Credit and debit card fraud targets US hotel visitors

White Lodging, the company that manages a number of hotels in the US chains Hilton, Marriott, Sheraton and Westin, appears to have been leaking thousands of guests’ credit and debit card details throughout much of 2013.

Security journalist Brian Krebs reports hearing from banking industry sources in January about a pattern of fraud on cards used at the hotels from about 23 March 2013 until the end of 2013.

The fraud showed up at specific hotels in the US cities of Austin, Texas; Chicago, Illinois; Denver, Colorado; Los Angeles, California; Louisville, Kentucky; and Tampa, Florida.

The common denominator, it turns out, is that all of the affected hotels in those locations contain businesses run by White Lodging Services Corporation, which owns, develops and/or manages premium hotel brands.

Krebs’s sources said that it was mostly the restaurants, gift shops and other businesses that White Lodging runs inside some of the hotels that were hit, rather than the front desk computers that check guests in and out.

That means that the only Marriott guests who should be affected are those who used their cards at gift shops and restaurants, Krebs notes.

Marriott issued a statement saying that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.”

Sophos’s Chester Wisniewski and Numaan Huq have been tracking the malware behind rigged PoS systems for more than three years and are about to present their research at this year’s RSA Conference.

Marriott mentioned fraud “at a number of hotels across a range of brands”, which makes it sound as though we may well still hear of other hotel brands serviced by White Lodging having been targeted.

So if you’ve stayed in a hotel, paid for something in a hotel restaurant or gift shop, bought crafting supplies, or basically used any sliver of plastic in your wallet or purse to buy so much as a gumball, keep an eye out for suspicious charges on your statement.

Spy agencies are slurping personal data from leaky smartphone apps

The US National Security Agency (NSA) and its UK counterpart, GCHQ, have been honing their data-slurping techniques to suck up anything they can get from leaky smartphones, the Guardian reported on Tuesday.

Beyond device details, data shared over the internet by iOS and Android apps can include personal information such as age, gender and location, while some apps share even more sensitive user information, such as sexual orientation or whether a given user might be a swinger.

The Guardian, relying on top-secret documents handed over by whistleblower Edward Snowden, says that the agencies are developing capabilities to extract this private information from apps as innocuous as the hugely popular Angry Birds game.

Reporting in partnership with the New York Times and ProPublica, it revealed that the NSA and GCHQ have “common tools” ready to deploy against iPhone, Android and other phone platforms.

The agencies also apparently think of Google Maps as a gold mine. The Guardian reports that one project involved intercepting Google Maps queries from smartphones to collect large volumes of location data.

The documents suggest that, depending on how much information a user has provided in his or her profile on a given app, the agencies could collect “almost every key detail of a user’s life”, the Guardian reports: home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and number of children.

Given how popular Angry Birds is, and given that the secret documents use it as a case study, some articles have hung Angry Birds in their headlinery – that’s like finery, but with headlines instead of undies.

But Angry Birds shouldn’t be singled out as being in any way subverted or corrupted by the NSA or GCHQ.

Angry Birds is, after all, just one of thousands of mobile apps, none of which has been accused of being complicit with, or data-raked by, the NSA or GCHQ – rather, the agencies are, as the news reports say, simply tapping the data as it flies across the network.

It’s easy to see why: it’s a heck of a lot more fun to have apps spill our beans, since in exchange we get connected to communities or get shiny doo-dads. All we have to do is fill out profiles with stuff they don’t actually need – birthdates, marital status and so on.

We can take back a large chunk of our privacy simply by refusing to hand over data, whether it’s given in a profile or beamed out when we have WiFi and/or geolocation turned on.

Cinching our data belts can be done with three simple steps, outlined by Naked Security in the Privacy Plan Diet.

If you can live without “Find My iPad” or other such geolocation-dependent goodies, you can keep a lot of your data out of the hands of spies, marketers or other data busybodies.

But beyond information knowingly handed over in profiles, phone apps have a nasty habit of sharing more data than users may realise.

Sometimes the holes come from software bugs, but sometimes data leakage is an unintended effect of users’ own deliberate actions, such as:

Twitter users having geolocation turned on, using the word “home” in their tweets and, presto! thereby potentially handing a nosy little app their home address.

Soldiers snapping photos that smartphones then automatically geotag, giving the enemy their coordinates.
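As an added example (my own code, not part of the original article), the script below shows how little work it takes to turn the first kind of leak into a street-level address: it takes a handful of constructed geotagged posts, keeps the ones that mention “home”, buckets their coordinates into roughly 100 m cells and returns the densest cell. The same script run over the posts with their geotags stripped learns nothing, which is the whole point of turning geolocation off. The posts and coordinates are made up, and the function names are my own.

```python
# Added example (not from the original article): turning geotagged posts that
# mention "home" into a probable home location, and the mitigation.
# SAMPLE_POSTS is constructed sample data, not real tweets.
from collections import Counter
import re

SAMPLE_POSTS = [
    {"text": "Finally home, feet up",          "coords": (51.50135, -0.14189)},
    {"text": "Coffee downtown",                "coords": (51.51420, -0.10950)},
    {"text": "home again after a long day",    "coords": (51.50141, -0.14197)},
    {"text": "Working from home today",        "coords": (51.50129, -0.14183)},
    {"text": "at the gym",                     "coords": (51.50801, -0.12800)},
    {"text": "Heading home now",               "coords": None},   # geotag off: nothing to learn
    {"text": "Visiting my parents' home",      "coords": (52.48600, -1.89000)},
]

HOME_RE = re.compile(r"\bhome\b", re.IGNORECASE)


def home_candidates(posts):
    """Posts that mention 'home' AND carry a geotag; everything else is useless to a snoop."""
    return [p for p in posts if p["coords"] is not None and HOME_RE.search(p["text"])]


def infer_home(posts, precision=3):
    """Bucket the candidate geotags into ~100 m cells (3 decimal places of lat/lon)
    and return the densest cell as (lat, lon, post_count), or None if nothing usable."""
    cells = Counter(
        (round(p["coords"][0], precision), round(p["coords"][1], precision))
        for p in home_candidates(posts)
    )
    if not cells:
        return None
    (lat, lon), count = cells.most_common(1)[0]
    return lat, lon, count


def strip_geotags(posts):
    """Mitigation: the same posts with location data removed (geolocation turned off)."""
    return [{"text": p["text"], "coords": None} for p in posts]


if __name__ == "__main__":
    print("with geotags:   ", infer_home(SAMPLE_POSTS))                  # (51.501, -0.142, 3)
    print("geotags stripped:", infer_home(strip_geotags(SAMPLE_POSTS)))  # None
```

Three posts land in the same cell, so the “home” cell wins even though one post mentions a parent’s home hundreds of kilometres away; a real snoop would add a time-of-day filter (posts at night are even better evidence), but the keyword-plus-geotag combination is already enough.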

Beyond bugs and deliberate leakage from probably-inattentive users is yet another category: apps that silently gulp data in the background while doing innocent-seeming things in the foreground, such as being a flashlight or a mobile game for kids.

Law enforcement in US, China, India and Romania work together to arrest hackers-for-hire

Law enforcement agencies in four countries have worked together to take down a number of hackers-for-hire, all accused of operating websites offering to break into email accounts for a fee.

Arrests were made over the last week in the US, China, India and Romania, with customers of hacking services also picked up in the US, making a total of eleven arrests all told.

The target of the coordinated swoop was a cluster of websites offering bespoke hacking services, mainly breaking into email and social networking accounts for a variable fee. It’s not clear whether there was any connection between the sites or their operators, other than their shared business model.

In the US, the FBI filed charges against five people, the main targets being two men from Arkansas thought to be behind the site.

The site is thought to have been involved in breaching over 6,000 email accounts. The men could face up to five years’ jail time if found guilty.

The other three defendants are accused of being customers of hacking sites. Two paid just over $1,000, while the third, from California, is alleged to have handed over more than $20,000 to a Chinese hacking site.

The Feds did not disclose whether this was the same site operated by Ying “Brent” Liu, who was picked up by Beijing police in connection with another email hacking website linked to around 300 account compromises. Local reports claim Liu “confessed during interrogation”.

Meanwhile in India another man was arrested, described in local law enforcement reports only as “a Pune based private person” but named by the FBI as Amit Tiwari and linked to two websites connected to over 900 email account breaches.

Finally, Romanian police have picked up and charged four people in connection with six different websites which may have been behind around 1,600 further account break-ins.

All in all it seems like a pretty successful operation, made all the more impressive by the complexities of international cybercrime law and the difficulties involved in coordinating action between several law enforcement agencies, all operating under different legal codes.

Cybercrime and law blogger Gary Warner called the cooperative effort “unparalleled” and a “great sign” of tough times to come for cybercrooks.

As well as giving details and screenshots of many of the sites involved, Warner also speculates that the Romanian haul may include the notorious celebrity-hacker known as Guccifer, previously thought to have been picked up last week.

Cybercrime is a worldwide problem and requires worldwide measures to combat it. As we’ve seen several times recently, the cyber cops of the world seem to be doing an ever better job of working together, pooling information and resources and coordinating cases across borders to good effect.

We’re also seeing ever more action on the legal side of things, with countries from Pakistan to Nigeria working on or finalising new laws to deal with cybercrime.

If President Goodluck Jonathan gets his way, the Nigerian proposal may even include the death sentence for cases involving critical infrastructure or loss of life, according to local reports.

It’s important for those drafting and approving these laws to take into account the global nature of cybercrime, and to make sure their local laws enable cooperation and collaboration with legal systems and enforcement agencies around the world.

So, it might be best to steer clear of punishments some might think a little extreme.

On a brighter note, if the trends demonstrated in the hackers-for-hire case continue, we could one day end up with a properly organized set of laws covering digital crimes all over the world, and a set of enforcement agencies to back them up, all working in unity.

FBI warns of crimewave striking cash registers

The US Federal Bureau of Investigation (FBI) has warned retailers to harden their defences against cyber-heists – particularly those that grab credit card details from shoppers, as happened to Target.

The BBC reports that Reuters got its hands on the warning, which went out as a classified report to large retailers.

The FBI reportedly said that over the past year it has seen about 20 cases in which data was stolen using the same type of malware as that planted on Target’s credit and debit card swiping machines, cash registers and other point-of-sale (PoS) equipment.

The agency expects PoS malware crime to continue to grow in the near term, despite whatever mitigations law enforcement and security firms throw at it.

The profits are huge, and the PoS malware code is both too cheap and too widely available on underground markets for thieves to resist, the FBI said.

According to the FBI’s report, one copy of this type of PoS malware was found on sale for only $6,000 (£3,600).

That’s actually a bit pricey. I don’t know where they’re shopping, but they’re paying top dollar.

Cybersecurity consultants Group-IB back in September 2013 found booby-trapped bank card readers for half that price.

The ones they came across were bundled with a suite of money-stealing support services that offered to make fraud a snap: $2,000 (£1,200) on a rental basis or $3,000 (£1,800) for crooks who just want to buy the hacked terminals outright.

The FBI wasn’t naming names when it came to whose PoS systems have been ambushed, mind you, but Target is the name that’s ringing a lot of bells in that sector these days.

A couple weeks ago, Target CEO Gregg Steinhafel told CNBC in an interview that there was malware installed on the retailer’s PoS registers.

We don’t know yet whether those rigged registers were behind the breach of Target’s (at least) 70 million data records.

But it wouldn’t be terribly surprising if those hacked PoS systems were the means by which the thieves got to the vast universe of Target customers.

As SophosLabs researcher Numaan Huq describes in this Naked Security article, this type of card fraud is ripe for getting our card data plucked from our hands if we so much as pull out the plastic to pay for one measly candy bar.

In fact, “Buy candy, lose your credit card” is the name of a 2014 RSA Security Conference session, in February, in which Numaan and Chester Wisniewski will present a paper on the industrialisation of this type of card fraud.

The subject of the paper and the presentation is one specific type of PoS malware called RAM scraping: very interesting stuff that gets into the nuances of how card data is most definitely not encrypted end-to-end in PoS systems, in spite of their being compliant with the payment card industry’s data security standard, PCI-DSS, and how RAM scraping takes advantage of that.
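To make the RAM-scraping point concrete, here is an added example (my own code, not the Sophos paper’s and not a real malware sample): PoS malware does not need to break any cryptography, because the card data that is encrypted on disk and on the wire is briefly held in plaintext in the PoS process’s memory, in the magnetic-stripe Track 1 and Track 2 formats. A scraper simply sweeps that memory with a regular expression for track records and uses a Luhn check to discard random digit runs. Run the same sweep over a memory dump of your own PoS software and you have a quick test for whether it is leaving track data lying around. The memory image below is constructed, and the PANs are published test numbers, not real cards; the function names are my own.

```python
# Added example (not from the original article or the Sophos paper): the core of a
# RAM scraper is a regex sweep of process memory for magnetic-stripe track data,
# plus a Luhn check to drop false positives. Run by a defender over a memory dump,
# the same sweep detects unencrypted card data in a PoS process.
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: scrapers use it so they only exfiltrate plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the PCI-DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape(memory: bytes):
    """Return every Luhn-valid track record found in a memory image (PAN masked)."""
    found = []
    for m in TRACK1_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 1, "pan": mask(pan), "name": m.group(2).decode(),
                          "exp": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 2, "pan": mask(pan),
                          "exp": m.group(2).decode(), "offset": m.start()})
    return found


# Constructed memory image: a Track 1 record, a Track 2 record and a decoy whose
# digits fail the Luhn check. 4111...1111 and 5555...4444 are published test PANs.
FAKE_MEMORY = (
    b"\x00\x00POS_APP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"   # Track 1, test PAN
    b"\x00\x00\x00"
    b";5555555555554444=2512101123456789?"              # Track 2, test PAN
    b"\x00\x00"
    b";1234567890123456=2512101?"                       # Luhn-invalid decoy, ignored
)

if __name__ == "__main__":
    for rec in scrape(FAKE_MEMORY):
        print(rec)
```

On a real system the input is the memory of the payment application (read via the OS debugging interface), which is why the defence that actually works is point-to-point encryption in the card reader itself, so that the PoS process never handles cleartext track data at all; PCI-DSS at the time required encryption of stored and transmitted card data, not of card data held in RAM, which is exactly the gap RAM scrapers live in.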

Hacker Guccifer apparently arrested in Romania

Guccifer, hacker of the stars, has reportedly been nabbed by police in Romania.

Guccifer has grabbed a slew of material from celebrities over his star-studded career, including ex-US President Bush’s self-portrait in the bathtub, former US Secretary of State Colin Powell’s Facebook account, emails that portray Powell as having had an affair with Romanian politician Corina Cretu, and even the script for the Downton Abbey finale.

According to a Romanian news story, a man believed to be the hacker, Marcel Lazar Lehel, was arrested on Wednesday in his village. Much of the reporting is coming from Romanian sources, meaning we’re relying on web-based translation, but The Times says that so far, we know this about the man being held:

Although little is known about Mr Lehel, it is understood he was sentenced to three years’ supervised release in February 2012 after being arrested … for hacking the e-mail and Facebook accounts of various public figures in Romania.

According to the Romanian newspaper Adevărul, police tracked Lehel down to his village of Sâmbăteni, in Arad County, where he lives with his wife and daughter and rarely leaves the house.

The raid was organised by Romania’s Directorate for Investigating Organised Crime and Terrorism, which said that it was cooperating with the US authorities. Adevărul reports that Lehel has used the alias “Little Smoke” in the past.

The newspaper quoted the commune’s mayor, Petru Nicoară, who went to the village on Wednesday morning:

Everyone describes him just as I knew him: as a quiet man who keeps to the house… I heard he spent his days at the computer.

Of course, plenty of us spend our days innocently enough at our computers, so we’ll presume Lehel is innocent until proven guilty.

Sex and the City writer hacked, draft of new book is released online

Candace Bushnell, the author famous for “Sex and the City”, has fallen victim to a hacker who not only broke into her Twitter account, but also published parts of her as-yet-unfinished next book on the internet.

Although the creator of Carrie Bradshaw seems to have removed the hacker from her Twitter account, and deleted the malicious tweets, an early draft of what appear to be the first 50 pages of Bushnell’s book – currently titled “Killing Monica” – is available on the internet for anyone to download and read to their heart’s content.

In addition, the hacker has also published screenshots of personal emails from Bushnell’s Earthlink account between her, her publishers and her literary agents. Interestingly, the hacker taking credit for the compromise of Bushnell’s accounts and the leak of her book draft is “Guccifer”.

Regular readers of Naked Security will remember that Guccifer is the hoopy frood who thought it was a good idea to break into accounts belonging to Colin Powell and former US Presidents George H W and George W Bush.

From the looks of things, Candace Bushnell has been sloppy with her computer security – perhaps choosing an easy-to-guess password, using the same password in several places or allowing her password to be phished by a hacker. But furthermore, the incident underlines the value of encrypting sensitive files (such as the first 50 draft pages of a forthcoming book) so that even if your email account *is* compromised, a hacker won’t be able to read any attachments which could be personal or commercially sensitive.

Nobody likes to be hacked, of course. And it is a criminal act which should be investigated by the authorities. And Bushnell and her publishers have the right to choose how and when extracts from her book are shared with a wider audience.

But you can’t help but wonder if Candace Bushnell’s publishers might be able to turn a potential disaster into a PR opportunity, and use this unfortunate incident as a chance to boost interest in the popular author’s next book.

Burglar who took Steve Jobs’s iPad gets seven years

Whenever talk turns to jail time for cybercrime, the fur of legal argument starts to fly.

Back in 2005, for example, a young Phil Harvey and Jordan Bradley of self-styled UK cybercrime group Thr34t Krew were sentenced for offences related to malware.

They got six months and three months respectively.

We ran a poll in which 86% of respondents felt they should have been dealt with more severely.

On the other side of the Atlantic, in 2006, 21-year-old Jeanson James Ancheta was sentenced for running a botnet of 400,000 PCs. He got 57 months (almost five years); 60% of the people we polled thought he should have got more.

Take the malware out of the loop, though, and views on the penalties for cybercrime, and even on what constitutes cybercrime, seem to soften.

Infamous UK hacker Gary McKinnon fought tooth and nail for ten years to avoid extradition to the US, even after admitting he broke into computer systems belonging to NASA and the US Department of Defense.

In 2006, only 48% of our respondents thought he should be sent for trial in the US.

By 2009, that rate had dropped considerably, with just 29% saying he ought to face the music, even though his guilt was not in question.

Celebrity musician Sting went so far as to say that McKinnon’s situation was “a travesty of human rights,” despite McKinnon having admitted the charges on which he faced prosecution.

In the end, McKinnon got the result he wanted and was let off scot-free (if you ignore the ten years of worry, uncertainty and legal cost he put himself through to avoid the US). He won’t be extradited and he won’t be charged in the UK.

Not all criminals are that lucky.

We wrote about burglar Kariem McFarlin last year, a criminal who might have stayed ahead of the law a little longer if he had been a bit more cybersavvy.

He’s the guy who lost his job, started to run out of money and decided to start helping himself to other people’s things from empty homes around San Francisco.

One burglary saw him grabbing items from the apparently-empty house of the widow of the late Steve Jobs. This haul famously included a wallet containing Jobs’s official annual salary: $1.

McFarlin also made off with the Jobsian iPad (a full-sized model, naturally, not one of those new-fangled minis). Unfortunately for our criminal, call-home tracking software on the device dobbed him in to the police as soon as he turned it on.

McFarlin pleaded guilty, under an agreement limiting his maximum sentence to about half of the sixteen-year stretch he might in theory have got if he had fought the case and lost.

Earlier this week, he found out his sentence, which saw him put away for seven years. Apparently he will get out after half of that time if he doesn’t misbehave while he’s inside.

(He didn’t steal just from Laurene Powell Jobs’s house. He was nicked for a string of break-ins across the greater San Francisco area.)

So, to those who say that cybercriminals get a hard time, with “real” criminals often getting lighter sentences for “real-world” offences, McFarlin could be regarded as the exception that disproves your theory.

Emma Watson: the world’s most dangerous celebrity in web search

Harry Potter star Emma Watson has been found to be the world’s most dangerous celebrity in internet search, as cyber criminals use her image to trick users into visiting malicious sites, downloading malware or handing over personal information. McAfee’s research found that Watson is currently the celebrity most exploited by cyber criminals to steal internet users’ personal information. It also found that female celebrities are more likely to be used as bait by attackers. There’s a one-in-eight chance of landing on a malicious site when searching for the 22-year-old.

McAfee provides the following guidelines to help internet users defend themselves against malware and phishing:

  • Be wary of any download that prompts you to click something before showing the actual content.
  • Free downloads carry a high risk of infecting your computer. If you download files or videos, be careful what you click.
  • Since most people use several devices to search for celebrities, make sure you have up-to-date, complete security on all of your devices.

Facebook scammers – latest target is Rihanna

Facebook scammers like to share fake links to drive traffic to their sites. They mostly share fake links about celebrities like Lady Gaga, Christina Aguilera, Charlie Sheen, Justin Bieber, Miley Cyrus and Emma Watson. Now their latest target is Rihanna.

Links to a supposed sex video of her are spreading on Facebook right now along with messages like “OMG – I just hate RIHANNA after watching this video” and “you will lose all your respect for RIHANNA after watching this.” This is how the Facebook scammers make money. They also tell all their visitors to share the link with all their Facebook friends.

Don’t click on everything your friends share on Facebook. Report it if you see a scam like this one and make sure you aren’t spreading it on your own wall. Clean up scam messages like this as soon as possible, and it’s a good idea to review your Facebook security settings.

Bieber’s naughty webcam is another Facebook survey scam

The Facebook survey scammers are up to their dirty tricks again, now trying to trick you into believing that pint-sized pop sensation Justin Bieber has been naughty on his webcam.

For at least the last 24 hours messages have been appearing on the social network, apparently posted by innocent users, saying:

Did you see how Justin Bieber got naughty on his webcam?

Justin Bieber gets naughty on his webcam – shocking video!

Justin Bieber like you never saw him before.

Clicking on the link takes you to a webpage which poses as a video of Justin Bieber engaged in a webcam chat with a female admirer. According to the site, Justin Bieber asked random girls on the internet to tease him on his webcam (something, you imagine, that his ardent female fans might be all too willing to do).

OMG! Justin Bieber webcam scandal revealed!

Justin Bieber asked random girls to tease him on webcam

What will they do? What will he do? You will be in shock when you see the full video!

However, if you were hoping to watch the alleged video you’ll have to jump through some hoops first. As is usual with these kinds of scams, the pages want you to “Like” and “Share” their content on Facebook before they will let you see the “shocking video”.

If you’re in any doubt as to whether this is a wise course of action or not, the site displays some “comments” from other fans confirming how “shocking” and “naughty” the video is.

So, the scammers are trying to get you to share the link as much as possible – with the promise of showing you a shocking video of Justin Bieber flirting on a webcam at the end. Their hope is that you will share the link far and wide, increasing the number of people who might go through with the process and – ultimately – take a paid survey.

Surveys like this not only harvest your personal details, but also earn commission for the people who are spreading these links around. In the worst cases they even ask for your phone number and sign you up for expensive premium-rate services. It’s time that Facebook users got wise to this trick, and refused to play ball.

If there really were an amazing shocking video of Justin Bieber you can be very sure that it would be showing on a sleazy TV news channel very soon, rather than being hidden behind Facebook pages that make you take online surveys and pass on their links.

This isn’t the first time that Justin Bieber has been used as bait by online scammers, and it won’t be the last. If you fell for the scam, remove references to it from your messages and newsfeed. In particular, make sure that you have also removed it from the list of “Movies” you like, where it has sneakily inserted itself for others to stumble across: