big number, that figure did not represent the total number of consumer records available through ssndob[dot]ru. Rather, four million was merely the number of consumer records that the service’s customers had paid the service to look up. In short, it appeared that the ID theft service was drawing on active customer accounts inside of major consumer data brokers.

Investigators working on that case later determined that the same crooks who were running ssndob[dot]ru also were operating a small, custom botnet of hacked computers inside of several major data brokers, including LexisNexis, Dun & Bradstreet, and Kroll. All three companies acknowledged infections from the botnet, but shared little else about the incidents.

Despite their apparent role in facilitating (albeit unknowingly) these ID theft services, to my knowledge the data brokers involved have never been held publicly accountable in any court of law or by Congress.

CURRENT ID THEFT SERVICES

At present, there are multiple shops in the cybercrime underground that sell everything one would need to steal someone’s identity in the United States or apply for new lines of credit in their name — including Social Security numbers, addresses, previous addresses, phone numbers, dates of birth, and in some cases full credit history. The price of this information is shockingly low — about $3 to $5 per record.

KrebsOnSecurity conducted an exhaustive review of consumer data on sale at some of the most popular underground cybercrime sites. The results show that personal information on some of the most powerful Americans remains available for just a few dollars. And of course, if one can purchase this information on these folks, one can buy it on just about anyone in the United States today.

As an experiment, this author checked two of the most popular ID theft services in the underground for the availability of Social Security numbers, phone numbers, addresses and previous addresses on all members of the Senate Commerce Committee‘s Subcommittee on Consumer Protection, Product Safety and Insurance. That data is currently on sale for all thirteen Democrat and Republican lawmakers on the panel.

Between these two ID theft services, the same personal information was for sale on Edith Ramirez and Richard Cordray, the heads of the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), respectively. Continue reading →