Credit and debit card fraud targets US hotel visitors

White Lodging, the company behind a number of of the hotels in the US chains Hilton, Marriott, Sheraton and Westin, has been leaking thousands of guests’ credit and debit card information throughout much of 2013.

safety journalist Brian Krebs reports hearing from banking business sources in January regarding a pattern of fraud on cards used at the hotels from about 23 March 2013 up until the end of 2013.

The fraud popped up in exact hotels located in the US cities of Austin, in Texas; Chicago, in Illinois; Denver, in Colorado; Los Angeles, in California; Louisville, in Kentucky; and Tampa, in Florida.

The common denominator, it turns out, is that all of the affected hotels in those locations contain businesses run by White Lodging Services Corporation, which owns, develops and/or manages premium hotel brands.

Krebs’s sources said that it was mostly the restaurants, gift shops and other businesses that White Lodging runs within some of the hotels that were targeted, as opposed to the front desk computers that verify guests in and out.

That means that the only Marriott guests who should be affected are those who used their cards at gift shops and restaurants, Krebs notes.

Marriott issued a statement saying that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.”

Sophos’s Chester Wisniewski and Numaan Huq have been tracking malware behind rigged PoS systems for more than three years and are on the brink of presenting their research at this year’s RSA Conference.

Marriott mentioned fraud “at a number of hotels across a range of brands”, which makes it sound similar to we still might well hear of other hotel brands serviced by White Lodging having been targeted.

So if you’ve been in a hotel, paid for something in a hotel restaurant or gift shop, bought crafting supplies, or fundamentally touched any sliver of plastic in your wallet or purse at all whatsoever to buy so much as a gumball, keep an eye out for funky charges on your report.

Spy agencies are slurping individual data from spongy cell phone apps

The US’ National safety Agency (NSA) and its UK counterpart, GCHQ, have been honing their data-slurping technologies to suck up anything they can get from leaky smartphones, the protector reported on Tuesday.

Beyond device details, data shared over the internet by iOS and Android apps can include personal information such as age, gender, and location, while some apps share even more responsive user information, such as sexual first choice or whether a given user might be a swinger.

The Guardian, relying on top-secret documents handed over by whistleblower Edward Snowden, says that the spy guys are increasing capabilities to milk this private information from apps as innocuous as the insanely popular Angry Birds game.

Reporting in partnership with the New York Times and Pro Publica, they revealed that the NSA and GCHQ have “common tools” ready to throw against iPhone, Android and other phone platforms.

The agencies also apparently think of Google Maps as a gold mine. The Guardian reports that one project involved intercepting Google Maps queries from smartphones to collect large volumes of location data.

The documents suggest that, depending on how much information a user has provided in his or her profile on a given app, the organization could collect “almost every key detail of a user’s life”, the protector reports: home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and amount of children.

Given how popular Angry Birds is, and given that the secret documents use it as a case study, some articles have hung Angry Birds in their headlinery – that’s like finery, but with headlines instead of undies.

But Angry Birds shouldn’t be singled out as being in any way subverted or corrupted by the NSA or GCHQ.

Angry Birds is, after all, just one of thousands of mobile apps, none of which has been indicted as complicit with, or data-raked by, the NSA or GCHQ – rather, the spying agencies are, as news reports say, simply tapping data as it flies across the network.

It’s easy to see why: it’s a heck of a lot more fun to have apps spill your beans, since in switch over we get linked to communities or get shiny doo-dads. All we have to do is fill out profiles with stuff they actually don’t, really, need – birthdates, marital status, etc.

We can take back a large chunk of our privacy simply by refusing to hand over data, whether it’s given in a profile or beamed out when we have WiFi and/or geolocation turned on.

Cinching our data waistbands can be done with three simple steps, outlined by Naked safety in the Privacy Plan Diet.

If you can live without “discover My iPad” or other such geolocation-dependent goodies, you can keep a lot of your data out of the hands of spies, marketers or other data busybodies.

But beyond information knowingly handed over in profiles, phone apps have a nasty habit of distribution more data than users may realize.

Sometimes the holes come from software bugs, but then again, sometimes data leakage is an unintended effect of users’ own, deliberate actions, such as:

Twitter users having geolocation turned on, using the word “home” in their tweets and, Presto! thereby potentially handing a nosy small function their home address.

Soldiers snapping photos that smartphones then mechanically geotag, giving the enemy their coordinates.

Beyond bugs and deliberate leakage from probably-inattentive users is yet another category: apps that silently gulp data in the environment while they’re doing innocent-seeming things in the foreground, such as being a flashlight or a mobile phone app for kids.

Law enforcement in US, China, India, Romania work together to arrest hackers-for-hire

US China India Romania flagsLaw enforcement in four countries have managed to work together to take down a number of hackers-for-hire, all accused of operating websites present to break into email financial statement for a fee.

Arrests were made over the last week in the US, China, India and Romania, with customers of hacking services also picked up in the US, making a total of eleven arrests all told.

The target of the corresponding leap was a cluster of websites offering bespoke hacking services, mainly breaking into email and social networking sites for a variable fee. It’s not clear whether there was any connection between the sites or their operators, other than their public business model.

In the US, the FBI filed charges against five people, the main targets being two men from Arkansas idea to be behind the site.

The site is thought to have been involved in breaching over 6,000 email accounts. The men could face up to five-years jail time if found blameworthy.

The additional three defendants are accused of being customers of hacking sites. Two paid just over $1,000, while the third, from California, is alleged to have handed over more than $20,000 to a Chinese hacking site.

The Feds did not disclose whether this was the same site operated by Ying “Brent” Liu, who was picked up by Beijing police in link with another email hacking website,, linked to around 300 account compromises. Local reports claim Liu “confessed all through examination”.

In the intervening time in India another man was under arrest, described by local law enforcement reports as only “a Pune based private person” but named by the FBI as Amit Tiwari and linked to two websites connected to over 900 email account breaches.

Lastly, Romanian police have picked up and charged four people regarding six unlike websites which may have been behind around 1,600 further account break-ins.

All in all it seems like a pretty successful operation, made all the more impressive by the complexities of international cybercrime law and the difficulties involved in coordinating action connecting several law enforcement agencies, all operating under different legal codes.

Cybercrime and law blogger Gary Warner called the cooperative effort “unparalleled” and a “great sign” of tough times to come for cybercrooks.

As well as given that details and screenshots of many of the sites involved, Warner also speculates that the Romanian haul may include the notorious celebrity-hacker known as Guccifer, before now thought to have been picked up last week.

Cybercrime is a worldwide problem and requires worldwide measures to combat it. As we’ve seen several times recently, the cyber cops of the world seem to be doing an ever superior job of working together, pooling information and assets and coordinating cases across borders to good result.

Hand and computer. Image courtesy of ShutterstockWe’re also seeing ever more action on the legal side of things, with countries from Pakistan to Nigeria effective on or finishing new laws to deal with cybercrime.

If President Goodluck Jonathan gets his way, the Nigerian proposal may even include the death sentence for cases involving dangerous transportation or loss of life, according to local information.

It’s significant for those drafting and favorable these laws to take into account the global nature of cybercrime, and make sure their local laws enable teamwork and collaboration with legal systems and enforcement agencies around the world.

So, it might be best to steer clear of punishments some might think a little great.

On a brighter note, if the trends demonstrated in the hackers-for-hire case continue, we could one day end up with a properly organized set of laws covering digital crimes all over the world, and a set of enforcement agencies to back them up, all working in unity.

FBI warns of crimewave striking money registers

Image of money register courtesy of ShutterstockThe US Federal Bureau of Investigations (FBI) has warned retailers to harden their defences against cyber-heists – particularly those that latch onto acclaim card details from shoppers, as actually happened to Target.

The BBC reports that Reuters got its hands on the warning, which went out as a classified report to large retailers.

The FBI reportedly said that over the past year, it’s seen about 20 cases in which data was stolen using the similar type of malware as that inserted onto Target’s credit and debit card swiping-machines, money registers and other point-of-sale (PoS) tools.

The agency expects PoS malware crime to continue to grow in the near term, despite whatever mitigations law enforcement and security firms throw at it.

The profits are huge, and the PoS virus code is both too cheap and too widely available on dissident markets for thieves to resist, the FBI said.

According to the FBI’s report, one copy of this type of PoS malware was found on retailing for only $6,000 (£3,600).

That’s actually a bit pricey. I don’t know where they’re shopping, but they’re paying top dollar.

Cybersecurity consultants Group-IB back in September 2013 actually found booby-trapped bank card readers for half that price.

The ones they came across were bundled with a suite of money-stealing support services that offered to make scam crimes a snap: $2,000 (£1,200) on a hire-purchase basis or $3,000 (£1,800) for those crooks who just want to buy the hacked terminals outright.

The FBI wasn’t naming names when it came to whose PoS systems have been ambushed, mind you, but the name Target is the one that’s ringing a lot of bells in that branch these days.

A couple weeks ago, Target CEO Gregg Steinhafel told CNBC in an interview that there was malware installed on the retailer’s PoS registers.

We don’t know yet whether those rigged registers were behind the breach of Target’s (at least) 70 million data records.

But it wouldn’t be terribly surprising if those hacked PoS systems were the means by which the thief got to the vast universe of Target customers and guests.

As SophosLabs researcher Numaan Huq describes in this Naked safety article, this type of card fraud is ripe for setting us up to get card data plucked from our hands if we so much as pull out the plastic to pay for one measly candy bar.

In fact, “Buy candy, lose your credit card” is the name of a 2014 RSA safety conference session in which Numaan and Chester Wisniewski will be presenting a paper on the industrialization of this type of card fraud, in February.

The subject of the paper and the presentation is one specific type of PoS malware called RAM scraping very interesting stuff that gets into the nuances of how data is most definitely not encrypted end-to-end in PoS systems, in spite of their being compliant with the expense card industry’s data safety standards, PCI-DSS, and how RAM scraping takes advantage of that.

Hacker Guccifer apparently arrested in Romania

Guccifer, hacker of the stars, has supposedly been nabbed by police in Romania.

Guccifer has grabbed a slew of stuff from celebrity over his star-studded career, counting ex-US President Bush’s self-portrait in the bathtub, former US Secretary of State Colin Powell’s Facebook account, emails that portray Powell as having an issue with Romanian politician Corina Cretu, and yet the script for the Downton Abbey finale.

According to a Romanian news story, a man supposed to be the hacker, Marcel LazarusLehel, was captured Wednesday in his township.Much of the reporting is coming from Romanian sources, meaning we’re relying on web-based translation, but The Times says that so far, we know this about the man being held:

Although little is known about Mr Lehel, it is understood he was sentenced to three years supervised release in February 2012 after being under arrest … for hacking the e-mail and Facebook accounts of various public figures in Romania.

According to the Romanian newspaper Adevarul, police tracked Lehel down to his township of Sâmbăteni, in the commune of Arad County, where he lives with his wife and daughter and rarely leaves the house.

The raid was organized by Romania’s Directorate of Investigating Organized Crime and Terrorism, who said that they were cooperating with US establishment.Adevarul reports that Lehel has used the alias “Little Smoke” in the past.

The newspaper quoted the commune’s mayor, Petru Nicoară, who went to the township on Wednesday morning:

Everyone describes him just as I knew him: as a silence man who keeps to the house… I heard he spent his days at the computer.

Of course, plenty of us spend our days innocently enough at our computers so we’ll presume Lehel is innocent awaiting confirmed guilty.

Burglar who took Steve Jobs’s iPad gets seven years

Whenever discuss changes to jail here we are at cybercrime, the fur of lawful action begins to fly.

Back in 2005, for example, a younger Phil Harvey and The the air jordan Bradley of self-styled UK cybercrime group Threatt Krew were sentenced for offenses relevant to viruses.

They obtained six several weeks and three several weeks respectively.

We performed a study in which 86% of our participants sensed they should have been handled more severely.

On the other part of the Ocean, in 2006, 21-year old Jeanson Wayne Ancheta was sentenced for operating a botnet of 400,000 PCs. He got 57 several weeks (almost five years); 60% of individuals we interviewed believed he should have got more.

Take the viruses out of the cycle, though, and views on the penalties of cybercrime, and even what comprises cybercrime, seem to ease.

Infamous UK cyberpunk H McKinnon battled teeth and fingernail for ten decades to avoid extradition to the US, even after acknowledging he split into computer systems that belong to NASA and the US Division of Protection.

In 2006, only 48% of our participants believed he should be sent for test in the US.

By 2009, that rate decreased had considerably, with just 29% saying he ought to deal with the songs, even though his shame was not in question.

Celebrity muso Pain went so far as to say that McKinnon’s circumstances was “a travesty of individual privileges,” despite McKinnon having confessed the expenses on which he experienced lawful prosecution.

In the end, McKinnon got the result he desired and was let off scot-free (if you neglect the ten decades of worry, question and lawful cost he put himself through to avoid the US). He won’t be extradited and he won’t be billed in the UK.

Not all criminals are that lucky.

We had written about the new Kariem McFarlin last season, a lawful who might have kept further before law if he had been a bit more cybersavvy.

He’s the guy who missing his job, started to run out of cash and created the decision to begin assisting himself to other individuals things from vacant homes around San Francisco.

One robbery job saw him grabbing products from an apparently-empty house from the widow of the delayed Bob Tasks. This transport popularly involved a pockets packed with Jobs’s formal yearly salary: $1.

McFarlin also created off with the Jobsian iPad (a full-sized design, normally, not one of those new-fangled minis). Unfortunately for our lawful, call-home monitoring application on the product dobbed him in to the police as soon as he converted it on.

McFarlin asked for forgiveness accountable, under an contract restricting his highest possible phrase to about 50 percent of the sixteen-year expand he might in theory have got if he would battled the situation and missing.

Earlier this weeks time, he discovered out his contract price, which saw him put away for seven decades. Obviously he will get out after 50 percent of that period if he doesn’t misbehave while he’s within.

(He didn’t grab just from Laurene Powell Jobs’s house. He was nicked for a sequence of break-ins across the higher San Francisco place.)

So, to those who say that cybercriminals get difficult done by, with “real” criminals often getting reduced phrases for “real-world” lawful offenses, McFarlin could be regarded an exemption that disproves your concept.

Was Alicia Keys hacked, or is she cheating on BlackBerry with iPhone this Valentine’s Day?

BlackBerry recently surprised the tech industry when they announced at their major launch event on January 30 the appointment of musician, Alicia Keys, as the Global Creative Director.

And since then Keys has been pimping BlackBerry’s new smartphone model, Z10, tweeting from it since launch. But is there a secret that Keys has been keeping? An extra-cellular affair with the iPhone?

At the BlackBerry launch, Keys told the audience about her on-again/off-again love affair with BlackBerry.

She said she had been lured away from BlackBerry by “hotter, sexier phones, something with more bling” in the past, but now declaring that she and Blackberry were “exclusively dating”.

So it was a bit of a surprise when a tweet from her account went out to her 11 million followers on February 11 – just days after the BlackBerry launch – sent not from her exclusive BlackBerry, but from her ex, the iPhone.

Started from the bottom now were here!

Later the same day, Keys sent out a tweet stating that the previous tweet quoting lyrics from recording artist, Drake, had not come from her, but likely a hacker. (But don’t be offended – she still likes Drake.)

What the h*ll?!!!! Looks like I’ve been hacked… I like @Drake but that wasn’t my tweet 🙁

But that doesn’t explain this tweet pic posted a day before from her account showing the musician looking radiant in her dressing room at the Grammys with not just one, but two, of her exes in reach – iPhones.

Now, we at Naked Security have seen our fair share of hacked Twitter accounts of celebrities such as Justin Bieber and Britney Spears – and this doesn’t quite smell the same.

Would a hacker that has gone through the trouble of hacking an account of such a well-known figure with access to *11 million followers* really only send one tweet with just a song lyric?

This story reminds us of a previous incident when Kim Kardashian claimed her Twitter account was hacked after having trouble logging in to Twitter from her home computer.

Ashley Greene’s nude pics being distorted by hackers in web scam

Bare pictures of actress Ashley Greene have fallen into the hands of cyber crooks who are misusing them to hack into people’s computers.

The ‘Twilight’ star, which portrays the position of Alice Cullen in the hit vampire movie, before endangered to file a court case alongside anybody who posted her leaked naked pictures on the Internet.

The 22-year-old was said to have caught the notice of hackers, who have been flooding the web with hundreds of scoundrel links using the pictures to steal personal information and bank details or spread viruses. Graham Cluley, from web security firm Sophos, warned surfers against aperture the links over possible refuge threats.

“Thousands of people will be searching Google for these pictures right now and the hackers know it,” The Sun quoted Cluley as saying.

“There are more and more malware attacks targeting both PC and Mac users – so whatever system you use, infection could be just a click away.

“My advice is that if you’re a fan of Ashley Greene – go see her movies in the cinema or on DVD, don’t hunt for naked images of her on the internet,” Cluley added.