Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — onestopparking.com — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot.

Late last week, the cybercrime shop best known for being the first to sell cards stolen in the Target and Home Depot breach moved a new batch of cards taken from an unknown online merchant. Several banks contacted by KrebsOnSecurity acquired cards from this batch, and determined that all had one thing in common: They’d all been used at onestopparking.com, a Florence, Ky. based company that provides low-cost parking services at airport hotels and seaports throughout the United States.

Contacted about the suspicious activity that banks have traced back to onestopparking.com, Amer Ghanem, the site’s manager, said the company began receiving complaints from customers about a week before Christmas.

“It’s been something we have been dealing with for the past week, where some of our customers have called in and complained about fraudulent charges,” Ghanem said. He noted that the complaints stopped after the company performed several security scans and upgraded software for the Web site, but the investigation continues.

“We have been unable to identify any specific issues that has caused any credit card breach on our website,” Ghanem said in a written statement. “However, being a part of the e-commerce industry and staying up to date with the security news, we are aware of security threats that are always around, especially during the holiday season, when people tend to shop and travel more.  We currently have 2 different services that are always monitoring traffic on our website, 24/7 to ensure the safety of our customers.”

This was the second time in as many weeks that this cybercrime shop –Rescator[dot]cm — has put up for sale a batch of credit cards stolen from an online parking service: On Dec. 16, KrebsOnSecurity reported that the same shop was selling cards stolen from Park-n-Fly, a competing airport parking reservation service.  Sometime over the past few days, Park-n-Fly announced it was suspending its online service.

“In the wake of suspicious activity relating to certain Park ‘N Fly’s system containing credit card data, Park ‘N Fly has suspended our online reservations system, pending remediation,” reads a security update posted on the company’s site. Park ‘N Fly noted that it is still taking reservations over the phone.

The stolen card data that bank sources traced back to Onestopparking.com are among hundreds or thousands that went on sale Dec. 21 at Rescator, in a batch dubbed “Solidus.” The card data ranges in price from $6 to $12 per card, and include the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.

Last month, SP Plus — a Chicago-based parking facility provider — said payment systems at 17 parking garages in Chicago, Philadelphia and Seattle that were hacked to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime store called Goodshop.

In Missouri, the St. Louis Parking Company recently disclosed that it learned of breach involving card data stolen from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014.

It’s hard to believe, but KrebsOnSecurity turns five years old today! How time flies!

Probably the most rewarding part about being an independent reporter (for my part, anyway) is watching your readership grow and mature into a community that not only adds perspective and balance but also helps educate other readers.

I’m very proud of the community that’s sprung up around this site, and I’m extremely grateful for all of the support and encouragement from you, Dear Reader. A few dozen readers have sent PayPal or Bitcoin donations, but most have supported this site with their time, expertise and tips (keep those coming, please).

So, from the bottom of my heart, a big THANK YOU and high five to all of you! I wish you all a very happy, healthy and prosperous 2015. Here’s to another five great years!

Leaving aside the pieces in my All About Skimmers series, here are some of the most-read, exclusive posts from the past 365 days:

Lorem Ipsum: Of Good and Evil, Google and China

A Peek Inside a Professional Carding Shop

Who’s Selling Credit Cards from Target?

Are Credit Monitoring Services Worth it?

Antivirus is Dead: Long Live Antivirus

Target Hackers Broke in Via HVAC Company

A First Look at the Target Intrusion, Malware

Banks: Credit Card Breach at Home Depot

The Scrap Value of a Hacked PC, Revisited (oldie but a goodie)

The core members of a group calling itself “Lizard Squad” — which took responsibility for attacking Sony’s Playstation and Microsoft‘s Xbox networks and knocking them offline for Christmas Day — want very much to be recognized for their actions. So, here’s a closer look at two young men who appear to be anxious to let the world know they are closely connected to the attacks.

The LizardSquad reportedly only called off their attacks after MegaUpload founder Kim Dotcom offered the group some 3,000 vouchers for his content hosting service. The vouchers sell for $99 apiece, meaning that Dotcom effectively offered the group the equivalent of $300,000 to stop their seige.

On Dec. 26, BBC Radio aired an interview with two young men who claimed to have been involved in the attacks. The two were referred to in the interview only as “Member 1″ and “Member 2,” but both have each given on-camera interviews previously (more on that in a bit).

The BBC’s Stephen Nolan asks Member 2, “It was nothing really to do with exposing a company for the greater good? You took the money and you ran, didn’t you, like a petty criminal?”

M2: “Well, we didn’t really expect money from it in the first place. If we really cared about money we could have used the twitter accounts that we generated over 50,000 followers within 24-48 hours we could have used that for monetization, you know? We could have easily sent out a couple of linked….profiles or whatever where each click could gain us three to six cents.”

Nolan: “So why did you take the vouchers, then?

M2: “It was just an offer. It’s hard to say. It was just a one-time thing. It’s $300,000 worth of vouchers.”

Nolan: “Dirty, grubby, greed?”

M2: “Well, that’s what happens, I’m afraid. That’s what it is like in the security business.”

Member2, the guy that does most of the talking in the BBC interview, appears to be a 22-year-old from the United Kingdom named Vinnie Omari. Sky News ran an on-camera interview with Omari on Dec. 27, quoting him as a “computer security analyst” as he talks about the attacks by LizardSquad and their supposed feud with a rival hacker gang.

The same voice can be heard on this video from Vinnie’s Youtube channel, in which he enthuses about hackforums[dot]net, a forum that is overrun with teenage wannabe hackers who spend most of their time trying to impress, attack or steal from one another.

In a thread on Hackforums that Omari began on Dec. 26 using the Hackforums username “Vinnie” Omari says he’s been given vouchers from Kim Dotcom’s Mega, and wonders if the Hackforums rules allow him to sell the vouchers on the forum.

Member 1 from the BBC interview also gave an on-camera interview to Sky News, although he does not give his real name; he offers a pseudonym — “Ryan.” According to multiple sources, this individual is a Finnish teenager named Julius Kivimäki who has used a variety of online monikers, including “Zee,” “Zeekill” and “Ry|an.” 

Sources say Kivimäki was arrested by Helsinki police in October 2013 on suspicion of running a huge botnet consisting of more than 60,000 hacked Web servers around the world. Local Finnish media reported on the youth’s arrest, although they didn’t name him. Kivimäki, 16, also was reportedly found in possession of more than 3,000 stolen credit cards.

Both of these individuals may in fact be guilty of nothing more than taking credit for other peoples’ crimes. But I hope it’s clear to the media that the Lizard Squad is not some sophisticated hacker group.

The Lizard Squad’s monocle-wearing mascot shows them to be little more than a group of fame-seeking kids who desperately aspire to be like LulzSec, a similarly minded gang whose core members were busted and went to jail. With any luck, these kids will get their wish soon enough.

A gaggle of young misfits that has long tried to silence this Web site now is taking credit for preventing millions of users from playing Sony Playstation and Microsoft Xbox Live games this holiday season.

The group, which calls itself LizardSquad, started attacking the gaming networks on or around Christmas Day. Various statements posted by self-described LizardSquad members on their open online chat forum — chat.lizardpatrol.com — suggest that these misguided individuals launched the attack for no other reason than because they thought it would be amusing to annoy and disappoint people who received new Xbox and Playstation consoles as holiday gifts.

Such assaults, known as distributed denial-of-service (DDoS) attacks — harness the Internet connectivity of many hacked or misconfigured systems so that those systems are forced to simultaneously flood a target network with junk internet traffic. The goal, of course, is to prevent legitimate visitors from being able to load the site or or use the service under attack.

It’s unfortunate that some companies which specialize in DDoS protection services have chosen to promote their products by categorizing these latest attacks as “herculean” and “sophisticated;” these adjectives describe neither the attackers nor their attacks. The sad truth is that these attacks take advantage of compromised and misconfigured systems online, and there are tens of millions of these systems that can be freely leveraged to launch such attacks. What’s more, the tools and instructions for launching such assaults are widely available.

The LizardSquad leadership is closely tied to a cybercrime forum called Darkode[dot]com, a network of ne’er-do-wells that I have written about extensively. So much so, in fact, that the LizardSquad has made attacking KrebsOnSecurity.com and keeping it offline for at least 30 minutes a prerequisite “proof of skills” for any new members who wish to join their ranks (see the screen shot below).

Over the past month, KrebsOnSecurity.com has been the target of multiple such attacks each day. Prolexic — a DDoS protection firm now owned by Akamai — has been extremely helpful in poring over huge troves of data about systems seen attacking this site.

The majority of compromised systems being used to attack my site this month are located within three countries — Taiwan, India, and Vietnam. The bulk of attacks have been so-called “Layer 7” assaults — in that they try to mimic legitimate Web browsing activity in a bid to avoid detection.

But what’s most interesting about these compromised and/or misconfigured systems is how many of them are located at legitimate companies that have been compromised by miscreants. According to Akamai, most of the malicious sources were Windows-based servers powered by Microsoft’s IIS Web server technology.  The top five industries where those compromised systems reside are in entertainment, banking, hosting providers, software-as-a-service providers, and consulting services.

Many of those associated with LizardSquad are wannabe hackers with zero skill and a desire to be connected to something interesting and fun. Unfortunately, many of the LizardSquad individuals involved in these attacks also are embroiled in far more serious online crimes — including identity theft, malware distribution, spam and credit card fraud. While most of the group’s acolytes are known to U.S. enforcement investigators, many are minors, and the sad truth is that federal prosecutors don’t really know what to do with underage felons except to turn them into informants. Meanwhile, the cycle of abuse continues.

Update, Dec. 30, 7:05 p.m. ET: A previous version of this story named multiple companies suspected of hosting compromised systems that may have been abused by LizardSquad members in attacks on this blog. Several of those organizations have reported being unable to find any evidence that their systems were used in an attack, and took strong exception to be included in this story. Since it is entirely possible that the traffic from these systems recorded in this site’s logs could have been mistaken for attack traffic during an active (and still ongoing) attack, I have omitted the names of those companies from this post. I would like to apologize for any confusion or misunderstanding this post may have caused.

The Federal Trade Commission announced this week it is suing a consumer data broker that sold payday loan application data to scammers who used the information to pull money out of consumer bank accounts. The scam brings to mind an underground identity theft service I wrote about in 2012 that was gathering its data from a network of payday loan sites.

According to the FTC’s complaint, data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. “At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization,” the FTC said.

The FTC charges that the defendants sold approximately five percent of these loan applications to online lenders, who paid them between $10 and $150 per lead. But the defendants also allegedly sold the remaining 95 percent for approximately $0.50 each to third parties who were not online lenders and had no legitimate need for this financial information.

In Sept. 2012, I published a blog post about “Usearching[dot]info,” a now-defunct ID theft service that offered the ability to purchase personal information on countless Americans, including SSN, mother’s maiden name, date of birth, email address, and physical address, as well as and driver license data for approximately 75 million citizens in Florida, Idaho, Iowa, Minnesota, Mississippi, Ohio, Texas and Wisconsin.

That story noted that Usearching[dot]info also included data that appeared to come from another source — more than 330,000 consumer bank account records pulled from an archipelago of satellite Web sites that negotiate with a variety of lenders to offer payday loans. From that piece:

“I first began to suspect the information was coming from loan sites when I had a look at the data fields available in each record. A trusted source opened and funded an account at Usearching.info, and purchased 80 of these records, at a total cost of about $20. Each includes the following data: A record number, date of record acquisition, status of application (rejected/appproved/pending), applicant’s name, email address, physical address, phone number, Social Security number, date of birth, bank name, account and routing number, employer name, and the length of time at the current job. These records are sold in bulk, with per-record prices ranging from 16 to 25 cents depending on volume.”

“But it wasn’t until I started calling the people listed in the records that a clearer picture began to emerge. I spoke with more than a dozen individuals whose data was being sold, and found that all had applied for payday loans on or around the date in their respective records. The trouble was, the records my source obtained were all dated October 2011, and almost nobody I spoke with could recall the name of the site they’d used to apply for the loan. All said, however, that they’d initially provided their information to one site, and then were redirected to a number of different payday loan options.”

I have no idea whether LeapLab sold information to this identity theft service, or whether Ideal Financial was a customer of Usearching[dot]info. LeapLab is no longer in business, and Ideal’s assets are frozen and in receivership. But it’s clear Ideal obtained consumer data from multiple sources: The FTC says LeapLab provided Ideal Financial with financial account information for only about 16 percent of Ideal Financial’s victims.

In this, as with so many financial scams, the people least able to afford it get scammed and fleeced. The FTC charges that Ideal Financial purchased information on at least 2.2 million consumers from data brokers and used it to make more than $43 million in unauthorized debits and charges for purported financial products that the consumers never purchased. Sadly, these “financial products” were mostly about how consumers could manage their money better or get themselves out of debt.

This scam is also a reminder of how crooks steal millions with small charges, all made through a vast network of phony company Web sites made to look like established companies with legitimate products. Also, these types of micropayment schemes are more common around the holidays, so now is good time for readers to keep an extra close eye on their bank and credit card statements for any unauthorized charges.

A copy of the FTC civil complaint against LeapLab is here (PDF). Also interesting to read are these exhibits in the case (both PDF).