thewayne: (Cyranose)
Their systems were compromised from late June 2013 to late February 2014. They brought in two security firms to analyze their systems, and neither found anything; subsequent analysis found an attack technique that the two firms had not previously encountered.

This is the second time in three years that they've been hacked; they were previously compromised in 2011.

http://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/
thewayne: (Cyranose)
Big merchants like Target have to get an annual audit that their IT systems are secure for processing credit cards. The level of audit varies, depending on whether or not they store credit card info internally. For example, Amazon stores your credit card so they have a (theoretically) more stringent audit.

Small merchants, like a mom & pop coffee house, don't normally get audited; they just send in a questionnaire to Visa/Mastercard.

The problem is, every merchant that has been hacked had passed the audits. In one case, they were being hacked WHILE BEING AUDITED, and it wasn't noticed.

The issue is that the auditors are not doing a really comprehensive job: they look for some things and miss others, like the merchant who was storing unencrypted credit card info for five years.

And aside from auditors not looking thoroughly or attempting penetration tests, any configuration change, network change, or replacement of the firewall or router on an otherwise compliant and safe network can introduce a host of vulnerabilities.

IT security is a moving target, and there is no easy solution. Visa/MC forcing merchants and vendors to replace their equipment with chip and PIN systems by October 2015 is a step in the right direction, but it's going to be expensive, and the transition itself will bring in a host of vulnerabilities all its own.

http://www.wired.com/threatlevel/2014/03/trustwave-target-audit/
thewayne: (Cyranose)
The number of cards compromised is at least 10x the number reported (fewer than 25,000), according to Brian Krebs. An analysis was done of the zip codes of the stolen cards that are available for sale, and it looks like every Sally Beauty store in the USA was compromised, just like Target.

A similar analysis was done on the Target breach cards, matching the zip codes of the stores with the zip codes listed on the site selling the cards; the selling site listed each card's zip code, and there was a 99%+ correlation between store zip and customer zip. The reason the zip code was included is that the banks didn't want to inconvenience their customers so close to Christmas, so they geo-fenced the cards, meaning that the stolen card info would work only within the customer's home zip code area.

http://krebsonsecurity.com/2014/03/zip-codes-show-extent-of-sally-beauty-breach/
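The zip-code matching described above is simple enough to reproduce on a defender's own data: join the zip codes attached to cards seen on a dump shop against the zip codes of the chain's stores, and the match rate tells you how much of the footprint the dump covers. The following is an added example, not code from the post or from Krebs's analysis; the store list and the card listings are constructed sample data, and the matching logic is one straightforward way to do the comparison, not the method actually used.

```python
"""Estimate a breach footprint from the ZIP codes attached to cards offered for sale.

Added example (not from the original post or from Krebs's analysis). STORE_ZIPS and
CARD_LISTINGS are constructed sample data; a real run would load the chain's store
list and the ZIPs observed on the dump listings.
"""
from collections import Counter

# Constructed sample: ZIP code of each store in the chain, keyed by a store id.
STORE_ZIPS = {
    "store-001": "87501",
    "store-002": "73301",
    "store-003": "60601",
    "store-004": "80202",
    "store-005": "33602",
}

# Constructed sample: (listing id, ZIP) pairs as they would appear on a dump shop.
# c10 carries a ZIP with no store in it: noise, or a card from another source.
CARD_LISTINGS = [
    ("c01", "87501"), ("c02", "87501"), ("c03", "73301"), ("c04", "60601"),
    ("c05", "60601"), ("c06", "80202"), ("c07", "33602"), ("c08", "33602"),
    ("c09", "33602"), ("c10", "90210"),
]


def footprint(store_zips, listings):
    """Return (match_rate, hits_per_store, unmatched_zips).

    match_rate is the fraction of listings whose ZIP contains at least one store;
    hits_per_store counts listings per store (several stores may share a ZIP);
    unmatched_zips counts listings whose ZIP matches no store at all.
    """
    zip_to_stores = {}
    for store_id, zip_code in store_zips.items():
        zip_to_stores.setdefault(zip_code, []).append(store_id)

    hits = Counter()
    unmatched = Counter()
    for _listing_id, zip_code in listings:
        stores = zip_to_stores.get(zip_code)
        if stores:
            for store_id in stores:
                hits[store_id] += 1
        else:
            unmatched[zip_code] += 1

    matched = sum(hits.values()) - 0  # every matched listing counted at least once
    matched_listings = len(listings) - sum(unmatched.values())
    rate = matched_listings / len(listings) if listings else 0.0
    return rate, hits, unmatched


def stores_covered(store_zips, listings):
    """Fraction of the chain's stores that show up at least once in the listings.

    A value near 1.0 is the 'every store was hit' picture the post describes; a
    low value with a high match rate points at a regional or per-store problem.
    """
    _rate, hits, _unmatched = footprint(store_zips, listings)
    return len(hits) / len(store_zips) if store_zips else 0.0


if __name__ == "__main__":
    rate, hits, unmatched = footprint(STORE_ZIPS, CARD_LISTINGS)
    print(f"match rate: {rate:.0%}")
    print(f"stores seen: {stores_covered(STORE_ZIPS, CARD_LISTINGS):.0%}")
    print("unmatched ZIPs:", dict(unmatched))
```

The caveat that goes with the number: the match rate is high precisely because people shop near where their card is billed, so it confirms that the cards came from this chain but cannot separate a chain-wide compromise from one that only hit stores in the ZIPs observed; `stores_covered` is the figure that speaks to breadth.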
thewayne: (Cyranose)
Some interesting stuff. First up, Target. They were hit by a piece of malware called BlackPOS; in this post Brian Krebs interviews two computer security experts who fought BlackPOS at another, unnamed retailer. The story is quite interesting; it's amazingly sophisticated software. For example, the software is equipped with anti-forensic modules. They watched it infect a laptop in their lab, realize that there was no card swipe machine connected to it, then erase itself. In doing so, it deployed the anti-forensic modules and left no trace of itself behind for analysis.

http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retailer


Next, still Target. It would appear that one attack vector was through their HVAC contractor (heating/ventilation/air conditioning). Understandably, they want their HVAC people to be able to remote in to their infrastructure to make adjustments, do updates, etc., to save money and energy. Unfortunately, either the contractor was given far too much permission on the network or the attackers were able to escalate privileges to improve their access. Privilege escalation is a common thing to try: if you're able to get the network access of a peon and escalate the privileges to those of the CEO or head network admin, then you get to have all sorts of fun.

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/


And finally, taxes. In 2012, the US Internal Revenue Service issued $4,000,000,000 in fraudulent refunds to thieves who did some basic identity theft and filed fraudulent returns in people's names, had the refunds sent to different addresses, then disappeared. The solution? File your returns ASAP and get them in before the bad guys do. The thieves need full information to file these fraudulent returns, and probably also need to do some electronic forgery to transmit the supporting documents. And this is the exact level of information stolen from the Experian subsidiary by those Vietnamese hackers who were paying via electronic funds transfers from China.

http://krebsonsecurity.com/2014/02/file-your-taxes-before-the-fraudsters-do/


You can't win, and you can't quit the game. The best solution is to pay cash whenever possible; failing that, pay with a credit card, as they offer you the best electronic theft protection.
thewayne: (Cyranose)
They operate hotels under the Hilton, Marriott, Sheraton, and Westin brands in certain cities; they don't own these chains. Apparently in the case of Marriott, the franchisee must use Marriott's property management system for core operations, and Marriott says that their system is intact, so the breach may have been in other operations on the property like restaurants, guest shops, etc. The company, White Lodging, apparently was compromised from late March through the end of 2013. They operate in Austin, Chicago, Denver, Los Angeles, Louisville, and Tampa. Currently Marriott is the one reported as compromised; the other chains didn't respond to requests for comment before Krebs posted.

A comment on this article mentioned a book about the Gonzalez gang, who perpetrated the TJ Maxx et al. thefts; they also hacked into a manufacturer of point of sale equipment called Micros and stole software and employee IDs, which could explain how the Target POS terminals were compromised to scrape the credit card information before it was encrypted.

http://krebsonsecurity.com/2014/01/hotel-franchise-firm-white-lodging-investigates-breach/

We were discussing the recent hacks at the observatory and talked about going to a cash payment system for local commerce last night. One of Russet's co-workers talked about living in, I think, Chile for a couple of years, and basically most businesses there operate strictly on a cash basis, so she got into the habit and continued doing it once she got home. Russet's problem is that she doesn't like accumulating change from purchases, which is understandable. I have a large tin that holds probably about $300 worth of coinage; it's probably about half full. We're looking at going to Europe next year, and one thing that I've been thinking about is money. With the exception of England/Scotland, we'll be in Belgium, Holland, and probably a couple of other places where I think it's pretty much exclusively Euros. So I guess it'll be traveller's cheques, convert to cash, and hope for the best.
thewayne: (Cyranose)
Turns out Target was using a network management system from BMC Software (a major player in network management) to keep an eye on their infrastructure, and said software had a canned admin account and password, which was very helpful for the attackers.

And it is now believed that everything came in through a SQL injection attack, an attack vector that's been known for years, if not a decade, and that can be defended against.

Interestingly, the article also gives a little more info on the Albert Gonzalez hack; he's the one who stole 160 million cards from TJ Maxx et al. Gonzalez and an associate would travel to stores, identify the make and model of the point of sale terminals, then report back to his hacker crew, who would customize the hack software for that type of POS.

Barnes & Noble took their POS terminals off the counter when they were hacked, but they specifically were targeted through their POS terminals being replaced with hacked counterfeits. Now you have to hand your card to the clerk. The problem is that if the POS terminal is compromised, as it was by the Target memory scraper, it doesn't matter where the terminal is located or who swipes your card: your card has been swiped.

And the FBI just said that it's going to be a growth industry and there's little that can be done to stop it at this time.

Time to start writing checks, where you're vulnerable to compromise at the upstream check processing clearing house (my checking account was compromised this way), or stopping at an ATM before shopping and paying with cash.

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
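The post's point that SQL injection "can be defended against" comes down to one habit: never splice untrusted input into SQL text, always bind it as a parameter. The following is an added example, not code from the post or from any system it mentions; it uses an in-memory SQLite table with constructed rows and shows the vulnerable lookup beside the hardened one, including the case of a legitimate name containing a quote, which breaks the unsafe version even without any attacker.

```python
"""SQL injection: string-built query beside the parameterized one.

Added example (not from the original post or from any of the systems it
mentions). The accounts table and its rows are constructed sample data.
"""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            (1, "alice", "admin"),
            (2, "bob", "user"),
            (3, "carol", "user"),
            (4, "o'brien", "user"),  # a legitimate name containing a quote
        ],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: user input becomes part of the SQL text itself."""
    sql = ("SELECT username FROM accounts WHERE username = '"
           + username + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_breaks_on(conn, username):
    """True if the unsafe lookup cannot even parse the query for this input."""
    try:
        lookup_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal input, unsafe:", lookup_unsafe(db, "bob"))
    print("normal input, safe:  ", lookup_safe(db, "bob"))
    # A tautology in the input turns the unsafe WHERE clause into 'match all'.
    print("tautology, unsafe:   ", lookup_unsafe(db, "' OR '1'='1"))
    print("tautology, safe:     ", lookup_safe(db, "' OR '1'='1"))
    # The quote in a real name is a syntax error for the unsafe path only.
    print("o'brien, safe:       ", lookup_safe(db, "o'brien"))
    print("o'brien breaks unsafe:", unsafe_breaks_on(db, "o'brien"))
```

The bound parameter is handled by the database driver as data, so the same string that rewrites the unsafe query is simply compared against the column in the safe one and matches nothing; the `o'brien` case is the everyday reason to prefer the safe form, and a `sqlite3.OperationalError` on ordinary input is also a cheap signal in logs that somewhere a query is still being built by concatenation.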
thewayne: (Cyranose)
Details are very preliminary and sketchy: it was suspected that both crafting store retailers had been hacked, then it was found out that Michaels bought out Aaron Brothers, so they're really one and the same. I expect the date range of the compromise will probably come out next week, and we'll begin getting a feeling for what the scope of the hack is. Cards are appearing on underworld web sites, and they all trace back to Michaels or Aaron Brothers as the common point.

http://krebsonsecurity.com/2014/01/sources-card-breach-at-michaels-stores/


In other retailer hacking news, Neiman Marcus revealed that they were compromised from the middle of July to the end of October 2013.

I think it's time for me to create a 'Retailer Compromise' tag.

Page generated Jun. 24th, 2025 12:02 am