All posts by Buster5252

Magecart Credit Card Skimmer – Gen 2

Magecart is a major (virtual) credit card skimming attack that has taken down the likes of British Airways and Ticket Master, among tens of thousands of other sites.  It works by inserting malicious software into the web server that grabs the customer’s credit card info as they enter it onto the web page.  This can be done by exploiting an unpatched vulnerability on the web site, by compromising an admin’s credentials, or by other methods.

Of course, web sites might be able to detect that malicious software has invaded its turf, so the hackers evolve.

Enter Magecart Generation 2.

Well, this is not literally true.  This new software isn’t based on the Magecart code, but rather on the Magecart concept.

More than likely, the dirty work of stealing the card data is actually done on the customer’s machine, inside the browser, with code downloaded from the infected server.  Because the data, possibly bound for North Korea, leaves from a consumer’s computer, which has almost no security, no logging, no auditing and no alerting, the odds of detecting it before the credit card is used fraudulently are very low.

Gen 2 is called Pipka and one of its neat features (if you are a bad guy) is that it deletes itself from the web page’s code after it has done its dirty work, to make detection and even forensics much harder.

Pipka was discovered by Visa’s anti-fraud team.

They found it on the web server of an American merchant that had been infected with a different bit of malicious credit card skimming code called Inter.  People don’t learn.

In addition to this patient 0, Visa found the code on 16 more merchant sites.  How many more sites are infected?  Unknown.

Since this is an evolution (hence my calling it Gen 2), it is more sophisticated.  The hacker can choose which fields of the website’s payment form to capture; that data is encrypted and stored in a cookie (after all, a credit card number is only 16 characters, and in less than 100-200 characters you can have everything you need).

Since cookies fly around the Internet all the time and are often encrypted, they would fly under the radar.

As I said before, when the dirty work is done, it deletes itself, making it difficult for developers and investigators to find.

Of course, once a server is infected, the Visa investigators will eventually track the stolen cards back to your infected server, and that is when all hell will break loose.

In British Airways’ case, the FINE ALONE – never mind the mitigation, the reputation damage, the credit monitoring services, etc. – cost them $230 million.

All because they didn’t have controls in place to detect this malicious code.  Because their security was not up to the job.
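One such control, as an added example that is not from the post and not the code of Visa’s team or any product: inventory the scripts a checkout page actually serves and diff them against a known-good baseline, so an injected or altered script stands out, and turn that baseline into a Content-Security-Policy script-src directive so the browser refuses anything outside it.  The shop page, the CDN hostnames and the inserted scripts are constructed for the example (the inserted scripts are deliberately inert; the check only cares that they are not in the baseline).  Standard library only.

```python
"""Added example (not from the post): inventory the scripts a checkout page
actually serves and diff them against a known-good baseline, so an injected
skimmer script shows up as an unexpected entry. Standard library only."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= attributes
        self.inline = []        # bodies of inline <script> elements
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def inline_hash(body):
    """CSP-style hash source ('sha256-<base64>') of an inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inventory(html):
    """Return the set of external script URLs and inline script hashes."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {
        "external": set(parser.external),
        "inline": {inline_hash(body) for body in parser.inline},
    }


def diff_against_baseline(html, baseline):
    """Anything added or removed relative to the baseline is a finding:
    an added script is the Magecart case, a removed one may be tampering too."""
    current = inventory(html)
    return {
        "new_external": sorted(current["external"] - baseline["external"]),
        "missing_external": sorted(baseline["external"] - current["external"]),
        "new_inline": sorted(current["inline"] - baseline["inline"]),
        "missing_inline": sorted(baseline["inline"] - current["inline"]),
    }


def csp_script_src(baseline):
    """Turn the baseline into a Content-Security-Policy script-src directive:
    only the listed origins and exact inline hashes may execute."""
    sources = set()
    for src in baseline["external"]:
        parts = urlsplit(src)
        # relative URLs are served by the site itself
        sources.add(f"{parts.scheme}://{parts.netloc}" if parts.netloc else "'self'")
    sources.update(f"'{h}'" for h in baseline["inline"])
    return "script-src " + " ".join(sorted(sources))


# Constructed sample pages (hypothetical shop, hypothetical CDN hostnames).
BASELINE_HTML = """<html><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.com/analytics.js"></script>
<script>window.shopReady = true;</script>
</body></html>"""

# Same page after an unexpected inline script and an unknown third-party
# script were inserted (contents deliberately inert; only their presence matters).
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    "<script>/* constructed: not in baseline */window.__x = 1;</script>"
    "<script src=\"https://unknown-cdn.example/pay.js\"></script></body>",
)

BASELINE = inventory(BASELINE_HTML)


def main():
    print(csp_script_src(BASELINE))
    for key, value in diff_against_baseline(TAMPERED_HTML, BASELINE).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it periodically against the live checkout page (fetching is left out so the example runs offline) and alert on any non-empty diff; the baseline must be re-captured whenever a legitimate deployment changes the page’s scripts, otherwise every release looks like an incident.  The CSP directive is the preventive half: with only exact hashes and known origins allowed, a script that appears in the page but is not in the baseline does not run, whether or not it later deletes itself.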

A lot of the sites that have been infected with Magecart are small.  Museum gift shops, for example.  A few very well known brands.

If you accept credit cards online, it is up to you to protect yourself.  Deal with it now or deal with it later.  It tends to be a bit more expensive to deal with it later.  Just sayin’.

Or wind up on the news.  Source: CSOOnline


“Smart Cities” Need to be Secure Cities Too

For hundreds of years, government has been the domain of the quill pen and parchment or whatever followed on from that.

But now, cities want to join the digital revolution to make life easier for their citizens and save money.

However, as we have seen, that has not always worked out so well.

Atlanta recently was hit by a ransomware attack – just one example out of hundreds.  It appears that was facilitated by the city’s choice to not spend money on IT and IT security.  Now they are planning on spending about $18 million to fix the mess.  Atlanta can afford that, smaller towns cannot.

We are hearing of hundreds of towns and cities getting hit by hackers – encrypting data, shutting down services and causing mayhem.  In Atlanta, for example, the buying and selling of homes and businesses was shut down for weeks because the recorder could not reliably tell lenders how much was owed on a property being sold or record liens on property being purchased.

But what if, instead of not being able to pay your water bill, not having any telephones working in city hall or not being able to do things on the city’s web site – what if instead, the city owned water delivery system stopped working because the control system was hacked and the water was contaminated?  Or, what if, all of the traffic lights went green in all directions?  Or red?  What if the police lost access to all of the digital evidence for crimes and all of the people being charged had to be set free?  You get the general idea.

As cities and towns, big and small, go digital, they will need to upgrade their security capabilities or run the risk of being attacked.  Asking a vendor to fill out a form about their security and then checking the box that says it’s secure does not cut it.  Not testing software for security bugs, both before the city buys it and periodically afterwards, doesn’t work either.  We are already seeing that problem with city web sites that collect credit cards being hacked, costing customers (residents) millions.  Not understanding how to configure systems for security and privacy doesn’t cut it either.

Of course the vendors don’t care because cities are not requiring vendors to warrant that their systems are secure or to provide service level agreements for downtime.  I promise that if the vendor is required to sign a contract that says that if their software is hacked and it costs the city $X million to deal with it, then the vendor gets to pay for that, vendors will change their tune.  Or buy a lot of insurance.  In either case, the city’s taxpayers aren’t left to foot the bill, although the other issues are still a problem.  We have already seen information permanently lost.  Depending on what that information is, that could get expensive for the city.

In most states governments have some level of immunity, but that immunity isn’t complete and even if you can’t sue the government, you can vote them out of office – something politicians are not fond of.

As hackers become more experienced at hacking cities, they will likely do more damage, escalating the spiral.

For cities, the answer is simple but not free.  The price of entering the digital age includes the cost of ensuring the security AND PRIVACY of the data that their citizens entrust to them as well as the security and safety of those same citizens.

When people die because a city did not do appropriate security testing, lawsuits will happen, people will get fired and politicians will lose their jobs.  Hopefully it won’t take that to get a city’s attention.

Source: Helpnet Security

Not a Great Day for One Law Firm, Its Vendor and its Clients

I wrote a while back about hackers that had compromised a law firm and its customer Hiscox insurance – or said differently Hiscox and its vendor.  The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).

A lot of law firms (certainly not all) have not figured out that they are a high value target for hackers because of all of the customer data that they have.

The hackers broke into the law firm and stole tens of thousands of claims documents and emails.  Stuff that Hiscox’s clients probably did not want to be public.

Then the hackers tried to extort Hiscox and the law firm.

Apparently that didn’t work.

The hackers had distributed three encrypted blobs after the extortion became public a couple of months ago.

Now the hackers have released another encryption key.  This time it exposed about 8,000 emails – about 5 gigabytes of stuff.  That means a lot of attachments, otherwise 8,000 emails would be a lot smaller.

Since the hackers are dribbling out these encryption keys they may be still trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for them.

Hiscox’s story was “it wasn’t us”, meaning that the hackers didn’t break into the insurance carrier, but, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox; if Hiscox gave them to someone else, that is Hiscox’s problem, not theirs.  And, I think, the courts are likely to agree.

And, Hiscox added, once they learned about the breach, they informed the policy holders.

I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.

Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims.  I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.

Okay, so what is the implication to you?

At all levels here, we are talking about vendor cyber risk management (VCRM): between Hiscox’s clients and Hiscox, and between Hiscox and its vendors.  There will be lawsuits over that.

The second issue is the security at the law firm.  Apparently not so good.  How good is the security at the law firm that you use?  Even though you might be able to sue them after a breach, that doesn’t really solve the problem.

Now there is a big mess.  Who gets to pay for the cleanup?  Look at the agreements that everyone signed.  My guess is that the law firm wrote something in the contract that said they were not responsible.  Assuming Hiscox accepted such language.

Did the law firm have cyber risk insurance?  If not, can they write a check for $10 or $100 million out of their checking account?  If not, they file for bankruptcy and walk away, leaving the customer holding the bag.

YOU, as the customer, need to make sure that everyone has their ducks in a row.  To quote a sign I saw yesterday:

     I don’t have ducks
     I don’t have a row
     I have squirrels
     And they are drunk


Information for this post came from Motherboard.



The Cost of Cyber Breaches

In case you were one of those who thought that there was no real cost to cyber breaches, you might want to ask Yahoo CEO Marissa Mayer and GC Ron Bell about that.

The Yahoo Board has decided not to award Mayer, CEO of Yahoo during all of the recent breaches and renegotiated Verizon deal, any cash bonus at all.  Exactly how much that is was not disclosed, but surely it was in the millions.

In addition to that, the Board voted not to give her an equity bonus (AKA stock or options).  The minimum value of that, according to CNN, was $12,000,000.00.

Granted, Mayer’s net worth is estimated at around $300 million according to Google, but no one wants to walk away from $10-$20 million.

In addition, Yahoo General Counsel Ron Bell has “resigned”.  According to the company, Yahoo did not make any “payments” to him in exchange for his leaving.

Yahoo’s Board said that the GC had sufficient information to warrant substantial further inquiry in 2014 – two years before the breaches were publicly announced.

In other Yahoo news, Yahoo released its 10-K and said that it recorded a charge of $16 million in 2016 related to the breach.  Given that the announcement of the breaches came late in the year (mid December for the big breach), maybe a number that small makes sense.  It will be much more interesting to hear how much they will spend in 2017, 2018 and 2019.

In addition, in that same 10-K, Yahoo said that it did not have any cyber breach insurance.  Seriously?  You’ve GOT to be kidding.

In many cases of a breach, the stock price dives and then rebounds for the most part so investors are not hurt, but in this case, the investors, too, were hurt.

First, the sale price was reduced by $350 million and the sale has been delayed for a year.  Second, Yahoo gets to pay 50% of most of the breach costs and lastly, Yahoo gets to foot the entire bill for the SEC investigation and fines and any shareholder suits.

How many other people at Yahoo were also sacrificial lambs will likely never be known.

Information for this post came from Venture Beat and Variety.

Expect Dramatic Fraud Increase This Year in Virtual World

If the US is anything like Europe, you can expect that “Card Not Present” or CNP fraud will increase significantly in 2016.

We will have to wait and see, but some things are likely.

  1. Chip and signature – the alternative to chip and PIN that most US banks and almost no international banks chose – will do nothing to protect against stolen credit cards.  Of course, you cannot steal a credit card from half way around the world, so this type of attack only works if you are near the victim.  AND, the victim is much more likely to notice that their wallet has been stolen and cancel the card, so my guess is that this is not going to be a significant source of fraud in 2016.
  2. Service providers (anything from Uber to Etsy to Amazon) who match buyers and sellers are likely to see a significant rise in fraud.  Online marketplaces such as Uber never see the customer and the representative (like the Uber driver) never sees the credit card.  Even service providers like AirBnB, where someone may talk to you, don’t have any information about the credit card used and likely do not ask you for ID.  Even if they do, that ID could easily be fake.
  3. Even online product providers like Amazon are likely to see increases in attempted fraud.  The fraudsters hire mules to provide their addresses and then get the products from the mules some other way, including via reshipping.  If the mule gets caught, they don’t know very much about the fraudsters’ operation.

Merchants not only lose the amount of the fraudulent transaction, but also the cost of dealing with the fraud.  According to Lexis-Nexis, merchants spend over $3.00 for every $1.00 in fraudulent transactions.

According to Lexis-Nexis, fraud as a percentage of revenue for all merchants, increased from 0.51% to 0.68% between 2013 and 2014.  For merchants accepting payments via mobile (phones) the fraud rate went up from 0.8% to 1.36% – more than a 50% increase.  I guess we know one place where fraudsters are going.

A couple more interesting stats from Lexis-Nexis.  Merchants say that the number of prevented fraudulent transactions is up by more than 60% – meaning that the card services are doing a good job of detecting fraud, but the number of successful fraudulent transactions is also up – by around 45%.  Merchants say that the dollar value of fraudulent transactions that are caught is equal to fraudulent transactions that are successful.  Said a different way, by dollar value, only 50% of the credit card fraud is caught.

What is clear to me is that trying to get solid data is very hard.  For example, in the Lexis-Nexis report, it says that merchants say that credit card fraud is down, but Lexis-Nexis says this is because merchants are accepting more payment types and that this is not a real decline – the fraud is spread across more channels.

This means that merchants need to continue to up their game in fraud detection.  The Dark Reading article has several suggestions of things that merchants can do.  The goal, of course, is to do as much as you can without scaring off the consumer.  Jumio uses the camera in your phone to compare ID documents against a live image of the buyer to reduce fraud.  While this is NOT an example of something that happens behind the scenes, companies like AirBnB are using it with minimal customer pushback.  This is likely true because the average AirBnB customer only does a couple of transactions a year.  But, I am sure, the crooks will also learn to improve their techniques.  For example, if you compare a buyer’s actual face to a driver’s license, how do you know that the picture on the driver’s license is real?  Still, you do have a picture of the fraudster and that can’t be all bad.

Businesses that accept credit cards will be fighting a cat and mouse game with fraudsters for the foreseeable future – they just need to make sure they don’t let their guard down.

Information for this post came from Dark Reading and Lexis-Nexis.

The Law Of Expected Consequences – China Reacts To CISA

In the last weeks of the year, Congress did what Congress does and took a controversial bill, CISA, which experts say expands government spying on citizens in the name of protecting them, and stuck it inside a must pass bill – in this case the omnibus spending bill – at the last minute.

Since Congress has been unable to muster the votes to pass this bill as a standalone bill for several years, this seemed like an expedient way for Congress to get it passed.  And, while it worked, as many people predicted, it has already had unintended consequences.

China has announced that since it is now OK for the U.S. government to increase the level of spying on Internet traffic, China will do the same.

The draft legislation would require companies to install “back doors” or hand over encryption keys to the Chinese government.  Not only that, but they would be required to hand over user information to the Chinese government as well.  In the name of countering terrorism.

This includes financial institutions and manufacturing companies.

China actually said that they looked at U.S. law, along with other countries, when drafting this legislation.

Of course the recent announcement that the NSA may have been bugging Juniper routers for years likely did not make the Chinese any happier.

Apparently, things move a little quicker in China than in the U.S. – China, on the same day that the draft legislation was proposed, passed that legislation into law.  Among other things, that law requires that ISPs and telecom providers “shall provide technical interfaces, decryption and other technical support and assistance to public security and state security agencies”.

Now we have to see what China actually demands.

The challenge is that for many companies, China is a significant market and walking away from China will cost them money.  On the other hand, if they do not turn over their encryption keys, they could see their sites blocked by The Great Firewall.

It looks like the Cold War is heating up – this time in cyber space.  Other countries, such as France and England, are considering similar laws.  Will every country now demand the encryption keys from every company?

If so, I give it about a week before those keys are leaked to the hacker community.

Companies will be forced to make hard decisions.  Do we allow governments across the globe to paw through our users’ traffic, or do we stop doing business in certain countries?

And, from the user’s standpoint, they now have total plausible deniability for any cyber crime that they are charged with.  “Your Honor, as you already know, the French, English, Chinese, U.S. and other governments all have my encryption keys.  Given that, and the fact that, at least, the U.S. Government has a bad track record for keeping keys secret – after all, we just have to look as far as the TSA and OPM to see that – it is likely that hackers have my keys as well.  Since I have no ability to control who has my keys, it is just as likely that a hacker in China committed this crime.  While I don’t have the resources to prove this, you cannot deny this is possible.  I submit that the government cannot, beyond a reasonable doubt, prove that it was me who did this.  I request that the charges against me be dropped.”  This may seem far-fetched, but it isn’t.

This has certainly NOT played out yet – stay tuned.

Information for this post came from SC Magazine.

There is another article in SC Magazine with an update.