Hackers Acquire 'Fullz' in Recent Data Breaches
Fullz is credit card hacker-slang for "full information" of consumers' personal data that is sold on the dark web.
The mounting toll of data breaches affecting payment card and other data now provides “fullz,” jargon used by card hackers and data resellers for complete packages of an individual’s identifying information.
A perfect example of a “fullz” happened recently at Macy’s department stores.
Macy’s announced it suffered a data breach after its website was compromised by Magecart attackers, who use web-skimmer malware that collects payment card information from customers. Magecart gangs typically inject a script that works like a card skimmer mounted on a physical card terminal: with the malicious script in place, the attackers lift electronic payment information in real time during checkout.
According to a Notice of Data Breach issued by Macy’s, hackers added a malicious script to the ‘Checkout’ and ‘My Wallet’ pages on October 7, 2019, which sent any payment information, credit card details and customer information to a remote site under the attacker’s control. “The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page.” Macy’s said it did not know of the attack until a week later.
Cybercriminals gained access to customer and credit card information including full names, home and email addresses, phone numbers, payment card numbers, security codes and expiration dates.
Robert Prigge, president of Jumio, noted, “The Macy’s data breach is concerning for two reasons. First, it released even more personally identifiable information into the dark web.” Prigge added that compromised data, when combined with other available information, creates a fullz, giving criminals everything needed to exploit the power of bots to automate and perform account takeover fraud at scale.
“2019 has been a record year for fraud and criminals are splicing together information from disconnected breaches, creating full identity profiles for sale on the dark web. Bots can perform upwards of 100 attacks per second, making it easier and faster to penetrate the defenses of popular websites,” Prigge maintained. “If a person uses a password on the originally compromised website, bots can scour the web to find other websites using the same credentials and perpetrate ATO with relative ease.”
Mike Bittner, director of digital security and operations at The Media Trust, also commented: “The challenge with preventing cross-site scripting attacks is identifying which code should be running on a site, which ones shouldn’t.” Bittner added, “If they have an inventory of allowed digital vendors, they will be able to root out unauthorized actors like those behind barn-x.com. They need to take a left-of-breach approach. Only allow code from digital vendors you know. Treat everyone else as a potential threat.”
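The “inventory of allowed digital vendors” approach Bittner describes can be turned into a routine check against the checkout page’s HTML, and the same allowlist can be enforced in the browser with a Content-Security-Policy `script-src` directive. The example below is added here and is not code from the article or from any of the companies quoted; the allowlist hosts and the checkout page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (hypothetical hosts): the shop's own host plus the
# script hosts of vendors that have been inventoried and approved.
ALLOWED_SCRIPT_HOSTS = {"shop.example.test", "cdn.known-vendor.test"}

# Constructed checkout page: one first-party script, one approved vendor,
# one unknown third-party host and one inline script that needs review.
CHECKOUT_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.known-vendor.test/analytics.js"></script>
<script src="//static.unknown-cdn.test/loader.js"></script>
<script>window.cartTotal = 42;</script>
</body></html>"""


class ScriptInventory(HTMLParser):
    """Collects every <script> on a page: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # src= attribute of each external script
        self.inline = 0           # number of non-empty inline script bodies
        self._in_script = False
        self._saw_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._saw_body = True, False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self._saw_body = True

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline += int(self._saw_body)
            self._in_script = False


def audit_scripts(html, allowed_hosts):
    """Return (unknown_hosts, inline_count). Relative src values have no host
    and are treated as first-party; everything else must be on the allowlist."""
    inv = ScriptInventory()
    inv.feed(html)
    hosts = {urlparse(src).netloc.lower() for src in inv.external}
    return sorted(h for h in hosts if h and h not in allowed_hosts), inv.inline


def csp_script_src(allowed_hosts):
    """Content-Security-Policy script-src value enforcing the same allowlist."""
    return "script-src 'self' " + " ".join(f"https://{h}" for h in sorted(allowed_hosts))
```

Any host reported as unknown, and any inline script, is a candidate for the kind of review Bittner recommends; the CSP value blocks scripts from hosts that are not on the inventory before they run.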
Anurag Kahol, CTO of Bitglass, said, “Payment card-skimming malware continues to be a security challenge for retailers as we have seen over the years for British Airways, Kitronik, and now Macy’s. As customers begin to purchase their holiday gifts, they are trusting that the merchants are keeping their sensitive data safe. Unfortunately, when malicious parties compromise payment card information and personally identifiable information, they can make fraudulent purchases, sell said data on the dark web, and much more.”
“Cybercriminals are continuously looking for gaps in security defenses and vulnerabilities to turn a quick profit,” said Chris Kennedy, CISO and vice president of customer success at AttackIQ. “During peak holiday shopping season, it is imperative companies continuously validate their security controls to make sure they are enabled, configured correctly and operating effectively. Companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them before they can be exploited by bad actors.”
In other breach news, Ars Technica reported the online posting of password data and other personal information belonging to as many as 2.2 million users of two websites, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service.
One incident affected personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contained data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases included registered email addresses and cryptographically hashed passwords.
The person posting the 3.72GB GateHub database said it also included two-factor authentication keys, mnemonic phrases, and wallet hashes. The EpicBot database purportedly included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the authenticity of the data.
Colin Bastable, CEO of security awareness and training at Lucy Security, issued this statement: “Users should assume that their account credentials are going to be compromised, and act accordingly.” He added, “Disney+ was barely out of the traps before users’ accounts were being hijacked and credentials offered for sale on the dark web. We need a different way of managing online account security – authentication using usernames (especially email addresses) and passwords alone is way beyond their sell-by date, and MFA still faces an uphill battle for universal adoption.”
(Disney said Disney+ account passwords sold in underground hacking forums are coming from previous breaches at other companies, predating last week’s launch of its streaming service.)
vpnMentor cybersecurity researchers, led by Noam Rotem and Ran Locar, disclosed a leak of PII belonging to customers of PayMyTab, which provides restaurants and other venues with mobile and card terminals and data, caused by an open Amazon Web Services bucket. According to ZDNet, the unidentified person who notified vpnMentor wanted to raise awareness of the security breach. The leaked information included customer names, email addresses, telephone numbers, order details, restaurant visit information and the last four digits of customer payment card numbers.
Kahol said, “All too often companies make the mistake of leaving a database open with their customers’ sensitive data exposed.” He also noted, “While there is not yet evidence of an actual breach, the information left unsecured on the PayMyTab database could have been bought and sold on the dark web, further exposing those affected to future fraud and phishing attacks.”