Spam kingpin chatter

Security researcher Brian Krebs picks some choice exchanges out of a dump from an elite Russian spammer message board, and suggests that the dump contains clues to the identities of the world's most prolific spammers.

"Everything is all right with John. We drank with him recently in Europe.


Ad for freelance Russian bank-robbers



Brian Krebs has published an ad from "Foreign Agents," a notorious Russian crime service. They're advertising the availability of foot soldiers in the USA who can help cash out hacked bank accounts and credit cards. Unlike traditional bank-fraud mules, who don't know that they're part of a scam, these "associates" are "неразводные" ("nerazvodni" or "not deceived").

HOWTO protect yourself from ATM skimmers

Brian Krebs, who has written many excellent investigative pieces on ATM skimmers, spent several hours watching footage seized from hidden skimmer cameras, and has concluded that covering your hand while you enter your PIN really works in many cases — and that many people don't bother to take this elementary step.

Report: complexity of cyberspying botnets greater than previously known

Brian Krebs interviews Joe Stewart, a security researcher "who's spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives." Speaking at Defcon in Las Vegas, Stewart says the "complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations.

ATM skimmers that fit in the card-slot


Police in an unidentified European nation have retrieved wafer-thin ATM skimmers that are so small that they can be fitted inside the credit-card insertion slot. Brian Krebs describes the finding:

That's according to two recent reports from the European ATM Security Team (EAST), an organization that collects ATM fraud reports from countries in the region.


HOWTO securely hash passwords

In the wake of a series of very high-profile password leaks, Brian Krebs talks to security researcher Thomas H. Ptacek about the best practices for securing passwords. The trick isn't to merely hash with a good salt — you must use a slow password hash that takes a lot of work, so that making rainbow tables is impractical.

Nigh-undetectable ATM skimmer


If the previous ATM skimmer posts didn't scare the pants off you, this one from San Fernando Valley, which Brian Krebs reports on, might. It has a near-undetectable pinhole camera for recording timestamped footage of your PIN entry, and apart from that indicator, the only way to spot it is to yank hard on the front of the ATM before you start using it.

Inside a malware company's trouble-ticket system


Brian Krebs has been through the support forums for the "Citadel" trojan, a piece of commercial malicious software (spun out from the notorious ZeuS trojan) you can buy and use to take over other people's computers to make botnets for sending spam or taking down websites with traffic-floods.

Virtual sweatshops versus CAPTCHAs


KolotiBablo, a Russian service, pays workers in China, India, Pakistan, and Vietnam to crack CAPTCHAs — it's a favorite of industrial-scale spammers. This company's fortunes represent an interesting economic indicator of the relative cost of labor (plus Internet access and junk PCs) in the poorest countries in the world, versus skilled programmer labor to automate CAPTCHA-breaking (or automating a man-in-the-middle attack on CAPTCHAs, such as making people solve imported Gmail account-creation CAPTCHAs in order to look at free porn).

DoS for phones: "busy signal service" clobbers the phone-lines of companies while their servers are being plundered

Brian Krebs reports on a new cybercrime service that will max out a company's switchboard with fake phone calls as a diversionary tactic while their servers are being plundered:

For just $5 an hour, or $40 per day, you can keep anyone's phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.


Denial of service attacks used to cover up fraudulent bank transfers

Brian Krebs documents a sophisticated offline/online attack on banks. Thieves combine a fraudulent wire-transfer to an innocent jewelry store with a denial-of-service attack on the bank that ties up the IT and other staff. The jeweler has been told that the money is to buy expensive jewels and watches, which are given to a stooge recruited as a courier and reshipper.

DHS: reports of Illinois water system hacker attack were rife with bogosity

Brian Krebs reports: "The U.S. Department of Homeland Security today took aim at widespread media reports about a hacking incident that led to an equipment failure at a water system in Illinois, noting there was scant evidence to support any of the key details in those stories — including involvement by Russian hackers or that the outage at the facility was the result of a cyber incident."