New Year’s Sales; Big Discounts on Stolen Data

Headlines for January have been dominated by revelations of one retailer after another suffering enormous breaches of personal and financial data.  From the 18th of December 2013, when news of the Target breach was publicly disclosed, to Neiman Marcus, the cumulative loss runs into the many tens of millions of records.  At McAfee Labs we provided analysis of the Point of Sale (PoS) malware used in the Target breach, which answers one of the key questions: how were attackers able to intercept approximately 110,000,000 records' worth of payment, transaction and other personally identifiable data?  Another question, however, is the net result of so much data flooding the underground economy.

In Q2 2013 we published a whitepaper entitled ‘Cybercrime Exposed’, which presented an analysis of the broad range of cybercrime products, tools and services on offer.  One of the categories within the whitepaper was ‘Hacking-as-a-Service’, in which the end customer of cybercrime can simply purchase products such as credit card data.  The indicative prices are presented below:

Figure 1

Whilst the prices may have been relatively accurate in the summer of 2013, the reality is that, as a direct result of the recent breaches, the prices for large volumes of credit cards have plummeted.  With new dumps of card data related to recent breaches appearing with alarming regularity, the oversupply of cardholder data is clearly pushing prices down.  This is demonstrated in the recent dumps entitled “Eagle Claw 1” and “Eagle Claw 2”, shown in the screenshots below.  “Tortuga” is a little older:



Please note that specific information in the screenshots has been intentionally obfuscated.  This is of course only one of many dumps available; earlier examples include Tortuga and Barbarossa.  As the example below demonstrates, prices do appear to be falling as more card data floods the marketplace:


As of January 31, the price list for CC dumps and cards ranges from 2.00 USD to 85.00 USD depending on geography and completeness of data (whether the CVV2 is included).

Figure 10




Note that in addition to accepting Bitcoin, this site (and others) also accepts Web Money, Lesspay, Western Union and MoneyGram.  In our recent research paper entitled ‘Digital Laundry’ we reviewed the role of virtual currencies within cybercrime.

To further illustrate the pricing, here are some current listings on carding forums and markets that are not affiliated with the Lampeduza Republic:


Compare this to prices from January 2011:


We should of course not be surprised, and these examples are just the tip of the iceberg.  Also, whilst the price reduction is just one impact, forums and their participants are showing significant frustration at the disclosure of these breaches.  The excerpts below show recent commentary from within the community directed at a notable independent security researcher:




Note the spelling of “картонко” above.  You have seen this before if you have been following the news around the retail POS issues.  In this context it refers to cards (i.e. credit cards).


Selling data, CC numbers and other financial jewels is not all that is available in these forums, markets and communities.  Many provide a full service.  It is not uncommon to also be able to acquire specific software ‘tools of the trade’, or the services of those who will use said tools for you, so as to distance yourself (or your customer) from some of the risk.

Some examples:


  • General malware
  • Keylogging and Backdoor Trojans (kit and ready-made)
  • Crypting / Packing Tools
  • Scripts / Probes / Scanners
  • Brute force scripts (tailored to specific account types, e.g. PayPal)
  • Cameras, Skimmers, and other hardware solutions
  • RFID & NFC Tools



  • Education / Classes (Carding tools, lingo, POS and Banking software)
  • Escrow and Anonymity Services
  • Tool and Exploit development
  • Shipping services (stealth and anonymous)
  • Currency “conversion”
  • CC and CVV Verification
  • ID and Passport Creation
  • Email / SMTP services (including flooding / DoS)
  • VPN
  • Reverse engineering
  • Decryption (e.g. password cracking)
  • Printing and Embossing


With further revelations hitting the media on a daily basis, we can expect the supply of stolen data for sale to increase, and ultimately a further decrease in the prices offered.  Moreover, as we documented in the Cybercrime Exposed whitepaper, the technical bar required to become a cybercriminal has never been so low; indeed, all that is required is access to the internet.




The post New Year’s Sales; Big Discounts on Stolen Data appeared first on McAfee.

Mobile Apps – Privacy & Data Security

The privacy and security of personal information in mobile apps continues to be a hot topic. Data protection authorities, other oversight agencies, and self-regulatory bodies were busy in 2013 developing guidelines and conducting investigations.

On January 29, 2014, I had the pleasure of speaking to the Toronto Computer Lawyers Group about where we are and some thoughts about where we might be going. My slides from the presentation are below.

Target hackers may have exploited backdoor in widely used server software

Update: About 24 hours after this report was published, BMC issued a statement that said in part: "BMC has confirmed that the password mentioned in the press is not a BMC-generated password. At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack."

Widely used management software running on Target's internal network may have given an important leg-up to attackers who compromised 40 million payment cards belonging to people who recently shopped at the retail giant, according to an article published Wednesday by KrebsonSecurity.

As journalist Brian Krebs reported two weeks ago, malware that infected Target's point-of-sale terminals used the account name "Best1_user" and the password "BackupU$r" to log in to a control server inside the Target network. The malware used this privileged insider access to temporarily stash payment card data siphoned out of the terminals used in checkout lines, so that it could then periodically be downloaded to a different server for permanent storage. In Wednesday's post, Krebs filled in some intriguing new details that suggest a poorly secured feature inside a widely used server management program may have played a role. Krebs explained:

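The staging pattern described in the Ars Technica and Krebs reports above (many POS terminals authenticating to one internal server with a single account embedded in the malware) is something a defender can hunt for in authentication logs. The following is an added example, not code from either report or from any of the vendors named: it parses a constructed, hypothetical flat authentication log (the line format, host names, timestamps and results are invented for illustration; only the account name Best1_user comes from the article) and applies two checks, a direct indicator match on the account name and a generic fan-in rule that flags any account used successfully from three or more POS hosts against the same destination, which is the shape a credential shared across infected terminals produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format; hosts, times and results are invented).
# Only the account name "Best1_user" is taken from the article. The last line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2013-12-02T02:10:05 src=POS-0117 dst=ISS-STAGE01 user=Best1_user result=success
2013-12-02T02:10:09 src=POS-0221 dst=ISS-STAGE01 user=Best1_user result=success
2013-12-02T02:10:14 src=POS-0342 dst=ISS-STAGE01 user=Best1_user result=success
2013-12-02T02:10:20 src=POS-0408 dst=ISS-STAGE01 user=Best1_user result=success
2013-12-02T09:15:00 src=WKS-ADMIN3 dst=ISS-STAGE01 user=jsmith result=success
2013-12-02T09:30:00 src=POS-0117 dst=PRINT-SRV2 user=svc_print result=success
2013-12-02T11:00:00 src=POS-0221 dst=PRINT-SRV2 user=svc_print result=failure
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Account names treated as indicators; compared case-insensitively because
# Windows account names are case-insensitive.
IOC_ACCOUNTS = {"best1_user"}


def parse_auth_log(text):
    """Parse the flat log into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def ioc_account_hits(events):
    """Rule 1: any logon attempt (success or failure) with a known-indicator account name."""
    return [ev for ev in events if ev["user"].lower() in IOC_ACCOUNTS]


def shared_account_fan_in(events, pos_prefix="POS-", min_hosts=3):
    """Rule 2 (generic, no indicator needed): one account used successfully from at
    least min_hosts distinct POS hosts against the same destination. A credential
    embedded in malware on many terminals produces exactly this shape; a normal
    per-terminal service account does not."""
    sources = defaultdict(set)
    for ev in events:
        if ev["src"].startswith(pos_prefix) and ev["result"] == "success":
            sources[(ev["dst"], ev["user"])].add(ev["src"])
    return {key: sorted(hosts) for key, hosts in sources.items() if len(hosts) >= min_hosts}


def hunt(text):
    """Run both rules over a log and return a summary the caller can act on."""
    events = parse_auth_log(text)
    return {
        "events": len(events),
        "ioc_hits": [(ev["src"], ev["dst"]) for ev in ioc_account_hits(events)],
        "fan_in": shared_account_fan_in(events),
    }


if __name__ == "__main__":
    for name, value in hunt(SAMPLE_LOG).items():
        print(name, value)
```

The indicator rule only catches this one campaign; the fan-in rule is the one worth keeping, because it does not depend on knowing the account name in advance. Tune `pos_prefix` and `min_hosts` to your own host naming and fleet size, and feed it real logon events (for Windows, event ID 4624 with the source workstation and target server fields) rather than the constructed lines used here.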


Angry Birds website defaced following reports it enables government spying

The official Angry Birds website was briefly defaced on Tuesday by people protesting reports government spy agencies abuse it and other "leaky" mobile apps to mine the personal details of smartphone users.

For a brief span of time on Tuesday some visitors saw an image of the iconic bird and pig, but with some notable modifications. The image carried the caption "Spying Birds," and the bird had an NSA logo emblazoned on its forehead. The image was captured on the Zone-H website.

Angry Birds developer Rovio has confirmed its website was briefly hijacked, most likely by attackers who managed to tamper with the domain name system (DNS) settings that ultimately control which server receives requests for a particular domain name. Differences in which resolvers had cached the malicious DNS entries, and in how long those cached entries were allowed to persist before expiring, mean that the spoofed page was visible only to some of the people trying to visit the site on Tuesday. The site was not available at the time this post was being prepared for publication.

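The asymmetry described in the Angry Birds report above (some visitors saw the defaced page, others did not) follows from how recursive resolvers cache a DNS answer for the record's TTL. As an added illustration, not code from Rovio or from the article, the following simulates a hijacked record with two recursive resolvers and a hypothetical authoritative zone. The domain, addresses, TTL and timings are all constructed (example.com and RFC 5737 documentation addresses stand in for Rovio's real records), and the resolvers are deliberately minimal: a cache keyed by name with an expiry time.

```python
from dataclasses import dataclass, field


@dataclass
class Cached:
    value: str
    expires_at: int  # simulation clock, in seconds


class Authority:
    """Stand-in for the zone as served by the authoritative name servers. A registrar
    or DNS-provider compromise changes what this returns; resolvers already holding a
    cached copy will not notice until that copy expires."""

    def __init__(self):
        self.zone = {}

    def set_record(self, qname, value, ttl):
        self.zone[qname] = (value, ttl)

    def lookup(self, qname):
        return self.zone[qname]


@dataclass
class Resolver:
    name: str
    cache: dict = field(default_factory=dict)

    def resolve(self, authority, qname, now):
        """Serve from cache while the TTL has not elapsed; otherwise re-query the authority."""
        rec = self.cache.get(qname)
        if rec is not None and now < rec.expires_at:
            return rec.value
        value, ttl = authority.lookup(qname)
        self.cache[qname] = Cached(value, now + ttl)
        return value


# Constructed values: documentation addresses (RFC 5737) and a reserved example name.
LEGIT = "203.0.113.10"
HIJACKED = "198.51.100.7"
QNAME = "www.example.com"
TTL = 3600


def hijack_timeline():
    """Return what two resolvers answer at several points around a hijack and its repair."""
    auth = Authority()
    auth.set_record(QNAME, LEGIT, TTL)
    early = Resolver("early")  # its first query lands before the hijack
    late = Resolver("late")    # its first query lands during the hijack
    seen = {}
    seen["t=0 early"] = early.resolve(auth, QNAME, 0)        # legit, cached until t=3600
    auth.set_record(QNAME, HIJACKED, TTL)                    # t=100: attacker alters the zone
    seen["t=200 early"] = early.resolve(auth, QNAME, 200)    # still legit: served from cache
    seen["t=200 late"] = late.resolve(auth, QNAME, 200)      # hijacked, cached until t=3800
    auth.set_record(QNAME, LEGIT, TTL)                       # t=600: owner restores the zone
    seen["t=700 early"] = early.resolve(auth, QNAME, 700)    # legit (never saw the bad record)
    seen["t=700 late"] = late.resolve(auth, QNAME, 700)      # still hijacked: cache outlives the fix
    seen["t=3900 late"] = late.resolve(auth, QNAME, 3900)    # cache expired, legit again
    return seen


def still_poisoned(seen):
    """Which observations returned the attacker's address."""
    return sorted(k for k, v in seen.items() if v == HIJACKED)


if __name__ == "__main__":
    for when, answer in hijack_timeline().items():
        print(when, answer)
```

Two things the simulation makes concrete: a resolver that cached the legitimate answer shortly before the hijack never shows its users the defaced page at all, and restoring the zone does not purge the bad answer from caches that already hold it, so each affected resolver keeps serving it for up to one full TTL after the fix. When investigating a suspected hijack, query several public resolvers and the authoritative servers directly and compare the answers rather than trusting a single lookup, and remember that a lower TTL shortens both the spread and the cleanup.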