<![CDATA[[SecurityRatty] tag: receipts]]> http://securityratty.com/tag/receipts Sun, 09 Dec 2007 18:14:53 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Petroleum Wholesale charged with exposing customers]]> http://securityratty.com/article/1e0eee4c18853dda51b902995e1d952a http://securityratty.com/article/1e0eee4c18853dda51b902995e1d952a Security Breach

Date Reported:
6/19/08

Organization:
Petroleum Wholesale, L. P.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information"

Breach Description:
”HOUSTON -- Petroleum Wholesale, which operated Sunmart Travel Centers and Convenience Stores in 10 states, was charged by the Texas Attorney General of improperly disposing of customer records"

Reference URL:
The Pasadena Citizen
KHOU-TV Channel 11 News
Convenience Store News

Report Credit:
The Pasadena Citizen

Response:
From the online sources cited above:

HOUSTON - Texas Attorney General Greg Abbott today charged Houston-based Petroleum Wholesale, L.P., which operates Sunmart Travel Centers & Convenience Stores in 10 states, for exposing its customers to identity theft.

According to the state's enforcement action, Petroleum Wholesale improperly discarded customer records containing sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information.

"This defendant is charged with failing to protect its customers' sensitive information," Attorney General Abbott said.

"With more than 20,000 Texas victims each year, identity theft remains one of the nation's fastest-growing crimes. The Office of the Attorney General will continue working to protect Texans from identity theft."

Investigators with the Office of the Attorney General (OAG) discovered that the company improperly discarded hundreds of customer records in a publicly-accessible trash container outside its former headquarters.
[Evan] According to information posted on the Petroleum Wholesale web site, "Petroleum Wholesale services more than 350 retail locations throughout ten states."  This breach has the potential to affect many, many people.

According to investigators, the records included sales receipts with customers' names and full credit or debit card numbers with expiration dates.

The records also included returned checks, along with forms listing customers' names, banking routing numbers, driver's license and Social Security numbers.

The defendant is charged with violating the 2005 Identity Theft Enforcement and Protection Act, which requires the safeguarding and proper destruction of clients' sensitive personal information.

State law establishes penalties of up to $50,000 per violation of the Act.
[Evan] This could add up quick.  What's a better business decision, a few hundred bucks for a cross-cut shredder and accompanying procedures, or fifty grand per incident?  Although, I am not sure that a shredder and procedures are not all that is needed in Petroleum Wholesale's information security program (assuming one exists).

The OAG also charged the company with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information.

The law provides for civil penalties of up to $500 for each abandoned record.

For more information about preventing identity theft, contact the Office of the Attorney General at (800) 252-8011 or visit the agency's Web site at www.texasattorneygeneral.gov.

style="font-weight: bold;">Commentary:
One question that isn't clear from the news reports is whether or not this was a common practice at Petroleum Wholesale.  Organizations should take heed of this case.  I think actions taken by Mr. Abbott and other State Attorney Generals will only become more frequent.

I look forward to more information in the future about this case.

Past Breaches:
Unknown

]]> Sun, 22 Jun 2008 17:58:23 +0000 sensitive personal information personal information petroleum wholesale information company company improperly improperly debit card information debit card Petroleum Wholesale charged with exposing customers <![CDATA[Tucson area Domino's Pizza customer information exposed]]> http://securityratty.com/article/8a47859f1eed2fddfeb4d9a0979c73fb http://securityratty.com/article/8a47859f1eed2fddfeb4d9a0979c73fb Security Breach

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations    

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time?  I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons.  24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up.  I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals.  I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scotts nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation?  Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.).  I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scotts tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it.  I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify.  The impact to the business (or organization) is not usually as easy to measure.  In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc.  Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information.  Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach.  He makes a very good argument regarding accountability in credit card breaches.  My responses to him are included.

Past Breaches:
Unknown

]]> Wed, 18 Jun 2008 06:43:34 +0000 credit card transactions credit card credit card receipts credit card breaches card pizza receipts information tucson Tucson area Domino's Pizza customer information exposed <![CDATA[A Three-Ballot-Based Secure Electronic Voting System]]> http://securityratty.com/article/1304eed9ebc2c8cc7840bff11df86ed9 http://securityratty.com/article/1304eed9ebc2c8cc7840bff11df86ed9 ]]> Thu, 22 May 2008 10:32:01 +0000 vote addresses vote receipts secure electronic election markup language single architectureone system voter privacy web services viability A Three-Ballot-Based Secure Electronic Voting System <![CDATA[Harvesting YouTube Usernames for Spamming]]> http://securityratty.com/article/eb06befb0ddb9ee0e333f0fc7283d8b2 http://securityratty.com/article/eb06befb0ddb9ee0e333f0fc7283d8b2 With a recently distributed database of several thousand YouTube user names, spammers continue trying to demonstrate their interest in establishing as many contact points with potential receipts of their message, or even malware given the harvested user names database ends up in someone else's hands.

Building such "hitlists" of end points to be spammed, or served malware, is setting up the foundations for the success of popular tools used for spamming video and social networking sites, efficiently, and with a very low degree of unsuccessful attempts to deliver the message. Moreover, these developments seem to indicate an emerging trend of building databases that would later one be efficiently abused, starting from the Thousands of IM Screen Names in the Wild uncovered in October, 2007, and going to the spamming of Skype users.

Direct applicability for spamming and malware campaigns, or a bargain for finalizing a deal, databases of any kind are prone to be abused in principle, and it's malicious parties in general I'm refering to in this case.
]]> Tue, 06 May 2008 23:21:17 +0000 database user names database malware campaigns malware names direct applicability potential receipts low degree malicious parties Harvesting YouTube Usernames for Spamming <![CDATA[Super 8 credit card receipts found in landfill]]> http://securityratty.com/article/2f9b7284a29b4691dc31649dd96d8f82 http://securityratty.com/article/2f9b7284a29b4691dc31649dd96d8f82 Security Breach

Date Reported:
3/24/08

Organization:
Wyndham Hotel Group

Contractor/Consultant/Branch:
Super 8 Worldwide, Inc.
The Super 8 Motel of Lamar

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names, credit card account numbers, expiration dates, addresses, and signatures

Breach Description:
"Bundles of credit card receipts from a Super 8 Motel in Lamar were discovered in Lamar's landfill, complete with account numbers, names, addresses and signatures."

Reference URL:
KKTV Channel 11 News

Report Credit:
Rosie Barresi, KKTV Channel 11 News

Response:
From the online source cited above:

Bundles of credit card receipts from a Super 8 Motel in Lamar were discovered in Lamar's landfill, complete with account numbers, names, addresses and signatures.

The receipts have everything a crook needs to charge thousands of dollars onto someone's credit card.
[Evan] I don't think that these are the same receipts that get handed back to a customer, these are back office receipts.  I remember when all customer credit card receipts had account numbers printed on them.  Some time ago this practice was largely stopped and now we only see a masked, partial account numbers.  I am still in the habit of checking my receipt every time I purchase something though.

Nina Kinney lives in Pueblo. She and her husband stayed at the Super 8 Motel in Pueblo a couple of years ago. Their names and address was among the pile, but not their credit card information because they paid cash.
[Evan] A lot of times a credit card is required for reservations even if you wanted to pay cash.

Jane Lupp, Super 8 Motel Clerk said, "All of our receipts are sent to the owner in Canon City," Lupp also told 11 News.
[Evan] I think Super 8 headquarters is in Parsippany, N.J., so this Lamar hotel is probably a franchise.

Lupp says those receipts come back to Lamar and go straight into storage.

"They were cleaning out that storage the other day and those are not the boxes that should have gone into the trash. Evidently one got in there," said Lupp.

But it wasn't just one box, there were at least three of them.

"I'm sure it was accidental," said Lupp.

Lupp says, normally they shred all old receipts. "I don't know how it happened. We will certainly make sure it doesn't happen again," said Lupp.

The receipts were discovered by a Lamar man who turned them over to 11 News.

If you've stayed at Lamar's Super 8 Motel in the last few years, you may want to change your credit card number.

Customer Reaction:
"We expect them to handle that safely and with proper manor. It's upsetting and disappointing,"

"It's kind of hard to believe that it was just an accident,"

Commentary:
I'm sure that this type of breach happens more often than we would like to admit.  Not just at Super 8, but retail in general.

Past Breaches:
Unknown

]]> Wed, 26 Mar 2008 07:47:46 +0000 receipts credit card receipts credit card super credit card account lamar hotel lamar credit card information jane lupp Super 8 credit card receipts found in landfill <![CDATA[Inside a Botnet's Phishing Activities]]> http://securityratty.com/article/019622c192f822a37c52e62b1a9110d4 http://securityratty.com/article/019622c192f822a37c52e62b1a9110d4 The following incident response assessment will demonstrate how a botnet's infected hosts can not only be used as stepping stones, but also for the purpose of sending out phishing emails, and hosting the domains used in the scams themselves, thereby forwarding the responsibility for the scams to the infected parties, in between remaining relatively untraceable. The malware variants are still in the wild, and the ecosystem itself is currently active as well. Upon receiving and sandboxing the malware detected as BKDR_AGENT.AKJZ, Backdoor.Agent.AJU, Proxy-Agent.af.gen and Proxy-Agent.af.gen, BKDR_AGENT.AKJZ, both binaries attempt to connect to several IPs, one's that's resolving to the entire ecosystem's name servers, namely 72.46.130.154. This KISS strategy allows us to quickly expand the entire domain portfolio and the associated phishing campaigns already in the wild. Here are the domains serving the phishing pages that are actually hosted on the botnet's infected hosts :

asp29.com
asp63.net
aspx77.in
aspx83.in
aspx94.in
bank45.us
boa23.com
cfm83.net
com94.net
info23.in
net18.in
net73.net
net94.us
pid83.net
ref34.us
sec26.net
sec94.in
sid45.com
site17.in
site37.in
ssd47.com
ssl18.net
ssl19.com
ssl62.net
web42.in
web59.net
web636.com
www84.in

It's quite obvious that their descriptive nature, just like the ones I've discussed before, is to be used in phishing attacks in order to visually social engineer the receipts. And as you can see in the attached graphs, the IPs resolving to the domains are the typical home based infected end users, who would from a theoretical perspective be sending phishing emails to themselves at a later stage. And so once infected the hosts phone back home to receive instructions on participating in the malicius ecosystem by temporarily serving the phishing domains. Upon infection the hosts try to connect to 72.46.129.154; 72.46.130.154; 72.46.136.50 and ns.uk2.net, where for the time being there're twenty different variants that are known to have been using ns.uk2.net for DNS resolving purposes. All of these domains are using the same nameservers indicating their connection. Here are some of the subdomains in the already running, and spammed phishing campaigns :

direct-certs9.bankofamerica.com.ssl36.net
www1.update.microsoft.com.ssl36.net
www7.nationalcity.com.asp29.com/consultnc/form.asp
microsoft.com.sec94.in
direct-certs1.bankofamerica.com.asp63.net
update.microsoft.com.web72.us
bankofamerica.com.web42.in
direct-certs0.bankofamerica.com.web42.in
update.microsoft.com.web72.us
www5.update.microsoft.com.sec94.in
www7.update.microsoft.com.web72.us

Now that the botnet's phishing activities are exposed, it's also important to mention the fact that besides the phishing activities, this is the botnet that's been sending out the recent fake Microsoft Critical Live Update emails.
]]> Mon, 25 Feb 2008 06:34:49 +0000 net botnet bkdr agent agent microsoft hosts phone domains hosts ecosystem Inside a Botnet's Phishing Activities <![CDATA[Setting up return receipts for LotusScript-generated Lotus Notes email]]> http://securityratty.com/article/bf003afc95a5985014b52324ca0f8c0a http://securityratty.com/article/bf003afc95a5985014b52324ca0f8c0a ]]> Tue, 19 Feb 2008 05:02:55 +0000 email messages discover implement Setting up return receipts for LotusScript-generated Lotus Notes email <![CDATA[AIB confirms payment receipts mix-up]]> http://securityratty.com/article/20b04978d19103432c6503fb7cdb0888 http://securityratty.com/article/20b04978d19103432c6503fb7cdb0888 Fri, 28 Dec 2007 10:15:45 +0000 payment advice slips aib wrong addresses computer error thursday AIB confirms payment receipts mix-up <![CDATA[Phishers, Spammers, and Malware Authors Clearly Consolidating]]> http://securityratty.com/article/630ba3b8e9e355ca51f97bb8a3578cf9 http://securityratty.com/article/630ba3b8e9e355ca51f97bb8a3578cf9 In a recent article entitled "Popular Spammers Strategies and Tactics" I emphasized on the consolidation that's been going on between phishers, spammers and malware authors for a while :

"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to a spammer’s results oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages, phishers are masters of social engineering, while on the other hand malware authors or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We’ve been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironical situation where malware infected hosts inside Pfizer are spamming viagra emails."

The recently uncovered breach at the U.S Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article, namely, harvesting of the emails courtesy of the spammers, segmenting the emails database for targeted mailings on a per company, institution basis, and malware authors eventually purchasing the now segmented databases for such targeted attacks with the spammers earning a higher profit margin for providing the service of segmentation :

"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."

And, of course, there's a Chinese connection, but thankfully there're articles emphasizing on the concept of stepping-stones before reaching the final destination, with China's highly malware infected Internet population acting as the stepping-stone, not the original source of the attack :

"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."

Publicly obtainable research, and common sense state that malware coming through email attachments is slowing down, and is actually supposed to be filtered on the gateway perimeter by default, especially executables. Even the first round of Storm Worm malware in January, 2007, concluded that email attachments are not longer as effective as they used to be, and therefore migrated to spamming malware embedded links exploiting outdated vulnerabilities.

How such type of targeted malware attack could have been prevented?

- ensure that the emails are harvested much harder than they are for the time being, in this particular case, a huge percentage of the emails account, thus the future contact points for the malicious parties to take advantage of ornl.gov can be harvested without even bothering to crawl the domain itself through web scrapping ornl.gov

- a freely avaivable, but highly effective tool to evaluate whether or not your mail server filtering capabilities for such type of content work, is PIRANA - Email Content Filters Exploitation Framework :

"PIRANA is an exploitation framework that tests the security of a email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"

Taking the second possible scenario, namely that it wasn't a targeted attack, but malware attachments "as usual", mostly because the fact that modern malware automatically excludes mailings to .gov's .mil's and the majority of known to them anti-virus vendor's related email addresses, hoping to infect as much people as possible before a reactive response is in place.

If it were a spammed malware embedded link, the chances are the receipts followed it, but a spammed malware as an attachment is too Web 1.0 for someone to fall victim into, and it's rocket scientists we're talking about anyway.
]]> Sun, 09 Dec 2007 18:14:53 +0000 malware malware attachments malware attack malware authors hand malware authors spammers modern malware storm worm malware emails courtesy Phishers, Spammers, and Malware Authors Clearly Consolidating