Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards.

I had no idea this was a new thing at Landover, Md.-based Giant, which operates 169 supermarkets in the Washington, D.C. metro area.  That is, until I encountered a couple of large new “attention” stickers in the checkout line at a local Giant in Virginia recently. Next to the credit card terminal were big decals with the warning:

“Attention Gift Card Customers: Effective immediately, all purchases of Visa, MasterCard, American Express Gift Cards and all General Purpose Reloadable or Prepaid Cards may only be made with Cash or Bank Pin-based Debit.”

Asked for comment about the change, Giant Food released a brief statement about the policy change that went into effect in March 2016, but otherwise didn’t respond to requests for more details.

“Giant has recently made a change in procedures for purchasing gift cards because of a large increase of fraudulent gift card purchasing,” the company said. “Giant will now accept only a Bank PIN-based debit card or cash for all VISA, MasterCard, and American Express gift cards, as well as re-loadable and prepaid gift cards. This change has been made in order to mitigate potential fraud risk.”

It’s not clear why Giant is only just now taking this basic anti-fraud step. Card thieves love to pick on grocery and convenience stores. Street gangs involved in card fraud (and they’re all involved in card fraud now) often extract money from grocery, dollar and convenience stores using “runners” — low-level members who are assigned the occasionally risky business of physically “cashing out” counterfeit credit and debit cards.

One of the easiest ways thieves can cash out? Walk into a grocery or retail store and buy prepaid gift cards using stolen credit cards. Such transactions — if successful — effectively launder money by converting the stolen item (counterfeit/stolen card) into a good that is equivalent to cash or can be easily resold for cash (gift cards).

I witnessed this exact crime firsthand at a Giant in Maryland last year. As I noted in a Dec. 2015 post about gift card fraud, the crooks caught in the process of these cashout schemes usually are found with dozens of counterfeit credit cards on their person or in their vehicle. From that post:

“The man in front of me in line looked and smelled homeless. The only items he was trying to buy were several $200 gift cards that Giant had on sale for various retailers. When the first card he swiped was declined, the man fished two more cards out of his wallet. Each was similarly declined, but the man just shrugged and walked out of the store. I asked the cashier if this sort of thing happened often, and he just shook his head and said, ‘Man, you have no idea.'”

Meanwhile, every Giant I visit still asks me to swipe my chip-based card, effectively negating any added security the chip provides. Chip-based cards are far more expensive and difficult for thieves to counterfeit, and they can help mitigate the threat from most modern card-skimming methods that read the cardholder data in plain text from the card’s magnetic stripe. Those include malicious software at the point-of-sale terminal, as well as physical skimmers placed over card readers at self-checkout lanes — like this one found at a Maryland Safeway earlier this year.

In a recent column – The Great EMV Fake-Out: No Chip for You! – I explored why so few retailers currently allow or require chip transactions, even though many of them already have all the hardware in place to accept chip transactions. I suspect also that grocers are reluctant to introduce chip readers at self-checkout lanes, as more supermarket chains seem to be pushing customers in the self-checkout direction.

Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security‘s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched.

US-CERT cited an April 14 blog post by Christopher Budd at Trend Micro, which runs a program called Zero Day Initiative (ZDI) that buys security vulnerabilities and helps researchers coordinate fixing the bugs with software vendors. Budd urged Windows users to junk Quicktime, citing two new, unpatched vulnerabilities that ZDI detailed which could be used to remotely compromise Windows computers.

“According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation,” US-CERT wrote. The advisory continued:

“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page.”

While the recommendations from US-CERT and others apparently came as a surprise to many, Apple has been distancing itself from QuickTime on Windows for some time now. In 2013, the Cupertino, Calif. tech giant deprecated all developer APIs for Quicktime on Windows.

Apple shipped an update to Quicktime in January 2016 that removed the Quicktime browser plugin on Windows systems, meaning the threat from browser-based attacks on Quicktime flaws was largely mitigated over the past few months for Windows users who have been keeping up to date with the latest version. Nevertheless, if you have Quicktime on a Windows box — do yourself a favor and get rid of it.

A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts — including “Paunch,” the nickname used by the author of the infamous “Blackhole” exploit kit.  Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for a large percentage of malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years.

According to Russia’s ITAR-TASS news network, Dmitry “Paunch” Fedotov was sentenced on April 12 to seven years in a Russian penal colony. In October 2013, the then 27-year-old Fedotov was arrested along with an entire team of other cybercriminals who worked to sell, develop and profit from Blackhole.

According to Russian security firm Group-IB, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity. The image at right shows Paunch standing in front of his personal car, a Porsche Cayenne.

First spotted in 2010, BlackHole is commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities for the purposes of installing malware of the customer’s choosing.

The price of renting the kit ran from $500 to $700 each month. For an extra $50 a month, Paunch also rented customers “crypting” services; cryptors are designed to obfuscate malicious software so that it remains undetectable by antivirus software.

Paunch worked with several other cybercriminals to purchase new exploits and security vulnerabilities that could be rolled into Blackhole and help increase the success of the software. He eventually sought to buy the exploits from other cybercrooks directly to fund a pricier ($10,000/month) and more exclusive exploit pack called “Cool Exploit Kit.”

As documented on this blog in January 2013 (see Crimeware Author Funds Exploit Buying Spree), Paunch contracted with a third-party exploit broker who announced that he had a $100,000 budget for buying new, previously undocumented “zero-day” vulnerabilities.

Not long after that story, the individual with whom Paunch worked to purchase those exclusive exploits — a miscreant who uses the nickname “J.P. Morgan” — posted a message to the Darkode[dot]com crime forum, stating that he was doubling his exploit-buying budget to $200,000.

In October 2013, shortly after news of Paunch’s arrest leaked to the media, J.P. Morgan posted to Darkode again, this time more than doubling his previous budget — to $450,000.

“Dear ladies and gentlemen! In light of recent events, we look to build a new exploit kit framework. We have budgeted $450,000 to buy vulnerabilities of a browser and its plugins, which will be used only by us afterwards! ”

The Russian Interior Ministry (MVD) estimates that Paunch and his gang earned more than 70 million rubles, or roughly USD $2.3 million. But this estimate is misleading because Blackhole was used as a means to perpetrate a vast array of cybercrimes. I would argue that Blackhole was perhaps the most important driving force behind an explosion of cyber fraud over the past three years. A majority of Paunch’s customers were using the kit to grow botnets powered by Zeus and Citadel, banking Trojans that are typically used in cyberheists targeting consumers and small businesses.

For more about Paunch, check out Who is Paunch?, a profile I ran in 2013 shortly after Fedotov’s arrest that examines some of the clues that connected his online criminal persona with his personal social networking profiles.

Update, 1:42: Corrected headline.

Microsoft released fixes on Tuesday to plug critical security holes in Windows and other software. The company issued 13 patches to tackle dozens of vulnerabilities, including a much-hyped “Badlock” file-sharing bug that appears ripe for exploitation. Also, Adobe updated its Flash Player release to address at least two-dozen flaws — in addition to the zero-day vulnerability Adobe patched last week.

The Windows patch that seems to be getting the most attention this month remedies seven vulnerabilities in Samba, a service used to manage file and print services across networks and multiple operating systems. This may sound innocuous enough, but attackers who gain access to private or corporate network could use these flaws to intercept traffic, view or modify user passwords, or shut down critical services.

According to badlock.org, a Web site set up to disseminate information about the widespread nature of the threat that this vulnerability poses, we are likely to see active exploitation of the Samba vulnerabilities soon.

Two of the Microsoft patches address flaws that were disclosed prior to Patch Tuesday. One of them is included in a bundle of fixes for Internet Explorer. A critical update for the Microsoft Graphics Component targets four vulnerabilities, two of which have been detected already in exploits in the wild, according to Chris Goettl at security vendor Shavlik.

Just a reminder: If you use Windows and haven’t yet taken advantage of the Enhanced Mitigation Experience Toolkit, a.k.a. “EMET,” you should definitely consider it. I describe the basic features and benefits of running EMET in this blog post from 2014 (yes, it’s time to revisit EMET in a future post), but the gist of it is that EMET helps block or blunt exploits against known and unknown Windows vulnerabilities and flaws in third-party applications that run on top of Windows. The latest version, v. 5.5, is available here. 

On Friday, Adobe released an emergency update for Flash Player to fix a vulnerability that is being actively exploited in the wild and used to foist malware (such as ransomware). Adobe updated its advisory for that release to include fixes for 23 additional flaws.

As I noted in last week’s piece on the emergency Flash Patch, most users are better off hobbling or removing Flash altogether. I’ve got more on that approach (as well as slightly less radical solutions ) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent version for Mac and Windows users is 21.0.0.213, and should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you use an Apple iPhone, iPad or other iDevice, now would be an excellent time to ensure that the machine is running the latest version of Apple’s mobile operating system — version 9.3.1. Failing to do so could expose your devices to automated threats capable of rendering them unresponsive and perhaps forever useless.

On Feb. 11, 2016, researcher Zach Straley posted a Youtube video exposing his startling and bizarrely simple discovery: Manually setting the date of your iPhone or iPad all the back to January. 1, 1970 will permanently brick the device (don’t try this at home, or against frenemies!).

Now that Apple has patched the flaw that Straley exploited with his fingers, researchers say they’ve proven how easy it would be to automate the attack over a network, so that potential victims would need only to wander within range of a hostile wireless network to have their pricey Apple devices turned into useless bricks.

Not long after Straley’s video began pulling in millions of views, security researchers Patrick Kelley and Matt Harrigan wondered: Could they automate the exploitation of this oddly severe and destructive date bug? The researchers discovered that indeed they could, armed with only $120 of electronics (not counting the cost of the bricked iDevices), a basic understanding of networking, and a familiarity with the way Apple devices connect to wireless networks.

Apple products like the iPad (and virtually all mass-market wireless devices) are designed to automatically connect to wireless networks they have seen before. They do this with a relatively weak level of authentication: If you connect to a network named “Hotspot” once, going forward your device may automatically connect to any open network that also happens to be called “Hotspot.”

For example, to use Starbuck’s free Wi-Fi service, you’ll have to connect to a network called “attwifi”. But once you’ve done that, you won’t ever have to manually connect to a network called “attwifi” ever again. The next time you visit a Starbucks, just pull out your iPad and the device automagically connects.

From an attacker’s perspective, this is a golden opportunity. Why? He only needs to advertise a fake open network called “attwifi” at a spot where large numbers of computer users are known to congregate. Using specialized hardware to amplify his Wi-Fi signal, he can force many users to connect to his (evil) “attwifi” hotspot. From there, he can attempt to inspect, modify or redirect any network traffic for any iPads or other devices that unwittingly connect to his evil network.

TIME TO DIE

And this is exactly what Kelley and Harrigan say they have done in real-life tests. They realized that iPads and other iDevices constantly check various “network time protocol” (NTP) servers around the globe to sync their internal date and time clocks.

The researchers said they discovered they could build a hostile Wi-Fi network that would force Apple devices to download time and date updates from their own (evil) NTP time server: And to set their internal clocks to one infernal date and time in particular: January 1, 1970.

The result? The iPads that were brought within range of the test (evil) network rebooted, and began to slowly self-destruct. It’s not clear why they do this, but here’s one possible explanation: Most applications on an iPad are configured to use security certificates that encrypt data transmitted to and from the user’s device. Those encryption certificates stop working correctly if the system time and date on the user’s mobile is set to a year that predates the certificate’s issuance.

Harrigan and Kelley said this apparently creates havoc with most of the applications built into the iPad and iPhone, and that the ensuing bedlam as applications on the device compete for resources quickly overwhelms the iPad’s computer processing power. So much so that within minutes, they found their test iPad had reached 130 degrees Fahrenheit (54 Celsius), as the date and clock settings on the affected devices inexplicably and eerily began counting backwards.

 

Harrigan, president and CEO of San Diego-based security firm PacketSled, described the meltdown thusly:

“One thing we noticed was when we set the date on the iPad to 1970, the iPad display clock started counting backwards. While we were plugging in the second test iPad 15 minutes later, the first iPad said it was Dec. 15, 1968. I looked at Patrick and was like, ‘Did you mess with that thing?’ He hadn’t. It finally stopped at 1965, and by that time [the iPad] was about the temperature I like my steak served at.”

Kelley, a senior penetration tester with CriticalAssets.com, said he and Harrigan worked with Apple to coordinate the release of their findings to ensure doing so didn’t predate Apple’s issuance of a fix for this vulnerability. The flaw is present in all Apple devices running anything lower than iOS 9.3.1.

Apple did not respond to requests for comment. But an email shared by the researchers apparently sent by Apple’s product security team suggests the company’s researchers were unable to force an affected device to heat to more than 45.8 degrees Celcisus (~114 degrees Fahrenheit). The note read:

“1) We confirmed that iOS 9.3 addresses the issue that left a device unresponsive when the date is set to 1/1/1970.

2) A device affected by this issue can be restored to iOS 9.3 or later.  iTunes restored the iPad Air you provided to us for inspection.’

3) By examining the device, we determined that the battery temperature did not exceed 45.8 degrees centigrade.”

EVIL HARDWARE

According to Harrigan and Kelley, the hardware needed to execute this attack is little more than a common Raspberry Pi device with some custom software.

“By spoofing time.apple.com, we were able to roll back the time and have it hand out to all Apple clients on the network,” the researchers wrote in a paper shared with KrebsOnSecurity. “All test devices took the update without question and rolled back to 1970.”

The researchers continued: “An interesting side effect was that this caused almost all web browsing traffic to cease working due to time mismatch. Typically, this would prompt a typical user to reboot their device. So, we did that. At this point, we could confirm that the reboot caused all iPads in test to degrade gradually, beginning with the inability to unlock, and ultimately ending with the device overheating and not booting at all. Apple has confirmed this vulnerability to be present in 64 bit devices that are running any version less than 9.3.1.”

Harrigan and Kelley say exploiting this bug on an Apple iPhone device is slightly trickier because iPhones get their network time updates via GSM, the communications standard the devices use to receive and transmit cell phone signals. But they said it may be possible to poison the date and time on iPhones using updates fed to the devices via GSM.

They pointed to research by Brandon Creighton, a research architect at software testing firm Veracode who is perhaps best known for setting up the NinjaTel GSM mobile network at the massive DefCon security conference in 2012. Creighton’s network relied on a technology called OpenBTS — a software based GSM access point. Harrigan and Kelley say an attacker could set up his own mobile (evil) network and push date and time updates to any phones that ping the evil tower.

“It is completely plausible that this vulnerability is exploitable over GSM using OpenBTS or OpenBSC to set the time,” Kelley said.

Creighton agreed, saying that his own experience testing and running the NinjaTel network shows that it’s theoretically possible, although he allows that he’s never tried it.

“Just from my experimentation, theoretically from a protocol level you can do it,” Creighton wrote in a note to KrebsOnSecurity. “But there are lots of factors (the carrier; the parameters on the SIM card; the phone’s locked status; the kind of phone; the baseband version; previously joined networks; neighboring towers; RF signal strength; and more).  If you’re just trying to cause general chaos, you don’t need to work very hard. But if, say, you were trying to target an individual device, it would require an additional amount of prep time/recon.”

Whether or not this attack could be used to remotely ruin iPhones or turn iPads into expensive skillets, it seems clear that failing to update to the latest version of Apple iOS is a less-than-stellar idea. iPad users who have not updated their OS need to be extremely cautious with respect to joining networks that they don’t know or trust.

iOS and Mac OS X have a feature that allows users to prevent the devices from automatically joining wireless networks. Enabling this “ask to join networks” feature blocks Apple devices from automatically joining networks they have never seen before — but the side effect is that the device may frequently toss up prompts asking if you wish to join any one of several available wireless networks (this can be disabled by unselecting “Ask to Join Networks”). But enabling it doesn’t prevent the device from connecting to, say, “attwifi” if it has previously connected to a network of that name.

The researchers have posted a video on Youtube that explains their work in greater detail.

Update, 1:08 p.m. ET: Added link to video and clarified how Apple’s “ask to join networks” feature works.