PROJET AUTOBLOG


Krebs on Security

Site original : Krebs on Security

⇐ retour index

Mise à jour

Mise à jour de la base de données, veuillez patienter...

Breach at Sabre Corp.’s Hospitality Unit

mardi 2 mai 2017 à 20:41

Breaches involving major players in the hospitality industry continue to pile up. Today, travel industry giant Sabre Corp. disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments.

sabreIn a quarterly filing with the U.S. Securities and Exchange Commission (SEC) today, Southlake, Texas-based Sabre said it was “investigating an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.”

According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system, described as an inventory management Software-as-a-Service (SaaS) application that “enables hoteliers to support a multitude of rate, inventory and distribution strategies to achieve their business goals.”

Sabre said it has engaged security forensics firm Mandiant to support its investigation, and that it has notified law enforcement.

“The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a brief statement that Sabre sent to affected properties today. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”

Sabre’s software, data, mobile and distribution solutions are used by hundreds of airlines and thousands of hotel properties to manage critical operations, including passenger and guest reservations, revenue management, flight, network and crew management. Sabre also operates a leading global travel marketplace, which processes more than $110 billion of estimated travel spend annually by connecting travel buyers and suppliers.

Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted.

A card involving traveler transactions for even a small percentage of the 32,000 properties that are using Sabre’s impacted technology could jeopardize a significant number of customer credit cards in a short amount of time.

The news comes amid revelations about a blossoming breach at Intercontinental Hotel Group (IHG), the parent company that manages some 5,000 hotels worldwide, including Holiday Inn and Holiday Inn Express.

KrebsOnSecurity first reported in December 2016 that cards used at IHG properties were being sold to fraudsters, but it took until February 2017 for IHG to announce it had found malicious software installed at front-desk systems at just a dozen of its properties. On April 18, IHG disclosed in an update on the investigation that more than 1,200 properties were affected, and that there could well be more added in the coming days.

According to Verizon‘s latest annual Data Breach Investigations Report (DBIR), malware attacks on point-of-sale systems used at front desk and hotel restaurant systems “are absolutely rampant” in the hospitality sector. Accommodation was the top industry for point-of-sale intrusions in this year’s data, with 87% of breaches within that pattern.

“Apparently, it is not only The Eagles that are destined for a long stay at the hotel,” Verizon mused in its report. “The hackers continue to be checked in indefinitely as well. Breach timelines continue to paint a rather dismal picture—with time-to-compromise being only seconds, time-to-exfiltration taking days, and times to discovery and containment staying firmly in the months camp.”

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton HotelsTrump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malicious code usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Blind Trust in Email Could Cost You Your Home

jeudi 27 avril 2017 à 22:36

The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if — at settlement — your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here’s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing.

It was late November 2016, and Jon and Dorothy Little were all set to close on a $200,000 home in Hendersonville, North Carolina. Just prior to the closing date on Dec. 2 their realtor sent an email to the Little’s and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.

The fraudulent wire instructions apparently sent by the hackers via the settlement law firm.

The fraudulent wire instructions apparently sent by the hackers via the settlement law firm.

An attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm’s logo and some bank account information that was represented as the seller’s account number. The Little’s realtor sent the wire on Thursday morning, the day before settlement.

“We went to closing at 1 p.m. on Friday, and after we signed all the papers, we asked the lawyers if we were going to get back the extra money we had sent them, because they hadn’t be able to give us an exact amount in the wiring instructions. At that point they told us they had never gotten the money.”

After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information (see screen shot above).

The owner of the Bank of America account appears to have been a willing or unwitting accomplice — also know as a “money mule” — recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.

Fortunately for the Littles, the FBI succeeded in having the resulting $180,000 wire transfer frozen once it hit the TD Bank account. However, efforts to recover the stolen funds were stymied immediately when the Littles’ credit union refused to give Bank of America a so-called “hold harmless” agreement that the bigger bank wanted as a legal guarantee before agreeing to help.

Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said banks have a fiduciary duty to their customers to honor their requests in good faith, and as such they tend to be very nervous legally about colluding with another bank to reverse payment instructions by one of their own customers. The “hold harmless” agreement is usually sought by the bank which received a fraudulent wire transfer, Castagnoli said, and it requires the responding bank to assume any and all liability for costs that the requesting bank may later incur should the owner of account which received the fraudulent wire decide to dispute the payment reversal.

“When it comes to wire fraud cases the banks have to move very quickly because once the wires make it outside the U.S. to foreign banks, the money is usually as good as gone,” Castagnoli said. “The receiver or transferee usually insists on a hold harmless agreement because they’re moving the money on behalf of their own account holder, kind of going against their own client which is a big ‘no-no’ when you’re a fiduciary.”

But in this case, the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement, because doing so would stipulate that the credit union affirms the victim (the Littles) hadn’t willingly and knowing initiated the wire, when in fact they had.

“I talked to the wire dept multiple times,” Mr. Little said of the folks at his financial institution, Atlanta, Ga.-based Delta Community Credit Union (DCCU). “They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.”

The Littles had to cancel the contract on the house they were prepared to occupy in December. Most of their cash was tied up in this account that the banks were haggling over, and so they opted to get a heavily mortgaged small townhome instead, with the intention of paying off the mortgage when their stolen funds are returned.

“We canceled the contract on the house because the sellers really needed to sell it,” Jon Little said.

The DCCU has yet to respond to my requests for comment. But less than a day after KrebsOnSecurity reached out to the credit union for comment about the Littles’ story, the bank informed the Littles that the other bank would soon have its hold harmless letter — freeing up their $180,000 after more than four months in legal limbo.

The Littles’ story has a fairly happy ending, however most of the other few dozens stories previously featured on this blog about wayward mortgage, escrow and payroll payments wound up with the victim losing six figures at least.

One of the more recent advertisers on this blog — Ninjio — specializes in developing custom, “gamified” security awareness training videos for clients. “The Homeless Homebuyer,” one of the videos Ninjio produced for a government client seems appropriate here: It features an animated FBI agent breaking the bad news to some would-be homeowners that their money is gone and so are their dreams of a new home — all because everyone blindly trusted unsecured email for what is essentially a high-risk cash transaction.

I like the video because its message is fairly stark and real: You could get screwed if you don’t take this seriously and proceed carefully, because once the money’s gone it usually stays gone. Check it out here:

So here’s what you need to know if you or anyone you know, love or even like are about to buy or sell a home: Never wire money based on the say-so of one party to the transaction made via email. You simply don’t know if their account is hacked, so from a self-preservation standpoint it’s best to assume it is.

Agree in advance who will contact whom — preferably by phone — on settlement day to receive the wiring details, and who will manage the wiring process. Never trust bank account details and payment instructions sent via email. Always double or even triple check any instructions for wiring money at settlement. Confirm all wiring instructions in person if possible, or else over the phone.

By the way, these same precautions can help make organizations less susceptible to CEO fraud schemes, email scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster.

The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.

Castagnoli said many credit unions and small banks don’t have the legal staff with the clearance to make calls on whether to issue a hold harmless agreement, and so they usually try to punt on that when requested. Were she in The Littles’ position, Castagnoli said she would have called the head of the credit union and demanded assistance.

“If the head of the bank wouldn’t do it, I’d call my congressperson or a state banking regulator,” she said.

If you’re selling or buying the home yourself and somehow also in charge of wiring money, consider using a Live CD approach (all of these “live” Linux distributions will just as happily run on USB-based flash drives). I have long recommend Live Linux usage as a smart option for small businesses to avoid paying dearly when a Windows banking trojan snarfs their business banking credentials.

UK Man Gets Two Years in Jail for Running ‘Titanium Stresser’ Attack-for-Hire Service

mardi 25 avril 2017 à 17:06

A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users.

Adam Mudd of Hertfordshire, U.K. admitted to three counts of computer misuse connected with his creating and operating the attack service, also known as a “stresser” or “booter” tool. Services like Titanium Stresser coordinate so-called “distributed denial-of-service” or DDoS attacks that hurl huge barrages of junk data at a site in a bid to make it crash or become otherwise unreachable to legitimate visitors.

Mudd's TitaniumStresser service.

Mudd’s TitaniumStresser service.

According to U.K. prosecutors, Mudd’s Titanium Stresser service was used by others in more than 1.7 million denial-of-service attacks against victims worldwide, with most countries in the world affected at some point. He originally built the booter service at the age of 15, earning more than $300,000 in ill-gotten gains from it. Also during his interviews, he admitted security breaches against his own college while he was there studying computer science.

Mudd pleaded guilty to three offences under the U.K. Computer Misuse Act and a further offense of money laundering under the Proceeds of Crime Act in October 2016.

“Today, he was sentenced to 24 months imprisonment for his own DDoS attacks, nine months for running a titanium stressor service and 24 months for money laundering the proceeds made from the stressor service, all to run concurrently,” reads a press release issued by the Eastern Region Special Operations Unit (ERSOU), an anti-cybercrime unit that worked with the U.K.’s National Crime Agency to investigate Mudd.

Detective Chief Inspector Martin Peters of the ERSOU’s Regional Crime Unit recalled that at sentencing the judge said the defendant likely would have received six years if he’d been tried as an adult and if he had no medical issues. Mudd had been slated to be sentenced last week, but that hearing was delayed until today after the court heard medical testimony on Mudd’s apparent struggles with autism.

The Mudd case is the latest in a string of law enforcement actions in the U.K., U.S. and elsewhere targeting booter service operators and their customers. In December 2016, federal investigators in the United States and Europe arrested nearly three-dozen people suspected of patronizing booter services. That crackdown was part of an effort by authorities to weaken demand for booter and stresser services and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have run booter services tied to the “Lizard Squad” hacking group. That same month the sprawling discussion forum Hackforums — once the most bustling marketplace on the Internet where people could compare and purchase booter and stresser service subscriptions — announced that it was permanently banning the sale and advertising of booters

Last month, authorities in Israel said they were preparing a case against two 18-year-old Israeli men who investigators there say operated the wildly popular “vDOS” booter service. The proprietors of vDOS were in business for four years prior to being exposed by KrebsOnSecurity. During just two of those four years in operation vDOS made more than $600,000 helping paying customer coordinate hundreds of thousands (if not millions) of DDoS attacks.

The detail about Mudd having attacked the very same school he was attending as a computer science student seemed both interesting and familiar. Then I remembered: This same dynamic was at work with a young man approximately Mudd’s age who lives in New Jersey and recently was implicated by many of his close associates and a great deal of circumstantial evidence as a co-author of the Mirai botnet computer code.

Mirai is a network worm that enslaves poorly secured “Internet of Things” devices like security cameras and digital video recorders for use in extremely powerful DDoS attacks capable of knocking almost any target offline.

After Mirai took my site offline for several days last year, I spent many hours trying to figure out who was responsible for writing and unleashing the malware. All signs pointed to a computer science student at Rutgers University who used a large Mirai botnet to attack the university repeatedly — all the while using his hacker alter ego to taunt the university in online interviews.

The authorities in the U.K. say they are hoping to make an example of Mudd as part of a broader education effort to divert talented, smart kids away from malicious hacking and toward more productive endeavors.

“Adam Mudd’s case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others,” the ERSOU press release observes. “We want to make clear it is not our wish to unnecessarily criminalise young people, but want to harness those skills before they accelerate into crime. It is important that this case sends out a clear message to others who may be tempted by committing cybercrime or who are already engaging in cyber scams from the comfort of their own bedrooms, to consider what they are doing and it is for parents to know and understand what your children are doing online.”

The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence

lundi 24 avril 2017 à 18:37

Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record punishment for hacking violations in the United States and by all accounts one designed to send a message to criminal hackers everywhere. But a close review of the case suggests that Seleznev’s record sentence was severe in large part because the evidence against him was substantial and yet he declined to cooperate with prosecutors prior to his trial.

Maldives_(orthographic_projection).svg

The Maldives is a South Asian island country, located in the Indian Ocean, situated in the Arabian Sea. Source: Wikipedia.

The son of an influential Russian politician, Seleznev made international headlines in 2014 after he was captured while vacationing in The Maldives, a popular vacation spot for Russians and one that many Russian cybercriminals previously considered to be out of reach for western law enforcement agencies.

However, U.S. authorities were able to negotiate a secret deal with the Maldivian government to apprehend Seleznev. Following his capture, Seleznev was whisked away to Guam for more than a month before being transported to Washington state to stand trial for computer hacking charges.

The U.S. Justice Department says the laptop found with him when he was arrested contained more than 1.7 million stolen credit card numbers, and that evidence presented at trial showed that Seleznev earned tens of millions of dollars defrauding more than 3,400 financial institutions.

Investigators also reportedly found a smoking gun: a password cheat sheet that linked Seleznev to a decade’s worth of criminal hacking.

Seleznev was initially identified as a major cybercriminal by U.S. government investigators in 2011, when prosecutors in Nevada named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where he and other members openly marketed various cybercrime-oriented services.

Known by the hacker handle “nCux,” Seleznev operated multiple online shops that sold stolen credit and debit card data. According to Seleznev’s indictment in the Nevada case, he was part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices.

In Seattle on Aug. 25, 2016, Seleznev was convicted of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft.

“Simply put, Roman Seleznev has harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court,” federal prosecutors charged in their sentencing memorandum. “This prosecution is unprecedented.”

Seleznev’s lawyer Igor Litvak called his client’s sentence “draconian,” saying that Seleznev was gravely injured in a 2011 terrorist attack in Morocco, has Hepatitis B and is not well physically.

Litvak noted that his client also faces two more prosecutions — in Georgia and Nevada, and that his client is likely to be shipped off to Nevada soon.

“It’s unprecedented, yes, but it’s also a draconian sentence for a person who is very gravely ill,” Litvak said in an interview with KrebsOnSecurity. “He’s not going to live that long. He’s going to die in jail. I’m certain of that.”

ANALYSIS

As for the severity of his sentence, Seleznev did himself no favors by rededicating himself to his carding empire after having been clearly marked by U.S. investigators in the 2011 indictment as a key figure in an online organized crime ring.

Many of the documents related to Seleznev’s prosecution and conviction in Washington state last week remain sealed, as he still faces federal criminal hacking charges in Nevada and Georgia. But former black hat Russian hacker turned political and cybersecurity blogger Andrey “Sporaw” Sporov published snippets from documents apparently related to Seleznev’s prosecution indicating that investigators with the U.S. Secret Service and FBI met with the Russian Federal Security Service (FSB) in 2009 to discuss Seleznev’s activities, presenting “substantial” evidence that Seleznev was a bigtime cybercrook.

The 2pac[dot]cc credit card shop that Seleznov operated.

2pac[dot]cc credit card shop that Seleznov operated, among others.

Seleznev’s online alter ego nCux reportedly got word of the meeting, and was soon after seen deleting his identities on hacker forums and saying he was closing up shop:

“As U.S. Probation noted, the information that U.S. law enforcement was investigating Seleznev ‘clearly got back to Mr. Seleznev,'” reads the document. “Indeed, Seleznev had his own contacts inside the FSB. In chat messages between Seleznev and an associate from 2008, Seleznev stated that he had obtained protection through the law enforcement contacts in the computer crime squad of the FSB. Later, in 2010, Seleznev told another associate that the FSB knew his identity and was working with the FBI.”.

But nCux didn’t go away, he merely reinvented himself as “Bulba,” operating a number of carding sites including track2[dot]name, bulba[dot]cc, and 2Pac[dot]cc. These sites sold tens of thousands of “dumps,” data that thieves encode onto new plastic cards and use to buy high-priced electronics and gift cards from big box retailers. Seleznev’s sites specialized in selling tens of thousands of dumps at a time to criminal groups and street gangs operating throughout the United States

A private mesasge between card merchant "Bulba" and an interested buyer on the fraud bazaar carder[dot]pro.

A private mesasge between card merchant “Bulba” and an interested buyer on the fraud bazaar carder[dot]pro.

Seleznev reportedly used this money to live an extravagant lifestyle, buying up properties in Bali, Indonesia. Photographs seized from Seleznev show his associates with large bundles of cash, at luxurious resorts, and posing for photographs next to flashy sports cars. Just before his capture, Seleznev reportedly spent over $20,000 to stay in a resort in the Maldives and boasting of having rented the most expensive accommodations there.

Sporov’s documents describe Seleznev’s years to evade law enforcement officials following his then-sealed indictment in Nevada:

“Seleznev remained at large for over three years. During this period, Seleznev carefully evaded apprehension, employing practices like buying last-minute plane tickets to avoid giving authorities advance notice of his travel plans. Seleznev obtained an account with the U.S. Court’s PACER system, which he monitored for criminal indictments naming him or his nicknames. He avoided travel to countries that had entered into extradition treaties with the United States. Indeed, when Seleznev was finally confronted by U.S. agents in the Maldives, his first words were to question whether the United States had an extradition treaty with the Maldives.”

The defendant also apparently burned through multiple lawyers, almost all of whom appear to have advised him to seek a plea deal with the U.S. government:

“Seleznev repeatedly attempted to manipulate and protract these proceedings, resulting in a cumulative delay of 26 months, and six sets of counsel, between his capture and trial….Transcripts of jail calls previously submitted to the Court reveal that, in the days leading up to the hearing, Seleznev and his father resolved to delay the hearing so that they could work on a secret strategy they elliptically referred to as ‘Uncle Andrey’s option.’ To manufacture the delay, Seleznev’s father suggested that Seleznev either ‘get sick’ or ‘completely stop the communication with the lawyers.'”

Seleznev is the son of Valery Seleznev, a prominent member of the Russian Duma (Russia’s parliament) and is considered an ally of President Vladimir Putin. As the Seattle Times wrote at Seleznev’s conviction in 2016, “federal prosecutors accused Seleznev and his father of plotting to tamper with witnesses and possibly discussing an escape from the Federal Detention Center in SeaTac. The assertions were based on recorded conversations, according to the government.”

Seleznev posing with a sports car in Red Square. Image: DOJ.

Seleznev posing with a sports car in Red Square. Image: DOJ.

Perhaps Mr. Seleznev thought his father’s influence and/or his own apparent connections with Russian law enforcement officials would rescue him. Maybe Seleznev believed he could prevail against the U.S. government in court.

But it seems clear that Seleznev’s record 27-year sentence had at least as much to do with the impact of his crimes as it did the enormity of the charges and evidence against him combined with his refusal to cooperate with investigators.

Seleznev’s lawyer Igor Litvak said his client declined a plea deal prior to his trial, and by the time Seleznev had changed his mind the trial was over and the government no longer needed the information he could offer. Prosecutors sought to put him away for 35 years: They got eight years shy of that request.

“The prosecution said if he would have cooperated this case would have turned out very differently,” Litvak said.

The docket for Seleznev’s case is available here and includes a number of unsealed documents related to this case.

Update, Apr. 25, 5:09 p.m. ET: Added link in the third paragraph to documentation of Seleznev’s month-long hiatus in Guam.

How Cybercrooks Put the Beatdown on My Beats

vendredi 21 avril 2017 à 21:29

Last month Yours Truly got snookered by a too-good-to-be-true online scam in which some dirtball hijacked an Amazon merchant’s account and used it to pimp steeply discounted electronics that he never intended to sell. Amazon refunded my money, and the legitimate seller never did figure out how his account was hacked. But such attacks are becoming more prevalent of late as crooks increasingly turn to online crimeware services that make it a cakewalk to cash out stolen passwords.

The elusive Sonos Play:5

The elusive Sonos Play:5

The item at Amazon that drew me to this should-have-known-better bargain was a Sonos wireless speaker that is very pricey and as a consequence has hung on my wish list for quite some time. Then I noticed an established seller with great feedback on Amazon was advertising a “new” model of the same speaker for 32 percent off. So on March 4, I purchased it straight away — paying for it with my credit card via Amazon’s one-click checkout.

A day later I received a nice notice from the seller stating that the item had shipped. Even Amazon’s site seemed to be fooled because for several days Amazon’s package tracking system updated its progress slider bar steadily from left to right.

Suddenly the package seemed to stall, as did any updates about where it was or when it might arrive. This went on for almost a week. On March 10, I received an email from the legitimate owner of the seller’s account stating that his account had been hacked.

Identifying myself as a reporter, I asked the seller to tell me what he knew about how it all went down. He agreed to talk if I left his name out of it.

“Our seller’s account email address was changed,” he wrote. “One night everything was fine and the next morning our seller account had a email address not associated with us. We could not access our account for a week. Fake electronic products were added to our storefront.”

He couldn’t quite explain the fake tracking number claim, but nevertheless the tactic does seem to be part of an overall effort to delay suspicion on the part of the buyer while the crook seeks to maximize the number of scam sales in a short period of time.

“The hacker then indicated they were shipped with fake tracking numbers on both the fake products they added and the products we actually sell,” the seller wrote. “They were only looking to get funds through Amazon. We are working with Amazon to refund all money that were spent buying these false products.”

As these things go, the entire ordeal wasn’t awful — aside maybe from the six days spent in great anticipation of audiophilic nirvana (alas, after my refund I thought better of the purchase and put the item back on my wish list.) But apparently I was in plenty of good (or bad?) company.

The Wall Street Journal notes that in recent weeks “attackers have changed the bank-deposit information on Amazon accounts of active sellers to steal tens of thousands of dollars from each, according to several sellers and advisers. Attackers also have hacked into the Amazon accounts of sellers who haven’t used them recently to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash.”

Perhaps fraudsters are becoming more brazen of late with hacked Amazon accounts, but the same scams mentioned above happen every day on plenty of other large merchandising sites. The sad reality is that hacked Amazon seller accounts have been available for years at underground shops for about half the price of a coffee at Starbucks.

The majority of this commerce is made possible by one or two large account credential vendors in the cybercrime underground, and these vendors have been collecting, vetting and reselling hacked account credentials at major e-commerce sites for years.

I have no idea where the thieves got the credentials for the guy whose account was used to fake sell the Sonos speaker. But it’s likely to have been from a site like SLILPP, a crime shop which specializes in selling hacked Amazon accounts. Currently, the site advertises more than 340,000 Amazon account usernames and passwords for sale.

The price is about USD $2.50 per credential pair. Buyers can select accounts by balance, country, associated credit/debit card type, card expiration date and last order date. Account credentials that also include the password to the victim’s associated email inbox can double the price.

The Amazon portion of SLILPP, a long-running fraud shop that at any given time has hundreds of thousands of Amazon account credentials for sale.

The Amazon portion of SLILPP, a long-running fraud shop that at any given time has hundreds of thousands of Amazon account credentials for sale.

If memory serves correctly, SLILPP started off years ago mainly as a PayPal and eBay accounts seller (hence the “PP”). “Slil” is transliterated Russian for “слил,” which in this context may mean “leaked,” “download” or “to steal,” as in password data that has leaked or been stolen in other breaches. SLILPP has vastly expanded his store in the years since: It currently advertises more than 7.1 million credentials for sale from hundreds of popular bank and e-commerce sites.

The site’s proprietor has been at this game so long he probably deserves a story of his own soon, but for now I’ll say only that he seems to do a brisk business buying up credentials being gathered by credential-testing crime crews — cyber thieves who spend a great deal of time harvesting and enriching credentials stolen and/or leaked from major data breaches at social networking and e-commerce providers in recent years.

SLILPP's main inventory page.

SLILPP’s main inventory page.

Fraudsters can take a list of credentials stolen from, say, the Myspace.com breach (in which some 427 million credentials were posted online) and see how many of those email address and password pairs from the MySpace accounts also work at hundreds of other bank and e-commerce sites.

Password thieves often then turn to crimeware-as-a-service tools like Sentry MBA, which can vastly simplify the process of checking a list of account credentials at multiple sites. To make blocking their password-checking activities more challenging for retailers and banks, these thieves often try to route the Internet traffic from their password-guessing tools through legions of open Web proxies, hacked PCs or even stolen/carded cloud computing instances.

PASSWORD RE-USE: THE ENGINE OF ALL ONLINE FRAUD

In response, many major retailers are being forced to alert customers when they see known account credential testing activity that results in a successful login (thus suggesting the user’s account credentials were replicated and compromised elsewhere). However, from the customer’s perspective, this is tantamount to the e-commerce provider experiencing a breach even though the user’s penchant for recycling their password across multiple sites is invariably the culprit.

There are a multitude of useful security lessons here, some of which bear repeating because their lack of general observance is the cause of most password woes today (aside from the fact that so many places still rely on passwords and stupid things like “secret questions” in the first place). First and foremost: Do not re-use the same password across multiple sites. Secondly, but equally important: Never re-use your email password anywhere else.

Also, with a few exceptions, password length is generally more important than password complexity, and complex passwords are difficult to remember anyway. I prefer to think in terms of “pass phrases,” which are more like sentences or verses that are easy to remember.

If you have difficult recalling even unique passphrases, a password manager can help you pick and remember strong, unique passwords for each site you interact with, requiring only one strong master password to unlock any of them. Oh, and if the online account in question allows 2-factor authentication, be sure to take advantage of that.

I hope it’s clear that Amazon is just one of the many platforms where fraudsters lurk. SLILPP currently is selling stolen credentials for nearly 500 other banks and e-commerce sites. The full list of merchants targeted by this particularly bustling fraud shop is here (.txt file).

As for the “buyer beware” aspect of this tale, in retrospect there were several warning signs that I either ignored or neglected to assign much weight. For starters, the deal that snookered me was for a luxury product on sale for 32 percent off without much explanation as to why the apparently otherwise pristine item was so steeply discounted.

Also, while the seller had a stellar history of selling products on Amazon for many years (with overwhelmingly positive feedback on virtually all of his transactions) he did not have a history of selling the type of product that thieves tried to sell through his account. The old adage “If something seems too good to be true, it probably is,” ages really well in cyberspace.

Error happened! 0 - SQLite3::exec(): database disk image is malformed In: /home/cochisebee/www/autoblog/autoblogs/autoblog.php:285 http://autoblog.cochi.se/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/?32 #0 [internal function]: exception_error_handler(2, 'SQLite3::exec()...', '/home/cochisebe...', 285, Array) #1 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(285): SQLite3->exec('INSERT INTO art...') #2 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(418): VroumVroum_Blog->insertOrUpdateArticle('https://krebson...', 'Chinese Antivir...', 'https://krebson...', 1600380201, '

The ...') #3 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(932): VroumVroum_Blog->update() #4 /home/cochisebee/www/autoblog/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/index.php(1): require_once('/home/cochisebe...') #5 {main}