Retail trading industry targeted with malware attacks; stolen data being sold on Dark Web

  • A Trojan is believed to be circulating among trading firms, allowing attackers to steal information on a large scale.
  • Panda Trading Systems, a tech service provider to trading firms, found that the malware used was Emotet.

With malware campaigns targeting nearly every industry, retail trading firms are no exception. A recent investigation by Panda Trading Systems showed that the popular banking trojan Emotet was compromising systems associated with trading firms. Even worse, the attackers behind these campaigns were selling the stolen data on the dark web.

When the tech service provider ran security scans on some of its customers’ computers, it found that Emotet was exfiltrating databases belonging to marketing networks and to many senior executives within brokerages.

The analysis showed a typical campaign for this banking trojan: a malicious attachment (a PDF or Word document) in a spam email downloads the malware when it is opened.

An Organized Attack

Dikla Sheffer, Director of Business Operations at Panda Trading Systems, told Finance Magnates that these attacks were planned and perpetrated in an organized way.

“This is an organized attack on brokerages, affiliate networks, PSPs, VOIPs, and other companies operating within the retail trading industry. Once we identified the virus, we saw fit to publish a warning and share our findings, in the hope that industry colleagues will become more aware of cybersecurity dangers and take the necessary steps to protect themselves,” she said.

The company also stated that it has found other types of malware making the rounds in the trading industry. On top of this, it discovered that the attackers were selling sensitive information, such as client lists, to buyers on the dark web. Many malicious sites were also disclosing confidential data as ‘downloads’.

Dunn Brothers, Chino Latino and other Minnesota businesses hit by data breach

  • The breach occurred between January 3, 2019, and January 24, 2019.
  • North Country Business Products, Inc. said that, on January 4, 2019, it became aware of suspicious activity occurring within certain client networks.

North Country Business Products, Inc. has announced a data breach that may have impacted hundreds of restaurants and coffee shops operating in Minnesota. These include the likes of Dunn Brothers Coffee, Tacos Trompo in Fargo, the West Fargo VFW Post 7546, and Vinyl Taco in Grand Forks.

Discovery of the breach

According to the data breach notification, the breach occurred between January 3, 2019, and January 24, 2019. The attackers may have gained unauthorized access to credit and debit card information of customers who visited the affected shops during this period.

North Country said that, on January 4, 2019, it learned of suspicious activity occurring within certain client networks. Upon discovery, it immediately launched an investigation to determine the nature and scope of the event.

Modus operandi

On January 30, it was found that hackers had deployed information-stealing malware at some of the restaurants that partner with North Country. The malware was used to collect specific card data: the cardholder’s name, credit card number, expiration date, and CVV.

“On January 30, 2019, the investigation determined that an unauthorized party was able to deploy malware to certain of North Country’s business partners’ restaurants between January 3, 2019, and January 24, 2019, that collected credit and debit card information. Specific information potentially accessed includes the cardholder’s name, credit card number, expiration date, and CVV,” said the notification report.

In the wake of the incident, North Country has started notifying the potentially affected customers. It has also advised them to review their accounts for any suspicious activity.

Third batch containing 93 million account credentials stolen from 8 companies put up for sale on the Dark Web

  • Following the second batch of 127 million accounts stolen from 8 companies, a third batch containing 93 million accounts stolen from 8 companies was made available for sale on the Dream Market marketplace.
  • Each listing the seller posted on Dream Market was accompanied by a message demanding fair justice for George Duke-Cohan, who was arrested and charged in a federal indictment, and warning that more data would be released otherwise.

The seller ‘gnosticplayers’ is back with a collection of 93 million stolen account credentials from 8 companies. This is the third batch made available for sale by gnosticplayers on the Dream Market marketplace; it is priced at 2.6249 bitcoin, amounting to roughly $9,400.

Earlier, a first batch containing almost 620 million stolen accounts from 16 companies and a second batch of 127 million stolen accounts from 8 companies were put up for sale on Dream Market.

Dream Market is a Dark Web marketplace where criminals sell an assortment of illegal products, such as user data, drugs, weapons, malware, and more.

What data was involved in the stolen accounts?

The data involved in the stolen accounts included first and last names, sex, phone numbers, location addresses, email addresses, usernames, passwords, SHA1-hashed passwords and password salts, IP addresses, login logs, API keys, company information, banking information, PayPal details, Facebook IDs, and more.

Eight companies affected

The stolen accounts belonged to the following 8 companies:

  1. – 3.86 million records, priced at 0.35 bitcoin
  2. Jobandtalent – 11 million records, priced at 0.4995 bitcoin
  3. Onebip – 2.6 million records, priced at 0.2626 bitcoin
  4. StoryBird – 4 million records, priced at 0.2334 bitcoin
  5. StreetEasy – 1 million records, priced at 0.175 bitcoin
  6. GfyCat – 8 million records, priced at 0.35 bitcoin
  7. ClassPass – 1.5 million records, priced at 0.204 bitcoin
  8. Pizap – 60.8 million records, priced at 0.583 bitcoin

The breached companies span various sectors: a movie-sharing service, a job portal, a mobile payment platform, a storytelling service, real estate, GIF image hosting, a fitness service, and an online photo editor.

Message posted along with listings

Each listing the seller posted on Dream Market was accompanied by a message demanding fair justice for George Duke-Cohan, who was arrested and charged in a federal indictment, and warning that more data would be released otherwise.

George Duke-Cohan is a member of the Apophis Squad who was arrested and charged in a federal indictment with making false threats against schools and other institutions and launching DDoS attacks on websites.

“George Duke-Cohan is a young and talented boy, instead of giving him a chance, the UK govt sends him to prison for three years. Now, he’s been told by the American government, that he faces 65 years for the offense he was already sentenced to three years in the UK. It means he will be judged twice ??

May this upcoming release of dumps serve as a reminder:

When countries claim to respect their citizens, they have duty protect them. I wouldn’t be surprised whether George Duke-Cohan ends his life, the UK gov already destroyed him and doing this is like sentencing him to death. If he is not given a fair justice during the upcoming days, weeks, years, more data will be released….,” the message read, ZDNet reported.

The seller takes credit for the breaches

The seller ‘gnosticplayers’ admitted to being responsible for the hacks and denied being merely an intermediary. The seller noted that he plans to sell over one billion account credentials and then disappear with the money.

“My two main goals are: -money -downfall of American pigs. New leaks are coming, including one from a cryptocurrency exchange,” gnosticplayers told ZDNet.

Attackers exploit two-year-old vulnerability to infect MSPs with GandCrab ransomware

  • Attackers are exploiting a SQL injection vulnerability in the Kaseya VSA plugin to infect MSPs’ clients with GandCrab ransomware.
  • ConnectWise noted that only companies that have the plugin installed on-premises were impacted.

Attackers are targeting Managed Service Providers (MSPs) in order to infect their clients with the GandCrab ransomware. They have leveraged a two-year-old vulnerability in a software package used by MSPs to gain access to vulnerable networks and deploy GandCrab on the MSP clients’ endpoints.

Vulnerability in the Kaseya VSA plugin

The vulnerability exists in the Kaseya VSA plugin for the ConnectWise Manage software, a professional services automation (PSA) product used by IT support firms. This Kaseya VSA plugin allows MSPs to link data from the Kaseya VSA remote monitoring and management solution to a ConnectWise dashboard.

Many small IT support firms and managed service providers (MSPs) use the two applications to centralize data from their clients and manage customer workstations from a remote central location.

The vulnerability (CVE-2017-18362) in the Kaseya VSA plugin could allow an attacker to create new administrator accounts on the main Kaseya app.

Patch released but not updated by companies

Kaseya has released patches to address this vulnerability; however, many companies failed to update the Kaseya plugin on their ConnectWise dashboards, leaving their networks vulnerable to attack.

Taunia Kipp, Kaseya executive VP of marketing and communications, said that the company identified 126 companies that had failed to update the plugin and were vulnerable to attack.

“We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with resolution,” said Taunia Kipp in an interview with MSSP Alert.

MSPs’ clients infected with GandCrab

At the end of January 2019, attackers started exploiting this vulnerability. A Reddit post revealed that attackers breached an MSP’s network and then deployed GandCrab ransomware on almost 80 client endpoints.

ConnectWise observed a growing number of ransomware attacks exploiting the Kaseya plugin vulnerability. Furthermore, ConnectWise noted that only companies that have the plugin installed on-premises were impacted.

In response to the evolving ransomware attacks, ConnectWise has issued a security alert requesting its users to update their ConnectWise Manage Kaseya plugin.

“Kaseya takes security very seriously and recommends that all customers using the Connectwise Plugin for VSA upgrade to the newly released version of the Plugin immediately or alternatively remove all versions of this Plugin,” ConnectWise stated in the security alert.

Discover Financial Services notifies customers of data breach incident

Discover Financial Services has filed a data breach incident notification with the California attorney general’s office stating that some of its cardholders may have had their account information compromised.

Discover supplied few details in its Jan. 25 filing and cannot even tell its customers exactly what information may have been exposed, but it did specifically state that the breach did not directly involve any Discover card systems. The company stated that the breach was spotted on Aug. 13, 2018.

The company is issuing new cards as a precaution and is asking cardholders to keep an eye on their accounts for any fraudulent activity. Discover also reassured affected cardholders that they will not be held responsible for illegal charges made to their cards, and asked them not to contact the merchants listed for these purchases.

“To be clear, Discover was not breached. Other outlets are indicating as such without checking with us. We’re just trying to keep the discrepancy clear,” Jon W. Drummond, Discover’s director, external relations/media relations told SC Media.

Drummond added that this is a routine filing required by the state of California whenever a company doing business in the state responds to a cybersecurity incident involving more than 500 residents.

Industry executives met the incident with a mix of annoyance and hope that current and upcoming legislation, along with a few technical changes, can offer consumers some relief in the future.

“New legislation, such as the EU’s GDPR, the pending California Data Privacy coming into force in 2020, and the new national bill proposed by Marco Rubio, the American Data Dissemination Act, create a regulatory barrier only met by the end-to-end use of encryption within these financial systems. You must ensure that your data is encrypted, both in the database, and in transit (middleware, API, etc.) and in use. Similarly, your business partners must be held to the new standards you require internally,” said Anthony James, chief strategy officer at CipherCloud.

Felix Rosbach, product manager at comforte AG, told SC Media that companies handling payment information have to institute a wide range of controls to ensure the safety of their customers’ data.

“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward,” he said.

Rosbach also suggested that all data should be pseudonymized, with merchants and issuers using only tokens instead of clear-text data to process payments and store sensitive data. That way, if the payment information is compromised, it is useless to the attacker.
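The tokenization Rosbach describes, as an added illustration that is not code from comforte AG or any product mentioned above: a hypothetical vault hands merchants a random, format-preserving token (same length, last four digits kept for receipts) that deliberately fails the Luhn check, so it can never be confused with a real card number, and the clear-text PAN never leaves the vault. The card number and the `TokenVault` class are constructed for this example.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn checksum: real card numbers (PANs) pass it; our tokens are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service (constructed for this example).

    The vault is the only system that ever holds clear-text PANs. Merchants,
    processors and backups store the token; the same card always maps to the
    same token so refunds and loyalty lookups still work without the PAN.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: same length, last four digits kept."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits, not derived from the PAN, so a stolen token reveals nothing.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject Luhn-valid candidates so a token can never be mistaken for a real PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the issuer-side process that must see the PAN calls this."""
        return self._token_to_pan[token]
```

A merchant database that stores only `vault.tokenize(pan)` yields nothing usable if it is dumped the way the POS data in the North Country incident was, because the mapping back to the PAN exists only inside the vault.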