New Research Examines Traffers and the Business of Stolen Credentials

Today, Outpost24 released a new report revealing the underground operation of Traffers, cybercriminal organisations reshaping the business of stolen credentials.

The Rising Threat of Traffers report, compiled by Outpost24’s Threat Intelligence team, KrakenLabs, provides a deep dive into the credential theft ecosystem, and encourages organisations to evaluate their security measures against these evolving threats.

Stolen credentials are a major problem for organisations, causing nearly 50% of all data breaches. While businesses are still trying to figure out how to fix the password problem, cyber criminals are organising, and innovating. The increased professionalization of cyber criminal groups, specifically the rise of Traffers, is the latest threat against businesses.

Traffers are highly organized cybercriminal groups. They spread different types of malware families with the goal of exfiltrating credentials or profit. To spread the malware as far and wide as possible, they have formed an industry-like structure of product and service providers, as well as dedicated market places, in the form of Telegram channels, to facilitate the sale of those credentials.

To increase their success rate, Traffers target their would-be victims by driving their internet traffic with Google and Facebook Ads to fraudulent content. Traffers have developed a business model that involve specific recruitment, training, and compensation, all of which distinguish them from other cybercriminals.

The price spike of information-stealing malware, the subscription models for accessing stolen credentials, and even the earnings of the Traffers themselves, are just some of the highlights in the report that demonstrate the increased activity and demand in the cybercriminal ecosystem.

Victor Acin, Head of the KrankenLabs at Outpost24, “credentials, and the tools used to steal them, are a commodity. With the growing trend of Initial Access Brokers (IABs) we know that criminal groups are willing to pay for services, which means they expect a bigger profit in return – that’s bad news for businesses.”

As the underground economy circulates, current security measures may fall behind. Organisations need to consider the Traffers attack chain to stay protected against the latest threats. The Rising Threat of Traffers report provides practical advice that can protect credentials, and help businesses avoid malware infections, in the way it is done by Traffers teams.

Outpost24’s KrakenLabs will continue to monitor these groups as part of their cyber threat intelligence solution, helping organizations improve their cyber security posture with real-time threat detection and faster remediation.

To read more about the report, please visit here. Last year, we reported that in the first half of the year, stolen credentials were involved in nearly half of data breaches.

The post New Research Examines Traffers and the Business of Stolen Credentials appeared first on IT Security Guru.

New Protections for Food Benefits Stolen by Skimmers

Millions of Americans receiving food assistance benefits just earned a new right that they can’t yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes.

On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disperse funds each month.

EBT cards can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM. However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make the cards more difficult and expensive for skimming thieves to clone.

More critically, EBT participants traditionally have had little hope of recovering food assistance funds when their cards were copied by card-skimming devices and used for fraud. That’s because while the EBT programs are operated by individually by the states, those programs are funded by the U.S. Department of Agriculture (USDA), which until late last year was barred from reimbursing states for stolen EBT funds.

The protections passed in the 2023 Appropriations Act allow states to use federal funds to replace stolen EBT benefits, and they permit states to seek reimbursement for any skimmed EBT funds they may have replaced from their own coffers (dating back to Oct. 1, 2022).

But first, all 50 states must each submit a plan for how they are going to protect and replace food benefits stolen via card skimming. Guidance for the states in drafting those plans was issued by the USDA on Jan. 31 (PDF), and states that don’t get them done before Feb. 27, 2023 risk losing the ability to be reimbursed for EBT fraud losses.

Deborah Harris is a staff attorney at The Massachusetts Law Reform Institute (MLRI), a nonprofit legal assistance organization that has closely tracked the EBT skimming epidemic. In November 2022, the MLRI filed a class-action lawsuit against Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state.

Harris said she’s pleased that the USDA guidelines were issued so promptly, and that the guidance for states was not overly prescriptive. For example, some security experts have suggested that adding contactless capability to EBT cards could help participants avoid skimming devices altogether. But Harris said contactless cards do not require a PIN, which is the only thing that stops EBT cards from being drained at the ATM when a participant’s card is lost or stolen.

Then again, nothing in the guidance even mentions chip-based cards, or any other advice for improving the physical security of EBT cards. Rather, it suggests states should seek to develop the capability to perform basic fraud detection and alerting on suspicious transactions, such as when an EBT card that is normally used only in one geographic area suddenly is used to withdraw cash at an ATM halfway across the country.

“Besides having the states move fast to approve their plans, we’d also like to see a focused effort to move states from magstripe-only cards to chip, and also assisting states to develop the algorithms that will enable them to identify likely incidents of stolen benefits,” Harris said.

Harris said Massachusetts has begun using algorithms to look for these suspicious transaction patterns throughout its EBT network, and now has the ability to alert households and verify transactions. But she said most states do not have this capability.

“We have heard that other states aren’t currently able to do that,” Harris said. “But encouraging states to more affirmatively identify instances of likely theft and assisting with the claims and verification process is critical. Most households can’t do that on their own, and in Massachusetts it’s very hard for a person to get a copy of their transaction history. Some states can do that through third-party apps, but something so basic should not be on the burden of EBT households.”

Some states aren’t waiting for direction from the federal government to beef up EBT card security. Like Maryland, which identified more than 1,400 households hit by EBT skimming attacks last year — a tenfold increase over 2021.

Advocates for EBT beneficiaries in Maryland are backing Senate Bill 401 (PDF), which would require the use of chip technology and ongoing monitoring for suspicious activity (a hearing on SB401 is scheduled in the Maryland Senate Finance Commission for Thursday, Feb. 23, at 1 p.m.).

Michelle Salomon Madaio is a director at the Homeless Persons Representation Project, a legal assistance organization based in Silver Spring, Md. Madaio said the bill would require the state Department of Human Services to replace skimmed benefits, not only after the bill goes into effect but also retroactively from January 2020 to the present.

Madaio said the bill also would require the state to monitor for patterns of suspicious activity on EBT cards, and to develop a mechanism to contact potentially affected households.

“For most of the skimming victims we’ve worked with, the fraudulent transactions would be pretty easy to spot because they mostly happened in the middle of the night or out of state, or both,” Madaio said. “To make matters worse, a lot of families whose benefits were scammed then incurred late fees on many other things as a result.”

It is not difficult to see why organized crime groups have pounced on EBT cards as easy money. In most traditional payment card transactions, there are usually several parties that have a financial interest in minimizing fraud and fraud losses, including the bank that issued the card, the card network (Visa, MasterCard, Discover, etc.), and the merchant.

But that infrastructure simply does not exist within state EBT programs, and it certainly isn’t a thing at the inter-state level. What that means is that the vast majority of EBT cards have zero fraud controls, which is exactly what continues to make them so appealing to thieves.

For now, the only fraud controls available to most EBT cardholders include being especially paranoid about where they use their cards, and frequently changing their PINs.

According to USDA guidance issued prior to the passage of the appropriations act, EBT cardholders should consider changing their card PIN at least once a month.

“By changing PINs frequently, at least monthly, and doing so before benefit issuance dates, households can minimize their risk of stolen benefits from a previously skimmed EBT card,” the USDA advised.

Data stolen after Hackers hit 14 UK schools

Hackers have launched a successful cyberattack against schools across the UK and has left confidential information related to pupils leaked online.
In total, 14 schools have been impacted, with the sensitive data stolen including passport details, which were likely needed for trips abroad, as well as contracts and pay scales for members of staff.
As reported by the BBC, the attack took place in 2022 with hacking group Vice Society named as the perpetrators. After refusing to refusing to pay the ransom, the information was posted online.
Vice Society have been known to target educational institutions in the UK and US, with a string of attacks associated to the group taking place recently. For instance, 500 gigabytes of data from the entire Los Angeles Unified School District were stolen and resulted in the FBI issuing an alert on the group’s activities as a warning
Commenting on the news and offering their thoughts and advice are the following cybersecurity professionals:
Erfan Shadabi, cybersecurity expert at comforte AG:
Given the troves of personal information stored within lower and higher education institutions, they will always be a target for cybercriminals. As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. Even if you don’t enter your ID, name, address, or even payment details, they can be used to start fraudulent activities. This incident is, however, very serious as many children’s PII was compromised. With an ever-growing attack surface, building just another wall around the institution’s network or a segment of sensitive data is not the best way forward, especially when it comes to phishing attacks that are likely to generate some hits. In the end, if you’re an educational institute, the most important thing to do is to protect your students’ and employees’ data, as well as your precious and highly valuable research, rather than the borders around that information. With modern solutions such as format-preserving encryption or tokenization, you can render useless to hackers any PII (including names, addresses, and IDs) or other data you deem sensitive, even if they manage to penetrate your strengthened perimeters and actually get their hands on it.
Darren Guccione, CEO, Keeper Security:
“This latest incident of Vice Society criminal activity demonstrates why parents and students must make cybersecurity a priority. A password manager is a critical first step that can help them create high-strength, unique passwords for all of their online accounts, applications and systems which will help prevent future attacks and mitigate the risk of sprawl if their information is posted to the dark web and sold. Additionally, they should immediately implement a dark web monitoring service, which will alert them if their stolen credentials and information are available on the dark web. Dark web monitoring will prompt them with an alert in real time so they can take immediate action to protect themselves from a future data breach. Lastly, they should enable two-factor authentication (2FA) on all of their websites and applications that provide this additional protection.  2FA is a powerful and simple way to safeguard accounts from a remote attacker.”

The post Data stolen after Hackers hit 14 UK schools appeared first on IT Security Guru.

Lawsuit Seeks Food Benefits Stolen By Skimmers

A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than a $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state. Federal law bars states from replacing these benefits using federal funds, and a recent rash of skimming incidents nationwide has disproportionately affected those receiving food assistance via state-issued prepaid debit cards.

The Massachusetts SNAP benefits card looks more like a library card than a payment card.

On Nov. 4, The Massachusetts Law Reform Institute (MLRI) filed a class action lawsuit on behalf of low-income families whose Supplemental Nutrition and Assistance Program (SNAP) benefits were stolen from their accounts. The SNAP program serves over a million people in Massachusetts, and 41 million people nationally.

“Over the past few months, thieves have stolen over a million SNAP dollars from thousands of Massachusetts families – putting their nutrition and economic stability at risk,” the MLRI said in a statement on the lawsuit. “The criminals attach a skimming device on a POS (point of sale) terminal to capture the household’s account information and PIN. The criminals then use that information to make a fake card and steal the SNAP benefits.”

In announcing the lawsuit, the MRLI linked to a story KrebsOnSecurity published last month that examined how skimming thieves increasingly are targeting SNAP payment card holders nationwide. The story looked at how the vast majority of SNAP benefit cards issued by the states do not include the latest chip technology that makes it more difficult and expensive for thieves to clone them.

The story also highlighted how SNAP cardholders usually have little recourse to recover any stolen funds — even in unlikely cases where the victim has gathered mountains of proof to show state and federal officials that the fraudulent withdrawals were not theirs.

Deborah Harris is a staff attorney at the MLRI. Harris said the goal of the lawsuit is to force Massachusetts to reimburse SNAP skimming victims using state funds, and to convince The U.S. Department of Agriculture (USDA) — which funds the program that states draw from — to change its policies and allow states to replace stolen benefits with federal funds.

“Ultimately we think it’s the USDA that needs to step up and tell states they have a duty to restore the stolen benefits, and that USDA will cover the cost at least until there is better security in place, such as chip cards,” Harris told KrebsOnSecurity.

“The losses we’re talking about are relatively small in the scheme of total SNAP expenditures which are billions,” she said. “But if you are a family that can’t pay for food because you suddenly don’t have money in your account, it’s devastating for the family.”

The USDA has not said it will help states restore the stolen funds. But on Oct. 31, 2022, the agency released guidance (PDF) whose primary instructions were included in an appendix titled, Card Security Options Available to Households. Notably, the USDA did not mention the idea of shifting to chip-based SNAP benefits cards.

The recently issued USDA guidance.

“The guidance generally continues to make households responsible for preventing the theft of their benefits as well as for suffering the loss when benefits are stolen through no fault of the household,” Harris said. “Many of the recommendations are not practical for households who don’t have a smartphone to receive text messages and aren’t able to change their PIN after each transaction and keep track of the new PIN.”

Harris said three of the four recommendations are not currently available in Massachusetts, and they are very likely not currently available in other states. For example, she said, Massachusetts households do not have the option of freezing or locking their cards between transactions. Nor do they receive alerts about transactions. And they most certainly don’t have any way to block out-of-state transactions.

“Perhaps these are options that [card] processors and states could provide, but they are not available now as far as we know,” Harris said. “Most likely they would take time to implement.”

The Center for Law and Social Policy (CLASP) recently published Five Ways State Agencies Can Support EBT Users at Risk of Skimming. CLASP says while it is true states can’t use federal funds to replace benefits unless the loss was due to a “system error,” states could use their own funds.

“Doing so will ensure families don’t have to go without food, gas money, or their rent for the month,” CLASP wrote.

That would help address the symptoms of card skimming, but not a root cause. Hardly anyone is suggesting the obvious, which is to equip SNAP benefit cards with the same security technology afforded to practically everyone else participating in the U.S. banking system.

There are several reasons most state-issued SNAP benefit cards do not include chips. For starters, nobody says they have to. Also, it’s a fair bit more expensive to produce chip cards versus plain old magnetic stripe cards, and many state assistance programs are chronically under-funded. Finally, there is no vocal (or at least well-heeled) constituency advocating for change.

A copy of the class action complaint filed by the MLRI is available here.

$8million Worth of Ethereum Stolen in Large Scale Uniswap Phishing Campaign

During an attack earlier this week, Uniswap, a popular decentralised cryptocurrency exchange, lost close to $8million worth of Ethereum.

The cyberattack has impacted many investors in digital assets.

The threat actors used the lure of free UNI tokens (airdrops) to trick victims into approving a transaction that gave hackers full access to wallets.

The trap was a disguised “setApprovalForAll” function that assigns or revokes full approval rights to the operator. This essentially allows the attacker to redeem all Uniswap v3 LP tokens for ETH in the victim’s wallet.

In total, the threat actors siphoned 7,574 ETH to a wallet address under their control and quickly moved 7,500 to the Tornado Cash service for laundering.

73,399 users who held UNI tokens were airdropped an ERC20 token created by the phishing actors. The actors spent 8.5 ETH in TX fees for the high number of transactions.

The aim of the campaign was to re-direct the recipients to a scam website on the domain “uniswaplp[.]com” which impersonates the official Uniswap domain “”

The operator appeared as “Uniswap V3: Position NFT” to the victims, tricking them into allowing approval rights.

Researchers at Check Point explain that the attackers polluted the emit function of the contract with false data tricking the block explorer into displaying Uniswap as the sender.

The post $8million Worth of Ethereum Stolen in Large Scale Uniswap Phishing Campaign appeared first on IT Security Guru.