By Jeffrey Green (@epaymentsguy)
Breach activity throughout most of the week seemed pretty ho-hum. That was until Thursday, when news that various U.S. state attorneys general reportedly have launched a multistate investigation into a breach in which crooks allegedly gained access to some 200 million Social Security numbers via a unit of credit bureau Experian PLC.
“We are investigating,” Maura Possley, a spokeswoman for Illinois Attorney General Lisa Madigan, said in the Reuters report. “It’s part of a multistate investigation.”
Experian declined to comment, Reuters said.
The past two weeks started out rough for Target, as it faced off with a top lawmaker over its recent breach. But it ended more positively for the retailer when two banks that earlier sued the company and its PCI assessor dropped their lawsuit.
During a March 25 Senate Commerce, Science and Transportation Committee hearing, U.S. Sen. John Rockefeller (D-W.Va.) questioned Target’s chief financial officer, John Mulligan, about the preventative measures the company could have taken to prevent last winter’s data breach. Rockefeller earlier released a majority staff report on Target’s reaction to breach titled “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach.”
The hearing discussion referenced third parties Target uses that did not adhere to acceptable security protocol. Mulligan reportedly accepted that if vendors (refrigerator contractor Fazio Mechanical Services in particular) had better security practice the breach could have been avoided.
Also during that week, Trustwave, which provides Target with PCI-compliance testing, was named in litigation filed by two banks over the Target breach. However, earlier this week Trustmark National Bank and Green Bank N.A. said they dropped their lawsuit against Target and Trustwave Holdings Inc., but they did not say why they withdrew the suit just a week after filing it.
Meanwhile, some 33 lawsuits across 18 districts, and potentially more, related to the Target breach reportedly will be consolidated before U.S. District Judge Paul Magnuson in Minnesota, where Target is based.
Also this week, Kaspersky Lab released results from the study, Financial Cyber Threats in 2013, which found that 31.5 percent of phishing attacks targeted online financial institutions including, banks, online stores and e-payment systems. Of those financial phishing attacks, 71 percent used fake bank webpages to acquire confidential user information and steal money from bank accounts, showing the strong trend of cyber criminals exploiting online financial services.
Phishing is a fraudulent scheme used by cybercriminals to obtain confidential consumer data with the help of fake webpages imitating Internet resources. In 2013, the most popular phishing attacks used fake bank websites, which were involved in twice as many attacks in 2013 as they were in 2012. Within the 70.6 percent of phishing attacks using banks in 2013, about 60 percent exploited the names of just 25 organizations, Kaspersky Lab said.
Among attacks on e-payment systems, nearly 90 percent of phishing attacks fell on one of five international brands: PayPal, American Express, MasterCard, Visa or Western Union. PayPal was the leading brand exploited, as the amount of attacks on this system reached 44.12 percent, according to the report.
Prepaid for ‘mules’
Meanwhile, prepaid cards are replacing human money movers, known as mules, as crooks increasingly are turning to the plastic to commit fraud, according to a recent interview with Tom Willis, director of consultancy Ontrack Advisory.
In the interview with Information Security Media Group, Willis noted that prepaid cards offer less risk, and they are less expensive, than using mules to move illicit funds. Money mules have a short shelf life, whereas prepaid cards do not, Wills said.
“Money mules are a key link in this overall fraud chain,” Wills said in the interview. “For the crime bosses, money mules are people, so they’re messy and they’re hard to manage. The banks have monitoring systems that detect patterns and anomalies. Once those detection systems kick in, then new mules have to be recruited.”