Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.

In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 gb set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.

The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.

KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added and when existing inventory is removed (sold).

Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — representing almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground.

“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.

Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.

Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].

But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.

“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”

According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available.

One reseller in particular (ID: 174,829) offered just shy of 6 million records, posted for $106 million. Of those, almost 940,000 were sold, grossing over $16 million in profits shared between BriansClub and the reseller. In the quote below, a “base” refers to a distinct batch of freshly-stolen card data uploaded to BriansClub.

“For context, the collective price for the entirety of exposed BriansClub records was $566 million, while the total dollar amount of all sold records exceeded $162 million,” Gemini noted. “The top 20 buyers bought 5% of the entire set of records in this shop, while the top 100 buyers accounted for 11%. The shop had a total of 11,000 bases, with most vendors uploading multiple bases.”

All the 26 million+ card records leaked from BriansClub were shared with multiple trusted sources that work directly with financial institutions to inform them when their customers’ cards go up for sale in the cybercrime underground.

Banks at this point basically have three options. Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.

But here’s the thing: Not all banks got the data at the same time. The larger banks got it first and largely shrugged. At least according to anti-fraud sources at two large U.S.-based financial institutions: Their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised in one of hundreds of breaches since 2015, mostly those involving malware inside point-of-sale payment terminals.

The sources I spoke with at smaller financial institutions found out about the cards they’d issued to customers that wound up in the BriansClub database by receiving alerts last week from Visa and MasterCard. Most of those sources seemed genuinely surprised at the number of cards exposed, and two sources at different credit unions each estimated they were previously unaware of about 80 percent of the cards listed in the alerts from the credit card companies.

Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have much a higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence to the banking sector is causing much of stampede for re-issuing cards.

Visa maintains that smaller financial institutions receive the same alerts sent to larger banks about cards thought to be exposed in specific breaches. The alerts include cards specific to each bank, but smaller banks are often limited in the resources they have available to do much with the reported card data, aside from re-issuing the card.

Gemini CEO and co-founder Andrei Barysevich said so far the feedback from the banks has been all over the place.

“While the larger US banks told us that most of the cards have been previously flagged as compromised, the mid and small size financial institutions were caught completely off-guard,” he said. “As to the European and Asian banks, to them the data was mostly new, in some cases upwards of 60% of cards were still open and active.”

I thought perhaps the card associations could provide some meta-statistics on the BriansClub dump, but also those hopes were dashed. MasterCard did not respond to requests for comment. Visa declined to share any information related to the BriansClub database (even though they got it indirectly courtesy of Yours Truly), but issued the following statement:

“As part of our core mission to ensure security across the payment system, we are very aware of carder forums and other criminal enterprises. Visa continuously invests in intelligence and technology to detect cyber threats and works with law enforcement, clients and other partners, to mitigate and disrupt such threats.

“Whenever we discover compromised account information, Visa uses its payment intelligence and investigative capabilities to determine the source. We also work with our financial institution clients to provide card issuers with the compromised account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, by reissuing cards. Incidents such as these reinforce the need for secure technologies such as chip and tokenization to devalue account information so that even if stolen, data cannot be leveraged for fraud.””

Gemini found that exactly two-thirds of the stolen cards (66.6 percent) siphoned from BriansClub were Visa-branded, and 23 percent MasterCard. A full 85% of the total records were EMV (chip) enabled, with the remaining 15% using only a magnetic stripe.

One final note: Gemini report also challenges claims made by the administrator of BriansClub, namely that he removed the breached cards from his online store and that the data leak stemmed from a breach in February as his site’s data center.

“While the administrator of BriansClub, operating under the moniker ‘Brian Krebs,’ claimed that the breach took place in February 2019, this appears to be false,” Gemini observed in its report. “The number of records from South Korea corresponds to a previous spike in South Korean records that occurred from March 2019 through July 2019. If BriansClub were breached in February, the South Korean-issued cards would number under 10,000 rather than over 1 million.”

The report continues:

“This threat actor also claimed to have removed the compromised records from the shop. Gemini has found this claim to be false as well. Since BriansClub offers a ‘checker service’ for all purchased records to determine whether compromised payment cards are still open, it may be unnecessary to remove the cards. The shop likely assumes that even if the banks received the compromised card data from this breach, they are unlikely to close down and reissue every single card.”

When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.

But on Oct. 23 — less than 24 hours before another weekly payroll rush — Pasadena, Calif.-based Cachet threw much of its customer base into disarray when it said its bank was no longer willing to risk another MyPayrollHR debacle, and that customers would need to wire payroll deposits instead of relying on the usual method of automated clearinghouse (ACH) payments (essentially bank-to-bank checks).

Cachet processes some $150 billion in payroll payments annually for more than 110,000 employers. But payroll experts say this week’s actions by Cachet’s bank may well soon put the 22-year-old company out of business.

“We apologize for the inconvenience of this message,” reads the communication from Cachet that went out to customers just after 6:30 PM ET on Oct. 23. It continued:

“Due to ongoing fraud protocol with our bank, they are requiring pre-funding via Direct Wire for all batches that were uploaded this week, unless employees were already paid or tax payments were already transmitted. This includes all batch files moving forward.”

All files that were uploaded today for collection and disbursement will not be processed. In order to process disbursement, we will need to receive a wire first thing tomorrow in order to release the disbursements.

All collections that were processed prior to today will be reviewed by the bank and disbursements will be released once the funds are cleared. Credit trans

Deadline for wires is 1 P.M. PST.

This will be the process until further notice. If you need a backup processor, please contact us.

If you require wire instructions, please respond to this email and they will be sent to you.

We welcome and anticipate your phone calls and inquiries. We remain committed to our clients and are determined to see this through. We appreciate and thank you for your patience and understanding.”

In a follow-up communication sent Thursday evening, Cachet said all debit transactions with a settlement date of Oct. 23 had been processed, but that any transactions uploaded after Oct. 23 were not being processed at all, and that wires are no longer being accepted.

“If they aren’t taking money, they’re out of business,” Friedl said of Cachet.

Cachet’s financial institution, Wilmington, Del. based The Bancorp Bank (NASDAQ: TBBK), did not respond to requests for comment.

Cachet also did not respond to requests for comment. But in an email Thursday evening, the company sought to offer customers a range of alternatives — including other providers — to help process payrolls this week.

Steve Friedl, an IT consultant in the payroll service bureau industry, said the Cachet announcement has sent payroll providers scrambling to cut and mail or courier paper checks to client employees.  But he said many payroll providers also use Cachet to process tax withholdings for client employees, and that this, too, could be disrupted by the funding changes.

“There’s a lot of same day stuff that goes on in the payroll industry that depends on people being honest and having money available at certain times,” Friedl said. “When that’s not possible because a bank in that process says it doesn’t want to be stuck in the middle that can create problems for a lot of people who are then stuck in the middle.”

Another payroll expert at a company that uses Cachet but who asked not to be named said, “everyone I know at payroll providers is scrambling to get it done another way this week” as a result of the decision by Cachet’s bank.

“Those bureaus will do whatever they can to keep their clients happy because something like this can quickly put them out of business,” the source said. “Unlike what happened with MyPayrollHR — which harmed consumers directly — the payment service bureaus are the ones potentially getting hurt here.”

Most corporate payroll is handled through ACH transactions, a system that allows financial institutions to push and pull funds to and from checking accounts between banks. ACH is essentially the same thing as writing a check for a good or service, and it typically involves an element of trust because there is a time delay (24-48h) between which the promised funds are released to the receiving bank and the funds are made available to the recipient.

In contrast, a wire transfer takes minutes and the funds are made available to the recipient almost immediately. Wires are also far more expensive for customers, and they earn banks hugely profitable processing fees, whereas ACH transaction fees are minuscule by comparison.

Ultimately, banks may decide that for certain clients they no longer wish to assume the risk of fraudsters exploiting the float period for ACH transactions to steal tens of millions of dollars, as was the case in the MyPayrollHR fiasco.

It’s worth noting that the MyPayrollHR fraud wasn’t the first time Cachet has been tripped up by the demise of a payroll company: In 2016, the collapse of Monterey, Calif. based payroll processor Pinnacle Workforce Solutions left Cachet holding the bag for more than $1 million. Cachet sued to recover the money stuck in Pinnacle’s frozen accounts. From The Monetery County Weekly:

“Cachet’s lawyers also outline possible nefarious action by Pinnacle. ACH companies act as middlemen for processing payroll and other large transactions. Every pay period, Pinnacle would send Cachet a coded file to tell the ACH how to distribute funds. But, on Sept. 21 [2016] Pinnacle had manipulated the code sent to Cachet so the money collected from its clients went directly to Pinnacle instead of being held in the ACH account before being distributed to its clients’ employees, the suit alleges.”

It will be interesting to see how long the fallout from the MyPayrollHR episode will last and how many other firms may get wiped because of it. Shortly after MyPayrollHR closed its doors last month and disappeared with $35 million in payroll and tax payments, the company’s 49-year-old CEO Michael Mann was arrested and charged with bank fraud.

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of American and Pioneer from Aug. 1, 2019 to Aug. 30, 2019. The Times Union reports that Mann and his company are now being sued by Pioneer Bank and a large insurance company over a $42 million loan it gave to Mann and his companies just a month before his payroll business closed up shop.

Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week.  The company said it is in the final stages of bringing all of its systems back online from backups.

With more than 550 employees, Lawrence Township, N.J.-based Billtrust is a cloud-based service that lets customers view invoices, pay, or request bills via email or fax. In an email sent to customers today, Billtrust said it was consulting with law enforcement officials and with an outside security firm to determine the extent of the breach.

“Our standard security and back-up procedures have been and remain instrumental in our ability to execute the ongoing restoration of services,” the email reads. “Out of an abundance of caution, we cannot disclose the precise ransomware strains but will do so as soon as prudently possible.

In an interview with KrebsOnSecurity on Monday evening, Billtrust CEO Steven Pinado said the company became aware of a malware intrusion on Thursday, Oct. 17.

“We’re aware of the malware and have been able to stop the activity within our systems,” Pinado said. “We immediately started focusing on control, remediation and protection. The impact of that was several systems were no longer available to our customers. We’ve been fighting the fight, working on restoring services and also digging into the root cause.”

A report from BleepingComputer cites an unnamed source saying the ransomware strain that hit Billtrust was the BitPaymer ransomware, but that information could not be confirmed.

One of Billtrust’s customers has published a day-by-day chronology of the attack and communications from the company here (h/t @gossithedog).

Pinado said Billtrust had restored most of its systems, and that it was in the process now of putting additional security measures in place. He declined to discuss anything related to the ransomware attack, such as whether the company paid a ransom demand in exchange for a key to unlock files scrambled by the malware, although he allowed Billtrust does have cybersecurity insurance for just such occasions.

Billtrust recently teamed up with Visa to launch the Billtrust Business Payments Network, an effort to digitize payments between businesses.

Cloud service providers are a favorite target of attackers who deal in ransomware. In August, Wisconsin-based PerCSoft paid a hefty ransom to get out from beneath an attack that separated hundreds of dental offices from their patient records.

In July, attackers hit QuickBooks cloud hosting firm iNSYNQ, holding data hostage for many of the company’s clients. In February, cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.

Based in the Czech Republic, Avast bills itself as the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it detected and addressed a breach lasting between May and October 2019 that appeared to target users of its CCleaner application, a popular Microsoft Windows cleanup and repair utility.

Avast said it took CCleaner downloads offline in September to check the integrity of the code and ensure it hadn’t been injected with malware. The company also said it invalidated the certificates used to sign previous versions of the software and pushed out a re-signed clean update of the product via automatic update on October 15. It then disabled and reset all internal user credentials.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo wrote.

This is not the first so-called “supply chain” attack on Avast: In September 2018, researchers at Cisco Talos and Morphisec disclosed that hackers had compromised the computer cleanup tool for more than a month, leading to some 2.27 million downloads of the corrupt CCleaner version.

Avast said the intrusion began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were not challenged with any sort of multi-factor authentication — such as a one-time code generated by a mobile app.

“We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” Baloo wrote.

THE NORDVPN BREACH

Separately, NordVPN, a virtual private networking services that promises to “protect your privacy online,” confirmed reports that it had been hacked. Today’s acknowledgment and blog post mortem from Nord comes just hours after it emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN,” writes Zack Whittaker at TechCrunch.

VPN software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. This can offer a measure of anonymity, but the user also is placing a great deal of trust in that VPN service not to get hacked and expose this sensitive browsing data.

NordVPN’s account seems to downplay the intrusion, saying while the attackers could have used the private keys to intercept and view traffic for some of its customers’ traffic, the attackers would have been limited to eavesdropping on communications routing through just one of the company’s more than 3,000 servers.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” reads the NordVPN blog post. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

NordVPN said the intrusion happened in March 2018 at one of its datacenters in Finland, noting that “the attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed.” NordVPN declined to name the datacenter provider, but said the provider removed the remote management account without notifying them on March 20, 2018.

“When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them,” the company said. “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.”

TechCrunch took NordVPN to task on the somewhat dismissive tone of its breach disclosure, noting that the company suffered a significant breach that went undetected for more than a year.

Kenneth White, director of the Open Crypto Audit Project, said on Twitter that based on the dumped Pastebin logs detailing the extent of the intrusion, “the attacker had full remote admin on their Finland node containers.”

“That’s God Mode folks,” White wrote. “And they didn’t log and didn’t detect it. I’d treat all their claims with great skepticism.”

ANALYSIS

Many readers are curious about whether they should enshroud all of their online communications by using a VPN. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process. For a breakdown on what you should keep in mind when considering a VPN service, see this post.

Forgotten user accounts that provide remote access to internal systems — such as VPN and Remote Desktop services (RDP) — have been a persistent source of data breaches for years. Thousands of small to mid-sized brick-and-mortar businesses have been relieved of millions of customer payment card records over the years when their hacked IT contractors used the same remote access credentials at each client location.

Almost all of these breaches could have been stopped by requiring a second form of authentication in addition to a password, which can easily be stolen or phished.

The persistent supply chain attack against Avast brings to mind something I was considering the other day about the wisdom of allowing certain software to auto-update itself whenever it pleases. I’d heard from a reader who was lamenting the demise of programs like Secunia’s Personal Software Inspector and FileHippo, which allowed users to automatically download and install available updates for a broad range of third-party Windows programs.

These days, I find myself seeking out and turning off any auto-update functions in software that I install. I’d rather be alerted to new updates when I launch the program and have the ability to review what’s changing and whether anyone has experienced issues with the new version. I guess you could say years of dealing with unexpected surprises on Microsoft Patch Tuesdays has cured me of any sort of affinity I may have once had for auto-update features.

Cybercrime forums have been abuzz this week over news that BriansClub — one of the underground’s largest shops for stolen credit and debit cards — has been hacked, and its inventory of 26 million cards shared with security contacts in the banking industry. Now it appears this brazen heist may have been the result of one of BriansClub’s longtime competitors trying to knock out a rival.

Last month, KrebsOnSecurity was contacted by an anonymous source who said he had the full database of 26M cards stolen from BriansClub, a carding site that has long used this author’s name and likeness in its advertising. The stolen database included cards added to the site between mid-2015 and August 2019.

This was a major event in the underground, as experts estimate the total number of stolen cards leaked from BriansClub represent almost 30 percent of the cards on the black market today.

The purloined database revealed BriansClub sold roughly 9.1 million stolen credit cards, earning the site and its resellers a cool $126 million in sales over four years.

In response to questions from KrebsOnSecurity, the administrator of BriansClub acknowledged that the data center serving his site had been hacked earlier in the year (BriansClub claims this happened in February), but insisted that all of the cards stolen by the hacker had been removed from BriansClub store inventories.

However, as I noted in Tuesday’s story, multiple sources confirmed they were able to find plenty of card data included in the leaked database that was still being offered for sale at BriansClub.

Perhaps inevitably, the admin of BriansClub took to the cybercrime forums this week to defend his business and reputation, re-stating his claim that all cards included in the leaked dump had been cleared from store shelves.

Meanwhile, some of BriansClub’s competitors gloated about the break-in. According to the administrator of Verified, one of the longest running Russian language cybercrime forums, the hack of BriansClub was perpetrated by a fairly established ne’er-do-well who uses the nickname “MrGreen” and runs a competing card shop by the same name.

The Verified site admin said MrGreen had been banned from the forum, and added that “sending anything to Krebs is the lowest of all lows” among accomplished and self-respecting cybercriminals. I’ll take that as a compliment.

This would hardly be the first time some cybercriminal has used me to take down one of his rivals. In most cases, I’m less interested in the drama and more keen on validating the data and getting it into the proper hands to do some good.

That said, if the remainder of BriansClub’s competitors want to use me to take down the rest of the carding market, I’m totally fine with that.