UPS Confirms Security Breach
UPS Stores, a subsidiary of UPS, said Wednesday that a security breach may have led to the theft of customer credit and debit data at 51 of its franchises in the United States.
An assessment by UPS Store and an IT security firm revealed the presence of malware at 51 locations in 24 states, about 1 percent of the company’s 4,470 franchised center locations throughout the United States. In a statement, the company said that customers who had used their debit or credit cards at affected locations, which are listed on the UPS website, from Jan. 20 to Aug. 11, 2014, may have been exposed to the malware, although the company said most exposures occurred after March 26. UPS said it had eliminated the malware as of Aug. 11.
The breach at the UPS stores is just the latest in a string of similar cyber attacks on in-store payment systems at major American corporations, including Target, P.F. Chang’s, Neiman Marcus, Michaels, Sally Beauty and, most recently, the Supervalu and Albertsons grocery stores.
Russian Hackers Amass Over a Billion Internet Passwords
Article by NY Times
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.
There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.
And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.
But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.
“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”
Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.
So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.
But selling more of the records on the black market would be lucrative.
While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.
Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time. The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.
“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools. Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.
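The SQL injection described above, as an added illustration that is not code from the article or from Hold Security: it builds a constructed in-memory SQLite table, shows how a string-built query can be made to return the whole table, and shows the parameterized form that closes the hole.

```python
"""Added example: why string-built SQL leaks a table and bound parameters do not.
All data here is constructed sample data, not anything from the article."""
import sqlite3


def build_db():
    # Constructed two-row user table standing in for a small site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # Defect: user input is pasted into the SQL text, so the input can change
    # the query's logic instead of just its data.
    sql = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Fix: the driver binds the value separately; the input is only ever data.
    sql = "SELECT email, pw_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    # The classic textbook probe string; against the vulnerable function it
    # turns the WHERE clause into an always-true condition.
    conn = build_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
        "legit_rows": len(lookup_parameterized(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 2, 'parameterized_rows': 0, 'legit_rows': 1}
```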
By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.
“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.
Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.
The disclosure comes as hackers and security companies gather in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.
Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.
Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies.
“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”
Debit/Credit Card Unauthorized Charges (7/10/2014)
TrustAtlantic Bank has become aware of a recent scam involving unauthorized charges to Debit/Credit Cards.
A large number of complaints have been filed against a company named IEPTC or IEPTCS. The description that accompanies these charges is oftentimes the company’s website address (IEPTCS.COM). http://www.bbb.org/atlanta/business-reviews/internet-services/ieptcscom-in-atlanta-ga-27505623
As always, we urge you to please keep a close eye on your Bank and Credit Card statements and report any suspicious or unauthorized activity to the appropriate financial institution.
P.F. Chang's Confirms Card Breach
Cybercrime Forums Sell Stolen Credit and Debit Card Data
Restaurant chain P. F. Chang's China Bistro confirms it suffered a data breach that compromised credit and debit card numbers used by an unknown number of patrons.
P. F. Chang's, which is based in Scottsdale, Ariz., says it first learned from the U. S. Secret Service on June 10 that the company's systems appeared to have been compromised via a security breach. "Immediately, we initiated an investigation with the U. S. Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and have concluded that data has been compromised," says Rick Federico, CEO of P. F. Chang's, in a statement released June 12.
Federico's statement was posted to a dedicated P. F. Chang's site for communicating information about the breach. "We are coordinating with the U. S. Secret Service on an investigation to determine when the incident started and what information is involved," he says. "To assist with these efforts, P.F. Chang's retained specialized data privacy counsel and forensics experts who are actively assisting in the investigation."
P. F. Chang's is still working with payment card companies to assemble an exhaustive list of all cards that were compromised in the breach. Based on past breaches, it will also take more time for digital forensic investigators to identify exactly how the attack occurred and then lock down the company's network to prevent repeat attacks.
Until that happens, Federico says P. F. Chang's restaurants in the United States will use a "manual credit card imprinting system." A spokeswoman for the chain confirms to Information Security Media Group that its restaurants are using carbon-copy slips with manual card imprinters, and that P. F. Chang's is distributing "dial-up card readers to restaurants that will be plugged in via the PSTN fax line and used to process the slips."
Restaurants with the P. F. Chang's brand are also operated in Canada and Mexico, as well as a number of other countries, including Argentina, Bahrain, Chile, Colombia, Kuwait and Turkey. But the company said Thursday that the data breach is confined to the continental United States.
Breach Response: Rapid
The restaurant's rapid switch to a backup payment card clearing system, as well as its CEO issuing a public data breach warning just 48 hours after learning about the potential security intrusion, suggests officials are taking the breach seriously.
SANS Institute handler Richard Porter conducted first-hand research into P. F. Chang's on-the-ground breach response by eating lunch there Thursday. "I polled one of the managers if she had been briefed on the breach. She had been informed," Porter reported June 12.
"At lunch... people were still paying with credit cards, but what returned was a pleasant and welcome surprise," he said. "The bartender placed the bill down along with a manually run credit card from one of the old school card imprinters."
For Sale: Stolen Data
The Secret Service appears to have learned about the P. F. Chang's breach - most likely after having been alerted by fraud experts at one or more payment card providers - after related data appeared for sale on June 9 on the stolen card data marketplace called Rescator. That's one of a number of sites that offer Amazon-like e-commerce functionality to buyers of stolen card data, or "dumps," which is the data contained on the magnetic stripe of a card. The information can be used to commit online fraud, as well as to create cloned credit and debit cards. Some gangs distribute cloned cards to mules located around the world, who then use the cards to withdraw as much money as possible from ATMs before payment card providers spot the fraud and disable the card numbers.
P. F. Chang's hasn't yet disclosed how card data was compromised. Leading theories range from a network penetration attack that allowed hackers to exfiltrate information from a database to an attack that infected point-of-sale payment terminals with malware.