Attacks/Breaches

4/2/2018
07:50 PM
50%
50%

Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen

The infamous Carbanak/FIN7 cybercrime syndicate breached Saks and Lord & Taylor and is now selling some of the stolen credit card accounts on the Dark Web.

An infamous cybercrime group hacked and purloined some 5 million credit card numbers from Hudson's Bay brands Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor in a massive retail data breach disclosed over the weekend.

In a Sunday advertisement on the Dark Web, 125,000 of the stolen credit card accounts were offered for sale on the Dark Web. The breach was first disclosed in a blog post by security analysts at Gemini Advisory, revealing that the entire network of Lord & Taylor stores, 83 Saks Fifth Avenue stores, and an unknown number of Saks Off Fifth stores were compromised by malware that breached the point-of-sale system in each location.

"The length of the breach says a lot about the methodology," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. He explains that the breach, which Gemini Advisory says occurred from May 2017 until the time of the announcement, is characteristic of an attack that compromises the PoS and captures credit-card transaction data and metadata, exfiltrating the data over time.

This long-term compromise of the PoS system is also a characteristic of the Carbanak cybercrime gang aka JokerStash aka FIN7, based on their previous attacks. It's the same cybercrime gang behind breaches at Whole Foods, Chipotle, and Jason's Deli (among other hospitality companies), and typically employs the long-lasting data skim method.

 

"With thousands of devices spread across hundreds of stores, it can be very difficult for retailers to secure their entire networks. All it takes is for one point-of-sale device or router to be left un-patched for an entire company to be compromised," Peter Martini, president and co-founder of iboss, said in a statement.

While no details have been released on precisely how many PoS terminals were compromised, Gemini Advisory says that the majority of credit cards affected were used in New York and New Jersey stores. And some experts see that limited geography as a tool in figuring out how long the attack has been in operation.

"While locale-specific attacks like these aren't uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection," says Terry Ray, CTO of Imperva.

According to Ray, multiplying known factors such as number of locations, average number of customers per day, and number of customers using credit cards lead to the conclusion that this malware infection could have been present for as many as 500 days.

Faster Response

The duration of the attack is something that a number of analysts have targeted as an example of an area of enterprise security that organizations should work to improve.

"People need to understand that breaches will happen. It's flawed to think that a prevention system alone will be so strong that you never have to deal with detection inside the network," says Juniper's Hahad. He says that deficiencies in detection can lead to the worst sort of situation for a company, in which a third party recognizes and alerts you to the existence of a compromise.

Announcement of the breach comes on the heels of the announced arrest of the gang's leader in Spain. While some in law enforcement had hope that the arrest of the yet-unnamed individual might lead to a pause or slowdown in the Carbanak group's activity, the advertised sale of credit card numbers would seem to indicate just the opposite.

In a statement posted online, Saks Fifth Avenue says that the owners of any credit card numbers impacted by the breach will be notified and offered free credit reporting services.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.