‘LuminosityLink RAT’ Author Pleads Guilty

A 21-year-old Kentucky man has pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” a malware strain that security experts say was used by thousands of customers to gain unauthorized access to tens of thousands of computers across 78 countries worldwide.

The LuminosityLink Remote Access Tool (RAT) was sold for $40 to thousands of customers, who used the tool to gain unauthorized access to tens of thousands of computers worldwide.

Federal prosecutors say Colton Ray Grubbs of Stanford, Ky. conspired with others to market and distribute the LuminosityLink RAT, a $40 Remote Access Tool that made it simple for buyers to hack into computers to surreptitiously view documents, photographs and other files on victim PCs. The RAT also let users view what victims were typing on their keyboards, disable security software, and secretly activate the webcam on the target’s computer.

Grubbs, who went by the pseudonym “KFC Watermelon,” began selling the tool in May 2015. By mid-2017 he’d sold LuminosityLink to more than 8,600 customers, according to Europol, the European Union’s law enforcement agency.

Speculation that Grubbs had been arrested began surfacing last year after KFC Watermelon stopped responding to customer support queries on Hackforums[dot]net, the Web site where he primarily sold his product.

Grubbs, using the hacker nickname “KFC Watermelon,” advertised and sold his RAT via Hackforums.net.

The sale and marketing of remote access tools, also known as remote administration tools, is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors instead as “Remote Access Trojans” when their proprietors advertise the programs as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

According to the indictment against him, Grubbs “recruited and encouraged co-conspirators to answer questions on Skype, an internet messaging service, from potential and actual purchasers of LuminosityLink seeking to use the software to get unauthorized and undetected access to victim computers and steal information.”

Linking Grubbs to LuminosityLink was likely not a tall hurdle for prosecutors. A public filing at the Kentucky Secretary of State office lists Grubbs as the owner of Luminosity Security Solutions LLC.

However, there are indications that Luminosity was not Grubb’s first foray into making and selling malware tools. According to a February 2018 blog post by Palo Alto Networks, the Skype account connected to KFC Watermelon’s identity on Hackforums is tied to the email address “codyjohnson1337@live.com; that email account was used in 2013 to register “plasmarat.pw,” a similar RAT sold and marketed on Hackforums.

KFC Watermelon’s Skype profile (the “HF” in his Skype name is a likely reference to HackForums, where both Luminosity RAT and Plasma RAT were primarily sold and marketed).

The street address listed by the Kentucky Secretary of State’s office for Luminosity Security Solutions (127 Circle Dr., Stanford, KY) shows up in the original registration records for dozens of domains, including at least a half-dozen that early on listed the email address coltongrubbs@gmail.com. That same email address appears in the early registration records for barracudasec[dot]com, a domain that as far back as 2012 was identified as a popular “command and control” server that many denizens of Hackforums used to remotely administer large numbers of remotely commandeered computers or “bots.”

Around the time that KFC Watermelon stopped responding to support requests on Hackforums, federal prosecutors were securing a guilty plea against Taylor Huddleston, a then 27-year-old programmer from Arkansas who sold the “NanoCore RAT.”  Like Grubbs, Huddleston initially pleaded not guilty to computer intrusion charges, arguing that he wasn’t responsible for how customers used his products. That is, until prosecutors presented Skype logs showing that Huddleston routinely helped buyers work out how to use the tools to secretly compromise remote computers.

Grubbs’ guilty plea could well lead to further arrests and prosecutions of customers who purchased and used LuminosityLink. Case in point: The author of the Blackshades Trojan — once a wildly popular RAT sold principally on Hackforums — was arrested along along with dozens of his customers in a global law enforcement sweep in 2014.

Indeed, many former customers of LuminosityLink have posted to Hackforums that they are expecting similar treatment:

Hackforums users speculate that Grubbs’ arrest could lead to the arrest and prosecution of his customers. Image: Palo Alto Networks.

Grubbs initially pleaded not guilty, and his trial was slated to begin in August. But in a plea agreement released today, Grubbs admitted to conspiring to make and sell LuminosityLink, and to knowingly assisting customers in using his software to break into computers.

The plea agreement notes that on July 10, 2017, when Grubbs found out the the FBI was about to raid his apartment, he hid the phone and debit card tied to his Bitcoin account, and also removed the hard drives from his computer and apartment prior to the search. “Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses,” the agreement states.

The charges to which Grubbs has pleaded guilty carry punishments of up to 25 years in prison and as much as $750,000 in fines, although any sentence the judge hands down in this case may be significantly tempered by U.S. Sentencing Guidelines.

A copy of the plea agreement is available here (PDF).

Source: https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/

Advertisements

Sextortion Scam Uses Recipient’s Hacked Passwords

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Source: https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

Notorious ‘Hijack Factory’ Shunned from Web

Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company’s bandwidth providers chose to sever ties with the company.

Spammers and Internet service providers (ISPs) that facilitate such activity often hijack Internet address ranges that have gone unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

For years, security researchers have tracked the suspected theft of millions of IPv4 Internet addresses back to Bitcanal, which was also doing business under the name “Ebony Horizon.” Experts say shortly after obtaining a chunk of IP addresses, Bitcanal would apparently sell or lease the space to spammers, who would then begin sending junk email from those addresses — taking full advantage of the good or at least neutral Internet reputation of the previous owner to evade anti-spam blacklists.

Much of the hijacked address space routed by Bitcanal was once assigned to business entities that no longer exist. But some of the more brazen hijacks attributed to Bitcanal and its customers involved thousands of Internet addresses assigned to active organizations, such as the company’s well-documented acquisition of address space assigned to the Texas State Attorney General’s office, as well as addresses managed by the U.S. Department of Defense.

Bitcanal’s reputation finally caught up with the company late last month, when anti-spam activist and researcher Ron Guilmette documented yet another new major IP address hijack at the company and challenged Bitcanal’s upstream Internet providers to stop routing traffic for it (KrebsOnSecurity has published several stories about previous high-profile IP address hijacks involving spammers who were flagged by Guilmette).

Guilmette said Bitcanal and its proprietor — Portuguese businessman Joao Silveira — have a well-documented history of “behaving badly and coloring outside the lines for literally years.”

“His actions in absconding with other people’s IP address space, over the years, are those of either a spoiled child or else those of a sociopath, depending on one’s personal point of view,” Guilmette said. “In either case the Internet will, by and large, be glad to see his backside, and will be better off without him.”

Doug Madory, a researcher for Internet performance management firm Dyn (now owned by Oracle), published a blog post chronicling Bitcanal’s history as an address “hijack factory.” That post also documents the gradual ostracization of Bitcanal over the past week, as one major Internet exchange after another pulled the plug on the company.

Dyn’s depiction of Bitcanal’s final remaining upstream Internet provider pulling the plug on the company on July 10, effectively severing it from existence on the Web. Source: Dyn.

Reached for comment just days before Bitcanal was shunned by all of its peering providers, Mr. Silveira expressed shock and surprise over what he called unfair attacks against his company’s reputation. He blamed the besmirchment on one or two “bad” customers who abused his service over the years.

“My thought is that one or two customer in my network maybe [imitated] people acting like a client and force the errors or injecting bad network space,” Silveira said in an emailed response to KrebsOnSecurity. “I am not the problem and this public trial and conviction will not solve the prefix hijacking matter. If these questions remain without solution, those actors will keep doing it.”

Another business tied to Mr. Silveira suggests that Bitcanal/Ebony Horizon has long been actively involved in obtaining sizable chunks of Internet address space on behalf of its clients. The same contact phone number that once existed on the (now unreachable) home page of Bitcanal.com also appears on the homepage of ip4transfer.net, a company that advertises the ability to lease large chunks of Internet address space.

Bitcanal owner Joao Silveira.

The current WHOIS registration records for ip4transfer.net are mostly redacted by domain registrar GoDaddy, but the name Ebony Horizon appears as the current business name, and Mr. Silveira’s name is on the original domain registration records from 2016, according to historic WHOIS records maintained by DomainTools [full disclosure: DomainTools is an advertiser on this blog].

Much of the content on ipv4transfer.net seeks to answer questions about what customers should expect when leasing address space from the company, including the possibility that some leased address ranges could be flagged as malicious or spammy by Spamhaus.org, an anti-spam group whose spam blacklists are relied upon by many ISPs to block large-scale spam campaigns. Prior to Bitcanal’s final disconnection this week, Spamhaus had blacklisted virtually all of Bitcanal’s address ranges as sources of spam and/or malicious email.

“Legitimate IP address space brokers don’t need to spend a lot of ink telling their customers how to avoid getting their shiny new IP address blocks listed by Spamhaus, or how to get them unlisted by Spamhaus, or what to do about it if the shiny new block they just purchased is already listed by Spamhaus,” Guilmette said.

Because the global routing of Internet address space is largely based on trust relationships between and among network operators, those operators have an obligation to ensure they’re not inadvertently facilitating the hijacking of Internet address space.

Perhaps coincidentally to the disconnection of Bitcanal, the RIPE Network Coordination Centre — one of the five global Regional Internet Registries (RIRs) providing Internet address allocations — on July 10 published an analysis of route hijacking activity across the Internet. The analysis includes a set of tips for network operators to help avoid contributing to the overall problem.

Source: https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.

According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.

Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.

One of the more nettlesome features of Windows 10 is the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.

Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added piece of mind while you’re sitting there praying for the machine to reboot successfully after patching.

As per usual on Microsoft’s Patch Tuesday, Adobe issued an update to its Flash Player browser plugin. The latest update brings Flash to version 30.0.0.134, and patches at least two security vulnerabilities in the program. Microsoft’s patch bundle includes the Flash update as well.

Adobe says the Flash update addresses “critical” security holes, meaning they could be exploited by malware or miscreants to take complete, remote control over vulnerable systems. My standard advice is for readers to kick Flash to the curb, as it’s a buggy program that is a perennial favorite target of malware purveyors.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale junking Flash is keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.

If you use Adobe Reader or Acrobat to manage PDF documents, you’re probably going to want to update these products soon: Adobe released updates for both today that fix more than 100 security vulnerabilities in the software titles.

Some folks may be unaware that there are other free PDF readers which aren’t quite as bloated as Adobe’s. Whether these alternative readers are more secure is another question; they certainly seem to be updated less frequently, but that may have something to do with the fact that they include far fewer features and likely less overall attack surface area.

I can’t recall the last time I had Adobe Reader installed on anything I own. My preferred PDF reader for Windows is Sumatra PDF, which is comparatively lightweight and very fast. Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.

For a detailed rundown of the individual vulnerabilities patched by Microsoft today, check out the SANS Internet Storm Center, which indexes the fixes by severity, how likely it is that each vulnerability will be exploited anytime soon, and whether specific flaws were publicly disclosed prior to today’s patch release.

According to SANS, at least three of the flaws — CVE-2018-8278, CVE-2018-8313, and CVE-2018-8314 — were previously disclosed publicly, meaning that attackers may have had a head start figuring out how to exploit these flaws for criminal gain.

As always, if you experience any problems installing or downloading these updates, please don’t hesitate to leave a comment. If past Patch Tuesday posts are any indicator, you may even find helpful responses or solutions from other readers experiencing the same issues.

Source: https://krebsonsecurity.com/2018/07/patch-tuesday-july-2018-edition/

ExxonMobil Bungles Rewards Card Debut

Energy giant ExxonMobil recently sent snail mail letters to its Plenti rewards card members stating that the points program was being replaced with a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a confusing toll free number and directs customers to a parked page that tries to foist Web browser extensions on visitors.

The mailer (the first page of which is screenshotted below) urges customers to visit exxonmobilrewardsplus[dot]com, to download its mobile app, and to call “1-888-REWARD+” with any questions. It may not be immediately obvious, but that “+” sign is actually the same thing as a zero on the telephone keypad (although I’m ashamed to say I had to look that up online to be sure).

Worse, visiting the company’s new rewards Web site in Google Chrome prompted my browser to run a “security check,” followed by a series of popups offering to install a Chrome extension called “Browsing Safely.”

That extension changes your default search engine to Yahoo and appears to redirect all searches through a domain called lastlog[dot]in, which seems to be affiliated with an Israeli online advertising network. After adding the Browsing Safely extension to Chrome using a virtual machine, my browser was redirected to Exxon.com.

The Google Chrome extension offered when I first visited exxonmobilrewardsplus-dot-com.

Many people on Twitter who expressed confusion about the mailer said they accidentally added an “e” to the end of “exxonmobil” and ended up getting bounced around to spammy-looking sites with ad redirects and dodgy download offers.

ExxonMobil corporate has not yet responded to requests for comment. But after about 10 minutes on hold listening to the same Muzak-like song, I was able to reach a customer service person at the confusing ExxonMobil Rewards+ phone number. That person said the Web site for the rewards program wasn’t going to be active until July 11.

“Currently the Web site is not available,” the representative said. “Please don’t try to download anything from it right now. It should be active and available next week.”

It always amazes me when major companies roll out new marketing initiatives without consulting professionals who help mitigate security and privacy issues for a living. It seems likely that happened in this case because anyone who knows a thing or two about security would strongly advise against instructing customers to visit a parked domain or one that isn’t yet fully under the company’s control.

Source: https://krebsonsecurity.com/2018/07/exxonmobil-bungles-rewards-card-debut/

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.

Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters.

Carrie Kerskie is president of Griffon Force LLC, a company in Naples, Fla. that helps identity theft victims recover from fraud incidents. Kerskie recalled a recent case in which thieves purchased pricey items from a local jewelry store in the name of an elderly client who’d previously bought items at that location as gifts for his late wife.

In that incident, the perpetrator presented a MasterCard Black Card in the victim’s name along with a fake ID created in the victim’s name (but with the thief’s photo). When the jewelry store called the number on file to verify the transactions, the call came through to the impostor’s cell phone right there in the store.

Kerskie said a follow-up investigation revealed that the client had never set up an account at his ISP (Comcast) to manage it online. Multiple calls with the ISP’s customer support people revealed that someone had recently called Comcast pretending to be the 86-year-old client and established an online account.

“The victim never set up his account online, and the bad guy called Comcast and gave the victim’s name, address and Social Security number along with an email address,” Kerskie said. “Once that was set up, the bad guy logged in to the account and forwarded the victim’s calls to another number.”

Incredibly, Kerskie said, the fraudster immediately called Comcast to ask about the reason for the sudden account changes.

“While I was on the phone with Comcast, the customer rep told me to hold on a minute, that she’d just received a communication from the victim,” Kerskie recalled. “I told the rep that the client was sitting right beside me at the time, and that the call wasn’t from him. The minute we changed the call forwarding options, the fraudster called customer service to ask why the account had been changed.”

Two to three days after Kerskie helped the client clean up fraud with the Comcast account, she got a frantic call from the client’s daughter, who said she’d been trying her dad’s mobile phone but that he hadn’t answered in days. They soon discovered that dear old dad was just fine, but that he’d also neglected to set up an online account at his mobile phone provider.

“The bad guy had called in to the mobile carrier, provided his personal details, and established an online account,” Kerskie said. “Once they did that, they were able transfer his phone service to a new device.”

OFFLINE BANKING

Many people naively believe that if they never set up their bank or retirement accounts for online access then cyber thieves can’t get access either. But Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity.

“What we found is that the attacker linked the client’s bank account to an American Express Gift card, but in order to do that the bad guy had to know the exact amount of the microdeposit that AMEX placed in his account,” Kerskie said. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled. In this case, had the client established an online account previously, he would have received a message asking to confirm the fraudulent transaction.”

After tying the victim’s bank account to a prepaid card, the fraudster began slowly withdrawing funds in $5,000 increments. All told, thieves managed to siphon almost $170,000 over a six month period. The victim’s accounts were being managed by a trusted acquaintance, but the withdrawals didn’t raise alarms because they were roughly in line with withdrawal amounts the victim had made previously.

“But because the victim didn’t notify the bank within 60 days of the fraudulent transactions as required by law, the bank only had to refund the last 60 days worth of fraudulent transactions,” Kerskie said. “We were ultimately able to help him recover most of it, but that was a whole other ordeal.”

Kerskie said many companies try to fight fraud on accounts belonging to customers who haven’t set up a corresponding online account by sending a letter via snail mail to those customers when account changes are made.

“But not everyone does that and if the thief who’s taking advantage of the situation is smart, he’ll simply set up an online account and change the billing address, so the customer never gets that notice,” Kerskie said.

MARK YOUR TERRITORY

Kerskie said it’s a good idea for people with older relatives to help those individuals ensure they have set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online. Helping those relatives place a security freeze on their credit files with the four major credit bureaus (and with another, little known bureau that many mobile providers rely upon for credit checks) can go a long way toward preventing new account fraud.

Adding two-factor authentication (whenever it is available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place.

This process is doubly important, Kerskie said, for parents and relatives who have just lost a spouse.

“When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members,” she said. “And the bad guys absolutely love obits.”

Eschewing accounts on popular social media platforms also can have consequences, mainly because most people have enough information about themselves online that anyone can create an account in their name and start messaging friends and family members with various fraud schemes.

“I always tell people if you don’t want to set up an online account for social media that’s fine, but make sure you tell your friends and family, ‘If you ever get a social media request from me, just ignore it because I’ll never do that,’” Kerskie advised.

In summary, plant your flag online or — as Kerskie puts it — “mark your territory” — before fraudsters do it for you. And consider helping less Internet-savvy friends and family members to do the same.

“It can save a lot of headache,” she said. “The sad reality is that criminals very often only need to answer two or three questions to commit fraud in your name, whereas victims typically need to spend hours of their time and answer dozens of questions to undo the resulting fraud.”

Source: https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/

How to Avoid Card Skimmers at the Pump

Previous stories here on the proliferation of card-skimming devices hidden inside fuel pumps have offered a multitude of security tips for readers looking to minimize their chances of becoming the next victim, such as favoring filling stations that use security cameras and tamper-evident tape on their pumps. But according to police in San Antonio, Texas, there are far more reliable ways to avoid getting skimmed at a fuel station.

San Antonio, like most major U.S. cities, is grappling with a surge in pump skimming scams. So far in 2018, the San Antonio Police Department (SAPD) has found more than 100 skimming devices in area fuel pumps, and that figure already eclipses the total number of skimmers found in the area in 2017. The skimmers are hidden inside of the pumps, and there are often few if any outward signs that a pump has been compromised.

In virtually all cases investigated by the SAPD, the incidents occurred at filling stations using older-model pumps that have not yet been upgraded with physical and digital security features which make it far more difficult for skimmer thieves to tamper with fuel pumps and siphon customer card data (and PINs from debit card users).

Lt. Marcus Booth is the financial crimes unit director for the SAPD. Booth said most filling stations in San Antonio and elsewhere use legacy pumps that have a vertical card reader and a flat, membrane-based keypad. In addition, access to the insides of these older pumps frequently is secured via a master key that opens not only all pumps at a given station, but in many cases all pumps of a given model made by the same manufacturer.

Older model fuel pumps like this one feature a flat, membrane-based keypad and vertical card reader. Image: SAPD.

In contrast, Booth said, newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad and referred to in the fuel industry as a “full travel” keypad:

Newer, more tamper-resistant fuel pumps include raised metallic keypads (known in the industry as “full travel” keypads), horizontal card readers and custom locks for each pump.

Booth said the SAPD has yet to see a skimming incident involving newer pump models like the one pictured directly above.

“Here in San Antonio, many of these stations with these older keypads and card slots were getting hit all the time, sometimes weekly,” he said. “But as soon as those went over to newer gear, we’ve seen zero problems.”

According to Booth, the newer pumps include not only custom keys for each pump, but also tamper protections that physically shut down a pump if the machine is improperly accessed. What’s more, these more advanced pumps do a better job of compartmentalizing individual components, very often enclosing the electronics that serve the card reader and keypad in separately secured metal cages.

“Pretty much all these full travel metallic keypads are encrypted, and if you disconnect them they disable themselves and can only be re-enabled by technician,” Booth told KrebsOnSecurity. “Also, if the pump is opened improperly, it disables itself. These two specific items: The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.”

Newer pumps may also include more modern mobile payment options — such as Apple Pay — although many stations with pumps that advertise this capability have not yet enabled it, which allows customers to pay for fuel without ever sharing their credit or debit card account details with the fuel station.

One reason that pump skimmers seem to be more pervasive is that authorities across the country are doing a better job of working with banks and federal investigators to determine fuel stations that appear to be compromised. The flip side is that thieves are generally opportunistic, and tend to focus on targeting systems that offer the least resistance and lowest hanging fruit.

Unfortunately, there is still a ton of low-hanging fruit, and these newer and more secure pump systems remain the exception rather than the rule, Booth said. In December 2016, Visa delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

Under previous credit card association rules, station owners that didn’t have chip-ready readers in place by Oct. 2017 would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). Currently, fuel stations have until Oct. 1, 2020 to meet the liability shift deadline.

Some pump skimming devices are capable of stealing debit card PINs as wellso it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.

In summary, if you have the choice, look for fuel pumps with raised keypads and horizontal card slots. And keep in mind that it may not be the best idea to frequent a particular filling station simply because it offers the lowest prices: Doing so could leave you with hidden costs down the road.

If you enjoyed this story, check out my series on all things skimmer-related: All About Skimmers. Looking for more information on fuel pump skimming? Have a look at some of these stories.

Source: https://krebsonsecurity.com/2018/06/how-to-avoid-card-skimmers-at-the-pump/