Giftpixon is a Nigerian blogger and an investigative reporter, focusing mainly on computer problems and cyber criminal activities on and around the world.
<h2 class="post-title">
Oct 15 IBM Runs World’s Worst Spam-Hosting ISP?</h2>
Published: 2015-11-10T07:17:00-08:00<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
This author has long sought to shame Web hosting and Internet service
providers who fail to take the necessary steps to keep spammers,
scammers and other online ne’er-do-wells off their networks. Typically,
the companies on the receiving end of this criticism are little-known
Internet firms. But according to anti-spam activists, the title of the
Internet’s most spam-friendly provider recently has passed to networks
managed by <strong>IBM</strong> — one of the more recognizable and trusted names in technology and security.<br />
In March 2010, not long after I began working on my new book <em><a href="http://www.amazon.com/Spam-Nation-Organized-Cybercrime---Epidemic/dp/1402295618/ref=sr_1_1?ie=UTF8&qid=1400765293&sr=8-1&keywords=spam+nation" target="_blank">Spam Nation: The Inside Story of Organized Cybercrime, From Global Epidemic to Your Front Door</a>, </em>I ran a piece titled <a href="http://krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps/" target="_blank">Naming and Shaming Bad ISPs</a>.
That story drew on data from 10 different groups that track spam and
malware activity by ISP. At the time, a cloud computing firm called <strong>Softlayer</strong> was listed prominently in six out of 10 of those rankings.<br />
In June 2013, Softlayer was acquired by IBM. (<strong>Update: Oct. 31, 11:43 p.m. ET:</strong> As reader <a href="http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/comment-page-1/#comment-394397" target="_blank">Alex</a> and others have pointed out, another ISP listed prominently in this chart below — <strong>ThePlanet</strong> — is now also part of IBM/Softlayer).<br />
<div class="wp-caption aligncenter" id="attachment_32621" style="width: 590px;">
<a class="lightbox cboxElement" href="http://krebsonsecurity.com/wp-content/uploads/2015/10/badisp2010.png"><img alt="The top spam-friendly ISPs and hosting providers in early 2010." class="size-medium wp-image-32621" height="247" src="http://krebsonsecurity.com/wp-content/uploads/2015/10/badisp2010-580x247.png" width="580" /></a><div class="wp-caption-text">
The
top spam-friendly ISPs and hosting providers in early 2010. Softlayer
and ThePlanet both listed prominently in the top 10, and both are now
owned by IBM/Softlayer.</div>
</div>
<em>Original story:</em><br />
Softlayer gradually cleaned up its act, and began responding more
quickly to abuse reports filed by anti-spammers and security
researchers. In July 2013, the company was acquired by IBM. More
recently, however, the trouble at networks managed by Softlayer has
returned. Last month, anti-spam group Spamhaus.org <em>listed Softlayer as the “#1 spam hosting ISP,”</em> putting Softlayer at the very top of its <a href="https://www.spamhaus.org/statistics/networks/" target="_blank">World’s Worst Spam Support ISPs</a> index. Spamhaus said the number of abuse issues at the ISP has “rapidly reached rarely previously seen numbers.”<br />
Contacted by KrebsOnSecurity, Softlayer for several weeks did not
respond to requests for comment. After reaching out to IBM earlier this
week, I received the following statement from Softlayer Communications
Director <strong>Andre Fuochi</strong>:<br />
“With the growth of Softlayer’s global footprint, as expected with
any fast growing service, spammers have targeted our platform. We are
aggressively working with authorities, groups like The Spamhaus Project,
and IBM Security analysts to shut down this recent, isolated spike.
Just in the past month we’ve shut down 95 percent of the spam accounts
identified by Spamhaus, and continue to actively eliminate this
activity.”<span id="more-32398"></span><br />
<a class="lightbox cboxElement" href="http://krebsonsecurity.com/wp-content/uploads/2015/10/top10spamhaus.png"><img alt="top10spamhaus" class="alignright wp-image-32624" height="424" src="http://krebsonsecurity.com/wp-content/uploads/2015/10/top10spamhaus.png" width="303" /></a>But
according to Spamhaus, Softlayer still has more than 600 abuse issues
that remain unaddressed. Spamhaus says it is true that Softlayer has been
responding to its abuse complaints, but that the scammers and spammers
are moving much faster.<br />
In a blog post published earlier this month, Spamhaus explained that
the bulk of the trouble appears to have come from cybercriminal
customers in Brazil who have been rapidly registering large numbers of
domain names daily tied to fake but plausible-sounding companies or
organizations.<br />
“This Brazilian malware gang was so active that many listed
[Softlayer Internet] ranges were being reassigned to the same spam gang
immediately after re-entering the pool of available [Internet]
addresses,” Spamhaus explained. “After observing the same [Internet]
address ranges being reassigned repeatedly to the same spammers,
Spamhaus contacted the SoftLayer abuse department and told them that
[Spamhaus listings] for these specific issues would not be removed until
SoftLayer was able to get control of the overall problem with these
spammers.”<br />
Spamhaus said it doesn’t know why Softlayer is having this problem, but it has a few guesses.<br />
“We believe that SoftLayer, perhaps in an attempt to extend their
business in the rapidly-growing Brazilian market, deliberately relaxed
their customer vetting procedures,” the organization posited.
“Cybercriminals from Brazil took advantage of SoftLayer’s extensive
resources and lax vetting procedures. In particular, the malware
operation exploited loopholes in Softlayer’s automated provisioning
procedures to obtain an impressive number of IP address ranges, which
they then used to send spam and host malware sites. Unfortunately, what
happened to Softlayer can easily happen to any ISP that makes certain
unwise choices.”<br />
IBM/Softlayer did not comment on those allegations. But as I show in my book, <em>Spam Nation</em>,
spammers and malware purveyors continuously seek out and patronize ISPs
and hosting providers which erect the fewest barriers to rapidly
setting up massive numbers of scammy sites simultaneously.<br />
It is true that if you make it harder for spammers to operate, they
don’t just go away; rather, they move someplace else where it’s easier
to ply their trade. But there is little reason that these Internet
bottom feeders should have made a home for themselves at a company owned
by IBM, which <a href="http://www-03.ibm.com/press/us/en/pressrelease/47087.wss" target="_blank">bills itself</a> as the fastest growing vendor in the worldwide security software market. <a href="http://dictionary.reference.com/browse/physician--heal-thyself" target="_blank">Physician: Heal Thyself!</a><br />
<strong>Update, 10:39 p.m. ET:</strong> Since this story was published, I heard from <a href="http://www.cloudmark.com/" target="_blank">Cloudmark</a>, another company which tracks global spam activity. According to Cloudmark, SoftLayer’s network (<a href="http://bgp.he.net/AS36351" target="_blank">Autonomous System Number AS36351</a>)
was the largest source of spam in the world in Q3 2015. Cloudmark
researchers also observed that a whopping 42 percent of all outbound
email from SoftLayer was spam. “Current spam layers from SoftLayer are
600 percent higher than they were one year ago,” the company said in an
email to KrebsOnSecurity. “Legitimate email volume is also up 180
percent, indicating an overall rapid growth in terms of outbound
email.”</div>
<h2 class="post-title">
How Carders Can Use eBay as a Virtual ATM</h2>
Published: 2015-11-10T07:15:00-08:00<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on <strong>eBay</strong>
that they don’t yet own. Once the auction is over, the auction
fraudster uses stolen credit card data to buy the merchandise from an
e-commerce store and have it shipped to the auction winner. Because the
auction winners actually get what they bid on and unwittingly pay the
fraudster, very often the only party left to dispute the charge is the
legitimate cardholder.<br />
So-called “<strong>triangulation fraud</strong>” — scammers using
stolen cards to buy merchandise won at auction by other eBay members —
is not a new scam. But it’s a crime that’s getting more sophisticated
and automated, at least according to a victim retailer who reached out
to KrebsOnSecurity recently after he was walloped in one such fraud
scheme.<br />
The victim company — which spoke on condition of anonymity — has a
fairly strong e-commerce presence, and is growing rapidly. For the past
two years, it was among the Top 500 online retailers as ranked by <strong>InternetRetailer.com</strong>.<br />
The company was hit with over 40 orders across three weeks for
products that later traced back to stolen credit card data. The
victimized retailer said it was able to stop a few of the fraudulent
transactions before the items shipped, but most of the sales were losses
that the victim firm had to absorb.<br />
<div class="wp-caption aligncenter" id="attachment_32692" style="width: 590px;">
<a class="lightbox cboxElement" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/triangulationfraud.png"><img alt="Triangulation fraud. Image: eBay Enterprise." class="size-medium wp-image-32692" height="318" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/triangulationfraud-580x318.png" width="580" /></a><div class="wp-caption-text">
Triangulation fraud. Image: eBay Enterprise.</div>
</div>
The scheme works like this: An auction fraudster sets up one (or
multiple) eBay accounts and sells legitimate products. A customer buys
the item from the seller (fraudster) on eBay and the money gets
deposited in the fraudster’s <strong>PayPal</strong> account.<br />
The fraudster then takes the eBay order information to another online
retailer which sells the same item, buys the item using stolen credit
card data, and has the item shipped to the address of the eBay customer
that is expecting the item. The fraudster then walks away with the
money.<br />
One reason this scheme is so sneaky is that the eBay customers are
happy because they got their product, so they never complain or question
the company that sent them the product. For the retailer, the order
looks normal: the customer contact info in the order form is only partially
accurate. It has the customer’s correct shipping address and name, but
may list a phone number that goes somewhere else — perhaps to a
voicemail owned and controlled by the fraudster.<br />
“For the retailer who ships thousands of orders every day, this
fraudulent activity really doesn’t raise any red flags,” my source —
we’ll call him “Bill,” — told me. “The only way they eventually find out
is with a sophisticated fraud screening program, or when the
‘chargeback’ from Visa or MasterCard finally comes to them from the
owner of the stolen card.”<br />
In an emailed statement, eBay said the use of stolen or fraudulent
credit card numbers to purchase goods on eBay is by no means unique to
eBay.<br />
“We believe collaboration and cooperation is the best way to combat
fraud and organized retail crime of this nature, working in partnership
with retailers and law enforcement,” wrote <strong>Ryan Moore</strong>,
eBay’s senior manager of global corporate affairs. Detecting this type
of fraud, Moore said, “relies heavily on the tools that merchants use
themselves, which includes understanding their customers and
implementing the correct credit card authorization protocols.”<br />
Moore declined to discuss the technology and approaches that eBay uses
to fight triangulation fraud — saying eBay doesn’t want to tip its hand to
cybercriminals. But he said the company uses internal tools and risk
models to identify suspicious activity on its platform, and that it
trains hundreds of retailers and law enforcement on various types of
fraud, including triangulation fraud.<br />
<span style="text-decoration: underline;">QUAD FRAUD?</span><br />
Moore pointed to <a href="http://www.ebayenterprise.com/blog/retail-strategy-and-best-practices/understanding-triangulation-fraud" target="_blank">one education campaign on eBay’s site</a>,
which adds another wrinkle to this fraud scheme: Very often the people
listing the item for sale on eBay are existing, long-time eBay members
with good standing who get recruited to sell items via work-at-home job
scams. These schemes typically advertise that the seller gets to keep a
significant cut of the sale price — typically 30 percent.<br />
<div class="wp-caption aligncenter" id="attachment_32693" style="width: 590px;">
<a class="lightbox cboxElement" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/ebaymules.png"><img alt="A recruitment email from a work-at-home job scam that involves respondents in triangulation fraud. Source: eBay" class="size-medium wp-image-32693" height="461" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/ebaymules-580x461.png" width="580" /></a><div class="wp-caption-text">
A recruitment email from a work-at-home job scam that involves respondents in triangulation fraud. Source: eBay</div>
</div>
Interestingly, the guy selling carded goods stolen from Bill’s company
has been on eBay for more than a decade and has a near-perfect customer
feedback score. That seller is not being referenced in this story
because his feedback page directly links to transactions from Bill’s
company.<span id="more-32675"></span><br />
Bill said he believes fraudsters targeted his company because it is
relatively small, and is less likely to rely on sophisticated fraud
tools that can sort out fraudulent orders. In his company’s case, it
wasn’t spending any money on such fraud prevention tools until all this
eBay fraud started.<br />
<div class="p1">
<span class="s1">“It wasn’t a huge order size, just random
products we sell,” Bill said. “They’re going after us as a medium-sized
retailer because we’re not yet to the size where we have all the fraud
software built-in.”</span></div>
<div class="p1">
<span style="text-decoration: underline;">TRI-FRAUD BOTS?</span></div>
<div class="p1">
According to Bill, the company thought it had figured out a
fraud pattern to help block future phony charges, which it found all
came from different Internet addresses at Amazon’s <a href="https://aws.amazon.com/ec2/" target="_blank"><strong>Elastic Compute Cloud</strong> (EC2) service</a>.
But he said the fraud didn’t stop until the company started blocking
purchases made from servers hosted at Amazon’s EC2 service. After that
block was put in place, visitors coming from EC2 servers could still
browse the site, but they would be blocked from placing orders.</div>
<div class="p1">
Bill said he believes the orders may have been placed by
automated “bot” programs running on instances of Amazon’s EC2 platform
(instances that were also likely paid for with stolen card data).</div>
<div class="p1">
<span class="s1">“The fraud kept going until we put in
some things that blocked his bots at Amazon EC2 from transacting with
our site,” Bill said. </span></div>
<div class="p1">
Bill allowed that he can’t prove it wasn’t just a human
manually transacting from all those EC2 systems. However, another
security measure that Bill’s company established to fight triangulation
fraud lends credence to the theory that some sort of automated EC2-based
bots may indeed be involved in placing the unauthorized product orders.
Bill’s firm put new data fields in the part of the checkout process
where customers type in their name and address. This trick uses data
fields that are hidden from regular Web site visitors but that are still
visible on the site to computers and Web crawlers.</div>
<div class="p1">
The idea is to separate orders made by humans from those
entered by automated bots. Although the latter may dutifully supply some
phony requested data in the new data fields, legitimate, human
customers would never input data into those extra fields because they
can’t see the information being requested in the first place.</div>
<div class="p1">
“Blocking EC2 purchases and the data fields have worked
really well blocking this fraudster’s bots from spamming our email
forms,” Bill said.</div>
<div class="p1">
Bill’s company also just signed up with <strong>MaxMind</strong>,
a company that gives retailers multiple clues about potentially
fraudulent orders based on the geography of the order. For example, was
the order placed from an Internet address that is located near the
shipping address?</div>
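The three checks Bill’s company describes (the hidden honeypot fields that only a bot fills in, the block on orders placed from EC2 addresses, and the MaxMind-style comparison of the order’s IP geolocation with its shipping address) can be combined into a single server-side screening step at checkout. The following is an added example and is not code from the retailer, eBay or MaxMind: the honeypot field names, the blocked address range and the IP-to-coordinate table are constructed stand-ins (a real deployment would load Amazon’s published address ranges and a real geolocation database), and the 500 km review threshold is an assumption.

```python
import ipaddress
import math
from dataclasses import dataclass, field

# Honeypot inputs: present in the checkout HTML but hidden from human visitors
# by CSS, so only a bot that fills every field will populate them.
# Constructed names; the retailer's actual field names are not on the page.
HONEYPOT_FIELDS = ("company_fax", "alt_email")

# Constructed stand-in for "addresses belonging to a cloud provider". In
# production, load the provider's published ranges instead of this one block.
BLOCKED_CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed stand-in for a MaxMind-style IP -> (latitude, longitude) lookup.
GEO_DB = {
    "198.51.100.7": (40.7128, -74.0060),   # resolves to New York
    "203.0.113.9": (47.6062, -122.3321),   # resolves to Seattle
}


@dataclass
class Order:
    source_ip: str
    form: dict          # raw POSTed checkout fields, as received
    ship_coords: tuple  # (lat, lon) of the geocoded shipping address


@dataclass
class Verdict:
    allow: bool
    reasons: list = field(default_factory=list)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def honeypot_tripped(form):
    """A human cannot see the honeypot inputs, so any non-blank value is a bot."""
    return any(form.get(name, "").strip() for name in HONEYPOT_FIELDS)


def from_blocked_cloud(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_CLOUD_RANGES)


def geo_distance_km(ip, ship_coords):
    """Distance between the IP's geolocation and the shipping address, or None
    when the IP is not in the lookup table."""
    loc = GEO_DB.get(ip)
    return None if loc is None else haversine_km(loc, ship_coords)


def screen_order(order, max_distance_km=500.0):
    """Honeypot or blocked-cloud hits reject the order outright; a large
    IP-to-shipping distance is only flagged for manual review."""
    v = Verdict(allow=True)
    if honeypot_tripped(order.form):
        v.allow = False
        v.reasons.append("hidden honeypot field was filled in")
    if from_blocked_cloud(order.source_ip):
        v.allow = False
        v.reasons.append("checkout from a blocked cloud-provider address")
    d = geo_distance_km(order.source_ip, order.ship_coords)
    if d is not None and d > max_distance_km:
        v.reasons.append(f"IP geolocation is {d:.0f} km from shipping address")
    return v


if __name__ == "__main__":
    # Constructed bot-like order: cloud IP, honeypot filled, ships across the country.
    bot = Order("203.0.113.9", {"name": "Jane Doe", "company_fax": "555-0100"},
                (40.7128, -74.0060))
    print(screen_order(bot))
```

Browsing is unaffected by any of these checks; they run only when an order is submitted, which matches how Bill’s block was applied. The distance check deliberately does not reject on its own, because travellers and VPN users legitimately order from far away.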
<div class="p1">
For its part, eBay says merchants can fight triangulation
fraud by focusing on the products being sold by suspect eBay accounts.
“Collaborate with auction and marketplaces that are known to have
fraudulent sellers,” the company said in its tri-fraud primer.
“Together, you may be able to uncover additional orders that may be part
of the scam to help identify fraudulent sellers and/or employers.”</div>
<div class="p1">
Has your company or credit card been victimized by triangulation fraud? Sound off in the comments below about your experience.</div>
<div class="p1">
Tags: <a href="http://krebsonsecurity.com/tag/amazon/" rel="tag">Amazon</a>, <a href="http://krebsonsecurity.com/tag/ebay/" rel="tag">eBay</a>, <a href="http://krebsonsecurity.com/tag/ec2/" rel="tag">EC2</a>, <a href="http://krebsonsecurity.com/tag/internetretailer-com/" rel="tag">Internetretailer.com</a>, <a href="http://krebsonsecurity.com/tag/maxmind/" rel="tag">MaxMind</a>, <a href="http://krebsonsecurity.com/tag/paypal/" rel="tag">Paypal</a>, <a href="http://krebsonsecurity.com/tag/triangulation-fraud/" rel="tag">triangulation fraud</a> </div>
</div>
<h2 class="post-title">
Ransomware Now Gunning for Your Web Sites</h2>
Published: 2015-11-10T07:05:00-08:00<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
One of the more common and destructive computer crimes to emerge over the past few years involves <strong>ransomware </strong>— malicious
code that quietly scrambles all of the infected user’s documents and
files with very strong encryption. A ransom, to be paid in Bitcoin, is
demanded in exchange for a key to unlock the files. Well, now it appears
fraudsters are developing ransomware that does the same but for Web
sites — essentially holding the site’s files, pages and images for
ransom.<br />
<div class="wp-caption aligncenter" id="attachment_32771" style="width: 590px;">
<a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/ransomware-kav.png"><img alt="Image: Kaspersky Lab" class="size-medium wp-image-32771" height="438" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/ransomware-kav-580x438.png" width="580" /></a><div class="wp-caption-text">
Image: Kaspersky Lab</div>
</div>
This latest criminal innovation, innocuously dubbed “<a href="http://vms.drweb.com/virus/?i=7704004&lng=en" target="_blank">Linux.Encoder.1</a>” by Russian antivirus and security firm <strong>Dr.Web</strong>, targets sites powered by the Linux operating system. The file currently has <a href="https://www.virustotal.com/en/file/fd042b14ae659e420a15c3b7db25649d3b21d92c586fe8594f88c21ae6770956/analysis/" target="_blank">almost zero detection</a> when scrutinized by antivirus products at <strong>Virustotal.com</strong>, a free tool for scanning suspicious files against dozens of popular antivirus products.<br />
Typically, the malware is injected into Web sites via known
vulnerabilities in site plugins or third-party software — such as
shopping cart programs. Once on a host machine, the malware will encrypt
all of the files in the “home” directories on the system, as well
backup directories and most of the system folders typically associated
with Web site files, images, pages, code libraries and scripts.<br />
The ransomware problem is costly, hugely disruptive, and growing. In June, the <strong>FBI</strong> <a href="http://www.ic3.gov/media/2015/150623.aspx" target="_blank">said</a>
it received 992 CryptoWall-related complaints in the preceding year,
with losses totaling more than $18 million. And that’s just from those
victims who reported the crimes to the U.S. government; a huge
percentage of cybercrimes never get reported at all.<br />
ONE RECENT VICTIM<br />
On Nov. 4, the Linux Web site ransomware infected a server used by professional Web site designer <strong>Daniel Macadar</strong>.
The ransom message was inside a plain text file called “instructions to
decrypt” that was included in every file directory with encrypted
files:<br />
“To obtain the private key and php script for this computer, which
will automatically decrypt files, you need to pay 1 bitcoin(s) (~420
USD),” the warning read. “Without this key, you will never be able to
get your original files back.”<br />
Macadar said the malware struck a development Web server of his that
also hosted Web sites for a couple of longtime friends. Macadar was
behind on backing up the site and the server, and the attack had
rendered those sites unusable. He said he had little choice but to pay
the ransom. But it took him some time before he was able to figure out
how to open and fund a Bitcoin account.<br />
“I didn’t have any Bitcoins at that point, and I was never planning to do anything with Bitcoin in my life,” he said.<br />
According to Macadar, the instructions worked as described, and about
three hours later his server was fully decrypted. However, not
everything worked the way it should have.<br />
“There’s a decryption script that puts the data back, but somehow it
ate some characters in a few files, adding like a comma or an extra
space or something to the files,” he said.<br />
Macadar said he hired <strong>Thomas Raef</strong> — owner of Web site security service <a href="https://www.wewatchyourwebsite.com/" target="_blank">WeWatchYourWebsite.com</a> — to
help secure his server after the attack, and to figure out how the
attackers got in. Raef told me his customer’s site was infected via an
unpatched vulnerability in <strong>Magento</strong>, a shopping cart software that many Web sites use to handle ecommerce payments.<br />
<strong>CheckPoint</strong> <a href="http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/" target="_blank">detailed this vulnerability</a>
back in April 2015, and Magento issued a fix, yet many smaller ecommerce
sites fall behind on critical updates for third-party applications like
shopping cart software. Also, there <a href="http://osvdb.org/search/search?search%5Bvuln_title%5D=linux&search%5Btext_type%5D=titles&search%5Brefid%5D=magento&search%5Breferencetypes%5D=&kthx=search" target="_blank">are likely other exploits published recently</a> that can expose a Linux host and any associated Web services to attackers and to site-based ransomware.<span id="more-32761"></span><br />
<span style="text-decoration: underline;">INNOVATIONS FROM THE UNDERGROUND</span><br />
This new Linux Encoder malware is just one of several recent innovations in ransomware. As described by Romanian security firm <strong>Bitdefender</strong>, the latest version of the <strong>CryptoWall</strong> crimeware package (yes, it is actually named<strong> CryptoWall 4.0</strong>) displays a redesigned ransom message that also now<em> encrypts the names of files</em> along with each file’s data! Each encrypted file has a name made up of random numbers and letters.<br />
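Two of the indicators described in this post, the “instructions to decrypt” note dropped into every directory the Linux ransomware encrypted and CryptoWall 4.0’s renaming of files to random letters and digits, are things an administrator can look for from a backup host or rescue shell before deciding whether a site is still intact. The following scanner is an added example, not code from Dr.Web, Bitdefender or any of the firms named here. The random-name heuristic (a stem of eight or more characters mixing letters and digits, with an extension a web root would not normally hold), the per-directory thresholds and the extension list are assumptions, and the sample tree it builds under a temporary directory is constructed.

```python
import os
import re
import tempfile

# The note file quoted in the post; Linux.Encoder.1 left one in every
# directory it encrypted. Names are compared case-insensitively.
RANSOM_NOTE_NAMES = {"instructions to decrypt"}

# Heuristic for CryptoWall 4.0-style renamed files (an assumption, not a
# signature): a stem of 8+ characters mixing letters and digits, paired with
# an extension that a web root would not normally hold.
NORMAL_EXTENSIONS = {".html", ".php", ".css", ".js", ".png", ".jpg",
                     ".gif", ".txt", ".sql", ".gz", ".zip", ".pdf"}
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{8,}$", re.IGNORECASE)


def looks_random(filename):
    """True when a file name fits the random-letters-and-digits pattern."""
    stem, ext = os.path.splitext(filename)
    return ext.lower() not in NORMAL_EXTENSIONS and bool(RANDOM_STEM.match(stem))


def scan_tree(root, min_files=3, ratio_threshold=0.5):
    """Walk root and return (directory, has_note, random_ratio) for every
    directory that holds a ransom note or whose file names are mostly
    random-looking. Thresholds are assumptions; tune them per tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_note = any(f.lower() in RANSOM_NOTE_NAMES for f in files)
        others = [f for f in files if f.lower() not in RANSOM_NOTE_NAMES]
        ratio = sum(looks_random(f) for f in others) / len(others) if others else 0.0
        if has_note or (len(others) >= min_files and ratio >= ratio_threshold):
            findings.append((dirpath, has_note, round(ratio, 2)))
    return findings


def build_sample_tree():
    """Constructed sample: one clean site directory and one that looks encrypted.
    Returns the temporary root; nothing here touches a real web root."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    clean = os.path.join(root, "clean-site")
    hit = os.path.join(root, "hit-site")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("index.html", "style.css", "app.js", "logo.png"):
        open(os.path.join(clean, name), "w").close()
    # Constructed names: one note, one survivor, three random-looking files.
    for name in ("instructions to decrypt", "index.html",
                 "7q3x9kz2wp.r4n", "a8b2c9d4e1", "z1y2x3w4v5.ab1"):
        open(os.path.join(hit, name), "w").close()
    return root


if __name__ == "__main__":
    for dirpath, has_note, ratio in scan_tree(build_sample_tree()):
        print(f"{dirpath}: note={has_note} random-name ratio={ratio}")
```

Point `scan_tree` at a mounted backup or a copy of the web root rather than at the live system, and treat a hit as a reason to isolate the host and restore from a backup taken before the finding, not as proof of which family is involved; the name heuristic will also flash on legitimately hashed upload names, which is why the note check and the per-directory ratio are reported separately.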
<strong>Update: 6:09 p.m. ET:</strong> Bitdefender has published a
blog post stating that the ransomware that is the subject of this post
contains a flaw that let the company decrypt files that were encrypted
by this malware. See their post <a href="http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/" target="_blank">here</a>.<br />
<em>Original story:</em><br />
And if you’re lucky, the ransomware that hits your computer or organization won’t be full of bugs: According to <a href="http://www.bbc.com/news/technology-34765484" target="_blank">the BBC</a>, a coding mistake in a new ransom threat called <strong>Power Worm</strong> means that victims won’t get their files back even if they pay up. <strong>Lawrence Abrams</strong>
over at BleepingComputer.com (one of the first blogs added to this
site’s blogroll) was the first to write about this innovation, and <a href="http://www.bleepingcomputer.com/news/security/shoddy-programming-causes-new-ransomware-to-destroy-your-data/" target="_blank">his writeup</a> is worth a read.<br />
Traditional ransomware attacks also are getting more expensive, at
least for new threats that currently are focusing on European (not
American) banks. According to security education firm <strong>KnowBe4</strong>,
a new ransomware attack targeting Windows computers starts as a
“normal” ransomware infection, encrypting both local and network files
and throwing up a ransom note for 2.5 Bitcoin (currently almost USD
$1,000). Here’s the kicker: In the ransom note that pops up on the
victim’s screen, the attackers claim that if they are not paid, they
will publish the files on the Internet.<br />
<div class="wp-caption alignright" id="attachment_23655" style="width: 237px;">
<a href="http://krebsonsecurity.com/wp-content/uploads/2013/11/cybercrimeinnovations.png"><img alt="Crim-innovations." class="size-medium wp-image-23655" height="400" src="http://krebsonsecurity.com/wp-content/uploads/2013/11/cybercrimeinnovations-227x400.png" width="227" /></a><div class="wp-caption-text">
Crim-innovations.</div>
</div>
<em>Well, that’s one way of getting your files back.</em> This is
the reality that dawns on countless people for the first time each day:
Fail to securely back up your files — whether on your computer or Web
site — and the bad guys may eventually back them up for you!<br />
Oh, the backup won’t be secure, and you probably won’t be able to
remove the information from the Internet if they follow through with
such threats.<br />
The tools for securely backing up computers, Web sites, data, and
even entire hard drives have never been more affordable and ubiquitous.
So there is zero excuse for not developing and sticking with a good
backup strategy, whether you’re a home user or a Web site administrator.<br />
<strong>PC World</strong> last year published <a href="http://www.pcworld.com/article/2095481/if-we-show-you-how-to-back-up-your-pc-for-free-will-you-finally-do-it.html" target="_blank">a decent guide</a>
for Windows users who wish to take advantage of the OS’s built-in
backup capabilities. I’ve personally used Acronis and Macrium products,
and find both do a good job making it easy to back up your rig. The main
thing is to get into a habit of doing regular backups.<br />
There are good guides all over the Internet showing users how to securely back up Linux systems (<a href="http://www.cyberciti.biz/open-source/awesome-backup-software-for-linux-unix-osx-windows-systems/" target="_blank">here’s one</a>). Other tutorials are more OS-specific. For example, <a href="http://xmodulo.com/backup-debian-system-backupninja.html" target="_blank">here’s a sensible backup approach</a> for <strong>Debian</strong>
servers. I’d like to hear from readers about their backup strategies —
what works — particularly from those who maintain Linux-based Web
servers like <strong>Apache</strong> and <strong>Nginx</strong>.<br />
It’s worth noting that the malware requires the compromised user
account on the Linux system to be an administrator; operating Web
servers and Web services as administrator is generally considered poor
security form, and threats like this one just reinforce why.<br />
Also, most ransomware will search for other network or file shares
that are attached or networked to the infected machine. If it can access
those files, it will attempt to encrypt them as well. It’s a good idea
to leave your backup medium disconnected from the system except when you
are actually backing up or restoring files.<br />
For his part, Macadar said he is rebuilding the compromised server
and now backing up his server in two places at once — using local,
on-site backup drives as well as remote (web-based) backup services.</div>
Location: Electrical Engineering Laboratory, Kwame Nkuruma Way, Nsukka, Nigeria<br />
<h2 class="post-title">
Oil Co. Wins $350,000 Cyberheist Settlement</h2>
Published: 2014-06-22T10:54:00-07:00<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="entry">
A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds.<br />
<strong><a href="http://krebsonsecurity.com/wp-content/uploads/2014/06/oilmoneysmall.png"><img alt="oilmoneysmall" class="alignright size-medium wp-image-26523" height="306" src="http://krebsonsecurity.com/wp-content/uploads/2014/06/oilmoneysmall-285x306.png" width="285" /></a>TRC Operating Co. Inc.</strong>, an oil production firm based in Taft, Calif., had its online accounts hijacked in an account takeover that began late in the day on Friday, November 10, 2011. Over the ensuing five days, the thieves sent a dozen fraudulent wires out of the company’s operating accounts, siphoning nearly $3.5 million to accounts in Ukraine.<br />
The oil firm’s financial institution, Fresno-based <strong>United Security Bank, </strong>successfully blocked or recalled all but one of the wires – for $299,000. Nevertheless, TRC later sued its bank to recover the remaining wire amount, arguing that USB failed to offer a commercially reasonable security procedure because the bank offered little more than a user name and password to help secure the account.<br />
“For all intents and purposes, they got a user name and password, but were never offered any other security,” said <a href="http://www.dincellaw.com/attorneys/julie-bonnel-rogers" target="_blank" title="http://www.dincellaw.com/attorneys/julie-bonnel-rogers">Julie Rogers</a>, an attorney for the <strong>Dincel Law Group</strong>, the San Jose firm that represented TRC in the dispute (as well as <a href="http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/" target="_blank" title="http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/">another California cyberheist victim</a> that successfully sued its bank for $400,000 in 2012). “TRC had a cash management liaison assigned to them by the bank who assured them that this was all safe and reliable.”<br />
Last week, just days before the case was set to go to trial, the insurance company for the bank settled the lawsuit, agreeing to cut a check for $350,000 to the oil company and with neither side admitting fault in the incident. Under California law, the most that any business can recover from a cyber fraud lawsuit is the amount stolen from its accounts — plus interest.<span id="more-26503"></span><br />
<strong>Dennis Woods</strong>, founder and CEO of United Security Bank, said the hack took place on TRC’s computers — not the bank’s — after an employee at TRC fell for a phishing scam. Further clarification indicates that the TRC employee likely had malware on his computer that deployed a “Web inject,” a malcode component that springs into action when the victim logs in at an online banking site.<br />
Web injects are so named because they inject code into the victim’s Web browser window, causing a pop-up screen that prompts the victim to enter additional sensitive information, such as a Social Security number, date of birth, and mother’s maiden name. Thieves use that information to change the victim’s account settings at the bank in ways that aid the subsequent cyberheist, such as resetting account access, adding authorized users and changing contact email addresses. For more on what a Web inject looks like, see <a href="https://www.youtube.com/watch?v=tJM8V3lfMj8" target="_blank" title="https://www.youtube.com/watch?v=tJM8V3lfMj8">this video</a>.<br />
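Added here as an illustration, not code from the original article or from any bank: a client-side page-integrity check of the kind a bank’s login page could run to notice the extra fields a Web inject adds. The function names (`findInjectedFields`, `watchForInjects`), the allowed field names, the hidden CSRF-token exception and the sample fields are all constructed assumptions.

```javascript
// Added example (not from the article): detect a "Web inject" by comparing the
// form fields actually present on a banking login page against the fields the
// page is supposed to have, and flagging extras that ask for data a login page
// never needs (SSN, date of birth, mother's maiden name, PIN).

// Assumed: the bank's login page legitimately has only these two fields.
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password']);

// Prompts a login page should never show; matched against name, label, placeholder.
const SENSITIVE_PATTERNS = [
  { label: 'ssn', re: /\bssn\b|social.?security/i },
  { label: 'dob', re: /\bdob\b|birth/i },
  { label: 'maiden', re: /maiden/i },
  { label: 'pin', re: /\bpin\b|atm/i },
];

// fields: [{ name, type, label, placeholder }] as harvested from the DOM.
// Returns every field not on the allowlist; `suspicious` is true when any of
// them asks for one of the sensitive items above.
function findInjectedFields(fields, expected = EXPECTED_LOGIN_FIELDS) {
  const unexpected = [];
  for (const f of fields) {
    const name = (f.name || '').toLowerCase();
    if (expected.has(name)) continue;
    // Assumed: the page's own hidden anti-CSRF token is the one extra field allowed.
    if (f.type === 'hidden' && name.startsWith('csrf')) continue;
    const text = [f.name, f.label, f.placeholder].filter(Boolean).join(' ');
    const hit = SENSITIVE_PATTERNS.find(p => p.re.test(text));
    unexpected.push({ name: f.name, type: f.type, sensitive: hit ? hit.label : null });
  }
  return { suspicious: unexpected.some(u => u.sensitive !== null), unexpected };
}

// Browser hook (not executed under Node): harvest every input under `root`
// (use document.body, since an inject may draw its pop-up outside the real
// form) and re-check on every DOM change, because injects run after page load.
function watchForInjects(root, onAlert) {
  const harvest = () => Array.from(root.querySelectorAll('input, select, textarea')).map(el => ({
    name: el.name || el.id || '',
    type: el.type || el.tagName.toLowerCase(),
    label: el.labels && el.labels.length ? el.labels[0].textContent.trim() : '',
    placeholder: el.placeholder || '',
  }));
  const check = () => {
    const report = findInjectedFields(harvest());
    if (report.suspicious) onAlert(report); // e.g. POST the report to the bank's fraud team
  };
  check();
  new MutationObserver(check).observe(root, { childList: true, subtree: true });
}

// Constructed sample: the real page, then the same page with the three extra
// prompts the article describes added by malware.
const CLEAN_PAGE = [
  { name: 'username', type: 'text', label: 'User name' },
  { name: 'password', type: 'password', label: 'Password' },
  { name: 'csrf_token', type: 'hidden', label: '' },
  { name: 'remember_me', type: 'checkbox', label: 'Remember me' }, // unexpected but harmless
];
const INJECTED_PAGE = CLEAN_PAGE.concat([
  { name: 'ssn', type: 'text', label: 'Social Security number' },
  { name: 'birthdate', type: 'text', label: 'Date of birth' },
  { name: 'mmn', type: 'text', label: "Mother's maiden name" },
]);

console.log(JSON.stringify(findInjectedFields(CLEAN_PAGE)));
console.log(JSON.stringify(findInjectedFields(INJECTED_PAGE), null, 2));
```

A check like this runs inside the same browser the malware controls, so it is a detection aid for the bank’s fraud team (report alerts server-side and correlate them with the session), not a replacement for the stronger account security the lawsuit argued the bank should have offered.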
Woods said he was disappointed with the insurance company settlement because it prevented the case from going to trial.<br />
“I was very eager for the court to say that customers can make all the agreements in the world but that they are not bound by them,” Woods said sarcastically. “TRC had signed up for an online banking product where they could automate certain things — sending wires, putting stop payments in, etc. — and when you do that, we come to your office, we train you, and you sign lots of agreements that state very clearly what the bank’s responsibilities are and what the customers’ are.”<a name='more'></a><br />
TRC attorney Rogers said the bank never proved the phishing claim, nor allegations (however likely) that the company’s servers were hacked.<br />
“It turns out the bank’s expert ended up writing an incident report blaming it all on TRC, but they never actually looked at the [allegedly compromised] TRC computer,” Rogers said.<br />
Lawyers, banks and oil companies. Many readers no doubt will have trouble shedding a tear for any of the parties involved in this dispute. But those who own their own businesses should take heed: Banking online carries serious risks. As we have seen <a href="http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank/" target="_blank" title="http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank/">time</a> and <a href="http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/" target="_blank" title="http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/">again</a>, a single virus infection can ruin your company. And I wouldn’t count on the lawyers to save your firm from the very real cost of a cyberheist: These court challenges can just as easily end up costing the victim business well more than their original loss (see <a href="http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-victims/" target="_blank" title="http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-victims/">Ruling Raises Stakes for Cyberheist Victims</a>).<br />
Businesses do not enjoy the same protections against cyberfraud that are afforded to consumer banking customers. If this is news to you, or if you’d just like some tips how to reduce your exposure to online banking fraud, please take a moment to read my recommendations here: <a href="http://krebsonsecurity.com/online-banking-best-practices-for-businesses/" target="_blank" title="http://krebsonsecurity.com/online-banking-best-practices-for-businesses/">Online Banking Best Practices for Businesses</a>.</div>
</div>
Giftpixon, 2014-01-01: The 10 most remarkable things that happened in Nigeria’s tech ecosystem<div><p dir="ltr">1. SPARK – Startups, Valuation, Funding, and Saga<br>
2013 saw the launch of <a href="http://spark.ng/"><u>Spark</u></a>, an initiative defined by co-founder Jason Njoku of iROKO Partners as a business that builds companies. With start-ups like ToLet.ng, Bus.ng and Drinks.ng setting out, and others like Hotels.ng, Giddimint and Kuluya Games joining the network of companies, Spark has taken the whole idea of a business incubator to a new level in Nigeria, providing its businesses with working space, $1m in funding, and the press network iROKO enjoys.<br>
It has not all been rosy with Spark, as it has also been laced with news of mass firing, in-house dispute, and an acquisition gone bad. However, 2013 did get sparked by this venture, as people are now in the spirit of GettingShitDone.ng. *pun intended*<br>
2. Arrival of the TechCabal<br>
Online and offline conversation in the local tech ecosystem took a whole new turn with the launch of TechCabal. The convener, Bankole Oluwafemi, popularly known by his Twitter handle @MrBankole, has done a great job. Taking on the trending term “cabal” in the political arena, the platform brings together tech veterans, enthusiasts, and other players with online content and offline events – TechCabal Sessions, which featured Tayo Oviosu of Paga in its maiden edition. Bigger things are expected of Big Cabal, the parent company, which recently acquired OTEKBITS to add to its web assets alongside Republica, and is gearing up for a relaunch in 2014.<br>
3. The Future Awards for African Tech<br>
Described by the World Bank as the Nobel Prize for young people, The Future Awards Africa is arguably the most prestigious award recognizing African youth. 2013 saw more recognition given to youths in the technology sector, and winners included Hugo Obi of Maliyo Games, the Jobberman trio, and Kingsley Ezeani of Information Nigeria. It is interesting to note that the 2013 edition of the awards had the largest number of technology-related categories in its 8 years of running. This goes to show that young people are making commendable ventures in the area of science and technology.<br>
4. More Incubators and Co-Working Spaces<br>
2013 saw the addition of new incubators and co-working spaces. The iDEA hub launched in Lagos and Calabar, while Audax, Startuphub, and Capital Square launched on the island of Lagos for technology and business entrepreneurs. iBridge Hub got down to business in Ibadan, and another hub opened shop in Ekiti. With the success stories coming out of the Co-Creation Hub, Veneer Hub, and Wennovation Hub, no doubt the same will soon be heard of these newly launched hubs.<br>
5. Walking with Giants<br>
One thing founders and entrepreneurs should make a habit of is collaborating smartly with bigger players. However, the giants have to be willing to work with the little people first, and a lot of that happened in 2013. Telecom giant MTN came close to the developer community and ran a 16-week app challenge in collaboration with the Co-Creation Hub. OEMs like Samsung, Nokia, and Tecno also ran developer competitions, trainings, and other projects. The Tony Elumelu Foundation offered seed funding to a good number of startups, and other companies like Qualcomm, Visa, and the Federal Government (Ministry of Communication and Technology) got into the trenches to work with local developers in hacking social products and services.<br>
6. Startups – Fly, Pivot, or Crash<br>
Having mentioned that 2012 saw the launch of so many startups, 2013 saw some fly, some pivot, and others crash. This is no anomaly in the tech space anywhere in the world. Due to factors like team, product offering, quality, funding, scaling, and market forces, startups need to adapt or die. 2013 saw startups like Paga and Jobberman fly with increased market size, revenue, and funding, TaxiPark had to pivot to Tranzit, and Tiketmobile had to close shop for reasons between funding and product offering. Perhaps growth hackers will be welcomed in 2014.<br>
7. Rocket Internet blazes on<br>
How can we talk about 2013 without mentioning Rocket Internet? This name probably made the headlines more than any other in the course of the year, and for various reasons. The most recent is the exit of the two African co-founders of Jumia. Other buzz-worthy moments include the partnership with MTN (investing about N65Bn) alongside Millicom, and new ventures such as Easy Taxi, Hello Food, Carmido, Varmido, and others that may not be known to you and me.<br>
8. Getting Funded by Angel Investors and VCs<br>
One of the biggest issues of 2012 was funding. That is not to say the problem is over in 2013, but it can be said that solutions are now available to founders, entrepreneurs, and startups looking for seed and growth funding. The angel investors arrived with the launch of the Lagos Angel Network, with Tomie Davis of Technovision as convener. Venture capital firms like Intel Capital, Echo VC, Tiger, Adlevo, among others, are also actively engaged in funding startups and businesses in Nigeria. Rancard recently raised a 2nd round, Jobberman is said to have raised a 3rd round, and iROKOtv recently raised an $8m 4th round.<br>
9. Cracking The Code of Digital Content Distribution<br>
Lots of players are taking a jab at digital content distribution in Africa, and Nigeria is at the forefront with players like Orin.io, Freeme Digital, MyMusic, iROKING, DoBox, NextSpeel, iROKOtv, Spinlet, BattaBox etc. With the value of local content – videos, film, music videos, movies – on the rise, as well as demand locally and in the diaspora, 2013 saw a lot of work go into working out a profitable way of producing and distributing this content. So far, some have started raising revenue and others are focused on the how-to models of delivery, but no one is profitable yet, so let’s see what 2014 has in store.<br>
10. Gadgets – Smart Just Got Cheaper<br>
Thanks to Nokia, Samsung, and most especially Tecno, Nigerians can afford to own a smartphone. These gadgets were out of reach only in 2012, but 2013 saw the arrival of the Nokia Asha and Lumia series, as well as the Samsung Galaxy Duos and Tecno Phantoms, in the N15,000 to N45,000 range. Staying connected also got cheaper as telcos – MTN, Airtel, and Glo – stayed competitive by releasing affordable data plans and bundles. No doubt more Nigerians are now connected to the internet via mobile phones that offer rich experiences.</p>
</div>Giftpixon, 2013-12-31: Cards Stolen in Target Breach Flood Underground Markets<div><p dir="ltr">Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.<br>
Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.<br>
There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.<br>
At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps was actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.<br>
When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.<br>
On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.<br>
This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.<br>
On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.<br>
“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out… nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”<br>
When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked whether I would be willing to advise his fraud team on how to do the same.<br>
CARD SHOPPING<br>
Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.<br>
According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.<br>
A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’ cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.<br>
With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that matched his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently issued cards for sale.<br>
Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.<br>
A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”<br>
Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.<br>
Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to the shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).<br>
Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block out-of-state transactions from a known compromised card.<br>
The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.<br>
The bank quickly ran fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.<br>
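The common-point-of-purchase analysis that both the big bank (earlier in the story) and the New England bank (just above) ran on their bought-back cards, written out as an added example that is neither bank’s nor the author’s code: given the cards found for sale and the issuer’s own transaction history, it ranks merchant chains by how many compromised cards visited them against a baseline of the issuer’s other cards, and reports the date window of those visits. All BINs, card numbers, merchant descriptors and transactions are constructed sample data, and `chainOf` is an assumed simplification of real merchant-descriptor normalization.

```javascript
// Added example (not from the article): common point of purchase (CPP)
// analysis over an issuer's own transaction records. Everything below is
// constructed sample data.

// The BIN is the first six digits of the card number, as the article explains;
// an issuer searches a card shop by its own BINs.
function binOf(pan) {
  return String(pan).replace(/\D/g, '').slice(0, 6);
}

// A shop listing can mix in other issuers' cards; keep only ours.
function ownCards(listedPans, issuerBins) {
  const bins = new Set(issuerBins);
  return listedPans.filter(p => bins.has(binOf(p)));
}

// Collapse a raw descriptor ("TARGET T-1234 TAFT CA") to the chain name so that
// stores "nationwide" count as one point of purchase. Real descriptors need a
// merchant-ID mapping; taking the first token is an assumed simplification.
function chainOf(descriptor) {
  return descriptor.trim().toUpperCase().split(/\s+/)[0];
}

// transactions: [{ pan, descriptor, date: 'YYYY-MM-DD' }]
// compromised: PANs confirmed for sale (e.g. bought back from the shop).
// For each chain, compare the share of compromised cards seen there with the
// share of the issuer's other cards seen there, so a chain everybody uses (a
// grocery) is not mistaken for the breach point. Chains seen on fewer than
// minShare of the compromised cards are dropped. The compromised cards' visit
// dates give an estimate of the breach window.
function commonPointOfPurchase(transactions, compromised, minShare = 1.0) {
  const bad = new Set(compromised);
  const good = new Set(transactions.map(t => t.pan).filter(p => !bad.has(p)));
  const stats = new Map(); // chain -> { badCards, goodCards, dates }
  for (const t of transactions) {
    const chain = chainOf(t.descriptor);
    if (!stats.has(chain)) stats.set(chain, { badCards: new Set(), goodCards: new Set(), dates: [] });
    const s = stats.get(chain);
    if (bad.has(t.pan)) { s.badCards.add(t.pan); s.dates.push(t.date); }
    else s.goodCards.add(t.pan);
  }
  const ranked = [];
  for (const [chain, s] of stats) {
    const badShare = s.badCards.size / bad.size;
    if (badShare < minShare) continue;
    const goodShare = good.size ? s.goodCards.size / good.size : 0;
    const dates = s.dates.slice().sort();
    ranked.push({
      chain, badShare, goodShare,
      lift: goodShare > 0 ? badShare / goodShare : Infinity,
      windowStart: dates[0], windowEnd: dates[dates.length - 1],
    });
  }
  // Highest lift first; (Infinity - Infinity) is NaN, so fall back to 0.
  return ranked.sort((a, b) => (b.lift - a.lift) || 0);
}

// Constructed data: this issuer owns two BINs; the shop listing also carries a
// card from another issuer's BIN that must be ignored.
const ISSUER_BINS = ['411111', '555555'];
const SHOP_LISTING = ['4111110000000001', '4111110000000002', '5555550000000003', '6011000000000009'];
const COMPROMISED = ownCards(SHOP_LISTING, ISSUER_BINS);

const TRANSACTIONS = [
  // the three cards found for sale all shopped at Target inside Nov 27 - Dec 15
  { pan: '4111110000000001', descriptor: 'TARGET T-1234 TAFT CA', date: '2013-11-29' },
  { pan: '4111110000000002', descriptor: 'TARGET T-0456 FRESNO CA', date: '2013-12-02' },
  { pan: '5555550000000003', descriptor: 'TARGET T-1234 TAFT CA', date: '2013-12-15' },
  // a card not for sale also used Target, but before the window
  { pan: '4111110000000004', descriptor: 'TARGET T-1234 TAFT CA', date: '2013-11-20' },
  // everyone shops at the grocery chain, so it must not rank first
  { pan: '4111110000000001', descriptor: 'GROCERY #12 TAFT CA', date: '2013-12-01' },
  { pan: '4111110000000002', descriptor: 'GROCERY #12 TAFT CA', date: '2013-12-03' },
  { pan: '5555550000000003', descriptor: 'GROCERY #77 FRESNO CA', date: '2013-12-05' },
  { pan: '4111110000000004', descriptor: 'GROCERY #12 TAFT CA', date: '2013-12-06' },
  { pan: '4111110000000005', descriptor: 'GROCERY #12 TAFT CA', date: '2013-12-07' },
  // a gas station only two of the three compromised cards used
  { pan: '4111110000000001', descriptor: 'GASCO 5510 TAFT CA', date: '2013-12-08' },
  { pan: '5555550000000003', descriptor: 'GASCO 5510 TAFT CA', date: '2013-12-09' },
];

const REPORT = commonPointOfPurchase(TRANSACTIONS, COMPROMISED);
console.log(REPORT); // TARGET first (lift 2, window 2013-11-29..2013-12-15), then GROCERY
```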
“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar-amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.<br>
My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.<br>
The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three-digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they possess the legitimate, physical card for the corresponding account that is being used to fund the online purchase.<br>
Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:<br>
“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.<br>
We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.<br>
We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.<br>
We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22.<br>
Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”</p>
</div>Giftpixonhttp://www.blogger.com/profile/17457845764405811824noreply@blogger.com0