Scammers bug Nordstrom registers with $40 devices to skim card data

Share this article:
Fraudsters boldly entered the store to plant skimming devices.
Fraudsters boldly entered the store to plant skimming devices.

A group of men boldly entered a Florida Nordstrom store and planted skimming devices on the retailer's registers, according to a security journo that publicized the scheme.

On Thursday, Brian Krebs detailed how six men allegedly carried out the con. On Saturday, part of the group distracted Nordstrom staff, while others worked to plant the devices over the course of several hours.

A team of three entered first with the mission to scope the premises, taking photos of the register and removing its back panel. Then, a few hours later, a separate group of three installed a keylogging device.

According to Krebs, who obtained an alert on the incident from police in Aventura, Fla., the suspects were caught on Nordstrom surveillance cameras tampering with store registers.

The keyloggers used by the fraudsters can be easily obtained online for about $40, he revealed. Nordstrom discovered that six devices had been planted.

“These hardware keyloggers are essentially PS2 connectors that are about an inch in length,” Krebs wrote. “The tiny data storage devices are usually purple in color to match the color-coded standard for keyboards, and are made to be inserted between the male end of a PS2 keyboard connector and the female receptor on a computer.”

He later added that while the color and shape of the devices indicated they were designed to interface with keyboards, that detail didn't mean that scammers “can't steal data from a credit card reader,” with the devices.

“Many cash registers at retailers have PS2-based card readers, or connect the reader directly to the computer's keyboard,” Krebs explained.

In a Friday email to SCMagazine.com, Brooke White, a Nordstrom spokeswoman, confirmed that devices were planted on its registers.

“We can confirm that we found and removed unauthorized devices on a small number of cash registers at our Nordstrom Aventura, Florida store,” she wrote. “We take this situation seriously and have been working closely with law enforcement and forensic experts to investigate this and understand any impact on our customers."

Chris Hague, managing consultant on the SpiderLabs research team at Trustwave, a Chicago-based firm that provides anti-cyber crime solutions, told SCMagazine.com on Friday that criminals have become more brazen over the years, sometimes opting to physically compromise businesses to overcome other implemented security measures.

“Retail merchants over the years have put in tremendous security to protect their devices from compromise,” Hague said. “So the next step [for criminals] is physical compromise. The one thing about skimmers themselves, which makes it really difficult for organizations to detect, is they really have no electronic component coded in – it's just a pass through where the data stream will [run] through the device to get recorded.”

Skimming cases occur most frequently on ATM machines, Hague explained, where fraudsters can simply put a transparent overlay on top of PIN pad devices, which are usually inconspicuous to users.

In a different recent scam, con artists entered target establishments to carry out fraud. Crooks in London, who posed as IT engineers, allegedly waltzed right into Barclays and Santander bank locations to fit computers with keyboard video mouse (KVM) devices. The devices were meant to give them access to multiple computers in the organization's network – to monitor accounts, move money or do any manner of malicious feats.

London police were able to thwart the cyber heist on Santander, but Barclays reported a £1.3 million loss in April, equivalent to around $2 million, as a result of the incident.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.