Dark Reading is part of the Informa Tech Division of Informa PLC



Attackers Hit Clearinghouse Selling Stolen Target Data

Hackers interrupt and deface sites of black-market forums selling credit card data stolen from Target and other retailers.


Two websites specializing in the sale of stolen credit and debit card information -- including cards lifted from Target stores -- appeared to have been knocked offline Monday after an unknown attacker breached and defaced the sites.

"Hi subhumans and miscreants, your fraud site is gone now. Go away," read a message left Monday on rescator.so and rescator.cm, The Wall Street Journal reported. Both sites are part of the Rescator network; their .so and .cm top-level domains belong to Somalia and Cameroon respectively.

The defacement message criticized the sites' users and "regular fraudsters" while offering a shout-out to security journalist Brian Krebs, who was the first to make public the December 2013 Target breach. It also embedded a YouTube music video of Will Smith's "Men In Black," the theme song for the 1997 movie of the same name, about a secret organization charged with protecting the Earth from the scum of the universe.

By Tuesday, however, the sites appeared to be back online. Meanwhile, three other sites in the same network -- octavian.su, rescator.cc, and rescator.co, whose top-level domains respectively belong to the former Soviet Union, the Cocos Islands, and Colombia -- appeared to stay online and unaffected throughout.


The defacement followed the theft and online publication of Rescator's own customer database, Krebs reported.

Rescator has been selling stolen card data -- from Target, Neiman Marcus, Sally Beauty Supply, and others -- in batches, marketed under such names as "Beaver Cage," "Desert Strike," "Eagle Claw," and "Krass." The latest batch of credit cards to be offered for sale via the Rescator sites appeared on March 11, dubbed "Great Pompeii." The site accepts payment via wire transfer services such as Western Union and MoneyGram ($500 minimum), the e-currency service Perfect Money, or cryptocurrencies such as Bitcoin and Litecoin.

Selling in batches keeps the black market from being flooded with stolen-card data, which would undercut sale prices. Unfortunately for cardholders, that release strategy means that data breach victims -- the consumers, not the businesses that lost their data -- might not see fraud on their accounts until many months after a breach. According to fraud protection firm Easy Solutions, for example, card data stolen from Target in December 2013 may keep surfacing on black-market forums into 2015.

But the owner of the Rescator carder forums (the name "Rescator" also appears to have been used as a person's handle on other underground forums) may have done more than simply create an eBay for fraudsters' stolen card data. Rescator was cited in an IntelCrawler report as being among the buyers of the BlackPOS malware, which is designed to infect point-of-sale (POS) systems and scrape card data from their memory. A version of that malware was used to compromise Target.

Furthermore, in January, McAfee Labs reported that the uploader component associated with the customized BlackPOS build used against Target carried the debug symbol path "z:\Projects\Rescator\uploader\Debug\scheck.pdb," a string the linker embeds in a binary to point at the build's PDB file. McAfee's researchers suggested that was one likely clue as to the "actor behind the campaign." Such paths mirror whatever the build machine's directory layout was and can be set to anything, so they are a lead to corroborate rather than proof on their own.
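To show what such a string looks like inside a binary and what travels with it, here is an added Python example (not code from the article or from McAfee) that carves CodeView RSDS debug records out of raw bytes. That record is where the linker stores the PDB path, together with a GUID and an "age" that identify the exact PDB. The sample bytes are constructed for this example and simply embed the path quoted above; the record layout follows the documented RSDS format, and names such as `find_pdb_records` and `PdbRecord` are the example's own.

```python
"""Find CodeView RSDS debug records, the structure that carries a PE file's PDB path.

Added example, not code from the article or from McAfee. The record layout is the
documented RSDS format ('RSDS' signature, 16-byte GUID, 4-byte age, NUL-terminated
path); SAMPLE_BINARY is constructed for the example and embeds the path quoted in the text.
"""
import re
import struct
import uuid
from dataclasses import dataclass
from typing import List

# A loose carve, good enough to triage a memory dump or an unpacked sample. Walking the
# PE debug directory (IMAGE_DEBUG_TYPE_CODEVIEW) is the authoritative way to find the record.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00", re.DOTALL
)


@dataclass
class PdbRecord:
    offset: int     # byte offset of the RSDS signature in the scanned buffer
    guid: str       # PDB signature GUID, canonical text form
    age: int        # bumped each time the linker rewrites the PDB
    path: str       # build-machine path to the .pdb, as left by the developer's toolchain

    @property
    def symsrv_key(self) -> str:
        """GUID (32 upper-case hex digits) + age in hex: the key a symbol store files the PDB under."""
        return f"{self.guid.replace('-', '').upper()}{self.age:X}"


def find_pdb_records(buf: bytes) -> List[PdbRecord]:
    """Return every RSDS record found in buf, in file order."""
    records: List[PdbRecord] = []
    for m in RSDS_RE.finditer(buf):
        guid = str(uuid.UUID(bytes_le=m["guid"]))   # stored in Windows little-endian GUID layout
        age = struct.unpack("<I", m["age"])[0]
        records.append(PdbRecord(m.start(), guid, age, m["path"].decode("ascii")))
    return records


# Constructed stand-in for a binary: a few bytes of filler, then one RSDS record.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"z:\\Projects\\Rescator\\uploader\\Debug\\scheck.pdb\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for rec in find_pdb_records(SAMPLE_BINARY):
        print(f"@{rec.offset:#x} pdb={rec.path} guid={rec.guid} age={rec.age} key={rec.symsrv_key}")
```

The path alone is what `strings` would show; the GUID and age are what let an analyst pivot. Two samples built from the same PDB share the same symbol-store key even if the path differs, whereas the path reflects the developer's drive layout and can be set to anything, so it is a lead to corroborate, not an attribution.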

In related news, Sally Beauty Holdings, a $3.6 billion professional beauty supplies retailer and distributor, said Monday that digital forensic investigators from Verizon have discovered that a recent network breach resulted in the theft of credit and debit card information. As with Target, the breach was first made public by security reporter Brian Krebs, who suggested that as many as 282,000 cards may have been stolen from the company's stores and e-commerce operation, and that the theft appeared to trace to the same crew that hacked Target.

"The Rescator cards stolen from Target were indexed by Target store ZIP code. My suspicion is the same with Sally Beauty," Krebs said via Twitter.

To date, Sally Beauty has confirmed only that attackers stole credit and debit card data for some cardholders who shopped at its retail stores. "We have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed," read a statement released Monday by Sally Beauty.

Track-2 data is what is encoded on a payment card's magnetic stripe: the primary account number, the expiration date, a three-digit service code, and issuer "discretionary data" that normally carries a card verification value (CVV1/CVC1, distinct from the CVV2 printed on the card), which the issuer's processor checks to confirm that a physical card was swiped. Track-1 data holds the same fields plus the cardholder's name. Because a stripe can be re-encoded onto a blank card, either track is enough for criminals to produce working counterfeit cards for in-store use, which is why stolen track data supports fraud that stolen card numbers alone do not.
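As an added example (not code from the article, from Sally Beauty, or from Verizon), the following Python parses track 1 and track 2 records in the layout described above and scans a raw buffer for them, discarding candidates whose account number fails the Luhn check. That scan is what a POS RAM scraper such as BlackPOS performs to harvest cards, and it is also how a forensic examiner confirms that a memory image or a log contains track data. The buffer is constructed for the example and uses published test card numbers; names such as `find_track_data` and `TrackRecord` are the example's own.

```python
"""Parse and locate ISO/IEC 7813 magnetic-stripe track 1 / track 2 records.

Added example, not code from the article or from any party it names. SAMPLE_MEMORY
is constructed and uses well-known test PANs; the regexes follow the ISO/IEC 7813
track layouts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


@dataclass
class TrackRecord:
    track: int
    pan: str
    expiry: str            # YYMM as encoded on the stripe
    service_code: str
    name: Optional[str]    # track 1 only
    discretionary: str     # issuer data; normally holds CVV1/CVC1 (not the printed CVV2)

    @property
    def masked_pan(self) -> str:
        """First six and last four digits, the form safe to put in a report or a log."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    @property
    def chip_card(self) -> bool:
        # Service code first digit 2 or 6 means an IC (EMV chip) is present; a magstripe
        # clone of such a card has to run as a fallback transaction, which is a fraud signal.
        return self.service_code[0] in ("2", "6")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(buf: bytes) -> List[TrackRecord]:
    """Scan a raw buffer (process memory dump, capture, log) for Luhn-valid track records."""
    text = buf.decode("latin-1")   # one byte -> one char, so nothing is dropped or merged
    found: List[TrackRecord] = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m["pan"]):
            found.append(TrackRecord(1, m["pan"], m["exp"], m["svc"], m["name"], m["disc"]))
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m["pan"]):
            found.append(TrackRecord(2, m["pan"], m["exp"], m["svc"], None, m["disc"]))
    return found


# Constructed memory fragment: a track 1 + track 2 pair for a test PAN, a chip-card track 2,
# and a decoy that fails the Luhn check, all surrounded by unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POS v3.1 swipe ok\r\n"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?\n"
    b";4111111111111111=25121011234567890?\x00\x00"
    b"\xff\xfe;5500000000000004=26012011230045678?"
    b";4111111111111112=25121011234567890?"        # bad check digit: not a real PAN
)

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_MEMORY):
        print(f"track {rec.track}: {rec.masked_pan} exp {rec.expiry} svc {rec.service_code} "
              f"chip={rec.chip_card} name={rec.name}")
```

The Luhn filter is what keeps a scan like this from drowning in false positives on a busy POS host, and the service code is worth keeping: a "card-present" record whose service code says a chip was present tells the investigator that any counterfeit made from it will show up as a fallback swipe.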

In a related Q&A, Sally Beauty Holdings suggested that all customers watch their credit and debit statements for signs of fraud.

Sally Beauty also promised to offer regular updates about the breach and to continue working with both Verizon and the US Secret Service. To date, however, it hasn't responded to Krebs's report that up to 282,000 of its customers' credit and debit cards may have been compromised in the breach.

"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation," the company said. "As a result, we will not speculate as to the scope or nature of the data security incident."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
MarkS229, User Rank: Apprentice, 3/21/2014 12:50:39 AM
RobinHood?
Actually, his real name was Alf, but it doesn't have the same ring to it...

anon4303592246, User Rank: Apprentice, 3/20/2014 9:15:56 AM
Re: Robin Hood?
Actually there was no relation between MIB and Robin Hood. MIB was a 'secret' government division. And Robin Hood was a freelancer that gave away money. The MIB clip was to signify that they would do things that the govt wouldn't, but not have to be accountable for their actions.

ssabella111, User Rank: Apprentice, 3/19/2014 7:26:36 PM
Attackers hit clearinghouse
Amen, do it again.

Laurianne, User Rank: Apprentice, 3/18/2014 2:52:19 PM
Robin Hood?
Men in Black video clips, huh. So they fancy themselves as Robin Hood types?