Attacks/Breaches
3/18/2014 02:10 PM
Attackers Hit Clearinghouse Selling Stolen Target Data

Hackers interrupt and deface sites of black-market forums selling credit card data stolen from Target and other retailers.


Two websites specializing in the sale of stolen credit and debit card information -- including cards lifted from Target stores -- appeared to have been knocked offline Monday after an unknown attacker breached and defaced the sites.

"Hi subhumans and miscreants, your fraud site is gone now. Go away," read a message left Monday on rescator.so and rescator.cm, The Wall Street Journal reported. Both sites are part of the Rescator network; their .so and .cm top-level domains are the country codes for Somalia and Cameroon.

The defacement message criticized the sites' users and "regular fraudsters" while offering a shout-out to security journalist Brian Krebs, who was the first to make public the December 2013 Target breach. It also embedded a YouTube music video of Will Smith's "Men In Black," the theme song for the 1997 movie of the same name, about a secret organization charged with protecting the Earth from the scum of the universe.

By Tuesday, however, the sites appeared to be back online. Meanwhile, three other sites in the same network -- octavian.su, rescator.cc, and rescator.co, whose top-level domains respectively refer to the former Soviet Union, the Cocos Islands, and Colombia -- appeared to remain online and uninterrupted throughout the outage.


The hack followed the theft of Rescator's customer database and its publication on the Internet, Krebs reported.

Rescator has been selling stolen card data -- from Target, Neiman Marcus, Sally Beauty Supply, and others -- in batches, marketed under such names as "Beaver Cage," "Desert Strike," "Eagle Claw," and "Krass." The latest batch of credit cards to be offered for sale via the Rescator sites appeared on March 11, dubbed "Great Pompeii." The site accepts payment via wire transfer services such as Western Union and MoneyGram ($500 minimum), e-currency service Perfect Money, or cryptographic currencies such as Bitcoin and Litecoin.

Selling in batches helps keep the black market from being flooded with stolen-card data, which would undercut sale prices. Unfortunately for cardholders, that release strategy means that data breach victims -- consumers, not the businesses that lost their data -- might not experience ID theft or related fraud until many months after a breach. According to fraud protection firm Easy Solutions, for example, card data stolen from Target in December 2013 may keep showing up on black-market forums until 2015.

But the owner of the Rescator carder forums (the name "Rescator" appears to have also been used as a person's handle on other underground forums) may have done more than simply create an eBay for fraudsters' stolen card data. Rescator was cited in an IntelCrawler report as being among the buyers of the BlackPOS malware, which is designed to infect point-of-sale (POS) systems. In fact, a version of that malware was used to compromise Target.

Furthermore, in January, McAfee Labs reported that the uploader associated with the customized version of BlackPOS that was used to hack Target included the following compiler string: "z:\Projects\Rescator\uploader\Debug\scheck.pdb." Information security researchers at McAfee suggested that was one likely clue as to the "actor behind the campaign."
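The "compiler string" McAfee cited is a PDB path from the CodeView debug record that Visual Studio embeds in a PE file, and pulling it out is a routine first step in malware triage. The following is an added example written for this article, not code from McAfee, IntelCrawler or any tool named here: it carves RSDS records (the "RSDS" signature, a 16-byte GUID, a 32-bit age and a NUL-terminated path) out of an arbitrary byte blob. The sample bytes are constructed; only the PDB path is the string the article quotes, and the GUID and age are made up.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import List

# A PE built with debug info carries a CodeView "RSDS" record:
#   'RSDS' | 16-byte GUID | uint32 age | NUL-terminated PDB path
# The path is whatever the developer's build tree looked like, which is why it can
# leak project and user names (the article's "z:\Projects\Rescator\..." string).
RSDS_HEADER_LEN = 4 + 16 + 4


@dataclass
class CodeViewRecord:
    offset: int
    guid: str      # 32 uppercase hex chars in symbol-server order
    age: int
    pdb_path: str

    @property
    def symbol_id(self) -> str:
        """GUID + age in hex: the key symbol servers use to look up the matching PDB."""
        return self.guid + f"{self.age:X}"


def find_codeview_records(blob: bytes) -> List[CodeViewRecord]:
    """Carve every plausible RSDS record out of a byte blob (no PE parsing needed)."""
    records = []
    pos = blob.find(b"RSDS")
    while pos >= 0 and pos + RSDS_HEADER_LEN <= len(blob):
        guid_bytes = blob[pos + 4:pos + 20]
        (age,) = struct.unpack_from("<I", blob, pos + 20)
        end = blob.find(b"\x00", pos + RSDS_HEADER_LEN)
        path = blob[pos + RSDS_HEADER_LEN:end] if end >= 0 else b""
        # Require a non-empty printable path so random 'RSDS' byte runs are ignored.
        if path and all(0x20 <= b < 0x7F for b in path):
            guid = uuid.UUID(bytes_le=guid_bytes).hex.upper()  # Data1-3 are stored little-endian
            records.append(CodeViewRecord(pos, guid, age, path.decode("ascii")))
        pos = blob.find(b"RSDS", pos + 4)
    return records


# Constructed stand-in for a PE image: the PDB path is the string McAfee reported
# (quoted in the article); the GUID, age and surrounding bytes are made up.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 2)
    + b"z:\\Projects\\Rescator\\uploader\\Debug\\scheck.pdb\x00"
    + b"\x90" * 16
    + b"RSDS" + b"\xff" * 20 + b"\x00"   # decoy: RSDS bytes followed by an empty path
)

if __name__ == "__main__":
    for rec in find_codeview_records(SAMPLE_PE):
        print(f"offset={rec.offset} pdb={rec.pdb_path} id={rec.symbol_id}")
```

Scanning raw bytes rather than walking the PE debug directory is deliberate: packed or truncated samples often keep the RSDS record even when the headers are damaged. The path is attacker-controlled text, so treat it as one clue among several (as McAfee did) rather than as proof of authorship.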

In related news, Sally Beauty Holdings, a $3.6 billion professional beauty supplies retailer and distributor, said Monday that digital forensic investigators from Verizon have discovered that a recent network breach resulted in the theft of credit and debit card information. As with Target, the breach was first made public by security reporter Brian Krebs, who suggested that as many as 282,000 cards may have been stolen from the company's stores and e-commerce operation, and that the theft appeared to trace to the same crew that hacked Target.

"The Rescator cards stolen from Target were indexed by Target store ZIP code. My suspicion is the same with Sally Beauty," Krebs said via Twitter.

To date, Sally Beauty has confirmed only that attackers stole credit and debit card data for some cardholders who shopped at its retail stores. "We have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed," read a statement released Monday by Sally Beauty.

Track-2 data refers to hidden information encoded in a card's magnetic stripe, which provides an authentication code that a processor can use to verify that the card is physically present. Together with track-1 data -- which includes a cardholder's name, account number, card expiration date, and CVV code -- criminals could create working counterfeit cards loaded with the stolen information.
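Because track-2 data has a fixed, well-known layout (ISO/IEC 7813: start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel), the same pattern a RAM scraper searches for can be turned around and used for detection, for example in DLP rules or when sweeping POS memory dumps and logs for leaked card data. The following is an added example, not code from the article or from any company it names; it scans a constructed byte buffer for track-2 records and applies a Luhn check to discard look-alikes. The PAN 4111111111111111 is a publicly known test number, not a real card.

```python
import re
from dataclasses import dataclass
from typing import List

# Track-2 layout per ISO/IEC 7813:
#   ';' start sentinel, PAN (13-19 digits), '=' separator, YYMM expiry,
#   3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass
class Track2Hit:
    offset: int          # byte offset of the start sentinel in the scanned buffer
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    def masked_pan(self) -> str:
        """Keep the BIN (first 6) and last 4 so a finding can be reported safely."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 check-digit test; real PANs pass, random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> List[Track2Hit]:
    """Return every Luhn-valid track-2 record found in an arbitrary byte buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_valid(pan):
            continue  # right shape, wrong check digit: probably not card data
        hits.append(Track2Hit(m.start(), pan, m.group(2).decode("ascii"),
                              m.group(3).decode("ascii"), m.group(4).decode("ascii")))
    return hits


# Constructed stand-in for a memory region or log chunk (not real captured data).
SAMPLE_BUFFER = (
    b"\x00\x00POS-TERMINAL-0042\x00"
    + b"order 9876543210123=2020 ok\n"                  # no sentinels: not track data
    + b";4111111111111112=25121011234567890?"           # right shape, fails Luhn
    + b"\x00\x00;4111111111111111=25121011234567890?"   # a genuine-looking track-2 record
    + b"\xff" * 8
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(f"offset={hit.offset} pan={hit.masked_pan()} "
              f"exp={hit.expiry_yymm} svc={hit.service_code}")
```

Reporting only the masked PAN matters in practice: a detection pipeline that copies full track data into alerts or tickets recreates the very exposure it is meant to find.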

In a related Q&A, Sally Beauty Holdings suggested that all customers watch their credit and debit statements for signs of fraud.

Sally Beauty also promised to offer regular updates about the breach and to continue working with both Verizon and the US Secret Service. To date, however, it hasn't responded to Krebs's report that up to 282,000 of its customers' credit and debit cards may have been compromised in the breach.

"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation," the company said. "As a result, we will not speculate as to the scope or nature of the data security incident."


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
MarkS229 (User Rank: Apprentice), 3/21/2014 12:50:39 AM
RobinHood?
Actually, his real name was Alf, but it doesn't have the same ring to it...

anon4303592246 (User Rank: Apprentice), 3/20/2014 9:15:56 AM
Re: Robin Hood?
Actually there was no relation between MIB and Robin Hood. MIB was a 'secret' government division. And Robin Hood was a freelancer that gave away money. The MIB clip was to signify that they would do things that the govt wouldn't, but not have to be accountable for their actions.

ssabella111 (User Rank: Apprentice), 3/19/2014 7:26:36 PM
Attackers hit clearinghouse
Amen, do it again.

Laurianne (User Rank: Apprentice), 3/18/2014 2:52:19 PM
Robin Hood?
Men in Black video clips, huh. So they fancy themselves as Robin Hood types?