Two websites specializing in the sale of stolen credit and debit card information -- including cards lifted from Target stores -- appeared to have been knocked offline Monday after an unknown attacker breached and defaced the sites.
"Hi subhumans and miscreants, your fraud site is gone now. Go away," read a message left Monday on rescator.so and rescator.cm, The Wall Street Journal reported. Part of the Rescator network, the two sites feature Somalia and Cameroon top-level domain names.
The defacement message criticized the sites' users and "regular fraudsters" while offering a shout-out to security journalist Brian Krebs, who was the first to make public the December 2013 Target breach. It also embedded a YouTube music video of Will Smith's "Men In Black," the theme song for the 1997 movie of the same name, about a secret organization charged with protecting the Earth from the scum of the universe.
By Tuesday, however, the sites appeared to be back online. Meanwhile, three other sites in the same network -- octavian.su, rescator.cc, and rescator.co, whose top-level domains respectively refer to the former Soviet Union, Cocos Islands, and Colombia -- appeared to remain online and uninterrupted throughout the interruption.
[Why did Target disregard security warnings? Read Target Ignored Data Breach Alarms.]
The hack followed Rescator's customer database having been stolen and published to the Internet, Krebs reported.
Rescator has been selling stolen card data -- from Target, Neiman Marcus, Sally Beauty Supply, and others -- in batches, marketed under such names as "Beaver Cage," "Desert Strike," "Eagle Claw," and "Krass." The latest batch of credit cards to be offered for sale via the Rescator sites appeared on March 11, dubbed "Great Pompeii." The site accepts payment via wire transfer services such as Western Union and MoneyGram ($500 minimum), e-currency service Perfect Money, or cryptographic currencies such as Bitcoin and Litecoin.
Selling in batches helps prevent the black market from being flooded with stolen-card data, thus undercutting sale prices. Unfortunately for cardholders, that release strategy means that data breach victims -- consumers, not the businesses that lost their data -- might not experience ID theft or related fraud until many months after a breach. According to fraud protection firm Easy Solutions, for example, card data stolen from Target in December 2013 may show up on black-market forums until 2015.
But the owner of the Rescator carder forums (the name "Rescator" appears to have been also used as a person's handle on other underground forums) may have done more than simply created an eBay for fraudsters' stolen card data. Rescator was cited in an IntelCrawler report as being among the buyers of the BlackPOS malware that's designed to infect point-of-sale (POS) systems. In fact, a version of that malware was used to compromise Target.
Furthermore, in January, McAfee Labs reported that the uploader associated with the customized version of BlackPOS that was used to hack Target included the following compiler string: "z:\Projects\Rescator\uploader\Debug\scheck.pdb." Information security researchers at McAfee suggested that was one likely clue as to the "actor behind the campaign."
In related news, Sally Beauty Holdings, a $3.6 billion professional beauty supplies retailer and distributor, said Monday that digital forensic investigators from Verizon have discovered that a recent network breach resulted in the theft of credit and debit card information. As with Target, the breach was first made public by security reporter Brian Krebs, who suggested that as many as 282,000 cards may have been stolen from the company's stores and e-commerce operation, and that the theft appeared to trace to the same crew that hacked Target.
"The Rescator cards stolen from Target were indexed by Target store ZIP code. My suspicion is the same with Sally Beauty," Krebs said via Twitter.
To date, Sally Beauty has confirmed only that attackers stole credit and debit card data for some cardholders who shopped at its retail stores. "We have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed," read a statement released Monday by Sally Beauty.
Track-2 data refers to hidden information encoded in a card's magnetic stripe, which provides an authentication code that a processor can use to verify that the card is physically present. Together with track-1 data -- which includes a cardholder's name, account number, card expiration date, and CVV code -- criminals could create working counterfeit cards loaded with the stolen information.
In a related Q&A, Sally Beauty Holdings suggested that all customers watch their credit and debit statements for signs of fraud.
Sally Beauty also promised to offer regular updates about the breach and to continue working with both Verizon and the US Secret Service. To date, however, it hasn't responded to Krebs's report that up to 282,000 of its customers' credit and debit cards may have been compromised in the breach.
"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation," the company said. "As a result, we will not speculate as to the scope or nature of the data security incident."
Cyber-criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Read our Advanced Attacks Demand New Defenses report today. (Free registration required.)