Friday, 24 January 2014
Authorities indicted 13 thieves for using Bluetooth-enabled card skimmers at multiple gas stations throughout the southern United States to steal more than $2 million over a one-year period.
The four lead defendants are accused of installing card skimming devices at various Raceway and RaceTrac gas stations in Texas, Georgia, and South Carolina, according to a statement by New York District Attorney Cyrus R. Vance, Jr. The gang created cloned cards using the stolen credit and banking card numbers and PIN codes to withdraw money from ATMs and deposit it into New York-based bank accounts under their control. A group of money mules in California and Nevada then withdrew the money in small amounts.
The ring laundered approximately $2.1 million in this multi-state operation from March 26, 2012 until March 28, 2013, when the leaders were arrested, according to the statement. "By using skimming devices planted inside gas station pumps, these defendants are accused of fueling the fastest growing crime in the country," Vance said.
"This type of fraud is getting tougher and tougher to protect against as attackers are getting more intelligent in their implementation," Tom Gorup, security operations center analyst of Indianapolis-based security consulting and services firm Rook Security, told Security Watch.
Stealing Data Remotely
Fraudsters have been using card skimmers on ATMs and gas station pumps for a while, but the use of Bluetooth-enabled skimmers became a problem fairly recently, in late 2012. In the past, thieves generally had to come back and physically remove the skimmers in order to harvest the stolen data. Using Bluetooth in the skimmers makes it significantly easier to extract data, as thieves can grab the data remotely, making it harder to catch them in the act, Gorup said.
These thieves can be across the street with a laptop downloading the information since Bluetooth can easily transmit over 100 feet. It also means the attackers can just leave the skimmer in place and keep collecting the data over and over again.
It is difficult for customers to even detect the skimmers in the first place because they are installed internally. A law enforcement source in California told security writer Brian Krebs the attacks frequently take place on weekends and in the early hours of the morning. One person would pretend to pump gas while the other would enter the store to buy something. With the station attendant distracted, the person outside would then open the front of the pump with a universal key and place the skimming device inside. "Time to install/remove is between 5 – 10 minutes," Krebs reported.
What You Can Do
Even though there is virtually no way for the average consumer to tell if a pump—or the ATM, or any of the many places where you would swipe your payment card—has been modified, there are some steps you can take to help minimize the risks.
First and foremost, avoid paying at the pump using a debit card. While banks offer the same zero-liability protection on debit cards as they do on credit cards, it will take time for that money to come back into your bank account.
Get in the habit of tugging, or wiggling, the card reader before you put in your card. If it moves, then look for a different pump, ATM, or kiosk. I've also been told by security experts to wiggle the card when taking it out to make it harder for the skimmer to read the data.
When possible, become a creature of habit and use the same device, such as the same pump at the gas station, the same ticket kiosk at the train station, or the same ATM at your bank. That way, you will be more likely to notice physical changes, such as different colors on the keypad, exposed cables, or just the way the keys feel when pressed, Gorup said. It's also a good idea not to use a machine that has exposed USB or Ethernet ports since attackers could have tampered with the device.
"Attackers are going to limit their risk by attacking the low hanging fruit," Gorup said. They are less likely to compromise terminals that are in highly-visible or protected areas with cameras. Those are the terminals you should be using.
And of course, stay on top of your bank statements and track all account activity. Report suspicious transactions immediately.
"Cybercriminals and identity thieves are not limited to any geographic region, working throughout the world behind computers," Vance said. We do what we can to stay out of their clutches.
General counsel for Microsoft Brad Smith confirmed that the company is considering letting non-US customers opt to have their data only pass through and be stored in non-US data centres, during an interview with the Financial Times (FT).
Smith said the move would help allay European businesses' ongoing concerns about links with US-based technology companies. "People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides," Smith told the FT.
It is currently unclear whether Microsoft is actually in the process of implementing the measures outlined by Smith, or how businesses could make requests to only have their data stored locally. At the time of publishing Microsoft had not responded to V3's request for comment.
It is also unclear if the measure would actually fully protect businesses from US intelligence agencies. Currently, US law states that law enforcement and counter-terrorism units are entitled to demand that businesses based in America hand over their data, irrespective of where it is stored, if it is a matter of national security.
The NSA repeatedly used the powers during its PRISM operations, which saw it siphon vast amounts of web user data from numerous technology companies including Microsoft, Apple, Google, Yahoo, Twitter and Facebook.
The public backlash against the US government and NSA led president Barack Obama to announce a wave of reforms last Friday, regarding how and what data intelligence agencies can collect. However, many commentators remain unconvinced that the reforms will do enough to fully calm European firms' concerns.
Smith told the FT that to properly protect businesses and citizens from intelligence agencies, new international legislation is required. The current "Mutual Legal Assistance Treaty" mechanism used by the US and EU is outdated and "needs to be modernised or replaced", Smith said.
He added: "If you want to ensure that one government doesn't seek to reach data in another country, the best way to do it is [with] an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process."
Microsoft is one of many companies to consider rethinking how data running on its network is carried and stored. Deutsche Telekom hinted in October that it was planning to rework its system to only route German customer data through local data centres.
Kaspersky Lab revealed the statistics in its "Spam in December 2013" threat report, but reported that it expects spam levels to drop over the next month.
"The proportion of spam in global email traffic was up by 0.8 percent in December, reaching 73.3 percent. The amount of spam in circulation in January will probably be smaller, since early January is a quiet time for spammers," read the report.
During the period, China, the US and South Korea were shown to be the worst offenders. China topped the list, as the source of 23.1 percent of the world's spam. Below it, the US ranked second, with 19 percent of all spam. South Korea took third, with 13.9 percent of all spam. The UK did not make it onto the list of sources.
Interestingly, despite being third globally, South Korea was listed as being the source of 53.1 percent of spam targeting Europe. By comparison the US was only responsible for 7.4 percent of European spam. Britain was listed as being the source of just 0.8 percent of all European spam messages and failed to make it into the global list.
Kaspersky reported that its antivirus software detected the most malicious attachments in email in Great Britain, indicating that it is a high-priority target in Europe. Kaspersky said 14 percent of all malicious email attachments were detected in Great Britain. The statistic marks a 1.7 percent increase on the Kaspersky antivirus detection levels recorded in November. The US took second place, with 13.2 percent of all antivirus detections.
The research highlighted a phishing campaign masquerading as a message from Samsung as being particularly prevalent in December.
"In December, we saw a large number of messages sent on behalf of Samsung. Emails sent on behalf of Samsung were supposedly written by one of the company's managers. In the messages, the ‘manager' wrote that he needed to arrange for certain goods to be supplied at short notice and that, after a long search for an intermediary, the recipient and his/her company was selected. The order for the goods to be supplied was included in the attached file," read the paper.
"In reality, the file attached to the message was a malicious program detected by Kaspersky Lab as Trojan-Spy.Win32.Zbot.qzpl. This is a Trojan spy from the Zbot/ZeuS family, designed to steal the user's confidential information."
Data-siphoning Trojan malware has been a growing problem facing businesses. Advanced threat mitigation experts at FireEye reported uncovering six new data-stealing malware variants targeting the Android platform on Tuesday.
Security response manager at Symantec Alan Neville told V3 the malware is atypical as it uses a two-stage attack process to jump from Windows PCs to Android handsets.
"It starts with a Trojan that when executed creates a new service on a Windows machine," he said. "It then targets Android devices that connect on USB. It uses the Android debugging bridge to deliver the Fakebank Trojan."
Fakebank is a notorious Trojan designed to take victims' financial data. Neville explained: "It looks for a specific set of Korean banking applications. If these are found the Trojan asks the user to install an update. When this notification is clicked it actually downloads a malicious version of the app."
Neville added that the Trojan is particularly nasty as it also has remote SMS message-monitoring capabilities. He said the complex nature of the attack indicates that the campaign is designed to target developers.
"The attack uses a new method that is quite complex. Because it uses the Android Debug Bridge, a mode that requires the user to activate it before connecting it via USB, its reach is quite limited and it is only really a threat to people like developers," he said.
F-Secure security analyst Sean Sullivan agreed, arguing that while the infection method is atypical, the more concerning element is the way the malware dupes users to download the malicious payload.
"Banking Trojans have been cross-platform for a while now, but not via a connected cable. They've used social engineering, injecting a request for phone model or number into the compromised Windows-based banking session," he told V3.
"To me, the more worrying thing about this particular Korean campaign is that the malicious app is prompting victims to replace mobile banking apps with counterfeits."
Trojans are a growing problem facing Android users. Thanks to the platform's open nature it is fairly easy for criminals to target Android, letting them load and distribute malicious applications onto third-party stores without scrutiny.
Cisco estimated that 99 percent of all mobile malware is designed to target the Android ecosystem in its latest threat report, released earlier in January.