Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Fresh Target Breach Cards Hitting Black Market

A Bitcoin-powered marketplace is selling stolen card data in small batches, offering card validity guarantees, an RSA presentation reveals.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Since Target discovered that its point-of-sale systems were breached and 40 million credit cards stolen, how usable has the stolen card data been for criminals?

In fact, nearly two-thirds of the stolen card data being sold by Target's attackers remains valid, Dan Ingevaldson, CTO of Easy Solutions, said Thursday in a presentation at this week's RSA Conference in San Francisco. "When the first batch of Target cards hit, it was about 90% valid," Ingevaldson said in an interview at the conference. "Now they're about 60% valid, so it's just tapering off."

So far, only a fraction of the 40 million cards stolen from Target's point-of-sale systems have hit the black market. Furthermore, at the current rate of distribution, attackers will be continuing to drip feed the data on to carder forums for many more months. "The Target breach is going to be happening for at least the next year, until the cards age out," Ingevaldson said.

The implications for consumers are clear. Anyone whose card data was stolen by Target's attackers may not see related fraud hit their card until later this year -- or even next year -- when their card data finally gets offered for sale. The reason for that delay, Ingevaldson said, comes down to supply and demand: Attackers want to maximize their haul from the Target breach. "The market isn't big enough to absorb 40 million cards" all at once.

[The Target data breach started with an email attack on retailer's HVAC subcontractor. Read Target Breach: Phishing Attack Implicated.]

That release strategy is also tailored to selling card data repeatedly to a relatively small audience, which wouldn't have enough cash to hand to buy -- or put to use -- all the stolen card data outright, Aviv Raff, CTO of Seculert, said in an interview at the conference. "They want to monetize their stolen data. They could have just dumped it and gotten some money, but they want to get more."

Why are the stolen credit card numbers still valid at all? Because many issuers have chosen not to invalidate stolen numbers and issue new cards -- which costs either them or Target money. They are taking a wait-and-see approach and hope that their internal fraud controls spot related abuse.

How effective is that approach? "Good luck with that," said Raff, who formed the fraud action research lab at RSA before cofounding Seculert. In other words, those who shopped at Target during the period when attackers hacked into the company's network -- from Nov. 27 until Dec. 18 of last year -- may want to call their credit or debit card issuer and demand a new card, if they haven't already received one.

In his RSA presentation, Ingevaldson also demonstrated how Target's attackers -- or anyone else selling stolen card data -- maintain buyer interest, even as the data grows less valid and thus usable over time. Interestingly, some sites selling card data offer money-back guarantees for any numbers that don't work. Ingevaldson browsed a carder site called Valid Shop, which functions like an Amazon.com for black market data buyers, allowing them to purchase card data using bitcoins.

Valid Shop, which is offering Target card data, offers a number of otherwise de rigueur e-commerce features: one-click buying, easy checkout, robust customer service, and the aforementioned money-back guarantee. The site also allows users to buy either individual card numbers or bigger batches, and it calculates their validity rate, typically by using a valid merchant card that's been stolen by hackers. "That validity level is really the core metric for the price of the card -- in addition to limits and gold cards and platinum cards and stuff like that," Ingevaldson said.

Upon checkout and payment, the site adds a further twist: It tests all the numbers to see if they're valid. Some boards will immediately replace bad numbers with good ones or issue the buyer a refund -- in bitcoins, in the case of Valid Shop. "So it's a good customer service angle."

What will likely happen now that Easy Solutions has publicized Valid Shop? The forum may continue unchanged, since it does restrict access to vetted members. "We had to talk with these guys on ICQ, build up a persona, and do a few transactions with them to get known and vetted," Ingevaldson said. The site is hidden behind registration walls.

Or Valid Shop's administrators may just set up a new shop under a different name, as recently happened when the journalist Brian Krebs publicized a similar outfit. "When Krebs exposed a forum, it was shut down the next day and came up [under a new name] the day after that," Ingevaldson said.

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/2/2014 | 9:32:37 AM
Re: Not Only Credit Cards
The Microsoft scam support call is amusing to think about, someone actually thinks that by making such calls and investing time and money consumers are going to fall prey to the scam. The scary bit is that they are still operational, which means that they are people falling for the scam -- generating revenue. Otherwise they would not be attempting such a scam. The idea that a company will provide a high level of customer support is appealing to customers, but from the article we can see that when support and protection requires investment then firms choose the wait-and-see approach (risk management).
asksqn
50%
50%
asksqn,
User Rank: Ninja
3/1/2014 | 7:10:12 PM
Target Breach: the gift that keeps giving
The really galling thing about this latest breach is that this kind of theft can be nixed if the credit card industry (and those biz that accept plastic) would simply upgrade its current PCI DSS to the same standard Europe uses. 
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
3/1/2014 | 1:57:03 PM
Re: Not Only Credit Cards

This is scary. The level of "service" that Valid Shop is offering is a bit disturbing. I guess that even illegal marketplaces need to serve their customers well, or else people will not pay them. 

This is another unfortunate example of people using bitcoin for nefarious purposes. Bitcoin has many positive aspects, but its pseudononymous nature is causing it to be used as a tool for criminality. 

Mathew
50%
50%
Mathew,
User Rank: Apprentice
2/28/2014 | 6:47:04 PM
Re: Bottom line advice?
Yes. If I'd shopped at Target during the breach window -- which I didn't -- and used a credit/debit card, I'd call the card issuer and demand a new card number. Failing that, I'd threaten to cancel the account, or change banks.

However long that new-card process takes, it's a good bet it will equal a lot less time than dealing with the mess caused by any resulting ID theft.
Jim Donahue
50%
50%
Jim Donahue,
User Rank: Apprentice
2/28/2014 | 2:31:14 PM
Targeted
I got my first direct communication from Target about this situation only this week! That is remarkably bad.


Given I used only my Target card at the store during the affected time frame--not a general credit card--I can pretty easly keep tabs on how the card is being used, so I'm not terribly concerned. But I am surprised Target hasn't canceled its cards and issued new ones.
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
2/28/2014 | 2:29:33 PM
Bottom line advice?
So the bottom line, Mat, is if you shopped at Target during the timeframe in question, you should insist now on a new card?
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
2/28/2014 | 1:04:31 PM
Not Only Credit Cards
In the past week, I received a call about my "Microsoft Windows software" and another from "XYZ Bank's collection agency." Both, of course, were scams. I laughed at the first guy but was a bit concerned for a couple of minutes by the voicemail from the second until commonsense kicked in.
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be &quot;fluff&quot; in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.