Hackers Back to Their Old Tricks

Old tricks that have helped hackers penetrate computers for months or longer worked again last week at Goodwill and Stubhub.

Taking a page from the gang that pillaged payment card and personal information from Target last year, hackers clipped payment card information from an undisclosed number of Goodwill Industries International customers.

As they were in the Target attack, it’s believed point-of-sale systems were compromised at Goodwill, which has 2,900 U.S. retail locations that collect and sell donated clothing and other goods, with the proceeds earmarked for community programs.

Meanwhile, Stubhub revealed that hackers using purloined information from other sources compromised some 1,600 user accounts and ran up a tab amounting to US$1.35 million.

Reuse of credentials by the users enabled the hackers to break into the accounts, buy tickets to premium events, and then scalp the tickets for cash.

On the bright side, some of the alleged hackers were locked up by law enforcement authorities within hours of Stubhub’s announcement of the breach.

Pillaging Villages

Not-for-profit companies like Goodwill are a tempting target for hackers.

“Like most nonprofits, they have a core mission, and spending significant dollars on high-end security for point-of-sale systems are dollars not going toward fulfilling that mission,” said Philip Casesa, director of IT/service operations for the International Information Systems Security Certification Consortium.

“This seems to be the new fad — hackers picking on companies with high-volume transactions where security is an afterthought,” he told TechNewsWorld. “To hackers, these organizations are villages waiting to be pillaged.”

However, organizations don’t see themselves that way, and that can make them even more vulnerable to an attack like the one on Goodwill.

“Many organizations have been in denial for too long,” Mike Lloyd, CTO of RedSeal Networks, told TechNewsWorld.

“Executives are tempted to think, ‘why would anyone come after us?’ when we’re a charity, or a medical institution, or a sports team,” he continued. “Many industries are loved by the public and can lapse into thinking they don’t have enemies, and so don’t really need to worry about security.”

What the Goodwill breach illustrates — and why old hacker tricks continue to work on these systems — is the inadequacy of the Payment Card Industry Data Security Standard for payment systems.

“Almost all major retail and credit card breaches occurred where a vendor or merchant was actually in PCI-DSS compliance,” Vijay Basani, president and CEO of EiQ Networks, told TechNewsWorld.

“This goes to show regulations in general incentivize merchants to do just enough to pass a security audit,” he said.

Classic Case of Reuse

The Stubhub case was a classic one of credentials stolen from one account used to crack another, although Stubhub said some keylogging malware also may have been involved in the caper.

Stubhub had been working with law enforcement authorities for months to nail the gang ringing up fraudulent charges to the compromised accounts. While the operation was in motion, though, the account owners didn’t have to suffer, because Stubhub was reimbursing them for the bogus buys by the cybercriminals.

“Password reuse is the end-user’s responsibility,” Core Security Chief Architect Andy Rappaport told TechNewsWorld. “These customers are fortunate Stubhub reimbursed them.”

Reusing passwords is a security taboo. Belief that passwords never should be reused is so strong that when some Microsoft researchers recently presented a contrarian view, they were roundly chastised for their opinions.

“The Stubhub attack highlights that the weakest point in security is not through servers but rather through consumers,” said Richard Westmoreland, lead security analyst with SilverSky.

“People often reuse the same credentials on different sites, and once these are harvested, they can be used to perform attacks elsewhere the person also has an account,” he told TechNewsWorld.

Nevertheless, people continue to reuse passwords. Hackers know that, so they continue to reach into in their old bag of tricks.

Breach Diary

• July 21. Goodwill Industries International reveals federal authorities are investigating possible payment card breach at the organization.
• July 21. Forensic scientist Jonathan Zdziarski claims all iOS devices are riddled with backdoors that can be exploited by attackers. Apple responds that alleged backdoors are services used for diagnostic purposes.
• July 21. U.S. District Judge Paul Grewal rejects motion by Google to dimiss class action lawsuit that claims the company misled consumers by spreading user data across several products and giving it to advertisers without user consent.
• July 21. Websense Security Labs reports MSNBC news site compromised by URL shortener used to redirect visitors to false news sites.
• July 21. Zscaler reports CNN app for iPhone contains vulnerability that allows transmission of passwords in unencrypted form, allowing them to be snatched by network sniffers.
• July 21. California Appeals Court dismisses lawsuit resulting from data breach at Sutter Health in Sacramento because compromised information wasn’t used to harm the members of the class action against the provider.
• July 22. Websense Security Labs reports U.S. website of Metro International is compromised and serving malicioius code to visitors.
• July 22. Trend Micro reports it has discovered hacking scheme to break two-factor authentication protection at banks in Austria, Japan, Sweden and Switzerland.
• July 22. Black Hat Conference talk on breaking anonymity on the Tor network by Alexander Volynkin and Michael McCord, of Carnegie Mellon University, scrapped due to legal issues.
• July 22. ACI Worldwide releases worldwide fraud study that finds 29 percent of consumers don’t trust retailers to protect data and just 55 percent think stores use security systems that adequately protect financial data.
• July 22. Eset reports English-language version of Android ransomware Simplocker has started appearing in underground markets. After encrypting files on a phone’s SD card, the malware displays a bogus notice from the FBI demanding US$300.
• July 23. Stubhub, an online seller of tickets to events, reports more than 1,000 customer accounts were hacked and information stolen from them used to make unauthorized purchases.
• July 23. Six people indicted by New York state authorities for their roles in an international crime ring that defrauded Stubhub of $1.6 million.
• July 23. Bromium releases 2014 first half Endpoint Exploitation Trends report. Among its findings: Microsoft Internet Explorer vulnerabilities increased 100 percent year-over-year; no Java vulnerabilities were discovered during the reporting period.
• July 23. Women & Infants Hospital of Rhode Island agrees to pay $150,000 to resolve allegations it failed to protect personal information and protected health information of more than 12,000 patients in Massachusetts.
• July 23. Collin Green of Louisiana files class action lawsuit against eBay for data breach that occurred earlier this year. Green claims eBay’s security was inadequate to protect its customers’ accounts.
• July 23. Miguel Corzo, director of the information technology department and employee with the Maricopa county Community College District for 30 years, is dimissed by the district’s governing board for negligence over a data breach that compromised personal information, including Social Security numbers and banking information, of 2.4 million current and former students, staff and vendors going back more than 30 years.
• July 24. Sucuri estimates some 50,000 websites have been compromised by exploiting an old version of a popular WordPress plug-in called “MailPoet Newsletters.”
• July 24. Federal judge in Minnesota rejects motion by Target to postpone discovery in lawsuits resulting from data breach in which personal and payment card information of 110 million customers was compromised.
• July 24. Sony agrees to preliminary settlement of $15 million for 2011 PSN data breach that compromised some 77 million customer accounts.
• July 24. European Central Bank reports data breach that compromised a database servicing its public website. Email and contact information of an undisclosed number of people who registered for ECB events was compromised, but no internal systems or market-sensitive data were violated, the bank said.

Upcoming Security Events

• July 31. How to Tackle Vendor Risk Hazards: Operationalizing Third-Party Risk Management in Today’s Regulated Environment. 11:30 a.m. ET. Webinar sponsored by Agiliance . Free with registration.
• Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
• Aug. 5-6. Fourth Annual Cyber Security Training Forum. Double Tree Hilton Hotel, Colorado Springs, Colo.
• Aug.5-6. B-Sides Las Vegas. Tuscany Suites and Casino, Las Vegas. Free.
• Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
• Aug. 16-17. B-Sides Dubai. Dubai World Trade Center. Free.
• Aug. 23. B-Sides Minneapolis-St. Paul. Nerdery! Free with registration.
• Sept. 6-7. B-Sides Dubai. Move n Pick Jumeirah Hotel, Dubai. Free.
• Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tenn. Free.
• Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Ga.
• Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
• Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
• Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
• Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
• Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
• Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, The Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
• Oct. 19-27. SANS Network Security 2014. Caesar’s Palace, Las Vegas, Nev. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.