“BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

Last month, KrebsOnSecurity was contacted by a source who shared a plain text file containing what was claimed to be the full database of cards for sale both currently and historically through BriansClub[.]at, a thriving fraud bazaar named after this author. Imitating my site, likeness and namesake, BriansClub even dubiously claims a copyright with a reference at the bottom of each page: “© 2019 Crabs on Security.”

Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account.

All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.

The leaked data shows that in 2015, BriansClub added just 1.7 million card records for sale. But business would pick up in each of the years that followed: In 2016, BriansClub uploaded 2.89 million stolen cards; 2017 saw some 4.9 million cards added; 2018 brought in 9.2 million more.

Between January and August 2019 (when this database snapshot was apparently taken), BriansClub added roughly 7.6 million cards.

Most of what’s on offer at BriansClub are “dumps,” strings of ones and zeros that — when encoded onto anything with a magnetic stripe the size of a credit card — can be used by thieves to purchase electronics, gift cards and other high-priced items at big box stores.

As shown in the table below (taken from this story), many federal hacking prosecutions involving stolen credit cards will for sentencing purposes value each stolen card record at $500, which is intended to represent the average loss per compromised cardholder.

STOLEN BACK FAIR AND SQUARE

An extensive analysis of the database indicates BriansClub holds approximately $414 million worth of stolen credit cards for sale, based on the pricing tiers listed on the site. That’s according to an analysis by Flashpoint, a security intelligence firm based in New York City.

Allison Nixon, the company’s director of security research, said Flashpoint had help from numerous parties in crunching the numbers from the massive leaked database.

Nixon said the data suggests that between 2015 and August 2019, BriansClub sold roughly 9.1 million stolen credit cards, earning the site $126 million in sales (all sales are transacted in bitcoin).

If we take just the 9.1 million cards that were confirmed sold through BriansClub, we’re talking about $2.27 billion in likely losses at the $500 average loss per card figure from the Justice Department.

Also, it seems likely the total number of stolen credit cards for sale on BriansClub and related sites vastly exceeds the number of criminals who will buy such data. Shame on them for not investing more in marketing!

There’s no easy way to tell how many of the 26 million or so cards for sale at BriansClub are still valid, but the closest approximation of that — how many unsold cards have expiration dates in the future — indicates more than 14 million of them could still be valid.

The archive also reveals the proprietor(s) of BriansClub frequently uploaded new batches of stolen cards — some just a few thousand records, and others tens of thousands.

That’s because like many other carding sites, BriansClub mostly resells cards stolen by other cybercriminals — known as resellers or affiliates — who earn a percentage from each sale. It’s not yet clear how that revenue is shared in this case, but perhaps this information will be revealed in further analysis of the purloined database.

BRIANS CHAT

In a message titled “Your site is hacked,’ KrebsOnSecurity requested comment from BriansClub via the “Support Tickets” page on the carding shop’s site, informing its operators that all of their card data had been shared with the card-issuing banks.

I was surprised and delighted to receive a polite reply a few hours later from the site’s administrator (“admin”):

“No. I’m the real Brian Krebs here

Correct subject would be the data center was hacked.

Will get in touch with you on jabber. Should I mention that all information affected by the data-center breach has been since taken off sales, so no worries about the issuing banks.”

Flashpoint’s Nixon said a spot check comparison between the stolen card database and the card data advertised at BriansClub suggests the administrator is not being truthful in his claims of having removed the leaked stolen card data from his online shop.

The admin hasn’t yet responded to follow-up questions, such as why BriansClub chose to use my name and likeness to peddle millions of stolen credit cards.

Almost certainly, at least part of the appeal is that my surname means “crab” (or cancer), and crab is Russian hacker slang for “carder,” a person who engages in credit card fraud.

HACKING BACK?

Nixon said breaches of criminal website databases often lead not just to prevented cybercrimes, but also to arrests and prosecutions.

“When people talk about ‘hacking back,’ they’re talking about stuff like this,” Nixon said. “As long as our government is hacking into all these foreign government resources, they should be hacking into these carding sites as well. There’s a lot of attention being paid to this data now and people are remediating and working on it.”

By way of example on hacking back, she pointed to the 2016 breach of vDOS — at the time the largest and most powerful service for knocking Web sites offline in large-scale cyberattacks.

Soon after vDOS’s database was stolen and leaked to this author, its two main proprietors were arrested. Also, the database added to evidence of criminal activity for several other individuals who were persons of interest in unrelated cybercrime investigations, Nixon said.

“When vDOS got breached, that basically reopened cases that were cold because [the leak of the vDOS database] supplied the final piece of evidence needed,” she said.

THE TARGET BREACH OF THE UNDERGROUND?

After many hours spent poring over this data, it became clear I needed some perspective on the scope and impact of this breach. As a major event in the cybercrime underground, was it somehow the reverse analog of the Target breach — which negatively impacted tens of millions of consumers and greatly enriched a large number of bad guys? Or was it more prosaic, like a Jimmy Johns-sized debacle?

For that insight, I spoke with Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in stolen card data.

Andrei Barysevich, co-founder and CEO at Gemini, said the breach at BriansClub is certainly significant, given that Gemini currently tracks a total of 87 million credit and debit card records for sale across the cybercrime underground.

Gemini is monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a stolen credit card record, that record is then removed from the inventory of items for sale. This allows companies like Gemini to determine roughly how many new cards are put up for sale and how many have sold.

Barysevich said the loss of so many valid cards may well impact how other carding stores compete and price their products.

“With over 78% of the illicit trade of stolen cards attributed to only a dozen of dark web markets, a breach of this magnitude will undoubtedly disturb the underground trade in the short term,” he said. “However, since the demand for stolen credit cards is on the rise, other vendors will undoubtedly attempt to capitalize on the disappearance of the top player.”

Liked this story and want to learn more about how carding shops operate? Check out Peek Inside a Professional Carding Shop. Want to help this site continue to produce useful, impactful journalism? Consider donating!

On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it. By most accounts, it’s a relatively light patch batch this month. Here’s a look at the highlights.

Happily, only about 15 percent of the bugs patched this week earned Microsoft’s most dire “critical” rating. Microsoft labels flaws critical when they could be exploited by miscreants or malware to seize control over a vulnerable system without any help from the user.

Also, Adobe has kindly granted us another month’s respite from patching security holes in its Flash Player browser plugin.

Included in this month’s roundup is something Microsoft actually first started shipping in the third week of September, when it released an emergency update to fix a critical Internet Explorer zero-day flaw (CVE-2019-1367) that was being exploited in the wild.

That out-of-band security update for IE caused printer errors for many Microsoft users whose computers applied the emergency update early on, according to Windows update expert Woody Leonhard. Apparently, the fix available through this month’s roundup addresses those issues.

Security firm Ivanti notes that the patch for the IE zero day flaw was released prior to today for Windows 10 through cumulative updates, but that an IE rollup for any pre-Windows 10 systems needs to be manually downloaded and installed.

Once again, Microsoft is fixing dangerous bugs in its Remote Desktop Client, the Windows feature that lets a user interact with a remote desktop as if they were sitting in front of the other PC. On the bright side, this critical bug can only be exploited by tricking a user into connecting to a malicious Remote Desktop server — not exactly the most likely attack scenario.

Other notable vulnerabilities addressed this month include a pair of critical security holes in Microsoft Excel versions 2010-2019 for Mac and Windows, as well as Office 365. These flaws would allow an attacker to install malware just by getting a user to open a booby-trapped Office file.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Staying up-to-date on Windows patches is good. Updating only after you’ve backed up your important data and files is even better. A reliable backup means you’re not pulling your hair out if the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

As always, if you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.

A Slovenian man convicted of authoring the destructive and once-prolific Mariposa botnet and running the infamous Darkode cybercrime forum has been arrested in Germany on request from prosecutors in the United States, who’ve recently re-indicted him on related charges.

The Slovenian Press Agency reported today that German police arrested Matjaž “Iserdo” Škorjanc last week, in response to a U.S.-issued international arrest warrant for his extradition.

In December 2013, a Slovenian court sentenced Škorjanc to four years and ten months in prison for creating the malware that powered the ‘Mariposa‘ botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after its inception, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.

Škorjanc and his hacker handle Iserdo were initially named in a Justice Department indictment from 2011 (PDF) along with two other men who allegedly wrote and sold the Mariposa botnet code. But in June 2019, the DOJ unsealed an updated indictment (PDF) naming Škorjanc, the original two other defendants, and a fourth man (from the United States) in a conspiracy to make and market Mariposa and to run the Darkode crime forum.

More recently, Škorjanc served as chief technology officer at NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies like bitcoin. In December 2017, approximately USD $52 million worth of bitcoin mysteriously disappeared from the coffers of NiceHash. Slovenian police are reportedly still investigating that incident.

It will be interesting to see what happens with the fourth and sole U.S.-based defendant added in the latest DOJ charges — Thomas K. McCormick, a.k.a “fubar” — allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.”

Between 2010 and 2013, Fubar would randomly chat me up on instant messenger apropos of nothing to trade information about the latest goings-on in the malware and cybercrime forum scene.

Fubar frequently knew before anyone else about upcoming improvements to or new features of ZeuS, and discussed at length his interactions with Iserdo/Škorjanc. Every so often, I would reach out to Fubar to see if he could convince one of his forum members to call off an attack against KrebsOnSecurity.com, an activity that had become something of a rite of passage for new Darkode members.

On Dec. 5, 2013, federal investigators visited McCormick at his University of Massachusetts dorm room. According to a memo filed by FBI agents investigating the case, in that interview McCormick acknowledged using the “fubar” identity on Darkode, but said he’d quit the whole forum scene years ago, and that he’d even interned at Microsoft for several summers and at Cisco for one summer.

A subsequent search warrant executed on his dorm room revealed multiple removable drives that held tens of thousands of stolen credit card records. For whatever reason, however, McCormick wasn’t arrested or charged until December 2018.

According to the FBI, back in that December 2013 interview McCormick voluntarily told them a great deal about his various businesses and online personas. He also apparently told investigators he talked with KrebsOnSecurity quite a bit, and that he’d tipped me off to some important developments in the malware scene. For example:

“TM had found the email address of the Spyeye author in an old fake antivirus affiliate program database and that TM was able to find the true name of the Spyeye author from searching online for an individual that used the email address,” the memo states. “TM passed this information on to Brian Krebs.”

Read more of the FBI’s interview with McCormick here (PDF).

German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.

The latest busted cybercrime bunker is in Traben-Trarbach, a town on the Mosel River in western Germany. The Associated Press says investigators believe the 13-acre former military facility served a number of dark web sites, including: the “Wall Street Market,” a sprawling, online bazaar for drugs, hacking tools and financial-theft wares before it was taken down earlier this year; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.”

German police reportedly seized $41 million worth of funds allegedly tied to these markets, and more than 200 servers that were operating throughout the underground temperature-controlled, ventilated and closely guarded facility.

The authorities in Germany haven’t named any of the people arrested or under investigation in connection with CyberBunker’s alleged activities, but said those arrested were apprehended outside of the bunker. Still, there are clues in the details released so far, and those clues have been corroborated by sources who know two of the key men allegedly involved.

We know the owner of the bunker hosting business has been described in media reports as a 59-year-old Dutchman who allegedly set it up as a “bulletproof” hosting provider that would provide Web site hosting to any business, no matter how illegal or unsavory.

We also know the German authorities seized at least two Web site domains in the raid, including the domain for ZYZTM Research in The Netherlands (zyztm[.]com), and cb3rob[.]org.

According to historic whois records maintained by Domaintools.com, Zyztm[.]com was originally registered to a Herman Johan Xennt in the Netherlands. Cb3rob[.]org was an organization hosted at CyberBunker registered to Sven Kamphuis, a self-described anarchist who was convicted several years ago for participating in a large-scale attack that briefly impaired the global Internet in some places.

Both 59-year-old Xennt and Mr. Kamphuis worked together on a previous bunker-based project — a bulletproof hosting business they sold as “CyberBunker” and ran out of a five-story military bunker in The Netherlands.

That’s according to Guido Blaauw, director of Disaster-Proof Solutions, a company that renovates and resells old military bunkers and underground shelters. Blaauw’s company bought the 12,500 square-meter Netherlands bunker from Mr. Xennt in 2011 for $700,000.

Media reports indicate that in 2002 a fire inside the CyberBunker 1.0 facility in The Netherlands summoned emergency responders, who discovered a lab hidden inside the bunker that was being used to produce the drug ecstasy/XTC.

Blaauw said nobody was ever charged for the drug lab, which was blamed on another tenant in the building. Blauuw said Xennt and others in 2003 were then denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.

“After the fire in 2002, there was never any data or servers stored in the bunker,” in The Netherlands, Blaauw recalled. “For 11 years they told everyone [the hosting servers where] in this ultra-secure bunker, but it was all in Amsterdam, and for 11 years they scammed all their clients.”

Blaauw said sometime between 2012 and 2013, Xennt purchased the bunker in Traben-Trarbach, Germany — a much more modern structure that was built in 1997. CyberBunker was reborn, and it began offering many of the same amenities and courted the same customers as CyberBunker 1.0 in The Netherlands.

“They’re known for hosting scammers, fraudsters, pedophiles, phishers, everyone,” Blaauw said. “That’s something they’ve done for ages and they’re known for it.”

About the time Xennt and company were settling into their new bunker in Germany, he and Kamphuis were engaged in a fairly lengthy and large series of distributed denial-of-service (DDoS) attacks aimed at sidelining a number of Web sites — particularly anti-spam organization Spamhaus. A chat record of that assault, detailed in my 2016 piece, Inside the Attack that Almost Broke the Internet, includes references to and quotes from both Xennt and Kamphuis.

Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.

The AP story mentioned above quoted German prosecutor Juergen Bauer saying the 59-year-old main suspect in the case was believed to have links to organized crime.

A 2015 expose’ (PDF) by the Irish newspaper The Sunday World compared Mr. Xennt (pictured below) to a villain from a James Bond movie, and said he has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.

Blaauw said he doesn’t know whether Kamphuis was arrested or named in the investigation, but added that people who know him and can usually reach him have not heard from Kamphuis over several days.

Here’s what the CyberBunker in The Netherlands looked like back in the early aughts when Xennt still ran it:

Here’s what it looks like now after being renovated by Blaauw’s company and designed as a security operations center (SOC):

I’m glad when truly bad guys doing bad stuff like facilitating child porn are taken down. The truth is, almost anyone trafficking in the kinds of commerce these guys courted also is building networks of money laundering business that become very tempting to use or lease out for other nefarious purposes, including human trafficking, and drug trafficking.

Earlier this month, employees at more than 1,000 companies saw one or two paycheck’s worth of funds deducted from their bank accounts after the CEO of their cloud payroll provider absconded with $35 million in payroll and tax deposits from customers. On Monday, the CEO was arrested and allegedly confessed that the diversion was the last desperate gasp of a financial shell game that earned him $70 million over several years.

Michael T. Mann, the 49-year-old CEO of Clifton Park, NY-based MyPayrollHR, was arrested this week and charged with bank fraud. In court filings, FBI investigators said Mann admitted under questioning that in early September — on the eve of a big payroll day — he diverted to his own bank account some $35 million in funds sent by his clients to cover their employee payroll deposits and tax withholdings.

After that stunt, two different banks that work with Mann’s various companies froze those corporate accounts to keep the funds from being moved or withdrawn. That action set off a chain of events that led another financial institution that helps MyPayrollHR process payments to briefly pull almost $26 million out of checking accounts belonging to employees at more than 1,000 companies that use MyPayrollHR.

At the same time, MyPayrollHR sent a message (see screenshot above) to clients saying it was shutting down and that customers should find alternative methods for paying employees and for processing payroll going forward.

In the criminal complaint against Mann (PDF), a New York FBI agent said the CEO admitted that starting in 2010 or 2011 he began borrowing large sums of money from banks and financing companies under false pretenses.

“While stating that MyPayroll was legitimate, he admitted to creating other companies that had no purpose other than to be used in the fraud; fraudulently representing to banks and financing companies that his fake businesses had certain receivables that they did not have; and obtaining loans and lines of credit by borrowing against these non-existent receivables.”

“Mann estimated that he fraudulently obtained about $70 million that he has not paid back. He claimed that he committed the fraud in response to business and financial pressures, and that he used almost all of the fraudulently obtained funds to sustain certain businesses, and purchase and start new ones. He also admitted to kiting checks between Bank of America and Pioneer [Savings Bank], as part of the fraudulent scheme.”

Check-kiting is the illegal act of writing a check from a bank account without sufficient funds and depositing it into another bank account, explains MagnifyMoney.com. “Then, you withdraw the money from that second account before the original check has been cleared.”

Kiting also is known as taking advantage of the “float,” which is the amount of time between when an individual submits a check as payment and when the individual’s bank is instructed to move the funds from the account.

Magnify Money explains more:

“Say, for example, that you write yourself a check for $500 from checking account A, and deposit that check into checking account B — but the balance in checking account A is only $75. Then, you promptly withdraw the $500 from checking account B. This is check-kiting, a form of check fraud that uses non-existent funds in a checking account or other type of bank account. Some check-kiting schemes use multiple accounts at a single bank, and more complicated schemes involve multiple financial institutions.”

“In a more complex scenario, a person could open checking accounts at bank A and bank B, at first depositing $500 into bank A and nothing in bank B. Then, they could write a check for $10,000 with account A and deposit it into account B. Bank B immediately credits the account, and in the time it might take for bank B to clear the check (generally about three business days), the scammer writes a $10,000 check with bank B, which gets deposited into bank A to cover the first check. This could keep going, with someone writing checks between banks where there’s no actual funds, yet the bank believes the money is real and continues to credit the accounts.”

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of American and Pioneer from Aug. 1, 2019 to Aug. 30, 2019.

For more than a decade, MyPayrollHR worked with California-based Cachet Financial Services to process payroll deposits for MyPayrollHR client employees. Every other week, MyPayrollHR’s customers would deposit their payroll funds into a holding account run by Cachet, which would then disburse the payments into MyPayrollHR client employee bank accounts.

But when Mann diverted $26 million in client payroll deposits from Cachet to his account at Pioneer Bank, Cachet’s emptied holding account was debited for the payroll payments. Cachet quickly reversed those deposits, causing one or two pay periods worth of salary to be deducted from bank accounts for employees of companies that used MyPayrollHR.

That action caused so much uproar from affected companies and their employees that Cachet ultimately decided to cancel all of those reversals and absorb that $26 million hit, which it is now trying to recover through the courts.

According to prosecutors in New York, Pioneer was Mann’s largest creditor.

“Mann stated that the payroll issue was precipitated by his decision to route MyPayroll’s clients’ payroll payments to an account at Pioneer instead of directly to Cachet,” wrote FBI Special Agent Matthew J. Wabby. “He did this in order to temporarily reduce the amount of money he owed to Pioneer. When Pioneer froze Mann’s accounts, it’s also (inadvertently) stopped movement of MyPayroll’s clients’ payroll payments to Cachet.”

Approximately $9 million of the $35 million diverted by Mann was supposed to go to accounts at the National Payment Corporation (NatPay) — the Florida-based firm which handles tax withholdings for MyPayrollHR clients. NatPay said its insurance should help cover the losses it incurred when MyPayrollHR’s banks froze the company’s accounts.

Court records indicate Mann hasn’t yet entered a plea, but that he was ordered to be released today under a $200,000 bond secured by a family home and two vehicles. His passport also was seized.