One of the most popular stores for digital underground distribution of stolen credit card information began selling a batch of over three million new card records this week. KrebsOnSecurity learns that data has been stolen from persistent data breaches of more than 100 Dicky’s BBQ Restaurant places across the country.
Joker’s Stash Kart Bazaar Debuts MondayBlazingSun, “A new batch of more than three million stolen card records advertising” valid prices “between 90-100 percent. This is usually an indication that the offending trader is either unaware of the compromise or has just begun to respond to it.
Several companies tracking the sale of data from stolen payment cards say they have confirmed with card issuers that BlazingSun account sales accounts have one thing in common: All have been used in different Dickey barbecue locations in the last 13 years. 15 months.
KrebsOnSecurity first contacted Dallas-based Dickey’s on Oct. 13. Today, the company shared a statement stating that it was aware of a possible payment card security incident in some of its restaurants:
“We have received a report stating that a payment card security incident may have occurred. We took this incident very seriously and immediately launched our response protocol and an investigation is underway. We are currently focused on identifying affected locations and included deadlines. We use the experience of third parties who have helped other restaurants deal with similar issues, and we also work with the FBI and payment card networks. We understand that the rules of the payment card network usually stipulate that persons who promptly report unauthorized fees to the bank that issued their card are not responsible for these fees.
The confirmations came from the Miami-based Q6 Cyber and Gemini Advisory in New York.
Q6Cyber CEO Eli Dominic said the infringement appears to continue from May 2019 to September 2020.
“The financial institutions we have worked with have already noticed a significant amount of fraud related to these cards,” Dominic said.
Gemini says his data shows that about 156 of Dickie’s locations in 30 states may have had payment systems compromised by theft of malware, with the largest exposure in California and Arizona. The twins set the window of exposure between July 2019 and August 2020.
As the threat of ransomware attacks grabs all the headlines, it may be tempting to assume that ordinary old credit card thieves have moved on to more lucrative ventures. Alas, cybercrime bazaars like Joker’s Stash continue to trade in their trade, not deterring pressure from credit card associations to encourage more merchants to install credit card readers that require more secure chip-based payment cards.
This is because there are countless places for restaurants – usually franchises for an established chain of restaurants – that are left to decide for themselves whether and how quickly they need to make the upgrades needed to immerse the chip against slipping the strip.
“Dickey’s is working on a franchise model that often allows anywhere to dictate the type of sales device (POS) and processors they use,” Gemini wrote in a blog post about the incident. “However, given the widespread nature of the breach, the exposure may be related to a single CPU breach that has been used by more than a quarter of all Dickie locations.”
Although there are sporadic reports of criminals compromising chip-based payment systems used by merchants in the United States, much of the data on payment cards for sale in cybercrime has been stolen from merchants who still hold chip-based cards.
This is not a guess; relatively recent data from the stolen card stores themselves confirm this. In July, KrebsOnSecurity wrote about the researchers’ analysis New York University, which examined models of more than 19 million stolen payment cards that were uncovered after the hacking of BriansClub, a major competitor to Joker’s Stash card store.
Researchers from New York found that BriansClub earned nearly $ 104 million in gross revenue from 2015 to early 2019 and listed more than 19 million unique card numbers for sale. About 97% of the inventory is stolen data from magnetic tapes, often used to produce fake personal payment cards.
Visa and MasterCard introduced new rules in October 2015 that set retailers for all losses related to fraudulent card fraud related to breaches if they did not implement chip-based readers and require chip immersion when a customer submits chip-based card.
Dominic said that never in 2015, when he founded Q6Cyber, did he expect to see so many retailers dealing with magnetic tape-based data breaches.
“Five years ago, I did not expect to be in this position today with card fraud,” he said. “You’d think the industry as a whole would have made bigger dents in this underground economy a while ago.”
Tired of reissuing your credit card and updating your payment information on countless e-commerce sites every time a restaurant you visit has a violation? Here’s a radical idea: The next time you visit a restaurant (well, if it happens again after COVID, etc.), ask them if they use card readers. If not, consider taking your business elsewhere.
Tags: Breaking Dickie’s Barbecue, Eli Dominic, Tips for Gemini, Q6Cyber
This entry was posted on Thursday, October 15th, 2020 at 4:44 pm and is filed under Data Violations, Recent Warnings. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a comment. Ping is currently not allowed.