Attacks/Breaches

4/2/2018
07:50 PM
50%
50%

Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen

The infamous Carbanak/FIN7 cybercrime syndicate breached Saks and Lord & Taylor and is now selling some of the stolen credit card accounts on the Dark Web.

An infamous cybercrime group hacked and purloined some 5 million credit card numbers from Hudson's Bay brands Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor in a massive retail data breach disclosed over the weekend.

In a Sunday advertisement on the Dark Web, 125,000 of the stolen credit card accounts were offered for sale on the Dark Web. The breach was first disclosed in a blog post by security analysts at Gemini Advisory, revealing that the entire network of Lord & Taylor stores, 83 Saks Fifth Avenue stores, and an unknown number of Saks Off Fifth stores were compromised by malware that breached the point-of-sale system in each location.

"The length of the breach says a lot about the methodology," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. He explains that the breach, which Gemini Advisory says occurred from May 2017 until the time of the announcement, is characteristic of an attack that compromises the PoS and captures credit-card transaction data and metadata, exfiltrating the data over time.

This long-term compromise of the PoS system is also a characteristic of the Carbanak cybercrime gang aka JokerStash aka FIN7, based on their previous attacks. It's the same cybercrime gang behind breaches at Whole Foods, Chipotle, and Jason's Deli (among other hospitality companies), and typically employs the long-lasting data skim method.

 

"With thousands of devices spread across hundreds of stores, it can be very difficult for retailers to secure their entire networks. All it takes is for one point-of-sale device or router to be left un-patched for an entire company to be compromised," Peter Martini, president and co-founder of iboss, said in a statement.

While no details have been released on precisely how many PoS terminals were compromised, Gemini Advisory says that the majority of credit cards affected were used in New York and New Jersey stores. And some experts see that limited geography as a tool in figuring out how long the attack has been in operation.

"While locale-specific attacks like these aren't uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection," says Terry Ray, CTO of Imperva.

According to Ray, multiplying known factors such as number of locations, average number of customers per day, and number of customers using credit cards lead to the conclusion that this malware infection could have been present for as many as 500 days.

Faster Response

The duration of the attack is something that a number of analysts have targeted as an example of an area of enterprise security that organizations should work to improve.

"People need to understand that breaches will happen. It's flawed to think that a prevention system alone will be so strong that you never have to deal with detection inside the network," says Juniper's Hahad. He says that deficiencies in detection can lead to the worst sort of situation for a company, in which a third party recognizes and alerts you to the existence of a compromise.

Announcement of the breach comes on the heels of the announced arrest of the gang's leader in Spain. While some in law enforcement had hope that the arrest of the yet-unnamed individual might lead to a pause or slowdown in the Carbanak group's activity, the advertised sale of credit card numbers would seem to indicate just the opposite.

In a statement posted online, Saks Fifth Avenue says that the owners of any credit card numbers impacted by the breach will be notified and offered free credit reporting services.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6504
PUBLISHED: 2018-09-20
A potential Cross-Site Request Forgery (CSRF) vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Cross-Site Request Forgery (CSRF).
CVE-2018-6505
PUBLISHED: 2018-09-20
A potential Unauthenticated File Download vulnerability has been identified in ArcSight Management Center (ArcMC) in all versions prior to 2.81. This vulnerability could be exploited to allow for Unauthenticated File Downloads.
CVE-2018-14796
PUBLISHED: 2018-09-20
Tec4Data SmartCooler, all versions prior to firmware 180806, the device responds to a remote unauthenticated reboot command that may be used to perform a denial of service attack.
CVE-2018-14821
PUBLISHED: 2018-09-20
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to r...
CVE-2018-14827
PUBLISHED: 2018-09-20
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.