
Fraudsters are Exploiting Google Apps to Steal Credit Card Details


Threat actors are using a novel approach to steal the credit card details of e-commerce shoppers: abusing Google’s Apps Script business application platform. By routing traffic through the Google Apps Script domain ‘’ they hide their activity from malware scanning engines and evade Content Security Policy (CSP) controls.

Eric Brandel, a cybersecurity researcher, unearthed the scam while analyzing Early Breach Detection data provided by Sansec, a cybersecurity firm focused on fighting digital skimming. Brandel explained that the threat actors bank on the fact that most online stores allowlist all Google subdomains in their CSP configuration (a browser security mechanism that restricts where a page may load code from and send data to). They take advantage of that trust and abuse the Apps Script domain to route the stolen data to a server under their control.

Once the fraudsters had injected the malicious script into an e-commerce site, all payment details stolen from that site were sent as base64-encoded JSON to a custom Google Apps Script app, using as the exfiltration endpoint. From there the stolen data was forwarded to another server controlled by the fraudsters, the Israel-based site analit[.]tech.

Sansec stated that “the malware domain analit[.]tech was registered on the same day as previously discovered malware domains hotjar[.]host and pixelm[.]tech, which are hosted on the same network.” Google services such as Google Forms and Google Sheets have also been abused in the past, by the FIN7 cybercriminal gang, for malware command-and-control communications. That gang targeted banks and the point-of-sale (POS) terminals of EU and US firms using the Carbanak backdoor.

“Typically, a digital skimmer (aka Magecart) runs on dodgy servers in tax havens, and its location reveals its nefarious intent. But when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious’. And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google”, Sansec explained.
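The CSP weakness described above can be checked mechanically. The following Python audit is an added example, not code from Sansec or the original post: it parses a CSP header and reports the directives whose allowlist would still let injected skimmer code send data to script.google.com, either through a wildcard that covers the host or through a missing form-action directive. The two sample policies are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for allowlist entries that would let a
skimmer exfiltrate checkout data to the Google Apps Script host.
Added example; the sample policies below are constructed, not taken from any real site."""

# Host named in the Sansec report; any source expression covering it is a risk.
APPS_SCRIPT_HOST = "script.google.com"

# Constructed policies: a typical "trust everything Google" allowlist and a tightened one.
WEAK_CSP = ("default-src 'self'; script-src 'self' https://*.google.com https://*.googleapis.com; "
            "connect-src 'self' https://*.google.com; img-src 'self' https://*.google.com data:")
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
                "connect-src 'self' https://www.google-analytics.com; "
                "img-src 'self' https://www.google-analytics.com data:; form-action 'self'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_covers(source: str, host: str) -> bool:
    """True if a single CSP source expression matches the given host."""
    src = source.lower().split("://", 1)[-1].split("/", 1)[0]
    if src in ("*", "https:", "http:", host):
        return True
    if src.startswith("*."):
        return host.endswith(src[1:])  # "*.google.com" also matches script.google.com
    return False


def risky_directives(header: str) -> list:
    """Return the directives whose allowlist permits traffic to APPS_SCRIPT_HOST."""
    policy = parse_csp(header)
    default = policy.get("default-src", [])
    flagged = []
    for directive in ("connect-src", "script-src", "img-src"):
        sources = policy.get(directive, default)  # these fall back to default-src
        if any(_source_covers(s, APPS_SCRIPT_HOST) for s in sources):
            flagged.append(directive)
    # form-action has no default-src fallback: when absent, forms may post anywhere.
    form = policy.get("form-action")
    if form is None or any(_source_covers(s, APPS_SCRIPT_HOST) for s in form):
        flagged.append("form-action")
    return flagged
```

Running risky_directives over a store's live header during a review shows exactly which directives would need per-host entries instead of a Google wildcard.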

E-Commerce Theft: Dark Web Card Payment Store ValidCC Shut Down

ValidCC, a dark web market run by a cybercrime group, had been hacking online merchants and stealing payment card credentials for more than six years. Last week, ValidCC closed down abruptly; its owners say that a law enforcement operation seized their servers, aiming to capture the store's infrastructure. A number of online shops sell "card not present" or "CNP" payment data. Some of it may be skimmed directly from e-commerce stores, but most is sourced from other cybercriminals and threat actors.

In the case of ValidCC, however, experts believe that the store itself attacked and hacked hundreds of e-commerce merchants, seeding websites with hidden card-skimming code that stole personal information and payment credentials when a customer went through checkout. Group-IB, a Russia-based cybersecurity firm, published a report last year describing ValidCC's operations and attributing to it the compromise of around 700 e-commerce stores. Group-IB also identified another group, "UltraRank", responsible for attacking an additional 13 third-party suppliers that provided software components to online stores across Europe, America, and Asia.

Experts believe that UltraRank orchestrated a series of cyberattacks that cybersecurity firms had earlier attributed to three different cybercrime groups. "Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” said Group-IB, adding, “UltraRank combined attacks on single targets with supply chain attacks.” ValidCC's representative on various platforms, a hacker using the handle SPR, notified customers that the shop would shut down from 28 January, following a law enforcement operation that sealed ValidCC's operations.

According to SPR, ValidCC lost access to more than 600,000 unsold payment card accounts, a very heavy blow to the store's inventory. ValidCC also lost its proxy and destination servers, and it can no longer open and decrypt the back-end, SPR says. Group-IB reports, "the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English, however, SPR often switches to Russian, while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker."

Emotet Trojan: one of the biggest malware threats

Emotet is a banking Trojan that started out stealing information from individuals, such as credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming a major threat that infiltrates corporate networks and spreads other strains of malware.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

Emotet poses a grave risk for individuals and businesses of all sizes. Here's a look at what you can do to safeguard your business against this pernicious Trojan malware.

Emotet infections typically start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network.

The addition of new capabilities into Emotet, inspired by other successful malware such as WannaCry, has made it a much more potent threat capable of moving laterally and infecting entire networks alarmingly quickly. It’s a modular Trojan that’s often employed as the vanguard of a bigger attack, piercing the outer defenses and then downloading other banking Trojans and spreading them around.

As persistent and pernicious as Emotet is, you can take effective action to guard against it.

First, ensure that you don’t have unsecured devices on your network. Take steps to identify and secure unmanaged devices, and eliminate potential blind spots such as Internet of Things (IoT) devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized, because it is polymorphic, constantly updating itself and working to spread further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.

Actress Sameera Reddy received call from hacker who spent ₹ 5 Lakhs on her credit card

Indian actress Sameera Reddy has become a victim of cyber crime: an unknown hacker spent ₹ 5 Lakhs on her credit card.

According to an NDTV report, the hacker used the credit card at different locations around the world.

After spending the money, the hacker surprisingly called Sameera Reddy and informed her about the theft. The thief apparently decided to call her because he was a big fan of the actress.

“I was dubbing when I got a call. It was from an unknown number and the person on the other side told me he was part of a hackers’ team. I could not believe what he was saying,” Sameera Reddy said.

"I had my card with me but the bank authority asked me to pay up the dues. I kept arguing with them for two months. Finally, the matter has been settled," Sameera added.

Crazy hacker! What do you think?

Hackers breached Restaurant Depot's POS network again & accessed credit card info

Hackers have once again breached the Point-of-Sale (POS) network of Restaurant Depot, a New York-based wholesale supplier, and stolen credit and debit card details from the card processing system used in some of its stores.

The company discovered the security breach on December 4, 2012, when its customers experienced credit card fraud after using their cards at some of its stores.

It hired Trustwave on December 6 to investigate the intrusion. Investigators determined that the intrusion began on November 7, 2012; they are still identifying all the details and continuing their investigation.

The company notified all the major card brands and provided information about potentially compromised accounts.

"To protect yourself from possible fraudulent charges, you should contact officials at your card issuer immediately by calling the toll-free number on the back of your card or on your monthly statement, tell them you have received this letter, and ask them to cancel and reissue the card," the official notification reads.

"You should also closely review your credit/debit card statements if you used your cards at one of our stores between November 7th and December 5, 2012. You should immediately notify the bank or financial institution that maintains the card account of any unauthorized charges."

This is not the first time the company has suffered a security breach: in 2011, Russian hackers broke into the Restaurant Depot database and accessed the credit and debit card details of more than 200,000 customers.

Four Romanians charged with hacking 150 Subway restaurants & 50 Retailers

Four Romanians have been charged with hacking into the credit card processing systems of more than 150 Subway restaurants and 50 other, unnamed retailers, according to an indictment. The hackers stole millions of dollars using the compromised credit card data of more than 80,000 customers.

Starting in 2008, the suspects hacked into more than Point of Sale (POS) systems and installed keyloggers and other spyware to steal customers' credit and debit card numbers; they also placed backdoors to retain unauthorized access to the systems.

The hackers used a vulnerability scanner to find vulnerable POS systems that had certain remote desktop software applications installed. After finding a vulnerable system, they broke in by guessing passwords or using password crackers.

After obtaining the card data, they cloned some credit cards and used them to make illegal purchases, mainly in Europe. They also sold the remaining card data.

The indictment, filed in US District Court in New Hampshire, named Adrian-Tiberiu Oprea, 27, Iulian Dolan, 27, Cezar Iulian Butu, 26, and Florin Radu, 23. They were each charged with four counts, including conspiracy to commit computer fraud, wire fraud, and two counts of conspiracy to commit fraud in connection with access devices.

Hackers steal credit card data: Hackers break into two computer stations of Vacationland Vendors

Hackers breached two computer stations owned by Vacationland Vendors of Wisconsin Dells, placing about 40,000 credit or debit card users at risk of theft.

The computers were at the Wilderness Resorts in Lake Delton and Sevierville, Tenn., where Vacationland Vendors operates the arcades. The company owns and operates 11 arcades and has been in business for 30 years. Vacationland Vendors is one of the Gussel family's businesses, which also include Holiday Wholesale as well as convenience stores and Dunkin Donuts franchises.

A notice on the Vacationland Vendors web site says, "Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort. Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker."

Evan N. Zeppos, of the public relations firm, Zeppos & Associates, which is handling publicity about the breach, said the company was alerted to the breach by calls from one or two customers. The breach occurred on March 22.

No other computer systems in the Vacationland Vendors system with credit card information have been breached by hackers, Zeppos said.

Zeppos said that when Vacationland learned of the breach, it called in forensic experts to look at the data in the system.

"Once we became aware of the breach, we immediately shut down the credit card system and took it offline April 1," Zeppos said.

Since then, the company has upgraded its security on the computer system. "We . . . believe we now have the highest level of security."

Although data for 40,000 credit or debit card users was stored, Zeppos said it is believed that fewer than 20 individuals were impacted.

He suggested that anyone who used credit or debit cards at one of the affected arcades from Dec. 12, 2008 to May 25, 2011 should check their credit card statements for any unusual activity. Paying close attention to credit and debit card statements is a good thing to do. Saying he does not want to make excuses for the company, he encouraged customers to be diligent and vigilant for illegal use of their cards.

Heidi Fendos, public relations director for Sprecher Bertalot of Milwaukee, which handles public relations for the Wilderness resorts, said customers who used credit or debit cards at the resorts are being asked to carefully check their credit card statements.

"When they made our resort aware of the breach to one of their credit card stations in our Wild West Mega Arcade, we had them immediately cease all credit card activity in their leased area," Fendos said.

"Our resort wants to make it clear that the Wilderness Resort's credit card system was never compromised at any time during this situation with Vacationland Vendors' credit card station," Fendos said.

Vacationland Vendors continues to lease and operate the arcades at Wilderness, but the area is cash-only now. Credit cards are no longer accepted.

Zeppos said Vacationland is trying to disseminate information about the threat as broadly as possible and has posted guidance on its web site about what to do. The site says to do the following:

■ Watch for any unusual activity on your bank statements, credit card account or suspicious items on your bills.

■ Contact any of your credit card issuers, banks or credit unions, and inform them of this incident.

■ Place a fraud alert on your consumer credit file. A fraud alert instructs creditors to watch for unusual or suspicious activity in your accounts, and provides creditors with notice to contact you separately before approving an extension of credit. To place a fraud alert, free of charge, contact one of the three national credit reporting agencies listed below. You do not need to contact all three; rather, the agency that you contact will forward the fraud alert to the other two agencies on your behalf.

The national credit reporting agencies are Equifax Information Services LLC, P.O. Box 105069, Atlanta, GA 30348-5069, 1-800-525-6285; Experian, 1-888-397-3742; and TransUnion, Fraud Victim Assistance Dept, P.O. Box 6790, Fullerton, CA 92834, 1-800-680-7289.

Information about personal identity theft and fraud may be obtained from the Federal Trade Commission at or by calling 1-877-ID-THEFT

Zeppos said if individuals have additional questions they can send an e-mail to