credit card hacking | Breaking Cybersecurity News | The Hacker News

Chicago-based online travel booking company Orbitz, a subsidiary of Expedia.com , reveals that one of its old websites has been hacked, exposing nearly 880,000 payment card numbers of the people who made purchases online. Orbitz.com is a travel fare aggregator website and travel metasearch engine, allowing customers to quickly and easily search and book flights, hotels, rental cars, vacation packages, travel deals, cruises and more. The data breach incident, which was detected earlier this month, likely took place somewhere between October 2016 and December 2017, potentially exposing customers' information from the travel site to hackers. According to the company, hackers may have accessed payment card information stored on a consumer and business partner platform, along with customers' personal information, including name, address, date of birth, phone number, email address and gender. However, the company said its services such as Expedia flights, Expedia hotels, E

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems. Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS . Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind. Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn —a legitimate remote desktop control service used to manage computers and other systems remo

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company's official website. In a statement released today, Chinese smartphone manufacturer admitted that credit card information belonging to up to 40,000 customers was stolen by an unknown hacker between mid-November 2017 and January 11, 2018. According to the company, the attacker targeted one of its systems and injected a malicious script into the payment page code in an effort to sniff out credit card information while it was being entered by the users on the site for making payments. The malicious script was able to capture full credit card information, including their card numbers, expiry dates, and security codes, directly from a customer's browser window. " The malicious script operated intermittently, capturing and sending data directly from the user's browser. It ha

Roman Valerevich Seleznev , the son of a prominent Russian lawmaker who's already facing a 27-year prison sentence in the United States, has been handed another 14-year prison sentence for his role in an "organized cybercrime ring" that caused $59 Million in damages across the US. In April this year, Seleznev, the 33-year-old son of a Russian Parliament member of the nationalist Liberal Democratic Party (LDPR), was sentenced to 27 years in prison for payment card fraud, causing nearly $170 million in damages to small business and financial institutions in the US. The sentence was so far the longest sentence ever imposed in the United States for a hacking-related case. Now, after pleading guilty in two criminal cases stemming from a hacking probe in September, Seleznev Thursday  received another 14-year prison sentence for racketeering in Nevada and another 14 years for conspiracy to commit bank fraud charges in Georgia. The sentences will run concurrently to

Another day, another data breach. This time Amazon-owned grocery chain has fallen victim to a credit card security breach. Whole Foods Market—acquired by Amazon for $13.7 billion in late August— disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores. Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada. The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details. The company also said people who only shopped for groceries at Whole Foods were not affected, neither the hackers were able to access Amazon transactions in the security breach. Instead, only certain venu

The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well. Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device's calls and display overlays on top of taxi booking apps to steal banking information. Dubbed Faketoken.q , the new variant of mobile banking trojan is being distributed using bulk SMS messages as their attack vector, prompting users to download an image file that actually downloads the malware. Malware Spy On Telephonic Conversations Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything—from every calls to launched apps—that happens on the infected Android device. When calls are m

A 29-year-old Russian-born, Los Angeles resident has been sentenced to over nine years in prison for running botnets of half a million computers and stealing and trafficking tens of thousands of credit card numbers on exclusive Russian-speaking cybercriminal forums. Alexander Tverdokhlebov was arrested in February, pleaded guilty on March 31 to wire fraud and on Monday, a federal court sentenced him to 110 months in prison. According to court documents , Tverdokhlebov was an active member of several highly exclusive Russian-speaking cybercriminal forums largely engaged in money laundering services, selling stolen sensitive data, and malware tools since at least 2008. Tverdokhlebov offered several illegal services on these underground forums, including the exchange of tools, services and stolen personal and financial information. The hacker also operated several botnets – a network of compromised ordinary home and office computers that are controlled by hackers and can be us

MasterCard has unveiled its brand new payment card that has a built-in biometric fingerprint scanner, allowing customers to authorize payments with their fingerprint, without requiring a PIN code or a signature. The company is already testing the new biometric payment cards, combined with the on-board chips, in South Africa and says it hopes to roll out the new cards to the rest of the world by the end of 2017. Don't Worry, It Still Supports PIN-based Transactions as Fallback Wait — If you think that this feature would not allow you to share your card with your child and spouse, don't worry — Mastercard has a solution for this issue as well. The company has confirmed that even if the card is configured to expect the fingerprint for authenticating a purchase, but it does still have a PIN as a fallback, in case, for some reason EMV readers fail to read fingerprint or you have yourself handed it to your child for shopping. Stores & Retailers Don't Need New Hardw

InterContinental Hotels Group (IHG) is notifying its customers that credit card numbers and other sensitive information may have been stolen after it found malware on payment card systems at 1,174 franchise hotels in the United States. It's the second data breach that U.K.-based IHG, which owns Holiday Inn and Crowne Plaza, has disclosed this year. The multinational hotel conglomerate confirmed a credit card breach in February which affected 12 of its hotels and restaurants. What happened? IHG identified malware accessing payment data from cards used at front desk systems between September 29 and December 29, 2016, but the malware was erased after the investigation got completed in March 2017. "Many IHG-branded locations are independently owned and operated franchises and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately us

Almost 20,000 Tesco Bank customers have had their money stolen from their accounts after the banking arm of UK's biggest retailer fall victim to a hacking attack this weekend. As a result of the hack, Tesco Bank has frozen online transactions in an attempt to protect its customers from, what it described as, the " online criminal activity. " However, customers can still use their debit and credit cards for cash withdrawals and card-based payments. Tesco Bank has not disclosed any details of the cyber attack or how accounts had been compromised, but Benny Higgins, chief executive of Tesco, confirmed that the hack affected 40,000 of its 136,000 accounts, half of which had already been used to withdraw money fraudulently over the weekend. The bank would not disclose the total amount stolen from the accounts, but confirmed that the amount stolen was a " big number but not a huge number. " If you have been affected by this incident, don't worry! Higgins has apo

India is undergoing the biggest data breaches to date with as many as 3.2 Million debit card details reportedly stolen from multiple banks and financial platforms. The massive financial breach has hit India's biggest banks including State Bank of India (SBI), HDFC Bank, Yes Bank, ICICI Bank and Axis, and customers are advised to change their ATM PIN immediately. Hackers allegedly used malware to compromise the Hitachi Payment Services platform — which is used to power country's ATM, point-of-sale (PoS) machines and other financial transactions — and stole details of 3.2 Million debit cards, reports The Economic Times. Of 3.2 Million debit cards, 2.6 Million are powered by Visa or Mastercard and rest 600,000 work on top of India's own RuPay platform. Hacked Debit Cards Reportedly Used in China It is not yet clear who is behind the cyber attack, but the report adds that a number of affected customers have observed unauthorized transactions made by their cards in v

Around 324,000 users have likely had their payment records stolen either from payment processor BlueSnap or its customer Regpack ; however, neither of the company has admitted a data breach. BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments. The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap. The tweet has since been deleted, but Australian security expert Troy Hunt took a copy of it for later review to analyze the data and after analyzing, he discovered that the leaked payment records are most likely legitimate. Payment Card Data Including CVV Codes Leaked The data contains users' details registred between 10

Forget about security! It turns out that the Chip-and-PIN cards are just as easy to clone as magnetic stripe cards. It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes. We have been told that EMV ( Europay, MasterCard and Visa ) chip-equipped cards provides an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards. But, it turns out to be just a myth. A team of security engineers from Rapid7 at Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions. The demonstration was part of their presentation titled, "Hacking Next-Gen ATMs: From Capture to Washout," [ PDF ]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash. Here

The Popular fast-food restaurant chain Wendy's on Thursday admitted that a massive cyber attack had hit more than 1,000 of its restaurants across the country. The burger chain did not speculate how many people may have been affected, though it did confirm that the hackers were able to steal its customers' credit and debit card information. The data breach is more than three times bigger than initially thought. The original data breach was believed to have affected " fewer than 300 " of its 5,144 franchised locations in the United States when the malware was discovered in May. The Malware had been installed on Point-of-Sale (PoS) systems in the affected restaurants and was able to obtain cardholder's name, payment card number, expiration date, service code, cardholder verification value, among other data. The data breach began in fall 2015 and discovered in February this year, and the company went public with in May. Just last month, Wendy's s

In an era where major data hacks are on the rise, it is no surprise breaches on individuals are also up. In just three hours, over 100 criminals managed to steal ¥1.4 Billion ( approx. US$12.7 Million ) from around 1,400 ATMs placed in small convenience stores across Japan. The heist took place on May 15, between 5:00 am and 8:00 am, and looked like a coordinated attack by an international crime network. The crooks operated around 1,400 convenience store ATMs from where the cash was withdrawn simultaneously in 16 prefectures around Japan, including Tokyo, Osaka, Fukuoka, Kanagawa, Aichi, Nagasaki, Hyogo, Chiba and Nigata, The Mainichi reports . Also Read: Tyupkin Malware Hacking ATM Machines Worldwide Many ATM incidents involve a long-established technique called ' ATM Skimming ' in which criminals install devices to obtain card details via its magnetic stripe, or use ATM malware or from data breaches, and then work with so-called carders and money mules to pilfe

In Brief Two International hackers, Aleksandr Andreevich Panin and Hamza Bendelladj, have been sentenced to a combined 24 years and 6 months in prison for their roles in developing and distributing SpyEye banking trojan, a powerful botnet similar to the infamous ZeuS malware. Both hackers were charged with stealing hundreds of millions of dollars from banking institutions worldwide. Masterminds behind the development and distribution of the infamous " SpyEye " botnet have finally been sentenced to a combined total of 24 years and 6 months in prison. Aleksandr Andreevich Panin and Hamza Bendelladj have been sentenced for their roles in developing and distributing SpyEye malware that is said to have caused hundreds of millions of dollars in losses to the financial sector, the U.S. Justice Department said  on Wednesday. SpyEye, a successor to the notorious Zeus banking malware , has affected financial institutions since 2009. Once infected, the malware connects t

Hyatt Hotels Corporation is notifying its customers that credit card numbers and other sensitive information may have been stolen after it found malware on the computers that process customer payments. "We recently identified malware on computers that operate the payment processing systems for Hyatt-managed locations," the company announced on Wednesday. "As soon as we discovered the activity, we launched an investigation and engaged leading third-party cyber security experts." What type of information? The company didn't confirm whether the attackers succeeded in stealing payment card numbers, neither it say how long its network was infected or how many hotel chains were affected in the malware attack. But as the payment processing system was infected with credit-card-stealing malware, there is a possibility that hackers may have stolen credit card numbers and other sensitive information. What happened? Hyatt spokeswoman Stephanie Sheppard

Imagine you have lost your credit card and applied for a fresh credit card from your bank. What if some criminal is using your new credit card before you have even received it? Yes, it's possible at least with this $10 device. Hardware hacker Samy Kamkar has built a $10 device that can predict and store hundreds of American Express credit card numbers, allowing anyone to use them for wireless payment transactions, even at non-wireless terminals. The device, dubbed MagSpoof , guesses the next credit card numbers and new expiration dates based on a cancelled credit card's number and when the replacement card was requested respectively. This process does not require the three or four-digit CVV numbers that are printed on the back side of the credit cards. Also Read:  How Hackers Can Hack Your Chip-and-PIN Credit Cards The tiny gadget would be a dream of any card fraudster who can pilfer cash from the stolen credit cards even after they have been blocked

British Police have arrested a second teenage boy in relation to the major hack on the servers of UK-based telco 'TalkTalk' last week. On Monday, a 15-year-old boy (first arrest) from County Antrim, Northern Ireland, was arrested in connection with the TalkTalk Data Breach. On Thursday, The Metropolitan Police Cyber Crime Unit (MPCCU) arrested this second unnamed 16-year-old boy from Feltham in west London on suspicion of Computer Misuse Act offences. Latest TalkTalk Data breach put the Bank details and Personally Identifiable Information (PII) of millions of customers at risk, including: Nearly 21,000 Bank Accounts Almost 28,000 obscured Credit and Debit card details Less than 15,000 customer dates of birth Names, Email Addresses, and Phone Numbers of 1.2 Million Customers TalkTalk has confessed that " Not all of the data was encrypted "... yeah, its' too bad. However, " Investigations so far show that the information that may have bee

The arrest is the first major outcome since TalkTalk – the biggest phone and broadband provider in the UK with more than 4 Million customers – had suffered a serious data breach. The Police Service of Northern Ireland (PSNI) and the investigating officers from the Metropolitan police's cyber crime unit (MPCCU) have arrested a 15-year-old boy in connection with the latest cyber attack on TalkTalk . The press release issued by the police said the boy was detained in County Antrim at about 4.20pm on Monday on suspicion of committing offences under the Computer Misuse Act. The Computer Misuse Act 1990 is an act of the Parliament of the United Kingdom, according to which any computer misuse offences like: Unauthorised access to computer material. Unauthorised access with the intent to commit further offences. Unauthorised acts with the intent to impair, or with recklessness as to impairing, operation of the computers, and other electronic devices. ...Are consi