Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.
This phony reloadable rewards card conceals stolen credit card data written to a barcode. The barcode and other card data printed on the card have been obfuscated. Image: U.S. Secret Service.
Earlier this month, the Secret Service documented a recent fraud incident in Texas involving a counterfeit club membership card containing a barcode, and a card expiration date and CVV printed below the barcode.
“Located underneath the barcode are instructions to the cashier on the steps necessary to complete the transaction,” reads an alert the Secret Service sent to law enforcement agencies. “They instruct the cashier to select card payment, scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number.”
The instructions on the phony rewards card are designed to make the cashier think it’s a payment alternative intended for use exclusively at Sam’s Club and WalMart stores. When the transaction goes through, it’s recorded as a card-not-present purchase.
“This appears to be an evolution of the traditional card-not-present fraud, and early indications are linking this type of activity to criminal organizations of Asian descent,” the Secret Service memo observed.
“As a result of this emerging trend, instead of finding a large number of re-encoded credit cards during a search, a subject may only possess stickers or cards with barcodes that contain stolen card data,” the alert continues. “Additionally, the barcodes could be stored on the subject’s cell phone. If barcodes are discovered in the field, it could be beneficial to utilize a barcode scanning app to check the barcode for credit card data.”
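The alert’s suggestion of checking a discovered barcode for card data can be automated: the following is an added example (not part of the Secret Service alert or the Krebs post) that scans a decoded barcode payload for digit runs that pass the Luhn check and match a public card-brand prefix, reporting only brand and last four digits. The sample payloads are constructed; the brand prefix rules are the public IIN ranges for the major networks.

```python
import re

# A candidate PAN: 13-19 digits, optionally split by single spaces or dashes,
# and not a fragment of a longer digit run (so a 20-digit loyalty number is not
# partially matched as a card number).
_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")

# Public IIN prefix and length rules for the major brands.
_BRANDS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3}){0,2}$")),
    ("Mastercard", re.compile(
        r"^(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^(?:6011|65\d{2}|64[4-9]\d)\d{12}$")),
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Name the card network from the public prefix rules, or 'Unknown'."""
    for name, pattern in _BRANDS:
        if pattern.match(pan):
            return name
    return "Unknown"


def find_card_numbers(payload: str) -> list[tuple[str, str]]:
    """Scan a decoded barcode payload and return (brand, last4) for each Luhn-valid PAN.

    Only the last four digits are kept so the result can be logged or passed on
    without re-exposing the full card number."""
    hits = []
    for m in _CANDIDATE.finditer(payload):
        pan = re.sub(r"\D", "", m.group())
        if luhn_valid(pan):
            hits.append((brand_of(pan), pan[-4:]))
    return hits


if __name__ == "__main__":
    # Constructed payloads: a UPC-style product code, a rewards id, and two
    # barcodes carrying industry test card numbers.
    for sample in ("036000291452", "SMOOTHIE-REWARDS-0001",
                   "4111111111111111", "MEMBER 5500 0000 0000 0004"):
        print(repr(sample), "->", find_card_numbers(sample))
```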
*** This is a Security Bloggers Network syndicated blog from Krebs on Security authored by BrianKrebs. Read the original post at: https://krebsonsecurity.com/2020/02/encoding-stolen-credit-card-data-on-barcodes/
Consumers love the convenience of paying for goods and services in store with their NFC-enabled smartphones and stored credit cards. This is demonstrated by the fact that you can download retailer-specific apps for your smartphone to pay for everything from coffee, to movie tickets, to poutine.
As more and more retailers embrace this technology and release their own mobile apps with in-store payment options, the threat of fraudsters looking to benefit from flaws in the implementation, or from exploiting the human component, must be carefully considered. The following are a few example Card Not Present (CNP) fraud schemes that retailers who offer in-store purchasing through a store-branded mobile app should be aware of.
In these scenarios, we will use the imaginary retailer Smoothie Shop. Smoothie Shop has a mobile app that allows customers to save their credit card in the app in order to facilitate easy in-store purchases. Consumers log into their Smoothie Shop account using an email address and password. Smoothie Shop has recently seen an increase in CNP fraud and chargebacks, but is unable to pinpoint the root cause.
(Smoothie Shop mobile app login)
CNP Fraud Scheme #1 – Fraudster takes over a Smoothie Shop account that has a Credit Card saved in the app
In this scenario, the fraudster has to take over an existing Smoothie Shop account. This is known in the industry as Account Takeover (ATO) which is explained here.
In this scenario the fraudster has lucked out! Since the account that was taken over by the fraudster already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information and enjoy a refreshing smoothie that was paid for via some other Smoothie Shop customer’s stored credit card.
CNP Fraud Scheme #2 – Fraudster takes over a Smoothie Shop account that does not have a Credit Card saved in the app
Again this scenario requires the fraudster to take over an existing Smoothie Shop account; however, this scenario requires a little more legwork and is less profitable than Fraud Scheme #1 above. Since the Smoothie Shop account that was taken over does not have a credit card saved in the app, the fraudster will instead need to buy a stolen credit card off the Dark Web or some other electronic market*, and then add the freshly purchased credit card to the Smoothie Shop account and app. Once this is done, the fraudster proceeds in-store to obtain smoothies using the stolen credit card.
Why would the fraudster go through the trouble of taking over an existing Smoothie Shop account you ask? Good question! Fraudsters are aware that aged accounts (e.g. accounts more than 3-6 months old) with a good transaction history are usually given more leeway and transactions from these accounts are less closely scrutinized when compared to a brand new account with no transaction history.
*Stolen credit cards can be acquired for as little as $3 or as much as several hundred dollars depending on the credit limit, zip/postal code, issuing bank, etc.
(screenshot from Dark Web Credit Card market)
CNP Fraud Scheme #3 – Fraudster creates a brand new Smoothie Shop account
This scheme doesn’t require taking over an existing account, but instead requires the fraudster to use a bot tool or a human clickfarm to create hundreds of “fake” Smoothie Shop accounts. Once the fraudster has access to multiple Smoothie Shop fake accounts, he can then add in as many stolen credit cards as he pleases in order to make in-store purchases at Smoothie Shop, each one being a unique incident of CNP fraud.
(In-store payment via Smoothie Shop mobile app and stored credit card)
What can Retailers and Consumers do to protect themselves?
Prevention Methods for Retailers
1) Prevent Account Takeover. This is easier said than done. There are many ways to prevent or at least significantly reduce the amount of ATO, such as by eliminating Credential Stuffing. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster and he/she will likely go elsewhere to commit fraud.
2) Maintain control of the Account Creation process. Creation of accounts by bots and scripts can be limited by using a CAPTCHA; however, captchas can be bypassed by fraudsters of mid-level sophistication, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device-level information in order to restrict the number of new accounts that can be created by a single device. There are device farms available for rent, but forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.
3) Ensure your customers are not logging into your site/mobile app with credentials that have been compromised in 3rd party data breaches. This is a NIST recommendation that makes a lot of sense in today’s world of daily breaches. The customers that are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.
4) Build controls around misuse of credit cards in the mobile app. Legitimate customers will likely need to add 1, maybe 2 unique credit cards to their account/device. Any account/device trying to add 3, 4, 5, or more credit cards to an account should be closely inspected and possibly restricted from adding any more. The stored credit card should also be tied to the device, rather than the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier on the device level.
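One way to implement the two controls in point 4 (a per-account and per-device limit on card enrolment, and card tokens bound to the device rather than the account), as an added example that is not code from the original post. Names such as CardVault, the threshold of two cards and the account/device/token values are assumptions; device_id stands for the strong device-level identifier the post says both controls require.

```python
from collections import defaultdict
from enum import Enum

# Assumption: legitimate customers enrol 1, maybe 2 cards, so the third distinct
# card on the same account or the same device is held for review, not stored.
MAX_CARDS = 2


class Decision(Enum):
    ALLOW = "allow"
    REVIEW = "review"   # add refused and queued for risk review


class CardVault:
    """Hypothetical Smoothie Shop card store: tokens are bound to (account, device),
    and card-add velocity is counted both per account and per device."""

    def __init__(self, max_cards: int = MAX_CARDS):
        self.max_cards = max_cards
        self._by_binding = defaultdict(list)   # (account_id, device_id) -> [token]
        self._by_account = defaultdict(set)    # account_id -> {token}
        self._by_device = defaultdict(set)     # device_id -> {token}
        self.flagged = []                      # audit trail of refused adds

    def add_card(self, account_id: str, device_id: str, token: str) -> Decision:
        """token is the payment processor's token for the card, never the PAN.
        device_id is assumed to be a strong, unique device-level identifier."""
        if token in self._by_binding[(account_id, device_id)]:
            return Decision.ALLOW              # same card re-added from the same device
        account_cards = self._by_account[account_id] | {token}
        device_cards = self._by_device[device_id] | {token}
        if len(account_cards) > self.max_cards or len(device_cards) > self.max_cards:
            # Scheme #3 (many fake accounts on one device) trips the device count;
            # a stolen card added to an already-enrolled account trips the account count.
            self.flagged.append((account_id, device_id, token))
            return Decision.REVIEW
        self._by_binding[(account_id, device_id)].append(token)
        self._by_account[account_id].add(token)
        self._by_device[device_id].add(token)
        return Decision.ALLOW

    def stored_cards(self, account_id: str, device_id: str) -> list:
        """Cards offered for in-store payment from this device. A login to the
        same account from an unfamiliar device sees an empty list (Scheme #1)."""
        return list(self._by_binding[(account_id, device_id)])


if __name__ == "__main__":
    vault = CardVault()
    print(vault.add_card("alice", "phone-A", "tok-1"))    # ALLOW
    print(vault.add_card("alice", "phone-A", "tok-2"))    # ALLOW
    print(vault.add_card("alice", "phone-A", "tok-3"))    # REVIEW: third card
    print(vault.stored_cards("alice", "phone-A"))         # ['tok-1', 'tok-2']
    print(vault.stored_cards("alice", "phone-X"))         # []: new device sees nothing
```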
Prevention Methods for Consumers
1) Don’t reuse passwords across multiple sites! – This is the single most important piece of advice consumers should follow. If you reuse the same password across multiple sites, it is no longer a question of if, but rather when you will become a victim of Account Takeover and fraud. Using a Password Manager to create strong and unique passwords will greatly improve your personal security posture.
2) Be mindful of the sites and apps that you enter your username and password into. Many fraudsters are now relying on phishing scam sites that look eerily similar to the real retailer/airline/bank site but are in fact under the control of the fraudster and are meant to harvest credentials in order to commit fraud.
3) Make sure you have a reputable antivirus on your Smartphone and uninstall any apps that are flagged as suspicious or malicious.
4) Use a virtual credit card. Virtual credit cards are now available from a number of organizations. These are beneficial as you can create a single use virtual credit card with a credit limit for a specific retailer. That way if the retailer suffers a data breach, or your account is taken over, your fraud exposure is contained and your real credit card is still secure.
5) Ask the retailer about their security controls and practices, and how they prevent Account Takeover. If they give you a sub-par canned answer, maybe you should think twice before saving your credit card information in their app.
*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Carlos Asuncion. Read the original post at: https://blog.shapesecurity.com/2020/02/13/in-store-payments-via-mobile-apps-can-lead-to-increase-in-card-not-present-cnp-fraud/
If you’re wondering what this seemingly random set of words means, that is how a fresh database of 461,976 payment card records currently on sale on Joker’s Stash, a popular underground card shop on the dark web, has been listed.
Group-IB, a Singapore-based cybersecurity company specialising in preventing cyber attacks, which detected the database, says that over 98% of the cards in this database were issued by Indian banks.
At the moment, the source of this new breach is unknown. The card records were uploaded on the 5th of February, and the total estimated value of the database, according to Group-IB, is USD 4.2 million, at around USD 9 apiece. As of yesterday morning, the details of 16 cards had been sold. Those who buy these cards do so with the intention of committing payment card fraud.
The company says that they have already alerted India’s Computer Emergency Response Team (CERT-In). The Economic Times will update this story as and when we hear from CERT-In on the steps they have taken.
With the sharp rise in digital payments in India and a lack of corresponding rise in awareness of the best practices to use payment cards safely online and offline, the country has become an attractive destination for nefarious elements online.
This newest breach has, according to Group-IB, “exposed card numbers, expiration dates, CVV/CVC codes and, in this case, some additional information such as cardholders’ full name, as well as their emails, phone numbers and addresses.”
This is the second major database of Indian payment card details that Group-IB has detected since October, when 1.3 million credit and debit card records of mostly Indian banks’ customers were uploaded to Joker’s Stash with an estimated underground market value of USD 130 million, in what became “the biggest card database encapsulated in a single file ever uploaded on underground markets at once.”
According to Dmitry Shestakov, the head of Group-IB cybercrime research unit, “In the current case, we are dealing with so-called fullz — they have info on card number, expiration date, CVV/CVC, cardholder name as well as some extra personal info.”
They also say that, unlike the earlier breach, what “distinguishes the new database from its predecessor is the fact that the cards were likely compromised online, this assumption is supported by the set of data offered for sale.”
Shestakov adds “such type of data is likely to have been compromised online — with the use of phishing, malware, or JS-sniffers — while in the previous case, we dealt with card dumps (the information contained in the card magnetic stripe), which can be stolen through the compromise of offline POS terminals, for example.”
The Indonesian National Police in a joint press conference with Interpol earlier today announced the arrest of three Magecart-style Indonesian hackers who had compromised hundreds of international e-commerce websites and stolen payment card details of their online shoppers.
Dubbed ‘Operation Night Fury,’ the investigation was led by Interpol’s ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime.
According to the press conference, all three accused (23, 26, and 35 years old) were arrested last year in December from Jakarta and Yogyakarta and charged with criminal laws related to the data theft, fraud, and unauthorized access.
Just like most of the other widespread Magecart attacks, the modus operandi behind this series of attacks also involved exploiting unpatched vulnerabilities in e-commerce websites powered by Magento and WordPress content management platforms.
Hackers then secretly implanted digital credit card skimming code—also known as web skimming or JS sniffers—on those compromised websites to intercept users’ inputs in real-time and steal their payment card numbers, names, addresses and login details as well.
Though Indonesian police claim these hackers had compromised 12 e-commerce websites, experts at cybersecurity firm Sanguine Security believe the same group is behind the credit card theft at more than 571 online stores.
“These hacks could be attributed because of an odd message that was left in all of the skimming code,” Sanguine Security said.
“‘Success gan’ translates to ‘Success bro’ in Indonesian and has been present for years on all of their skimming infrastructures.”
The police revealed that the suspects used stolen credit cards to buy electronic goods and other luxury items, and then also attempted to resell some of them at a relatively low price through local e-commerce websites in Indonesia.
On an Indonesian news channel, one of the accused even admitted to hacking e-commerce websites and injecting web skimmers since 2017.
Moreover, experts also observed similar cyberattacks linked to the same online infrastructure even after the arrest of the three people, and thus believe that there are more members of this hacking group who are still at large.
Stolen credit card data from Singapore banks is valued higher on the Dark Web than that from other countries because of the robust cyber security measures protecting it and the difficulty in obtaining such data, according to new research from cyber security firm Group-IB.
The Singapore-based firm yesterday said that for cards from the United States, the average price for raw payment card data, which includes credit card number, expiration date, cardholder name and CVV number, is between US$8 (S$11) and US$10 on Dark Web shops.
Source: National Cyber Security – Produced By Gregory Evans
The details of more than 1.3 million credit and debit cards – most of them from India – have been put up for sale on an underground forum.
The database, which has been on the Joker’s Stash carding forum since 28 October, was spotted by […]
View full post on AmIHackerProof.com
In an instance of robbers getting robbed, a large underground store for buying stolen credit card data has been hacked. Cyber-security journalist Brian Krebs has reported that data stored by BriansClub, a dubious website that shares his name, was stolen.
BriansClub hosted more than 26 million credit and debit card records pilfered from online and physical retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.
“Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account,” wrote Krebs.
The cyber-security journalist complains that the fraud website has been piggybacking on his online popularity to carry on their activities, even using his image in one of their ads.
Data accessed by Krebs shows that the black-market website added just 1.7 million card records for sale, and added 2.89 million stolen cards in 2016, 4.9 million cards in 2017 and 9.2 million in 2018. The addition between January and August 2019 was roughly 7.6 million cards.
BriansClub holds approximately £325 million worth of stolen credit cards for sale, according to an analysis by New York-based security intelligence firm Flashpoint.
“All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground,” Krebs wrote.
“There is no honour among thieves,” noted Sam Curry, chief security officer at Cybereason.
“The asymmetry of cyber-conflict is undeniable, and while cybercriminals and nation state attackers probe for holes at their leisure, it’s important to remember that the tables can be turned. Predator can become prey when they are successful enough,” he said.
A new way to use Microsoft Office to spread malware, hackers move fast to leverage another Adobe Flash exploit, and problems with a programmable credit card.
Criminals often try to trick users into infecting themselves by opening a zipped Microsoft Office document attached to an email. The document has a link to a malicious website. Barracuda Networks said this week the latest scam is to disguise that link so it fetches the website not through a web browser but through a file-sharing protocol called Samba. Then malicious code is downloaded. Often it starts with victims getting a message saying something like ‘Your bill is attached.’
One thing you can do is beware of web page links in messages that start with “file://” rather than the expected “http://”.
Barracuda says employees also should be regularly trained and tested to increase their security awareness.
Adobe Flash has long been a favoured way for attackers to get malware onto your computer. You download what’s supposed to be a Flash update or a Flash-based presentation, and instead you’re infected. A new hole was just discovered and patched by Adobe. However, Security Affairs reports that a researcher has discovered the popular ThreadKit exploit kit used by hackers is already now trying to use that exploit.
What can you do? A lot of these exploits are spread through email, so you’ve got to be wary of opening messages with attachments. Savvy criminals may target you, so don’t assume that because a message is from your boss, a friend or a relative it’s valid. Many people disable Flash as a precaution. Those who don’t should make sure their Flash is updated from a reputable site.
Finally, a California company named BrilliantTS has a problem with its Fuze Card, a smart card with a programmable security chip that looks like a credit card. The idea is you program the chip with data from several of your credit cards so you only carry the Fuze Card. However, Ars Technica reports two researchers have discovered a way that uses Bluetooth to impersonate the Android app that loads credit card data onto the smart cards. BrilliantTS says a fix will be released April 19th.
I don’t know if the card can be used in Canada. Your local bank or organization behind credit and debit cards has to approve its use for their processes. But it’s another lesson that there’s no quick fix for any problem in your wallet.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, your Alexa Flash Briefing or wherever else you listen to podcasts. Thanks for listening.
Hackers who attacked the now defunct website of second hand goods store Cash Converters may have access to the account details of thousands of customers.
Usernames, passwords, delivery addresses and potentially partial credit card numbers are among the data believed to have been stolen.
The culprits are said to be holding the information to ransom while the firm works with law enforcement authorities to investigate the incident.
It is not known exactly how many customers were impacted in the hack or when it happened.
Cash Converters operates high street stores where customers can trade items like jewellery and electronics for money.
The affected website, which was put out of action in September 2017 and replaced with an updated version, lets people purchase these products online.
As well as cash trade ins, the company offers small financial loans to its customers.
The data breach is only believed to affect customers of the Perth-founded firm who are based in the UK.
In a breach notification email sent to customers, a Cash Converters spokesman said: ‘Please be reassured that, alongside the relevant authorities, we are investigating this as a matter of urgency and priority.
‘We are also actively implementing measures to ensure that this cannot happen again.
‘Although some details relating to the cybersecurity breach remain confidential while Cash Converters works with the relevant authorities, we will continue to provide as much detail as possible as it becomes available.
‘The current webshop site was independently and thoroughly security tested as part of its development process.
‘We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.
‘Our customers truly are at the heart of everything we do and we are both disappointed and saddened that you have been affected.
‘We apologise for this situation.’
Cash Converters reportedly received an email from hackers claiming to have gained access to the data.
They threatened to release the data if they were not paid, which means anyone who used the old site before September 22 could be at risk.
Customers have been advised to change their passwords, and the firm has forced a reset for all UK webshop users.
Speaking about the breach, Jon Topper, CEO of UK webhosting firm The Scale Factory, said: ‘When migrating away from old solutions it’s important to bear in mind that old digital assets will still be running and available online until such time as they are fully decommissioned.
‘As a result they should still be treated as ‘live’, which means maintaining a good security posture around them, keeping up with patching and so forth.
‘In their customer notification, Cash Converters were quick to point out that the old site was operated by a third party, possibly intending to deflect responsibility for this breach.
‘This definitely won’t fly under General Data Protection Regulation regulations coming into force next year.
‘Companies running server infrastructure that handles customer data should be engaging with experts to review their security posture ahead of that, in order to avoid being slapped with a large fine.’
Busting an international gang of credit card hackers, the cyber wing of Madhya Pradesh Police arrested two people on Monday who are accused of making large-scale online purchases using hacked credit card information. The two accused, both residents of Mumbai, are suspected to be associated with a gang of international cyber criminals run by Pakistani citizen Shaikh Afzal aka Shozi.
Speaking after the arrest of credit card hackers, Superintendent of Police (SP) of State Cyber Cell of Indore unit, Jitendra Singh said that two Indian members of this gang, identified as Ramkumar Pillai and Ramprasad Nadar, were arrested following a complaint made by a bank official from Agar Malwa district.
“We have learnt that Shozi is a native of Lahore and got married only last year. Shozi visits different countries across the world. He was in Uzbekistan when Nadar and Pillai talked to him last time through Skype. We are trying to confirm these details,” the Superintendent of Police said.
The duo purchased hacked credit card details from some websites on the dark web and later paid for the information through Bitcoin. “If this payment is measured in terms of Indian currency, it costs only Rs 500 to Rs 800 to buy details of every credit card,” Singh added.
The gang members bought air tickets and travel packages of Bangkok, Thailand, Dubai, Hong Kong and Malaysia by using this information of hacked credit cards. They also shopped costly items online using the hacked details, said the official.
Singh said the accused also used to send half of the amount they spent by misusing the credit card details to Shozi through secret online methods.
The accused also used to select online e-commerce websites that do not require a one-time password (OTP) to make a purchase, so cardholders would learn of the misuse of their credit cards only after the payment had gone through.
Singh said initial investigation revealed that both the accused have made purchases of about Rs 20 lakh by misusing the details of 17 credit cards so far. However, this figure may go up after further investigation.
He said that the police have been searching for a resident of Jabalpur, who is also learnt to be connected with this gang.