Kaspersky Lab Survey Shows Loss of Money and Data Due to Online Activities of Children
Kaspersky Lab Partners with LifeJourney to Support Future Generations of Malware Experts
Home Depot credit cards: chain confirms breach, fraud spikes
The world’s largest home improvement chain store, Home Depot, yesterday confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.
Reports by security reporter Brian Krebs and others have said that the malware used in the attack was the same used in the Target breach, and that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.
In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and the chain is to offer free identity protection and credit monitoring to customers who used Home Depot credit cards or debit card in-store. Customers who shopped online or in Mexico have not been affected, the chain said in an official release.
Home Depot credit cards: Who is at risk?
Veteran security reporter Brian Krebs said that the news had been accompanied by a spike in debit card fraud, after a vast haul of Home Depot credit card and debit card numbers were sold on an underground forum last week.
Krebs said, “multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.â€
Home Depot said that there was no evidence PIN numbers had been compromised during the breach, and that, “Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware.â€
Technology site GigaOm reports that the malware involved in the breach has been reported as being BlackPOS, the same used in the Target breach earlier this year.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Frank Blake, chairman and CEO.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”
How criminals withdraw cash without needing PINs
GigaOm reports that the chain is to roll out EMV chip-and-PIN technology by the end of the year, offering a secure chip rather than a magnetic stripe which is more easily copied by malware such as BlackPOS.
Krebs said that the current glut of fraud relies on working out a customer’s ZIP code using criminal services which sell such information, starting from the ZIP code of the Home Depot they shopped at.
Krebs writes, “Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information:the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card; the card’s expiration date; the customer’s date of birth; the last four digits of the customer’s Social Security number.â€
Krebs said that this authentication process was weak enough that one large bank told him that a single West Coast bank had lost $300,000 in less than two hours due to debit and credit card fraud perpetrated with cards stolen in the breach.
ESET researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.â€
The post Home Depot credit cards: chain confirms breach, fraud spikes appeared first on We Live Security.
More 1024-Bit Certificates to Be Deprecated in Firefox
When Mozilla released Firefox 32 last week, the company removed several root certificates from the trust store for the browser. The move wasn’t because the certificates were fraudulent or the CAs that issued them were compromised, but because the certificates use 1024-bit keys. This is the first step in a process that Mozilla officials say […]
Google ‘Sunsetting’ Weak SHA-1 Crypto Algorithm
Google has initiated a process to revoke trust from any certificates that rely on the outdated SHA-1crytpographic hash algorithm.
Kyle & Stan Malvertising Hits Amazon, YouTube
The “Kyle and Stan” method is an example of a particular type of exploit known as ‘malvertising’, because it inserts malware into online advertising, so as to infect visitors of legitimate, high-traffic websites. Because online advertisements are served up by a relatively small number of ad-publishing networks that reach many popular websites simultaneously, malvertising is a very efficient means of malware distribution.
This particular exploit is called “Kyle and Stan†because the malware code contains references to specific sub-domains with the URLs “kyle.mxp2038.com†and “stan.mxp2099.com.”
Although most malvertising exploits do not harm individual users directly, they will often make unscrupulous revenue by generating fake advertising clicks, or by redirecting users to other scam websites, or installing spyware or back-doors that are later used to hijack the users’ computers for misuse, for example as botnets. In the case of the Kyle and Stan exploits, users are redirected to websites that offer a legitimate media-player app that, when downloaded, comes bundled with a malicious browser hijacker that installs itself automatically.
Unfortunately, this new threat makes detection extra difficult by creating a unique profile for each and every installation.
In the bigger picture, the Kyle and Stan malvertising exploit may represent a new style of malware distribution that is OS-agnostic and highly efficient. We may soon see an industry call for ad publishers to more carefully scan the ads that are distributed through their networks. Our experts will monitor the progress of Kyle and Stan and will inform you as we learn more.
The post Kyle & Stan Malvertising Hits Amazon, YouTube appeared first on Avira Blog.
FreeBSD-SA-14:18.openssl
2871997 – Update to Improve Credentials Protection and Management – Version: 3.0
Revision Note: V3.0 (September 9, 2014): Rereleased advisory to announce the release of update 2982378 to provide additional protection for users’ credentials when logging into a Windows 7 or Windows Server 2008 R2 system. See Updates Related to this Advisory for details.
Summary: Microsoft is announcing the availability of updates for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that improve credential protection and domain authentication controls to reduce credential theft.
MS14-SEP – Microsoft Security Bulletin Summary for September 2014 – Version: 1.0
Revision Note: V1.0 (September 9, 2014): Bulletin Summary published.
Summary: This bulletin summary lists security bulletins released for September 2014.