Threat Analysis

New Extortion Scam Aimed at Banks in the European Union

Introduction

Banks in France, the Netherlands, Denmark, Belgium and Norway are receiving an extortion letter via email. A hacker promises to destroy credit card data on 48,000 of the banks’ clients if the bank will send 10,000 Euro to his account. Otherwise, he threatens to release the credit card data and inform news outlets of the security breach. The message reads:

————————————————————-

From: “qazda qazda”

Subject: We can have a deal !

Greeting . I want to inform you that your clients accounts have been successfully stolen. So now I have 48.000 numbers of your banks clients with cvv2 and full information. And now I have twoways to do : 1. I can upload all that information to popular Internet portals and it going to be widely available for using. Moreover I will send information about incident to popular news channels like CNN and EuroNews. A lot of newspapers can get this as well. I am sure that it will make negative effect and bring a lot of problems for your bank. However I have the second way. 2. We can have a deal if you translate 10.000 EUR on my account. This will avoid you of trouble. The information I have will not be given away and used by anybody. Besides I make you warrantly that I will not trouble you if you agree with my terms. You have to understand that there is no matter for me what you will choose. Anyway I will not lose anything. However ypu can lose a lot. I hope that your name cost much more than that sum which we can solve that incident quietly and forget about it. I will wait for you reply tomorrow.

————————————————————-

Copycat scams have been spotted targeting banks in the U.K., Spain and Germany. The wording is the same, but the reply address is different. We will almost certainly see this one jump the pond and target banks in the United States shortly.

Credit card information is most commonly lost through physical skimming, social engineering, phishing and spyware attacks against a bank’s clients. Stolen credit card information therefore does not usually indicate a breach at the bank itself. In this scam, the extortionist does not promise the bank that he will withhold any information regarding the “supposed” breach, which could indicate that the data did not come from a breach of the bank’s systems. The wording also indicates that the extortionist is not receiving any additional data, which may imply that any bank breach that did occur has already been discovered and fixed. One would also assume the compromised credit card numbers would be reissued.

At first, the scam has an air of credibility because:

  1. The 48,000 credit card numbers would seem credible to anyone investigating major phishing operations or spyware attacks. It is credible that attack masterminds, server administrators, and “leechers” of large attacks would possess data in this volume.
  2. There have been recent breaches of internal bank systems where attackers stole the “Track 2” data (containing account number, expiration date, CVV2 code, etc., in a format readily usable by card counterfeiters) for debit cards, which the bank then had to reissue. The threat of public disclosure of a breach might seem credible.
  3. Track 2 data alone is almost worthless on the carding markets today. Full online identities, in the form of dossiers assembled from various sources of public information and stolen data, sell well at premium asking prices on the underground markets because they give buyers the information needed to fool modern anti-fraud systems. Rather than selling them on the black market, someone in possession of 48,000 Track 2 records could make more money, more quickly, by selling them (and the threat of exposure) back to the bank. The economics of this scam seem credible.

What doesn’t seem credible:

  1. The extortionist tells every bank he has 48,000 credit card account records. He asks every bank for 10,000 Euro.
  2. The extortionist does stand to lose something if he posts the account data publicly. It might be the 10,000 Euro he would possibly get from the bank. Or at the very least, it is the approximately 1,000 Euro he could get on the black market for the data (assuming his reputation among brokers is good). Why wouldn’t he at least sell the data on the black market? He’s already blackmailed a bank. The risk dynamics of the described scenario do not make sense.

Assuming the extortionist is not telling the truth, nothing will change regarding the account data (assuming it exists). If the banks comply, we should assume the hacker will not keep his promise to destroy the data; if he does in fact possess such data, we should assume he will sell it anyway. The “report to the media” would be a poorly worded email, probably sent directly to the Junk Mail folder, saying “scammer steals credit card numbers from gullible customers of bank”. Not news. News: “Banks pay extortionist 10,000 Euro to keep 1,000 Euro of stolen data off black market.”

Suggested Actions

If a bank receives this extortion attempt, SecureWorks advises that they do not reply. Report all extortion attempts to your local FBI and/or U.S. Secret Service field office.

