Incidents

Thousands of European cards blocked following payment processor breach

Several Eastern European banks have started notifying their customers in the beginning of last week that their cards have been blocked and will be replaced with new ones. Most of the banks did not give out any more details about what happened, and in many cases even failed to notify their customers prior to actually blocking their cards. Is it just another day in the payment processing business? Based on the rushed response from banks and the lack of information surrounding the case, I would say no.

It all started one week ago after the state-owned Romanian bank CEC Bank blocked ~17,000 cards in response to a security breach at one of VISA’s European payment processor.

The reaction of other banks followed soon. The Romanian branch of ING Bank also confirmed to have blocked compromised cards, but didn’t put out a number. They say they’ve only blocked a few cards, but are closely monitoring the situation.

A few days later, Serbian banks also started blocking thousands of cards for security reasons. Raiffeisen Bank, Komercijalna and Societe Generale confirm they have been informed by VISA about some of their customer’s cards being compromised. Very similar to what happened in Romania.

Rumors indicate the European branch of an electronic payment services provider, Euronet Worlwide, to be the source of this breach. This information has been going around Romanian business media (1, 2) – and though it hasn’t been confirmed officially, it would explain why customers from different banks in different countries were affected.

It’s very hard to assess the severity of this security breach, as the banks’ reaction to these events was very mixed. Some banks proceeded immediately to blocking and replacing all affected cads, while others decided to monitor the situation more closely.

Currently, it’s very hard to get a full picture of what is going on, but as it usually happens, these are unlikely to be isolated incidents. Actually, these stories could be just the tip of the iceberg. If you have recently received such a notification from your bank, we’d like to hear from you, especially if it’s outside Serbia and Romania.

Meanwhile, make sure to follow these 3 basic steps to make sure you don’t become a victim of credit card fraud:

  1. Check your statements as often as possible. Make sure all payments showing up are actually made by yourself. In case you suspect a fraudulent transaction, get in touch with your bank as soon as possible.
  2. Enable instant SMS notifications if your bank offers it. Some banks offer it for free, others charge for this option. No matter what, it’s worth it. You’ll be able to get instant reports of payments made with your cards.
  3. Make sure you keep most of your money in an account that has no card linked to it. Having to move money from an account to another on a weekly or monthly basis might seem annoying, but it can save you a great deal of pain in case your card gets compromised.

Last, but not least, we know it’s the holiday season and shopping is on everyone’s mind. So if you want to keep your money safe when doing online shopping, this insightful article we’ve put together is for you: Online shopping made safe and convenient.

Thousands of European cards blocked following payment processor breach

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox