Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Credit Card Theft. Show all posts

Upgraded Python NodeStealer Now Targets Facebook Ads Manager and Steals More Sensitive Data

 

Python NodeStealer, a notorious infostealer previously known for targeting Facebook Business accounts, has now been enhanced with new, dangerous capabilities that allow it to infiltrate Facebook Ads Manager accounts. This upgrade not only boosts its ability to steal more data but also paves the way for even more malicious campaigns.

In an extensive analysis by cybersecurity experts at Netskope Threat Labs, it was revealed that the infostealer is now capable of stealing credit card information in addition to previously targeted browser credentials. 

The new attack vector involves copying the “Web Data” from browsers, a SQLite database containing sensitive data like autofill details and saved payment methods.

“With these, the infostealer can now collect the victim’s credit card information which includes the cardholder’s name, card expiration date, and card number,” the researchers pointed out. To access this information, NodeStealer uses Python’s SQLite3 library to run specific queries on the stolen database, looking for credit card-related data.

The new version of Python NodeStealer also abuses Windows Restart Manager, a tool typically used to manage reboots after software updates. In this case, however, the tool is leveraged to bypass locked database files that contain valuable data. By extracting browser database files into a temporary folder, NodeStealer circumvents file locks, and exfiltrates the data via a Telegram bot.

Most likely developed by a Vietnamese cybercriminal group, Python NodeStealer’s primary targets are Facebook Business and Ads Manager accounts, which are then exploited in malvertising campaigns. Since Facebook’s stringent vetting process for ad purchases typically prevents unauthorized ads, cybercriminals now resort to stealing verified accounts to run their malicious ads instead.

Esso Corporate Fleet Programme Hit by Ransomware Attack on Abecha Servers

 

A ransomware attack on Abecha, the company managing Singapore’s Esso Corporate Fleet Discount Programme, may have compromised sensitive credit card information of its customers. Abecha discovered the breach on August 13 and notified affected customers on August 28. According to the company, the hackers may have accessed customers’ credit card numbers and expiration dates, but other personal information, such as names, addresses, and contact details, appears to have remained secure. 

In light of the breach, Abecha advised customers to review their credit card statements for any unauthorized or suspicious transactions. They also encouraged prompt reporting of any unusual activity to prevent potential misuse. An Abecha representative stated that there was no indication that any data had been taken by unauthorized parties. The company assured customers that their transactions were secure, and normal business operations were continuing. The Esso Corporate Fleet Discount Programme, a collaboration with ExxonMobil, has been in operation since 2003 and currently serves more than 18,000 corporate clients. 

The programme provides fuel discounts to corporate employees and is one of Abecha’s key offerings, alongside other corporate programmes with Citibank and DBS Bank. Following the attack, Abecha quickly shut down the affected servers and hired data protection and cybersecurity specialists to investigate the breach and recommend additional security protocols. The company also filed a police report and informed the Personal Data Protection Commission Singapore (PDPC), which is now investigating the incident. Despite assurances from Abecha, some customers have expressed concern. 

Alson Tang, a public relations professional, voiced his anxiety since he had provided his bank account number when signing up for the discount programme. “Fuel prices are high, and the discount is appealing, but my trust in the organization has been somewhat shaken,” Tang said. Davidson Chua, co-founder of the car-selling aggregator platform Telequotes, called the news “alarming.” While he had not detected any suspicious activity on his credit card, he noted that he might not have checked had he not learned of the breach. “If I hadn’t heard about this, I wouldn’t have checked my credit card transactions, and something could have happened, especially since I don’t use the Abecha Esso fleet card regularly,” Chua said, indicating he would likely cancel his card. 

This incident highlights the importance of stringent cybersecurity measures for companies handling sensitive financial data. The PDPC’s investigation may provide further insights into the breach and any potential regulatory consequences for Abecha.

Theft of 54 million SA Records, as per TransUnion Linked to the Current Breach

 

Recently one of South Africa's main credit bureaus, TransUnion has been hacked, and the hackers are demanding $15 million in ransom. 

The compromised credit bureau revealed on Friday it had been hacked and had received a ransom demand which "will not be paid." By exploiting an authorised client's credentials, the hackers, dubbed N4aughtysecTU, acquired access to an "isolated server holding restricted data from our South African firm."

N4aughtysecTU told IT Web it had 4 terabytes of client data and had accessed 54 million records, including information from more than 200 businesses. It allegedly threatened to attack TransUnion's corporate clients unless the credit bureau paid it $15 million in Bitcoin (about R223 million). 

The breach affects many South Africans who have entered into credit agreements, regardless of loan size. Users automatically consent to the credit bureaus disclosing about credit and payment history when they sign into agreements with banks or other financial institutions, credit card providers, vehicle lenders, utilities, or other creditors. The fact that your account information and payment history will be submitted to credit reporting agencies is outlined in these agreements.

According to a statement on the TransUnion website: 
  • An isolated server containing limited information from our South African operations was impacted by the attack.
  • The team is working closely with other specialists to figure out what data was impacted. 
  • Consumer information, such as phone numbers, email addresses, and identity information, may be affected. 
People should not give out personal information such as passwords and PINs to strangers over the phone or over email, according to Sabric, and demands for personal information should be confirmed first.

Experian, a credit bureau, had a data breach in 2020, potentially exposing the personal information of 24 million South Africans. Alongside, a ransomware attack hit Debt-IN Consultants, a debt recovery partner to various South African financial sector companies, in 2021. It is estimated that over 1.4 million South Africans' personal information was fraudulently accessed from its systems.

Moreover, banks have also been targeted. Absa revealed a data breach in November 2020, and over a year and a half later, it is still identifying more compromised customers. 

Fraudsters are Exploiting Google Apps to Steal Credit Card Details

 

Threat actors are using a novel approach to steal the credit card details of e-commerce shoppers by exploiting Google’s Apps Script business application platform. Threat actors are abusing Google Apps Script domain ‘script.google.com’ to hide their malicious activities from malware scan engines and evade Content Security Policy (CSP) controls.

Eric Brandel, a cybersecurity researcher unearthed the scam while analyzing Early Breach Detection data provided by Sansec, a cybersecurity firm focused on fighting digital skimming. Brandel explained that threat actors bank on the fact that the majority of the online stores would have whitelisted all Google subdomains in their respective CSP configuration (a security protocol for blocking suspicious code execution in web apps). They take advantage of this trust and abuse the App script domain to route the stolen data to a server under their possession. 

Once, the malicious script was injected by the fraudsters in the e-commerce site, all the payment details stolen from the exploited e-commerce site were transferred as base64 encoded JSON data to a Google Apps Script custom app, using script.google.com as an exfiltration endpoint. Then, the stolen data was transferred to another server - Israel-based site analit. tech – handled by fraudsters.

Sansec stated that “the malware domain analit[.]tech was registered on the same day as previously discovered malware domains hotjar[.]host and pixelm[.]tech, who are hosted on the same network.” Google services such as Google Forms and Google Sheets are also exploited in the past by FIN7 cybercriminal gang for malware command-and-control communications. This gang has targeted banks and point-of-sale (POS) terminals EU and US firms using the Carbanak backdoor.

“Typically, a digital skimmer (aka Magecart) runs on dodgy servers in tax havens, and its location reveals its nefarious intent. But when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious’. And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google”, Sansec explained the workings of the fraudsters.

E-Commerce Theft: Dark Web Card Payment Store ValidCC Shut Down


A dark web market handled by a cybercrime group, Valid CC has been hacking online merchants and stealing payment credentials for more than six years. Last week, Valid CC closed down abruptly. The owners of Valid CC say that a law enforcement operation seized their servers. The operation aimed to seize and capture the store's infrastructure. A number of online shops sell "card not present" or "CNP" payment data on the internet. The payment data may be stolen from credit cards of e-commerce stores, but it's mostly sourced from cybercriminals and threat actors.  

However, in the case of Valid CC, experts believe that the store attacked and hacked hundreds of e-commerce merchants. The hackers seeded websites with hidden card skimming codes that stole personal information and payment credentials when a customer went through the checkout stage.   Group-IB, a Russian based cybersecurity firm, had published a report last year where it briefed about the operations of Valid CC, highlighting that Valid CC was responsible for hacking around 700 e-commerce stores. Besides this, Group IB identified another group "UltraRank" responsible for attacking additional 13 third-party suppliers that offered software components to these online stores spread across Europe, America, and Asia.  

Experts believe that UltraRank orchestrated a series of cyberattacks, which were earlier attributed to three different cybercrime groups by cybersecurity firms. "Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” said Group-IB. It adds, “UltraRank combined attacks on single targets with supply chain attacks.” Valid CC's muscle man on various platforms- a hacker who goes by the handle of SPR, notified customers that the shop would be shut down from 28 January, following a law enforcement operation that sealed Valid CC's operations. 

According to SPR, Valid CC lost access to more than 600,000 unsold payment card accounts, a very heavy blow to the store's inventory.  As a result, Valid CC lost its proxy and destination servers, and now it can't open and decrypt the back-end, says SPR.  Group-IB reports, "the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English, however, SPR often switches to Russian, while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker."  

Emotet trojan one of the biggest malware

Emotet is a banking Trojan that started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here's a look at what you can do to safeguard your business against this pernicious Trojan malware.

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices. Eradicate potential blind spots like internet of things devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

Actress Sameera Reddy received call from Hacker, spent ₹ 5 Lakhs on her credit card


Indian actress Sameera Reddy has became a victim of cyber crime. An unknown hacker has spent ₹ 5 Lakhs on her credit card.

According to NDTV report, the hacker used the credit card across different locations around the world.

After spending the money , the hacker surprisingly called Sameera Reddy and informed her about the theft. The thief had apparently decided to call her up because he was a big fan of the actress.

“I was dubbing when I got a call. It was from an unknown number and the person on the other side told me he was part of a hackers’ team. I could not believe what he was saying,” Sameera Reddy said.

"I had my card with me but the bank authority asked me to pay up the dues. I kept arguing with them for two months. Finally, the matter has been settled," Sameera added.

Crazy hacker..! what do you think?!

Hackers breached Restaurant Depot's POS network again & accessed credit card info


Hackers once again breached the Point-of-Sale(POS) network of Restaurant Depot, New York based wholesale supplier. The hackers managed to steal credit and debit card details from the card processing system they use in some of their stores.

 The company discovered the security breach on December 4th 2012 when thier customers had experienced credit card fraud after they used their cards at some of our stores.

They hired Trustwave on December 6th to investigate the intrusion. After the investigation, researchers determined that the intrusion first started on Nov 7th 2012. Researchers are still in the process of identifying all the details and are continuing their investigation.

The company notified all the major card brands and provided information about potentially compromised accounts.

"To protect yourself from possible fraudulent charges, you should contact officials at your card issuer immediately by calling the toll-free number on the back of your card or on your monthly statement, tell them you have received this letter, and ask them to cancel and reissue the card. " The official notification reads.

"You should also closely review your credit /debit card statements if you used your cards at one of our stores between November 7th and December 5, 2012. You should immediately notify the bankor financial institution that maintains the card account of any unauthorized charges. "

This is not the first time the company experiencing the security breach , in the 2011, Russian hackers hacked into Restaurant Depot database and accessed the credit and debit card details of more than 200,000 customers.

Four Romanians charged with hacking 150 Subway restaurants & 50 Retailers

Four Romanians were charged with hacking into the credit card processing system at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment.The hackers steal millions of dollars using the compromised Credit card data of  more than 80,000 customers .

Starting in 2008, these suspects hacked into more than Point of Sale(Pos) systems and installed Keyloggers and other spywares to  steal the customer credit/debit card numbers, also placed backdoors to get unauthorized access to the system.

The hackers used some kind of vulnerability scanner to find the vulnerable POS systems with certain remote desktop software applications installed on them.  After finding the vulnerable system, the break into the system by guessing passwords or using Password Crackers.

After compromising the credit card data, they cloned some credit cards and used them to make illegal purchases , mainly in Europe.  Also they sold the other credit card data.

The indictment, filed in US District Court in New Hampshire, named Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and Florin Radu, 23. They were each charged with four counts, including conspiracy to commit computer fraud, wire fraud, and two counts of conspiracy to commit fraud in connection with access device.

Hackers steal credit data: Hackers break into two computer stations of Vacationland Vendors

Hackers breached two computer stations owned by Vacationland Vendors of Wisconsin Dells, placing about 40,000 credit or debit card users at risk of theft.

The computers were at the Wilderness Resorts in Lake Delton and Sevierville, Tenn, where Vacationland Vendors operates the arcades. The company owns and operates 11 arcades and has been in operation 30 years. Vacationland Vendors is one of the Gussel family's businesses, which also include Holiday Wholesale as well as convenience stores and Dunkin Donut franchises.

A notice on the Vacationland Vendors web site says, "Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort. Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker."

Evan N. Zeppos, of the public relations firm, Zeppos & Associates, which is handling publicity about the breach, said the company was alerted to the breach by calls from one or two customers. The breach occurred on March 22.

No other computer systems in the Vacationland Vendors system with credit card information have been breached by hackers, Zeppos said.

Zeppos said when Vacationland learned of the breach, it called in forensic experts to look at the rdata in the system.

"Once we became aware of the breach, we immediately shut down the credit card system and took it offline April 1," Zeppos said.

Since then, the company has upgraded its security on the computer system. "We . . . believe we now have the highest level of security."

Although 40,000 credit or debit card users data was stored, Zeppos said it is believed that fewer than 20 individuals were impacted.

He suggested that anyone who used who used credit or debit cards at one of the affected arcades from Dec. 12, 2008 to May 25, 2011 should check their credit card statements for any unusual activity. Paying close attention to credit and debit card statements is a good thing to do. Saying he does not want to make excuses for the company, he encouraged customers to be diligent and vigilant for illegal use of their cards.

Heidi Fendos, public relations director for Sprecher Bertalot of Milwaukee, which handles public relations for the Wilderness resorts, said customers who used credit or debit cards at the resorts are being asked to carefully check their credit card statements.

"When they made our resort aware of the breach to one of their credit card stations in our Wild West Mega Arcade, we had them immediately cease all credit card activity in their leased area," Fendos said.

"Our resort wants to make it clear that the Wilderness Resort's credit card system was never compromised at any time during this situation with Vacationland Vendors' credit card station," Fendos said.

Vacationland Vendors continues to lease and operate the arcades at Wilderness, but the area is cash-only now. Credit cards are no longer accepted.

Zeppos said Vacationland is trying for broad dissemination of the information about the threat and has information on its web site, www.vactionlandvendors.com about what to do. The site says to do the following:

■ Watch for any unusual activity on your bank statements, credit card account or suspicious items on your bills.

■ Contact any of your credit card issuers, banks or credit unions, and inform them of this incident.

■ Place a fraud alert on your consumer credit file. A fraud alert instructs creditor to watch for unusual or suspicious activity in your accounts, and provides creditors with notice to contact you separately before approving an extension of credit. To place a fraud alert, free of charge, contact one of the three national credit reporting agencies listed below. You do not need to contact all three; rather, the agency that you contact will forward the fraud alert to the other two agencies on your behalf.

The national credit reporting agencies are Equifax Information Services LLC, P.O. Box 105069, Atlanta, GA 30348-5069, 1-800-525-6285, www.equifax.com; Experian, 1-888-397-3742, www.experian.com; and TransUnion, Fraud Victim Assistance Dept, P.O. Box 6790, Fullerton, CA 92834, 1-800-680-7289, www.transunion.com, fvad@transunion.com.

Information about personal identity theft and fraud may be obtained from the Federal Trade Commission at www.consumer.gov.idtheft or by calling 1-877-ID-THEFT

Zeppos said if individuals have additional questions they can send an e-mail to info@vacationlandvendors.com.


Source