Enough Hilton HHonors points to cover $1200 worth of stays can be bought for $12, and the crooks who're inside your account can use your associated credit-card to buy more points and more hotel rooms for themselves.
The older machines -- about half of them running Windows XP, which no longer receives security updates -- are very vulnerable to "jackpotting" attacks where criminals trick the machines into paying out money without correctly debiting any account, to the tune of millions.
Someone sent Brian Krebs an envelope of counterfeit $100 and $50 bills, apparently manufactured by Mrmouse, the counterfeiter whom Krebs outed for selling his notes openly on Reddit.
Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.
Sergei "Fly" Vovnenko, a Russo-Ukrainian cybercrook who stalked and harassed security journalist Brian Krebs -- at one point conspiring to get him arrested by sending him heroin via the Silk Road -- has been arrested. According to Krebs, Vovnenko was a prolific credit-card crook, specializing in dumps of stolen Italian credit-card numbers, and faces charges in Italy and the USA. Krebs documents how Vovnenko's identity came to light because he installed a keylogger on his own wife's computer, which subsequently leaked her real name, which led to him.
In an echo of the massive breach of credit-card numbers from Target, credit-card numbers from thousands of PF Chang's customers who used their cards at the restaurant between March and May 2014 are being sold on the criminal underground. Rescator, the criminal selling the PF Chang's customers' card, has branded his product "Ronald Reagan", and offers cards at different prices based on whether they're regular, gold or platinum cards.
A 16-year-old Canadian male has been arrested for calling in over 30 "swattings," bomb threats and other hoax calls to emergency services in North America. The young man is alleged to be the operator of @ProbablyOnion on Twitter, which had previously advertised swattings (sending SWAT teams to your enemies' homes by reporting phony hostage-takings there, advising police that someone matching your victim's description is on the scene, armed and out of control) as a service, and had bragged of swatting computer crime journalist Brian Krebs twice. Krebs had previously caught a kid who swatted him, and outed him to his father -- this may have made him a target for other swatters.
The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.
Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.
Security researcher Brian Krebs reported yesterday that Target was investigating a data breach "potentially involving millions of customer credit and debit card records." Target confirmed this morning that 40 million such records were stolen.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Since this was apparently being leaked to security researchers before they admitted it publicly, I guess Target's idea of "moved swiftly" is a little different to that of, oh, say, a quarter of the adult population of America.
Experian, the massive data-broker with far-reaching influence over your ability to get a mortgage, credit-card, or job, sold extensive consumer records to an identity thieves' service called Superget.info. Superget specialized in supplying identity thieves with "fullz" -- full records of their victims, useful for impersonating them and for knowing where their assets are. Experian sold the data through a third party called "Court Ventures" -- which they later acquired -- and the sales continued for about a year. Experian bills itself as a service for people worried about identity theft. It's not clear whether Experian will face any penalty for the wrongdoing.
Looks like the government shutdown didn't stop federal agents from shutting down the most popular "deep web" illegal drug market. In San Francisco, federal prosecutors have indicted Ross William Ulbricht, who is said to be the founder of Silk Road. The internet marketplace allowed users around the world to buy and sell drugs like heroin, cocaine, and meth.
The government announced that it seized about 26,000 Bitcoins worth roughly USD$3.6 million, making this the largest Bitcoin bust in history. There were nearly 13,000 listings for controlled substances on the Silk Road site as of Sept. 23, 2013, according to the FBI, and the marketplace did roughly USD$1.2 billion in sales, yielding some $80 million in commissions.
According to the complaint, the service was also used to negotiate murder-for-hire: "not long ago, I had a clean hit done for $80k," the site's founder is alleged to have messaged an associate.
Ulbricht, 29, is also known as "Dread Pirate Roberts."
Security researcher Brian Krebs has had a look at the contents of "BestRecovery" (now called "PrivateRecovery") a service used by Nigerian 419 scammers to store the keystrokes of victims who have been infected with keyloggers. It appears that many of the scammers -- known locally as "Yahoo Boys" -- also plant keyloggers on each other, and Krebs has been able to get a look at the internal workings of these con artists. He's assembled a slideshow of the scammers' Facebook profiles and other information.
A pair of researchers -- one a grad student working at Twitter -- bought $5,000 worth of fake Twitter accounts (with Twitter's blessing) and developed a template for identifying spam Twitter accounts. The spammers were using cheap overseas labor to solve Twitter's CAPTCHAs, registering the new accounts with automatically created email boxes from Hotmail and Mail.ru, and spreading the registrations out across a range of IP addresses, courtesy of massive botnets of infected computers. Twitter nuked zillions of spam accounts and prevented new ones from signing up -- for a while. Quickly, the spammers adapted their tactics and went back to registering new accounts. The researchers, Kurt Thomas and Vern Paxson, presented their results today at Usenix Security DC, in a paper called Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse (PDF).
Update: Here's the full research team: "Kurt Thomas is a grad student at UC Berkeley who works at Twitter; Alek Kolz works at Twitter, Damon McCoy is a professor at GMU, Chris Grier is a researcher at ICSI and UC Berkeley and Vern Paxson is a lead researcher at ICSI and a professor at UC Berkeley."