Krebs on Security

Original site: Krebs on Security

POS Providers Feel Brunt of PoSeidon Malware

Wednesday, April 15, 2015 at 16:35

“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.

Image: Cisco.

One basic tool that banks use to learn the source of card data theft involves determining a “common point-of-purchase” (CPP) among a given set of customer cards that experience fraud. When a new batch of cards goes on sale at an online crime shop, banks will often purchase a very small number of their stolen cards to determine if the victim customers all shopped at the same merchant across a specific time period.

This same CPP analysis was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years, and it is a method heavily relied upon by law enforcement agencies to identify breach victims.

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale.

Increasingly, however, fraudsters selling stolen cards don’t need to make sausage: The victims that are leaking card data are already subsets of restaurant franchises or retail establishments whose only commonality is the branded point-of-sale device which they rely upon to process customer card transactions.
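The CPP analysis described above, as an added Python example that is not part of the original post: given each sampled card's authorization history (constructed data, not real bank records), it intersects the merchants seen inside the fraud window, reports the exposure window at a common merchant, and, for a "sausage" batch with no single CPP, shows the per-merchant coverage a bank would use to spot the preponderance of a few establishments.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: authorizations for nine cards a bank bought back from a
# fraud shop, as (card_id, merchant, purchase_date). Cards 1-3 come from one
# "clean" batch; cards 4-9 simulate a mixed batch drawn from two victims.
SAMPLE_TRANSACTIONS = [
    ("card1", "Zoup Denver", date(2015, 2, 3)),
    ("card1", "Big Box Retailer", date(2015, 2, 5)),
    ("card2", "Zoup Denver", date(2015, 2, 10)),
    ("card2", "Big Box Retailer", date(2015, 2, 11)),
    ("card3", "Zoup Denver", date(2015, 2, 20)),
    ("card3", "Big Box Retailer", date(2014, 12, 20)),  # outside the fraud window
    ("card3", "Coffee C", date(2015, 1, 2)),
    ("card4", "Bar X", date(2015, 3, 1)),
    ("card4", "Pharmacy D", date(2015, 3, 2)),
    ("card5", "Bar X", date(2015, 3, 4)),
    ("card6", "Bar X", date(2015, 3, 6)),
    ("card6", "Coffee C", date(2015, 3, 7)),
    ("card7", "Bistro Y", date(2015, 2, 25)),
    ("card8", "Bistro Y", date(2015, 3, 3)),
    ("card8", "Pharmacy D", date(2015, 3, 9)),
    ("card9", "Bistro Y", date(2015, 3, 12)),
]
CLEAN_BATCH = {"card1", "card2", "card3"}
MIXED_BATCH = {"card4", "card5", "card6", "card7", "card8", "card9"}
WINDOW_START, WINDOW_END = date(2015, 1, 1), date(2015, 3, 31)


def _merchants_per_card(transactions, cards, start, end):
    """Map each sampled card to the set of merchants it used inside [start, end]."""
    per_card = defaultdict(set)
    for card, merchant, when in transactions:
        if card in cards and start <= when <= end:
            per_card[card].add(merchant)
    return per_card


def common_points_of_purchase(transactions, cards, start, end):
    """Merchants at which every sampled card transacted inside the window.

    An empty result means the batch has no single CPP: either the window is
    wrong or the shop mixed cards from several victims ("making sausage")."""
    per_card = _merchants_per_card(transactions, cards, start, end)
    if not cards or any(card not in per_card for card in cards):
        return set()  # a card with no purchases in the window shares nothing
    return set.intersection(*(per_card[card] for card in cards))


def merchant_coverage(transactions, cards, start, end):
    """(merchant, number_of_sampled_cards) pairs, most widely shared first.

    This is the fallback view when no single CPP exists: a few merchants
    covering a large share of the cards point at the likely victims."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        if card in cards and start <= when <= end:
            seen[merchant].add(card)
    return sorted(((m, len(c)) for m, c in seen.items()), key=lambda mc: (-mc[1], mc[0]))


def exposure_window(transactions, cards, merchant):
    """Earliest and latest purchase by the sampled cards at `merchant`, i.e. the
    minimum span during which that merchant must have been leaking data."""
    dates = [when for card, m, when in transactions if card in cards and m == merchant]
    return (min(dates), max(dates)) if dates else None


if __name__ == "__main__":
    cpp = common_points_of_purchase(SAMPLE_TRANSACTIONS, CLEAN_BATCH, WINDOW_START, WINDOW_END)
    print("clean batch CPP:", cpp)
    for merchant in cpp:
        print("  exposure window at", merchant, exposure_window(SAMPLE_TRANSACTIONS, CLEAN_BATCH, merchant))
    print("mixed batch CPP:", common_points_of_purchase(SAMPLE_TRANSACTIONS, MIXED_BATCH, WINDOW_START, WINDOW_END))
    print("mixed batch coverage:", merchant_coverage(SAMPLE_TRANSACTIONS, MIXED_BATCH, WINDOW_START, WINDOW_END))
```

Widening the window to December 2014 makes "Big Box Retailer" a second candidate, which is why investigators pin the fraud period down before running the intersection.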

NEXTEP

Card breaches involving POS devices sold by the same vendor are notoriously hard for financial institutions to diagnose because the banks very often have a direct relationship with neither the POS vendor nor the breached restaurant or bar whose customers’ cards were stolen.

What’s more, POS-specific breaches frequently tie back to a subset of customers of a POS vendor who in turn rely on a local IT company to install and support the POS systems. The commonality among breached restaurants and bars tends to be those who have relied on a support firm that invariably enables remote access to the POS systems via tools like pcAnywhere or LogMeIn using the same or easily-guessed username and password across many customer systems. Once remotely authenticated to the targeted systems, thieves can upload malware like PoSeidon, which is capable of capturing all card data processed by the victim POS.

A few weeks ago, this reporter broke the news that multiple systems run by POS vendor NEXTEP had experienced a breach. The banks were only able to pinpoint NEXTEP systems as the source because the overwhelming number of merchants impacted in that breach happened to be NEXTEP customers who also were part of the Zoup chain of soup restaurants.

“You may have seen the discussions of the ‘PoSeidon’ malware that specifically targeted point of sale systems,” NEXTEP CEO Tommy Woycik said in a follow-up email. “Within thirty-six hours of the point that we learned of the problem we were able to internally use our resources to block further data compromise with most of our customers.  We retained and worked with two different sets of consultants to fix all remaining problems and to evaluate, on an ongoing basis, the effectiveness of the fixes.”

Woycik said the company also is investigating why the vast majority of its customers had no compromise of information, but that the hack was limited to a few identified locations. Part of the problem was that some of the breached locations relied on point-of-sale management firms that refused to cooperate in the investigation.

“We have been somewhat hampered in our investigation because some parties involved in the locations that we believe may have been affected have been unwilling to provide us with critical data,” he said.

Bevo POS

More recently, KrebsOnSecurity has heard from multiple banks about suspicions that systems sold and maintained by another POS vendor — Naples, Fla.-based Bevo POS — were likely the source of fraud for more than a dozen restaurants and bars in and around Florida.

Reached for comment about these allegations, Bevo POS CEO Onur Haytac responded by acknowledging that a very small subset of its customers were indeed the victim of PoSeidon.

“Was Bevo POS ever breached? No, however, Windows was. Bevo POS is a Point of Sale application (not cloud based) that is both PCI compliant and encrypts all credit card data,” he explained. “The malware identified, PoSeidon, which pushes itself with DLL injection and backdoor Trojans, is a keylogger with memory scraping that breached Windows, and as I’m sure you are aware, Microsoft’s security essentials anti-virus and windows updates do not recognize or stop many of the newer more unique threats. The same day we were alerted to a possible compromise, our engineers found an executable that had been recently installed in Windows at that location, called ‘Winhost.exe.’”

According to Haytac, the company learned of the incidents on March 15. He said the breach occurred with memory scraping as the data passed through while Windows was sending the data to the Bevo application, basically capitalizing on a ‘millisecond gap’ between the systems.

“A mere 0.26% of customers (13 out of 6,500) were affected and we not only identified the malware within 24 hours (5 days before it was publicly reported by the security experts), we had created a PoSeidon killer tool, and swept every customer’s machine within a week. Actual Windows breaches of our customers only occurred over a two day period.”

Haytac said the most frustrating aspect of the ordeal so far is that all of its customers have some form of Windows anti-virus software and that none of these applications were able to recognize the malware. 

“So to prevent future possibilities of this ‘gap’ in the system being tapped again by relentless hackers, we have made an agreement with Comodo to create a new-age containment software that includes anti-virus,” he said. “We are pushing this to all our customers, closing the gap between these breach techniques and Windows OS. We are due to ship this weekend as we are in final stages of testing. Windows is obviously not our product to protect, however our customers are, so we are doing it regardless and without cost to them.”

RESCATOR REVISITED

For several months following revelations that fraudsters had stolen 56 million cards from customers of Home Depot, the card shop principally responsible for selling those cards — Rescator[dot]cm (the same hackers thought to be responsible for the Target intrusion) — inexplicably stopped selling new cards stolen from main-street merchants and retailers.

This hiatus continued for an unprecedented six months until March 10, 2015, when Rescator and his merry band of thieves advertised the “American Dream” batch of credit cards. Days later, the Rescator shop pushed out millions of cards in rapid-fire batches variously named “Breakthrough,” “American Dream,” “Imperium Romanum” and “Spring Awakening.”

One of the many newer "dumps" batches added to the Rescator fraud shop in recent weeks.

Multiple financial institutions contacted by this author purchased handfuls of their cards from these batches, but were unable to find a single common point-of-purchase among any of them. However, each bank said they saw within each batch a strong preponderance of small restaurants and bars that they’d been watching for months as a suspected source of stolen cards. The banks reported to KrebsOnSecurity that the bulk of these establishments are centered around cities in Colorado, Texas, Florida and the Washington, D.C. metropolitan area — including Virginia and Maryland.

BRIAN’S DUMP

The above-mentioned trend away from selling cards stolen from major retail chains toward attacking smaller bars and restaurants is hardly unique to the Rescator shop. Earlier this year, several security experts pointed out that a relative newcomer to the fraud scene — a card shop that markets its wares by capitalizing on the name and likeness of this author (briansdump[dot]ru) — also was pushing fairly large batches of stolen cards onto its shelves.

An advertisement for the carding shop “briansdump[dot]ru” promotes “dumps from the legendary Brian Krebs.” Needless to say, this is not an endorsed site.

KrebsOnSecurity worked with three different banks who each acquired multiple customer cards from all of the batches of cards that showed up for sale on Briansdump. Eerily enough, all of the merchants identified were from small restaurants and bars in and around the Washington, D.C. area, the hometown of Yours Truly.

OTHER SOLUTIONS

Security vendors have long recommended “end-to-end” or “point-to-point” encryption products and services to sidestep threats like PoSeidon. The idea being that if the card data never traverses the local network or point-of-sale device in an unencrypted format, any card-stealing malware that makes its way to the point-of-sale systems will have nothing to steal but worthless gibberish.

The problem is that many merchants — particularly smaller ones — don’t seem particularly interested in or incentivized to invest in these technologies, which tend to require more up-front costs and on-going maintenance fees to security vendors, said Rich Stuppy, chief operating officer at Kount, a payments security firm based in Boise, Idaho.

“It’s a fundamental redrawing of how the bits are transmitted, and that also tends to redraw a lot of power into another end of the network, either to a card brand or to a point of sale company, and it dramatically changes who’s got the power in this situation,” Stuppy said.

As for why more smaller merchants don’t turn to solutions like point-to-point and end-to-end encryption, Stuppy said it’s a numbers game that favors the attackers.

“I think the bigger [merchants] could maybe put up the fence around this such that it gets harder and harder, but the little guys aren’t going to do that. With these widely distributed point-of-sale systems, the bad guys are looking to just plug in the malware once, and it doesn’t matter if you have to get the big guys once to get 50 million cards, or you have to get 1,000 cards from 50,000 compromised merchants.”

For a deep dive into PoSeidon malware, check out this Mar. 25, 2015 blog post from researchers at Cisco.

Critical Updates for Windows, Flash, Java

Tuesday, April 14, 2015 at 20:34

Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.

Adobe’s patch includes a fix for a zero-day bug (CVE-2015-3043) that the company warns is already being exploited. Users of the Adobe Flash Player for Windows and Macintosh should update to Adobe Flash Player 17.0.0.169 (the current versions for other OSes are listed in the chart below).

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.169.

Google has an update available for Chrome that fixes a slew of flaws, and I assume it includes this Flash update, although the Flash checker pages only report that I now have version 17.0.0 installed after applying the Chrome update and restarting (the Flash update released last month put that version at 17.0.0.134, so this is not particularly helpful). To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google Chrome,” click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Microsoft has released 11 security bulletins this month, four of which are marked “critical,” meaning attackers or malware can exploit them to break into vulnerable systems with no help from users, save for perhaps visiting a booby-trapped or malicious Web site. The Microsoft patches fix flaws in Windows, Internet Explorer (IE), Office, and .NET.

The critical updates apply to two Windows bugs, IE, and Office. .NET updates have a history of taking forever to apply and introducing issues when applied with other patches, so I’d suggest Windows users apply all other updates, restart and then install the .NET update (if available for your system).

Oracle’s quarterly “critical patch update” plugs 15 security holes. If you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel. Also, Java 7 users should note that Oracle has ended support for Java 7 after this update. The company has been quietly migrating Java 7 users to Java 8, but if this hasn’t happened for you yet and you really need Java installed in the browser, grab a copy of Java 8. The recommended version is Java 8 Update 45.

Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

White Lodging Confirms Second Breach

Monday, April 13, 2015 at 14:30

In February 2015, KrebsOnSecurity reported that for the second time in a year, multiple financial institutions were complaining of fraud on customer credit and debit cards that were all recently used at a string of hotel properties run by hotel franchise firm White Lodging Services Corporation. The company said at the time that it had no evidence of a new breach, but last week White Lodging finally acknowledged a “suspected” breach of point-of-sale systems at 10 locations.

Banking sources back in February 2015 told this author that the cards compromised in this most recent incident looked like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky. Those sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging-run hotels. The sources said the fraudulent card charges that stemmed from the breach ranged from mid-September 2014 to January 2015.

In a press release issued April 8, 2015, White Lodging announced the “suspected breach of point of sales systems at food and beverage outlets, such as restaurants and lounges, from the period July 3, 2014 through February 6, 2015 at 10 properties.”

While it acknowledged some of the locations breached this time around were the same as last year’s victim locations, the company emphasized that this was a separate breach.

“After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services,” wrote Dave Sibley, White Lodging president and CEO, Hospitality Management. “These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage.  We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests.  We deeply regret and apologize for this situation.”

White Lodging said the stolen data includes names printed on customers’ credit or debit cards, credit or debit card numbers, and the security code and card expiration dates. Naturally, White Lodging is offering a year’s worth of credit protection services for customers impacted by the breach, from Experian.

Don’t Be Fodder for China’s ‘Great Cannon’

Friday, April 10, 2015 at 12:12

China has been actively diverting unencrypted Web traffic destined for its top online search service — Baidu.com — so that some visitors from outside of the country were unwittingly enlisted in a novel and unsettling series of denial-of-service attacks aimed at sidelining sites that distribute anti-censorship tools, according to research released this week.

The findings, published in a joint paper today by researchers with University of Toronto’s Citizen Lab, the International Computer Science Institute (ICSI) and the University of California, Berkeley, track a remarkable development in China’s increasingly public display of its evolving cyber warfare prowess.

“Their willingness to be so public mystifies me,” said Nicholas Weaver, a researcher at the ICSI who helped dig through the clues about the mysterious attack. “But it does appear to be a very public statement about their capabilities.”

Earlier this month, Github — an open-source code repository — and greatfire.org, which distributes software to help Chinese citizens evade censorship restrictions enacted by the so-called “Great Firewall of China,” found themselves on the receiving end of a massive and constantly-changing attack apparently designed to prevent people from being able to access the sites.

Experts have long known that China’s Great Firewall is capable of blocking Web surfers from within the country from accessing online sites that host content which is deemed prohibited by the Chinese government. But according to researchers, this latest censorship innovation targeted Web surfers from outside the country who were requesting various pages associated with Baidu, such that Internet traffic from a small percentage of surfers outside the country was quietly redirected toward Github and greatfire.org.

This attack method, which the researchers have dubbed the “Great Cannon,” works by intercepting non-Chinese traffic to Baidu Web properties, Weaver explained.

“It only intercepts traffic to a certain set of Internet addresses, and then only looks for specific script requests. About 98 percent of the time it sends the Web request straight on to Baidu, but about two percent of the time it says, ‘Okay, I’m going to drop the request going to Baidu,’ and instead it directly provides the malicious reply, replying with a bit of JavaScript which causes the user’s browser to participate in a DOS attack,” Weaver said.

The researchers said they tracked the attack for several days after Github apparently figured out how to filter the malicious traffic, which relied on malicious JavaScript files that were served to visitors outside of China who were browsing various Baidu properties.

Chillingly, the report concludes that Chinese censors could just have easily served malicious code to exploit known Web browser vulnerabilities.

“With a minor tweak in the code, they could have provided exploits to targeted [Internet addresses], so that instead of intercepting all traffic to Baidu, they would serve malware attacks to those visitors,” Weaver said.

Interestingly, this type of attack is not unprecedented. According to documents leaked by National Security Agency whistleblower Edward Snowden, the NSA and British intelligence services used a system dubbed “QUANTUM” to inject content and modify Web results for individual targets that appeared to be coming from a pre-selected range of Internet addresses.

“The Chinese government can credibly say the United States has done similar things in the past,” Weaver said. “They can’t say we’ve done large scale DDoS attacks, but the Chinese government can honestly state that the U.S. has modified traffic in-flight to attack and exploit systems.”

Weaver said the attacks from the Great Cannon don’t succeed when people are browsing Chinese sites with a Web address that begins with “https://”, meaning that regular Internet users can limit their exposure to these attacks by insisting that all Internet communications are routed over “https” versus unencrypted “http://” connections in their browsers. A number of third-party browser plug-ins — such as https-everywhere — can help people accomplish this goal.

“The lesson here is encrypt all the things all the time always,” Weaver said. “If you have to worry about a nation state adversary and if they can see an unencrypted web request that they can tie to your identity, they can use that as a vehicle for attack. This has always been the case, but it’s now practice.”

But Bill Marczak, a research fellow with Citizen Lab, said relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don’t offer the same content over an encrypted connection. What’s more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.

“Some of the scripts being injected in this attack are from online ad networks,” Marczak said. “But certainly this kind of attack suggests a far more aggressive use of https where available.”
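Marczak’s caveat above, as an added Python example that is not from the original post or the researchers’ paper: it parses a page (constructed HTML, with hostnames under the reserved .test domain) and lists every subresource a browser would fetch over plain http, which is the traffic an on-path injector can replace even when the page itself is served over https; protocol-relative “//” URLs are resolved against the page’s own scheme, so the same markup audits differently on an http and an https page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that name a subresource the browser fetches automatically.
# script, iframe, object and embed can run code; img and link are passive but
# still reveal the visitor to whoever answers the plain-http request.
_SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
    "img": ("src",),
}

# Constructed page: first-party https assets, a protocol-relative CDN library,
# an ad-network tag hard-coded to http, a relative image and an http widget frame.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example-site.test/site.css">
<script src="https://example-site.test/app.js"></script>
<script src="//static.example-cdn.test/lib.js"></script>
<script src="http://ads.example-adnetwork.test/tag.js"></script>
</head><body>
<img src="/logo.png">
<iframe src="http://widgets.example-widget.test/embed"></iframe>
</body></html>"""


class _ResourceCollector(HTMLParser):
    """Collects (tag, raw_url) for every subresource reference in document order."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = _SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)
        for name in wanted:
            value = attr_map.get(name)
            if value:
                self.found.append((tag, value.strip()))


def find_injectable_resources(html, page_url):
    """Return [(tag, absolute_url)] for each subresource fetched over plain http.

    urljoin resolves relative paths and scheme-relative "//host/..." references
    against page_url, so an https page keeps its CDN library on https while an
    http copy of the same page exposes it (and every relative asset) to injection.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    risky = []
    for tag, raw in collector.found:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme.lower() == "http":
            risky.append((tag, absolute))
    return risky


if __name__ == "__main__":
    for page in ("https://example-site.test/", "http://example-site.test/"):
        print(page)
        for tag, url in find_injectable_resources(SAMPLE_HTML, page):
            print(f"  <{tag}> {url}")
```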

For a deep dive into the research referenced in this story, check out this link.

FBI Warns of Fake Govt Sites, ISIS Defacements

Tuesday, April 7, 2015 at 19:52

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.

The public service announcement (PSA) coincides with a less public alert that the FBI released to its InfraGard members (InfraGard is a partnership between the FBI and private industry). That alert noted that several extremist hacking groups indicated they would participate in an operation dubbed #OpIsrael, which will target Israeli and Jewish Web sites to coincide with Holocaust Remembrance Day (Apr. 15-16).

“The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day,” the InfraGard alert notes. “These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.”

Experts say there may be no actual relationship between these defacements and Islamist militants. In any case, if you run a Web site powered by WordPress — or any other content management system (CMS) — please take a few moments today to ensure that the CMS itself is up-to-date with the latest patches, and apply all available fixes for any installed plug-ins.

The FBI also issued an unrelated PSA advising people to be wary of fake government Web sites set up to take advantage of search engine optimization techniques that try to get the sites listed prominently in search results when searching for government services online. The FBI explains the scam thusly:

“Victims use a search engine to search for government services such as obtaining an Employer Identification Number (EIN) or replacement social security card. The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website. The victim completes the required fraudulently posted forms for the government service they need. The victim submits the form online, believing they are providing their PII to government agencies such as the Internal Revenue Service, Social Security Administration, or similar agency based on the service they need.”

“Once the forms are completed and submitted, the fraudulent website usually requires a fee to complete the service requested. The fees typically range from $29 to $199 based on the government service requested. Once the fees are paid the victim is notified they need to send their birth certificate, driver’s license, employee badge, or other personal items to a specified address. The victim is then told to wait a few days to several weeks for processing.”

“By the time the victim realizes it is a scam, they may have had extra charges billed to their credit/debit card, had a third-party designee added to their EIN card, and never received the service(s) or documents requested. Additionally, all of their PII data has been compromised by the criminals running the websites and can be used for any number of illicit purposes. The potential harm gets worse for those who send their birth certificate or other government-issued identification to the perpetrator.”

The FBI advises consumers to use search engines or other websites to research the advertised services or person/company you plan to deal with. Search the Internet for any negative feedback or reviews on the government services company, their Web site, their e-mail addresses, telephone numbers, or other searchable identifiers. Fly-by-night scam Web sites often have little or no reputation — i.e., they haven’t been online that long. A simple WHOIS Web site registration record search will often reveal scam domains as just recently having been put online.