Nasty ‘Nice Pack’ Exploit Kit Targets Retail Card Info

Attacks on retailer Websites that use exploit kits to steal card details are increasing, as are SQL injection exploits

Retailers are seeing a rise in Web attacks driven mainly by malware exploit toolkits as cyber-criminals attempt to steal credit card information, according to Dell SecureWorks.

Hacking attacks against retail customers were up by 43 percent from January to September, Dell SecureWorks Counter Threat Unit said. It claimed to have stopped 91,500 attackers per retail customer in the first nine months of 2011, compared to 63,581 from April through December 2010.

Nice Pack Blamed

The increase was driven primarily by the popularity of Web exploit kits, according to Jon Ramsey, Dell SecureWorks CTO. A new kit, Nice Pack, has already compromised over 10,000 Websites, according to the report. When unsuspecting users visit one of the compromised sites, they are covertly redirected to a different site hosting the exploit kit, which tries to download malware onto the user’s computer.

“Criminals are more aggressively using the Web as a primary attack vector for both clients and servers,” Ramsey said.

Nice Pack uses an attack sequence similar to that of the better-known BlackHole exploit kit. Attackers use various techniques to compromise Web pages and embed malicious JavaScript on the site. The malicious code is apparently identical to the code that was used in the recent compromise of MySQL.com, which directed users to a site hosting the BlackHole tools.

When a victim is hooked, Nice Pack attempts to install the ZeroAccess Trojan, which is designed to remain hidden on the infected machine as it gathers confidential information and ships it off to a remote server. ZeroAccess has some rootkit-like capabilities, which allow it to remain on the system despite attempts to remove it.

SQL Injection Increase

There has also been a jump in the number of SQL injection attacks against retailers, according to Dell SecureWorks researchers. In these attacks, the perpetrator inserts database commands into a text box or form on the Website and tricks the system into executing those commands when the form is submitted.

Just this past spring, Rogelio Hackett Jnr pleaded guilty in the US to using SQL injection attacks to steal the account information of 675,000 credit cards and racking up over $36 million (£23m) in fraudulent transactions.

Organisations need to make sure they are keeping up with the latest patches for all servers, desktops and software, as many of the exploit packs take advantage of older vulnerabilities that have not been closed.

Scammers and identity thieves are not just using Web attacks to steal personal information and credit card data. The old-fashioned physical methods are still alive and well.

Operation Swiper Swoops

Law enforcement authorities in New York arrested more than 100 people accused of participating in an identity theft scam that generated $13 million (£8m), according to a 7 October statement from the District Attorney for the city’s Queens district. The arrested individuals are accused of stealing financial information from consumers in Europe and the United States over a 16-month period.

The stolen data was used to forge credit cards which were then used to buy designer handbags, games consoles and jewellery. These luxury items were then fenced online to generate cash for the scammers. The gang relied on insiders working for financial and retail businesses, including bank tellers, store employees and restaurant workers, to steal information for the scam, according to the statement.

Operation Swiper dates back to October 2009 and involved physical surveillance and electronic wiretapping of at least five ringleaders, who are accused of taking the stolen identity information and working with an underground credit card manufacturer to produce forgeries.

Once the credit card information is stolen, criminals can use it to make fraudulent purchases or just resell the data to other criminals on underground forums, according to security specialist Imperva. Complete credit card information, with names, addresses, email addresses, expiration dates and dates of birth, is available for sale, with finished cards available for as little as $2 (£1.27), according to Imperva.