Saks has been hacked — adding to the already formidable challenges faced by the luxury retailer.

A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month.

The Hudson’s Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.

“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America,” the company said in a statement. “We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Hudson’s Bay said that its investigation was continuing but that its e-commerce platforms appeared to have been unaffected by the breach. The company declined to identify how many customer accounts or stores were affected.

The theft is one of the largest known breaches of a retailer and shows just how difficult it is to secure credit-card transaction systems despite the lessons learned from other large data breaches, including the theft of 40 million card numbers from Target in 2013 and 56 million card numbers from Home Depot in 2014. Last year, Equifax, a credit reporting firm, disclosed that sensitive financial information on 145.5 million Americans had been exposed in a breach of the company’s systems.

The research firm that identified the Saks breach, Gemini Advisory, said on Sunday that a group of Russian-speaking hackers known as Fin7 or JokerStash posted online on Wednesday that it had obtained a cache of five million stolen card numbers, which the thieves called BIGBADABOOM-2. The hackers, who have also hit other retail chains, offered 125,000 of the records for immediate sale.

Fin7 did not disclose where the numbers had been obtained. But the researchers, working in conjunction with banks, analyzed a sample of the records and determined that the card numbers all seemed to have been used at Saks and Lord & Taylor stores, mostly in New York and New Jersey, from May 2017 to March 2018.

Source: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers – The New York Times

European organisations are taking longer to detect breaches than their counterparts in North America, according to a study by FireEye.

Organisations in EMEA are taking almost six months (175 days) to detect an intruder in their networks, which is rather more than the 102 days that the firm found when asking the same questions last year. In contrast, the median dwell time in the Americas improved to 76 days in 2017 from 99 in 2016. Globally it stands at 101 days.

The findings about European breach detection are a particular concern because of the looming GDPR deadline, which will introduce tougher breach disclosure guidelines for organisations that hold Europeans citizens’ data. GDPR can also mean fines of €20 million, or four per cent of global turnover, whichever is higher.

FireEye’s report also records a growing trend of repeat attacks by hackers looking for a second bite of the cherry. A majority (56 per cent) of global organisations that received incident response support were targeted again by the same of a similarly motivated attack group, FireEye reports.

FireEye has historically blamed China for many of the breaches its incident response teams detected. But as the geo-political landscape has changed Russia and North Korea are getting more and more “credit” for alleged cyber-nasties.

But a different country – Iran – features predominantly in attacks tracked by FireEye last year. Throughout 2017, Iran grew more capable from an offensive perspective. FireEye said that it “observed a significant increase in the number of cyber-attacks originating from Iran-sponsored threat actors”.

FireEye’s latest annual M-Trends report (pdf) is based on information gathered during investigations conducted by its security analysts in 2017 and uncovers emerging trends and tactics that threat actors used to compromise organisations.

Source: US spanks EU businesses in race to detect p0wned servers • The Register

Hundreds of thousands of online shoppers may have had their name, address, and credit information stolen by hackers thanks to a security issue with the online customer service software from [24]7.ai.

Customers that shopped online at Delta, Sears, Kmart, and Best Buy could have been affected thanks to malware that was infecting [24]7.ai’s online chat tool between September 26 and October 12, 2017.

[24]7.ai provides the live chat on those company’s websites. Your information may have potentially been compromised even if you didn’t use the chat tool but made a purchase online from one of the retailers during that time period.

Currently, none of the named companies have confirmed that information has been stolen, only that the opportunity for it to have happened was there, CNET reports. Delta has gone as far as to say that even if the breach did affect its site, that it would only impact “a small subset” of customers.

Source: Delta, Best Buy, and Sears Customers May Have Had Personal Info Stolen in Hack

Sodexo Filmology said it had informed the Information Commissioner’s Office and a specialist forensic investigation team.

“We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements,” it said.

“These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists.”

It added: “We sincerely apologise for any inconvenience this has caused you and are doing all that we can to provide access to your benefits via alternative means. We will share more information on this with you, or your provider, in the coming days.”

It seems the issue has been going on for several months, with one employee complaining on the Money Saving Expert forum in February that he had been the victim of attempted fraud.

Source: Cinema voucher-pusher tells customers: Cancel your credit cards, we’ve been ‘attacked’

Orbitz says one of its older websites may have been hacked, potentially exposing the personal information of people who made purchases online between Jan. 1, 2016 and Dec. 22, 2017.

The current Orbitz.com website was not involved in the incident. Orbitz is now owned by Expedia Inc. of Belleview, Washington.

Orbitz said Tuesday about 880,000 payment cards were impacted.

Data that was likely exposed includes name, address, payment card information, date of birth, phone number, email address and gender. Social Security information was not hacked, however. The company said evidence suggests that an attacker may have accessed information stored on the platform — which was for both consumers and business partners — between Oct. 1, 2017 and Dec. 22, 2017.

It said it discovered the data breach March 1.

Orbitz is offering those impacted a year of free credit monitoring and identity protection service in countries where available.

Source: Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880K | Business News | US News

Oddly enough, it doesn’t say which site…

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it’s clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.

The attacks use shoddily secured memcached database servers to amplify attacks against a target. The assailant spoofs the UDP address of its victim and pings a small data packet at a memcached server that doesn’t have an authenticated traffic requirement in place. The server responds by firing back as much as 50,000 times the data it received.

With multiple data packets sent out a second, the memcached server unwittingly amplifies the deluge of data that can be sent against the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.

There are some simple mitigation techniques, notably blocking off UDP traffic from Port 11211, which is the default avenue for traffic from memcached servers. In addition, the operators of memcached servers need to lock down their systems to avoid taking part in such denial of service attacks.

Source: World’s biggest DDoS attack record broken after just five days • The Register

Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.

In an academic paper published on Friday through preprint service ArXiv, researchers from Israel’s Ben-Gurion University of the Negev describe a novel data exfiltration technique that allows the transmission and reception of data – in the form of inaudible ultrasonic sound waves – between two computers in the same room without microphones.

The paper, titled, “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication,” was written by Mordechai Guri, Yosef Solwicz, Andrey Daidakulov and Yuval Elovici, who have developed a number other notable side-channel attack techniques.

These include: ODINI, a way to pass data between Faraday-caged computers using electrical fields; MAGNETO, a technique for passing data between air-gapped computers and smartphones via electrical fields; and FANSMITTER, a way to send acoustic data between air-gapped computers using fans.

Source: Air gapping PCs won’t stop data sharing thanks to sneaky speakers • The Register

Two Russian criminals have been sent down in America after pleading guilty to helping run the largest credit-card hacking scam in US history.Muscovites Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, ran a massive criminal ring that spent months hacking companies to get hold of credit and debit card information. They then sold it online to the highest bidders, who then recouped their investment by ripping off companies and citizens around the world.”Drinkman and Smilianets not only stole over 160 million credit card numbers from credit card processors, banks, retailers, and other corporate victims, they also used their bounty to fuel a robust underground market for hacked information,” said acting assistant attorney general John Cronan on Thursday.
[…]
Rytikov, prosecutors allege, acted as the group’s ISP, supplying internet access that the gang knew would be unlogged and unrecorded. Smilianets handled the sales side, working dark web forums to find buyers for the cards at a cost of $50 per EU card, $10 for American accounts, and $15 for Canadian credit cards.

NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard were among the victims of the gang, the Feds claim. The final cost is difficult to estimate but just three of the companies targeted reported losses of over $300m thanks to the gang.

Source: Russians behind bars in US after nicking $300m+ in credit-card hacks • The Register

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again.

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. This spyware allows people to have practically full access to the smartphone or computer of their targets. Whoever controls the software can see the photos the target snaps with their phone, read their text messages, or see what websites they go to, and track their location.

Source: A Hacker Has Wiped a Spyware Company’s Servers—Againp – Motherboard

Yay to the hackers!

Telegram has fixed a security flaw in its desktop app that hackers spent several months exploiting to install remote-control malware and cryptocurrency miners on vulnerable Windows PCs.The programming cockup was spotted by researchers at Kaspersky in October. It is believed miscreants have been leveraging the bug since at least March. The vulnerability stems from how its online chat app handles Unicode characters for languages that are read right-to-left, such as Hebrew and Arabic.

Source: Shock horror! Telegram messaging app proves insecure yet again! • The Register

In its original announcement of the hack, the company had revealed that some driver’s license numbers were exposed. The new documents show that the license state and issue date might have also been compromised.

Equifax spokesperson Meredith Griffanti told CNNMoney Friday that the original list of vulnerable personal information was never intended to represent the full list of potentiality exposed information.

The new documents now raise questions of how much information hackers may have accessed in Equifax’s cyberattack.

Source: The Equifax hack could be worse than we thought – Feb. 9, 2018

The Grammarly browser extension, which has about 22 million users, exposes its authentication tokens to all websites, allowing any to access all the user’s data without permission, according to a bug report from Google Project Zero’s Tavis Ormandy.

The high-severity bug was discovered on Friday and fixed early Monday morning, “a really impressive response time,” Ormandy wrote.

Grammarly, launched in 2009 by Ukrainian developers, looks at all messages, documents and social media posts and attempts to clean up errors so the user is left with the clearest English possible. The browser extension has access to virtually everything a user types, and therefore an attacker could access a huge trove of private data.

Exploitation is as simple as a couple of console commands granting full access to everything, as Ormandy explained. The company has no evidence that the vulnerability was exploited.

The vulnerability affected Chrome and Firefox. Updates are now available for both browsers.

Source: Bug in Grammarly browser extension exposes virtually everything a user ever writes

ash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed “jackpotting” because the ATMs look like slot machines paying out winnings.A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to Reuters on Monday.Typically, crooks inject malware into an ATM to make it rapidly dole out large sums of money that doesn’t belong to the thieves. Anyone aware of the work by security researcher Barnaby Jack – who almost 10 years ago revealed various ways to force cash machines to cough up cash on demand – will know of jackpotting.

[…]

Since 2013, if not earlier, Ploutus has been a favorite of Mexican banditos raiding cash machines, as previous Reg stories document. Viewed from this perspective, the main surprise today is that it’s taken so long for the scam to surface north of the border, moving from Mexico to the United States.

To get Ploutus into an ATM, the crooks have to gain physical access to the box’s internals to swap its computer hard drive for an infected one. Once the disk is in place and the ATM rebooted, the villains have full control over the device, allowing them to order it to dispense the contents of its cartridges of dollar bills.

Source: Crooks make US ATMs spew million-plus bucks in ‘jackpotting’ hacks • The Register

https://github.com/NullArray/AutoSploitAs the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the Shodan.io API. The program allows the user to enter their platform specific search query such as; Apache, IIS, etc, upon which a list of candidates will be retrieved.

After this operation has been completed the ‘Exploit’ component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programatically comparing the name of the module to the initial search query. However, I have added functionality to run all available modules against the targets in a ‘Hail Mary’ type of attack as well.

The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the ‘Exploit’ component is started.

https://github.com/NullArray/AutoSploit

The crooks had infected the network of Hancock Health, in Indiana, with the Samsam software nasty, which scrambled files and demanded payment to recover the documents. The criminals broke in around 9.30pm on January 11 after finding a box with an exploitable Remote Desktop Protocol (RDP) server, and inject their ransomware into connected computers.

Medical IT teams were alerted in early 2016 that hospitals were being targeted by Samsam, although it appears the warnings weren’t heeded in this case.

According to the hospital, the malware spread over the network and was able to encrypt “a number of the hospital’s information systems,” reducing staff to scratching out patient notes on pieces of dead tree.
[…]
The ransomware’s masters accepted the payment, and sent over the decryption keys to unlock the data. As of Monday this week, the hospital said critical systems were up and running and normal services have been resumed.

This doesn’t appear to be a data heist. The hospital claimed no digital patient records were taken from its computers, just made inaccessible. “The life-sustaining and support systems of the hospital remained unaffected during the ordeal, and patient safety was never at risk,” the healthcare provider argued.
[…]
It’s one thing to keep an offline store of sensitive data to prevent ransomware on the network from attacking it. It’s another to keep those backups somewhere so out of reach, they can’t be recovered during a crisis, effectively rendering them useless.

It just proves that when planning disaster recovery, you must consider time-to-restoration as well as the provisioning of backup hardware.

Source: Hospital injects $60,000 into crims’ coffers to cure malware infection • The Register

BCC and MediaMarkt are large electronics stores in NL. Ziggo is a large internet ISP. By linking to fake pages through marktplaats.nl (the Dutch ebay / Craigslist equivalent) people were able to shop for products on the fake sites, which were never delivered. Using a chat interface, the crims tried to gain access to the bank accounts of the marks. It very much surprises me that this kind of fraud only results in a few months in jail.

Een aantal mannen heeft voor grootschalige internetoplichting elk diverse maanden gevangenisstraf gekregen. Zij verdienden vooral aan namaakwebshops van onder meer BCC, MediaMarkt en Ziggo.

Source: Gevangenisstraf voor internetoplichting – Emerce

The exploit allowed hackers to request a password reset for a target account and then click the generated link without opening the email it had been sent in. How was this possible? Theories circulated, buoyed by posts on Hacker Noon and The Next Web. It was the r/bitcoin users out to cause trouble; Or was it a Reddit admin gone rogue?But this attack had incentive beyond ideology. What made the users of r/btc such a rich target was the deployment of a bot account called Tippr, which was used, among other things, to reward a particularly funny or insightful comment. By tagging someone and designating an amount, Tippr withdrew some BCH from your hotwallet and allocated it to the recipient. Given that Tippr is active on both Reddit and Twitter (where it provides its donation service for such heavyweights as the Tor Project), there was easy money to be had.

Source: How a Reddit Email Vulnerability Led to Thousands in Stolen Bitcoin Cash

Malware discovered by Symantec researchers sneakily spoofs Uber’s Android app and harvests users’ passwords, allowing attackers to take over the effected users’ accounts. The malware isn’t widespread, though, and most Uber users are not effected.
[…]
In order to steal a user’s login information, the malware pops up on-screen regularly and prompts the user to enter their Uber username and password. Once a user falls for the attack and enters their information, it gets swept up by the attacker.

To cover up the credential theft, this malware uses deep links to Uber’s legitimate app to display the user’s current location—making it appear as though the user is accessing the Uber app instead of a malicious fake.

Source: Rare Malware Targeting Uber’s Android App Uncovered

The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD’s data-storage platters. If the sound is played at a specific frequency, it creates a resonance effect that amplifies the vibration effect.Because hard drives store vasts amounts of information inside small areas of each platter, they are programmed to stop all read/write operations during the time a platter vibrates so to avoid scratching storage disks and permanently damaging an HDD.

Source: Acoustic Attacks on HDDs Can Sabotage PCs, CCTV Systems, ATMs, More