The malware, dubbed "ISN," is masked as a module for Microsoft Internet Information Services (IIS) web-hosting software, Trustwave found.
The botnet is reportedly behind the compromise of more than 20,000 payment cards in recent months.
The system crash reportedly kept bank customers from withdrawing money from ATMs and from carrying out mobile and online transactions.
Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today.
On Wednesday morning, the website showcased items, normally priced for hundreds of dollars, at around $10 to $20.
So far, one solution, developed by European Payment Services, has been verified under PCI security standards for point-to-point encryption (P2PE) hardware.
"The 2013 eCommerce Cyber Crime Report" weighed the business loss incurred by holiday cyber attacks.
Fraudsters boldly entered the store to plant skimming devices.
According to a federal judge in Illinois, the plaintiffs failed to demonstrate loss or injury as a result of increased risk of identity theft, invasion of privacy and other claims.
The case hinges on a 2012 breach where the live video feeds of nearly 700 web-connected cameras were made available online.
Liberty Mutual, the insurer for St. Louis-based Schnucks, said the supermarket chain's general liability policy wasn't designed to absorb costs associated with data breach lawsuits and related claims.
The council released a highlight of potential new requirements and guidance to the PCI Data Security Standard and Payment Application Data Security Standard, both due out in November.
US Airways reported Aug. 2 that an unauthorized user gained access to a small number of Dividend Miles accounts. It was the second reported breach in under a month for the airline.
A programming error experienced by the payroll vendor for US Airways may have allowed employees to see wage information belonging to their colleagues.
Mapco Express suffered a credit card breach in March and April after hackers infected its systems with malware.
Customers that used their credit and debit cards during the month of February may have had their data exposed.
More than half of C-level executives surveyed in large Canadian companies do not educate employees about data security, storage and destruction.
Between June and July, the U.S. Food and Drug Administration shut down 1,677 pharmacies it says were operating illegally.
Technological vulnerability and valuable data make retailers the latest target for malware attacks, says Jenny Craig CIO Abe Lietz. Karen Epper Hoffman investigates.
The supermarket chain, which has more than 120 stores, primarily in California, was targeted by online intruders.
Adrian-Tiberiu Oprea, a Romanian man, admitted that he helped steal payment card data from hundreds of U.S.-based point-of-sale (POS) systems at the sandwich chain.
Mapco disclosed this week that hackers compromised its payment card processing systems to steal credit and debit card information belonging to an unknown number of customers.
The numbers corresponded to cards used by shoppers at 79 of 100 Schnucks Markets locations in the Midwest. The attacks may have persisted as long as four months, from last December through March 29.
The trojan was recently a topic of discussion on an underground Russian forum, researchers found.
The Payment Card Industry Security Standards Council (PCI SSC) released recommendations for card data security and compliance in cloud environments.
How can we provide the customers with outstanding customer support to complement our products?
Zaxby's, a Georgia-based restaurant chain, said the credit and debit card information of customers at locations in 10 states may have been accessed by fraudsters.
Cezar Butu received the penalty after admitting that he helped infiltrate the credit card processing systems of more than 150 Subway restaurants in 2011.
The PCI Security Standards Council, the body that manages payment security industries guidelines, on Friday released a methodology for meeting a risk management requirement included in the standard.
Less than two weeks after the book giant revealed that PIN pads at dozens of its stores were compromised, four victims have filed lawsuits, alleging the company failed to properly protect their data and notify them in reasonable timeframe.
EMC has acquired Menlo Park, Calif.-based online fraud detection provider Silver Tail Systems. Silver Tail, which offers "real-time web session and behavioral analysis" for banking, e-commerce and government customers, will operate as part of RSA, EMC's security division.
Fraudsters tampered with the point-of-sales devices at a number of locations to steal customers' debit and credit card information.
Two men each have been sentenced to 36 months in prison for withdrawing tens of thousands of dollars from ATMs with credit card information that was stolen from craft-store retail chain Michaels Stores.
The Federal Trade Commission is alleging that the hotel chain failed to implement basic security practices, which led to a number of costly data-leakage incidents.
A 21-year-old Dutch man is accused of accessing the point-of-sales terminals of restaurants and other businesses to steal credit card numbers, which he and a co-conspirator then sold in underground forums.
The body that manages debit and credit card security standards on Wednesday released best practices for retailers wishing to accept payments via mobile devices.
A group of six has been charged in the latest scam to defraud bank customers through the use of skimming devices, a trend that has seen a noticeable uptick in arrests and prosecutions over the past year.
A new development in the criminal underground is to peddle trojans that steal credit card data from hotels.
A 33-year-old Maryland man on Friday was sentenced to 5 1/2 years in prison for participating in an identity theft and credit card skimming scheme, according to the U.S. attorney's office in Alexandria, Va.
Trustwave's annual review of its data breach response investigations concluded that franchises are now the prime target for hackers seeking customer data, such as credit card numbers.
The EMV standard, widely considered an effective way to curb counterfeit card fraud because it requires a microchip to be embedded in a credit or debit card or on a mobile device, is gradually picking up steam in the U.S.
Visa has issued best practices that detail how retailers, card issuers and processors can upgrade their credit card transaction technology to a chip-based model, so to avoid burdensome complexity, cost and time to market.
Hackers breached a server belonging to online retailer Zappos and made off with the personal information of 24 million customers, though no credit card numbers were involved.
Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.
Studies show that online consumers are concerned about security and privacy. That means web retailers must ensure they are taking all the steps necessary to ensure a safe and transparent shopping experience.
The defendants allegedly compromised the credit card data of 80,000 customers and made millions of dollars in unauthorized purchases.
As of Monday, at least 80 people were victimized by credit and debit card readers being tampered with.
Proper DNS management by organizations is critical to protecting against threats and staying online during the busy holiday months.
Sony's PlayStation Network again has been hit by hackers, but the limited damage that resulted could point to strides being made by the electronics giant.
Much of the surge can be blamed on SQL injection and the use of exploit toolkits, according to researchers at Dell SecureWorks.
The organized structure of a huge identity theft operation, based in New York, allowed members to make millions in profits.
Microsoft has introduced a "fairly major" update to its Malicious Software Removal Tool to detect and kill infections of the insidious and constantly morphing data-stealing malware family known as Zbot, or Zeus. Since the software giant first added detection for Zeus last October, hundreds of thousands of Windows PCs have been expunged of the threat, prominent in banking and e-commerce fraud. But as Zeus, which recently merged code bases with SpyEye, continues to acquire advanced evasion capabilities, Microsoft has had to fight "sneakiness with sneakiness," according to a blog post on Wednesday. The company introduced the update as part of its monthly security patches, released on Tuesday.
Much-maligned Sony announced Tuesday that it has hired a former U.S. cybersecurity official to serve as its first-ever chief information security officer. Philip Reitinger, 49, the former director of the National Cybersecurity Center at the U.S. Department of Homeland Security since June 2009, who tendered his resignation in May, will be tasked with assuring the protection of the multibillion dollar company's assets and services. It's been a tough year for Sony, which has experienced multiple breaches, most notably the compromise of its PlayStation Network and Qriocity services, which resulted in the exposure of the personal details of tens of millions of users. Reitinger has been in the private sector before, where he held the role of security strategist at Microsoft.
Fallout continues, and new corporate victims come to light after the massive breach of an email marketing services provider.
A former network engineer at Gucci has been charged with hacking into the company's network, deleting data and shutting down servers and networks.
A growing list of companies, including Capital One, U.S. Bank, Citigroup and JPMorgan Chase, are notifying customers that their email addresses were stolen by hackers.
For many small and midsize businesses, neglecting IT security is a thing of the past, reports Angela Moscaritolo.
Mobile payment service startup Square has refuted claims made by a competitor that its card reader could easily be turned into a skimmer capable of stealing financial and personal information.
eHarmony has confirmed that a hacker recently gained access to a file containing user information, weeks after another popular dating site was compromised.
The PCI Data Security Standard assessment process must change, or the payment industry faces an ethical bind.
The credentials of nearly 30 million online daters are at risk following the exploit of a common website vulnerability. The exact circumstances of the incident remain in question.
A new survey from Cisco reveals that organizations are getting better at handling their obligations to meet payment industry security guidelines.
Visa has enhanced the security of its electronic credit card authorization system, known as VisaNet, to improve the speed and accuracy of fraud detection, the card brand announced Thursday. Earlier this year, Visa improved the processing platform of its Advanced Authorization technology so that it can analyze more information and perform more functions faster. "This provides Visa with a comprehensive view into the global payments system, leading to high levels of intelligence around spending patterns and improving the company's ability to detect and prevent fraud in near real-time," Visa said. The company believes the improvements could lead to a 29 percent gain in fraud detection over 2009. - DK
Operation eMule is targeting a Vietnamese-based fraud operation believed to have duped U.S. retailers out of millions of dollars.
In this instance, the public fervor isn't over the release of secret diplomatic cables but a U.K. academic paper detailing a vulnerability in chip-and-PIN.
The credit card details belonging to customers of CitySights NY were stolen when a database belonging to the sightseeing bus tours company was hacked.
A new Zeus botnet is targeting the credit card accounts of several major U.S. retailers, including Macy's and Nordstrom, according to researchers at online banking security firm, Trusteer.
Lawyers, doctors and accountants may avoid having to comply with the Federal Trade Commission's new identity theft rule.
Social networking sites and search engines are expected to be hit hard as cybercriminals try to wrangle in unsuspecting holiday shoppers.
Grocery chain Aldi is warning customers that their payment card information may have been stolen after fraudsters placed altered point-of-sale terminals at a number of Aldi stores in 11 states.
Nations abroad may be forging ahead of the United States in terms of offering consumers enhanced cardholder protection, but the decision to move toward technology such as chip-and-PIN is not always cut and dry.
The average website contains nearly 13 "serious" vulnerabilities, according to a report released this week by White Hat Security, a website risk management solutions provider. The report, which was compiled using data from more than 2,000 websites across 350 organizations, found that cross-site scripting and information leakage flaws were most prevalent, and websites belonging to large organizations - those with more than 2,500 employees - had the highest average number of serious flaws. In terms of industry, banking organizations had the least amount of vulnerabilities on average, followed by insurance and health care firms. — AM
The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.
Security professionals must consider all the options available to them to secure cardholder data.
Heartland Payment Systems, the New Jersey-based credit card processor that fell victim to the largest reported data breach of all time, announced on Wednesday that it will settle with Discover for $5 million. Heartland already has settled with Visa for $60 million and MasterCard for $41.4 million over the breach, which exposed an estimated 130 million credit and debit card numbers to organized criminals. The settlement money will be used by Discover to recoup costs related to reissuing cards and any incidents of fraud consumers may have experienced. — DK
Visa on Tuesday announced best practices for companies to use when implementing, installing and managing programs that process payment applications. The guidance will complement the existing Payment Application Data Security Standard (PA-DSS), which prescribes 14 requirements for software developers that build programs that process credit card payments. The Visa payment application best practices, developed in conjunction with the SANS Institute, include 10 guidelines and can be downloaded here. They are meant for vendors, integrators and resellers. — DK
The body that manages PCI guidelines has released a summary of expected changes, but merchants will not find any mention of emerging data security technologies.
Visa on Wednesday released a four-page document that offers best practices for tokenization, the process by which 16-digit credit card numbers are replaced with unique symbols. The guidance is meant to reduce risk for merchants, vendors, service providers and acquiring banks. It covers such areas as detecting suspicious activity so attackers cannot compromise the token system. In addition on Wednesday, Visa, in conjunction with the National Retail Federation trade group, clarified its operating rules around storage of sensitive information. According to the card brand, issuing banks must accept a disguised or truncated card number on transaction receipts for dispute resolution. Also, merchants are permitted to store disguised or truncated card numbers to reduce the amount of data that could be retrieved by attackers. — DK
Guests at 21 Destination Hotels & Resorts' properties may have been subjected to credit card theft after the chain discovered malware installed in its credit card processing system.
Microsoft has joined forces with the National Cyber Forensics Training Alliance (NCFTA) to launch a portal designed to immediately alert companies if credentials or credit card numbers belonging to their customers or employees have been discovered online.
Police in 12 countries have arrested 178 individuals linked to an international credit card fraud ring. Eight of alleged members were nabbed in the United States
Bob Carr, CEO of Heartland Payment Systems, which suffered a record-breaking breach in 2008, has rolled out a new payment solution to its merchants that offers end-to-end encryption of sensitive transaction data. In an interview with SC Magazine's Deputy Editor Dan Kaplan, Carr discusses the new offering and offers an update on the company's recovery 18 months after it announced the breach, which exposed some 130 million records.
The Federal Trade Commission is, for the fifth time, pushing back the deadline for financial institutions and creditors to comply with the Red Flags Rule.
Heartland Payment Systems and MasterCard have settled for $41.4 million over the payment processor's record-breaking data breach, disclosed in January 2009. Under the settlement, MasterCard issuing banks will be eligible to recoup costs related to reissuing cards and any incidents of fraud consumers may have experienced. For the settlement to be official, banks representing 80 percent of the affected accounts must agree to it by June 25. Heartland and Visa settled for $60 million in January. — DK
The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Friday announced a new training program designed to educate internal security personnel on conducting assessments. The three-day course, to be led by PCI Council experts, either will enable security departments to better work with with third-party assessors or allow them to conduct their own assessments, Bob Russo, the council's general manager, told SCMagazineUS.com. Merchants that process more that six million annual transactions are required to conduct annual on-site PCI DSS assessments. Classes will be held in multiple locations. For more information, including pricing, visit here. — DK
Visa announced Tuesday that it has banned merchants from providing cardholder data to third parties without first receiving consent from the consumer. The new rule is a move to prevent a deceptive practice known as "data pass," by which a shopper, during checkout, is prompted to enroll in a club membership. The customer often does not realize the offer originates from a different merchant or that it comes with additional fees and charges, Visa said. Under the new rule, consumers will have to re-enter their credit card information if they wish to sign up for the promotions, which have cost some 30 million Americans about $1.4 billion, said Visa, citing a 2009 report from the U.S. Senate Commerce Committee. — DK
Eastern European gangs are systematically conducting well-organized skimming attacks against U.S. consumers and businesses, according to a Gartner analyst.
The sixth and final U.S. person charged two years ago with breaking into the computer networks at discount retail parent TJX was sentenced Thursday. A U.S. District Court judge in Boston sentenced Damon Patrick Toey, 25, to five years in prison and fined him $100,000. Toey pleaded guilty in September 2008 to wire fraud, credit card fraud and aggravated identity theft. He also is connected to a number of other major heists at retailers and payment processor Heartland Payment Systems. The ring's orchestrator, Albert Gonzalez, was sentenced last month to 20 years in prison. Some of Gonzalez' Eastern European-based co-conspirators remain at large. — DK
The number of consumers seriously concerned about the security of online transactions is at its highest level in three years, according to the latest Unisys Security Index, released Tuesday. In the biannual survey of 1,004 consumers, which measures how safe Americans feel regarding national, financial, internet and personal security, 20 percent of respondents were "extremely concerned" about shopping or banking online, up from 16 percent in September 2009. Another 23 percent said they are "very concerned." Meanwhile, identity theft and national security ranked as Americans' top worries, garnering serious concern from 64 and 65 percent of respondents, respectively. — AM
A new Washington state law set to go into effect July 1 will allow banks to recoup certain data breach losses from negligent businesses. Under the new law, passed by the state Legislature in late March, financial institutions can seek reimbursement from large retailers and credit card processors that have suffered a data breach — if they failed to comply with the Payment Card Industry Data Security Standard (PCI DSS). The new law is similar to a Minnesota statute passed in 2007. — AM
Another co-conspirator to hacker Albert Gonzalez was sentenced Monday in federal court in Boston to seven years in prison for playing a major role in the BJ's Wholesale Club and TJX hacks. Christopher Scott of Miami pleaded guilty in September to charges of unlawful access to computers, access device fraud, wire fraud, aggravated identity theft and money laundering, according to court documents. Scott is latest person involved in the crime ring to be sentenced. The ringleader Gonzalez last week received a record-breaking hacking sentence of 20 years. — AM
Court documents unsealed Friday name JCPenney and another retailer as additional targets of notorious hacker Albert Gonzalez' cybercriminal gang.
Jeremy Jethro, 29, was sentenced Tuesday in federal court in Boston to six months home confinement and three years probation for providing accused retail hacker Albert Gonzalez with a zero-day exploit.
Join us Tuesday and Wednesday for our special two-day SC eConference and Expo: Complying with PCI.
While hacker Albert Gonzalez awaits his sentencing date, scheduled for later this month, one of his co-conspirators in the TJX, BJ's Wholesale Club and Sports Authority hacks was sentenced Thursday in federal court in Boston to 46 months in prison and fined $75,000. Prosecutors said Humza Zaman, formerly a programmer at Barclays bank, laundered $600,000 to $800,000 in identity theft proceeds for Gonzalez. Zaman received a 10 percent cut for his work. — AM
Three California men each are facing two dozen charges for running a sophisticated identity theft ring which netted them nearly $2 million, the Los Angeles County district attorney's office announced Monday. Albert Jose Gonzalez, 39, of Lancaster, Josue Gustavo Albizuras, 42, of Los Angeles and Cesar Vasquez Echeverria, 28, of Santa Clarita installed skimmer devices on computerized pay pumps at gas stations to steal customers' credit and debit card information. The men, who have pleaded innocent, were arrested Feb. 25 after a three-year investigation by members of the Los Angeles Sheriff's Department and the FBI. — AM
The Westin Bonaventure Hotel & Suites in Los Angeles recently revealed that hackers may have broken into its point-of-sale systems.
Wyndham Hotels and Resorts (WHR) recently revealed that it was the victim of another data breach after hackers broke into its computer systems and stole customer payment card data and other sensitive information.
Hacker Albert Gonzalez will likely receive a record-breaking prison term, law enforcement officials said Thursday at the RSA Conference.
Four men were charged on Monday with using computer hacking to obtain tickets to major sporting events, theater productions and concerts.