Attacks/Breaches
3/18/2014
02:10 PM

Attackers Hit Clearinghouse Selling Stolen Target Data

Hackers interrupt and deface sites of black-market forums selling credit card data stolen from Target and other retailers.


Two websites specializing in the sale of stolen credit and debit card information -- including cards lifted from Target stores -- appeared to have been knocked offline Monday after an unknown attacker breached and defaced the sites.

"Hi subhumans and miscreants, your fraud site is gone now. Go away," read a message left Monday on rescator.so and rescator.cm, The Wall Street Journal reported. Both sites are part of the Rescator network and sit under the Somalia (.so) and Cameroon (.cm) country-code top-level domains.

The defacement message criticized the sites' users and "regular fraudsters" while offering a shout-out to security journalist Brian Krebs, who was the first to make public the December 2013 Target breach. It also embedded a YouTube music video of Will Smith's "Men In Black," the theme song for the 1997 movie of the same name, about a secret organization charged with protecting the Earth from the scum of the universe.

By Tuesday, however, the sites appeared to be back online. Meanwhile, three other sites in the same network -- octavian.su, rescator.cc, and rescator.co, whose top-level domains are assigned to the former Soviet Union, the Cocos Islands, and Colombia respectively -- appeared to stay online and undisturbed throughout the outage.

[Why did Target disregard security warnings? Read Target Ignored Data Breach Alarms.]

The defacement followed an earlier incident in which Rescator's customer database was stolen and published online, Krebs reported.

Rescator has been selling stolen card data -- from Target, Neiman Marcus, Sally Beauty Supply, and others -- in batches, marketed under such names as "Beaver Cage," "Desert Strike," "Eagle Claw," and "Krass." The latest batch of cards to be offered for sale via the Rescator sites appeared on March 11, dubbed "Great Pompeii." The site accepts payment via wire transfer services such as Western Union and MoneyGram ($500 minimum), the e-currency service Perfect Money, or cryptocurrencies such as Bitcoin and Litecoin.

Selling in batches keeps the black market from being flooded with stolen-card data, which would undercut sale prices. Unfortunately for cardholders, that release strategy means that data breach victims -- the consumers, not the businesses that lost their data -- might not see ID theft or related fraud until many months after a breach. According to fraud protection firm Easy Solutions, for example, card data stolen from Target in December 2013 may keep surfacing on black-market forums into 2015.

But the owner of the Rescator carder forums (the name "Rescator" also appears to have been used as a person's handle on other underground forums) may have done more than simply create an eBay for fraudsters' stolen card data. Rescator was cited in an IntelCrawler report as being among the buyers of the BlackPOS malware, which is designed to infect point-of-sale (POS) systems. A version of that malware was used to compromise Target.

Furthermore, in January, McAfee Labs reported that the uploader associated with the customized version of BlackPOS used against Target contained the following debug-symbol (PDB) path, a string the Windows build toolchain embeds in a binary at compile time: "z:\Projects\Rescator\uploader\Debug\scheck.pdb." McAfee's researchers suggested that path was one likely clue to the "actor behind the campaign."
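As an added illustration (not code from the article or from McAfee), the following Python scans a raw binary blob for CodeView "RSDS" records, the structure in which the Windows linker stores the PDB path together with a GUID and an "age" counter. The sample blob is constructed here around the path quoted above; the GUID and age are invented for the example. The GUID+age pair is the key symbol servers use for a build, so it pins down a specific compilation more precisely than the path text alone. Scanning for the four-byte signature is a heuristic that can match by accident; proper tooling reads the PE debug directory instead.

```python
"""Extract CodeView (RSDS) debug records from a binary blob as build IOCs.
Added example, not from the article or McAfee. Sample data is constructed."""
import re
import struct
import uuid

# RSDS record: "RSDS" + 16-byte GUID + 4-byte little-endian age + NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def parse_rsds(blob: bytes) -> list:
    """Return one dict per RSDS record: PDB path, GUID, age, symbol-server key,
    and the directory names of the build path (handy pivot strings)."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid_raw, age_raw, path_raw = m.groups()
        guid = uuid.UUID(bytes_le=guid_raw)          # CodeView stores the GUID in LE layout
        age = struct.unpack("<I", age_raw)[0]
        path = path_raw.decode("latin-1")            # 1:1 byte mapping, never fails
        parts = path.split("\\")
        records.append({
            "pdb_path": path,
            "pdb_name": parts[-1],
            "guid": str(guid),
            "age": age,
            # Symbol-server key: uppercase GUID hex followed by the age in hex.
            "symserver_key": guid.hex.upper() + ("%X" % age),
            # Heuristic: everything between the drive letter and the file name.
            "project_dirs": [p for p in parts[:-1] if p and ":" not in p],
        })
    return records


def build_sample_blob() -> bytes:
    """Constructed fragment of a PE-like file carrying one RSDS record.
    The PDB path is the one quoted in the article; GUID and age are made up."""
    guid = uuid.UUID("12345678-9abc-def0-0123-456789abcdef")
    path = b"z:\\Projects\\Rescator\\uploader\\Debug\\scheck.pdb"
    return (b"MZ" + b"\x00" * 30
            + b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + path + b"\x00"
            + b"\x90" * 8)


if __name__ == "__main__":
    for rec in parse_rsds(build_sample_blob()):
        print(rec["pdb_path"])
        print("build key:", rec["symserver_key"], "dirs:", rec["project_dirs"])
```

In practice you would run `parse_rsds` over a suspect sample and hunt for the same `symserver_key` or `project_dirs` values across other binaries; identical keys mean the same build, and a shared directory name such as a handle in the path is the kind of clue the McAfee researchers pointed at.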

In related news, Sally Beauty Holdings, a $3.6 billion professional beauty supplies retailer and distributor, said Monday that digital forensic investigators from Verizon have discovered that a recent network breach resulted in the theft of credit and debit card information. As with Target, the breach was first made public by security reporter Brian Krebs, who suggested that as many as 282,000 cards may have been stolen from the company's stores and e-commerce operation, and that the theft appeared to trace to the same crew that hacked Target.

"The Rescator cards stolen from Target were indexed by Target store ZIP code. My suspicion is the same with Sally Beauty," Krebs said via Twitter.

To date, Sally Beauty has confirmed only that attackers stole credit and debit card data for some cardholders who shopped at its retail stores. "We have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed," read a statement released Monday by Sally Beauty.

Track 2 data is the information encoded on a card's magnetic stripe that a point-of-sale terminal reads when the card is swiped: the account number, expiration date, a service code, and a discretionary field that carries a card verification value (CVV1/CVC1, distinct from the CVV2 printed on the back of the card) which the issuer checks to confirm that a genuine stripe was physically read. Track 1 holds the same fields plus the cardholder's name. Because that is everything a terminal needs, criminals can write stolen track data onto a blank card and produce a working counterfeit; track 2 alone is enough for a clone.
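To make the distinction concrete, here is an added Python example (not from the article or from Sally Beauty) that parses constructed track 1 and track 2 strings, validates the account number with the Luhn check, decodes the service code, and scans a made-up memory buffer for track records, the pattern both POS memory-scraping malware and DLP rules rely on. The PAN 4111111111111111 is a standard test number, not a real account, and the regular expressions are this example's own approximations of the ISO/IEC 7813 track layouts.

```python
"""Parse magnetic-stripe track 1 / track 2 data and scan a buffer for it.
Added example, not from the article. All sample data is constructed."""
import re

# Constructed samples using the test PAN 4111111111111111 (Luhn-valid, not a
# real account). Expiry is YYMM, service code 101, then discretionary data
# (on a real stripe this field carries the CVV1/CVC1 the issuer verifies).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

# Constructed stand-in for a POS process memory dump: junk around two records.
SAMPLE_MEMORY = (b"\x00\x17pos.exe\x00" + b"\x90" * 12 + SAMPLE_TRACK2.encode()
                 + b"\x00garbage\xff\xfe" + SAMPLE_TRACK1.encode() + b"\x00" * 4)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812) over the account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_service_code(code: str) -> dict:
    """Decode the three-digit ISO/IEC 7813 service code."""
    return {
        "chip_capable": code[0] in "26",          # 2/6: use the chip where feasible
        "online_auth_required": code[1] in "24",  # 2/4: contact issuer online
        "pin_required": code[2] in "035",         # 0/3/5: PIN required
    }


def parse_track(raw: str) -> dict:
    """Parse one track 1 or track 2 string; raise ValueError for anything else."""
    m = TRACK1_RE.fullmatch(raw)
    if m:
        pan, name, yymm, svc, disc = m.groups()
        track = 1
    else:
        m = TRACK2_RE.fullmatch(raw)
        if not m:
            raise ValueError("not track 1 or track 2 data")
        pan, yymm, svc, disc = m.groups()
        name, track = None, 2
    info = {
        "track": track,
        "pan": pan,
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "luhn_valid": luhn_ok(pan),
        "name": name,                         # only track 1 carries the name
        "expiry": "20" + yymm[:2] + "-" + yymm[2:],
        "service_code": svc,
        "discretionary": disc,
    }
    info.update(decode_service_code(svc))
    return info


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer for track records (scraper / DLP style) and parse them."""
    text = buf.decode("latin-1")              # 1:1 byte mapping, never fails
    hits = []
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(text):
            hits.append(parse_track(m.group(0)))
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit["track"], hit["pan_masked"], hit["expiry"], hit["service_code"],
              "luhn" if hit["luhn_valid"] else "BAD LUHN", hit["name"])
```

The scan shows why "card-present (track 2)" records are the prize: a single regex hit yields everything needed to encode a clone. The service code is also worth watching, since a leading 2 or 6 marks a chip-capable card, and a plain swipe of such a card is the "fallback" transaction issuers treat as higher risk.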

In a related Q&A, Sally Beauty Holdings suggested that all customers watch their credit and debit statements for signs of fraud.

Sally Beauty also promised to offer regular updates about the breach and to continue working with both Verizon and the US Secret Service. To date, however, it hasn't responded to Krebs's report that up to 282,000 of its customers' credit and debit cards may have been compromised in the breach.

"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation," the company said. "As a result, we will not speculate as to the scope or nature of the data security incident."


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
MarkS229
User Rank: Apprentice
3/21/2014 | 12:50:39 AM
RobinHood?
Actually, his real name was Alf, but it doesn't have the same ring to it...
anon4303592246
User Rank: Apprentice
3/20/2014 | 9:15:56 AM
Re: Robin Hood?
Actually there was no relation between MIB and Robin Hood. MIB was a 'secret' government division. And Robin Hood was a freelancer that gave away money. The MIB clip was to signify that they would do things that the govt wouldn't, but not have to be accountable for their actions.
ssabella111
User Rank: Apprentice
3/19/2014 | 7:26:36 PM
Attackers hit clearinghouse
Amen do it again.
Laurianne
User Rank: Apprentice
3/18/2014 | 2:52:19 PM
Robin Hood?
Men in Black video clips, huh. So they fancy themselves as Robin Hood types?