Dixons Carphone has said that it has been the victim of an “unauthorised data access” in which millions of customer bank card details were targeted over the past 12 months.
The company believed there were attempts since last July – only discovered over the past week – to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores.
Dixons Carphone Warehouse says there has been no evidence of fraud as a result of the hack, but there are a few general tips below if you’re worried:
Regularly check your accounts. It’s good practice to regularly keep an eye on your bank accounts and credit card statements. If you spot anything unusual contact your provider immediately.
Watch out for scams. Be alert and watch out for potential scam emails or calls – don’t simply assume they are genuine even if they look believable.
Change your password. Dixons Carphone Warehouse doesn’t think any passwords were taken, but if you’re worried change your password, and change it on other sites where you have used the same one.
In a statement the company said:
As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.
Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.
Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.
Dixons Carphone Chief Executive, Alex Baldock, said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”
Account data tied to 92 million users of the genealogy and DNA testing service MyHeritage were found on a third-party “private” server in a breach that exposed usernames and passwords of customers.
A statement on the MyHeritage blog says:
MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.
Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.
The security researcher reported that no other data related to MyHeritage was found on the private server. There has been no evidence that the data in the file was ever used by the perpetrators. Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.
We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.
The company did not elaborate on the ownership or origin of the server. It did however confirm that the data originated from MyHeritage and included email addresses and hashed passwords of 92,283,889 users. No other data, such as user financial information, DNA and genealogy specifics, was found on the server hosting the data.
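What "a one-way hash whose key differs for each customer" means in practice, as an added example that is not MyHeritage's scheme (the statement gives neither algorithm nor parameters): each stored record carries its own random salt, so two users with the same password get unrelated digests and a leaked file cannot be attacked with a single precomputed table. The example uses PBKDF2-HMAC-SHA256 from the Python standard library; the record format and the user names are assumptions.

```python
"""Per-user salted password hashing (example code, not MyHeritage's own)."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # work factor; raise as hardware allows
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt is drawn per call, so the "hash key" differs per user.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo_two_users_same_password(password: str = "correct horse") -> dict:
    """Constructed pair of users (alice, bob) who chose the same password."""
    alice = hash_password(password)
    bob = hash_password(password)
    return {
        "records_differ": alice != bob,            # different salts, different digests
        "alice_verifies": verify_password(password, alice),
        "bob_verifies": verify_password(password, bob),
        "wrong_rejected": verify_password("wrong", alice),
    }
```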
Media reports detail an Amazon S3 bucket misconfiguration that has led to a serious data breach. According to ZDnet, a UK-based security researcher found two public S3 buckets belonging to TeenSafe, a mobile app for iOS and Android, that allows parents to monitor the texts, calls, locations and social media exchanges of their children. The buckets were reportedly left unsecured and accessible to anyone without a password. This breach exposed at least 10,200 records covering the preceding three months, including children’s Apple ID and plaintext passwords, device names and their device’s unique identifier.
This latest incident is another instance of an Amazon S3 Bucket being misconfigured, making it publicly accessible. This breach is particularly serious due to the potential for online predators to access the personal details of minors. It may also leave the affected children (and their parents) more vulnerable to identity theft in the future.
By default, all new Amazon S3 resources including buckets are private, and since November they have also been encrypted. For a bucket and its contents to be made public, it must be configured to be so. Permissions inheritance can be complicated, so AWS provides a free tool for their customers to identify any buckets that are publicly accessible.
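A check that a bucket owner can run against the two documents that decide whether a bucket is public: its ACL (a grant to the AllUsers or AuthenticatedUsers groups) and its bucket policy (an Allow statement open to any principal). This is an added example, not the AWS tool mentioned above; the sample ACL and policy documents are constructed in the shape the S3 API returns, and `example-bucket` and `example-owner-id` are placeholders.

```python
"""Offline detection of public S3 bucket ACL grants and policy statements
(example code added here, not AWS tooling)."""

# Canned group URIs AWS uses for anonymous and any-signed-in-user grants.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> list:
    """Return (permission, group URI) pairs for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grant.get("Permission"), grantee["URI"]))
    return found


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy: dict) -> list:
    """Return Sids of Allow statements with a wildcard principal and no Condition.

    Conditional wildcard statements are left for manual review rather than
    flagged, so a clean result here is not proof that the bucket is private.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def is_public(acl: dict, policy: dict) -> bool:
    return bool(public_acl_grants(acl) or public_policy_statements(policy))


# Constructed sample documents: a bucket whose ACL grants READ to everyone and
# whose policy also allows anonymous GetObject. Identifiers are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}
```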
According to The Washington Post, a federal study found signs that surveillance devices for intercepting mobile calls and texts were operating near the White House and other sensitive locations in the Washington area last year.
A Department of Homeland Security program discovered evidence of the surveillance devices, called IMSI catchers, as part of federal testing last year, according to a letter from DHS to Sen. Ron Wyden (D-Ore.)
Part of this letter states:
“While the NPPD pilot did observe anomalous activity that appeared consistent with IMSI catcher technology within the [National Capital Region], including locations in proximity to sensitive facilities like the White House,” Krebs wrote. “NPPD has neither validated nor attributed such activities to specific entities, devices or purposes.” Krebs stated that NPPD doesn’t have the law enforcement and counterintelligence authority to directly address the IMSI catcher threat, and it had passed along the data collected to other agencies.
The devices work by simulating cell towers to trick nearby phones into connecting, allowing the IMSI catchers to collect calls, texts and data streams. Unlike some other forms of phone interception, IMSI catchers must be near targeted devices to work.
Krebs’ letter to Wyden concludes with: “Overall, the NPPD believes the malicious use of IMSI catchers is a real and growing risk”.
Group-IB, a high-fidelity threat intelligence and anti-fraud solutions vendor has released a report detailing the operations of a Russian-speaking targeted attack group dubbed by Group-IB as MoneyTaker.
In less than two years, the MoneyTaker group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting internal banking systems for theft, including the AWS CBR (Russian Interbank Transfer System), and card payment processing systems in US banks. Group-IB confirmed one attack on a financial and transaction software service provider in the United Kingdom; however, card processing systems used inside banks were the group’s main target.
Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on an IT-company (providing financial software) in the UK and 2 attacks on Russian banks. By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed.
MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations. – Dmitry Volkov – Group-IB Co-Founder and Head of Intelligence
The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was stolen from the bank by gaining access to First Data’s “STAR” network operator portal. Since that time, the group attacked companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.
In 2016, Group-IB identified 10 attacks conducted by MoneyTaker: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on an IT company in the UK and 2 attacks on Russian banks. Of these, only one incident, involving a Russian bank, is known to Group‑IB to have been promptly identified and prevented.
In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.
Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes – using unique accounts for each transaction. Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the [email protected] format.
Important findings that enabled Group-IB to discover the links between crimes include privilege escalation tools compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016. Also, in some incidents, hackers used the infamous Citadel and Kronos banking Trojans. The latter was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.
By analyzing the attack infrastructure, Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks. Exfiltrated documents include admin guides, internal regulations and instructions, change request forms, transaction logs, etc. A number of incidents in which documents describing how to make transfers through SWIFT were copied are being investigated by Group-IB. Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker.
Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime.
MoneyTaker: arsenal for attacks
Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools. For example, to spy on bank operators they developed an application with ‘screenshot’ and ‘keylogger’ capabilities. This program is designed to capture keystrokes, take screenshots of the user’s desktop and get contents from the clipboard. The application is compiled in Delphi and contains 5 timers: functions of the application (such as taking screenshots, capturing keystrokes, disabling itself) are executed once the timer triggers. To circumvent antivirus and automated sample analysis, hackers again used ‘security measures’: they implemented the anti-emulation function in the timer code.
In an attack on a Russian bank through the AWS CBR, hackers used a tool called MoneyTaker v5.0, after which the group has been named. Each component of this modular program performs a certain action: it searches for payment orders and modifies them, replaces original payment details with fraudulent ones, and then erases traces. The replacement succeeds because at this stage the payment order has not yet been signed; signing occurs after the payment details have been replaced. In addition to hiding the tracks, the concealment module also substitutes the original payment details back into the debit advice returned after the transaction, in place of the fraudulent ones. This means that the payment order is sent and accepted for execution with the fraudulent payment details, while the responses appear as if the payment details were the original ones. This gives cybercriminals extra time to mule funds before the theft is detected.
Leaving no trace behind
To conduct targeted attacks, MoneyTaker uses a distributed infrastructure that is difficult to track. A unique feature of the infrastructure is a persistence server, which delivers payloads only to victims with an IP address in MoneyTaker’s whitelist.
To control the full operation, MoneyTaker uses a Pentest framework Server. On it, the hackers install a legitimate tool for penetration testing – Metasploit. After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network. Hackers use Metasploit to conduct all these activities: network reconnaissance, search for vulnerable applications, exploit vulnerabilities, escalate systems privileges, and collect information.
The group uses ‘fileless’ malware that exists only in RAM and is destroyed on reboot. To ensure persistence in the system, MoneyTaker relies on PowerShell and VBS scripts, which are both difficult for antivirus to detect and easy to modify. In some cases, they have made changes to source code ‘on the fly’, during the attack.
After successful infection, they carefully erase malware traces. However, when investigating an incident in Russia, we managed to discover the initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.
In addition, to protect C&C communications from being detected by security teams, MoneyTaker employs SSL certificates generated using the names of well-known brands (Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.) instead of filling the fields out randomly. In the US, they used the LogMeIn Hamachi solution for remote access.
Attacks on card processing
The first attack on card processing that Group-IB specialists attribute to this group was conducted in May 2016. Having gained access to the bank network, the attackers compromised the workstation of First Data’s STAR network portal operators, making the changes required and withdrawing the money. In January 2017, the attack was repeated in another bank.
The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000 USD.
Law enforcement, with support from Group-IB, has arrested a 32-year-old hacker, accused of stealing funds from Russian banks’ customers using Android mobile malware.
At the height of the group’s activity, victims reportedly lost between 1,500 and 8,000 dollars daily, and the gang used cryptocurrency for laundering.
Group-IB’s analysis of the tools and techniques leveraged in the group’s attack revealed that the gang tricked customers of Russian banks into downloading a malicious mobile application, “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all their bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.
The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.
Research by Arbor Networks has alleged that a capable state actor has hijacked software that protects users if their computers are stolen.
The software, called LoJack, allows administrators to remotely lock, locate and remove files from stolen computers.
Its main customers are corporate IT-related firms that need to protect information from exploitation. It is often installed by default. However, the actor has re-configured the software for malicious use to maintain persistent access to targeted devices and communicate with command-and-control servers that the actor operates.
Most anti-virus packages cannot detect when LoJack has been hijacked, or do not recognise the hijacked version as malicious.
Previous research as far back as 2009 has publicised that LoJack could be exploited.
However, not all computers that use LoJack are vulnerable to compromise and data exfiltration – the attacker needs to gain initial access to the machine before they can deploy the hijacked version of LoJack to maintain persistence.
Twitter has urged its users to change their passwords after a software bug exposed their login details.
The bug saw usernames and passwords written in plain text and stored in an internal log before being encrypted.
Twitter discovered and fixed the error and have since apologised for their mistake, advising all 330 million users to change their passwords as a precautionary measure.
Despite login credentials being made visible by the bug, Twitter are confident that no details have been compromised.
It is important to manage passwords effectively; never use the same password for important accounts such as banking, work accounts or cloud storage. If your password is exposed on one platform it’s possible that criminals or other threat actors might attempt to use that information in the hope of compromising others.
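The failure mode in the Twitter incident above is credentials reaching an internal log before they are hashed. One defensive control is to scrub secret-looking fields at the logging layer, so a stray debug statement cannot leak them. This is an added example, not Twitter’s fix; the field names, log format and sample login records are constructed.

```python
"""Logging filter that redacts credential fields before they are written
(example code added here, not Twitter's own)."""
import io
import logging
import re

# Field names whose values must never reach a log line (constructed list).
SECRET_FIELDS = ("password", "passwd", "pwd", "secret", "token")
# Matches key=value, key: value and "key": "value", with optional quotes.
_SECRET_RE = re.compile(
    r'(?i)(["\']?(?:' + "|".join(SECRET_FIELDS) + r')["\']?\s*[:=]\s*)'
    + r'(["\']?)([^"\'\s,&}]+)(\2)'
)
MASK = "[REDACTED]"


def redact(text: str) -> str:
    """Replace the value of any secret-looking field; keep everything else."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}{m.group(4)}", text)


class RedactingFilter(logging.Filter):
    """Render the message first, then scrub it, so %-args are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True   # never drop the record, only scrub it


def build_logger(name: str = "auth") -> tuple:
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, buf


def simulate_login_logging() -> str:
    """Constructed records that mimic the bug: raw credentials sent to a log."""
    logger, buf = build_logger()
    logger.debug("login attempt user=alice password=hunter2 ip=203.0.113.5")
    logger.debug('request body: {"username": "bob", "password": "s3cr3t!"}')
    logger.debug("form: user=%s&password=%s", "carol", "pa$$w0rd")
    return buf.getvalue()
```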
A cyber criminal who hacked into the online networks of at least 200 companies worldwide recently pleaded guilty to multiple offences in court.
Grant West, 25, who operated under the pseudonym ‘Courvoisier’, was detained in September 2017 following a two-year investigation by Scotland Yard. He was arrested on a train whilst logging on to his dark web marketplace account.
Southwark Crown Court heard that from at least 2015, West hacked into the online networks of Sainsburys, Asda, Apple, Uber, Ladbrokes, JustEat, Argos and others.
The data of thousands of customers was then stolen and used in spear-phishing scams to dupe customers into revealing their credit and debit card details, login credentials and email addresses.
The customer credentials were then sold on the dark web marketplace and used by other cyber criminals to make illegal purchases. Although hacking of the company websites was the major enabler of this cyber criminal activity, the spear-phishing emails ultimately led to customers unwittingly divulging their personal banking details which were then used to steal their money.