Krebs on Security

Original site: Krebs on Security


Credit Card Breach at a Zoo Near You

Thursday, July 9, 2015 at 18:51

Service Systems Associates, a company that serves gift shops and eateries at zoos and cultural centers across the United States, has acknowledged a breach of its credit and debit card processing systems.

Several banking industry sources told KrebsOnSecurity they have detected a pattern of fraud on cards that were all used at zoo gift shops operated by Denver-based SSA. On Wednesday morning, CBS Detroit moved a story citing zoo officials there saying the SSA was investigating a breach involving point-of-sale malware.

Contacted about the findings, SSA confirmed that it was the victim of a data security breach.

“The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a written statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.”

SSA said it has been working with law enforcement officials and a third-party forensic investigator, Sikich, to investigate the breach.

“Though the investigation into this attack continues, the malware that caused the breach was identified and removed,” the statement continued. “All visitors should feel confident using credit or debit cards anywhere in these facilities.”

The company declined to name the individual locations that were impacted by the breach, but financial industry sources say the breach likely involves SSA concession and gift shops at zoo locations in at least two dozen cities, including:

Birmingham, Ala.
Tucson, Ariz.
San Francisco, Calif.
Fresno, Calif.
Sacramento, Calif.
Colorado Springs, Colo.
Palm Desert, Calif.
Miami, Fla.
Honolulu, HI
Boise, Id.
Fort Wayne, Ind.
Louisville, Ky.
Baltimore, Md.
Battle Creek, Mich.
Apple Valley, Minn.
Cincinnati, Ohio
Tulsa, Okla.
Pittsburgh, Penn.
Columbia, SC
Dallas, Texas
El Paso, Texas
Houston, Texas
Nashville, Tenn.
Salt Lake City, Utah

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers, cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.

Finnish Decision is Win for Internet Trolls

Wednesday, July 8, 2015 at 20:46

In a win for Internet trolls and teenage cybercriminals everywhere, a Finnish court has decided not to incarcerate a 17-year-old found guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, operating a huge botnet and calling in bomb threats, among other violations.

Julius “Ryan” Kivimaki.

As the Finnish daily Helsingin Sanomat reports, Julius Kivimäki — a.k.a. “Ryan” and “Zeekill” — was given a two-year suspended sentence and ordered to forfeit EUR 6,558.

Kivimaki vaulted into the media spotlight late last year when he claimed affiliation with the Lizard Squad, a group of young hooligans who knocked offline the gaming networks of Microsoft and Sony for most of Christmas Day.

According to the BBC, evidence presented at Kivimaki’s trial showed that he compromised more than 50,000 computer servers by exploiting vulnerabilities in Adobe’s Cold Fusion web application software. Prosecutors also said Kivimaki used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimaki allegedly also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location. DailyDot quotes Blair Strater, a victim of Kivimaki’s swatting and harassment, who expressed disgust at the Finnish ruling.

Speaking with KrebsOnSecurity, Strater called Kivimaki “a dangerous sociopath” who belongs behind bars.

Although it did not factor into his trial, sources close to the Lizard Squad investigation say Kivimaki also was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others say it started with a call from Kivimaki.

In a phone interview, Smedley said he was disappointed that the judicial system in Finland didn’t do more.

“I personally got to listen to a recording of him calling in to American Airlines, and I know it was him because I talked to him myself,” Smedley said. “He’s done all kinds of bad stuff to me, including putting all of my information out on the Internet. He even attempted to use my credit numerous times. The harassment literally just did not stop.”

In an online interview with KrebsOnSecurity, Kivimaki denied involvement with the American Airlines incident, and said he was not surprised by the leniency shown by the court in his trial.

“During the trial it became apparent that nobody suffered significant (if any) damages because of the alleged hacks,” he said.

The danger in a decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Case in point: Kivimaki is now crowing about the sentence; he’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimaki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

It is clear that the Finnish legal system, like that of the United States, simply does not know what to do with minors who are guilty of severe cybercrimes. The FBI has for several years now been investigating several of Kivimaki’s contemporaries, young men under the age of 18 who are responsible for a similarly long list of cybercrimes — including credit card fraud, massively compromising a long list of Web sites and organizations running Cold Fusion software, as well as swatting my home in March 2013. Sadly, to this day those individuals also remain free and relatively untouched by the federal system.

Lance James, former head of cyber intelligence for Deloitte and a security researcher who’s followed the case closely, said he was disappointed at the court’s decision given the gravity and extensiveness of the crimes.

“We’re talking about the Internet equivalent of violent crimes and assault,” James said. “This is serious stuff.”

Kivimaki said he doesn’t agree with the characterization of swatting as a violent crime.

“I don’t see how a reasonable person could possibly compare cybercrime with violent crimes,” he said. “There’s a pretty clear distinction here. As far as I’m aware nobody has ever died in such an incident. Nor have I heard of anyone suffering bodily injury.”

As serious as Kivimaki’s crimes may be, kids like him need to be monitored, mentored, and molded — not jailed, says James.

“Studying his past, he’s extremely smart, but he’s troubled, and definitely needs a better direction,” James said. “A lot of these kids have trouble in the home, such as sibling or parental abuse and abandonment. These teenagers, they aren’t evil, they are troubled. There needs to be a diversion program — the same way they treat at-risk teenagers and divert them away from gang activity — that is designed to help them get on a better path.”

But Kivimaki may not get that chance. According to Smedley, there are more than a dozen criminal cases pending against the Finnish youth.

“Now that he’s a convicted felon, he can’t claim first time status anymore,” Smedley said. “There’s no question he’s going to get his.”

Update, 3:30 p.m. ET: Added comments from Smedley.

Adobe to Patch Hacking Team’s Flash Zero-Day

Tuesday, July 7, 2015 at 22:17

Adobe Systems Inc. says it plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

A knowledge base file stolen from Hacking Team explaining how to use a Flash exploit developed by the company.

In an advisory published today, Adobe said “a critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

Update, July 8, 12:13 p.m. ET: The patch is now available in Flash Player 18.0.0.203 for Windows and Mac systems. See this advisory for more information and for links to downloads.

Original story:

Several reports on Twitter suggested the exploit could be used to bypass Google Chrome’s protective “sandbox” technology, a security feature that forces the program to run in a heightened security mode designed to block attacks that target vulnerabilities in Flash. A spokesperson for Google confirmed that attackers could evade the Chrome sandbox by using the Flash exploit in tandem with another Windows vulnerability that appears to be unpatched at the moment. Google also says it’s already in the process of pushing the Flash fix out to Chrome users.

The Flash flaw was uncovered after Hacking Team’s proprietary information was posted online by hacktivists seeking to disprove the company’s claims that it does not work with repressive regimes (the leaked data suggests that Hacking Team has contracted to develop exploits for a variety of countries, including Egypt, Lebanon, Ethiopia, Sudan and Thailand). Included in the cache are several exploits for unpatched flaws, including apparently a Windows vulnerability.

According to new research from security firm Trend Micro, there is evidence that the Flash bug is being exploited in active attacks.

“A separate attack against one of these vulnerabilities shows that not sharing the discovery of vulnerabilities with the vendor or broader security community leaves everyone at risk,” wrote Christopher Budd, global threat communications manager at Trend. “This latest attack is yet another demonstration that Adobe is a prime target for exploit across commercial and consumer IT systems.”

There is no question that Adobe Flash Player is a major target of attackers. This Wednesday will mark the seventh time in as many months that Adobe has issued an emergency update to fix a zero-day flaw in Flash Player (the last one was on June 23).

Perhaps a more sane approach to incessantly patching Flash Player is to remove it altogether. Late last month, I blogged about my experience doing just that, and found I didn’t miss the program much at all. In any case, I’ll update this post once Adobe has issued an official fix.

Don’t Be Fooled By Phony Online Reviews

Monday, July 6, 2015 at 05:29

The Internet is a fantastic resource for researching the reputation of companies with which you may wish to do business. Unfortunately, this same ease-of-use can lull the unwary into falling for marketing scams originally perfected by spammers: Namely, fake reviews and dodgy search engine manipulation techniques that seek to drown out legitimate, negative reviews in a sea of glowing but fake endorsements.

The home page of Full Service Van Lines.

Perhaps the most common example of this can be found among companies that offer moving and storage services, an industry that consistently ranks in the top 10 across the United States for consumer fraud complaints.

Trust your family heirlooms and other belongings to a moving company without scratching beneath the surface of that glowing review online and at best you could end up paying way more than the agreed-upon price once the company has all of your possessions loaded onto the truck. In most cases, the consumer horror stories about moves-gone-bad also include tales of massive damage to the customer’s stuff — if indeed the customer’s stuff ever arrives.

Even people who are steeped in the ways of the Interwebs can get bamboozled by slick search engine manipulation tricks. Last month I heard from David Matusiak, a longtime reader and information security professional who hired a Florida-based moving company that got five-star reviews from dozens of sites. Unfortunately for Matusiak, many of those “review” sites appear to have been set up and maintained by the people behind the company he hired.

Based in Morrisville, NC, Matusiak had just landed a job in California that wanted him to start right away. So after a couple of hours of reading reviews online for a reputable moving company, Matusiak settled on Full Service Van Lines based in Coconut Creek, Fla. Now, more than 30 days after his truckload of belongings left his home on the East Coast, Matusiak is still waiting for his stuff to arrive in California.

HUGE RED FLAGS

Matusiak said he read page after page of glowing reviews about Full Service Van Lines. Little did he know, the same email address used to register fullservicevanlines.com was used to register many of those “review” Web sites, which naturally list Full Service at the top of their supposed consumer rankings.

Interestingly, if you conduct a simple Google search on Full Service Van Lines, you’ll notice the top review sites — Google and Yelp — have two types of reviews for this company: Very positive and extremely negative, and not much in between.

In retrospect, Matusiak said, the stark disparity in consumer reviews about the company should have been one of many red flags. Another red flag was that the company gave him an estimate for his moving costs over the phone — and refused to send anyone to his home to more accurately and realistically price the move.

The lack of an in-home inspection by the potential moving company is one of the red flags listed at the Protect Your Move site maintained by the Federal Motor Carrier Safety Administration (FMCSA), the federal agency which oversees the moving industry in the United States.

According to Matusiak, Full Service Van Lines exhibited just about every other red flag listed by the FMCSA, including a requirement that some ($1,441.65) of the total moving estimate ($4,225.52) be paid up-front. The other red flag? When the movers arrived on Sunday, May 24, 2015 to load up his belongings, they showed up in a rented Penske truck — not a company-owned and marked fleet truck as displayed on the company’s home page.

Yet another red flag: As soon as the movers had all of his furniture and belongings loaded onto the truck, the foreman — a guy who Matusiak said had a thick Russian accent and offered his name only as “Serge” — said Matusiak’s stuff took up 375 more cubic feet than the estimate had stated, and that as a result the company would be charging him an additional $2,437!

“He said it had to be paid right now in cash or money order or they were going to start unpacking the truck,” Matusiak recalled. “Since this was on a Sunday afternoon, coming up with that kind of cash was pretty impossible, and I couldn’t risk taking all of this stuff off the truck and finding another moving company to get out to my new job in time.”

So, Matusiak said he told Serge to charge the overage to the credit card that Full Service Van Lines had used to fund his initial deposit. After a heated conversation with someone from Full Service, Serge told Matusiak he needed to take a picture of Matusiak’s credit card and driver’s license. That was the last time Matusiak saw Serge or any of his worldly possessions.

Matusiak said he arrived in southern California on May 28, thinking the moving van would be a few days behind. When the promised delivery date of June 1 came and went, Matusiak reached out to Full Service Van Lines to inquire about the status of the moving van. The manager at Full Service assured him his stuff was on its way, so Matusiak decided to stay in a hotel for a few days. On June 7, unable to get a straight answer from his contact at Full Service about the van’s location, Matusiak moved into his apartment, minus any furniture, clothes or bed.

Growing increasingly alarmed, the North Carolina native said he was able to convince a police officer in Coconut Creek, Fla. to visit the company’s offices there, but the officer ultimately came back and said it was clear that this was a contract dispute — not a criminal matter — and that Matusiak needed to take his claims to civil court.

“I didn’t get a straight answer out of them for nearly a month until I asked a Coconut Creek police officer to go visit them, and they finally told him that it had been sitting ‘in their warehouse in Virginia’ since it was taken from my home on May 24th,” he told KrebsOnSecurity. “They promised to send photos of my items to prove that they still existed and had not been destroyed, stolen or sold. So far, they have yet to send me these pictures despite several requests.”

The week after that, Matusiak said, the company told him it couldn’t get in touch with the driver, and that they didn’t quite know exactly where the truck was.

“They said they thought the truck was somewhere near Texas, but that was pretty much when they stopped talking to me,” he said. “The whole thing has been a nightmare, and I’m hoping it can come to some resolution. I doubt most of my stuff will be in good condition should it ever be returned. And it would cost me tens of thousands of dollars to replace most of it, plus there are things that can never be replaced. Most of the work I’ve produced in the past 12 years existed on those computers.”

A LONG, SPOTTY HISTORY

While the Internet can help companies hide a pattern of misdeeds or crooked practices, careful research into public documents about an organization’s corporate history and company ownership can often reveal quite a bit about this activity. And as it turns out, Full Service Van Lines is just the latest venture by a company that appears to have a history of ripping people off and disappearing with their stuff (the company has not yet responded to requests for comment).

Update, July 7, 2015, 12:29 p.m., ET: I received a response from a Jason Stokes at Full Service Van Lines, who said Matusiak was one of a handful of customers who were inconvenienced by an unpredictable and sudden increase in demand for moving services at the height of the summer moving season. Stokes said Full Service was in the process of sending a truck to pick up Matusiak’s things from its warehouse in Virginia, although he noted that the truck first would need to be loaded with other customers’ items and passed through either Florida or New York before heading to California. “This isn’t something that’s normal for us,” Stokes said of the delays. “We’re going to go above and beyond monetarily to make this right with our customers.”

Original story:

Search on “Full Service Van Lines” at the corporation search page of the Florida Department of State’s Web site turns up zero results. But a search for that company using the “fictitious names” lookup at the same site reveals that this company is registered to a firm in Pompano Beach, Fla. called Moving and Storage Accounting.

A search on Moving and Storage Accounting shows that the company is run by a Grace Metzger and a Maxx Socher. A simple Google search on this last individual leads to several interesting results, including a scathing Ripoff Report listing, as well as several blogs documenting consumer experiences very similar to the nightmare that Matusiak has endured.

Among the search results for Socher is an NBC Miami story from February 2014 that recounts the heartbreaking story of a Florida couple who trusted Ryder Moving and Storage — a moving company owned by Maxx Socher’s brother Joshua Socher and Josh’s wife Jodi under the slightly modified company name Storage & Moving Services Inc. in Pompano Beach, Fla. — and ran into the same fate as Matusiak. That story notes that the Better Business Bureau got so many complaints that it awarded Ryder an “F” rating.

In addition, the FMCSA fined the company $50,000 for false and deceptive billing, among other violations. And as noted triumphantly by Movingscambusters blog — a site set up by another victim of Ryder who sought to expose the company’s practices — the Florida Attorney General is now suing the Sochers after receiving hundreds of consumer complaints about the company.

Public records searches also can yield revealing results. For example, searching the FMCSA’s database on “Full Service Van Lines,” produces two results, both for companies in Coconut Beach, Fla. The first Department of Transportation (DOT) license number listed is no longer active, apparently because the operator of that license incurred a high number of consumer complaints and safety inspection violations.

The second DOT license listed — issued to a company by the same name at a different suite number — is active but also includes a number of consumer complaints about final charges and lost or damaged shipments. Oddly enough given this company’s history, the active license for Full Service Van Lines (which is a DBA of “Dr. Schlepper Inc.”), has yet to receive an inspection from the FMCSA.

Finally, while the Better Business Bureau is hardly the arbiter of which companies are legitimate and which are potentially crooked, the BBB’s consumer complaint listing on Full Service Van Lines fairly well tracks Matusiak’s awful experience.

Matusiak says he’s in the process of documenting his case and sending the supporting evidence to regulators and law enforcement in Florida and North Carolina.

“I’m trying to piece this all together and contact relevant authorities,” he said. “It is complicated by the nature of being in multiple states. Each office I contact merely asks me to get in touch with another state. It looks like I’m at the will of this company and can only wait. Without broader attention I doubt they will do much and they may close this company before I can take any legal action.”

Matusiak told me that in hindsight, he definitely should have spent more time investigating the history of Full Service Van Lines and its owners. But he said he doubts most consumers would do that before-the-fact.

“I certainly didn’t think that all of the review sites would be run by them,” he said. “But also, I don’t think the average consumer could or should have to do all this research on federal and state filings just to find out if a company is legitimate.”

Whether consumers should have to do this or not is debatable, but it seems fairly clear that there is simply far too much money to be made in moving scams and far too few consequences for people engaged in this type of fraud.

For example, several states have begun cracking down on “reputation management” and “search engine optimization” (SEO) companies that engage in writing or purchasing fake reviews, but the fines being enforced for violations are likely a fraction of the revenues that companies gain by engaging in this deceptive practice. It’s worth noting that Full Service Van Lines’ home page says the site was created by a company called Affordable SEO Miami, a reputation management firm that lists as its address the same location as Full Service Van Lines’ license with the Department of Transportation.

I hope it’s clear that consumers investing in high-dollar services would be wise to spend some time using the resources available to look up public records on companies before doing business with them. True, it is easy even for computer-savvy people to get snookered by fake reviews and search engine manipulation tricks, but public records can be powerful tools in the hands of the wary consumer. Caveat emptor!

Banks: Card Breach at Trump Hotel Properties

Wednesday, July 1, 2015 at 19:23

The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and now Republican presidential candidate Donald Trump, appears to be the latest victim of a credit card breach, according to data shared by several U.S.-based banks.

Trump International Hotel and Tower in Chicago.

Contacted regarding reports from sources at several banks who traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels, the company declined multiple requests for comment.

Update, 4:56 p.m. ET: The Trump Organization just acknowledged the issue with a brief statement from Eric Trump, executive vice president of development and acquisitions: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

Original story:

But sources in the financial industry say they have little doubt that Trump properties in several U.S. locations — including Chicago, Honolulu, Las Vegas, Los Angeles, Miami, and New York — are dealing with a card breach that appears to extend back to at least February 2015.

If confirmed, the incident would be the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments. In March, upscale hotel chain Mandarin Oriental disclosed a compromise. The following month, hotel franchising firm White Lodging acknowledged that, for the second time in 12 months, card processing systems at several of its locations were breached by hackers.

It is likely that the huge number of card breaches at U.S.-based organizations over the past year represents a response by fraudsters to upcoming changes in the United States designed to make credit and debit cards more difficult and expensive to counterfeit. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers) cyber thieves no doubt well understand they won’t have this enormously profitable cash cow around much longer, and they’re busy milking it for all it’s worth.

For more on chip cards and why most U.S. banks are moving to chip-and-signature over the more widely used chip-and-PIN approach, check out this story.