Monday, June 27, 2016

Scientology Seeks Captive Converts Via Google Maps, Drug Rehab Centers

Fake online reviews generated by unscrupulous marketers blanket the Internet these days. Although online review pollution isn’t exactly a hot-button consumer issue, there are plenty of cases in which phony reviews may endanger one’s life or well-being. This is the story about how searching for drug abuse treatment services online could cause concerned loved ones to send their addicted, vulnerable friends or family members straight into the arms of the Church of Scientology.

As explained in last year’s piece, Don’t Be Fooled by Fake Online Reviews Part II, there are countless real-world services that are primed for exploitation online by marketers engaged in false and misleading “search engine optimization” (SEO) techniques. These shady actors specialize in creating hundreds or thousands of phantom companies online, each with different generic-sounding business names, addresses and phone numbers. The phantom firms often cluster around fake listings created in Google Maps — complete with numerous five-star reviews, pictures, phone numbers and Web site links.

The problem is that calls to any of these phony companies are routed back to the same crooked SEO entity that created them. That marketer in turn sells the customer lead to one of several companies that have agreed in advance to buy such business leads. As a result, many consumers think they are dealing with one company when they call, yet end up being serviced by a completely unrelated firm that may not have to worry about maintaining a reputation for quality and fair customer service.

Experts say fake online reviews are most prevalent in labor-intensive services that do not require the customer to come into the company’s offices but instead come to the consumer. These services include but are not limited to locksmiths, windshield replacement services, garage door repair and replacement technicians, carpet cleaning and other services that consumers very often call for immediate service.

As it happens, the problem is widespread in the drug rehabilitation industry as well. That became apparent after I spent just a few hours with Bryan Seely, the guy who literally wrote the definitive book on fake Internet reviews.

Perhaps best known for a stunt in which he used fake Google Maps listings to intercept calls destined for the FBI and U.S. Secret Service, Seely knows a thing or two about this industry: Until 2011, he worked for an SEO firm that helped to develop and spread some of the same fake online reviews that he is now helping to clean up.

More recently, Seely has been tracking a network of hundreds of phony listings and reviews that lead inquiring customers to fewer than a half dozen drug rehab centers, including Narconon International — an organization that promotes the theories of Scientology founder L. Ron Hubbard regarding substance abuse treatment and addiction.

As described in Narconon’s Wikipedia entry, Narconon facilities are known not only for attempting to win over new converts, but also for treating all drug addictions with a rather bizarre cocktail consisting mainly of vitamins and long hours in extremely hot saunas. The Wiki entry documents multiple cases of accidental deaths at Narconon facilities, where some addicts reportedly died from overdoses of vitamins or neglect:

“Narconon has faced considerable controversy over the safety and effectiveness of its rehabilitation methods,” the Wiki entry reads. “Narconon teaches that drugs reside in body fat, and remain there indefinitely, and that to recover from drug abuse, addicts can remove the drugs from their fat through saunas and use of vitamins. Medical experts disagree with this basic understanding of physiology, saying that no significant amount of drugs are stored in fat, and that drugs can’t be ‘sweated out’ as Narconon claims.”

Source: Seely Security.

FOLLOW THE BOUNCING BALL

Seely said he learned that the drug rehab industry was overrun with SEO firms when he began researching rehab centers in Seattle for a family friend who was struggling with substance abuse and addiction issues. A simple search on Google for “drug rehab Seattle” turned up multiple local search results that looked promising.

One of the top three results was for a business calling itself “Drug Rehab Seattle,” and while it lists a toll-free phone number, it does not list a physical address (NB: this is not always the case with fake listings, which just as often claim the street address of another legitimate business). A click on the organization’s listing claims the Web site rehabs.com – a legitimate drug rehab search service. However, the owners of rehabs.com say this listing is unauthorized and unaffiliated with rehabs.com.

As documented in this Youtube video, Seely called the toll-free number in the Drug Rehab Seattle listing, and was transferred to a hotline that took down his name, number and insurance information and promised an immediate call back. Within minutes, Seely said, he received a call from a woman who said she represented a Seattle treatment center but was vague about the background of the organization itself. A little digging showed that the treatment center was run by Narconon.

“You’re supposed to be getting a local drug rehab in Seattle, but instead you get taken to a call center, which can be owned by any number of rehab facilities around the country that pay legitimate vendors for calls,” Seely said. “If you run a rehab facility, you have to get people in the doors to make money. The guy who created these fake listings figured out you can use Google Maps to generate leads, and it’s free.”

The phony rehab establishment listed here is the third listing, which includes no physical address and routes the caller to a referral network that sells leads to Narconon, among others.

Here’s the crux of the problem: When you’re at Google.com and you search for something that Google believes to be a local search, Google adds local business results on top of the organic search results — complete with listings and reviews associated with Google Maps. Consumers might not even read them, but reviews left for businesses in these listings heavily influence their search rankings. The more reviews a business has, Seely said, the closer it gets to the coveted Number One spot in the search rankings.

That #1 rank attracts the most calls by a huge margin, and it can mean huge profits: Many rehab facilities will pay hundreds of dollars for leads that may ultimately produce a new patient. After all, some facilities can then turn around and bill insurance providers for tens of thousands of dollars per patient.

WHO IS JOHN HARVEY?

Curious if he could track down the company or individual behind the phony review that prompted a call from Narconon, Seely began taking a closer look at the reviews for the facility he called. One reviewer in particular stood out — one “John Harvey,” a Google user who clearly has a great deal of experience with rehab centers.

A click on John Harvey’s Google Plus profile showed he reviewed no fewer than 82 phantom drug treatment centers around the country, offering very positive 5-star reviews on all of them. A brief search for John Harvey online shows that the person behind the account is indeed a guy named John Harvey from Sacramento who runs an SEO company in Kuilua, Hawaii called TopSeek Inc., which bills itself as a collection of “local marketing experts.”

A visit to the company’s Web site shows that Narconon is one of TopSeek’s four listed clients, all of which either operate drug rehab centers or are in the business of marketing drug rehab centers.

TopSeek Inc’s client list includes Narconon, a Scientology front group that seeks to recruit new members via a network of unorthodox drug treatment facilities.

Calls and emails to Mr. Harvey went unreturned, but it’s clear he quickly figured out that the jig was up: Just hours after KrebsOnSecurity reached out to Mr. Harvey for comment, all of his phony addiction treatment center reviews mysteriously disappeared (some of the reviews are preserved in the screenshot below).

“This guy is sitting in Hawaii saying he’s retired and that he’s not taking any more clients,” Seely said. “Well, maybe he’s going to have to come out of retirement to go into prison, because he’s committed fraud in almost every state.”

While writing fake online reviews may not be strictly illegal or an offense that could send one to jail, several states have begun cracking down on “reputation management” and SEO companies that engage in writing or purchasing fake reviews. However, it’s unclear whether the fines being enforced for violations will act as a deterrent, since those fines are likely a fraction of the revenues that shady SEO companies stand to gain by engaging in this deceptive practice.

Some of John Harvey’s reviews. All of these have since been deleted.

WHAT YOU CAN DO ABOUT FAKE ONLINE REVIEWS

Before doing business with a company you found online, don’t just pick the company that comes up tops in the search results on Google. Unfortunately, that generally guarantees little more than the company is good at marketing.

Take the time to research the companies you wish to hire before booking them for jobs or services, especially when it comes to big, expensive, and potentially risky services like drug rehab or moving companies. By the way, if you’re looking for a legitimate rehab facility, you could do worse than to start at the aforementioned rehabs.com, a legitimate rehab search engine.

It’s a good idea to get in the habit of verifying that the organization’s physical address, phone number and Web address shown in the search result match that of the landing page. If the phone numbers are different, use the contact number listed on the linked site.

Take the time to learn about the organization’s reputation online and in social media; if it has none (other than a Google Maps listing with all glowing, 5-star reviews), it’s probably fake. Search the Web for any public records tied to the business’ listed physical address, including articles of incorporation from the local secretary of state office online. A search of the company’s domain name registration records can give you an idea of how long its Web site has been in business, as well as additional details about the company and/or the organization itself.

Seely said one surefire way to avoid these marketing shell games is to ask a simple question of the person who answers the phone in the online listing.

“Ask anyone on the phone what company they’re with,” Seely said. “Have them tell you, take their information and then call them back. If they aren’t forthcoming about who they are, they’re most likely a scam.”
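The verification steps above (no street address, listing phone versus landing-page phone, listing site versus landing page, uniformly 5-star reviews, a reviewer who rates the same kind of business all over the country) turned into a checklist scorer, as an added example that is not from the original post or from Seely Security. All listing data, phone numbers, reviewer names and cities are constructed, and the five-city threshold is an assumption.

```python
"""Heuristic checks for spotting a phantom local-business listing.

Added example (not from the KrebsOnSecurity post or from Seely Security):
it scores a search-result listing against the verification steps described
in the post. All listings, numbers, reviewer names and cities are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Review:
    reviewer: str
    stars: int


@dataclass
class Listing:
    name: str
    phone: str              # number shown in the map/search listing
    website: str            # site the listing claims to belong to
    address: Optional[str]  # None when the listing shows no street address
    landing_phone: str      # contact number actually shown on the landing page
    landing_site: str       # host the listing's link really lands on
    reviews: List[Review] = field(default_factory=list)


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_host(url: str) -> str:
    """Reduce a URL to its bare host name for comparison."""
    host = re.sub(r"^https?://", "", url.strip().lower()).split("/")[0]
    return host[4:] if host.startswith("www.") else host


def listing_flags(listing: Listing, reviewer_cities: Dict[str, Set[str]],
                  spread_threshold: int = 5) -> List[str]:
    """Return the warning signs found for one listing.

    reviewer_cities maps a reviewer name to the cities of every business that
    reviewer has rated. A real local customer rarely reviews the same kind of
    business in many cities, so a wide spread suggests a hired reviewer
    (threshold of five cities is an assumption, not a published rule).
    """
    flags = []
    if not listing.address:
        flags.append("no physical address in listing")
    if normalize_phone(listing.phone) != normalize_phone(listing.landing_phone):
        flags.append("listing phone does not match landing page phone")
    if normalize_host(listing.website) != normalize_host(listing.landing_site):
        flags.append("listing website does not match landing page")
    if listing.reviews and all(r.stars == 5 for r in listing.reviews):
        flags.append("every review is 5 stars")
    for r in listing.reviews:
        spread = len(reviewer_cities.get(r.reviewer, set()))
        if spread >= spread_threshold:
            flags.append(f"reviewer {r.reviewer!r} rated businesses in {spread} cities")
    return flags


# Constructed sample data: one listing with the tells described above and one
# that checks out.  Names, numbers and cities are made up for this example.
REVIEWER_CITIES = {
    "J. Example": {"Seattle", "Denver", "Tampa", "Boise", "Austin", "Reno"},
    "Local Customer": {"Seattle"},
}

SUSPECT = Listing(
    name="Drug Rehab Seattle (constructed)",
    phone="1-800-555-0100",
    website="http://www.example-rehab-search.com/",
    address=None,
    landing_phone="(206) 555-0199",      # the real site lists a different number
    landing_site="example-rehab-search.com",
    reviews=[Review("J. Example", 5), Review("Local Customer", 5)],
)

GENUINE = Listing(
    name="Example Clinic (constructed)",
    phone="(206) 555-0150",
    website="https://example-clinic.org",
    address="123 Example St, Seattle, WA",
    landing_phone="206-555-0150",
    landing_site="example-clinic.org",
    reviews=[Review("Local Customer", 4), Review("Another Local", 5)],
)

if __name__ == "__main__":
    for lst in (SUSPECT, GENUINE):
        print(lst.name, "->", listing_flags(lst, REVIEWER_CITIES) or ["no flags"])
```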

For the record, I requested comment on this story from Google — and specifically from the people at Google who handle Google Maps — but have yet to hear back from them. I’ll update this story in the event that changes.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fscientology-seeks-captive-converts-via-google-maps-drug-rehab-centers%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Friday, June 24, 2016

How to Spot Ingenico Self-Checkout Skimmers

A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.

Happily, just days before my story, point-of-sale vendor Ingenico produced a tutorial on how to spot a skimmer on self-checkout lanes powered by Ingenico iSC250 card terminals. Unfortunately, it doesn’t appear that this report was widely disseminated, because I’m still getting questions from readers at retailers that use these devices.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual iSC250 on the right. Source: Ingenico.

“In order for the overlay to fit atop the POS [point-of-sale] terminal, it must be longer and wider than the target device,” reads a May 16, 2016 security bulletin obtained by KrebsOnSecurity. “For this reason, the case overlay will appear noticeably larger than the actual POS terminal. This is the primary identifying characteristic of the skimming device. A skimmer overlay of the iSC250 is over 6 inches wide and 7 inches tall while the iSC250 itself is 5 9/16 inch wide and 6 1⁄2 inches tall.”

In addition, the skimming device that thieves can attach in the blink of an eye on top of the Ingenico self-checkout card reader blocks the backlight from coming through the fake PIN pad overlay.

The backlight can be best seen while shading the keypad from room lights. The image on the left is a powered-on legitimate iSC250 viewed with the keypad shaded. The backlight can be seen in comparison to a powered-off iSC250 in the right image. Source: Ingenico.

What’s more, the skimming overlay devices currently block the green LED light that is illuminated during contactless card reads like Apple Pay.

The green LED light that is lit up during contactless payments is obscured by the overlay skimmer. Source: Ingenico.

The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.

“The overlay design appears to occasionally interfere with the magnetic stripe reads, leading to greater numbers of read failures,” Ingenico wrote.

Finally, all checkout terminals include a tethered stylus that customers use to sign their names after swiping their cards. According to Ingenico, the skimmers made to fit the iSC250 appear to prevent the ordinary placement of the stylus due to the obtrusive overhang of the skimmer overlay.

The overlay skimmer on the left blocks the stylus tray. The picture on the right is a device that’s not been attacked.

It’s probably true that posting information like this online gives skimmer scammers an opportunity to improve their product and to make the telltale giveaways less noticeable. However, this only goes so far without significantly driving up the cost of these overlay skimmers. Each iSC250 skimmer already retails for a few hundred bucks apiece — and that’s without the electronics needed to gather and store card data. The up-front cost of these fraud devices is important because the fraudsters have no guarantee they will be able to recover their skimmers before the devices are discovered.

On the other hand, as I mentioned earlier there are countless nationwide retailers that have hundreds of thousands of these Ingenico devices installed in self-checkout lanes, and that in turn means millions of employees and customers who are the first lines of defense against skimmers. The more people know about what to look for in these fraud devices, the more likely the fraudsters will lose their up-front investments — and maybe even get busted trying to retrieve them.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fhow-to-spot-ingenico-self-checkout-skimmers%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Wednesday, June 22, 2016

Rise of Darknet Stokes Fear of The Insider

With the proliferation of shadowy black markets on the so-called “darknet” — hidden crime bazaars that can only be accessed through special software that obscures one’s true location online — it has never been easier for disgruntled employees to harm their current or former employer. At least, this is the fear driving a growing stable of companies seeking technical solutions to detect would-be insiders.

Avivah Litan, a fraud analyst with Gartner Inc., says she’s been inundated recently with calls from organizations asking what they can do to counter the following scenario: A disaffected or disgruntled employee creates a persona on a darknet market and offers to sell his company’s intellectual property or access to his employer’s network.

A darknet forum discussion generated by a claimed insider at music retailer Guitar Center.

Litan said a year ago she might have received one such inquiry a month; now Litan says she’s getting multiple calls a week, often from companies that are in a panic.

“I’m getting calls from lots of big companies, including manufacturers, banks, pharmaceutical firms and retailers,” she said. “A year ago, no one wanted to say whether they had or were seriously worried about insiders, but that’s changing.”

Insiders don’t have to be smart or sophisticated to be dangerous, as this darknet forum discussion thread illustrates.

Some companies with tremendous investments in intellectual property — particularly pharmaceutical and healthcare firms — are working with law enforcement or paying security firms to monitor and track actors on the darknet that promise access to specific data or organizations, Litan said.

“One pharma guy I talked to recently said he meets with [federal agents] once a week to see if his employees are active on the darknet,” she said. “Turns out there are a lot of disgruntled employees who want to harm their employers. Before, it wasn’t always clear how to go about doing that, but now they just need to create a free account on some darknet site.”

Statistics and figures only go so far in illustrating the size of the problem. A Sept. 2015 report from Intel found that internal actors were responsible for 43 percent of data loss — but only about half of that was intended to harm the employer.

Likewise, the 2016 Data Breach Investigation Report (DBIR), an annual survey of data breaches from Verizon Enterprise, found insiders and/or the misuse of employee privileges were present in a majority of incidents. Yet it also concluded that much of this was not malicious but instead appeared related to employees mailing sensitive information or uploading it to a file-sharing service online.

Perhaps one reason insiders are so feared is that the malicious ones very often can operate for years undetected, doing major damage to employers in the process. Indeed, Verizon’s DBIR found that insider breaches usually take months or years to discover.

Noam Jolles, a senior intelligence expert at Diskin Advanced Technologies, studies darknet communities. I interviewed her last year in “Bidding for Breaches,” a story about a secretive darknet forum called Enigma where members could be hired to launch targeted phishing attacks at companies. Some Enigma members routinely solicited bids regarding names of people at targeted corporations that could serve as insiders, as well as lists of people who might be susceptible to being recruited or extorted.

Jolles said the proliferation of darkweb communities has lowered the barriers to entry for insiders, and provided even the least sophisticated would-be insiders with ample opportunities to betray their employer’s trust.

“I’m not sure everyone is aware of how simple and practical this phenomenon looks from adversary eyes and how far it is from the notion of an insider as a sophisticated disgruntled employee,” Jolles said. “The damage from the insider is not necessarily due to his position, but rather to the sophistication of the threat actors that put their hands on him.”

Who is the typical insider? According to Verizon’s DBIR, almost one third of insiders at breaches in 2015 were found to be end users who had access to sensitive data as a requirement to do their jobs.

“Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%),” Verizon wrote, noting that insiders were most commonly found in administrative, healthcare and public sector jobs. “The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them). At the end of the day, keep up a healthy level of suspicion toward all employees.”

If tech industry analysts like Litan are getting pinged left and right about the insider threat these days, it might have something to do with how easy it is to find company proprietary information or access on offer in darknet forums — many of which allow virtually anyone to register and join.

A darknet forum discussion about possible insiders at Vodafone.

The other reason may be that there are a lot more companies looking for this information and actively notifying affected organizations. These notifications invariably become sales pitches for “dark web monitoring” or “threat intelligence services,” and a lot of companies probably aren’t sure what to make of this still-nascent industry.

How can organizations better detect insiders before the damage is done? Gartner’s Litan emphasized continuous monitoring and screening for trusted insiders with high privileges. Beyond that, Litan says there are a wide range of data-driven insider threat technology solutions. On the one end of the spectrum are companies that conduct targeted keyword searches on behalf of clients on social media networks and darknet destinations. More serious and expensive offerings apply machine learning to internal human resources (HR) records, and work to discover and infiltrate online crime rings.

What’s Verizon’s answer to the insider threat? “Love your employees, bond at the company retreat, bring in bagels on Friday, but monitor the heck out of their authorized daily activity, especially ones with access to monetizable data (financial account information, personally identifiable information (PII), payment cards, medical records).”

Additional reading: Insider Threats Escalate and Thrive in the Dark Web.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Frise-of-darknet-stokes-fear-of-the-insider%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Monday, June 20, 2016

Citing Attack, GoToMyPC Resets All Passwords

GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.

Owned by Santa Clara, Calif.-based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.

“Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack,” reads the notice posted to status.gotomypc.com. “To protect you, the security team recommended that we reset all customer passwords immediately. Effective immediately, you will be required to reset your GoToMYPC password before you can login again. To reset your password please use your regular GoToMYPC login link.”

John Bennett, product line director at Citrix, said once the company learned about the attack it took immediate action. But contrary to previous published reports, there is no indication Citrix or its platforms have been compromised, he said.

“Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett wrote in an emailed statement. “At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible.”

Citrix’s GoTo division also operates GoToAssist, which is geared toward technical support specialists, and GoToMeeting, a product marketed at businesses. The company said it has no indication that user accounts at other GoTo services were compromised, but assuming that’s true it’s likely because the attackers haven’t gotten around to trying yet.

It’s a fair bet that whoever perpetrated this attack had help from huge email and password lists recently leaked online from older breaches at LinkedIn, MySpace and Tumblr to name a few. Re-using passwords at multiple sites is a bad idea to begin with, but re-using your GoToMyPC remote administrator password at other sites seems like an exceptionally lousy idea.
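A password re-use attack of the kind Citrix describes leaves a recognisable shape in authentication logs: one source trying many different usernames once each, with a few successes mixed into the failures, rather than one account hammered with many passwords. The detector below is an added example (not Citrix's or GoToMyPC's code); it assumes a hypothetical log line format of `<timestamp> ip=<addr> user=<name> result=ok|fail`, and the log lines and addresses are constructed.

```python
"""Spotting a password re-use (credential stuffing) run in auth logs.

Added example, not Citrix's or GoToMyPC's code.  Assumes a hypothetical
line format '<timestamp> ip=<addr> user=<name> result=ok|fail'; the log
lines, usernames and addresses below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 walks a leaked list (8 users, 2 hits),
# 198.51.100.4 is a normal login, 192.0.2.9 brute-forces a single account.
SAMPLE_LOG = """\
2016-06-19T02:00:01Z ip=203.0.113.7 user=alice result=fail
2016-06-19T02:00:02Z ip=203.0.113.7 user=bob result=fail
2016-06-19T02:00:03Z ip=203.0.113.7 user=carol result=ok
2016-06-19T02:00:04Z ip=203.0.113.7 user=dave result=fail
2016-06-19T02:00:05Z ip=203.0.113.7 user=erin result=fail
2016-06-19T02:00:06Z ip=203.0.113.7 user=frank result=ok
2016-06-19T02:00:07Z ip=203.0.113.7 user=grace result=fail
2016-06-19T02:00:08Z ip=203.0.113.7 user=heidi result=fail
2016-06-19T02:01:00Z ip=198.51.100.4 user=ivan result=ok
2016-06-19T02:02:00Z ip=192.0.2.9 user=judy result=fail
2016-06-19T02:02:01Z ip=192.0.2.9 user=judy result=fail
2016-06-19T02:02:02Z ip=192.0.2.9 user=judy result=fail
2016-06-19T02:02:03Z ip=192.0.2.9 user=judy result=fail
2016-06-19T02:02:04Z ip=192.0.2.9 user=judy result=fail
2016-06-19T02:02:05Z ip=192.0.2.9 user=judy result=fail
"""


class Event(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse lines matching LOG_RE; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["ip"], m["user"], m["result"] == "ok"))
    return events


def stuffing_sources(events: List[Event], min_users: int = 5,
                     max_attempts_per_user: float = 2.0) -> Dict[str, dict]:
    """Return {ip: {"users": n, "failures": n, "compromised": [users]}}.

    A stuffing source tries many *different* usernames, each only once or
    twice (a leaked pair either works or it does not).  A brute-force attempt
    hammers one account, so it fails the distinct-user threshold; a shared
    office NAT shows many users but no failures, so it is skipped too.
    Thresholds are assumptions to tune against real traffic.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(),
                                  "failures": 0, "compromised": set()})
    for e in events:
        s = per_ip[e.ip]
        s["attempts"] += 1
        s["users"].add(e.user)
        if e.ok:
            s["compromised"].add(e.user)
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) < min_users:
            continue
        if s["attempts"] / len(s["users"]) > max_attempts_per_user:
            continue
        if s["failures"] == 0:
            continue
        flagged[ip] = {"users": len(s["users"]), "failures": s["failures"],
                       "compromised": sorted(s["compromised"])}
    return flagged


def accounts_to_reset(flagged: Dict[str, dict]) -> List[str]:
    """Accounts that accepted a password from a flagged source."""
    return sorted({u for info in flagged.values() for u in info["compromised"]})


if __name__ == "__main__":
    hits = stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['users']} users tried, {info['failures']} failures, "
              f"accepted logins for {info['compromised']}")
    print("force reset:", accounts_to_reset(hits))
```

Accounts that accepted a login from a flagged source are the ones to reset first; the rest of the user base is where a site-wide reset like GoToMyPC's comes in.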



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fciting-attack-gotomypc-resets-all-passwords%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Friday, June 17, 2016

Adobe Update Plugs Flash Player Zero-Day

Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.

The latest update brings Flash to v. 22.0.0.192 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually check for updates in Chrome and restart the browser to get the latest Flash version).

For some reason that probably has nothing to do with security, Adobe has decided to stop distributing direct links to its Flash Player software. According to the company’s Flash distribution page, on June 30, 2016 Adobe will decommission direct links to various Flash Player downloads. This will essentially force Flash users to update the program using its built-in automatic updates feature (which sometimes takes days to notice a new security update is available), or to install the program from the company’s Flash Home page — a download that currently bundles McAfee Security Scan Plus and a product called True Key by Intel Security.

Anything that makes it less likely users will update Flash seems like a bad idea, especially when we’re talking about a program that often needs security fixes more than once a month.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fadobe-update-plugs-flash-player-zero-day%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Thursday, June 16, 2016

FBI Raids Spammer Outed by KrebsOnSecurity

Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email artist currently flagged by anti-spam activists as one of the world’s Top 10 Worst Spammers, was reportedly raided by the FBI in connection with a federal spam investigation.

According to a June 9 story at ABC News, on April 27, 2016 the FBI raided the San Diego home of Persaud, who reportedly has been under federal investigation since at least 2013. The story noted that on June 6, 2016, the FBI asked for and was granted a warrant to search Persaud’s iCloud account, which investigators believe contained “evidence of illegal spamming and wire fraud to further [Persaud’s] spamming activities.”

Persaud doesn’t appear to have been charged with a crime in connection with this investigation. He maintains his email marketing business is legitimate and complies with the CAN-SPAM Act, the main anti-spam law in the United States, which prohibits the sending of spam that spoofs the sender’s address or does not give recipients an easy way to opt out of receiving future such emails from that sender.

The affidavit that investigators with the FBI used to get a warrant for Persaud’s iCloud account is sealed, but a copy of it was obtained by KrebsOnSecurity. It shows that during the April 2016 FBI search of his home, Persaud told agents that he currently conducts internet marketing from his residence by sending a million emails in under 15 minutes from various domains and Internet addresses.

The affidavit indicates the FBI was very interested in the email address michaelp77x@gmail.com. In my 2014 piece Still Spamming After All These Years, I called attention to this address as the one tied to Persaud’s Facebook account — and to 5,000 or so domains he was advertising in spam. The story was about how the junk email Persaud acknowledged sending was being relayed through broad swaths of Internet address space that had been hijacked from hosting firms and other companies.

FBI Special Agent Timothy J. Wilkins wrote that investigators also subpoenaed and got access to that michaelp77x@gmail.com account, and found emails between Persaud and at least four affiliate programs that hire spammers to send junk email campaigns.

A spam affiliate program is a type of business or online retailer — such as an Internet pharmacy — that pays a third party (known as affiliates or spammers) a percentage of any sales that they generate for the program (for a much deeper dive on how affiliate programs work, check out Spam Nation).

When I wrote about Persaud back in 2014, I noted that his spam generally advertised the types of businesses you might expect to see pimped in junk email: payday loans, debt consolidation services, and various “nutraceutical” products.

Persaud did not respond to requests for comment. But in an email he sent to KrebsOnSecurity in November 2014, he said:

“I can tell you that my company deals with many different ISPs both in the US and overseas and I have seen a few instances where smaller ones will sell space that ends up being hijacked,” Persaud wrote in an email exchange with KrebsOnSecurity. “When purchasing IP space you assume it’s the ISP’s to sell and don’t really think that they are doing anything illegal to obtain it. If we find out IP space has been hijacked we will refuse to use it and demand a refund. As for this email address being listed with domain registrations, it is done so with accordance with the CAN-SPAM guidelines so that recipients may contact us to opt-out of any advertisements they receive.”

Persaud is currently listed as #10 on the World’s 10 Worst Spammers list maintained by Spamhaus, an anti-spam organization. In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Ffbi-raids-spammer-outed-by-krebsonsecurity%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Tuesday, June 14, 2016

Microsoft Patches Dozens of Security Holes

Microsoft today released updates to address more than three dozen security holes in Windows and related software. Meanwhile, Adobe — which normally releases fixes for its ubiquitous Flash Player alongside Microsoft’s monthly Patch Tuesday cycle — said it’s putting off today’s expected Flash patch until the end of this week so it can address an unpatched Flash vulnerability that already is being exploited in active attacks.

Yes, that’s right, it’s once again Patch Tuesday, better known to mere mortals as the second Tuesday of each month. Microsoft isn’t kidding around this particular Tuesday — pushing out 16 patch bundles to address at least 44 security flaws across Windows and related software.

The usual suspects earn “critical” ratings: Internet Explorer (IE), Edge (the new, improved IE), and Microsoft Office. Critical is Microsoft’s term for a flaw that allows the attacker to remotely take control over the victim’s machine without help from the victim, save for perhaps getting him to visit a booby-trapped Web site or load a poisoned ad in IE or Edge.

Windows home users aren’t the only ones who get to have all the fun: There’s plenty enough in today’s Microsoft patch batch to sow dread in any Windows system administrator, including patches that fix serious security holes in Windows SMB Server, Microsoft’s DNS Server, and Exchange Server.

I’ll put up a note later this week whenever Adobe releases the Flash update. For now, Kaspersky has more on the Flash vulnerability and its apparent use in active espionage attacks. As ever, if you experience any issues after applying any of today’s updates, please drop a note about it in the comments below.

Other resources: Takes from the SANS Internet Storm Center, Qualys and Shavlik.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fmicrosoft-patches-dozens-of-security-holes%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Monday, June 13, 2016

ATM Insert Skimmers In Action

KrebsOnSecurity has featured several recent posts on “insert skimmers,” ATM skimming devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. I’m revisiting the subject again because I’ve recently acquired how-to videos produced by two different insert skimmer peddlers, and these silent movies show a great deal more than words can tell about how insert skimmers do their dirty work.

Last month I wrote about an alert from ATM giant NCR Corp., which said it was seeing an increase in cash machines compromised by what it called “deep insert” skimmers. These skimmers can hook into little nooks inside the mechanized card acceptance slot, which is generally quite a bit wider than the width of an ATM card.

“The first ones were quite fat and were the same width of the card,” said Charlie Harrow, solutions manager for global security at NCR. “The newer ones are much thinner and sit right there where the magnetic stripe reader is.”

Operating the insert skimmer pictured in the video below requires two special tools that are sold with it: One to set the skimmer in place inside the ATM’s card acceptance slot, and another to retrieve it. NCR told me its technicians had never actually found any tools crooks use to install and retrieve the insert skimmers, but the following sales video produced by an insert skimmer vendor clearly shows a different tool is used for each job:

 

Same goes for a different video produced by yet another vendor of insert skimming devices:

 

Here’s a close-up of the insert skimmer pictured in the first sales video above:

An insert skimmer. Credit: Hold Security.

This video from another insert skimmer seller shows some type of tool I can’t quite make out that is used to retrieve the skimmer. It’s unclear if this one requires a second tool to install the device.

Skimmed card data lets you counterfeit new copies of the card, but to withdraw cash from ATMs using the counterfeit cards the crooks also need to somehow steal each customer’s PIN. That task usually falls to a false keypad or a hidden camera — the latter being far more common and cheaper. The seller of the insert skimmer pictured above also sells a hidden camera setup. Below is a false overhead panel, including a cannibalized videocamera that peeps through a tiny hole down at the ATM keypad.

The insert skimmer, sold alongside a hidden camera embedded within a false overhead panel.

Once you know about all the ways that skimmer thieves are coming up with to fleece the banks and consumers, it’s difficult not to go through life seeing every ATM as a potential zombie threat — banging and pulling on the poor machines and half expecting, half hoping parts to come unglued. I’m always disappointed, but it hasn’t stopped me all the same.

Truthfully, you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life. So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. Stick to ATMs that are physically installed in a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on a weekend — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantly, covering the PIN pad with your hand defeats the hidden camera from capturing your PIN — and hidden cameras are used on the vast majority of the more than three dozen ATM skimming incidents that I’ve covered here. Shockingly, few people bother to take this simple, effective step, as detailed in this skimmer tale from 2012, wherein I obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

For more on how these insert skimmers work, check out Crooks Go Deep With ‘Deep Insert’ Skimmers. If you’re here because you find skimmers of all kinds fascinating, please see my series All About Skimmers.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fatm-insert-skimmers-in-action%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Friday, June 10, 2016

IRS Re-Enables ‘Get Transcript’ Feature

The Internal Revenue Service has re-enabled a service on its Web site that allows taxpayers to get a copy of their previous year’s tax transcript. The renewed effort to beef up taxpayer authentication methods at irs.gov comes more than a year after the agency disabled the transcript service because tax refund fraudsters were using it to steal sensitive data on consumers.

During the height of tax-filing season in 2015, KrebsOnSecurity warned that identity thieves involved in tax refund fraud with the IRS were using irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the actual number of victims was probably closer to 724,000.

So exactly how does the new-and-improved Get Transcript feature validate that taxpayers who are requesting information aren’t cybercriminal imposters? According to the IRS’s Get Transcript FAQ, the visitor needs to supply a Social Security number (SSN) and have the following:

  • immediate access to your email account to receive a confirmation code;
  • name, birthdate, mailing address, and filing status from your most recent tax return;
  • an account number from either a credit card, auto loan, mortgage, home equity loan or home equity line of credit;
  • a mobile phone number with your name on the account.

“If you previously registered to use IRS Get Transcript Online, Identity Protection PIN, Online Payment Agreement, or ePostcard online services, log in with the same username and password you chose before,” the IRS said. “You’ll need to provide a financial account number and mobile phone number if you haven’t already done so.”

The agency said it will then verify your financial account number and mobile phone number with big-three credit bureau Equifax. Readers who have taken my advice and placed a security freeze on their credit files will need to request a temporary thaw in that freeze with Equifax before attempting to verify their identity with the IRS.

According to Federal Computer Week, central to the new setup will be knowledge-based authentication that uses supposedly harder-to-answer questions than the tests that led to the compromise of Get Transcript.

Mike Kasper, the tax fraud victim whose story ultimately earned him a chance to testify about the experience before the U.S. Senate Commerce Committee, called the new authentication methods a good step forward. But he worries that they will simply encourage tax refund thieves to commit more acts of identity theft in victims’ names.

“Looks like the investment for a $6,000 refund went from $10 to purchase credit data or now a card number for the victim, up to about $30 to buy a prepaid number although it’s probably even cheaper now,” Kasper said.

Kasper notes that the same lame authentication methods that led to the Get Transcript debacle are still used by annualcreditreport.com, a site mandated by Congress as the only site where consumers can get their by-rights guaranteed free copy of their credit report from each of the major bureaus. Credit reports contain quite a bit of information that may allow thieves to glean the mobile and credit card account numbers for the taxpayers they’re targeting.

Annualcreditreport.com asks consumers to provide a bunch of personal data that can be bought for about $3-$4 from cybercrime shops online — such as date of birth, Social Security number, address and previous addresses. The site also asks the visitor to answer a series of so-called knowledge-based authentication (KBA) questions supplied by the credit bureaus.

These KBA questions — which involve four multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

Fraudsters also may opt to simply phish the phone and credit card information from victims, or turn to criminal data brokers in the underground that specialize in selling these dossiers on consumers, Kasper said.

“The real question is, when will more banks start to check that the incoming transfer from the IRS is for an account under the name of an actual customer,” Kasper said. “There were probably thousands of fraudulent tax refunds last year where the [perpetrators] just opened up bank accounts in other peoples’ names to receive a refund from the IRS. Because if you’re a thief and you open an account in the victim’s name, it’s a little harder to trace.”



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Firs-re-enables-get-transcript-feature%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Thursday, June 9, 2016

There’s the Beef: Wendy’s Breach Numbers About to Get Much Meatier

When news broke last month that the credit card breach at fast food chain Wendy’s impacted fewer than 300 out of the company’s 5,800 locations, the response from many readers was, “Where’s the Breach?” Today, Wendy’s said the number of stores impacted by the breach is “significantly higher” and that the intrusion may not yet be contained.

On January 27, 2016, this publication was the first to report that Wendy’s was investigating a card breach. In mid-May, the company announced in its first quarter financial statement that the fraud impacted just five percent of stores.

But since that announcement last month, a number of sources in the fraud and banking community have complained to this author that there was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.

What’s more, some of those same sources said they were certain the breach was still ongoing well after Wendy’s made the five percent claim in May.

Today, Wendy’s acknowledged in a statement that the breach is now expected to be “considerably higher than the 300 restaurants already implicated.” Company spokesman Bob Bertini declined to be more specific about the number of stores involved, citing an ongoing investigation. Bertini also declined to say whether the company is confident that the breach has been contained.

“Wherever we are finding it we’ve taken action,” he said. “But we can’t rule out that there aren’t others.”

Bertini said part of the problem was that the breach happened in two waves. He said the outside forensics investigators that were assigned to the case by the credit card associations initially found 300 locations that had malware on the point-of-sale devices, but that the company’s own investigators later discovered a different strain of the malware at some locations. Bertini declined to provide additional details about either of the malware strains found in the intrusions.

“In recent days, our investigator has identified this additional strain or mutation of the original malware,” he said. “It just so happens that this new strain targets a different point of sale system than the original one, and we just within the last few days discovered this.”

The company also emphasized that all of the breached stores were franchised — not company-run — entities. Here is the statement that Wendy’s provided to KrebsOnSecurity, in its entirety:

Based on the preliminary findings of the previously-disclosed investigation, the Company reported on May 11 that malware had been discovered on the point of sale (POS) system at fewer than 300 franchised North America Wendy’s restaurants. An additional 50 franchise restaurants were also suspected of experiencing, or had been found to have, other cybersecurity issues. As a result of these issues, the Company directed its investigator to continue to investigate.

In this continued investigation, the Company has recently discovered a variant of the malware, similar in nature to the original, but different in its execution. The attackers used a remote access tool to target a POS system that, as of the May 11th announcement, the Company believed had not been affected. This malware has been discovered on some franchise restaurants’ POS systems, and the number of franchise restaurants impacted by these cybersecurity attacks is now expected to be considerably higher than the 300 restaurants already implicated. To date, there has been no indication in the ongoing investigation that any Company-operated restaurants were impacted by this activity.

Many franchisees and operators throughout the retail and restaurant industries contract with third-party service providers to maintain and support their POS systems. The Company believes this series of cybersecurity attacks resulted from certain service providers’ remote access credentials being compromised, allowing access to the POS system in certain franchise restaurants serviced by those providers.

The malware used by attackers is highly sophisticated in nature and extremely difficult to detect. Upon detecting the new variant of malware in recent days, the Company has already disabled it in all franchise restaurants where it has been discovered, and the Company continues to work aggressively with its experts and federal law enforcement to continue its investigation.

Customers may call a toll-free number (888-846-9467) or email PaymentCardUpdate@wendys.com with specific questions.

Wendy’s statement that the attackers got access by stealing credentials that allowed remote access to point-of-sale terminals should hardly be surprising: The vast majority of the breaches involving restaurant and hospitality chains over the past few years have been tied to hacked remote access accounts that POS service providers use to remotely manage the devices.

Wednesday’s story about a point-of-sale botnet that has stolen at least 1.2 million credit cards from more than 100 Cici’s Pizza locations and other restaurants noted that Cici’s point-of-sale provider believes the attackers in this case used social engineering and remote access tools to compromise and maintain control over hacked cash registers.

Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register. Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Many retailers are now moving to install card readers that can handle transactions from more secure chip-based credit and debit cards, which are far more expensive for thieves to clone.

Gavin Waugh, vice president and treasurer at The Wendy’s Company, declined to say whether Wendy’s has any timetable for deploying chip-based readers across its fleet of stores — the vast majority of which are franchise operations.

“I don’t think that would have solved this problem, and it’s a bit of a misnomer,” Waugh said, in response to questions about plans for the deployment of chip-based readers across the company’s U.S. footprint. “I think it makes it harder [for the attackers], but I don’t think it makes it impossible.”

Avivah Litan, a fraud analyst with Gartner Inc., said chip readers at Wendy’s would help, but only if the company can turn them on to accept chip transactions. As I noted in February, although a large number of merchants have chip card readers in place, many still face delays in getting the systems up to snuff with the chip card standards.

Litan said the biggest bottleneck right now to more merchants accepting chip cards is first getting their new systems certified as compliant with the chip card standard (known as Europay, Mastercard and Visa or EMV). And the backlog among firms that certify retailers as EMV compliant is rapidly growing.

Litan said the reality is that chip cards will continue to have magnetic stripes on them for many years to come.

“Unless the mag stripe data is not transmitted anymore and you get rid of the mag stripe, there is always going to be card data compromised, stolen and counterfeited,” Litan said.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Ftheres-the-beef-wendys-breach-numbers-about-to-get-much-meatier%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Download the New 'Wi-Fi Design Poster' Today!

Performing a proper Wi-Fi design is critical to success. Modern WLANs have grown ever more complex, having to provide high quality coverage, meet density and capacity requirements, and facilitate user mobility and roaming, all while minimizing both Wi-Fi interference and external RF interference. The new 'Wi-Fi Design Poster' can provide a quick reference for wireless engineers. The poster was a collaborative effort between Ekahau and me.

The poster covers the 4 critical aspects of Wi-Fi design, an overview of the design process, and 10 high-performance Wi-Fi tips and tricks.

Download and print yours today! It is available as both a poster and an infographic. We hope you like it :) Please share it if you think others would benefit as well.

from
http://redirect.viglink.com?u=http%3A%2F%2Ffeedproxy.google.com%2F%7Er%2FRevolutionWi-fi%2F%7E3%2FKXMUsacpbiY%2Fgrab-the-new-wi-fi-design-poster-today&key=ddaed8f51db7bb1330a6f6de768a69b8

Wednesday, June 8, 2016

Slicing Into a Point-of-Sale Botnet

Last week, KrebsOnSecurity broke the news of an ongoing credit card breach involving CiCi’s Pizza, a restaurant chain in the United States with more than 500 locations. What follows is an exclusive look at a point-of-sale botnet that appears to have enslaved dozens of hacked payment terminals inside of CiCi’s locations that are being relieved of customer credit card data in real time.

Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.

This admin panel shows the Internet address of a number of infected point-of-sale devices as of June 4, 2016. Many of these appear to be at Cici's Pizza locations.

KrebsOnSecurity has not been able to conclusively tie the botnet to CiCi’s. Neither CiCi’s nor its outside public relations firm have responded to multiple requests for comment. However, the control panel for this botnet includes the full credit card number and name attached to the card, and several individuals whose names appeared in the botnet control panel confirmed having eaten at CiCi’s Pizza locations on the same date that their credit card data was siphoned by this botnet.

Among those was Richard Higgins of Prattville, Ala., whose card data was recorded in the botnet logs on June 4, 2016. Reached via phone, Higgins confirmed that he used his debit card to pay for a meal he and his family enjoyed at a CiCi’s location in Prattville on that same date.

An analysis of the botnet data reveals more than 100 distinct infected systems scattered across the country. However, the panel only displayed hacked systems that were presently reachable online, so the actual number of infected systems may be larger.

Most of the hacked cash registers map back to dynamic Internet addresses assigned by broadband Internet service providers, and those addresses provide little useful information about the owners of the infected systems — other than offering a general idea of the city and state tied to each address.

For example, the Internet address of the compromised point-of-sale system that stole Mr. Higgins’ card data is 72.242.109.130, which maps back to an Earthlink system in a pool of IP addresses managed out of Montgomery, Ala.

Many of the botnet logs include brief notes or messages apparently left by CiCi’s employees for other employees. Most of these messages concern banal details about an employee’s shift, or issues that need to be addressed when the next employee shift comes in to work.

In total, there are more than 1.2 million unique credit and debit card numbers recorded in the botnet logs seen by this reporter. However, the total number of card accounts harvested by the cybercrooks in charge of this crime machine is probably far greater. That’s because the botnet logs go back to early April 2016, but it appears that someone reset and/or cleared those records prior to that date.

Only about half of the 1.2 million stolen accounts appear to have been taken from compromised CiCi’s locations. The majority of the other Internet addresses that appear in the bot logs could not be traced back to specific establishments. Others seem to be tied to individual businesses, including a cinema in Wallingford, Ct., a pizza establishment in Chicago (the famous Lou Malnati’s), a hotel in Pennsylvania, and a restaurant at a Holiday Inn hotel in Washington, D.C.

This particular point-of-sale botnet looks to be powered by Punkey, a POS malware strain first detailed last year by researchers at Trustwave Spiderlabs. According to Trustwave, Punkey includes a component that records keystrokes on the infected device, which may explain why short notes left by CiCi’s employees show up frequently in the bot logs alongside credit card data.

Although CiCi’s has remained silent so far, the company’s main point-of-sale service provider — Clearwater, Fla.-based Datapoint POS — told KrebsOnSecurity last week that the hackers behind this botnet used social engineering to trick employees into installing the malware, and that the breach impacted multiple other point-of-sale providers.

“All of these attacks have been traced to social engineering/Team Viewer breaches because stores from SEVERAL POS vendors let supposed techs in to conduct ‘support,’” said Stephen P. Warne, vice president of service and support, in an email to this author. “Nothing to do with any of our support mechanisms which are highly restricted and well within PCI Compliance.”

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fslicing-into-a-point-of-sale-botnet%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Monday, June 6, 2016

Password Re-user? Get to Get Busy

In the wake of megabreaches at some of the Internet’s most-recognized destinations, don’t be surprised if you receive password reset requests from numerous companies that didn’t experience a breach: Some big name companies — including Facebook and Netflix — are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users.

Netflix sent out notices to customers who re-used their Netflix password at other sites that were hacked. This notice was shared by a reader who had re-used his Netflix password at one of the breached companies.

Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at LinkedIn, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.

“We believe your Netflix account credentials may have been included in a recent release of email addresses and passwords from an older breach at another company,” the message from Netflix reads. “Just to be safe, we’ve reset your password as a precautionary measure.”

The missive goes on to urge recipients to visit Netflix.com and click the “forgot your email or password” link to reset their passwords.

Netflix is taking this step because it knows from experience that cybercriminals will be using the credentials leaked from Tumblr, MySpace and LinkedIn to see if they work on a variety of third-party sites (including Netflix).

As I wrote last year in the aftermath of the AshleyMadison breach that exposed tens of millions of user credentials, Netflix’s forensics team has been using a tool that the company released in 2014 called Scumblr, which scours high-profile sites for specific terms and data.

“Some Netflix members have received emails encouraging them to change their account passwords as a precautionary measure due to the recent disclosure of additional credentials from an older breach at another internet company,” Netflix said in a statement released to KrebsOnSecurity. “Note that we are always engaged in these types of proactive security measures (leveraging Scumblr in addition to other mechanisms and data sources), not just in the case of major security breaches such as this one.”

Facebook also has been known to mine data leaked in major external password breaches for any signs that users are re-using their passwords at the hacked entity. After a breach discovered at Adobe in 2013 exposed tens of millions of Adobe customer credentials, Facebook scoured the leaked Adobe password data for credential recycling among its users.

The last time I wrote about this preemptive security measure, many readers seemed to have hastily and erroneously concluded that whichever company is doing the alerting doesn’t properly secure its users’ passwords if it can simply compare them in plain text to leaked passwords that have already been worked out.

What’s going on here is that Facebook, Netflix, or any other company that wants to can take a corpus of leaked passwords that have already been guessed or cracked and simply hash those passwords with whatever one-way hashing mechanism(s) they use internally. After that, it’s just a matter of finding any overlapping email addresses that use the same password.
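To make the mechanism concrete, here is an added example that is not code from Netflix, Facebook or the original post. It assumes a hypothetical site that stores passwords as per-user salt plus PBKDF2-HMAC-SHA256 (Scumblr and the real sites’ hashing schemes are not described on the page); the user table and the “leaked corpus” are both constructed sample data. The site never recovers its own users’ passwords: it only hashes the already-plaintext leaked password forward with each matching user’s salt and compares hashes.

```python
import hashlib
import hmac
import os

# Hypothetical site parameters (assumption, not the scheme of any real company).
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """The site's one-way password hash (assumed: PBKDF2-HMAC-SHA256 with a per-user salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_table(accounts):
    """Build a {email: (salt, hash)} store from (email, password) pairs.

    Only used here to construct sample data; a real site already holds such a table
    and never has the plaintext passwords at comparison time."""
    table = {}
    for email, password in accounts:
        salt = os.urandom(16)
        table[email.lower()] = (salt, hash_password(password, salt))
    return table


def find_reused_credentials(user_table, leaked_corpus):
    """Return the emails of customers whose site password equals a password leaked elsewhere.

    For each (email, plaintext) pair in the leak: if the email belongs to a customer,
    hash the leaked plaintext with that customer's salt and compare it, in constant time,
    against the stored hash. Nothing in the site's own store is ever decrypted."""
    flagged = set()
    for email, leaked_plaintext in leaked_corpus:
        record = user_table.get(email.lower())
        if record is None:
            continue  # not a customer of this site, nothing to compare against
        salt, stored_hash = record
        candidate = hash_password(leaked_plaintext, salt)
        if hmac.compare_digest(candidate, stored_hash):
            flagged.add(email.lower())  # same password at both sites: force a reset
    return sorted(flagged)


def demo():
    """Run the check over constructed sample data and return the accounts to reset."""
    # Constructed sample customers of the hypothetical site.
    site_accounts = [
        ("alice@example.com", "correct horse battery staple"),
        ("bob@example.com", "bob-unique-pw-2016"),
        ("carol@example.com", "Summer2016!"),
    ]
    user_table = make_user_table(site_accounts)

    # Constructed sample "leak": plaintext credentials already cracked from an older,
    # unrelated breach and posted online. Alice and Carol reused their passwords;
    # Bob used a different one elsewhere; Dave is not a customer at all.
    leaked_corpus = [
        ("alice@example.com", "correct horse battery staple"),
        ("bob@example.com", "totally-different-password"),
        ("dave@example.com", "whatever123"),
        ("Carol@Example.com", "Summer2016!"),
    ]
    return find_reused_credentials(user_table, leaked_corpus)


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset: {email}")
```

The cost of this check is one key-derivation per leaked credential that matches a customer email, which is exactly the per-login cost the site already pays, so a slow hash does not make the comparison impractical; it just means the site cannot do it for arbitrary leaked hashes, only for passwords the leak already exposes in plaintext.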

Message that Facebook has used in the past to alert users who have re-used their Facebook passwords at other breached sites.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fpassword-re-user-get-to-get-busy%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Friday, June 3, 2016

Banks: Credit Card Breach at CiCi’s Pizza

CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.

Over the past two months, KrebsOnSecurity has received inquiries from fraud fighters at more than a half-dozen financial institutions in the United States — all asking if I had any information about a possible credit card breach at CiCi’s. Every one of these banking industry sources said the same thing: They’d detected a pattern of fraud on cards that all had one thing in common: They’d all been used in the last few months at various CiCi’s Pizza locations.

Earlier today, I finally got around to reaching out to the CiCi’s headquarters in Texas and was referred to a third-party restaurant management firm called Champion Management. When I called Champion and told them why I was inquiring, they said “the issue” was being handled by an outside public relations firm called SPM Communications.

I never did get a substantive response from SPM, which according to their email and phone messages closes at 1 pm on Fridays during the summer. So I decided to follow up on a tip I’d received from a fraud fighter at one affected bank who said they’d heard from the U.S. Secret Service that the fraud was related to a breach or security weakness at Datapoint (CiCi’s point-of-sale provider).

Incredibly, I went to look up the contact information for datapoint[dot]com, and found that Google was trying to prevent me from visiting this site: According to the search engine giant, Datapoint’s Web site appears to be compromised and trying to foist malicious software on visitors! Unless you know what you’re doing, please resist the temptation to visit this site.

Google thinks Datapoint's Web site is trying to foist malicious software.

A quick look at Datapoint’s site via a virtual machine-protected Linux browser indicates that CiCi’s Pizza is indeed one of the company’s largest clients. The Secret Service did not immediately respond to requests for comment.

Undeterred, I phoned and emailed Datapoint, and heard back via email from Stephen P. Warne, vice president of service and support for the company. Warne said I was jumping to conclusions and that my “sources” must have had a beef with the company. Here’s his email to me, verbatim:

If you did indeed talk to the Secret Service you would know that the breaches they have investigated involved multiple POS vendors in one particular franchise, including Harbortouch and Granbury Restaurant Systems.

You would also know that not one Agent we spoke and cooperated with came to any conclusion of wrong doing on our part after scans months ago. The SS actually helped point out that these hackers used among Team Viewer, Screen Connect and some others they installed.

All of these attacks have been traced to social engineering/Team Viewer breaches because stores from SEVERAL POS vendors let supposed techs in to conduct ‘support’. Nothing to do with any of our support mechanisms which are highly restricted and well within PCI Compliance.

I won’t say much else on this as this is not a Datapoint breach. We just happened to have by far the most systems in that particular franchise overwhelmingly.

Interestingly, this apparent breach comes to light amid a great deal of speculation on Reddit and other places online about a possible data breach at Teamviewer. The idea that countless credit card terminals or cash registers at CiCi’s Pizza establishments and other businesses could have been compromised by cybercriminals who simply phoned up the establishments posing as tech support technicians for various point-of-sale vendors is remarkable (and frankly pretty ingenious).

I’ll no doubt have updates to this story as the weekend progresses. Stay tuned.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fbanks-credit-card-breach-at-cicis-pizza%2F&key=ddaed8f51db7bb1330a6f6de768a69b8

Thursday, June 2, 2016

Dropbox Smeared in Week of Megabreaches

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

Today’s post examines some of the missteps that preceded this embarrassing and potentially brand-damaging “oops.” We’ll also explore the limits of automated threat intelligence gathering in an era of megabreaches like the ones revealed over the past week that exposed more than a half billion usernames and passwords stolen from Tumblr, MySpace and LinkedIn.

The credentials leaked in connection with breaches at those social networking sites were stolen years ago, but the full extent of the intrusions only became clear recently — when several huge archives of email addresses and hashed passwords from each service were posted to the dark web and to file-sharing sites.

Last week, a reader referred me to a post by a guy named Andrew on the dropbox.com help forum. Andrew said he’d just received alerts blasted out by two different credit monitoring firms that his dropbox credentials had been compromised and were found online (see screenshot below).

A user on the dropbox forum complains of receiving alerts from separate companies warning of a huge password breach at dropbox.com.

Here’s what LifeLock sent out on May 23, 2016 to many customers who pay for the company’s credential recovery services:

Alert Date: 05-23-2016
Alert Type: Monitoring
Alert Category: Internet-Black Market Website
**Member has received a File Sharing Network alert Email: *****
Password: ****************************************
Where your data was found: social media
Type of Compromise: breach
Breached Sector: business
Breached Site: www.dropbox.com
Breached Record Count: 73361477
Password Status: hashed
Severity: red|email,password
Site: www.dropbox.com

LifeLock said it got the alert data via an information sharing agreement with a third party threat intelligence service, but it declined to name the service that sent the false positive alert.

“We can confirm that we recently notified a small segment of LifeLock members that a version of their dropbox.com credentials were detected on the internet,” LifeLock said in a written statement provided to KrebsOnSecurity. “When we are notified about this type of information from a partner, it is usually a “list” that is being given away, traded or sold on the dark web. The safety and security of our members’ data is our highest priority. We are continuing to monitor for any activity within our source network. At this time, we recommend that these LifeLock members change their Dropbox password(s) as a precautionary measure.”

Dropbox says it didn’t have a breach, and if it had the company would be seeing huge amounts of account checking activity and other oddities going on right now. And that’s just not happening, they say.

“We have learned that LifeLock and MyIdCare.com are reporting that Dropbox account details of some of their customers are potentially compromised,” said Patrick Heim, head of trust and security at Dropbox. “An initial investigation into these reports has found no evidence of Dropbox accounts being impacted. We’re continuing to look into this issue and will update our users if we find evidence that Dropbox accounts have been impacted.”

FALSE POSITIVES?

After some digging, I learned that the bogus attribution of the Tumblr breach to Dropbox came from CSID, an identity monitoring firm that is in the midst of being acquired by credit bureau giant Experian.

Fascinated by anything related to security and false positives, I phoned Bryan Hjelm, vice president of product and marketing for CSID. Hjelm took issue with my classifying this as a threat intel false positive, since from CSID’s perspective the affected individual customers were in fact alerted that their credentials were compromised (just not their Dropbox credentials).

“Our mandate is to alert our client subscribers when we find their information on the darkweb,” Hjelm said. “Regardless of the source, this is compromised data that belongs to them.”

Hjelm acknowledged that CSID was “experiencing some reputational concerns” from Dropbox and others as a result of its breach mis-attribution, but he said the incident was the first time this kind of snafu has occurred for CSID.

I wanted to know exactly how this could have happened, so I asked Hjelm to describe what transpired in more detail. He told me that CSID relies on a number of sources online who have been accurate, early indicators of breaches past. One such actor — a sort of cyber gadfly best known by his hacker alias “w0rm” — had proven correct in previous posts on Twitter about new data breaches, Hjelm said.

In this case, w0rm posted to Twitter a link to download a file containing what he claimed were 100M records stolen from Dropbox. Perhaps one early sign that something didn’t quite add up is that the download he linked to as the Dropbox user file actually only included 73 million usernames and passwords.

In any case, CSID analysts couldn’t determine one way or the other whether it actually was Dropbox’s data. Nonetheless, they sent it out as such anyway, based on little more than w0rm’s say-so.

w0rm's advertisement of the claimed dropbox credentials.

Hjelm said his analysts never test the validity of stolen credentials they’re harvesting from the dark web (i.e. they don’t try to log in using those credentials to see if they’re valid). But he said CSID may take steps such as attempting to crack some of the hashed passwords to see whether a preponderance of them point to a certain online merchant or social network.

In the LinkedIn breach involving more than 100 million stolen usernames and passwords, for example, investigators were able to connect a corpus of hashed passwords posted on a password cracking forum to LinkedIn because a large number of users in the hashed password list had a password with some form of “linkedin” in it.

I asked CSID whether its researchers took the basic step of attempting to register accounts at the suspected breached service using the email addresses included in the supposed user data dump. As I discussed in the post How to Tell Data Leaks from Publicity Stunts, most online services do not allow two different user accounts to have the same email address, so attempting to sign up for an account using an email address in the claimed leak data is an effective way to test leak claims. If a large number of email addresses in the claimed leak list do not already have accounts associated with them at the allegedly breached Web site, the claim is almost certainly bogus.

Hjelm said CSID doesn’t currently use this rather manual technique, but that the company is open to suggestions about how to improve the accuracy of their breach victim attribution. He said CSID only started providing attribution information about a year ago because clients were demanding it.
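The two attribution checks described above, as an added example that is not CSID's, Flashpoint's or the post's own code. The first counts how many already-cracked passwords contain a candidate site's name (the LinkedIn observation) and only returns an attribution when one site clearly leads. The second computes what fraction of the leaked e-mail addresses already have an account at the claimed site; the post describes learning that by attempting to register the address, but here the check is a caller-supplied callable so the logic runs offline. Site names, thresholds and all sample data are constructed assumptions.

```python
import re
from collections import Counter
from typing import Callable, Iterable

# Assumed candidate services; extend with whatever the analyst suspects.
CANDIDATE_SITES = ["linkedin", "tumblr", "dropbox", "myspace", "facebook"]


def site_mentions(cracked_passwords: Iterable[str], sites=CANDIDATE_SITES) -> Counter:
    """Count how many cracked passwords contain each site name.
    Comparison is case-insensitive and ignores digits and punctuation,
    so 'LinkedIn!2012' and 'my-linked.in' both count for 'linkedin'."""
    counts = Counter({s: 0 for s in sites})
    for pw in cracked_passwords:
        normalized = re.sub(r"[^a-z]", "", pw.lower())
        for s in sites:
            if s in normalized:
                counts[s] += 1
    return counts


def likely_source(cracked_passwords, sites=CANDIDATE_SITES, min_ratio=2.0):
    """Name the site mentioned most often, but only if it leads the runner-up
    by at least min_ratio (assumed threshold); otherwise None, meaning the
    cracked sample does not support a confident attribution."""
    ranked = site_mentions(cracked_passwords, sites).most_common()
    top, top_n = ranked[0]
    second_n = ranked[1][1] if len(ranked) > 1 else 0
    if top_n == 0 or top_n < min_ratio * max(second_n, 1):
        return None
    return top


def registered_fraction(emails: Iterable[str], account_exists: Callable[[str], bool]) -> float:
    """Fraction of distinct leaked e-mails that already have an account at the
    claimed site. A low fraction means the dump almost certainly is not that
    site's user list, whatever the seller claims."""
    distinct = list(dict.fromkeys(e.strip().lower() for e in emails))
    if not distinct:
        return 0.0
    return sum(1 for e in distinct if account_exists(e)) / len(distinct)


# Constructed sample: a handful of cracked passwords from a hypothetical dump.
SAMPLE_CRACKED = [
    "linkedin123", "LinkedIn!2012", "ilovelinkedin", "my-linked.in",
    "password1", "tumblr", "qwerty", "letmein",
]

# Constructed sample: leaked e-mails plus a stand-in for the registration check.
SAMPLE_EMAILS = ["a@example.com", "B@example.com", "c@example.com", "b@example.com"]
KNOWN_ACCOUNTS = {"a@example.com", "b@example.com"}


def demo():
    return (
        likely_source(SAMPLE_CRACKED),
        registered_fraction(SAMPLE_EMAILS, lambda e: e in KNOWN_ACCOUNTS),
    )


if __name__ == "__main__":
    print(demo())
```

Neither heuristic proves anything on its own: the password test needs a reasonably large cracked sample and a site whose name users actually put in passwords, and the registration test only works against services that refuse duplicate e-mail addresses, which is exactly why the post treats it as a quick filter for bogus claims rather than a final answer.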

Allison Nixon, a cybercrime researcher and director of security research at dark web monitoring firm Flashpoint, was the genesis of that aforementioned story about data leaks vs. publicity stunts. She’s done more research than anyone I know to date on ways to quickly tell whether a claimed breach is real, and how to source it. Nixon said automating threat intel only goes so far.

“In general, the skill of human skepticism performed today by threat intelligence experts is extremely difficult to automate,” Nixon said. “Even with advancements in cognitive and artificial intelligence technologies, humans will still and always be needed to validate the nuances associated with accurate intelligence. Security experts must be intimately involved in the fact checking process of threat intelligence, or otherwise, will run the risk of losing valuable time, resources and possibly even more, by validating false information perceived as accurate by automated technologies.”

Flashpoint found closer examination of the file that w0rm leaked maps back to a 2013 recycled breach at Tumblr.

There is no question w0rm has a history of sharing real dumps. But according to Flashpoint that reputation must be taken with a grain of salt because even though the dumps are real, they are usually publicly available yet are portrayed by w0rm as evidence of his hacking proficiency.

In short: The intended victim of guys like w0rm is probably other cybercriminals, but threat intel companies can get caught up in this as well.

Many readers have asked me to weigh in on reports of a possible breach at Teamviewer, a service that lets users share their desktops, audio chat and other applications with friends and contacts online. Teamviewer has so far denied experiencing a breach.

My guess is that a large number of Teamviewer users either re-used passwords at some of the social networking services whose usernames and hashed passwords were posted online this week, or they are Teamviewer users who unfortunately were caught up in the day-to-day churn of systems compromised through other malware. In any case, there is a lengthy thread on Reddit populated by Teamviewer users who mostly claim they didn’t re-use their Teamviewer password anywhere else.

It’s interesting to note that early versions of remote access Trojans like Zeus contained a Teamviewer-like component called “backconnect” that let the attackers use the systems much like Teamviewer enables its users. These days, however, cybercriminals often forgo that homegrown backconnect feature and rely instead on either equipping the victim with a Teamviewer account and/or hijacking the victim’s existing Teamviewer account credentials, and then exfiltrating stolen credentials and other data through a Teamviewer installation. Hence, a compromise of one’s Teamviewer account may indicate that the victim’s system already is compromised by sophisticated Windows-based malware.

For its part, Dropbox is using this opportunity to encourage users to beef up the security of their accounts. According to Dropbox’s Patrick Heim, less than one percent of the Dropbox user base is taking advantage of the company’s two-factor authentication feature, which makes it much harder for thieves and other ne’er-do-wells to use stolen passwords.

“In matters of security, we always suggest users take an abundance of caution and reset their passwords if they receive any notification of a potential compromise,” Heim said. “Dropbox strongly encourages individuals use strong and unique passwords for each service. We also encourage Dropbox users to enable two-factor authentication to further protect their account.”

I hope it goes without saying that re-using passwords across multiple sites that may hold personal information about you is an extremely bad idea. If you’re guilty of this apparently common practice, please change that. If you need some inspiration on this front, check out this post.



from
http://redirect.viglink.com?u=http%3A%2F%2Fkrebsonsecurity.com%2F2016%2F06%2Fdropbox-smeared-in-week-of-megabreaches%2F&key=ddaed8f51db7bb1330a6f6de768a69b8