A new report proves the value of following the money in the fight against dodgy cybercrime services known as “booters” or “stressers” — virtual hired muscle that can be rented to knock nearly any website offline.

Last fall, two 18-year-old Israeli men were arrested for allegedly running vDOS, perhaps the most successful booter service of all time. The young men were detained within hours of being named in a story on this blog as the co-proprietors of the service (KrebsOnSecurity.com would later suffer a three-day outage as a result of an attack that was alleged to have been purchased in retribution for my reporting on vDOS).

That initial vDOS story was based on data shared by an anonymous source who had hacked vDOS and obtained its private user and attack database. The story showed how the service made approximately $600,000 over just two of the four years it was in operation. Most of those profits came in the form of credit card payments via PayPal.

But prior to vDOS’s takedown in September 2016, the service was already under siege thanks to work done by a group of academic researchers who teamed up with PayPal to identify and close accounts that vDOS and other booter services were using to process customer payments. The researchers found that their interventions cut profits in half for the popular booter service, and helped reduce the number of attacks coming out of it by at least 40 percent.

At the height of vDOS’s profitability in mid-2015, the DDoS-for-hire service was earning its proprietors more than $42,000 a month in PayPal and Bitcoin payments from thousands of subscribers. That’s according to an analysis of the leaked vDOS database performed by researchers at New York University.

As detailed in August 2015’s “Stress-Testing the Booter Services, Financially,” the researchers posed as buyers of nearly two dozen booter services — including vDOS —  in a bid to discover the PayPal accounts that booter services were using to accept payments. In response to their investigations, PayPal began seizing booter service PayPal accounts and balances, effectively launching their own preemptive denial-of-service attacks against the payment infrastructure for these services.

Those tactics worked, according to a paper the NYU researchers published today (PDF) at the Weis 2017 workshop at the University of California, San Diego.

“We find that VDoS’s revenue was increasing and peaked at over $42,000/month for the month before the start of PayPal’s payment intervention and then started declining to just over $20,000/month for the last full month of revenue,” the paper notes.

The NYU researchers found that vDOS had extremely low costs, and virtually all of its business was profit. Customers would pay up front for a subscription to the service, which was sold in booter packages priced from $5 to $300. The prices were based partly on the overall number of seconds that an attack may last (e.g., an hour would be 3,600 worth of attack seconds).

In just two of its four year in operation vDOS was responsible for launching 915,000 DDoS attacks, the paper notes. In adding up all the attack seconds from those 915,000 DDoS attacks, the researchers found vDOS was responsible for 48 “attack years” — the total amount of DDoS time faced by the victims of vDOS.

“As VDoS’s revenue and active subscriber base dwindled, so did the amount of harmful DDoS attacks launched by VDoS,” the NYU researchers wrote. “The peak attack time we found was slightly under 100,000 attacks and 5 attack years per month when VDoS’s revenue was slightly over $30,000/month. This decreased to slightly under 60,000 attacks and 3 attack years during the last month for which we have attack data. Unfortunately, we have incomplete attack data and likely missed the peak of VDoS’s attack volume. However, the payment intervention correlates to a 40% decrease in attack volume, which equates to 40,000 fewer attacks and 2 fewer attack years per month.”

Although a small percentage of vDOS customers shifted paying for their monthly subscriptions to Bitcoin after their preferred PayPal methods were no longer available, the researchers found that most customers who relied on PayPal simply went away and never came back.

“Near the middle of August 2015, the payment intervention that limited vDOS’s ability to accept PayPal payments began to take its toll on vDOS,” the researchers wrote. “Disrupting vDOS’s PayPal payment channel had a noticeable effect on both recurring and new revenue. By August 2015, payments from the PayPal channel decreased by $12,458 (44%) from an average of $28,523 over the previous five months. The Bitcoin payment channel increased by $6,360 (71%), but did not fully compensate for lost revenue from PayPal.”

The next month, vDOS established a number of ad-hoc payment methods, such as other third-party payment processors that accept credit card payments. However, most of these methods were short lived, likely due to the payment processors learning about the nature of their illicit DDoS service and terminating their accounts, the researchers observed.

“The revenue from these other regulated payment channels dwindled over a ten month period from $18,167 in September 2015 to $1,700 during June 2016,” the NYU team wrote. “The last month of the database leak in July 2016 shows no other forms payments other than Bitcoin.”

Other developments since vDOS’s demise in September 2016 have conspired to deal a series of body blows to the booter service industry. In October 2016, Hackforums — until recently the most bustling marketplace on the Internet where people could compare and purchase booter services — announced it was permanently banning the sale and advertising of these services on the forum.

In December 2016, authorities in the United States and Europe arrested nearly three-dozen people suspected of patronizing booter services. The enforcement action was a stated attempt by authorities to communicate to the public that people can go to jail for hiring booter services.

In April 2017, a U.K. man who ran a booter service that delivered some 1.7 million denial-of-service attacks against victims worldwide was sentenced to two years in prison.

Prosecutors in Israel say they are preparing formal charges against the two young Israeli men arrested last year on suspicion of running vDOS.

Check out the full NYU paper here (PDF).

OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.

Headquartered in San Francisco, OneLogin provides single sign-on and identity management for cloud-base applications. OneLogin counts among its customers some 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers.

A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer’s usernames and passwords for all of their other applications.

In a brief blog post Wednesday, OneLogin chief information security officer Alvaro Hoyos wrote that the company detected unauthorized access to OneLogin data.

“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.”

“While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”

OneLogin’s blog post includes no other details, aside from a reference to the company’s compliance page. The company has not yet responded to request for comment. However, Motherboard has obtained a copy of a message OneLogin reportedly sent to its customers about the incident, and that missive contains a critical piece of information:

“Customer data was compromised, including the ability to decrypt encrypted data,” reads the message OneLogin sent to customers.

According to Motherboard, the message also directed customers to a list of required steps to minimize any damage from the breach, such as generating new API keys and OAuth tokens (OAuth being a system for logging into accounts), creating new security certificates as well as credentials; recycling any secrets stored in OneLogin’s Secure Notes feature; and having end-users update their passwords.

Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket.

“It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”

KrebsOnSecurity will likely update this story throughout the day as more details become available.

For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. 

Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations.

Asked to respond to rumors about a card breach, Kmart’s parent company Sears Holdings said some of its payment systems were infected with malicious software:

“We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.”

“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.”

Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”

Sears spokesman Chris Brathwaite said the company is not commenting on how many of Kmart’s 735 locations nationwide may have been impacted or how long the breach is believed to have persisted, saying the investigation is ongoing.

“Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation,” Sears Holdings said in its statement. “We are actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats.”

In October 2014, Sears announced a very similar breach in which the company also stressed that the data stolen did not include customer names, email addresses or other personal information. 

Both breaches involved malware designed to steal credit and debit card data from hacked point-of-sale (POS) devices. The malware copies account data stored on the card’s magnetic stripe. Armed with that information, thieves can effectively clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers.

At least two financial industry sources told KrebsOnSecurity that the breach does not appear to be affecting all Kmart stores. Those same sources said that if the breach had hit all Kmart locations, they would expect to be seeing much bigger alerts from the credit card companies about accounts that are potentially compromised.

All Kmart stores in the United States now have credit card terminals capable of processing transactions from more secure chip-based cards. The chip essentially makes the cards far more difficult and expensive to counterfeit. But not all banks have issued customers chip-enabled cards yet, and thus this latest breach at Kmart likely impacts mainly Kmart customers who shopped at the store using non-chip enabled cards.

Visa said in March 2017 there were more than 421 million Visa chip cards in the country, representing 58 percent of Visa cards. According to Visa, counterfeit fraud has been declining month over month — down 58 percent at chip-enabled merchants in December 2016 when compared to the previous year.

Sears also has released a FAQ (PDF) that includes a bit more information about this breach disclosure.

It’s not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for their shops that run incessantly on various cybercrime forums. Exhibit A: McDumpals, a hugely popular carding site that borrows the Ronald McDonald character from McDonald’s and caters to bulk buyers. Exhibit B: Uncle Sam’s dumps shop, which wants YOU! to buy American. Today, we’ll look at an up-and-coming stolen credit card shop called Trump’s-Dumps, which invokes the 45th president’s likeness and promises to make credit card fraud great again.

One reason thieves who sell stolen credit cards like to use popular American figures in their ads may be that a majority of their clients are people in the United States. Very often we’re talking about street gang members in the U.S. who use their purchased “dumps” — the data copied from the magnetic stripes of cards swiped through hacked point-of-sale systems — to make counterfeit copies of the cards. They then use the counterfeit cards in big-box stores to buy merchandise that they can easily resell for cash, such as gift cards, Apple devices and gaming systems.

When most of your clientele are street thugs based in the United States, it helps to leverage a brand strongly associated with America because you gain instant brand recognition with your customers. Also, a great many of these card shops are run by Russians and hosted at networks based in Russia, and the abuse of trademarks closely tied to the U.S. economy is a not-so-subtle “screw you” to American consumers.

In some cases, the guys running these card shops are openly hostile to the United States. Loyal readers will recall the stolen credit card shop “Rescator” — which was the main source of cards stolen in the Target, Home Depot and Sally Beauty breaches (among others) — was tied to a Ukrainian man who authored a nationalistic, pro-Russian blog which railed against the United States and called for the collapse of the American economy.

In deconstructing the 2014 breach at Sally Beauty, I interviewed a former Sally Beauty corporate network administrator who said the customer credit cards being stolen with the help of card-stealing malware installed on Sally Beauty point-of-sale devices that phoned home to a domain called “anti-us-proxy-war[dot]com.”

Trump’s Dumps currently advertises more than 133,000 stolen credit and debit card dumps for sale. The prices range from just under $10 worth of Bitcoin to more than $40 in Bitcoin, depending on which bank issued the card, the cardholder’s geographic location, and whether the cards are tied to premium, prepaid, business or executive accounts.

Trump’s Dumps is currently hosted on a Russian server that caters to a handful of other high-profile carding shops, including the long-running “Fe-shop” and “Monopoly” dumps stores.

Sites like Trump’s Dumps can be taken offline — by forcing a domain name registrar to revoke the domain — but the people responsible for running this shop have already registered a slew of similar domains and no doubt have fresh bulletproof hosting standing by in case their primary domain is somehow seized.

Also, like many other modern carding sites this one has versions of itself running on the Dark Web — sites that are only accessible using Tor and are far more difficult to force offline.

The home page of Trump’s Dumps takes some literary license with splices of President Trump’s inaugural address (see the above screenshot for the full text):

“WE, THE CITIZENS OF DARK WEB, ARE NOW JOINED IN A GREAT NATIONAL EFFORT TO REBUILD OUR COMMUNITY AND RESTORE ITS PROMISE FOR ALL OF OUR PEOPLE.”

TOGETHER, WE WILL DETERMINE THE COURSE OF CARDING AND THE BLACKHAT COMMUNITY FOR MANY, MANY YEARS TO COME. WE WILL FACE CHALLENGES. WE WILL CONFRONT HARDSHIPS. BUT WE WILL GET THE JOB DONE.”

The U.S. Secret Service, which has the dual role of protecting the President and busting up counterfeiters (including credit card theft rings), declined to comment for this story.

WHO RUNS TRUMP’S DUMPS?

For now, I’m disinclined to believe much about a dox supposedly listing the Trump’s Dumps administrator’s various contacts that was released by one of his competitors in the cybercrime underground. However, there are some interesting clues that tie Trump’s Dumps to a series of hacking attacks on e-commerce providers over the past year. Those clues suggest the criminals behind Trump’s Dumps are massively into stealing credit card data that fuels both card-present and online fraud.

In the “contacts” section of Trump’s Dumps the proprietors list three Jabber instant messenger IDs. All of them end in @trumplink[dot]su. That site is not currently active, but Web site registration records for the domain show it is tied to the email address “rudneva-y@mail.ua.”

A reverse WHOIS website registration record search ordered from domaintools.com [full disclosure: Domaintools is an advertiser on this blog] shows that this email address is associated with at least 15 other domains. Most of those domains appear to have been registered to look like legitimate Javascript calls that many e-commerce sites routinely make to process transactions, such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su” (the full list is in this PDF).

A Google search on those domains produces a report from security firm RiskIQ, which explains how those domains featured prominently in a series of hacking campaigns against e-commerce websites dating back to March 2016. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.

These same domains showed up in an attack last October when it was revealed that hackers had compromised the Web site for the U.S. Senate GOP Senatorial Committee, among more than 5,900 other sites that accept credit cards. The intruders tinkered with the GOP Committee site’s HTML code to insert calls to domains like “jquery-cloud[dot]net” to hide the fact that they were stealing all credit card data that donors submitted via the Web site.

Earlier this month, KrebsOnSecurity featured a story about a basic security flaw in the Web site of medical diagnostics firm True Health Group that let anyone who was logged in to the site view all other patient records. In that story I mentioned True Health was one of three major healthcare providers with similar website problems, and that the other two providers didn’t even require a login to view all patient records. Today we’ll examine a flaw that was just fixed by Molina Healthcare, a Fortune 500 company that until recently was exposing countless patient medical claims to the entire Internet without requiring any authentication.

In April 2017 I received an anonymous tip from a reader who said he’d figured out that just by changing a single number in the Web address when accessing his recent medical claim at MolinaHealthcare.com he could then view any and all other patient claims.

More alarmingly, the link he was given to access his claim with Molina was accessible to anyone who had the link; no authentication was required to view it. Nor was any authentication required to view any other records that could be accessed by fiddling with the numbers after the bit at the end of Molinahealthcare.com address (e.g., claimID=123456789).

In other words, having access to a single hyperlink to a patient record would allow an attacker to enumerate and download all other claims. The source showed me screenshots of his medical records at Molina, and how when he changed a single number in the URL it happily displayed another patient’s records.

The records did not appear to include Social Security numbers, but they do include patient names, addresses and dates of birth, as well as potentially sensitive information that may point to specific diseases, such as medical procedure codes and any prescribed medications.

I contacted Molina about the issue, and the company released a brief statement saying it had fixed the problem. Molina also said it was trying to figure out how such a mistake was made, and if there was any evidence to suggest the Web site bug had been widely abused.

“The previously identified security issue has been remediated,” the company said. “Because protecting our members’ information is of utmost importance to Molina and out of an abundance of caution, we are taking our ePortal temporarily offline to perform additional testing of our system security. Molina has also engaged Mandiant to assist the company in continuing to strengthen our system security.”

The company declined to say how many records may have been exposed, but it looks like potentially all of them.

Headquartered in Long Beach, Calif., Molina Healthcare was ranked 201 in 2016 in the Fortune 500. It’s unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today. However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.

Since that True Health Group story was published, I’ve heard about and confirmed two very similar flaws at healthcare/insurance companies. Please keep the tips coming, Dear Readers, and I will do my best to encourage these companies to do more than just pay lip service to security.