Five million customer credit and debit cards offered for sale on the Joker's Stash credit card marketplace, likely came from records stolen from Saks Fifth Avenue and Lord & Taylor sometime between May 2017 and their March 28 release by the hacking syndicate Fin7.
“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations [has] been compromised” and the majority of cards were “obtained from New York and New Jersey locations,” according to a Gemini Advisory report, which states that approximately 125,000 records were for sale, with the remainder of the cache, advertised on the dark web as BIGBADABOOM-2, expected to be rolled out in the coming months.
“While locale-specific attacks like these aren't uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection,” said Terry Ray, CTO of Imperva, noting that organizations often struggle to identify a breach or infection in a reasonable time-frame. “Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cybersecurity teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common,” Ray added.
Gemini expressed “a high level of confidence” that the stolen cards came from Saks Fifth Avenue, its discount outlet Saks Fifth Avenue OFF 5TH, and Lord & Taylor Stores, all operated by Hudson's Bay Company (HBC), a Canadian firm.
"We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America," reads a company statement from Saks Fifth Avenue. "We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication at this time that this affects our e-commerce or other digital platforms, Hudson's Bay, Home Outfitters, or HBC Europe."
The company added that it is coordinating with law enforcement authorities and payment card companies and assured customers that there is no evidence that Social Security and Social Insurance numbers, driver's license numbers, and PINs were affected.
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told SC Media via emailed comments that there is reason to believe that an additional million-or-so credit cards from European and Asian customers may also have been stolen. "A recent similar operation targeted national stores and stole about three million credit cards between May and December 2017," said Hahad. "All of these breaches seem to have utilized a point-of-sale malware that intercepts credit card transactions, records them onto a local file, encrypts them and then sends the encrypted information to its command-and-control server."
Fin7 has successfully hacked hotel chains like Trump Hotels and Omni Hotels & Resorts, as well as retailers like Whole Foods, Jason's Deli and Chipotle. The group last year also launched spearphishing campaigns targeting Securities and Exchange Commission (SEC) filings using a fileless attack framework.
“This incident shows once again merchants still need to protect themselves against POS system infiltration attacks targeting cardholder data. A multi-layer security strategy is necessary,” including segmenting POS networks and upping monitoring and threat detection capabilities, said Mark Cline, vice president at Netsurion. “If nothing else, dwell time of such an attack would be reduced to hours or days. After all, the report is that this attack has persisted for almost a year, just as we have seen in previous massive card breaches.”
“Retailers and banks are valuable targets for e-crime, with attacks focused on point-of-sale devices and threat actors deploying large botnets," said Dmitri Alperovtich, co-founder and CTO of CrowdStrike. "Increasingly sophisticated attacks are forcing large retailers to evaluate their security to enhance comprehensive visibility into their endpoints, advance detection and response, and utilize tactical and strategic threat intelligence to protect consumer information.”